Security Now 373
Episode 373
Recorded: October 10, 2012 Published: October 10, 2012 Duration: 1:32:38
Contents |
Security Now 373: Your Questions Steve's Answers #152
News & Errata
Microsoft's 2nd Tuesday (10/9):
- Microsoft released seven bulletins addressing vulnerabilities in Windows, Office, SQL Server and other products.
- One Office bulletin is rated critical: opening a specially crafted RTF file could result in remote code execution.
RSA warns of Impending Attack on Online Banking:
- RSA's blog posting on the topic.
- The group plans to launch a Trojan attack against roughly 30 American banks.
- The plan is to infect users' computers and then use a SOCKS proxy installed on those machines to reach the victims' online banking accounts.
- Because the banking session then originates from the victim's own machine, the group appears to the bank to be the legitimate user.
- Once inside an online banking account, the group intends to complete fraudulent transfers.
- The group also plans to use VoIP phone-flooding software so that the calls and text messages alerting customers to unauthorized activity never get through.
Adobe Flash Update:
- On Monday (10/8) Adobe released a critical out-of-cycle update for Adobe Flash Player, addressing 25 security vulnerabilities.
- Adobe recommends that users of Adobe Flash Player 11.4.402.278 and earlier versions for Windows update to Adobe Flash Player version 11.4.402.287.
- Adobe also recommends that users of Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh should update to Adobe Flash Player version 11.4.402.287.
- Microsoft also announced an update for Internet Explorer 10 on Windows 8 carrying the fixed Flash Player. Remember that Internet Explorer 10 has Flash Player bundled with it.
- Google also updated Google Chrome to version 22.0.1229.92, including the new version of Flash Player. Remember that Google Chrome also has Flash Player bundled with it.
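The advisory above is phrased as "version X and earlier", which invites a quick script to decide whether a given install is affected. The following is an added example, not from the show notes or from Adobe; it encodes only the per-platform ceilings and fixed version quoted above, and shows why the comparison has to be numeric, component by component, rather than a plain string comparison.

```python
# Added example (not part of the show notes): decide whether an installed
# Flash Player build is one the Adobe advisory says to update.

# Highest affected build per platform and the fixed build, exactly as
# quoted in the notes above.
AFFECTED_MAX = {
    "windows": "11.4.402.278",
    "macintosh": "11.4.402.265",
}
FIXED_VERSION = "11.4.402.287"


def parse_version(version):
    """Turn '11.4.402.278' into (11, 4, 402, 278), padded to four
    components, so that comparison is numeric per component."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("malformed version string: %r" % version)
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def needs_update(installed, platform):
    """True if `installed` is at or below the affected ceiling for the
    platform, i.e. the advisory tells this user to update."""
    try:
        ceiling = AFFECTED_MAX[platform.lower()]
    except KeyError:
        raise ValueError("unknown platform: %r" % platform)
    return parse_version(installed) <= parse_version(ceiling)


def naive_needs_update(installed, platform):
    """The tempting one-liner: compare the strings directly. It happens to
    work for the versions in the advisory, but misorders any component
    with a different digit count ("1000" sorts before "278")."""
    return installed <= AFFECTED_MAX[platform.lower()]
```

The hypothetical build 11.4.402.1000 in the test below is not a real Flash release; it only exists to show the string comparison giving the wrong answer.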
Spinrite Story
Topic
Questions & Answers
Question: [ 01 ]
Question:
- Carl Bolstad in Seattle, Washington declares: Carbonite wins!
Hi Steve and Leo,
I have been enjoying the Security Now podcast since the beginning
(although I'm about 3 months behind right now!). I have also been a
JungleDisk user, like you, Steve, until recently. When I had to re-install
JungleDisk because it wasn't working anymore on my XP machine, I
discovered that it wouldn't install at all. So I went to the website to post a
help ticket and was shocked at all the complaints of not getting any
response from the JungleDisk staff, etc. So I started looking for a new
online backup solution. Lucky for me you had recently done a podcast on
exactly that!
I tried out several of the ones you recommended, but in the end I just
couldn't resist Carbonite's plan of just backing up all of the user files on the
internal hard drive, without worrying about how big that may be, or how
much your backup will be costing this month. It's such a relief to know that
EVERYTHING is backed up, and the only time I'll have to worry about it
is if my hard drive fills up!
Just thought you – and Carbonite – might like to know.
Thanks for the great podcast. It's amazing that it's still relevant and
entertaining after all these years!
- Carl Bolstad
Answer:
Question: [ 02 ]
Question:
- Scott Reeves in Phoenix shares his OAuth/Facebook login idea...
Steve,
I heard last week's Q&A where you discussed your concerns with the
Facebook login spoofing and had an idea. What if FB combined their login
with a captcha of several of your friends' faces? People could instantly
recognize friends' faces (in theory) and it would be very difficult for bad
guys to spoof right? I don't think it would be much of a burden on users to
recognize their friends as long as it wasn't somehow taken as a product
endorsement. Thoughts?
Answer:
Question: [ 03 ]
Question:
- Keith Takayesu in Ottawa, Canada wonders about breaking
passwords into bits...
Steve - Love your show!
I thought you might be interested in this article that I just found:
“To Keep Passwords Safe from Hackers, Just Break Them into Bits” -
Technology Review: http://www.technologyreview.com/news/429498/tokeep-passwords-safe-from-hackers-just-break/
Answer:
Question: [ 04 ]
Question:
- Michael Walther in Berlin, Germany wonders: No NFC - are you
sure?
Dear Steve, from what I found out so far about the A6 chip in the iPhone 5,
I am pretty sure that it does have NFC. It's integrated in the A6 chip,
waiting to be released via Software, thus giving Samsung a harder time to
clone it. Just my two cents.
Answer:
Question: [ 05 ]
Question:
- Russell in London brings us this tip for Verizon users:
Subject: Web History being sold by Verizon to Marketers
Verizon customers have 30 days to opt-out from them selling your web
history and device location history to marketers.
Go to http://www.vzw.com/myprivacy to change your settings.
Thanks for the show!
Answer:
Question: [ 06 ]
Question:
- Lance Reichert who is Re-crossing the Adirondacks wonders about
hashing speed improvements:
“Announcing New! Faster Secure Hash!”
A couple months ago, you were discussing hashed storage of passwords,
emphasizing that proper storage used hundreds, if not thousands, of rounds
of hashing to make generation of rainbow tables prohibitively expensive.
This made sense.
In the SN episodes both before and after the announcement of the new
SHA-3 algorithm, it seemed that its chief benefit was that it was faster than
the existing SHA-256 algorithm. Certainly, the fact that Keccak has little
in common with SHA-2 is a good thing, but have we stepped backwards as
regards throughput?
Lance ==)-----------
Professional Nitpicker and Itinerant Engineer
Answer:
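The rounds Lance mentions are the knob that decides how expensive each password guess is, so the raw speed of the underlying hash matters to an attacker only in proportion to how many times the verifier makes them run it. The block below is an added example, not from the show, using PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for "hundreds, if not thousands, of rounds"; the password, salt and speed figures are constructed for illustration. (One caveat to the listener's framing: it is the per-user salt that defeats precomputed rainbow tables; the iteration count is what slows each guess down.)

```python
# Added example (not part of the show notes): password storage with an
# iteration count that can be raised as hashes get faster.
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"   # the underlying fast hash; rounds multiply its cost
KEY_LEN = 32


def hash_password(password, rounds, salt=None):
    """Produce the record to store: random salt, iteration count, and the
    PBKDF2-HMAC output. The salt makes precomputed tables useless; the
    rounds make each guess cost `rounds` hash computations."""
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             salt, rounds, KEY_LEN)
    return {"salt": salt, "rounds": rounds, "hash": dk}


def verify_password(password, record):
    """Recompute with the stored salt and rounds; compare in constant time."""
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             record["salt"], record["rounds"], KEY_LEN)
    return hmac.compare_digest(dk, record["hash"])


def seconds_per_guess(rounds, raw_hashes_per_second):
    """Attacker cost of one guess. A faster hash raises the denominator;
    the defender answers by raising `rounds` to match."""
    return rounds / float(raw_hashes_per_second)


def calibrate_rounds(target_seconds, start=1000):
    """Double the iteration count until one derivation takes at least
    `target_seconds` on this machine. Re-run when the hardware changes."""
    rounds = start
    salt = os.urandom(16)
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac(HASH_NAME, b"calibration", salt, rounds, KEY_LEN)
        if time.perf_counter() - t0 >= target_seconds:
            return rounds
        rounds *= 2
```

Stored records carry their own round count, so raising the calibrated value later only affects new hashes; old ones keep verifying and can be re-hashed at the user's next successful login.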
Question: [ 07 ]
Question:
- Ricardo in Brazil wonders and worries about the NFC threat...
Hi Steve, I was very concerned about the NFC information you shared last
week.
You talked about it being a new surface of attack for the mobile phones
(which is true) but I think you left out an important characteristic of NFC,
which is to potentially replace all the contactless cards we may already
have in our possession (like payment cards, corporate facilities entrance
badges, transport cards, and so on).
The interesting thing about NFC is the presence of a Secure Element,
which is a microprocessor with an application behind that interprets the
commands coming from the reader and acts upon it (even by rejecting the
command due to a failed mutual authentication).
Now, going to my question: Considering that smartphone mobile NFC is
just replacing something that has already existed in a very open way for
some time, is the possibility of using the handset as a reader/P2P device the
main "new" threat or will this card emulation, with new players (like
Google or even the mobile operators) that are not used to operating within a
secure environment posing a threat to the existing well-established
ecosystem?
Answer:
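Ricardo's point about the Secure Element is that the applet behind the antenna does not simply hand over data: it requires the reader to prove knowledge of a key before it acts, and proves its own in return. The exchange below is an added example, not from the show and not the actual EMV or transit protocol; it models a generic challenge-response mutual authentication with a shared symmetric key, using constructed key material and ISO 7816-style status words (0x9000 success, 0x6982 security status not satisfied, 0x6985 conditions of use not satisfied) so both sides' messages are visible. The balance command and the 8-byte truncated HMAC are assumptions for the demo.

```python
# Added example (not part of the show notes): reader <-> card-emulation
# applet mutual authentication before any sensitive command is honoured.
import hashlib
import hmac
import os

# Constructed demo key, assumed to have been provisioned into the applet by
# the issuer and held by legitimate readers. Not a real key.
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

SW_OK = b"\x90\x00"
SW_SECURITY_STATUS = b"\x69\x82"
SW_CONDITIONS = b"\x69\x85"


def mac(key, *parts):
    """Truncated HMAC-SHA256 over the concatenated parts (demo choice)."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(p)
    return h.digest()[:8]


class SecureElementApplet:
    """Stands in for the applet behind the SE: it interprets commands and
    refuses the ones that matter until the reader has authenticated."""

    def __init__(self, key):
        self._key = key
        self._nonce = None
        self.reader_authenticated = False

    def cmd_get_challenge(self):
        self._nonce = os.urandom(8)
        return self._nonce

    def cmd_external_authenticate(self, reader_nonce, reader_mac):
        if self._nonce is None:
            return SW_CONDITIONS              # no challenge outstanding
        expected = mac(self._key, b"reader", reader_nonce, self._nonce)
        if not hmac.compare_digest(expected, reader_mac):
            self._nonce = None                # one attempt per challenge
            return SW_SECURITY_STATUS
        self.reader_authenticated = True
        # Prove our own key knowledge back to the reader.
        return SW_OK + mac(self._key, b"card", self._nonce, reader_nonce)

    def cmd_read_balance(self):
        if not self.reader_authenticated:
            return SW_SECURITY_STATUS
        return SW_OK + (1250).to_bytes(4, "big")   # constructed balance


class Reader:
    def __init__(self, key):
        self._key = key

    def transact(self, applet):
        """Run the full exchange; returns (balance, last status word)."""
        card_nonce = applet.cmd_get_challenge()
        reader_nonce = os.urandom(8)
        resp = applet.cmd_external_authenticate(
            reader_nonce, mac(self._key, b"reader", reader_nonce, card_nonce))
        if resp[:2] != SW_OK:
            return None, resp[:2]
        # Verify the card's proof too, otherwise a cloned tag could answer.
        if not hmac.compare_digest(
                resp[2:], mac(self._key, b"card", card_nonce, reader_nonce)):
            return None, b"card-auth-failed"
        bal = applet.cmd_read_balance()
        return int.from_bytes(bal[2:], "big"), bal[:2]
```

A reader without the key gets 0x6982 at the authenticate step and never reaches the balance read; a phone that merely relays or emulates the card without the key fails the second half of the check on the reader side.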
Question: [ 08 ]
Question:
- Stephen in Glasgow, Scotland shares his recent NFC experience...
Hi guys.
I think I know of a problem with NFC.
When I first got my Galaxy S3 it would quite often beep for no apparent
reason. Every time I put it in my jacket pocket, or on my table, it would
beep. Then one day I noticed that it was when I put it on my table resting
on my wallet that it was beeping! I felt like an idiot for not figuring it out
sooner: Some of my newer credit cards have RFID chips inside for the new
contactless payment systems, and the Galaxy S3's reader was shouting out “Hey I found a tag.”
And sure enough, when I downloaded an NFC app
from the Android store the beep would then be accompanied by the card
info displayed on the screen when I put my S3 near my wallet.
If these phones are going to go crazy when we put them near a wallet with
RFID cards, then no wonder Apple is holding back. As far as I can see,
there is no way to tell Android to ignore a tag! And even if you could,
would that use battery as the RFID tag in your wallet was constantly
shouting out "hey I'm here" and your phone listened to the details before
ignoring it again?
Love the show
Answer:
Question: [ 09 ]
Question:
- Brian in Michigan notes that NFC attacks are trivial with many
current implementations:
I was a bit shocked at your “benefit of the doubt” about NFC. There IS no
doubt! ... because I would think it would be almost trivial to attack. Here is
my quick scenario:
1. Several of the implementations will automatically go to the url in a NFC
tag without any user interaction.
2. There will be vulnerabilities in the browsers on the phone.
3. The attacker places several NFC tags that have been crafted to send
victims to an attack site.
4. They head to the airport, subway, or any other crowded location at peak
traffic time.
5. They "accidentally" bump into people. Most phones are in pockets so that
is the target height of the tags for the attack.
6. The victim's phone goes to the attack site while never even leaving their
pocket.
7. The site takes over the phone to copy contacts, send premium SMS
messages, destroy data, or whatever else they feel like doing.
I may be overreacting a bit but I feel that NFC has all the security
problems of QR codes, but with the added attack of not needing line of
sight.
Answer:
Question: [ 10 ]
Question:
- Nathan Cooprider in Bedford reminds us that "Russinovich gives
answer to AV problem in Episode #371"...
In Listener Feedback #151 (Episode #371), Vern Mastel from the Bismarck
Public Library shared his continuing frustration with all traditional
AntiVirus products. Both you and Leo expressed sympathy and proposed
some incremental improvements, but it seemed like you felt a complete
solution did not exist.
However, in the previous episode, Mark Russinovich actually mentioned
and endorsed the solution: "Whitelisting". A "default deny" approach
which only allows authorized applications will complement AV and address
the issues Vern raises. Whitelisting is the future of security as AV
continues to falter.
I'll confess I'm a little biased here, since I work for Bit9. Our security
product, Parity, provides the best whitelisting solution for endpoints and
servers. However, we aren't the only ones in this important space.
We just launched version 7 of our security product:
https://www.bit9.com/products/parity7-what-is-new.php
I'd be happy to help you with any research into this area, or set you up with
people in our company who could answer questions as well. Whitelisting
has arrived and it works.
Answer:
Sponsors
Audible