Security Now 196
Topic: 12 listener questions
Recorded: May 13 2009
Published: May 14, 2009
Security Now 196: Listener Feedback 66
News & Errata
01:00 - 02:05
- Security Now has never missed an episode in 196 weeks
- Leo is going to China in July, so they will be pre-recording episodes
12:03 - 15:10
- The second Tuesday of this month was the past Tuesday (May 12).
- There was a critical remote code execution vulnerability in PowerPoint that was patched.
- New edition of the Microsoft Malicious Software Removal Tool.
15:11 - 16:00
- Google patched a critical 'Graphical Integer Divide Overflow Rendering' flaw in Chrome.
- But they didn't do it right, and later this week a new(er) patch was released to fix some additional errors.
- If you are using Chrome check that you have the latest version, 188.8.131.52.
16:01 - 19:00
- Largest Mac OS X update ever released this week (10.5.7) at 449MB.
- More than 13,000 files changed in this update.
- A lot of Unix programs were patched.
19:01 - 23:06
- Medical devices and MRI machines were found to be infected with Conficker in hospitals
- Someone noticed a medical machine was reaching out to get updates from the internet.
- The manufacturers told them none of the machines were meant to be connected to the internet.
- US laws prevent the machines from being updated for at least 90 days
- Conficker Worm Found in Hospital Equipment
23:23 - 28:08
- Adblock Plus and NoScript have had a dispute
- NoScript went to some lengths to stop Adblock Plus from blocking ads on its site
- NoScript's author admitted he had made a mistake and removed this behaviour
- Adblock Plus on NoScript /Adblock Plus and (a little) more: Attn NoScript Users
- Giorgio of NoScript's response to above article Hackademix.net/ Giorgio's Response
28:09 - 33:07
- Steve's next major commercial product will be Cryptolink
- He had to decide what mode to use for authentication and encryption
- There is one mode called OCB, created by Phillip Rogaway; it is twice as efficient as any other mode
- Steve asked Phillip if he could use it and was given permission
- Phillip Rogaway's OCB Encryption and Authentication Algorithm OCB
33:08 - 34:04
- SecurAble has been mentioned all over the place as a way of determining what processor capabilities you have
- Steve Gibson's SecurAble GRC/SecurAble
34:05 - 36:54
- Correction: Steve stated in the last Security Now that the new Kindle DX had a higher pixel pitch than the Kindle 2, when in fact, although the DX's overall resolution may be higher, its pixel density is lower.
- Kindle 1 & 2: 167ppi (or 800x600 pixels)
- Kindle DX: 150ppi (or 1200x824).
- Extra note, the DX has a rotation sensor built-in
36:55 - 42:19
- D-Link is about to begin to replace router built-in DNS with their own service.
- This is concerning as it will monetize DNS and fundamentally break the DNS service.
01:55:07 - 01:59:10
- On May 24th there is going to be a TWiT with Dan Bricklin, the creator of VisiCalc.
42:23 - 46:50
Question: Is it safe to use a drive after you have run SpinRite at level 4?
Answer: Keep an eye on the drive and, if possible, don't use it in a mission-critical situation; then run SpinRite on it from time to time. Consult the SMART display screen (in SpinRite) and see the dynamic error-correction rate; if this count rises over time or is considerably greater than that of other similar drives, take heed.
Questions & Answers
Question: [ 01 ]
53:15 - 01:01:36 Robert Minkler (Prescott Valley, Arizona)
Question: During the SSL connection negotiation, what happens when the two machines need to create and exchange a new symmetric key? How exactly do both machines end up with the same symmetric key and keep it a secret?
Answer: The client sends a client key exchange message: it takes the version number and generates another 46 bytes to create a 48-byte datum. It encrypts these 48 bytes with the server's public key and sends the result in the client key exchange message. The server receives this and decrypts it using its private key. It compares the client version with what it was told earlier and, if they don't match, drops the connection. Then the client generates another chunk of randomness and they send it to each other. Then the client generates 48 bytes, which it encrypts and sends to the server, which decrypts it. They mix all of that together: the client's randomness, the server's randomness, and their shared secret, which is called the "premaster key." That's all mixed together using a common hashing function to generate the final master key, which is then used to generate all subsequent keys.
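The derivation described in this answer, as an added example that is not from the episode or these notes. It assumes the TLS 1.2 mixing function (the HMAC-SHA256 PRF from RFC 5246) as the "common hashing function", uses constructed random values, and leaves out the RSA encryption of the 48 bytes; all function names are illustrative.

```python
import hashlib
import hmac
import os

HELLO_VERSION = bytes([3, 3])  # constructed: version the client offered (TLS 1.2)


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_hash from RFC 5246 section 5: HMAC-SHA256 chained until long enough."""
    out, a = b"", seed  # a starts as A(0) = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()  # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def make_premaster(offered_version: bytes) -> bytes:
    """Client: 2 version bytes plus 46 random bytes, the 48-byte datum."""
    return offered_version + os.urandom(46)


def check_premaster(premaster: bytes, hello_version: bytes) -> bytes:
    """Server, after decrypting: the embedded version must match the hello.

    The notes say the server drops the connection; RFC 5246 recommends
    continuing with a random premaster so the failure is not observable.
    """
    if len(premaster) != 48 or premaster[:2] != hello_version:
        raise ValueError("premaster length or version mismatch")
    return premaster


def master_secret(premaster: bytes, client_random: bytes,
                  server_random: bytes) -> bytes:
    """Mix premaster and both randoms into the 48-byte master key."""
    seed = b"master secret" + client_random + server_random
    return p_sha256(premaster, seed, 48)


def handshake() -> tuple:
    """Run both sides; returns (client_master, server_master)."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    premaster = make_premaster(HELLO_VERSION)
    # RSA transport omitted: on the wire these 48 bytes travel encrypted
    # under the server's public key and are decrypted with its private key.
    received = check_premaster(premaster, HELLO_VERSION)
    client_master = master_secret(premaster, client_random, server_random)
    server_master = master_secret(received, client_random, server_random)
    return client_master, server_master


if __name__ == "__main__":
    c, s = handshake()
    print("master keys match:", hmac.compare_digest(c, s), len(c), "bytes")
```

Only the two randoms cross the wire in the clear; an eavesdropper who sees them still lacks the premaster, so cannot reproduce the master key.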
Question: [ 02 ]
01:01:37 - 01:09:30 Marv Schwartz (Case Western Reserve University, Cleveland, Ohio)
Question: Is putting a router between you and a potentially insecure LAN a good idea?
Answer: Yes, it gives you hardware-level protection, as long as you configure it properly by doing things such as disabling Universal Plug and Play and changing the administrator password.
Comment: [ 03 ]
01:09:31 - 01:14:10 Jason Russo (Unknown) & “JD” (Unknown)
Listener Comment 2: PDFs have the ability to have Flash content embedded inside. I have personally seen a demonstration of this in the form of a Flash-based "dashboard" that contained data represented in the form of "pretty" gauges. These "dashboards" could then be sent to an executive or other user for review. They could then "play" with the data by adjusting graphically represented "sliders" and "knobs" to analyze the effects on the data as it is changed.
Comment: [ 04 ]
01:14:12 - 01:19:29 Adrian Oliver (Chiang Mai, Thailand)
Listener Comment: I used to work with a large industrial automation systems manufacturer, which for the last 30 years, has been designing, building, installing large (and small) control and monitoring systems from nuclear power stations down to small factory systems.
Throughout all those years, the critical control systems have always been based on either home-grown proprietary operating systems, or a commercial real-time OS, like VxWorks. Some 10 years ago, Microsoft were trying to convince us and other similar companies to adopt Windows Embedded. When asked the question of vulnerability issues, they stated that they would guarantee a patch within 2 weeks of discovery - the control system could then automatically download it from the internet, install, and reboot. Obviously the concept of rebooting the control system of a nuclear power station did not worry them -- but it sure wasn't feasible to us. Given that the default for Windows is to automatically download, install and reboot at the same time, it would be likely that ALL such Windows powered control systems would reboot (and potentially fail to boot) at exactly the same time!
In the 20 years that I have been in this industry, our company never had any control failures in the dedicated control systems due to viruses, attacks, or hacking attempts. Yes, it is true that most/all the supervisory systems now are Windows based, which are as vulnerable to viruses as any home computer. However, they are normally operating as supervisory only, reporting, monitoring systems – hopefully never part of any control loop. All critical control systems are designed to continue operating, even when the supervisory system fails for whatever reason (virus, power failure, cut network cable, or even deliberate attempts to cause failure). Fortunately, I know that most European operators and manufacturers are extremely careful with what they will allow to run their systems. One pharmaceutical company near where I used to live in the UK manufactured penicillin. Because the manufacturing process of penicillin produces a very fine dust, the explosion hazard is extremely high. The estimated blast radius, should an explosion occur, is one and a half miles! The local, permanently manned fire station is 2 miles away. Consequently, the people who run the plant were extremely particular (no pun intended) about what software was used to control the plant, as their lives depended on it! It sure wasn't anything from Microsoft!
On a different, but related note, NASA's Mars Rovers are running VxWorks … and they are still running. Had they been designed with Windows XP, we would have had to ask the Martians to reboot the robots several times by now.
Steve's Comment: Microsoft tries to get into markets it doesn't have a foothold in.
Comment: [ 05 ]
01:19:30 - 01:22:50 Daan Dingjan (Netherlands)
Listener Comment: The last two episodes I've been hearing your worries about Windows being used to run critical systems. I'm sure you'll be happy to know that, yes indeed, a nuclear plant in the Netherlands _is_ run on Windows. During a tour through the control room of the facility in Petten, I recognized Windows on the monitors; from what I could tell, it was NT4. Of course I asked whether this was actually used to run the plant, or just for administrative tasks. Without any trace of worry, they replied that it was used to run the plant. When I expressed my concern and skepticism, they said it had been running a long time, and was completely secure. “If it ain't broke, don’t fix it” was the gist of their reply.
Steve's Comment: The good news is Windows NT was pretty bulletproof and secure; it did have the metafile exploit, though.
Comment: [ 06 ]
01:22:51 - 01:26:15 Lucas Qualls (Jonesboro, AR)
Listener Comment: I just wanted to let you know that if you've ever seen the self-checkouts at a WalMart store, they are running on Windows XP. My store no longer has them (thank god because they were a total pain!) But when we did, I saw them reboot several times, and it is Windows XP booting up, and then just a program that loads at boot time to run the kiosk (just drag it into the Start Menu!) (An interesting side note is that they run a terminal emulation program that allows them to access the proprietary system that the other WalMart cash registers connect to.) Also, recently they took out the reliable “old-timey” ATM that we had in the store (you know, the kind that has the green text on a screen and no graphics at all, and also the kind that Just Works.) ... and replaced it with the Walmart “Money Center Express”. We got word that it was supposed to be the most amazing thing in the world. It has an ATM built in, but also allows customers to buy money orders, purchase and reload gift cards, etc. Well ... it would be a great thing … if it actually worked. However ... yes you guessed it ... the new system runs (when it does) on Windows XP as well. And not only that, but the thing doesn't work AT ALL half the time. Things on it are constantly breaking. It is always needing someone to come out to fix it. It has to be serviced by NCR at least once a week. I've personally never used it because I don't feel comfortable using my ATM card at a terminal that I know is running on Windows – and not even well! So this is just another example of how stupid some people can be when designing things. Feel free to use this on the podcast, and I don't care if you mention my name or location.
Steve's Comment: We will be reading more about Windows being used in mission-critical situations in the future.
Question: [ 07 ]
01:26:16 - 01:33:15 Barry Burton (Scotland)
Question: If your wifi access point goes down, someone could put their own up with the same SSID, and wouldn't your computer give it your pre-shared key, so when your access point comes back up they would have full access to it?
Answer: The client does not give the access point the PSK; the access point has to be given it before the client connects. They both encrypt everything they send with the key and attempt to decrypt what they receive with the key.
Question: [ 08 ]
01:33:16 - 01:39:33 Anon (Unknown)
Question: If a criminal organization has control over that many machines, do they not have the ability to take down any web site on the Internet? If so, wouldn't extortion be another method of gaining money? Has this happened and is there an effective countermeasure to a massive DDOS?
Answer: It has happened before, and gambling sites are normally targeted because they need to be online during sporting events. If they are taken down during an event they lose lots of money. The problem for the criminals is getting the money without being traced. Nothing can defend against contemporary DDOS attacks.
Comment: [ 09 ]
01:39:34 - 01:45:49 Marv Schwartz (Case Western Reserve University in Cleveland, Ohio)
Listener Comment: You have never discussed how the choice of language in which a system is written impacts the reliability, and therefore the security of the system. In fact, since you are an accomplished assembly language programmer, you, perhaps inadvertently, promote assembly language programming. Assembly language, C, and C++ all put a huge and unnecessary bookkeeping burden on the programmer and lead to mistakes. And they all provide unnecessary opportunities to clobber registers and memory through bookkeeping errors, bad pointers, subscripts out of range, buffer overruns, and so forth; and they require the programmer to allocate and release memory. Language design that promotes writing reliable software is at least a 40-year-old endeavor. These languages are strongly typed. This immediately eliminates assembly language, C, and C++. Although I've never used it, I remember a colleague returning from a stint at Xerox PARC and commenting that when a MESA program compiled, it would run. So if we are serious about writing reliable software, which is a prerequisite for secure systems, shouldn't we be using languages that help us do that and avoiding languages that invite us to mess up? Is this worth a session on SecurityNow? Are you going to write CryptoLink in assembler? If so, what are you planning for a UI?
Steve's Comment: Programmers like lower level languages because of the power they offer.
Comment: [ 10 ]
01:45:50 - 01:49:21 Charles Palen (Norwood, Mass)
Listener Comment: I work as an interactive developer for a company called Boston Productions. We actually build and install museum and visitor center exhibits. I have previous work experience in corporate and small business IT and it was always a mystery to me why museums, signs, and kiosk systems run on Windows until I started working in the industry. There are several reasons including total cost of ownership, IT support, dual display support, and driver support. My boss recently wrote an elaborate article about this at http://backroom.bostonproductions.com. To summarize, the major reason we use Windows is touch screen driver support (which is terrible even in Windows across different overlay vendors) and multiple display support. How easy do you think it would be to configure a touch-screen in a 1366 x 768 vertical resolution with dual monitor support so it can also be viewed on a KVM from the exhibit machine room if the machine were running FreeBSD? Although I am a long time Linux user and utilize FreeBSD with dummynet to simulate network lag when doing network programming, most of the museum and creative design industry are Mac users. It's unfortunate but the vast majority of the people working in our industry simply don't have the computer skills needed to use a stripped down OS for exhibit deployments. As an example, everyone in our office uses a Mac except my boss and me who are the programmers in our company. We utilize Windows Vista on our main development machines because we need access to the Flash IDE, multi-monitor support, and many other features.
Steve's Comment: If the machine crashes, nothing serious is going to happen, and he understands the need to keep costs down and use a platform which is easy to develop for.
Question: [ 11 ]
01:49:22 - 01:52:13 Dan (San Diego)
Question: How do government organizations or individuals for that matter "spy" on people who use VPNs? I know it's possible. Do they need the assistance of the company providing the VPN service to that customer?
Answer: These programs protect the communication link, but if the machine using the program is compromised it could still leak information.
Comment: [ 12 ]
01:52:14 - 01:55:07 Andre (Jamaica)
Listener Comment: I can relate to the surprise Paul experienced upon discovering that ATMs at his bank ran Windows XP. I always assumed they ran special, robust embedded software, or at least a customized flavor of UNIX on these machines. Needless to say I was very surprised last year when I started working as a Software Engineer for a company that sells and supports ATMs, only to discover that the majority of ATMs run Windows XP. It turns out that the manufacturer whose ATMs I work with used to run OS/2 on them. When OS/2 went under they moved first to Windows NT and then to XP. They sold the move to Windows based on ease of software development among other things. On the security side of things, these ATMs run in a somewhat isolated environment (network wise). They are not connected to the Internet. No personal data is stored locally, and there are many levels of encryption including hardware based for really key stuff as well as on communications. And for the record, no, Leo, we don't write ATM software in VB. There are also many pieces of software that manage failures, crashes, BSOD and the like. That being said, personally, I don't believe anyone or anything should run Windows - except perhaps the Death Star. I was gonna say the Borg, but they wouldn't be that stupid! So yes, it's a bit unnerving that Windows pops up in places which are obviously bad ideas.
Steve's Comment: He hopes they won't move to Vista or Windows 7 soon.
51:00 - 51:55
- CVT Inc Keyboards - These are vintage keyboards with full motion mechanical switches, as mentioned by Steve
- Ad Time: 0:52-1:05 and 09:37-11:56
Nerds On Site
- Nerds on Site
- Ad Time: 0:33-0:50 and 46:51-48:57
- Recorded Date: May 13, 2009
- Release Date: May 14, 2009
- Duration: 2:00:54
- Log line:
- Edited by: Tony
- Notes: Longest Security Now to date