Security Now 279

Security Now
Episode 279



Security Now 279: Your Questions, Steve's Answers #107

Security Updates

9:45 - 11:25

  • Microsoft's December Security Update:
    • Addressed 40 Vulnerabilities across 17 security bulletins
    • Fixed the 0-day privilege escalation kernel vulnerability we’ve been waiting for
    • Windows, Internet Explorer (IE), Office, SharePoint and Exchange.
    • Among the vulnerabilities fixed in the updates are a critical flaw affecting IE 6, 7 and 8, and the last four vulnerabilities exploited by Stuxnet.

11:26 - 11:47

  • Firefox has jumped to v3.6.13 and v3.5.16
    • Fixed 12 vulnerabilities, 10 were critical

Security/Privacy News

11:48 - 25:26

  • Claims are being made that the OpenBSD IPSEC (IP Security) stack was deliberately compromised 10 years ago
    • Did the FBI, ten years ago, pay open source developers to implement secret backdoors and side-channel key leakage into BSD’s OCF (OpenBSD Cryptographic Framework)?
    • Steve and Leo are sceptical

25:27 - 31:53

  • WikiLeaks DDoS attacks
    • A tool called the LOIC (Low Orbit Ion Cannon) is being used to carry out the attacks
    • It hooks onto an IRC channel and then the hivemind (the controller) issues commands to the bots to attack a target
    • At one point up to 1200 bots were in the channel
    • However, they were using TCP, which can't be spoofed, so the attackers can be identified
    • Panda Labs has a good article on the attacks: http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/
    • A JavaScript version of the LOIC is available, so an iPhone could be used

31:54 - 32:30

  • IE9's "Do Not Track" technology will be present, but off by default

32:31 - 33:27

  • An add-on called "not script" is available for Google Chrome which is similar to "NoScript" in Firefox
  • The developer says it is hard to implement a "NoScript" like addon in Chrome due to its security model

33:28 - 35:44

  • SANS: "UAE Authorities Can Decrypt BlackBerry Communications With Court Order"
    • The United Arab Emirates' Telecommunications Regulatory Authority now has the key for BlackBerry services; this means that the authorities can decrypt and monitor BlackBerry communications after obtaining a court order. BlackBerry parent company Research in Motion (RIM) has reached a similar agreement with authorities in India.
    • Steve is confused as to how this works: if they have the key, they won't need a court order

35:45 - 37:06

  • DoubleClick and "rad.msn.com" serving Malware Advertisements
    • Heavily obfuscated JavaScript was used to exploit at least seven previously patched vulnerabilities in Adobe Reader, Java and IE
    • "HDD Plus" ransom-ware told users that they had serious system errors which required the premium version to be fixed.

Errata

37:07 - 38:57

  • GRC's “Sales Support” eMail lost Monday night to Tuesday noon
  • Misconfigured spam filters permanently deleted all incoming mail

38:58 - 40:08

  • Upcoming Flash v10.2 to use 10% of previous CPU and system power

40:09 - 40:40

  • Listener Mack Morris: Thanks again for the great podcast and tell Leo that I think his Irish accent is the best of all the ones I've heard so far.

SpinRite

40:41 - 45:40 Sean McStay (St Louis Missouri)

SpinRite fixed a broken hard drive

Questions & Answers

47:58 - 01:28:57

Comment [ 01 ] - Robbee Nelson in Raleigh, North Carolina may have found an alternative to PayPal Virtual Credit Card: ShopShield

47:58 - 51:00
Listener Comment: Back on October 7, 2010 - Episode #269 - Listener Feedback #102. You sent out "A plea or a question to our listeners, who are spread far and wide. If anyone knows of a replacement, we all want to know." Speaking of the PayPal Plug-in.

Well, I ran across this site called ShopShield: http://www.shopshield.net/

I did some online checking, and ShopShield is highly regarded by the Identity Theft Resource Center, a nonprofit nationally recognized for providing education and resources to prevent identity theft: http://www.idtheftcenter.org

Their review can be found here - http://www.idtheftcenter.org/artman2/publish/headlines/Shop_Shield.shtml


Steve's Comment: Steve has not looked at it yet, but it looks legitimate. He doesn't know how they do what they claim, however. Steve will report back next week.


Question [ 02 ] - An Anonymous listener posed a great question: Subject: Encryption algorithm for a low power performance impaired CPU

51:01 - 54:31
Question: I have been involved in discussions with my work colleagues about which encryption algorithm to use on a low powered CPU. The CPU runs at roughly 1 MIPS. One of my colleagues suggested RC4. It is simple to implement and won't take up too many CPU cycles. The device will be battery powered, so keeping the number of instructions to a minimum is important. What are your thoughts on this?


Answer: RC4 is a really good cipher that got a bad reputation due to its implementation in WEP. If you use it properly, the stream of data it produces is really good.
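As an added illustration of what "use it properly" means (example code written for these notes, not Steve's or the show's), the block below implements RC4 and then shows the two habits WEP got wrong: reusing a keystream, which lets an observer cancel it out by XORing two ciphertexts, and forming the per-packet key by simply concatenating a public IV with the secret key. The per-message key derivation (HMAC of a random nonce under the long-term key) and the 3072-byte "RC4-drop" skip are this example's own choices, not something the show prescribes. The Wikipedia/IETF RC4 test vectors are used to confirm the implementation is correct.

```python
import hashlib
import hmac
import os

# Added example, not from the show: a minimal RC4 alongside the two
# "use it properly" rules that WEP broke: never reuse a keystream, and
# derive each message key rather than concatenating IV || secret key.
# RC4-drop (skipping the start of the keystream) is also shown; the
# 3072-byte default is an assumption of this example.

def rc4_keystream(key: bytes, drop: int = 0):
    """Yield RC4 keystream bytes for key, discarding the first `drop` bytes."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): walk the permutation.
    i = j = produced = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        k = S[(S[i] + S[j]) & 0xFF]
        if produced >= drop:
            yield k
        produced += 1


def rc4_crypt(key: bytes, data: bytes, drop: int = 3072) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same op."""
    ks = rc4_keystream(key, drop)
    return bytes(b ^ next(ks) for b in data)


def message_key(long_term_key: bytes, nonce: bytes) -> bytes:
    """Per-message key: HMAC of the nonce under the long-term key (a construction
    assumed for this example), instead of WEP's IV || key concatenation."""
    return hmac.new(long_term_key, nonce, hashlib.sha256).digest()[:16]


def encrypt_message(long_term_key: bytes, plaintext: bytes) -> tuple:
    """Fresh random nonce per message (sent in the clear), so no keystream repeats."""
    nonce = os.urandom(12)
    return nonce, rc4_crypt(message_key(long_term_key, nonce), plaintext)


def decrypt_message(long_term_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return rc4_crypt(message_key(long_term_key, nonce), ciphertext)


def keystream_reuse_leaks(key: bytes, p1: bytes, p2: bytes) -> bool:
    """True when two messages encrypted under the same keystream reveal p1 XOR p2:
    XORing the ciphertexts cancels the keystream entirely."""
    c1 = rc4_crypt(key, p1)
    c2 = rc4_crypt(key, p2)
    ct_xor = bytes(a ^ b for a, b in zip(c1, c2))
    pt_xor = bytes(a ^ b for a, b in zip(p1, p2))
    return ct_xor == pt_xor
```

Note that RC4, like any raw stream cipher, gives no integrity protection: a flipped ciphertext bit flips the same plaintext bit, so a deployment on the listener's device would still need a MAC over the ciphertext, which WEP's CRC did not provide.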


Question [ 03 ] - Lance Reichert, Itinerant Engineer in Upstate NY asks: How can I Convince Customer Service that Email is Public???

54:32 - 59:03
Question: Recently, one of my credit cards had the idea to show me how convenient paperless statements would be by giving me a temporary enrollment. One of the "features" of these paperless statements was a monthly email announcing the availability of my online statement and detailing my outstanding balance, minimum due, and due date.

They were agreeable enough to remove me from the program immediately upon request, but were unwilling to accept that the practice of putting customers' balances & due dates in email breached those customers' financial privacy and ran afoul of the consumer data protection act. They seemed to think that since I had to log in to my email server to collect my email, it was as secure as my email password.

Is there any compelling argument to offer them that between their server and mine, email is publicly available to anyone who cares to read it?


Answer: Email is typically sent in the clear once you have logged in securely, and anyone sniffing the traffic could read it.
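One concrete way to show a customer-service contact where their statement email travelled unencrypted is to read the Received headers that each relay prepends, since a hop made over TLS is recorded there with an ESMTPS-style protocol name or a TLS version string. The script below is an added example for these notes (not from the show); the two-hop message headers are constructed for the demonstration, and the hostnames, IDs and dates in them are invented.

```python
import re

# Added example, not from the show.  Constructed sample headers (not a real
# message): the outer hop was made over TLS, the inner hop was plain ESMTP,
# and the Subject line itself carries the balance.
SAMPLE_HEADERS = (
    "Received: from mail.example-bank.test (mail.example-bank.test [192.0.2.10])\n"
    "\tby mx.example.test with ESMTPS id 4Abc123\n"
    "\t(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256);\n"
    "\tTue, 14 Dec 2010 10:00:00 +0000\n"
    "Received: from app01.internal (app01.internal [10.0.0.5])\n"
    "\tby mail.example-bank.test with ESMTP id 7Def456;\n"
    "\tTue, 14 Dec 2010 09:59:58 +0000\n"
    "From: statements@example-bank.test\n"
    "Subject: Your statement is ready: balance $1,234.56 due Dec 31\n"
)

# "WITH" protocol values that imply a TLS-protected session.
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# from <host> ... by <host> ... with <protocol>
HOP_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+).*?\bwith\s+(\S+)", re.IGNORECASE)


def unfold_headers(raw: str) -> list:
    """Join folded continuation lines (leading space/tab) back onto their header."""
    fields = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            fields[-1] += " " + line.strip()
        else:
            fields.append(line)
    return fields


def received_hops(raw: str) -> list:
    """Return one dict per Received header, most recent hop first, flagging
    whether that relay reports having received the message over TLS."""
    hops = []
    for field in unfold_headers(raw):
        name, _, value = field.partition(":")
        if name.strip().lower() != "received":
            continue
        match = HOP_RE.search(value)
        if not match:
            continue
        src, dst, proto = match.groups()
        tls = proto.upper() in TLS_PROTOCOLS or "TLS" in value.upper()
        hops.append({"from": src, "by": dst, "with": proto, "tls": tls})
    return hops


def all_hops_encrypted(raw: str) -> bool:
    """True only if every recorded hop claims TLS; a single plain hop means the
    balance in the Subject line crossed that link readable by anyone on it."""
    hops = received_hops(raw)
    return bool(hops) and all(h["tls"] for h in hops)


if __name__ == "__main__":
    for hop in received_hops(SAMPLE_HEADERS):
        print(f"{hop['from']:28} -> {hop['by']:24} {hop['with']:8} TLS={hop['tls']}")
    print("all hops encrypted:", all_hops_encrypted(SAMPLE_HEADERS))
```

Two caveats for anyone using this as evidence: each Received line is written by the relay that received the message and can be wrong or forged, and even when every hop was TLS-protected the message sits decrypted on every server along the way, so link encryption alone does not make a balance-in-the-subject-line practice safe.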


Question [ 04 ] - Didier Stevens in Brussels suggests: RFID tags in wristbands of watches...

59:04 - 01:05:20

Listener Comment: I know someone who keeps his sub-cutaneous RFID tag lodged into the wristband of his wristwatch. He always has it with him, and there's no surgery involved.


Steve's Comment: Many people suggested alternatives to implantation, and the cellphone idea is interesting, but you could lose it


Question [ 05 ] - Efrain in Miami, Florida thinks that an RFID-enhanced cell phone would be good enough...

59:33 - 01:05:20

Listener Comment: I think that rather than implanting a chip into our bodies, we can have a chip implanted into our cell phones. With the chip being in our cell phones, it can handle complex things because it is a powered device. It seems to be a logical choice, because I think we can all agree that our phones are always within reach, and it is more likely for a company to give you a cell phone with the tracking chip than ask you to get a chip surgically implanted.


Steve's Comment: Many people suggested alternatives to implantation, and the cellphone idea is interesting, but you could lose it


Question [ 06 ] - Eric in Palm Coast, Florida reminds us about Bluetooth...

59:53 - 01:05:20

Listener Comment: Concerning having your RFID public key advertised: I know this may be unlikely for most of us, but could you not be the trigger for your own assassination? While this may be an extreme example, could we not be targeted in many other less sinister ways as well?

Additionally, much of what you thought could be cool was available to Bluetooth users a decade ago. Walk into a room and your music would resume, your Mac would unlock, etc. Probably a lot less secure, though.


Steve's Comment: Many people suggested alternatives to implantation, and the cellphone idea is interesting, but you could lose it


Question [ 07 ] - Dustin B in Seattle, Washington wonders about Controlling Bandwidth:

01:05:21 - 01:10:50

Question: How do ISPs limit bandwidth to specific households? I hear so much about digital meaning everything is either on or off, no in between. Clearly the physical connection to my house isn't changing, I am able to change my service speed with my provider without getting a new router. So, how does a company like Comcast suddenly say I am getting 20 Mbit/s or 5 Mbit/s from the same connection?


Answer: The way ISPs function is that the coaxial cable has an insane bandwidth capacity. The bandwidth on the pipe connected to your modem from the outside is massive, and so the ISPs tell your modem how much of the bandwidth to use.


Question [ 08 ] - Ty in Nashville, Tennessee wonders about the security of Google's new Chrome OS?

01:10:51 - 01:15:43

Question: I know it may be a little early to tell, but what do you think of the security of Google's Chrome OS? Much of what I've read makes it sound like it will keep local storage to a minimum and only allow downloading of a small subset of file types, meaning not even running executable code outside of the browser. I've even read that it will monitor system files for changes on startup and repair them if it sees any modifications.

It almost sounds too good to be true from a security standpoint (not privacy, of course, since Google is running the show and users are required to log in with a Google ID to even use the system). Can you think of any obvious drawbacks to the platform, or have you heard of anything that would give you pause in giving it a try?


Answer: Security is only something that can be proven with time. Steve likes that it's been designed with security awareness from the beginning, unlike Windows and the Internet. Steve does know of a program that allows Chrome to run native code.


Question [ 09 ] - Christiaan Conover in Annapolis, Maryland wonders whether a One Time Password (OTP) model would work for RFID tags...

01:15:44 - 01:19:44

Question: I was listening to your discussion on RFID tags which sound very intriguing. Though you mentioned some security concerns (naturally), the benefits & use cases of such technology sound appealing. What I started to realize as I was listening was that some of the uses sound similar to how I use my Yubikey.

This got me thinking: perhaps the Yubikey model is exactly the solution to many of the security concerns around RFID tags. It's already an open protocol & authentication standard which can be implemented by anyone, so it would take care of the need for a standard to be developed. It could be set to issue a one time password at each use, so that somebody trying to clone your chip with a reader wouldn't get much benefit, as all they'd get from a read was that single instance of OTP. Plus, it would give the user the ability to control authorization of use, by requiring them to confirm a certain device or location to be allowed access & be able to revoke it at any time. You could easily send a text message or email to somebody when authorization is needed, which they could reply to & within seconds a new authorization rule could be created on the fly.

Is this possible to do with the way RFID tags work, or have I missed a technical detail that would preclude this? It seems like a proven secure authentication method & a natural choice for a technology like this.


Answer: The problem is that an OTP requires some way of everyone knowing that you've used a password so it can't be used again. So you need a real-time connection to a central server.


Question [ 10 ] - Nick in Thief River Falls says Chrome DOES have Side Tabs!

01:19:45 - 01:22:44

Listener Comment: Side tabs are actually in Chrome already, but labeled experimental. If you type about:flags into Chrome you will get to a settings page where you can enable a Side Tabs context menu option on the tabs context menu.


Steve's Comment: There are lots of nice options hidden in about:flags; you do need to restart after the changes, though.


Question [ 11 ] - Nathan Ramsay from Australia, now in London, wrote the nicest thing we've heard in a long time about the Security Now! podcast...

01:22:45 - 01:24:02

Listener Comment: After studying on and off for a couple of months, I just passed my Security+ exam today. All I can say is that it was a tiresome yawn. This is not a negative on Security+, but a positive on Security Now. Listening to you week after week has imbued me with the ability to understand words like honeypot, least privilege, DNS spoofability, etc. with the greatest of ease. I was amazed at how much everything you've told us follows (sometimes word-for-word) with the best practices that I had to study for this exam. It almost felt like you wrote the exam.

Anyway, I just wanted to thank you for your and Leo's devotion to such a technically useful show and your commitment to provide nothing short of the best.


Steve's Comment:


Question [ 12 ] - Jack D of Port Perry, Ontario, Canada brings us the "Adobe Gotcha!" TIP OF THE WEEK!

01:26:44 - 01:28:57

Listener Comment: I've really enjoyed your SN podcast and wish to thank you and Leo for doing a superb job. I just wanted to pass on to you something I noticed that your listeners should look out for. When I recently updated Adobe Reader from 9.4.1 to the new version X, unlike previous updates (I suppose because this is a new version number) it re-enabled JavaScript AND re-enabled "Allow opening of non-PDF file attachments with external applications" found in the Trust Manager section of Preferences. I'm unsure whether allowing these settings is no longer as much of a security threat under this new sandboxed version, but I thought I should point it out.


Steve's Comment: Turn them back off!

Sponsors

Ford

Carbonite

  • Carbonite.com offer code SecurityNow
  • carb 3
  • Ad times: 1:01-1:12 and 46:03-47:43

GE

Production Information

  • Edited by: tony
  • Notes: