Security Now 326
|Hosts: Leo Laporte and Steve Gibson|
Recorded: 9 Nov 2011
- 1 Security Now 326: Q&A 130
- 1.1 Security Updates
- 1.2 Security News
- 1.3 Miscellany
- 1.4 SpinRite
- 1.5 Questions & Answers
- 1.5.1 Question [ 01 ] - An anonymous listener why higher levels of TLS breaks the lower ones?
- 1.5.2 Question [ 02 ] - Frank C in Mississauga, Canada wants to share news of "The Best Version of Firefox to Date"=
- 1.5.3 Question [ 03 ] - A surprised IT administrator wonders how iPad keep their cool?
- 1.5.4 Question [ 04 ] - Michael Landers in Sunny California ponders whether Arstechnica might be copying our show topics?
- 1.5.5 Question [ 05 ] - Listener Jo-Jo, in the European Union thinks "Internet 2" is a good idea
- 1.5.6 Question [ 06 ] – “Wogsy” in “Flyover Cornfield” comments about Internet Bandwidth
- 1.5.7 Question [ 07 ] - Jon in Lincoln, Nebraska worries about giving Google too many eggs
- 1.5.8 Question [ 08 ] - Fadele Adeolu in Nigeria has been thinking about the diameter of the Internet
- 1.5.9 Question [ 09 ] - Peter "H" in Wiltshire, (as in (s)hear not as in (s)hire,) England wonders what about Lastpass?=
- 1.5.10 Question [ 10 ] - Mario Arce in New York wonders about sending Steve Twitter messages?
- 1.5.11 Question [ 11 ] - Paul Bone in Melbourne, Australia, bring us the “Happy Camper of the Week” Story
- 2 Sponsors
- 3 Production Information
Security Now 326: Q&A 130
Windows 0-day Vulnerability being exploited by the DuQu worm! The Microsoft Windows Kernel is susceptible to an 0-day vulnerability that is being actively exploited in the wild by the W32.Duqu worm. By enticing the target to view a malicious Word document, the worm exploits a previously unknown vulnerability in the Windows kernel to exploit arbitrary code on the target's machine. Technical information about the vulnerability is not available publicly. NOT FIXED YESTERDSAY! See: twitter.com/sggrc http://support.microsoft.com/kb/2639658 MSFT: Executive Summary - Microsoft is investigating a vulnerability in a Microsoft Windows component, the Win32k TrueType font parsing engine. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. We are aware of targeted attacks that try to use the reported vulnerability; overall, we see low customer impact at this time. This vulnerability is related to the Duqu malware. MSFT: Mitigating Factors - By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone, which disables font download by default. If a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario. T2EMBED.DLL
Remote Code Execution Kernel (TCP/IP stack) Vulnerability "This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker sends a continuous flow of specially crafted UDP packets to a closed port on a target system." "The security update addresses the vulnerability by modifying the way that the Windows TCP/IP stack keeps track of UDP packets within memory. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, " "An attacker could exploit this vulnerability by sending a continuous flow of specially crafted UDP packets to a closed port on a target system." "WORKAROUNDS: Block unused UDP ports at the perimeter firewall -- Blocking unused (closed) UDP ports at the perimeter firewall helps protect systems that are behind that firewall from attempts to exploit this vulnerability."
Adobe formally abandons FLASH support on Mobile devices. No further development past v11.1 for Android and Blackberry Playbook. This, following Adobe's announcement of a 7% cut to its global workforce. (750 jobs) Adobe stock down 12% at market open.
Newzbin 2 says almost all of their users already use the workaround BT is using blocking technology called Cleanfeed that it already has in place to block child abuse sites.
Now BT is being asked by another music industry trade group, BPI, to block access to "The Pirate Bay"... or face legal action.
LastPass adds support of the Google Authenticator (Nov 4th, v1.80.0) http://helpdesk.lastpass.com/security-options/google-authenticator/ Google supports Android, iOS & Blackberry Support also available for Windows Phone, webOS and Symbian devices
Browser Makers Revoke Trust for Malaysian Intermediate CA SSL Certificates Mozilla, Microsoft, and Google Was found to be issuing certificates with weak keys Intermediate CA with certificate signed by Texas-based Entrust
Dutch Telecom KPN Halts SSL Certificate Issuing Discovered that servers issuing certs had been compromised, perhaps as long as four years ago!
Apple to seriously enforce Mac OSX App Store Sandboxing March 1, 2012 Developers fear loss of useful features
Did something crawl into TWiT.tv again? http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http://twit.tv/twit
A milestone at 44:28 into TODAY's show... From: "Dejan" in Stockholm, Sweden Subject: 400 hours of SN! Hi Steve and Leo, Congratulations on cumulative 400 hours of Security Now! According to my calculations, you will fill and finish the 400th hour at 44:28 of episode #326. (For the record, I excluded episode SN-185a, "Gray Hair Computing" from this calculation.)
Questions & Answers
Question [ 01 ] - An anonymous listener why higher levels of TLS breaks the lower ones?
Steve, I tried just ADDING TLS v1.1 and TLS v1.2 by enabling them on my system (as you recently described), and I also left TLS v1.0 and SSL v3.0 enabled. But now I get connection errors with some sites. I thought that wasn't supposed to happen?
Hi Steve, I was listening to episode #323, and couldn't agree more with you about Firefox versions 4, 5 and 6, when it comes to memory leaks. I was also ready to give up on Firefox, but they came out with version 7 just in time and I was happy again. I know you don't like using the latest version of things but try version 7. Really. The memory handling has been greatly improved, especially when multiple tabs are left open over night. I usually have 25 to 30 tabs open at all times. Thanks for a great show! Frank ￼￼￼￼￼11 Questions: “Good & True” ￼￼￼
Question [ 03 ] - A surprised IT administrator wonders how iPad keep their cool?
Steve & Leo, I have been a listener of SN since EP 1 , and believe it or not I used to watch TECHTV back in the day! Anyways, I have heard you (Leo) and Steve go on and on about iPad this and iPad that ;) but one thing you both failed to talk about, at least that I can recall, is how well it handles heat. I work I.T. at a public school district which has recently started allowing iPads to connect to our network. When we ordered them for compatibility testing with our network, I figured it would be nothing more then a paper weight... because I love my Droid and windows tablet. But boy was I wrong! I have found that not only can I do just about everything my windows tablet and android can do, but it can run MUCH longer and temperature wise it runs much cooler. So my question for you guys is how did apple manage to keep the thing running so cool and efficient?
Question [ 04 ] - Michael Landers in Sunny California ponders whether Arstechnica might be copying our show topics?
There is an interesting article at http://arstechnica.com/business/news/2011/10/when-passwords-attack-the- problem-with-aggressive-password-policies.ars ... that exactly echoes your comments on password change policies. It's a good article (since it echoes you), however, this is not the first time I have seen an article from ars that closely echos your podcast, shortly after your podcast. Perhaps one of their writers is using your show for inspiration? ￼￼
Question [ 05 ] - Listener Jo-Jo, in the European Union thinks "Internet 2" is a good idea
Hi Steve, You've often mentioned how the original designers of the Internet were only focuses upon getting the mechanics of packet routing to work, and give little attention to security. So it's no wonder that pretty much everything we use today is a failure from security perspective: Ethernet, TCP, BGP, DNS, SMTP, FTP and so on. Maybe the Apple approach of not lugging excessive baggage should have been applied to the internet and most of its crappy protocols 10 years ago. Are DNSSEC and IPV6 the only signs of improvement for Internet 1?
Question [ 06 ] – “Wogsy” in “Flyover Cornfield” comments about Internet Bandwidth
I'm a little perturbed about this notion of selling tiered broadband / DSL service based on the philosophy that a faster data rate costs more because it uses more "bandwidth" and encourages more use (causes more "congestion"). I think this is a rather mischievous if not fraudulent interpretation of electronic throughput. Wouldn't the "tubes" be less congested if all packets were delivered more quickly, clearing buffers and giving routers and servers more "free time" to make fewer errors? I should think more clear open bandwidth would be available for all, if all routers, switches, servers ran at the maximum speed at a flat rate rather than deliberately holding, limiting, buffering or re-routing lower tier data.
Question [ 07 ] - Jon in Lincoln, Nebraska worries about giving Google too many eggs
Steve and Leo, Love the podcast, I am a long time listener, Lastpass & Vitamin D advocate. I have the entire family well educated and believing now. Over the weekend I saw that Lastpass now supports the Google Authenticator http://blog.lastpass.com/2011/11/introducing-support-for- google.html This is great news because I currently use the app on my Android phone to get into my Gmail account. I also know how much more secure 2 factor authentication makes the login process thanks to previous SN episodes. However this makes me wonder if tying so many of my services to Google is a good idea or a potential security problem? What happens if Google were to go down for a few hours? Any thoughts or opinions on this would be appreciated. Are we putting too many eggs in Google's basket?
Question [ 08 ] - Fadele Adeolu in Nigeria has been thinking about the diameter of the Internet
Hello Steve, I work as an IT professional in Nigeria. You should know that many are benefiting from Security Now, even from my part of the world. I was initiated into the Security Now world in 2006, and since then it has been addictive. I have also initiated many others who use the podcast as a learning tool. Well, my question is on the idea of internet diameter discussed in one of the "How internet Works" episode of 2011. You mentioned that "If we ever get more that 255 routers between two points on the internet, NO DATA would be able to get from one end to the other". This very much caught my interest, and have been thinking about it. You didn't sound like there is any possibility of ever reaching this limit. (You didn't sound worried.) But I like to know the extent of the limitation and the likely way out. Now, I like ￼￼ to ask: If this diameter is limited by the 1-byte header of TCPv4 that is used for setting the TTL, how flexible is it to enhance IPv4 to increase the diameter? What will the internet diameter be with IPv6 implementation? Steve, this Internet thing could be a mystery but for guys like you and Leo who are committed to demystifying many topics. Your good job is really making significant impact on the internet community. Please keep it up. Bye for now. Ade
Question [ 09 ] - Peter "H" in Wiltshire, (as in (s)hear not as in (s)hire,) England wonders what about Lastpass?=
Hi Steve and Leo. Great show, thanks, love it. I know you both previously have said good things about LastPass, but with all the talk about password haystacks, Latin Squares and the pros and cons of frequently changing your passwords, I have gained the impression that neither of you actually uses Lastpass. Why? They have solved the problems so elegantly and the job is done! I am aware of the network traffic anomalies that Lastpass detected and understand the implications and possible consequences, and limitations, of any impacts and as such am still happy with them. Are there other concerns that I have missed or do you simply prefer alternative apps/plugins/services etc. I would really appeciate some feed back, even if you don't select this question for the podcast, as I think Lastpass is great and have persuaded family members to adopt it. Consequently, I don't want to give those near and dear to me bad advice if there is something I have missed. Thanks!
Question [ 10 ] - Mario Arce in New York wonders about sending Steve Twitter messages?
I hear on your SecurityNow podcasts you say people send you tweets about some security-related events. Once, a while ago, I tried to make you aware of something, but I could not send you a message via twitter. Did I do something wrong, or you need to follow someone to be able to receive twitter-direct-messages from that person?
Question [ 11 ] - Paul Bone in Melbourne, Australia, bring us the “Happy Camper of the Week” Story
OMG OMG OMG. k2pdfopt, Thanks for sharing this on SN324! I am visually impaired, having about 12.5% of 'normal' vision (I was born cataract blind and after having my cataracts removed I developed glaucoma, and have since developed other vision problems). I bought a Kindle DX with the hope that it would help me read scientific papers more easily. (I'm working on my PhD in Computer Science.) Sadly, I found that zooming into PDFs was too clumsy. Although I love the e-ink screen and reading novels on it (thanks for your recommendations), and I use Audible also. I had pretty much given up trying to read PDFs on my kindle, and have since been waiting for a tablet PC that does this well, such as the Kindle Fire. But now that I've heard about and used k2pdfopt I am SO EXTREMELY happy, I found the website and saw an example where they had converted a PDF into a large print format. I was soo happy that I might be able to read my PDFs comfortably (and believe me, there are a lot to read for my PhD!) ... that I cried a little. Anyway, I know you've simply passed on a message rather than created this product, but I wouldn't have found out about it if it was not mentioned on Security Now. Thanks also to the listener who wrote in about it!
- Edited by:
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|