Security Now 228

From The Official TWiT Wiki

Security Now 228: Your Questions, Steve's Answers 82

News & Errata

03:27 - 13:12

  • There is a critical remote code execution vulnerability in Adobe Reader and Acrobat 9.2.
  • Adobe will fix this on January 12, 2010; they advise users to disable JavaScript in the meantime.

13:13 - 20:22

  • Firefox and SeaMonkey have been updated to fix 7 sets of problems.
  • Mozilla have also said they are going to stop updating Firefox version 3.0.

20:23 - 28:37

  • Conficker took down an entire seven-hospital maternity and continuing care medical network in New Zealand. All 3,000 of the PCs within their network had to be turned off, and the main hospital's lab is currently running at about 10 percent capacity.
  • A website to track how many people are infected with worms

Spinrite Story

28:38 - 30:48 Peter Lilly (Unknown)

A listener's sister's computer wouldn't boot and she had no backups, so he ran SpinRite on the drive and it fixed the problem.

Questions & Answers

33:47 - 01:27:15

Comment: [ 01 ]

33:47 - 40:17 Tom Newman (Discovery Bay, San Francisco Bay Area)
Listener Comment: The bad guys always appear to be one step ahead; recently I received a scareware message through Skype, and when I looked up the site on Google's safe browsing report it didn't report a problem / security threat.

Steve's Comment: Tom has made a good point: you can't be sure that Google will know about all bad sites, just like you can't be sure that your antivirus software knows about all the viruses.

Question: [ 02 ]

40:18 - 48:39 Rob (near Ottawa, Canada)
Question: I've found a site that claims SSL could be brute-force cracked in a matter of minutes. Is this true?

Answer: The site is talking about cracking an old version of SSL that only uses a 40-bit key. Modern SSL uses 128- or 256-bit keys, which cannot be brute-forced using technology available today (January 2010) before the sun explodes.

Question: [ 03 ]

48:40 - 54:54 Scott (Upstate New York)
Question: It turns out that the video feeds from American UAVs are sent unencrypted to the ground. Insurgents discovered this and are using $26 off-the-shelf equipment to intercept the feeds and plan their operations around the locations of the drones. The flaw has been known since the 1990s, but Pentagon officials assumed it would not be exploited because the Afghans and Iraqis wouldn't know how to! This is a clear failure of the "security through obscurity" model. What do you think?

Answer: They have encrypted ground control machines but emit unencrypted video to old computers that then relay it to the HQ. Upgrading the equipment would cost a lot of money, which they can't afford at the minute.

Question: [ 04 ]

54:55 - 59:20 Chris (Texas)
Question: Are the free SSL certificates some companies offer safe to use?

Answer: If you go to a website whose certificate is signed by someone you don't know or who offers free certificates, you need to be cautious, but they should be fine.

Comment: [ 05 ]

59:21 - 01:05:09 Anton Wirsch (Tokyo, Japan)
Listener Comment: I went to SeaWorld in San Diego and asked about their fingerprint scanning technology. The young person at the window assured me that the actual fingerprint is not stored anywhere. The fingerprinting machine used the fingerprint to generate a number that was then mapped to the barcode of the entrance ticket. This allows SeaWorld to ensure that only one person is using an entrance ticket. If a person leaves the park and then wants to re-enter, the fingerprinting machine should regenerate the same number and match the mapped barcode on the ticket.

Steve's Comment: Steve is surprised that they have a paper explaining the fingerprinting, and this can't be the first time they've been asked. They are essentially hashing his fingerprint, which means that no one can derive his fingerprint from the barcode on the ticket.

Comment: [ 06 ]

01:05:10 - 01:07:37 Marv Schwartz (Case Western Reserve University in Cleveland, Ohio)
Listener Comment: Would blocking with a HOSTS file entry now be a very good idea? If your hosts file blocked it then would never get control and therefore could not invoke chained malware.

Steve's Comment: Many people mentioned this, and they are all correct.

Question: [ 07 ]

01:07:38 - 01:11:52 Matt (Ohio)
Question: Where I work we used to give out cards with pictures on them but it costs too much money and time to have card printers and print them. We have a new system that reads finger veins. From what I have seen it works extremely well. They claim near 0% failure rate. So now we don't have membership cards they just scan their finger. Now people don't have to worry their finger prints are on file somewhere, and what are people really going to do if they know the layout of your finger veins?

Answer: This is the same type of technology that they use in hospitals to measure your blood oxygen and pulse. It has the advantage of using something that you don't leave everywhere.

Comment: [ 08 ]

01:11:53 - 01:17:35 Brian Kuner (Akron, Ohio)
Listener Comment: I was having a problem with Firefox, so I ran DNS Benchmark and noticed my router performed really poorly. I changed my settings so that DNS is now handled by my computer, and it fixed the problem.

Steve's Comment: Steve has no idea why routers offer DNS services, as they are often just dumb boxes.

Comment: [ 09 ]

01:17:36 - 01:23:14 Ilari Kajaste (Finland)
Listener Comment: We are concerned about giving out our biometric data at places like Disneyland, but we leave our fingerprints on everything we touch, so we need to start considering our biometric data as public.

Steve's Comment: He makes a good point, but Steve still thinks you should minimise disclosure.

Question: [ 10 ]

01:23:15 - 01:27:15 Marco Silva (Madeira Islands, Portugal)
Question: Could your router crash test accidentally change settings on a router?

Answer: It's highly unlikely, and it hasn't happened yet.

Significant Products

Ford Sync

Production Information

  • Edited by: Erik
  • Notes: