Security Now 255

Security Now 255: Your Questions, Steve's Answers #95

Out of cycle Acrobat and Reader updates, Firefox improvements, flawed SSL study, internet kill switch, your questions, and more.

News & Errata

4:10 - 8:32

  • Adobe Flash 10.0 has been fixed so users can downgrade from 10.1 if the latest version isn't working for them
  • Adobe has updated Adobe Reader to fix the same vulnerability that was found in Flash
  • You may have to manually check for updates inside Adobe Reader

8:33 - 12:08

  • Mozilla Firefox has been updated to version 3.6.6
  • A beta for the beta of Firefox 4 has been released
  • Firefox 4 will have significant UI changes and the ability to make online services like Google Calendar appear as a stand-alone application

16:21 - 19:37

  • Congress has not given the President an internet kill switch, as this is not possible
  • The "Protecting Cyberspace as a National Asset Act" gives the President the right to ask ISPs to pull the plug on their transatlantic cables if the US is being attacked

19:38 - 23:26

  • The Department of Homeland Security has produced a document on "the national strategy for trusted identities in cyberspace"
  • Steve will be doing a whole podcast on this

23:27 - 27:36

  • Adobe has done nothing to fix a bug in Adobe Reader where you can force it to run executable content
  • Targeted attacks are increasingly taking advantage of this vulnerability

27:37 - 33:20

  • People can now block secure Google searches

33:21 - 41:00

  • In Brazil a suspected criminal encrypted 5 hard drives with TrueCrypt
  • The Brazilian authorities tried for 5 months to break the encryption and read the contents of the drives
  • They failed
  • So they asked the FBI to try
  • The FBI tried for a year and also failed
  • The FBI used a program called 'Dictionary', which is a password brute-forcer

41:01 - 42:00

  • Google Chrome is now the 3rd most used browser on the internet

42:01 - 44:21

  • ICANN has approved a ".xxx" top level domain for adult content
  • The registrar will charge $60, and a large percentage of this will go to child protection charities

SpinRite Story

44:22 - 47:24 Troy Haskin (Madison, Wisconsin)

SpinRite fixed a friend's broken hard drive and saved some files. He asks why Steve doesn't have a tip jar for SpinRite. Steve thinks that this would formalise breaching the SpinRite licensing agreement.

Questions & Answers

Question: [ 01 ]

52:10 - 01:02:20 Timothy Hahn (Maryland)
Question: "eSecurityPlanet", Slashdot and many others have front page articles today stating: "we have about 22 million SSL servers with certificates that are completely invalid because they do not match the domain name on which they reside, meaning only about 3% of SSL certs in use are actually valid!". Please explain this?

Answer: This story is completely bogus. This guy got all the domain names there are in the main top-level domains. He did an IP lookup for each domain, then connected to that IP and checked whether ports 80 and 443 were accepting connections. If port 443 was accepting connections he initiated an SSL connection to obtain the SSL certificate. He was then upset if the certificate name was different from the domain name he had used to look up the IP. Look at this example: Steve owns www.grc.com and www.spinrite.com. However, www.spinrite.com takes you to www.grc.com. So based on this guy's logic, if he looked up the SSL certificate for www.spinrite.com it would show www.grc.com on the certificate and Steve's certificate would be "invalid". One of the reasons this guy found so many so-called 'invalid' certificates is so-called 'shared hosting', where multiple sites live at the same IP.
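To make the flaw in the survey's method concrete, here is an added example (not code from the show or from the study) that models a tiny constructed internet: DNS entries, one HTTP redirect, and the certificates each server hands out. It compares the survey's approach (look up the name, connect to the IP, compare whatever certificate comes back against the name you started with) with what a browser actually does (follow the redirect, ask for the final host by name, and only then check the certificate). All hostnames, IPs and certificate names below are constructed; the hostname matcher is a plain RFC 6125-style check written for this example.

```python
from collections import Counter


def hostname_matches(hostname, san_names):
    """RFC 6125-style check of a hostname against a certificate's DNS names:
    case-insensitive exact match, or a single wildcard that stands for
    exactly one leftmost label (so '*.example.com' does not cover
    'example.com', 'a.b.example.com', or the bare '*.com' pattern)."""
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for name in san_names:
        pattern = name.rstrip(".").lower()
        if pattern == host:
            return True
        pat_labels = pattern.split(".")
        if (pat_labels[0] == "*"
                and len(pat_labels) >= 3                 # refuse '*.com'
                and len(pat_labels) == len(host_labels)
                and pat_labels[1:] == host_labels[1:]):
            return True
    return False


# ---- constructed stand-in for the public internet -------------------------
# DNS: name -> IP. www.spinrite.com resolves to the same box as www.grc.com,
# and three unrelated sites share one hosting IP.
DNS = {
    "www.grc.com":      "192.0.2.10",
    "www.spinrite.com": "192.0.2.10",
    "alpha.example":    "192.0.2.20",
    "beta.example":     "192.0.2.20",
    "gamma.example":    "192.0.2.20",
}
# HTTP redirects: the name you typed -> the name that actually serves you.
REDIRECTS = {"www.spinrite.com": "www.grc.com"}
# Certificates installed per virtual host (chosen by SNI when a client asks
# for that name). Names absent here do not offer HTTPS at all.
CERT_BY_NAME = {
    "www.grc.com":   ["www.grc.com", "grc.com"],
    "alpha.example": ["alpha.example"],
}
# The one default certificate a server can return when the client connects
# by IP without naming a host, as the survey did.
DEFAULT_CERT_AT_IP = {
    "192.0.2.10": CERT_BY_NAME["www.grc.com"],
    "192.0.2.20": CERT_BY_NAME["alpha.example"],
}


def study_method(name):
    """Resolve, connect to the IP, take the default certificate, compare it
    with the name originally looked up. Every shared-hosting neighbour and
    every redirecting alias shows up as a 'mismatch'."""
    cert = DEFAULT_CERT_AT_IP[DNS[name]]
    return "valid" if hostname_matches(name, cert) else "mismatch"


def browser_method(name):
    """Follow the redirect, request the final host by name, and check the
    certificate against that host. A site that never offers HTTPS is
    reported as such rather than as an invalid certificate."""
    final = REDIRECTS.get(name, name)
    if final not in CERT_BY_NAME:
        return "no-https"
    return "valid" if hostname_matches(final, CERT_BY_NAME[final]) else "mismatch"


def survey(method):
    """Tally the verdicts of one method across every name in the toy DNS."""
    return dict(Counter(method(name) for name in DNS))


if __name__ == "__main__":
    print("survey's method :", survey(study_method))    # 3 of 5 'invalid'
    print("browser's method:", survey(browser_method))  # 0 mismatches
```

On this constructed data the survey's method reports three of five sites as having invalid certificates, while the browser's method finds none: the spinrite alias is simply a redirect to a correctly certified host, and the two shared-hosting neighbours never offered HTTPS in the first place. The same effect, scaled up to every registered domain, is where the "only 3% valid" figure comes from.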

Question: [ 02 ]

01:02:21 - 01:08:24 Corby (Reno, Nevada)
Question: Can you create a numeric perfect password generator on your site ?

Answer: Each number gives you 3.322 bits of strength. If you use 63 of them you get 209 bits of key strength, and this is perfectly secure ASSUMING you pick the numbers randomly.
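The arithmetic behind that answer, plus the "assuming you pick the numbers randomly" caveat, as an added example (not code from the show or from GRC). Each uniformly random decimal digit contributes log2(10) bits, so the entropy of a digit string is simply its length times that figure; the helper also works the formula backwards to find how many digits reach a target strength, and goes beyond digits to any alphabet size. The generator draws from the operating system's CSPRNG through Python's `secrets` module; `modulo_bias` shows why the tempting shortcut of reducing a raw byte with `% 10` is not uniform.

```python
import math
import secrets

DIGITS = "0123456789"


def bits_per_symbol(alphabet_size):
    """Entropy of one uniformly random symbol from an alphabet of N: log2(N).
    For decimal digits this is log2(10) = 3.3219... bits."""
    return math.log2(alphabet_size)


def entropy_bits(length, alphabet_size=10):
    """Total entropy of `length` independent, uniformly random symbols."""
    return length * bits_per_symbol(alphabet_size)


def symbols_needed(target_bits, alphabet_size=10):
    """Smallest number of uniformly random symbols reaching target_bits."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def generate_numeric_password(length=63):
    """Digits drawn with secrets.choice, which rejects out-of-range random
    values instead of reducing them, so each digit is equally likely.
    The 'random' module is seeded from predictable state and is unsuitable."""
    return "".join(secrets.choice(DIGITS) for _ in range(length))


def modulo_bias(raw_range, alphabet_size):
    """How many of the raw_range possible input values land on each symbol
    when reduced with '%'. Unequal counts mean unequal probabilities: for a
    byte (256 values) reduced mod 10, digits 0-5 are hit 26 times each and
    6-9 only 25 times, so the output is not uniform."""
    counts = [0] * alphabet_size
    for value in range(raw_range):
        counts[value % alphabet_size] += 1
    return counts


if __name__ == "__main__":
    print(f"bits per digit : {bits_per_symbol(10):.3f}")
    print(f"63 digits      : {entropy_bits(63):.1f} bits")
    print(f"digits for 128 : {symbols_needed(128)}")
    print(f"digits for 256 : {symbols_needed(256)}")
    print(f"byte % 10 bias : {modulo_bias(256, 10)}")
    print(f"password       : {generate_numeric_password()}")
```

The numbers match the answer: 3.322 bits per digit and about 209 bits for 63 of them. The bias check is the practical caveat: a generator that takes `os.urandom` bytes modulo 10 loses uniformity, and an attacker who knows the generator can weight a guessing attack accordingly, which is exactly the "assuming you pick the numbers randomly" condition failing in a subtle way.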

Comment: [ 03 ]

01:08:25 - 01:12:11 David Newton (Leamington Spa, UK)
Listener Comment: I recommend you feature a new Firefox extension called HTTPS-Everywhere. It is being created by the EFF and aims to automate the process of using TLS for web pages where that is possible. For example after installing the application all pages on Wikipedia automatically go to their TLS version.

Steve's Comment: This is cool but limited

Question: [ 04 ]

01:12:12 - 01:17:24 Christoph Angerer (Zurich, Switzerland)
Question: I was just listening to episode 254 and your discussion of open vs. encrypted wireless routers in the Google-case. What I was wondering, and I wanted to hear your take on this: why do the standardized security solutions always have to be either 100% … or nothing at all??

Answer: He is suggesting SSL without authentication. If we do this you can't prevent an active man-in-the-middle attack, but if you understand that you don't have authentication of the endpoint, this could absolutely be done.
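What "SSL without authentication" looks like from the client side, as an added example (not code from the show): Python's `ssl` module can build a context that still negotiates encryption but skips certificate verification, giving the opportunistic, eavesdropper-only protection the answer describes. The hardened default is shown beside it so the two settings can be compared; the order of the two assignments in the unauthenticated branch matters, because the standard library refuses to drop `verify_mode` while `check_hostname` is still on.

```python
import ssl


def make_context(authenticate=True):
    """Build a TLS client context.

    authenticate=True  : the default posture. The peer's certificate must
                         chain to a trusted root and name the host we asked
                         for, so an active man-in-the-middle is rejected.
    authenticate=False : 'opportunistic' TLS as discussed in the answer.
                         Traffic is still encrypted, which defeats a passive
                         listener on open Wi-Fi, but nothing proves who is on
                         the other end, so an active attacker can stand in
                         the middle. Any UI built on this must not show the
                         same indicator as an authenticated connection.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if authenticate:
        ctx.load_default_certs()          # system trust store
        ctx.check_hostname = True         # already the default; explicit here
        ctx.verify_mode = ssl.CERT_REQUIRED
    else:
        # check_hostname must be switched off before verify_mode is lowered,
        # otherwise SSLContext raises ValueError.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_authenticated(ctx):
    """True only when the context both demands a certificate and checks
    that its name matches the requested host; either one alone is not
    endpoint authentication."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


def describe(ctx):
    """Label a context the way a UI indicator should distinguish them."""
    if is_authenticated(ctx):
        return "encrypted and authenticated"
    return "encrypted only (opportunistic, no endpoint authentication)"


if __name__ == "__main__":
    for mode in (True, False):
        print(f"authenticate={mode}: {describe(make_context(mode))}")
```

Nothing in the TLS record layer changes between the two contexts; the only difference is whether the client acts on the certificate it receives. That is why the answer treats the idea as workable provided the user is told, clearly, which of the two they have.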

Sponsors

Astaro

Audible

Picks

True Enough: Learning to Live in a Post-Fact Society by Farhad Manjoo (UNABRIDGED)
Narrated by Ray Porter

Production Information

  • Edited by: djc
  • Notes: