Archive for the SSL Category

Security Hype 9.1 - MD5 and SSL - A Public CA's perspective - Voicemail line 1-866-527-6606 [24:11m]

You’ve read about the attacks against MD5/SSL, but what did the public CAs do? Ignore the hype and hear from a real CA what this attack meant and what lessons you can take away for future crypto vulnerabilities.

Bill and Bob discuss the hype behind “Internet Security is TOTALLY BROKEN now!” and “SSL IS DEAD!” We talk to Dr. Rolf Lindemann from TC TrustCenter to hear how one public CA handled this incident. One lesson learned: when a crypto algorithm is first announced to be weak, you should plan WHEN you will migrate away from it. Waiting until a practical attack is announced (if it IS announced) is not a safe strategy.

(Apologies for the poor sound quality; we had a lot of problems with our remote recording capability which we are addressing. Rolf had to call in via a different method in the final bit of the show.)

Links discussed in the show:

Researcher’s website

Chaos Computer Club video

Other links that describe the attack:

TechRepublic

ArsTechnica

More good research:

2004: MD5 first discovered to be vulnerable (someday)

Security Hype 7.12 - Vista UAC a year later, MiTM attacks at the office, Crypto Key Size Recommendations, Macs under attack - Voicemail line 1-866-527-6606 [29:55m]

How paranoid are you? keylength.com

What RSA keysizes are you using at your company? What is your guidance? Are you sticking with RSA or moving to ECC?
Macs are under attack (include link to new trojan horse): http://machinist.salon.com/blog/2007/11/02/mac_trojan/

eweek article link

Full disclosure versus responsible disclosure (link to resp. disclosure RFC)

Mac versus Windows updates: Windows does a better job because it auto-installs, but does it auto-reboot? Macs will go weeks/months with patches pending and won’t auto-reboot. Does Leopard fix this? Do you actually need to *reboot*?

Listener feedback, network monitoring, new FireFox3 security - Voicemail line 1-866-527-6606 [38:49m]

Bill and Bob address listener feedback on SiteKey and the security distinction between signature versus encryption. Bill’s PayPal security key arrived, and he reviews the activation process and tries it out for a few days. Despite the fact that it won’t protect against phishing attacks, find out why he ended up deactivating it on his eBay account after all.

Bob’s worried about his Internet security when staying at a hotel. How can you be certain that no one’s snooping on your traffic? Do you have any suggestions? Bob’s also wondering how you can tell if your employer is monitoring your personal traffic while at work. A question for the listeners: Does your company’s VPN enforce split tunneling or not? We’ll cover the results in an upcoming episode.

Finally, hear about upcoming changes to FireFox 3’s security libraries. New crypto routines and security UI in FireFox!?!

What do you want us to cover in upcoming episodes? Send your show suggestions and feedback to comments@SecurityHype.com. And if you like this show (and even if you don’t), we’d be honored if you would submit a review in iTunes.

Thank you for listening!

How Netscape tried to keep ahead of the hackers [10:37m]

Bill and Bob invite Bob Relyea back to reminisce on Netscape’s early challenges to keep “strong crypto” out of the hands of “non US Domestic” persons, as declared by US Export Restrictions laws. The race was on! You’ll hear what Netscape crypto engineers did to try to stay ahead of the hackers, and the level of effort the hackers used to circumvent them. This is the classic “cat and mouse” game. Check out the old Fortify effort, which has been frozen since circa 2000, when Netscape released version 4.73 that included 128-bit crypto for everyone.

Paul Kocher did a great job at explaining the real challenge faced by security developers: Why companies want to make this a “Stalemate” problem instead of a “Checkmate” one. (PDF Link)

Send your show suggestions and feedback to comments@SecurityHype.com or call the studio line at 1-866-527-6606.

Security Hype 7.6 - SiteKey (not) broken and Mozilla's radical Security UI idea [30:03m]

Bill and Bob peel back the hype on “SiteKey is broken!” claims and find that it’s working as designed. SiteKey isn’t broken, but computer security user interface design IS broken. Users don’t know how to evaluate when computer systems are behaving securely, and are struggling to stay safe on the Internet.

New MIT & Harvard research indicates that people don’t know that the ABSENCE of security information on a banking website means “danger”. More evidence that security usability - particularly with web browsers - is in a sad state.

Microsoft’s support for EV SSL certificates has several new UI changes in the IE browser in an attempt to help people make security determinations. The Mozilla Foundation is considering taking a radically different approach. Jonathan Nightingale believes that SSL web connections are not about encryption; they’re about the identity of the website you’re connecting to. Is the Lock Icon going away!?! Will this actually work and protect users on the Internet? Does this make sense? Send us your thoughts at comments@SecurityHype.com. We’ll try to get Jonathan on the show.

DiscoverCard’s fraud detection process is being exploited by hackers through “phone phishing” attacks. We tried to explain this to the DiscoverCard operator and they just didn’t understand the attack vector. Credit card companies spend millions of dollars printing and issuing credit cards to people, why would they use a different phone number for their customers to call and report fraud? They should be encouraging customers to use a simple, verifiable, and secure process.

What other silly security processes have you run across?

If you like the show, please go to iTunes and add your reviews to our podcast. If you have suggestions for show topics or have comments on this episode, please send your feedback to comments@SecurityHype.com.

Thanks for listening!

Security Hype 7.4 - OCSP, CRL, and Vista's new SSL tricks

Bill and Bob catch up on listener feedback, then delve into more details about digital certificates. Certificates and private keys may become compromised before they expire. CRL and OCSP are two methods by which applications and systems can verify the revocation status of digital certificates. Microsoft Vista, for the first time, now performs certificate revocation status checking by default. This is a good thing and we hope other systems and applications follow their lead.

Do you use CRLs, OCSP, or something else in your PKI? How did you decide which protocol to support, if any? We’d love to know. Have you encountered any OCSP-related errors in Vista? We have, and we’ll talk about them in upcoming episodes.

If you’d like to join the conversation, send your feedback to comments@SecurityHype.com. Thank you for listening!

Enhanced Podcast [39:42m]

Many banks encourage phishing through their use of inconsistent user interfaces and the improper use of SSL, both putting their customers’ credentials at risk. Financial institutions invent their own email security schemes that are readily copied by hackers and provide no real security. Bill and Bob describe several examples of how bad web and email security practices confuse their customers and weaken the total online security experience. They also provide some suggestions based on solid security practices.

Think SSL is too expensive to deploy? That’s 20th century thinking! Bob’s team has lab test statistics to refute that old myth: http://boblord.livejournal.com/1538.html

Links referenced in this email:

  1. ETrade Secure Email: Diluting the lock icon’s value
  2. NetCraft Phishing Link
  3. NetCraft Surveys
  4. Yahoo! endangers, confuses users instead of using SSL to begin with
  5. SSL security warnings don’t stop users from getting hacked
  6. Google’s SSL warnings don’t stop users either
  7. Fake Chase phishing email #1
  8. Fake Chase phishing email #2

Thank you for listening! Please send your comments, suggestions, and feedback to comments@SecurityHype.com.

Enhanced Podcast [15:39m]

Bill and Bob discuss misinformation about SSL represented in the February issue of Popular Mechanics and from BEA technical documents. We also discuss why hackers aren’t concerned by PayPal’s announcement to issue One Time Password (OTP) tokens to protect their members: the hackers already know how to defeat them.

(Technical glitch: the 8-second gap in the beginning of the audio will be fixed by our next episode.)

Please send your comments, suggestions, and feedback to comments@SecurityHype.com. And thank you for listening!
