Security Now 214

From The Official TWiT Wiki

Security Now 214: Listener Feedback 75

Steve addresses feedback on GSM security, cookies, router admin passwords, proxy servers, and more.

News & Errata

02:01 - 07:49

  • Steve and Leo discuss science education in America

07:59 - 14:50

  • Last week Microsoft fixed a sockstress problem in the TCP/IP stack for Windows 2003 and newer versions
  • It did not fix it for any older versions as it is not flexible enough
  • It works by using a flaw in the design of the protocol to tell a machine that the other computer has no buffer space left, so no more data can be sent to the machine. Once the buffer is full, the machine would wait forever for the other end to respond.

14:51 - 15:24

  • Snow Leopard has been updated to incorporate the latest version of Adobe Flash Player

15:25 - 16:35

  • Firefox has been updated to V3.5.3 and V3.0.14

16:36 - 23:03

  • was compromised using a Linux kernel exploit
  • The hackers then gained access to the main Apache server and were able to get onto a staging server and install CGI scripts that allowed them to run remote shells
  • The source code and software were not compromised
  • The extent of the attack was limited as they were using different OSes on their servers

23:04 - 25:46

  • The New York Times website was hit with a JavaScript based scareware attack
  • The NYT uses a third-party ad server, to which hackers had submitted an ad with JavaScript in it that gave a fake message to visitors of the NYT saying they had a virus

25:47 - 26:48

  • Adobe's quarterly update should have been on the 8th of September 2009 but has now been moved to October 13th 2009

26:49 - 29:27

  • Some web monitoring software, which is available at retail under the brands Sentry and FamilySafe and is produced by a company called EchoMetrix, is reading the chat logs of its users and selling them to third parties

SpinRite Story

29:45 - 35:55 Anon (Unknown)

A listener went to update his boss's computer, but the PC locked up and wouldn't reboot. His boss had not backed up his data, but luckily they could set up the drive as a slave on another PC and recover his data. Unfortunately, it still meant that his boss would have to reconfigure his computer back to the way he likes it, and he wouldn't be happy. So the listener ran SpinRite on the drive overnight and it fixed the problem.

Questions & Answers

36:07 - 01:27:20

Comment: [ 01 ]

36:07 - 40:20 Anon (England, UK)
Listener Comment: Data GPRS doesn't use A5/1; it uses GEA/1, which is similar in structure to A5/1, but this would require a different rainbow table computation. Also, there is a new standard, A5/3, but it is hard to get people to spend money to upgrade to it.

Steve's Comment: Steve understands it is hard to get people to spend money to upgrade and that it is now as secure as wired phone lines, as you can tap into them too.

Question: [ 02 ]

40:21 - 49:10 Austin Clark (Menomonee Falls, Wisconsin)
Question: What cookie manager do you use with Firefox?

Answer: Steve uses "Permit Cookies" but warns that it is feature lean. Mozilla's site says it is not compatible with V3.5, although it is, so you will need to install it from the author's website Here. Steve sets Firefox to accept cookies and third-party cookies, but to only keep them "until I close Firefox". Note that in Firefox 3.5 you need to change the History setting to "Use custom settings for history" before you can see the options to remove cookies. The net effect is that when Firefox closes, all cookies are deleted except those allowed to be retained by Permit Cookies.

Question: [ 03 ]

49:11 - 53:00 Mateus (Del Bianco in Brazil)
Question: How easy is it to clone someone's cell phone over the air?

Answer: It is very easy

Question: [ 04 ]

53:01 - 01:00:56 Dax Mars (Unknown)
Question: Could I securely run my own web server?

Answer: Steve would use NetBSD or FreeBSD and run Apache on it. They will run on old hardware and will be very secure. If you install SMB support under Unix, you can look at the Unix machine's file system from a Windows browser. However, if you are running a server at home, Steve recommends using multiple NAT routers to split the server from your home network. Steve also recommends not installing any more services than you need; for example, if you don't need PHP support, don't install it.

Question: [ 05 ]

01:00:57 - 01:09:08 Tim (Rancho Cucamonga, CA)
Question: Do I need to use a secure password for the administration area of my router as well as a secure WPA password?

Answer: The only known vulnerability against WPA AES is a brute-force attack. If someone has physical access to the router or you have WAN management enabled, then a poor admin password on your router is a security vulnerability. However, if someone doesn't have physical access and you don't have WAN management enabled, then it is not possible for someone to get to the login page for your router. But if malware is on your network, it could see the router's login page and attempt to crack the password, so it is important to change the default password regardless.

Question: [ 06 ]

01:09:09 - 01:15:45 Gary McCleery (Oamaru, New Zealand)
Question: I work at a high school where students use proxy servers to get access to blocked sites, can our computers be compromised by the use of these servers?

Answer: It is possible, yes. Most open proxy servers are set up to allow anything through, whereas a corporate or school-run proxy may have additional anti-virus or other security features enabled. Essentially, when you use an open and public proxy server, your web browser is bypassing any external security measures your school or business has put in place.

Question: [ 07 ]

01:15:46 - 01:21:53 Poojan Wagh (Chicago, IL)
Question: Isn't implementing security in hardware a bad idea, as you can't modify it in the future?

Answer: Hardware offers greater security than software, as it is much faster to implement security algorithms in hardware than in software, or to have a more powerful security algorithm run at the same speed as a less secure one would if implemented in software. It also means you can't modify it, which is more secure.

Way Cool Tip of the Week: [ 08 ]

01:21:54 - 01:27:20 Chris (Iron Mountain, MI)
Tip: You can use Google's Safe Browsing Diagnostic Report to bring up a malware report on a site referencing the last 90 days. You simply put the site you want it to check after the "?site=".

Steve and Leo's Comment: This is really cool

Significant Products

  • A Linux plug and play web, DNS and mail server can be found Here and best of all it is free!
  • Steve uses "Permit Cookies" but warns that it is feature lean. Mozilla's site says that it is not compatible with V3.5 although it is. So you will need to install it from the author's website Here.

Production Information

  • Recorded Date: September 16, 2009
  • Release Date: September 17, 2009
  • Duration: 1:28:45
  • Log line:
  • Edited by: Tony
  • Notes: No Ads