Security Now 222
Episode 222
Topic: Listener Feedback #79. Recorded: November 11, 2009. Published: November 12, 2009. Duration: 1:53:55
Contents
Security Now 222: Your Questions, Steve's Answers 79
News & Errata
03:50 - 05:30
- Someone has created a Vitamin D iPhone application based on Steve's podcast
- It is called 'Vitamin D Listen and Learn'
10:38 - 14:55
- As well as installing a speech application demo on Steve's computer, the Adobe updater installed a toolbar in Internet Explorer
- Adobe Shockwave has five critical vulnerabilities; users should update to v11.5.2.602
14:56 - 16:15
- The Java Runtime Environment has multiple vulnerabilities, but no update is available yet
16:16 - 20:47
- France was proposing a law under which anyone accused of illegal file sharing three times would be banned from the Internet
- However, the EU is trying to create a unified law, and it appears that this will no longer be the case and there will be a more pro-user policy
- There is also a treaty called the ACTA treaty, being negotiated in secret, that would apply to the entire world and does propose the three-strikes policy
20:48 - 21:37
- This Patch Tuesday there were:
- 3 Critical updates
- 3 Important updates
21:38 - 23:27
- Leopard and Snow Leopard were updated
- Apple have released no details about what the updates do
- But the update breaks support for Intel Atom processors
23:28 - 26:47
- There is an iPhone worm in the wild called 'iKee'
- It spreads by connecting to the SSH service on jailbroken iPhones using the default username and password, which jailbreaking leaves in place unless the owner changes them
26:48 - 28:34
- There is a session renegotiation flaw in the latest version of SSL
- It allows a man in the middle to splice their own request into an existing SSL connection ahead of the victim's data, so the server sees the attacker's transaction as coming from the victim
28:35 - 29:52
- There are PDF and PowerPoint files of John Cummings' JavaScript presentations available on Steve's website
Spinrite Story
29:53 - 34:20 Cody Krieger (Unknown)
A listener used a pirated copy of software to fix a few of his hard drives and then purchased a copy from Steve
Questions & Answers
36:35 - 01:40:10
Question: [ 01 ]
36:35 - 41:56 Mike (Baltimore, Maryland)
Question: Is it more secure to change my SSH port every day rather than leave it alone?
Answer: Steve isn't a fan of this idea. He recommends using a really secure password instead and disabling the service unless you need it
Question: [ 02 ]
41:57 - 53:53 Dana Rae Park (Kelseyville, California)
Question: When I access the 2701HG-B Gateway System Summary through my browser, there is a Firewall icon which tells me, "The firewall actively blocks access of unwanted activity from the Internet." Am I behind two firewalls, one on the router and one on XP? The Summary also says "Your system software is current. Check back for future available upgrades." I don't know what the 2701HG-B gateway is. Do routers phone home for updates like XP? Am I safe? Am I practising safe computing?
Answer: You are behind two firewalls. Routers do sometimes require updates and not all of them automatically download updates.
Comment: [ 03 ]
53:54 - 01:05:02 Andrew DeFaria (Tempe, Arizona)
Listener Comment: Here are some tips to secure SSH: 1) Use a preshared key rather than a username and password. 2) I use a Perl script to automatically email the upstream provider of anyone who tries to brute force the password. 3) Shadow all log files to another location and then compare the two logs to detect any modifications, which would indicate a break-in
Answer: 1) Using a preshared key is a great idea but, 2) The automated email thing is a bad idea, 3) If your computer is compromised the bad guy could modify both log files
Question: [ 04 ]
01:05:03 - 01:12:15 Duane McElvain (Chicago, Illinois)
Question: You said that if every website used SSL throughout the whole site then it would put a large load on the server. However, you later said that some sites now use a 2048-bit key as processing power is so great it doesn't matter
Answer: It used to put a lot of stress on servers to use SSL but now with improvements in technology and modifications to the protocol it puts less stress on the servers
Comment: [ 05 ]
01:12:16 - 01:18:16 Jason M. (San Diego)
Listener Comment: You said that public keys normally expire in about 3 years, this may be true of the certificate but not the key
Steve's Comment: This is correct; normally on Windows the keys are automatically changed, though
Comment: [ 06 ]
01:18:17 - 01:23:32 Paul Wilde (Bristol, UK)
Listener Comment: My bank forces you to use a big, fat, ugly calculator-type device to generate a PIN when you want to use their website. This means I have to take it with me if I want to use my bank's website, which is annoying.
Steve's Comment: Steve agrees that security shouldn't annoy the user too much, and companies need to strike a balance between security and ease of use.
Comment: [ 07 ]
01:23:32 - 01:33:20 Jason (Rochester, Minnesota)
Listener Comment: If someone is watching your traffic then they could determine what your port knocking sequence is. It would be better to use something like the PayPal football to pseudo randomly generate the ports that need to be knocked.
Steve's Comment: Steve is not a fan of port knocking as packets can arrive out of order but this is a good idea
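Jason's idea, worked through as an added example that is not part of the show notes and is not code from Steve or the listener: both the client token (the "football") and the server derive the knock sequence from HMAC-SHA256 over a shared secret and a time counter, the same way a time-based one-time-password token works, so an observer who records one sequence cannot reuse it. The secret, the four-knock length, the port range and the 30-second step are all assumptions for the demonstration. The verifier also addresses Steve's objection about out-of-order packets: with ordered=False it accepts the knocks as a set.

```python
import hashlib
import hmac
import struct
import time

# Assumed parameters (not from the episode): four knocks per sequence, drawn
# from the unprivileged port range, with a 30-second time step like a TOTP token.
KNOCK_COUNT = 4
PORT_LOW, PORT_HIGH = 1024, 65535
STEP_SECONDS = 30


def knock_sequence(secret, counter, count=KNOCK_COUNT):
    """Derive `count` distinct knock ports from HMAC-SHA256(secret, counter || nonce).

    Client and server run this with the same secret and time counter, so the
    sequence changes every step and a recorded sequence says nothing about the next.
    """
    ports = []
    nonce = 0
    span = PORT_HIGH - PORT_LOW + 1
    while len(ports) < count:
        tag = hmac.new(secret, struct.pack(">QI", counter, nonce), hashlib.sha256).digest()
        port = PORT_LOW + int.from_bytes(tag[:4], "big") % span
        if port not in ports:  # skip duplicates so every knock is a distinct port
            ports.append(port)
        nonce += 1
    return ports


def time_counter(now=None):
    """Current time step; passing `now` lets callers pin the clock."""
    return int((time.time() if now is None else now) // STEP_SECONDS)


class KnockVerifier:
    """Server side: accept the sequence for the current step or its neighbours.

    `ordered=False` compares the knocks as a sorted set, which tolerates the
    out-of-order delivery Steve objects to, at the cost of the ordering entropy.
    """

    def __init__(self, secret, window=1, ordered=True, clock=time.time):
        self.secret = secret
        self.window = window
        self.ordered = ordered
        self.clock = clock
        self.used = set()  # counters already redeemed: blocks replay within a step

    def _encode(self, ports):
        seq = list(ports) if self.ordered else sorted(ports)
        return b"".join(struct.pack(">H", p) for p in seq)

    def verify(self, observed):
        """Return True once per time step if `observed` matches a sequence in the window."""
        step = time_counter(self.clock())
        got = self._encode(observed)
        for counter in range(step - self.window, step + self.window + 1):
            if counter in self.used:
                continue
            expected = self._encode(knock_sequence(self.secret, counter))
            if hmac.compare_digest(expected, got):
                self.used.add(counter)
                return True
        return False


if __name__ == "__main__":
    demo_secret = b"constructed-demo-secret"  # constructed for the example
    print("knock now on ports:", knock_sequence(demo_secret, time_counter()))
```

The `used` set is what stops a passive observer from simply replaying the knocks they just saw within the same 30-second window; the window of one step either side absorbs clock skew between token and server. None of this replaces authentication on the service itself: knocking only hides the port, so the strong credentials Steve recommends in Question 01 are still what protects the login.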
Biometric Abuse Story of the Week: [ 08 ]
01:33:21 - 01:40:10 Michael OConnor (Oswego, Illinois)
Story: His bank insisted that he give them his fingerprints before cashing a cheque
Steve's Response: Steve is against casual disclosure of biometric data
Significant Products
Sponsors
Ford Sync
- Sync My Ride
- Ad Time: 00:36 - 00:53 and 05:58 - 10:33
Go To My PC
- Go To My PC
- Ad Time: 00:54 - 01:08 and 34:18 - 36:28
Production Information
- Edited by: Tony
- Notes: Leo has problems with the camera.