Security Now 200

From The Official TWiT Wiki

Security Now 200: Your Questions, Steve's Answers 68

News & Errata - 02:04 - 23:26

Windows News 02:04 - 02:42 & 12:48 - 16:38

  • Microsoft's biggest Patch Tuesday in history this month (June 2009)
  • The 0-day DirectX vulnerability is not fixed yet
  • Microsoft patches 31 vulnerabilities
    • Two vulnerabilities in Active Directory, which are critical remote code execution
    • Three vulnerabilities in the print spooler, which are critical remote code execution
    • Eight vulnerabilities in IE, which are critical remote code execution
    • Two vulnerabilities in Word
    • Several vulnerabilities in Excel
    • A vulnerability in Windows Works
  • RPC (Remote Procedure Call) has a privilege elevation vulnerability
  • The kernel has four privilege elevation bugs
  • IIS has an authentication vulnerability: when you are challenged for authentication, a specially crafted response can bypass the privilege level you would normally get by authenticating at that level, allowing you to elevate
  • Windows Search has an information disclosure vulnerability

ATM Security 02:43 - 06:00

  • Trojan software has been found in ATMs located in Eastern Europe.
  • They all run Windows XP but are from many different vendors.
  • The trojans were well written, in Borland's Delphi.
  • They are not remotely installed trojans; someone would have to have had physical access to the machine.
  • The creators of the trojan have special credit cards.
  • When they swipe the special credit card in an infected machine, it activates the trojan software, which among other things allows them to:
    • Dump out all the cash from the machine.
    • Dump out all users' information and PINs, encrypted with DES.
  • Link to news article

Pirate Bay News 06:01 - 08:42

  • The Pirate Bay appeal was denied
    • Update: The Pirate Bay: Appeals not off. (2009-06-12 02:00 GMT+1)
    • "Pirate Bay judge Tomas Norström was not biased. So considers the Stockholm district court in a statement to the court of appeal, which is investigating whether the trial should be taken on the basis of disqualification." - svd.se
    • District court judge Tomas Norström is considered by the district court not to be biased.
    • The Court of Appeal will now decide, with the help of the response from the District Court, whether Norström was biased.
    • If the Court of Appeal decides that Norström was biased, the sentence is invalidated.
  • The Pirate Party won one of Sweden's 18 seats in the European Parliament.
  • The Pirate Party was established three years ago in response to Swedish legislation that made filesharing a crime.
  • The party's publicly declared aims are to:
    • Reform European copyright law
    • Abolish the European patent system
    • Eliminate digital rights management (DRM)
    • Allow free filesharing on the Internet (for non-commercial purposes)
  • They got 7.13 percent of the vote - Swedish Election Authority
  • The Pirate Party in English
  • A party must receive at least 4% of the votes in order to obtain a mandate (seat) - Swedish Election Authority

Comcast News 08:43 - 11:15

  • Google engineer finds flaw in Comcast's Online Ordering Process Link
  • When you use the live chat to give Comcast your social security number, it is sent in plain text along with all your other personal information

Apple News 11:16 - 12:47

  • Safari 4 has been released

Adobe News 16:39 - 18:47

  • Adobe Patch Tuesday this month
  • Updates are not pushed out automatically; you must manually update your software.
  • The updates are also incremental, so keep updating until you get the final, newest version.
  • Link to news article

DNS News 18:48 - 21:15

  • The .ORG DNS root server was the first major root of DNS to receive a DNSSEC signature.
  • Link to News Article
  • NIST, the National Institute of Standards and Technology, has asked ICANN to get all of the root name servers signed with DNSSEC by the end of 2009.

Recording News 01:47:46 - 01:48:40

  • They will be recording two episodes on June 24th 2009 and July 1st 2009, as Leo is going to China.

Spinrite Story

23:26 - 25:25 Nate Friedman (Santa Rosa)

  • Read on episode 200 by request
  • SpinRite was run on a mission-critical server hard drive that wouldn't clone. Afterwards he was able to clone it successfully.

Questions & Answers

Comment: [ 01 ]

29:01 - 33:06 Jim Millard (Kansas City, Missouri)

Listener Comment: You said that commodity switches will break if we move to IPv6. Recall that a switch, unless outfitted with additional functionality that is not common in consumer equipment, operates at layer 2, not layer 3. It keeps a list of MAC addresses, not IP addresses. So IPv6 will not break it at all.

Steve's Comment: He is correct and lots of people pointed this out to Steve.

Question: [ 02 ]

33:07 - 39:42 John Meuser (Indianapolis, Indiana)

Question: Your non-VPN solution sounds a lot like SSH port forwarding with something like a port knocking daemon to hide that there is a port listening. Is it?

Answer: With SSH port forwarding you run a listening service on the local machine that accepts connections to the localhost address. It takes the connections addressed to it and forwards them over an SSH connection to the remote access point. This approach doesn't require anything in the kernel. Steve's approach will involve a kernel driver which inserts itself between the NIC and the rest of the PC, below the protocol stack, just before packets leave or just after they come in. So the CryptoLink driver will have raw access to the actual packets. The benefit of this is that you don't have to reconfigure your software.

Question: [ 03 ]

39:43 - 48:53 Brad Beyenhof (San Diego, California)

Question: Your Non VPN solution would have to either:

  • Use port forwarding to let the secure ports through your router
  • Put the non-VPN server machine into a DMZ and rely on the software firewall plus non-VPN authorization encryption to remain stealthed.

These are either insecure or difficult for the average user to set up, so what's the story?

Answer: CryptoLink will support NAT traversal, but if both parties are behind a NAT router you will need to use either port forwarding or a third party. If you don't want to trust a third party, you can configure CryptoLink to use port forwarding.

Comment: [ 04 ]

48:54 - 52:21 John Clayton (Billings, Montana)

Listener Comment: As a .NET developer with first-hand experience with Microsoft's ClickOnce technology, I felt there were some misconceptions that needed to be addressed. It won't be winning any awards for easy implementation, but ClickOnce is, simply put, a way for packaging and deploying thick-client applications. These applications run on your desktop like any other that you would otherwise download, not in your browser. They get an icon in the Start menu; they get an entry in Add/Remove Programs. The user is always prompted to install the application, so there's nothing silent as you implied. ClickOnce even supports Authenticode signatures and gives a warning if the signature can't be verified, as in the case of, say, a self-signed certificate. The plug-in that Microsoft installed into Firefox simply provides a handler for the .application files that initiate the install process. Without the plug-in, the user would just get XML. The browser wouldn't know what to do with this, you know, XML file. It wouldn't know that this is an installer prequel.

As a full-time Firefox user, if I want to install a ClickOnce application, the last thing I want to have to do is launch Internet Explorer to do it. While I'm not defending the way the Microsoft installed this update, I do have to present a Thurrott-ian argument. Paul Thurrott, of course, the host of Windows Weekly. If I look at the add-ons right now, I see that Skype, Office 2007, Adobe Acrobat, Apple iTunes, and Apple QuickTime all have their hooks in Firefox. These are all independent applications that installed stuff into Firefox without notifying the user.

If Adobe didn't install their plug-in, PDFs wouldn't open in the browser. If Apple didn't install QuickTime, the QuickTime plug-in, videos wouldn't play automatically. These work the same as the ClickOnce add-ins. They're just handling special files. Skype, iTunes, and Office? Those have even less business being there without notification. My point is that when anyone else does this kind of thing, no one cares. When Apple does it, people thank Steve Jobs. When Google does it, people wonder why it wasn't there in the first place. But when Microsoft does it, all hell breaks loose.

Steve's Comment: See comment 5

Comment: [ 05 ]

52:22 - 59:54 Rob (near Ottawa, Canada)

Listener Comment: Thank you for pointing out the monopolistic behavior of Microsoft by installing a Firefox plug-in for ClickOnce that significantly reduces security for Firefox browsers. Microsoft should be shot and raked over the coals for this. You should have noted that for quite some time now there has been a third-party extension for Firefox that adds the ClickOnce capabilities to Firefox. It's called FFClickOnce. So the MS .NET update that included its own Firefox extension wasn't even necessary. In my opinion, if MS wanted to include its own Firefox extension, it should have made it a separate optional install in MS Updates. Since it did not do this and made it a mandatory installation when you installed .NET 3.5, one can only speculate that MS wanted to make its .NET framework more desirable to developers by increasing the number of users who use a browser with ClickOnce capabilities.

As you noted, ClickOnce is very dangerous. Just by clicking on something on a webpage, an application will be downloaded, installed and run. It would be easy to trick someone into clicking something on a web page that would run with a malicious webpage. Best to disable or uninstall the MS ClickOnce Firefox extension. But if you need to use it, I would highly recommend clicking the Options button right next to the Disable button for the extension and enabling the option that asks the end user for confirmation before running the ClickOnce app. In other words, it's best to turn ClickOnce into ClickTwice.

Steve's Comment: Microsoft is trying to promote a new standard and make it easier for users to install software.

Comment: [ 06 ]

59:55 - 01:10:19 Michael (Missouri)

Listener Comment: You claim to address security, yet you fail to truly take to heart the Linux on the desktop platform. I started out a very proud Microsoft fan myself, and I understand that many users are Microsoft users. But as a technical person I learned the true power of Linux and other open source technologies. Let me make it clear, Ubuntu can be used with no experience or knowledge. However, Linux provides a degree of control that you just can't get with Windows. Linux is modular, does not hide its code in 1's and 0's. You know what you're getting when you use Linux. Please do not dismiss me as a Linux fan boy. I do program, and I understand the choices that both systems make. But even Microsoft declares Linux as its competitor. Microsoft CEO Steve Ballmer admitted Linux is a serious competitor. In any case, I just wish you would truly look into what Linux has become. Even spend an episode addressing it as a security option. You did so with Windows 7.

The next problem I have is with you, Steve Gibson, not making your code open source. You can do whatever you want with your code, and it's nice to keep some code closed source. But I just can't get over your reason for doing so. In one of your episodes you said you don't make your code open source because you were worried it would allow hackers to use it. To me that seems arrogant, to assert that your code is above any others without merit or reason. However, in a security sense, it seems you're condoning security by obscurity - something we mock.

Steve's Comment: There is a limited scope to what Steve can cover, and he uses Windows every day, so it's what is accessible to him. They do cover fundamental technology such as crypto, though, and that isn't platform specific. His software isn't open source because people could create fake, malicious versions of it, and some of his software is what provides his income.

Comment: [ 07 ]

01:10:20 - 01:15:10 Mike Potts, (Columbus, Ohio)

Listener Comment: This note is more for Leo and also for other listeners who want to help younger people who are learning to program. I like an open-source program called Basic-256. It's available at kidbasic.sourceforge.net, means it's open source. Pre-built Windows binaries, source-code, and Ubuntu packages are available. The article "Why Johnny Can't Code" on Salon inspired Basic-256. This program is easy to learn and use. There are reasonable tutorials available. Some sleuthing in the source material will find some nice extras.

But really what sets this program apart is that it has a small graphics window. The programmer is given an approximately 300x300 pixel graphics window with all 16 colors, and enough primitives to do some real work - circles, rectangles, dots, et cetera. Sure, you could teach the classic algorithm of "have the computer guess your number between 1 and 100," which is my favorite beginner problem. But nothing generates more excitement - and I agree - or holds their interest more than having them generate their own primitive civil war, dodge ball, or soccer game.

This program held my 14 year old's interest for several months. What he really learned from this experience was one very important programming lesson: The computer did exactly what he told it to do. Not what he wanted it to do, but what he said to do. You can always get more experience, but I don't think you can get a deeper lesson than that.

Steve's Comment: It's a really nice integrated environment where you have code, you write code on the left, and then in the upper right are all your variables. So you're able to see, which I think is really important, the current state of all the variables in real time, that is, at that point. And then below is a graphic window. So you're able to write some code that says circle at this location of this size, and it goes blunk, and there it is.

Question: [ 08 ]

01:15:11 - 01:20:49 Greg M. (Fort Wayne, Indiana)

Question: If you use a site with an expired SSL certificate, is the data still encrypted?

Answer: There is nothing insecure about an expired certificate; the connection is still encrypted as before. It does, however, raise questions about how well the site is being managed.

Comment: [ 09 ]

01:20:50 - 01:28:40 Jonathan the IT student (Roseville, California)

Listener Comment: NAT is not an acceptable replacement for IPv6, as it creates issues when you want to connect two computers over the internet that both use a NAT router.

Steve's Comment: Unfortunately, reality impinges on the Internet UNIX gurus' original immaculate conception of what the Internet could be. And we know that the 'Net has lots of bad people who do not wish us well. And we need to protect ourselves from them.

Question: [ 10 ]

01:28:41 - 01:33:13 Jeff (Michigan)

Question: How do you tell if your computer has a TPM?

Answer: Look in the BIOS; if your system has a TPM it will be listed there. It is normally turned off by default, and you will need to enable it in the BIOS before Windows will recognise it.
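As an added example (not from the show), the same check can be made from within Windows using the TPM WMI provider, which is what the BIOS setting ultimately controls: if the chip is absent or disabled in the BIOS, Windows enumerates no TPM instance at all. The function name Get-TpmStatus and the report strings are this example's own; Win32_Tpm and its IsEnabled/IsActivated/IsOwned methods are the standard WMI class (Vista and later, run from an elevated prompt).

```powershell
# Added example: query the Windows TPM WMI provider to tell
# "no TPM visible" apart from "TPM present but not enabled/activated".
function Get-TpmStatus {
    # Win32_Tpm lives in its own namespace; if the TPM is absent or
    # switched off in the BIOS, this query returns nothing.
    $tpm = Get-WmiObject -Namespace "root\cimv2\Security\MicrosoftTpm" `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        return [pscustomobject]@{
            Present = $false; Enabled = $false; Activated = $false
            Owned = $false; Version = $null
        }
    }
    # Each Is* method returns an object carrying a boolean of the same name.
    [pscustomobject]@{
        Present   = $true
        Enabled   = [bool]$tpm.IsEnabled().IsEnabled
        Activated = [bool]$tpm.IsActivated().IsActivated
        Owned     = [bool]$tpm.IsOwned().IsOwned
        Version   = $tpm.SpecVersion
    }
}

$status = Get-TpmStatus
if (-not $status.Present) {
    "No TPM visible to Windows: check the BIOS/UEFI setup for a TPM or 'security chip' option."
} elseif (-not ($status.Enabled -and $status.Activated)) {
    "TPM present (spec $($status.Version)) but not enabled and activated: turn it on in the BIOS."
} else {
    "TPM present, enabled and activated (owned: $($status.Owned))."
}
```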

Question: [ 11 ]

01:33:14 - 01:41:30 Don Daniels (Evergreen, Colorado)

Question: Skype enables UPnP by default, but if I use your Unplug n' Pray utility it says UPnP is disabled. What's going on?

Answer: Skype uses UPnP to open a port on your router so that the connection quality is better.

Question: [ 12 ]

01:41:31 - 01:47:10 Jeffrey Dunn (Riley Township)

Question: Does your version of BRIEF have syntax highlighting?

Answer: Yes, Steve uses an add-on called Colours for it. Link to Syntax Highlighting Add-On for BRIEF

Sponsors

GoToAssist

  • GoToAssist Q209-1
  • Time code: 0:33-0:49 and 25:51-29:00

Production Information

  • Recorded Date: June 10, 2009
  • Release Date: June 11, 2009
  • Duration: 1:48:48
  • Log line:
  • Edited by: Dane with Erik
  • Notes: