Security Hype

 

 Security Hype 8.3-Security In the News - Voicemail line 1-866-527-6606 [14:50m]: Play Now | Play in Popup | Download (800)

In this episode, Bill and Bob debunk recent articles on computer security.   

• Gambling site brought to its knees by ‘unstoppable’ botnet -http://software.silicon.com/security/0,39024655,39170296,00.htm?r=11
• Computer Users Expect More Mac Attacks -http://www.informationweek.com/security/showArticle.jhtml?articleID=206504189
• Cyberthieves go phishing to rob banks -http://www.cnn.com/2008/TECH/02/12/cyber.thieves/index.html?eref=rss_topstories
• State of the Malware Nation - http://blog.johnath.com/index.php/2008/02/26/state-of-the-malware-nation/

See you at RSA 2008. And special thanks to Lee Anne for helping us out with this episode! If you have comments or suggestions for the show, share them by calling 1-866-527-6606 or emailing us at comments@securityhype.com.   

 

 Security Hype 8.2-Industry Predictions for 2008 - Voicemail line 1-866-527-6606 [22:00m]: Play Now | Play in Popup | Download (829)

Bill and Bob discuss what other people think are the information security trends for 2008.

Paul Kocher’s theory is that you don’t “win” at security, the best you can hope for is to be able to keep playing: a “stalemate” mentality versus a “checkmate” mentality. That’s a great theory, but Bill’s trying to figure out how we declare “success” in the computer and information security space. For instance, by what measure can we declare that we’ve done a better job in 2007 than in 2006?

What do YOU think will rock the security world in 2008?

Links discussed or referenced in the show:

• Data breach statistics: The number of records stolen per second has increased from 1.7 to 5.1 between 2006 and 2007: http://etiolated.org/statistics
• A good statistical writeup:  http://www.privacyrights.org/ar/DataBreaches2006-Analysis.htm
• Data breaches are on the decline (what does THAT mean?): http://etiolated.org/
• Symantec 2008 predictions:
  • Decentralized bot nets {Bill: that’s already been done!}
  • popular websites spreading malware; especially social network sites
  • Mobile phones (move to where the users are)
  • Virtual worlds (Did 2nd life already jump the shark?)
  • Election/political hacks, phishing, DoS {Check out the security cartoon interview from episode 7.10}
• Ed Felten:
  • From the site’s comments: A new kind of botnet will come into existence (or at least, be discovered), without a visible control channel. It will be designed to be autonomous and evolve slowly. Stealthy, many variants will remain below the radar of bot hunters. {Bill: doesn’t that already exist?}
  • A Facebook application will cause a big privacy to-do.
  • {Bill: I think a ad-related version of this will happen.}

 

 Security Hype 8.1-Our 2008 Predictions - Voicemail line 1-866-527-6606 [12:22m]: Play Now | Play in Popup | Download (772)

Show Notes for 8.1:

1. Shout-outs to:
   1. Thank you to the mysterious and powerful Bill @ Apple for technical assistance
   2. Thank you to Wil Becker (http://ironwil.net/blog/) for adding us to his blogroll - THANKS!
2. Bob’s sarcastic predictions:
   1. Microsoft will claim that Vista will be the most secure OS EVAR!
   2. Virtualization will prove to be a new shiny toy for malware authors. Or at least someone will demonstrate something cool to the press.
   3. Reasonably sane people will start taking themselves “off the grid”. Social networking sites will continue to leak private information, and the benefits of social nets will be lower than the costs for some people.
   4. Sarbanes and Oxley will win the Nobel Peace Prize.
   5. 2008 will be the year of PKI!
3. Bill’s predictions:
   1. People will become desensitized to PII breaches, news overage will wane, people will get blasé about it
   2. Macs OS X will see its first really solid malware attack that will be a wake-up call to Mac users to finally check (enable!, for Tiger) their firewalls and install AV scanning software. Free = ClamXav
      1. Will it force Leopard upgrades? If hackers are smart, their attack will be Leopard compatible.
   3. Overly greedy, warring botnet factions will fight each other and briefly take out parts of the Internet in collateral damage
      1. site:phishing toolkits with backdoors
   4. IPv6 will start to gain traction and we’ll start seeing IPv6 hacks (finally), which is probably an inevitable phase for any technology to become ubiquitous.
   5. The corp security industry (cutbacks, less to spend) will be focused on maintaining compliance, moving away from “risk management” and “ROI”. Watch for more marketing messages in that vain.
   6. No massive attack on cell phone networks or SCADA. (And would we ever find out?)
   7. Malware served via ads, serve up malware (related to legit web site defacement)
      1. Ad distribution become decentralized, democratized, less trustworthy

Have predictions of your own? Post them below or call the studio voice mail line!

 

 Security Hype 7.12-Vista UAC a year later, MiTM attacks at the office, Crypto Key Size Recommendations, Macs under attack - Voicemail line 1-866-527-6606 [29:55m]: Play Now | Play in Popup | Download (1376)

How paranoid are you? keylength.com

What RSA keysizes are you using at your company? What is your guidance? Are you sticking with RSA or moving to ECC?
Macs are under attack (include link to new trojan house): http://machinist.salon.com/blog/2007/11/02/mac_trojan/

eweek article link

full disclosure versus responsible disclosure (link to resp. disclosure RFC)

mac versus windows updates: Windows does a better job because it auto installs, does it auto reboot? Macs will go weeks/months with patches pending and won’t auto reboot. Does Leopard fix this? Do you actually need to *reboot*

 

 Listener feedback, network_monitering, new FireFox3 security - Voicemail line 1-866-527-6606 [38:49m]: Play Now | Play in Popup | Download (1171)

Bill and Bob address listener feedback on SiteKey and the security distinction between signature versus encryption. Bill’s Paypal securitykey arrived, and he reviews the activation process and tries it out for few days. Despite the fact that it won’t protect against phishing attacks, find out why he ended up deactivating it on his ebay account afterall.

Bob’s worried about his Internet security when staying at a hotel. How can you be certain that no one’s snooping on your traffic? Do you have any suggestions? Bob’s also wondering how can you tell if his employer is monitoring his personal traffic while at work? A question for the listeners: Does your company’s VPN enforce split tunneling or not? We’ll cover the results in an upcoming episode.

Finally, here about upcoming changes to FireFox 3’s security libraries. New crypto routines and security UI in FireFox!?!

What do you want us to cover in upcoming episodes? Send your show suggestions and feedback to comments@SecurityHype.com. And if you like this show (and even if you don’t), we’d be honored if you would submit a review in iTunes.

Thank you for listening!

 

 Security Hype 7.10-SecurityCartoon.com - Voicemail line 1-866-527-6606 [32:00m]: Play Now | Play in Popup | Download (1145)

Bill and Bob interview Dr. Markus Jakobsson and Dr. Sukamol Srikwan, creators of SecurityCartoon.com. It’s not your ordinary comic strip: Over a year of research when into this innovative and friendly information security educational methodology. Learn the background on this effective security countermeasure and why everyone — especially information security professionals — need to pay attention to this teaching method.

Please send your feedback and other show ideas to comments@SecurityHype.com or call our toll-free voice mail line at 1-866-527-6606

Thanks for listening!

Other links mentioned in this episode:

• Markus Jakobsson: Associate Professor of Informatics and Associate Associate Professor of Cognitive Science
• Sukamol Srikwan Jakobsson: Research Associate / Staff Scientist; The Center for Genomics and Bioinformatics
• October is National Cyber Security Awareness Month - learn how to stay safe on the Internet!
• Messin’ with Texas, Deriving Mother’s Maiden Names Using Public Records
• Cartoon showing phishing and URL obfuscation
• www.SecurityCartoon.info - Whitepaper and study behind the cartoon.

Cartoons embedded in this podcast were reproduced with permission. Please visit www.SecurityCartoon.com for more material.

 

 How Netscape tried to keep ahead of the hackers [10:37m]: Play Now | Play in Popup | Download (1046)

Bill and Bob invite Bob Relyea back to reminisce on Netscape’s early challenges to keep “strong crypto” out of the hands on “non US Domestic” persons, as declared by US Export Restrictions laws. The race was one! You’ll hear what Netscape crypto engineers did to try to stay ahead of the hackers, and the level of effort the hackers used to circumvent them.  This is the classic “cat and mouse” game. Check out the old Fortify effort, which has been frozen circa 2000 when Netscape released version 4.73 that included 128-bit crypto to everyone.

Paul Kocher did a great job at explaining the real challenge faced by security developers: Why companies want to make this a “Stalemate” problem instead of a “Checkmate” one. (PDF Link)

Send your show suggestions and feedback to comments@SecurityHype.com or call the studio line at 1-866-527-6606.

 

 Security Hype 7.8-Bob Relyea AACS Part 2: Practical implications of key compromises [16:00m]: Play Now | Play in Popup | Download (1133)

Bill and Bob wrap up their interview with Bob Relyea who describes the practical implications to the AACS key compromise.

Bill recounts the story of the satellite pirates who were locked out by DirecTV in the middle of the Superbowl, sometimes called “Black Sunday”. DirecTV had been slowly downloading a pirate detection and lockout routine, byte by byte, over the course of a few weeks. When activated, this routine disabled the hacked cards. So anti-pirate measures can be quite affective, at least in the short term.

We ask Bob Relyea a number of questions about the AACS crack, and whether or not it’s a big deal. Is AACS really better than the old CSS system? We explore the issue of using well-known crypto standards, and if the content protection people learned from their CSS mistakes. We also talk about what steps we might see the studios take.

Here’s a good Wired article: http://blog.wired.com/gadgets/2007/02/the_new_hddvdbl.html

There are loads of other sites on the web. Search for “09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0” or “09 F9 key”.

Send your show suggestions and feedback to comments@SecurityHype.com or call the studio line at 1-866-527-6606.

Thank you for listening!

 

 Security_Hype_7.7-RSA_Key_Compromise_and_AACS_key_management_details: Play Now | Play in Popup | Download (1289)

Bob Relyea, a PKI and cryptographic engineer, joins Bill and Bob to discuss the recent RSA and AACS key compromises in depth.

In the news, we’ve been reading about how researchers have been able to factor a very large number which is 307 digits long. Bob Relyea helps us understand if these results help spell doom for 1024-bit RSA or if it’s a non-event. Are there implications for Diffie-Hellman and DSA as well?

We’ve also been reading about AACS, a new DVD content protection scheme aimed at preventing piracy of the new high-definition DVDs. One of the AACS keys was found and posted on the web, including on Digg. Digg management removed the key, triggering a user revolt at Digg. A summary posted on BoingBoing nicely describes the event and Digg’s decision to side with its users, risking legal action by the DVD industry.

Bob Relyea helps us understand what AACS really is, how it works, and how it attempts to address the security flaws the previous standard. Bob will help us understand whether or not a key compromise like the one highlighted on Digg represents a real problem for the motion picture industry.

If you like the show, please go to iTunes and add your reviews to our podcast. If you have suggestions for show topics or have comments on this episode please send your feedback to comments@SecurityHype.com

Thanks for listening!

 

 Security Hype 7.6-SiteKey (not) broken and Mozilla's radical Security UI idea [30:03m]: Play Now | Play in Popup | Download (1121)

Bill and Bob peel back the hype on “SiteKey is broken!” claims and find that it’s working as designed. SiteKey isn’t broken, but computer security user interface design IS broken. User’s don’t know how to evaluate when computer systems are behaving securely, and are struggling to stay safe on the Internet.

New MIT & Harvard research indicates that people don’t know that the ABSENCE of security information on a banking website means “danger”. More evidence that security usability - particularly with web browsers - is in a sad state.

Microsoft’s support for EV SSL certificates has several new UI changes in the IE browser in an attempt to help people make security determinations. The Mozilla Foundation is considering taking a radically different approach. Jonathan Nightingale believes that SSL web connections is not about encryption, it’s about identity of the website you’re connecting to. Is the Lock Icon going away!?! Will this actually work and protect users on the Internet? Does this make sense? Send us your thoughts to comments@SecurityHype.com. We’ll try to get Jonathan on the show.

DiscoverCard’s fraud detection process is being exploited by hackers through “phone phishing” attacks. We tried to explain this to the DiscoverCard operator and they just didn’t understand the attack vector. Credit card companies spend millions of dollars printing and issuing credit cards to people, why would they use a different phone number for their customers to call and report fraud? They should be encouraging customers to use a simple, verifiable, and secure process.

What other silly security processes have you run across?

If you like the show, please go to iTunes and add your reviews to our podcast. If you have suggestions for show topics or have comments on this episode please send your feedback to comments@SecurityHype.com

Thanks for listening!

 

 Security Hype 7.5-CreditCard Skimming, Setting up Secure Email: Play Now | Play in Popup | Download (1261)

Bill and Bob discuss credit card skimming, how is this risk different than exposing your CC number over the Internet? In this episode you’ll learn how to secure your email using FireFox and Thunderbird. You’re using 2048-bit RSA keys, right? And you’re backing up your digital certificates and private keys too, yes? Once you get your certificate, send us an encrypted email using our certificate!

Alternative instructions: Outlook and Apple Mail.

Did you know that if you aren’t digitally signing AND encrypting your email, the message isn’t truly secure? Bob discusses this subtle but important distinction. If this doesn’t make sense, let us know and we’ll cover this in more depth.

Free S/MIME certificates are available from Comodo (Windows only) and Thawte. Remember that with Thawte you have to “join” their system.

If you’re enjoying our podcast, we’d appreciate hearing more feedback from you and seeing your reviews at iTunes. If you have comments, suggestions or know where Bob, Alice, Eve and Mallory are please contact us at comments@SecurityHype.com.

Thank you for listening!

 

 Security Hype 7.4 - OCSP, CRL, and Vista's new SSL tricks: Play Now | Play in Popup | Download (1144)

Bill and Bob catch up on listener feedback, then delve into more details about digital certificates. Certificates and private keys may become compromised before they expire. CRL and OCSP are two methods that applications and systems can verify the status of digital certificates. Microsoft Vista, for the first time, now performs certificate revocation status checking by default. This is a good thing and we hope other systems and applications follow their lead.

Do you use CRLs, OCSP, or something else in your PKI? How did you decide which protocol to support, if any? We’d love to know. Have you encountered any OCSP-related errors in Vista? We have, and we’ll talk about them in upcoming episodes.

If you’d like to join the conversation, send your feedback to comments@SecurityHype.com. Thank you for listening!

 

 Enhanced Podcast [18:30m]: Play Now | Play in Popup | Download (1130)

Bob and Bill discuss their impressions of the RSA 2007 Security Conference. It seems to be getting less “technical” and more “business focused”, but Bill was underwhelmed. Bob notices that all the good security company names are taken. What were your thoughts of the conference, did you find it as helpful as previous years?In the new “Vendor Smackdown” section, Bill tries to figure out what problem PC Magazine’s “CoverUp” program was designed to solve. Do you use it and find it useful? Tell us if we’re missing something.

Send your smackdown nominees, suggestions, or feedback to Comments@SecurityHype.com

Links referenced in this episode:

• RSA Security Conference 2007
• PC Magazine’s CoverUp

And thanks for listening!

 

 Enhanced Podcast [39:42m]: Play Now | Play in Popup | Download (1265)

Many banks encourage phishing through their use of inconsistent user interfaces and the improper use of SSL, both putting their customers’ credentials at risk. Financial institutions invent their own email security schemes that are readily copied by hackers and provide no real security. Bill and Bob describe several examples of how bad web and email security practices confuse their customers and weaken the total online security experience. They also provide some suggestions based on solid security practices.

Think SSL is too expensive to deploy? That’s 20th century thinking! Bob’s team has lab test statistics to refute that old myth: http://boblord.livejournal.com/1538.html

Links referenced in this email:

1. ETrade “Secure” Email which dilutes the security lock icon’s value
2. NetCraft Phishing Link
3. NetCraft Surveys
4. Yahoo! endangers, confuses uses instead of using SSL to begin with
5. SSL security warnings don’t stop users from getting hacked
6. Google’s SSL warnings don’t stop users either
7. Fake Chase phishing email #1
8. Fake Chase phishing email #2

Thank you for listening! Please send your comments, suggestions, and feedback to comments@SecurityHype.com.

 

 Enhanced Podcast [15:39m]: Play Now | Play in Popup | Download (1474)

Bill and Bob discuss misinformation about SSL represented in the February issue of Popular Mechanics and from BEA technical documents. We also discuss why hackers aren’t concerned by PayPal’s announcement to issue One Time Password (OTP) tokens to protect their members: the hackers already know how to defeat them.

(Technical glitch: the 8-second gap in the beginning of the audio will be fixed by our next episode.)

Please send your comments, suggestions, and feedback to comments@SecurityHype.com. And thank you for listening!