Security Now 244

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 244

Security Now 244: Your Questions, Steve's Answers 90

News & Errata

04:00 - 07:15

  • Microsoft issued 11 patches this month to fix up to 25 problems

07:16 - 10:52

  • Some time ago the FCC sanctioned Comcast for specific handling of BitTorrent traffic
  • Comcast sued the FCC, saying you don't have the authority to regulate this aspect of our business.
  • And it turns out that initially that lawsuit failed, and then they appealed it, and the U.S. Court of Appeals agreed with Comcast that the FCC lacked the authority to enforce what it was trying to do.

10:53 - 12:32

  • Adobe is now telling users to take steps to prevent them being affected by the latest exploit in Adobe Reader

12:33 - 14:57

  • There's now a trojan called the W32.torrent.a trojan
  • When users are running BitTorrent, it pops up a notice saying that their system has been scanned, and the transfer of copyrighted materials into their computer has been confirmed, allowing them to pay $400 in a pretrial settlement to avoid further prosecution, which would involve five years in prison and $250,000 in fines.

14:58 - 17:11

  • There's a new zero-day flaw which has been uncovered in Java

Spinrite Story

17:12 - 21:19 Ernie Moreau (Kelowna, BC, Canada)

Spinrite fixed a drive at the users workplace

Questions & Answers

Comment: [ 01 ]

22:51 - 29:06 John Moehrke (Milwaukee, Wisconsin)
Listener Comment: I grit my teeth every time you say SSL is broken. Yet most of the time it isn't SSL that's broken, but the policies some have chosen to use to simplify our lives. So as an example, last episode, the problem with SSL server certificates, this isn't broken SSL, this is a broken policy. I recommend SSL very often to protect healthcare. I'm involved in all of that stuff going on in Washington, D.C. around healthcare IT.

I often have to reverse misunderstandings. In addition, I have to point out that the recommendations that we're giving with healthcare are to use multi-authenticated TLS to a well-controlled certificate or CA branch that is highly controlled, following a system inspection and business agreement. This isn't just server authentication to a list that some browser vendor chooses.

Steve's Comment: Absolutely true as far as we know

Comment: [ 02 ]

29:07 - 33:55 Nasko Oskov (Unknown)
Listener Comment: I wanted to let you know about a small project that started the moment the "Subverting SSL" paper came out. I've collected some data on most widely used root CAs, such that the list could be trimmed down to 20 to 30 CAs. I've also started a personal project, 30 days with almost no trusted CAs. I deleted all trusted roots and am adding them one by one as things break.

Steve's Comment: Listeners should visit his website

Comment: [ 03 ]

33:56 - 41:50 Mariusz S. Cybulski (Guelph)
Listener Comment: In 242 you talked about Disposeamail and how everyone can see the email sent to the disposable address. Well, how about this site, It allows you to create an account that only you have access to, and all over a secure HTTPS connection, not just the logon.

You get to select how many junky emails you get sent to your real email account, which you configure with them ahead of time. You can have them send up to 20 emails, but can always reset if you need more. Anything past that threshold, more than 20, let's say, gets eaten by their servers.

Best of all, you get to create a new email on the fly, which is automatically linked to your account with them. This is a great free service, and they also provide several domains, not just

Steve's Comment: You go there, put in a username and password in order to identify yourself to the system. So then you are able, without talking to them ahead of time, again, without having to, like, go pre-create accounts, you can have any mail sent to So say that you created an account called MickeyMouse. So you would give any other website And by default three emails will be accepted by with that prefix and will be invisibly forwarded to your real email address, which you also register with them. And after three, it will block any additional ones.

Question: [ 04 ]

41:51 - 51:59 Chris Clark (Vancouver, BC)
Question: Are iPhone and iPad operating systems more secure due to Apples vetting process for apps ?

Answer: Yes

Question: [ 05 ]

52:00 - 01:00:30 Dave Popovich (Port Saint Lucie, Florida)
Question: Is it safer to use an iPad for online banking rather than a normal PC.

Answer: Yes

Question: [ 06 ]

01:00:31 - 01:07:50 John McCormack (Twin Falls, Virginia)
Question: How come Shields UP died recently complaining it was too busy ?

Answer: Steve was having problems with his servers CPU usage jumping to 100% randomly. Then Lifehacker mentioned Shields UP and tons of traffic was sent to GRC and it bogged the server down. After several days the server was still being swamped so Steve investigated and realised that he had left his own developmental memory auditing code in the production server which was using extra resources

Question: [ 07 ]

01:07:51 - 01:09:30 Mike King (Eastern Shore of Maryland)
Question: Is the iPad a good device to read PDF's on ?

Answer: Good Reader is a nice application to read PDF's on and the iPad does also support PDF's natively

Question: [ 08 ]

01:09:31 - 01:15:49 Brandon (Atlanta, Georgia)
Question: I was trolling my router's security log when I noticed several dozen entries that say "Found attack from [variable IPs] in port [variable ports]," and they all occurred at the very same moment. Is this some automated attack from some random machine trying to find insecure addresses? How can I be sure my network isn't compromised? Should I be concerned?

Answer: What you are seeing is what Steve calls 'Internet Background Radiation' where people are just scanning thousands of IP's trying to find vulnerable computers. It could also be 'FIN' packets that a website is sending back to you to confirm the connection to the server has been closed that are being blocked by the router

Question: [ 09 ]

01:15:50 - 01:23:02 Robert Hickman (Bristol, U.K.)
Question: Would it be possible for a browser and/or browser add-on to maintain a database of URL or IP addresses with the original signing authority for most sensitive websites like your bank and large eCommerce sites and so forth, your email system like Gmail? Using such a database it would be possible to detect if the signing authority that a website is using changes, and thus perhaps a man-in-the-middle attack. Obviously this would not be a perfect solution by any means due to the vast number of websites and the introduction of an additional trusted party, though it would offer a workaround to the problem.

Answer: There are browser addon's for Firefox that tackle this problem with SSL in multiple ways . One approach is to cache the SSL certificate of a site when you first visit it and then each time you return compare the certificate presented to check if the certificate has changed. Another is to check the sites certificate against a database maintained by some who knows who signs the genuine certificates

Question: [ 10 ]

01:23:03 - 01:30:15 Joe Lyo (Lehi, Utah)
Question: How does one know if they have corporate CAs? Can these be removed by a user? Will the browser still work if they're removed? What if one browser, Internet Explorer for instance, has the corporate CA; but another browser, Firefox for instance, does not have the corporate CA? Does that mean that Firefox would not be snoopable by the corporate IT department?

Answer: To check if you have a corporate CA:

Go to any secure website from within your company. Go to to establish a secure connection to Google, or Just get a secured connection to something outside your company. And then do whatever it is your particular browser has you do to look at, to inspect the page's certificate. Sometimes you can just right-click on the page itself and check properties of the page, or double-click on the little lock icon down in the tray. What that will show you is what we've been talking about, the so-called "chain of trust."

And be worried if it doesn't make it very clear that it's directly trusted by, like, VeriSign, for example. Either it'll be trusted only by VeriSign, or it'll be trusted, it'll say, like, VeriSign Trust Authority, maybe like in a second step. But if there's anything else in line, if it says, for example, Ajax Plumbing Works is an intermediate CA, then that demonstrates that there has been, essentially, that there is an intermediate certificate authority in line. And it may well be your own company that has created the certificate.

If you use a browser without the corporate CA you will not be able to access secure websites



Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.