Security Now 381
Topic: Q & A #156
Recorded: December 6, 2012
Published: December 6, 2012
Security Now 381: Your Questions, Steve's Answers #156
News & Errata
- At the Passwords^12 conference:
  - Jeremi Gosney, the same researcher who analyzed 6.4 million LinkedIn password hashes looking for common passwords, leveraged OpenCL (Open Computing Language) and a lot of GPUs to demonstrate new heights in brute-force password cracking. With this system he can brute force any Windows XP password in 6 minutes.
  - Jens Steube, the developer of HashCat, demonstrated an optimization for brute forcing SHA-1 hashes that improves performance by 20%.
- An Australian man, William Weber, was arrested for running a TOR exit node (TOR is discussed in SN #70) and charged with trafficking in child pornography. He is trying to establish a precedent for other TOR node operators.
- John McAfee's location was "leaked" when Vice magazine published a photo with embedded GPS data.
- Macronix, a Taiwanese company, may have solved the flash memory wear problem through controlled reheating of the cells.
- Listener Andrew provides, on his website, easy instructions for disabling Java in IE 8, 9, and 10. Use Steve's test applet to verify that Java is really off.
- The WITCH computer from Bletchley Park has been restored. A video of it in operation is available.
- Showtime's Homeland is a great show.
- The TV show Fringe ends with its 100th episode, airing January 18th.
- Portable Bark Killer (PBK) project is moving forward. The schematic for the amplifier has been posted in the Google Group.
- Full plans will be available for those who want to build one.
- Steve will build testing units in exchange for feedback.
- Some builders have purchased a kit called The Launchpad for $4.30. There will also be plans that use components from this kit.
Sean Milochic in Reading, Pennsylvania – Spinrite fixed my drive and nobody cares.
Questions & Answers
Question: [ 01 ] - Micah in São Paulo, Brazil
Should I keep using Jungle Disk or is it time to move to CloudBerry?
If you are a Jungle Disk user and it works for you, why not keep using it? CloudBerry passed Steve's TNO security audit and is a "pay only once" application. Steve himself is thinking of eventually making the switch.
Question: [ 02 ] - Tom Callahan in Cincinnati, Ohio settles the issue once and for all (darnit)
If reading is only something you do when looking at a book, then what is it that blind people are doing when they read a book in Braille?
Steve agrees that they are reading the book with touch. It's not the sense that you use for input that matters.
Question: [ 03 ] - Adi Kajuriah in London, UK wonders about TNO Web Browsing
I want to go TNO (Trust No One) with my web browsing using a VPN. Are there any free VPNs that are reputable and TNO? I know that TOR is TNO. I'm on a Mac running Mountain Lion and I also have a Windows laptop running Windows XP.
Kind Regards, Adi
Steve isn't sure what Adi is looking for. A VPN encrypts the link between two endpoints. It can be used to hide your location. Perhaps he is wondering about online tracking and anonymity. A VPN won't do it on its own.
Leo mentions that the free VPN options aren't very good.
There is a service called Hotspot VPN: for $100 they provide a Wi-Fi device that connects to your laptop by Ethernet and acts as an encrypted firewall and hotspot with minimal configuration.
During the Olympics, many people used Tunnelbear.
Question: [ 04 ] - Ian Smith near Grenoble, France wonders about a 6 digit password
My French bank has just changed their online banking so that I am now limited to 6 digits for a password. I need to enter it into an onscreen widget thingy.
Previously the limit on password length was longer. Mine was 12 characters and I could have letters and digits. They moved the order of the 0-9 buttons each time to make things interesting.
But I still believe this is a backward step security-wise. So my podcast question is whether the onscreen keyboard is more or less secure than a standard password entry field, and why. For info, Citibank used to do this but they switched back to standard password entry, which allows me to use LastPass.
Thanks for the podcast and for the Vitamin D,
Ian Smith, a Spinrite user for many years.
This is not as bad as it sounds on the surface. One-time passwords are also 6 digits. Here, instead of the password itself changing constantly, the position of the numerals changes: you enter the same 6-digit password, but the buttons are in different locations each time.
Leo points out: The password is where you touch. It's a one-time password.
This method thwarts keystroke logging and screen scraping. If we assume that there are other security policies in place, it's pretty good.
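As an added illustration (not from the podcast), this Python sketch models the scheme Steve describes: the server issues a freshly shuffled keypad for every attempt, the client submits only button positions, and positions recorded from one session are useless against the next layout. The function names are assumptions, and the stored PIN is kept in plaintext for brevity.

```python
import hmac
import secrets

# Added example (not from the podcast): a login server hands out a freshly shuffled
# 0-9 keypad for every attempt and accepts only the button positions pressed.
DIGITS = "0123456789"
_rng = secrets.SystemRandom()            # CSPRNG-backed shuffle

def new_layout():
    """Server side: the digit displayed at each of the ten button positions."""
    layout = list(DIGITS)
    _rng.shuffle(layout)
    return layout

def positions_for_pin(layout, pin):
    """Client side: the user presses the buttons showing the PIN digits; only
    the positions (0-9) travel to the server, never the digits themselves."""
    return [layout.index(d) for d in pin]

def pin_from_positions(layout, positions):
    """Server side: map the pressed positions back through the layout it issued."""
    return "".join(layout[p] for p in positions)

def verify(layout, positions, stored_pin):
    """Compare the reconstructed PIN with the stored one in constant time.
    (stored_pin is plaintext here for brevity; store a salted hash in practice.)"""
    if len(positions) != len(stored_pin) or not all(0 <= p <= 9 for p in positions):
        return False
    return hmac.compare_digest(pin_from_positions(layout, positions), stored_pin)

def replay_hits(pin, attempts=200):
    """Threat from the question: a click logger records the positions pressed in
    one session and replays them. Each attempt gets a new layout, so the recorded
    positions decode to the right PIN only by chance (1 in 151200 for 6 distinct digits)."""
    captured = positions_for_pin(new_layout(), pin)
    return sum(verify(new_layout(), captured, pin) for _ in range(attempts))

if __name__ == "__main__":
    layout = new_layout()
    pressed = positions_for_pin(layout, "493817")
    print("layout:", "".join(layout), "pressed:", pressed)
    print("accepted:", verify(layout, pressed, "493817"))
    print("replays accepted out of 200:", replay_hits("493817"))
```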
As you are the world renowned super guru, Mr. Gibson, of a great many things including spinning disks and especially disks that don't "Spin Rite," I thought I would tell you a tale of great calamity. We had our gas fire suppression released over the weekend. What we found was an alarming number of disk failures at the second the gas was released. Some entire arrays were wiped out.
What I believe at this point is that the noise from the 220 PSI gas release is what killed the drives. How could noise kill the drives? I read the link below which has me maybe convinced that this is the issue. The fire suppression vendor has advised the dBs from the release in a relatively confined space is extreme.
The gas we used is completely inert, not harmful to anything - human, hardware or otherwise. Can a man of your great wisdom advise one way or another? I should note, there wasn't a fire. There was a fault in the system.
Thanks from a long-term listener.
These systems release their gas very quickly in order to fill large data centers, and the release is usually accompanied by alarm bells at 120 dB.
Steve knows others who were measuring data transfer rates affected by fan noise, pressing on the case, and other sources of vibration. This video demonstrates a test setup where shouting at the disk clearly affects disk performance.
Track density is so high in modern drives that vibrations can create a problem, especially during write operations.
I heard you talking about Daemon and Freedom by Daniel Suarez for some time and I've always wanted to pick it up but just didn't get around to it. Then I was walking through the airport. I saw it there in hardcover for $7.99. I couldn't pass up that deal so I bought it. I couldn't put it down. Usually when I read I fall asleep within an hour or so. Not with this! I had to force myself to stop so that I wouldn't stay up all night. This book scared the crap out of me, more than any psycho-thriller I could find. I don't see a black sedan or silver BMW without looking to see if there's a driver. I want to go live with the Amish. Wow!
When I came back through the airport, I looked for Freedom(TM) but they didn't have it. They were out of Daemon, too. I'm buying Freedom(TM) today for the Kindle so that I can read it on my iPad and smartphone as well.
Thanks for a great podcast. I swear I get as much out of the ancillary stuff as I do out of the computer security stuff. I've been a Spinrite user for a couple of years and it did save me once, but not in a story-worthy way.
Security Now and TWiT are the only two netcasts I listen to religiously. Keep up the great work.
Freedom(TM) is another great book. Leo pointed out that it's a continuation of Daemon's story line.
Kill Decision, Daniel Suarez's latest, is about drones and sounds more like fact than fiction every day.
Question: [ 07 ] - John Engle from Fredericksburg, Virginia wonders about one-way Ethernet transfer
Steve & Leo, thanks for providing such an interesting podcast. I've found both your products and services to be extremely useful, especially Spinrite. I use Spinrite once about every 6-8 months or so on my home server in order to prevent any disk failures. So far, so good.
In your recent podcast, #379, you spoke about a company called Owl Computing Technologies. They specialize in one-way transfer type hardware. I did a little research online and found some resources that discuss how to create a transmit-only Ethernet cable. Couldn't one use something like this in conjunction with a protocol like UDP for purposes of enforcing a hardware solution? Would this be a practical home solution to make sure that an attacker could not modify logs, files, notifications, etc.? If this is possible, then why would Owl Computing need to create a new protocol?
10BaseT and 100BaseT (not gigabit) use four wires, one pair in each direction. If you cut one pair, you get a cable that can only carry data in one direction. However, Ethernet networks rely on other protocols, such as ARP and ICMP, that require bidirectional communication to work properly. You could hard-wire the ARP table on both sides and take other steps, but there would be a lot involved.
Leo points out a comment from the chatroom which mentions that the ATM protocol could be configured in this way.
Question: [ 08 ] - John Bell in Northern Virginia has been made curious about full disk encryption
In the last episode you and Tom were discussing full disk encryption, specifically the use of cascading encryption. I have a comment and a question.
Comment: I think you might have missed a big advantage of cascading encryption. In a previous episode you talked about how a brute force attack can know that it has found the key because it checks the decrypted data against a dictionary to see if the text produced recognizable words.
In cascading encryption the brute force application may get the outer key correctly but it won't know because the resulting decryption is still random data and not recognizable words. Thus the only way for the brute force app to produce results is to create a nested loop of outer key and inner key decryptions until it hits recognizable words. The amount of time needed for that, as you might imagine, is pretty big.
Question: At the end of that segment Tom boldly stated that all hard drives should have full disk encryption. I don't have a lot of personal data on my hard drive, just some account passwords. I don't see too much that I need to protect. Aside from protecting personal information, is there a compelling reason to encrypt my hard drive that would be worth the performance hit? I am using OS X.
Regarding the comment: cascading is equivalent to increasing the key length, creating a composite key out of the two. The only additional advantage of cascading is that if one cipher turns out to be vulnerable, you still have the protection of the other.
Regarding the question: ask yourself "what if?" Would you mind someone else gaining access to those account passwords and other information? As far as Steve has seen, there isn't much of a measurable performance hit with TrueCrypt.
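An added example, not from the podcast, that makes the point about cascading concrete with two constructed toy 8-bit ciphers: brute forcing the single layer needs at most 2^8 trials, while the cascade forces the nested search John describes, at most 2^8 x 2^8 = 2^16 trials, which is exactly the cost of one 16-bit composite key. The ciphers, keys and sample plaintext are all assumptions made for the demonstration.

```python
import string

# Added example (not from the podcast): two constructed toy 8-bit ciphers stand in
# for the two layers of a cascade so that an exhaustive key search is cheap to run.
PRINTABLE = set(string.printable.encode())
WORDS = (b"the ", b"and ", b"password")   # the "dictionary" a brute forcer checks against

def xor_layer(key, data):
    """Inner toy cipher: XOR every byte with an 8-bit key (self-inverse)."""
    return bytes(b ^ key for b in data)

def add_encrypt(key, data):
    """Outer toy cipher: add an 8-bit key to every byte mod 256."""
    return bytes((b + key) & 0xFF for b in data)

def add_decrypt(key, data):
    return bytes((b - key) & 0xFF for b in data)

def cascade_encrypt(inner_key, outer_key, plaintext):
    return add_encrypt(outer_key, xor_layer(inner_key, plaintext))

def looks_like_text(data):
    """Recognizability test from the question: printable and contains dictionary words."""
    return all(b in PRINTABLE for b in data) and all(w in data for w in WORDS)

def brute_single(ciphertext):
    """Single cipher: each candidate key is confirmed or rejected on its own."""
    for k in range(256):
        if looks_like_text(xor_layer(k, ciphertext)):
            return k, k + 1                  # (key found, decryptions attempted)
    return None

def brute_cascade(ciphertext):
    """Cascade: stripping only the outer layer leaves random-looking bytes, so the
    outer key cannot be confirmed alone; every (outer, inner) pair has to be tried."""
    attempts = 0
    for j in range(256):                     # outer key guess
        middle = add_decrypt(j, ciphertext)
        for k in range(256):                 # inner key guess
            attempts += 1
            if looks_like_text(xor_layer(k, middle)):
                return (j, k), attempts      # ((outer, inner), decryptions attempted)
    return None

SAMPLE = b"the password and the key: keep both secret"   # constructed plaintext
SINGLE_CT = xor_layer(0x5A, SAMPLE)
CASCADE_CT = cascade_encrypt(0x5A, 0x33, SAMPLE)

if __name__ == "__main__":
    print("single :", brute_single(SINGLE_CT))     # worst case 2**8 attempts
    print("cascade:", brute_cascade(CASCADE_CT))   # worst case 2**16: one 16-bit key
```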
Question: [ 09 ] - Rob Alexander in Boston wonders about SSL Interception and LastPass
Steve, great podcast, been a listener for a while. I'll skip to the chase and give you my question so that I don't have to say "blah, blah, blah."
I am at a company that was recently acquired and have been forced to migrate to a new IT infrastructure. They are forcing us to use Windows 7 and have installed various monitoring and controlling pieces of software. One of the things they claim they can do is intercept SSL traffic so that they can decrypt it and inspect what's inside. The justification for this is that they have to prevent malware or filter outbound connections to malicious websites.
First, how can I tell if SSL interception is occurring? Will the Firefox plugin CertPatrol reveal this if my company is installing a new root CA in Windows that is used by their SSL proxy to generate new certificates for real websites?
Second question: will LastPass' encryption of my vault still prevent them from seeing the passwords contained in it, even if the SSL transport can't protect the download of the vault from LastPass' servers? My suspicion is yes, but I was curious if there were any other considerations for data leakage or exposure of sensitive data that I have.
We have covered the answer to the first question many times: go to a site using SSL and view the certificate chain. You want the chain to terminate at a public certificate authority such as VeriSign. An intercepted SSL connection will instead present a chain signed by your company's own CA.
The beauty of LastPass is that it never relies on link-level encryption. Its vault is protected by PIE (Pre-Internet Encryption), so your data stays safe even if the company is watching the connection.
Question: [ 10 ] MoreThought in the UK comments on the Hush Puppy
15 kHz isn't high enough. Children and adults with good hearing can hear it. Dog devices like your Portable Bark Killer are way higher, at 18-20 kHz, and I would hope you would increase the frequency to at least 19 kHz. By the way, I am 28 years old and I still hear frequencies up to 16 kHz easily.
Steve's design and choice of components limit the frequency to 15 kHz. He chose that frequency intentionally: it's most effective because canine hearing is acute there, and speaker efficiency also drops off at higher frequencies.
Finally, he wants people to be able to hear it so that they know that it is potentially dangerous and needs to be treated with respect.