Security Now 186

From The Official TWiT Wiki
Security Now
Episode 186


Security Now: 186 Listener Feedback 61

News & Errata

6:26 - 8:39

  • Zero-day Microsoft Excel remote code execution exploit on Mac and PC

8:40 - 9:45

  • Exploits are in the wild for the Adobe Acrobat Reader vulnerability, which won't be patched until March 11th, 2009

9:46 - 11:05

  • Lots of exploits in Adobe Flash Player, for which updates have been released. Versions 10.0.12.36 or earlier for Windows and Mac are troublesome. Users should upgrade to version 10.0.22.87 or 9.0.159.0

11:06 - 14:45

  • Facebook and MySpace are becoming the source of an increasing number of viruses

14:46 - 18:26

  • The battery life of Steve's two previous original Kindles decreased significantly over the year he owned them, and he has noticed that the battery life of the new Kindle isn't 25% longer as advertised
    • The Kindle 2 has an irreplaceable battery
    • Lithium ion batteries have a shelf-life limitation as well as a cycle life of a few years
    • When the battery is not continually cycled, it will slowly die out
    • Battery life does not live up to Amazon's claims
    • The radio inside the Kindle sucks up a lot of juice
    • Leo and Steve agree that a scheduling system for the wireless radio would be great

18:27 - 19:11

  • If the Kindle incorporated Wi-Fi, it could be international

19:12 - 22:30

  • Steve explains hysteresis

Spinrite Story

22:30 - 23:28

SpinRite recovered 32 GB of data for a listener in Germany when no other program could.

Questions & Answers

Starts: 29:00

1) 29:01 - 32:29
Listener Comment: Retr0 Bright offers a cheap / free solution for the yellow colouring which occurs on old PCs.

Steve's Comment: Chemical engineers figured out that the fire retardant caused the yellowing and came up with a formula using UV that can return computers to their original colour.

2) 32:29 - 36:37
Question: How does Apple's guest networking feature work in their AirPort Extreme and Time Capsule?

Answer: A user sets up a separate SSID with a separate crypto passphrase, which allows a guest computer access to the internet only and not the LAN. This is how Apple set it up, which happens to be the right way. Other manufacturers may not necessarily do it correctly as Apple did.

3) 36:37 - 41:10
Listener Comment: Grey Haired Memory: Listener remembers a PDP-8 based lunar lander game.

Steve's Comment: Lunar lander games are fun because they are simple and tricky.

4) 41:10 - 48:58
Question: If you have a mix of secure and non-secure items on a page, your browser gives you a warning. But if you embedded a secure iframe on a page, the padlock doesn't appear alerting you it is secure, and you don't get the warning message about a mixture of secure and non-secure items on a page. Is there a way a hacker could exploit this?

Answer: When a browser retrieves a page, the page may contain URLs to other assets, e.g. images. There are two types of URLs: relative and absolute.

  • Absolute URLs begin with a "\", e.g. \image\red.gif, and the browser knows to put the URL of the site you are on in front of it.
  • E.g. if you are on http(s)://www.the.com/cats/funny.html and the page requires an image whose link is \image\red.gif.
  • It would retrieve it from http(s)://www.the.com/image/red.gif
  • Relative URLs begin with a "/", e.g. /image/red.gif, and the browser knows it is relative to where you are, so it adds it after the folder you are in.
  • E.g. if you are on http(s)://www.the.com/cats/funny.html and the page requires an image whose link is /image/red.gif.
  • It would retrieve it from http(s)://www.the.com/cats/image/red.gif
  • If you enter https:// and go to a page with assets, the browser automatically maintains the secure connection to the assets.
  • If, however, you enter http:// and go to a page with assets on it, the browser will not start a secure connection to retrieve them.

An iFrame allows you to embed an entire page within another. These are powerful and useful but exploitable. Web browser designers isolate the iFrame and restrict what can be done inside the frame.
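The scheme inheritance described in this answer can be checked with the WHATWG URL parser that Node.js and current browsers ship. The following is an added example, not part of the episode or the wiki notes; the list of asset references is constructed, and the function names are hypothetical. It resolves each reference against the page URL as that parser does and flags assets that an https:// page would fetch over plain http://.

```javascript
// Added example: resolve asset references with the WHATWG URL parser
// and flag mixed content (cleartext asset on a secure page).
const PAGE = "https://www.the.com/cats/funny.html"; // page URL used in the notes

// Constructed sample references, as they might appear in src/href attributes.
const REFS = [
  "\\image\\red.gif",                 // backslash form quoted in the notes
  "/image/red.gif",                   // leading slash
  "image/red.gif",                    // no leading slash
  "//www.the.com/site.css",           // scheme omitted, host given
  "http://www.the.com/image/red.gif", // explicit http scheme
  "https://www.the.com/frame.html",   // explicit https scheme
];

// Resolve every reference against the page and record whether it is mixed.
function resolveAssets(pageUrl, refs) {
  const page = new URL(pageUrl);
  return refs.map((ref) => {
    // Whatever the reference omits (scheme, host, folder) comes from the page.
    const url = new URL(ref, page);
    return {
      ref,
      resolved: url.href,
      // Mixed content: the page is secure, the asset is fetched in cleartext.
      mixed: page.protocol === "https:" && url.protocol === "http:",
    };
  });
}

// Return only the resolved URLs that would trigger a mixed-content warning.
function mixedContent(pageUrl, refs) {
  return resolveAssets(pageUrl, refs)
    .filter((asset) => asset.mixed)
    .map((asset) => asset.resolved);
}

for (const asset of resolveAssets(PAGE, REFS)) {
  const tag = asset.mixed ? "MIXED" : "ok   ";
  console.log(`${tag} ${asset.ref} -> ${asset.resolved}`);
}
```

Only a reference that spells out http:// is flagged on the secure page; every reference that omits the scheme follows the page's own scheme, so the same list loaded from an http:// page is fetched entirely in cleartext.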

5) 48:58 - 53:29
Question: Listener disagrees with comments made in episodes 185 and 185a that the "mini" in "minicomputer" refers to the instruction set. Instead, "mini" refers to physical size.

Answer: Steve recalls a document by Gordon Bell which explains that DEC was aiming at a minimal computer. Steve explains the difference between RISC and CISC.

6) 53:29 - 56:31
Question: I have about 8 hours of audio I need transcribed. Is Elaine a good choice? Do you give out her contact information?

Answer: Elaine's transcripts are painstakingly accurate and she is highly recommended. Her website is on-sitemedia.com[1].

7) 56:31 - 1:01:49
Question: I'm the CTO of PKWARE, inventors of the zip file format. I'm writing in response to episode 184 where you commented that zip uses AES now. We've updated the zip standard format to support strong encryption capabilities with industry standard encryption. Combining AES with X.509 digital certificates provides sufficiently durable file protection that is every bit as strong as PGP. Support has been added to ZIP files with AES using either a symmetric key or asymmetric key or both. Additional security is provided using digital signature SHA1 or SHA2 to provide authentication.

Answer: SecureZIP Express is free for non-commercial use. We may consider doing a Security Now episode on this software.

8) 1:01:49 - 1:07:35
Question: What's to prevent malware from being inserted into an open source software package and distributed? Wouldn't it be easy to insert a trojan into software and have it be activated at a later date?

Answer: There are custodians in charge of the master archive for a program. Any change is scrutinized by multiple parties. One should be careful about trusting the source of one's programs, whether it is open or closed source.

9) 1:07:35 - 1:11:01
Question: Why is it considered safe to use GoToMyPC on an untrusted computer (such as at an internet cafe) as Leo states in his ads?

Answer: It is important to understand the threat model: what it is you're protected from and what it is you are not. GoToMyPC could use a hardware token to mitigate the threat from keyloggers.

10) 1:11:01 - 1:18:16
Question: If an e-mail is not encrypted, how hard would it be for someone to grab that content between my e-mail server and the destination server? What techniques would they use?

Answer: The threat is not from random people. The ISP network people do have access to everyone's e-mail in their system. The threat is from a rogue ISP employee who targets you. The other threat is from the government who could install devices at ISPs to filter keywords in e-mail. If you really don't want your e-mail read, you need to use PGP or its equivalent.

11) 1:18:16 - 1:24:49
Question: Should modern hard drives be defragmented?

Answer: A lot of hard drives are prone to overheating. The only downside to defragmenting is overheating of the drive. Disk defragmenters do not monitor drive temperature, so be careful. Steve still defragments after cleaning caches and old files and before disk imaging.

12)
There were only 11 questions this week; Steve explains why on his Security Now newsgroup.

"I watched it happen as Leo lost his place and skipped over what was originally question #9. I didn't correct him this time since he had done a Windows Weekly podcast with Paul just before, which ran a bit long, and his schedule was totally jammed up immediately after our recording. So he was in a hurry and essentially needed the time. So I just let it go."

[[2]]

Sponsors

Picks

Bright of the Sky: The Entire and the Rose, Book 1 by Kay Kenyon (UNABRIDGED)
Narrated by Christian Rummel, Kay Kenyon

Ad Time: 0:34 - 0:44 and 23:28 - 28:59

GoToMyPC

Production Information

  • Recorded Date: March 04, 2009
  • Release Date: March 05, 2009
  • Duration: 1:25:32
  • Log line:
  • Edited by: Tony
  • Notes: NA