Security Now 369

From The Official TWiT Wiki

Security Now 369: Internet Identity Update

News & Errata

Microsoft 2nd Tuesday of the month updates (9/11/12):

  • Two "important" privilege escalation vulnerabilities.
  • Microsoft Visual Studio Team Foundation Server 2010 Service Pack 1 released.
  • Updates for Windows Server applications:
    • Microsoft Systems Management Server 2003 Service Pack 3
    • Microsoft System Center Configuration Manager 2007 Service Pack 2

Apple updated Java on Mac OS X.

  • Apple released Java SE 6 Update 35 (1.6.0_35) for Mac OS X on September 4th.

Massive GoDaddy outage on Monday 9/10

  • GoDaddy's services experienced an outage lasting from 10am PDT to 4pm PDT on Monday 9/10.
    • During this time godaddy.com and couponpuppet.com may not have resolved in DNS.
    • GoDaddy released a statement on the issue earlier today (9/11).
      • GoDaddy claims the issue was not caused by a DDoS attack and was not caused by external sources.
      • No customer data was leaked; this was not a hack.

Apache and Do Not Track:

  • The Apache HTTP Server will be suppressing the "Do Not Track" header if the client identifies itself as Internet Explorer 10.

UUID Leakage:

  • David Schuetz (aka @darthnull, http://darthnull.org/)
    • Examined the leaked data, crunched it through filters, looked for duplicates, and saw a pattern.
    • The data was leaked from an app developer and not from an FBI laptop.

UPEK Fingerprint Logon:

  • Users' Windows passwords are lightly obscured and stored in the system registry.
  • People who have purchased devices from Acer, Amoi, ASUS, Clevo, Compal, Dell, Gateway, IBM/Lenovo, Itronix, MPC, MSI, NEC, Sager, Samsung, Sony, and Toshiba may find UPEK on their machines.
  • Windows password authentication (and EFS, which depends on it) is designed to be unbreakable, unless of course you use UPEK's biometric logon, which leaves the password recoverable from the registry.

Spinrite Story

James Lewis writes about how SpinRite got him a free TiVo. He writes "I was skeptical SpinRite even worked. I figured it was worth giving a shot for 89 bucks. I've been using my Series 1 TiVo for years. My friend had one of those fancy Humax Series 2 with DVD burners. One day it wouldn't reboot for him, so he gave it to me for free. SpinRite spent a couple of hours on the drive, and when it was done I had a Series 2 TiVo. Thank you."

Topic

Internet Identity Update:

  • OATH is the internet standard for event-based or time-based one-time code generation (HOTP and TOTP).
  • OAuth provides permission management for background, autonomous data sharing between an application and another service, without handing over the user's password.
  • OAuth asks the user which other service they wish to authenticate against.
    • For example: "Login Using Facebook" / "Login Using Twitter"
  • OpenID: A user visiting website A authenticates to site A by using login information for site B.
    • OpenID first asks the user for their "universal ID".

Sponsors

Audible

