Security Now 253

From The Official TWiT Wiki


Security Now 253: Your Questions, Steve's Answers 94

News & Errata

06:56 - 08:34

  • Mac OS X was updated to version 10.6.4 (Snow Leopard)
  • Mac OS X was updated to version 10.5.8 (Leopard)
  • 23 security fixes, Safari 5, and a collection of various bug fixes

08:34 - 11:30

  • Adobe has now fixed the Flash vulnerability discussed last week, but will not be fixing Adobe Reader until the end of June
  • Steve has a workaround for the vulnerability on his blog

11:31 - 18:28

18:29 - 24:43

  • On Twitter, Alejandro (@microtwit32) says that NoScript v1.9.9.81 has added experimental TabNabbing protection:
    • Type "about:config" in the address bar
    • Find "noscript.forbidBGRefresh", which has a default value of '1'
    • You can change it to one of these values:
      • 0 - no blocking
      • 1 - block refreshes on untrusted unfocused tabs
      • 2 - block refreshes on trusted unfocused tabs
      • 3 - block refreshes on both untrusted and trusted unfocused tabs (Steve's choice)
    • There is one other option, "noscript.forbidBGRefresh.exceptions", which defaults to mozilla.org
    • Domains listed there override the other setting

24:44 - 31:31

  • People have found another problem with AT&T's iPad auto-population system
  • There is a value called the IMSI which is meant to be secret
  • The ICC ID was always meant to be public
  • The ICC ID is meant to be used to securely look up the IMSI
  • AT&T decided it was a pain to do this, so they made it possible to calculate the IMSI from the ICC ID
  • With the IMSI and ICC ID, someone can do the following:
    • Get the full account name
    • Get the phone number
    • Track the phone as it roams around the world
    • Retrieve voicemail
    • Intercept cellular traffic
    • Intercept speech and SMS messages
  • Steve notes that this isn't the end of the world, though, as the iPad is a data-only device

31:32 - 39:20

  • Crooks siphoned $644,000 from a school district's bank account
  • Steve encourages listeners to change the settings on their accounts to prevent electronic fund transfers

SpinRite Story

39:21 - 44:58 Brad (Unknown)

SpinRite fixes hard drives at his company

Questions & Answers

47:56 - 01:19:40

Comment: [ 01 ]

47:56 - 50:37 Anon (Unknown)
Listener's Comment: The listener is a car systems expert and says that manufacturers do consider security when designing cars

Steve's Comment: This is good, but security is too hard to do, so there will still be problems

Question: [ 02 ]

50:38 - 56:15 John Hughan (Austin, Texas)
Question: How does having microcode make engineers' jobs easier in terms of the number of AND and OR gates required to implement complex instructions? Why is it not the case that having a "computer within a computer" just meant that those AND and OR gates had to be implemented in the microcode area in order to run those instructions and manage the "main" area? Or if microcode allows those types of instructions to be executed in a fundamentally different way that doesn't require those AND and OR gates, why can't the rest of the instruction set be implemented that way?

Answer: It is easier to implement in a lookup table than to wire up lots of logic gates. By doing a big job in steps, you don't have to do it all at once; you can do it in smaller, simpler steps.

Comment: [ 03 ]

56:17 - 58:10 Simon (Canada)
Listener's Comment: I saw doctors watching the World Cup on a computer running Flash Player in an operating room

Steve's Comment: This is not surprising, unfortunately

Question: [ 04 ]

58:11 - 01:01:00 James Truesdale (Saint Louis MO)
Question: Instead of adding instructions, why not just use macros for commonly used operations?

Answer: Back then memory was very expensive and it would have taken a lot of time for the macro to run.

Question: [ 05 ]

01:01:01 - 01:03:50 Haystacks Calhoun (New York City)
Question: Is it true that Google's SSL search is not secure if you're using a computer with a web cache doing man-in-the-middle attacks on these searches, such as at work?

Answer: Yes

Question: [ 06 ]

01:06:27 - 01:11:17 Jeff Dunn (Riley Township, MI)
Question: How do you recover the data (file system level) on a drive if the TPM/motherboard fails?

Answer: There is a way to back up the data contained in the TPM

Question: [ 07 ]

01:11:18 - 01:14:46 Michael (Denmark)
Question: I just changed ISP and thus got a new router. My new router is semi-locked to the ISP configuration and has only very limited capabilities, e.g. no firewall, but nevertheless basic port forwarding capabilities. I use port forwarding for a couple of services, but would like the rest of my ports to be stealthed. I found I could achieve this by setting the DMZ forwarding IP to an IP in my range that is not used; my question, however, is whether there is any 'risk' connected with this. The router will now allow traffic to flow to my internal net, but as there is no recipient there should be no danger - or? I mean, can some sort of malicious traffic enter my network and do mischief? I don't see how, but thought I'd better ask just to be on the safe side.

Answer: The data does not appear on your network or get sent to the nonexistent IP. When the router receives the data, it will look at its ARP table to try to find the computer associated with the IP. It won't find any computer with that IP and will drop the packet. So this is a good idea.

Question: [ 08 ]

01:14:47 - 01:19:40 William D. Elliott (Dallas, Texas)
Question: Can you review the best practices for using open Wi-Fi?

Answer: The problem you are trying to solve is people looking at your traffic, and we know there are people sniffing wireless traffic. Only using SSL protects you. So be sure your POP and IMAP servers are using secure connections. Steve recommends 'being afraid'. You could use a VPN.


Sponsors

Ford SYNC

Squarespace

CarbonitePro

  • Carbonitepro.com - no other code or promo
  • Ad Times: 0:59-1:11 and 1:04:00-1:06:26

Production Information

  • Edited by: Tony
  • Notes: