Archive for the S/MIME Category

 
Security Hype 7.12-Vista UAC a year later, MiTM attacks at the office, Crypto Key Size Recommendations, Macs under attack - Voicemail line 1-866-527-6606 [29:55m]

How paranoid are you? keylength.com

What RSA keysizes are you using at your company? What is your guidance? Are you sticking with RSA or moving to ECC?
Macs are under attack (include link to new trojan horse): http://machinist.salon.com/blog/2007/11/02/mac_trojan/

eweek article link

full disclosure versus responsible disclosure (link to resp. disclosure RFC)

Mac versus Windows updates: Windows does a better job because it auto-installs, but does it auto-reboot? Macs will go weeks or months with patches pending and won’t auto-reboot. Does Leopard fix this? Do you actually need to *reboot*?

 
Security Hype 7.6-SiteKey (not) broken and Mozilla's radical Security UI idea [30:03m]

Bill and Bob peel back the hype on “SiteKey is broken!” claims and find that it’s working as designed. SiteKey isn’t broken, but computer security user interface design IS broken. Users don’t know how to evaluate when computer systems are behaving securely, and are struggling to stay safe on the Internet.

New MIT & Harvard research indicates that people don’t know that the ABSENCE of security information on a banking website means “danger”. More evidence that security usability - particularly with web browsers - is in a sad state.

Microsoft’s support for EV SSL certificates has several new UI changes in the IE browser in an attempt to help people make security determinations. The Mozilla Foundation is considering taking a radically different approach. Jonathan Nightingale believes that SSL web connections are not about encryption; they are about the identity of the website you’re connecting to. Is the Lock Icon going away!?! Will this actually work and protect users on the Internet? Does this make sense? Send us your thoughts to comments@SecurityHype.com. We’ll try to get Jonathan on the show.

DiscoverCard’s fraud detection process is being exploited by hackers through “phone phishing” attacks. We tried to explain this to the DiscoverCard operator and they just didn’t understand the attack vector. Credit card companies spend millions of dollars printing and issuing credit cards to people, why would they use a different phone number for their customers to call and report fraud? They should be encouraging customers to use a simple, verifiable, and secure process.

What other silly security processes have you run across?

If you like the show, please go to iTunes and add your reviews to our podcast. If you have suggestions for show topics or have comments on this episode please send your feedback to comments@SecurityHype.com

Thanks for listening!

 
Security Hype 7.5-CreditCard Skimming, Setting up Secure Email

Bill and Bob discuss credit card skimming: how is this risk different from exposing your CC number over the Internet? In this episode you’ll learn how to secure your email using Firefox and Thunderbird. You’re using 2048-bit RSA keys, right? And you’re backing up your digital certificates and private keys too, yes? Once you get your certificate, send us an encrypted email using our certificate!

Alternative instructions: Outlook and Apple Mail.

Did you know that if you aren’t digitally signing AND encrypting your email, the message isn’t truly secure? Bob discusses this subtle but important distinction. If this doesn’t make sense, let us know and we’ll cover this in more depth.

Free S/MIME certificates are available from Comodo (Windows only) and Thawte. Remember that with Thawte you have to “join” their system.

If you’re enjoying our podcast, we’d appreciate hearing more feedback from you and seeing your reviews at iTunes. If you have comments, suggestions or know where Bob, Alice, Eve and Mallory are please contact us at comments@SecurityHype.com.

Thank you for listening!
