Security Now 207

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 207


Security Now 207: Listener Feedback 71

News & Errata

02:35 - 07:00

  • The iPhone SMS exploit is being shown at Blackhat and affects all iPhones
  • It allows someone to completely take over your phone
  • They will also be revealing a similar exploit in windows mobile SMS

07:01 - 12:30

  • Microsoft have released two critical out of cycle updates
  • Theres a patch for the Visual Studio tool set which is used for producing Active X controls
  • There is a flaw in it which allows the killbit to be ignored if set
  • Theres a patch for Internet Explorer which also addresses this issue

12:31 - 13:35

  • Windows 7 has was RTM

13:36 - 16:20

  • There is a critical vulnerability in Adobe Flash player 9 and 10 and Adobe Reader

16:21 - 19:22

  • Network Solutions had a massive credit card breach 573,000 credit and debit card accounts over a three-month period were exposed

19:23 - 22:15

  • Bind v9 has a known problem and updates are available

22:16 - 29:40

  • Buy.com and Orbitz.com as well as some other sites have been linked to what they're calling controversial marketers
  • They are providing your credit card information to third parties without your permission who are charging the card

29:41 - 31:02

  • Dan Kaminsky and Kevin Mitnick were both hacked

31:03 - 32:55

  • The BBC has released a scifi series called "Torchwood: Children of Earth" which Steve recommends

32:56 - 33:47

  • The pilot of "Defying Gravity" is airing on ABC this Sunday
  • It is about a bunch of people who are cooped up on a space ship which is on an extended voyage from Earth to Venus,

33:48 - 35:04

  • Last week Leo commented that curling your toes may help with Jetlag and a listener wrote in to say it actually is used to relieve stress

Spinrite Story

35:05 - 39:17 Matthew (Fresno)

Spinrite fixed his mother in laws PC which would not boot after running for 17 minutes

Questions & Answers

Question: [ 01 ]

41:56 - 47:24 FireXware (North Canada)
Question: What is your favourite assembly language to use on Windows ?

Answer: MASM

Question: [ 02 ]

47:25 - 57:28 Chris (Australia)
Question: Can you explain the new attack on AES 256 ?

Answer: This is called a "related key attack," where if somebody had access to the keys, you could make small changes to the keys, changing only a few bits, and map how the so-called "key schedule" changes. The idea is we can take a key, make a few bits of change out of the 256 bits of the key, and track how those changes propagate through the expansion of the key and learn something about it. And what we learn is that not as much changes as we were hoping. What you want in a theoretically perfect cipher, is any changes in the bits of the key completely change the action of the cipher in a way that can't be predicted. So this is purely a theoretical weakening such that it turns out that the 256-bit length is not as strong in the presence of somebody manipulating the key. The only time that might be useful is when the cipher is being used in a hash function where the data that you're hashing, depending upon the hashing algorithm, might provide input to the keying input of the cipher.

Comment: [ 03 ]

57:29 - 59:22 John Hughan (San Francisco)
Listener Comment: A good book for eliminating jetlag is Overcoming Jet Lag" by Charles F. Ehret. It involves eating certain kinds of foods at certain times starting a few days before the flight.

Steve and Leo's Comment: He is sceptical about solutions for jetlag from books as there is a mental element where you want the book to work as you brought it.

Comment: [ 04 ]

59:23 - 01:04:15 John Kennedy (Metairie, Louisiana)
Listener Comment: Steve should use the latest version of software as he could provide review and analysis of it

Steve's Comment: Steve doesn't have the time to test new versions of software and he doesn't want to lower his security

Question: [ 05 ]

01:04:16 - 01:09:48 Andrew McKinnon (Brisbane, Australia)
Question: My iPhone's IP address changes from 144.233.xxx.xxx to 10.1.xxx.xxx in certain areas how come?

Answer: Different ISP's have different set ups and when you have a 10.1.xxx.xxx you are behind a NAT

Question: [ 06 ]

01:09:49 - 01:14:36 Kevin Ghadyani (Overland Park, Kansas)
Question: When I run your security now webpage through a HTML validator I get 13,853 errors and 24 warnings why is this?

Answer: Steve's pages are designed to work in all browsers and due to differences between browsers you have to use some tricks which technically aren't standards compliant but it works

Question: [ 07 ]

01:14:37 - 01:20:03 Mike V. (Greeley, Colorado)
Question: I have a system for mobile USB security. I wanted to make sure it was totally safe. I've encrypted all my files on my USB drive with TrueCrypt, with a password from your Perfect Passwords system. The password for that is stored in a text file on a drive, actually on the same drive, which I encrypted with 7-Zip. The password for that zip file is another Perfect Password, which is stored in a text file on a separate thumb drive I always carry with me. THAT text file is in a zip with a password that I've memorized. Is this secure?

Answer: The simple password which you have memorised is the weak link in the chain and it is very complex so it is not as secure as it sounds. You could just use a true crypt encrypted drive and copy a perfect password in with some changes only you know.

Question: [ 08 ]

01:20:04 - 01:23:09 Scott (Upstate New York)
Question: Is it a privacy concern that Firefox remembers your zoom setting for each website even after you clear private data as you no longer have plausible deniability that you didn't visit it ?

Answer: Yes it is a privacy issue

Comment: [ 09 ]

01:23:10 - 01:25:37 Patti Clark (Knoxville, Tennessee)
Listener Comment: I was listening to Episode 205 on Lempel and Ziv when my ears perked up on the CompuServe segment. I spent most of the 1980s as an employee of CompuServe. You were correct when mentioning that CompuServe was a time-sharing company, and H&R Block was their parent. The computers behind the Consumer Information Service were DEC System 10s and 20s. That's what they called - CompuServe was called CIS.

I had the pleasure of working with one of the system programmers who had pulled together a handful of games and created the forum - precursor to bulletin boards and chat rooms - software. The idea was indeed to do something with all of that computing power that was sitting mostly idle during the evening hours. It surprised management when it took off and ultimately became what the company will be known for in history. AOL bought CompuServe from H&R Block some time back. Back then, modems started as 300 baud acoustic couplers - that's what I used to log onto CompuServe when I first started doing it - then later 1200 and 2400 baud modems were comparatively fast. Everything was text-based. Yeah. We were on the "bleeding edge" when we brought email to larger corporations and the federal government. Sorry, my reminiscent hat has slipped on. Anyway, I enjoy your program, and I learn something new each week. Thank you, Patti Clark. 75106,3139.

Steve's Comment: Steve thinks its neat.

Comment: [ 10 ]

01:25:38 - 01:29:16 David Cox (Colorado Springs)
Listener Comment: I was driving to work listening to Security Now and I was so engrossed in it I lost concentration driving and nearly crashed the car.

Steve's Comment: Thank you for your story

Question: [ 11 ]

01:29:17 - 01:35:40 Robert Antman (Los Angeles)
Question: Could you code a password generator for your website that uses words from the English dictionary as it would be easier to remember?

Answer: It would not be much more memorable and he recommends modifying a perfect password you can write down as it is really secure

Question: [ 12 ]

01:35:41 - 01:42:40 Jeff (USA)
Question: I have received a new Chase credit card with an RFID chip is this secure?

Answer: Possibly not as anyone could poll the card whilst its in your wallet. Steve recommends microwaving it for 5 seconds.

Sponsors

GoToAssist

Production Information

  • Recorded Date: July 29, 2009
  • Release Date: July 30, 2009
  • Duration: 1:43:50
  • Log line:
  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.