Security Now 279
Topic: Your Questions, Steve's Answers #107
Recorded: December 15, 2010
Published: December 15, 2010
- 1 Security Now 279: Your Questions, Steve's Answers #107
- 1.1 Security Updates
- 1.2 Security/Privacy News
- 1.3 Errata
- 1.4 SpinRite
- 1.5 Questions & Answers
- 1.5.1 Comment [ 01 ] - Robbee Nelson in Raleigh, North Carolina may have found an alternative to PayPal Virtual Credit Card: ShopShield
- 1.5.2 Question [ 02 ] - An Anonymous listener posed a great question: Subject: Encryption algorithm for a low power performance impaired CPU
- 1.5.3 Question [ 03 ] - Lance Reichert, Itinerant Engineer in Upstate NY asks: How can I Convince Customer Service that Email is Public???
- 1.5.4 Question [ 04 ] - Didier Stevens in Brussels suggests: RFID tags in wristbands of watches...
- 1.5.5 Question [ 05 ] - Efrain in Miami, Florida thinks that an RFID-enhanced cell phone would be good enough...
- 1.5.6 Question [ 06 ] - Eric in Palm Coast, Florida reminds us about Bluetooth...
- 1.5.7 Question [ 07 ] - Dustin B in Seattle, Washington wonders about Controlling Bandwidth:
- 1.5.8 Question [ 08 ] - Ty in Nashville, Tennessee wonders about the security of Google's new Chrome OS?
- 1.5.9 Question [ 09 ] - Christiaan Conover in Annapolis, Maryland wonders whether a One Time Password (OTP) model would work for RFID tags...
- 1.5.10 Question [ 10 ] - Nick in Thief River Falls says Chrome DOES have Side Tabs!
- 1.5.11 Question [ 11 ] - Nathan Ramsay from Australia, now in London, wrote the nicest thing we've heard in a long time about the Security Now! podcast...
- 1.5.12 Question [ 12 ] - Jack D of Port Perry, Ontario, Canada brings us the "Adobe Gotcha!" TIP OF THE WEEK!
- 2 Sponsors
- 3 Production Information
Security Now 279: Your Questions, Steve's Answers #107
9:45 - 11:25
- Microsoft's December Security Update:
- Addressed 40 Vulnerabilities across 17 security bulletins
- Fixed the 0-day privilege escalation kernel vulnerability we’ve been waiting for
- Windows, Internet Explorer (IE), Office, SharePoint and Exchange.
- Among the vulnerabilities fixed in the updates are a critical flaw affecting IE 6, 7 and 8, and the last four vulnerabilities exploited by Stuxnet.
11:26 - 11:47
- Firefox has jumped to v3.6.13 and v3.5.16
- Fixed 12 vulnerabilities, 10 of them critical
11:48 - 25:26
- Claims are being made that the OpenBSD IPsec (IP Security) stack was deliberately compromised 10 years ago
- Did the FBI, ten years ago, pay open source developers to implement secret backdoors and side-channel key leakage into BSD’s OCF (OpenBSD Cryptographic Framework)?
- Steve and Leo are sceptical
25:27 - 31:53
- WikiLeaks DDoS attacks
- A tool called the LOIC (Low Orbit Ion Cannon) is being used to carry out the attacks
- It connects to an IRC channel, and the "hivemind" (the controller) issues commands to the connected bots to attack a target
- At one point up to 1,200 bots were in the channel
- However, they were using TCP, which can't be spoofed (the connection handshake has to complete from the real address), so the attackers can be identified
- Panda Labs has a good article on the attacks: http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/
31:54 - 32:30
- IE9's "Do Not Track" technology will be present, but off by default
32:31 - 33:27
- An add-on called "NotScripts" is available for Google Chrome which is similar to "NoScript" in Firefox
- The developer says it is hard to implement a "NoScript"-like add-on in Chrome because of its extension security model
33:28 - 35:44
- SANS: "UAE Authorities Can Decrypt BlackBerry Communications With Court Order"
- The United Arab Emirates' Telecommunications Regulatory Authority now has the key for BlackBerry services; this means that the authorities can decrypt and monitor BlackBerry communications after obtaining a court order. BlackBerry parent company Research in Motion (RIM) has reached a similar agreement with authorities in India.
- Steve is confused as to how this works: if they already have the key, they won't need a court order
35:45 - 37:06
- DoubleClick and "rad.msn.com" serving Malware Advertisements
- "HDD Plus" ransomware told users that they had serious system errors which required the premium version to fix
37:07 - 38:57
- GRC's "Sales Support" email was lost from Monday night to Tuesday noon
- Misconfigured spam filters permanently deleted all incoming mail
38:58 - 40:08
- Upcoming Flash v10.2 to use 10% of previous CPU and system power
40:09 - 40:40
- Listener Mack Morris: Thanks again for the great podcast and tell Leo that I think his Irish accent is the best of all the ones I've heard so far.
40:41 - 45:40 Sean McStay (St. Louis, Missouri)
SpinRite fixed a broken hard drive
Questions & Answers
47:58 - 01:28:57
Comment [ 01 ] - Robbee Nelson in Raleigh, North Carolina may have found an alternative to PayPal Virtual Credit Card: ShopShield
47:58 - 51:00
Listener Comment: Back on October 7, 2010 - Episode #269 - Listener Feedback #102, you sent out "A plea or a question to our listeners, who are spread far and wide. If anyone knows of a replacement, we all want to know." speaking of the PayPal plug-in.
Well, I ran across this site called ShopShield: http://www.shopshield.net/
I did some online checking and ShopShield is highly regarded by the Identity Theft Resource Center, a nonprofit nationally recognized for providing education and resources to prevent identity theft (http://www.idtheftcenter.org).
Their review can be found here - http://www.idtheftcenter.org/artman2/publish/headlines/Shop_Shield.shtml
Steve's Comment: Steve has not looked at it yet, but it looks legitimate. He doesn't know how they do what they claim, however. Steve will report back next week.
Question [ 02 ] - An Anonymous listener posed a great question: Subject: Encryption algorithm for a low power performance impaired CPU
51:01 - 54:31
Question: I have been involved in discussions with my work colleagues about which encryption algorithm to use on a low powered CPU. The CPU runs at roughly 1 MIPS. One of my colleagues suggested RC4. It is simple to implement and won't take up too many CPU cycles. The device will be battery powered, so keeping the number of instructions to a minimum is important. What are your thoughts on this?
Answer: RC4 is a really good cipher that got a bad reputation due to its implementation in WEP. If you use it properly, the stream of data it produces is really good.
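As an added example (not code from the show or from GRC), here is a compact RC4 in C of the kind that fits a 1 MIPS device, with the "use it properly" lessons from WEP built into its interface: the caller supplies a key that is unique per message (not built as IV||secret, which is what broke WEP) and the biased initial keystream bytes are discarded. The function names are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RC4 state: a 256-byte permutation plus the two indices i and j. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_t;

/* Key-scheduling algorithm (KSA): key is 1..256 bytes. */
static void rc4_init(rc4_t *st, const uint8_t *key, size_t keylen) {
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->s[k] + key[k % keylen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* Pseudo-random generation (PRGA): XOR the next len keystream bytes into buf.
 * Encryption and decryption are the same operation. */
static void rc4_xor(rc4_t *st, uint8_t *buf, size_t len) {
    for (size_t n = 0; n < len; n++) {
        st->i = (uint8_t)(st->i + 1);
        st->j = (uint8_t)(st->j + st->s[st->i]);
        uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
        buf[n] ^= st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
    }
}

/* Encrypt or decrypt buf in place under `key`.  The first `drop` keystream
 * bytes are generated and thrown away (RC4-drop[n], 768 is a common choice)
 * because RC4's early output is biased and leaks key material.  The key must
 * never be reused for a second message, and must not be formed by prepending
 * a counter/IV to the secret (WEP's mistake).  Returns 1 on success, 0 on
 * bad arguments. */
int rc4_crypt_msg(const uint8_t *key, size_t keylen, size_t drop,
                  uint8_t *buf, size_t len) {
    rc4_t st;
    uint8_t sink = 0;
    if (key == NULL || keylen == 0 || keylen > 256 || (buf == NULL && len)) return 0;
    rc4_init(&st, key, keylen);
    while (drop--) rc4_xor(&st, &sink, 1);   /* discard the biased prefix */
    rc4_xor(&st, buf, len);
    memset(&st, 0, sizeof st);               /* don't leave key state in RAM */
    return 1;
}
```

With drop set to 0 the output matches the published RC4 vectors (key "Key", plaintext "Plaintext" gives BB F3 16 E8 D9 40 AF 0A D3), which is a useful self-test when porting to a new compiler. RC4 has since been deprecated outright (RFC 7465 bans it from TLS); a modern low-power design would reach for ChaCha20, which is similarly cheap in instructions.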
Question [ 03 ] - Lance Reichert, Itinerant Engineer in Upstate NY asks: How can I Convince Customer Service that Email is Public???
54:32 - 59:03
Question Recently, one of my credit cards had the idea to show me how convenient paperless statements would be by giving me a temporary enrollment. One of the "features" of these paperless statements was a monthly email announcing the availability of my online statement and detailing my outstanding balance, minimum due, and due date.
They were agreeable enough to remove me from the program immediately upon request, but were unwilling to accept that the practice of putting customers' balances & due dates in email breached those customers' financial privacy and ran afoul of the consumer data protection act. They seemed to think that since I had to log in to my email server to collect my email, it was as secure as my email password.
Is there any compelling argument to offer them that between their server and mine, email is publicly available to anyone who cares to read it?
Answer: Even if you log in to your own mail server securely, the email itself is typically sent in the clear between their server and yours, and anyone sniffing the traffic along the way could read it.
Question [ 04 ] - Didier Stevens in Brussels suggests: RFID tags in wristbands of watches...
59:04 - 01:05:20
Listener Comment: I know someone who keeps his subcutaneous RFID tag lodged into the wristband of his wristwatch. He always has it with him, and there's no surgery involved.
Steve's Comment: Many people suggested alternatives to implantation, and the cell phone idea is interesting, but you could lose it
Question [ 05 ] - Efrain in Miami, Florida thinks that an RFID-enhanced cell phone would be good enough...
59:33 - 01:05:20
Listener Comment: I think that rather than implanting a chip in to our bodies we can have a chip implanted in to our cell phones. With the chip being in our cell phones it can handle complex things because it is a powered device. It seems to be a logical choice, because I think we can all agree that our phones are always within reach and it is more likely for a company to give you a cell phone with the tracking chip than ask you to get a chip surgically implanted.
Steve's Comment: Many people suggested alternatives to implantation, and the cell phone idea is interesting, but you could lose it
Question [ 06 ] - Eric in Palm Coast, Florida reminds us about Bluetooth...
59:53 - 01:05:20
Listener Comment: Concerning having your RFID public key advertised. I know this may be unlikely for most of us, but could you not be the trigger for your own assassination? While this may be an extreme example, could we not be targeted in many other less sinister ways as well?
Additionally, much of what you thought could be cool was available to Bluetooth users a decade ago. Walk into a room and your music would resume, your mac would unlock, etc. Probably a lot less secure, though.
Steve's Comment: Many people suggested alternatives to implantation, and the cell phone idea is interesting, but you could lose it
Question [ 07 ] - Dustin B in Seattle, Washington wonders about Controlling Bandwidth:
01:05:21 - 01:10:50
Question: How do ISPs limit bandwidth to specific households? I hear so much about digital meaning everything is either on or off, no in between. Clearly the physical connection to my house isn't changing, I am able to change my service speed with my provider without getting a new router. So, how does a company like Comcast suddenly say I am getting 20 Mbit/s or 5 Mbit/s from the same connection?
Answer: The coaxial cable has an enormous bandwidth capacity. The bandwidth on the pipe connected to your modem from the outside is massive, so the ISP simply tells your modem how much of that bandwidth it is allowed to use.
Question [ 08 ] - Ty in Nashville, Tennessee wonders about the security of Google's new Chrome OS?
01:10:51 - 01:15:43
Question: I know it may be a little early to tell, but what do you think of the security of Google's Chrome OS? Much of what I've read makes it sound like it will keep local storage to a minimum and only allow downloading of a small subset of file types, meaning not even running executable code outside of the browser. I've even read that it will monitor system files for changes on startup and repair them if it sees any modifications.
It almost sounds too good to be true from a security standpoint (not privacy, of course, since Google is running the show and users are required to log in with a Google ID to even use the system). Can you think of any obvious drawbacks to the platform, or have you heard of anything that would give you pause in giving it a try?
Answer: Security is only something that can be proven with time. Steve likes that it's been designed with security awareness from the beginning, unlike Windows and the Internet. Steve does know of a program that allows Chrome to run native code.
Question [ 09 ] - Christiaan Conover in Annapolis, Maryland wonders whether a One Time Password (OTP) model would work for RFID tags...
01:15:44 - 01:19:44
Question: I was listening to your discussion on RFID tags which sound very intriguing. Though you mentioned some security concerns (naturally), the benefits & use cases of such technology sound appealing. What I started to realize as I was listening was that some of the uses sound similar to how I use my Yubikey.
This got me thinking: perhaps the Yubikey model is exactly the solution to many of the security concerns around RFID tags. It's already an open protocol & authentication standard which can be implemented by anyone, so it would take care of the need for a standard to be developed. It could be set to issue a one time password at each use, so that somebody trying to clone your chip with a reader wouldn't get much benefit as all they'd get from a read was that single instance of OTP. Plus, it would give the user the ability to control authorization of use, by requiring them to confirm a certain device or location to be allowed access & be able to revoke it at any time. You could easily send a text message or email to somebody when authorization is needed, which they could reply to & within seconds a new authorization rule could be created on the fly.
Is this possible to do with the way RFID tags work, or have I missed a technical detail that would preclude this? It seems like a proven secure authentication method & a natural choice for a technology like this.
Answer: The problem is that an OTP requires some way for every verifier to know that you've already used a password, so it can't be used again. So you need a real-time connection to a central server.
Question [ 10 ] - Nick in Thief River Falls says Chrome DOES have Side Tabs!
01:19:45 - 01:22:44
Listener Comment: Side tabs are actually in Chrome already, but labeled experimental. If you type about:flags into Chrome you will get to a settings page where you can enable a Side Tabs context menu option on the tabs context menu.
Steve's Comment: There are lots of nice options hidden in about:flags; you do need to restart after the changes, though.
Question [ 11 ] - Nathan Ramsay from Australia, now in London, wrote the nicest thing we've heard in a long time about the Security Now! podcast...
01:22:45 - 01:24:02
Listener Comment: After studying on and off for a couple of months, I just passed my Security+ exam today. All I can say is that it was a tiresome yawn. This is not a negative on Security+, but a positive on Security Now. Listening to you week after week has imbued me with the ability to understand words like honeypot, least privilege, DNS spoofability, etc. with the greatest of ease. I was amazed at how much everything you've told us follows (sometimes word-for-word) with the best practices that I had to study for this exam. It almost felt like you wrote the exam.
Anyway, I just wanted to thank you for your and Leo's devotion to such a technically useful show and your commitment to provide nothing short of the best.
Question [ 12 ] - Jack D of Port Perry, Ontario, Canada brings us the "Adobe Gotcha!" TIP OF THE WEEK!
01:26:44 - 01:28:57
Steve's Comment: Turn them back off!
Sponsors
- Sync 9
- Ad times: 0:47-0:59 and 5:53-8:56
- Carbonite.com offer code SecurityNow
- carb 3
- Ad times: 1:01-1:12 and 46:03-47:43
- GE Ecomagination Challenge
- GE 4
- Ad Times: 1:16-1:30 and 1:24:09-1:26:28
Production Information
- Edited by: tony