TWiT’s Brian Brushwood and Tom Merritt are headed to Dragon*Con in Atlanta Georgia, September 3-5, streaming live from one of the biggest SciFi/Fantasy/Geekfests in the world. They’ll be streaming the parade of costumed awesomeness, walking through the hotels talking with cosplayers, and sneaking into parties where nobody should probably bring a camera.

If you’re going to be in Atlanta, be sure to head to our meetup on Saturday night at 6 PM Eastern at the Sundial Restaurant in the Westin Peachtree Hotel.

Coverage begins Saturday morning at 10 AM Eastern/7AM Pacific at live.twit.tv. Here’s the full schedule

Live on TWiT

• Friday September 3 7 PM Eastern/4 PM Pacific NSFW Show Live – Brian Brushwood and Justin Robert Young bring their Internet madness and hilarity to Dragon*Con. Expect the unexpected and special surprise guests. (1 Hour)
• Saturday September 4 10 AM Eastern/7 AM Pacific Dragon*con Parade – ever seen 20 wookies walk through the center of a major metropolitan area? Followed by a battalion of Stargate Officers, who are being chased by a dozen Boba Fetts? Well, then you haven’t seen the Dragon*Con parade. (2-3 Hours)
• 8 PM Eastern/5 PM Pacific Meetup and Party tour – Tom Merritt gives you a glimpse inside the TWiT meetup at the Sundial Restaurant, then heads out to Brian Brushwood’s magic show. Afterward they’ll sample some of the Dragon*Con nightlife. Geek parties! (2 hours)
• Sunday September 5 12:00 PM Eastern/9 AM Pacific Dragon*con tour – Tom and Brian walk through the hotels meeting and chatting with stars and fans alike. You’ll get to hang out at Dragon*Con without ever leaving home. (2 hours)

See you this weekend in Atlanta!

Great news: Apple will be streaming its event today live at apple.com – finally. Unfortunately the stream will only work with Apple products: iOS 3.0 or better devices or Safari. I suspect that’s because Apple wants to show off its new http streaming capability – perhaps related to an announcement they’ll make today.

We’ll do our own breaking coverage and analysis of the event starting at 12:30p Eastern/9:30 Pacific/1630 UTC at http://live.twit.tv with Andy Ihnatko, Alex Lindsay, Tom Merritt and me. Live coverage will be followed by MacBreak Weekly immediately after Steve leaves the stage.

Podcaster Leo Laporte, the everywhere man | Technology | Los Angeles Times

• Tim O’Reilly, founder of O’Reilly Media, author Gov 2.0
• Jennifer Pahlka, founder and executive director of Code for America
• Carolyn Lawson, Deputy Director, Technology Services Governance Division, Director eServices, State of California
• Andrew Hoppin, Chief Information Officer for the New York State Senate
• John Wonderlich, Policy director of the Sunlight Foundation

Join us and discuss Government 2.0.

Show Notes

Windows Phone Secrets completed this week

I’ll never do this again. Never!

Windows Phone news: Marketplace opening and final developer tools scheduled

Final version of Visual Studio for Windows Phone and Expression Blend on September 16 Marketplace for Windows Phone in early October

SBS “Aurora” and WHS “Vail”: Some notes from the battlefield

I’m implementing both of these solutions here in Maison du Thurrott – There’s a lot to learn

Hotmail EAS coming soon

Push, over-the-air access to Hotmail-based email, calendar, contacts and tasks on supported mobile devices for one and all

Yahoo Search completes transition to Bing

US and Canada, English only. Other languages (French, Spanish) in week; other countries throughout 2011 and 2012

Internet Explorer 9 UI revealed

It looks like Chrome, which is a wise move in my opinion.

Small Office Web Apps update gives hope for the future

Nothing major, functionally, but if they can keep updates coming on this schedule, Microsoft will prove they “get” the online market

Halo: Reach pirated

Gamers who download and play pirated versions face “permaban” from Xbox Live.

Related: This is a *huge* year for Xbox 360 gaming

I’ve preordered Halo: Reach, Call of Duty Black Ops, Medal of Honor, Assassin’s Creed: Brotherhood, the Kinect and several Kinect titles. This should make up for July nicely.

Intel and McAfee: A second look

Maybe this wasn’t so crazy after all

Microsoft late to the tablet game? What about HP? What about Google?

Microsoft gets a lot of crap for its slow response to the iPad. But they’re moving faster than the other so-called, would-be competition. I’m looking at you, HP (WebOS Tablet) and Google (Android).

Windows 7 Feature of the Week: Parental Controls

The parental control functionality that debuted in Windows Vista is updated in Windows 7 to support multiple games rating systems and parental control providers, while some functionality is pushed out to Family Safety, part of Windows Live Essentials (and is thus updated more frequently).

Windows 7 Tip of the Week: Create a wireless hosted network using a hidden feature in Windows 7

This was originally going to have a GUI, but Microsoft took it out of Windows 7 because it doesn’t work with every wireless adapter. But if you do have a compatible wireless adapter, you can share a wireless connection using the same wireless adapter, or share a wired connection with the wireless adapter. There’s a third party utility we’ve recommended called Connectify that does this. Or you can simply configure it yourself.

Audible pick of the week

The Big Lie: Spying, Scandal and Ethical Collapse at Hewlett Packard
“Anthony Bianco gets to heart of the ethical morass at HP that ended up damning the entire board that created it. Almost every American has an interest in how the country’s greatest corporations are run, and the character of the people entrusted with them. The story of Hewlett-Packard reflects power struggles that shape corporate America and is an alarming morality tale for our times.”

Software pick of the week

Similarity
Compares music files on your PC and looks for duplicates. Why is it special? Because it doesn’t just compare meta-data or file names, it actually compares the contents of the files.

Thanks to Andrew Simek for the tip!

Also: Scrim, a way to hide your email address from spammers and scammer

Thanks to David Sherman for the tip!

Security Updates:

Adobe forced to release Out-Of-Cycle Updates after BlackHat & Defcon:

• Not scheduled until October 12th but couldn’t wait.
• Upgrade Adobe Reader to v9.3.34 for Windows/Mac/Unix
• Adobe Acrobat to v9.3.4 for Windows/Mac
• Adobe Reader & Acrobat to v8.2.4 (cross-platform).

Google Chrome: v5.0.375.127

Fixes 10 vulnerabilities, two of which are considered critical and six of which are considered high risk. Google did not release any details about the vulnerabilities. It blocked public access to its bug-tracking database to prevent the flaws from being exploited before most people were upgraded to the latest version of the browser. One of the critical flaws could be exploited to cause memory corruption; the other could cause a crash on shutdown.

Apple: Security Update 2010-005

84 Mb Security Update

ATS

• Impact: Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution
• Description: A stack buffer overflow exists in Apple Type Services’ handling of embedded fonts. Viewing or downloading a document containing a maliciously crafted embedded font may lead to arbitrary code execution. This issue is addressed through improved bounds checking.

CFNetwork: (Core Services Networking Framework)

• Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information Description: CFNetwork permits anonymous TLS/SSL connections. This may allow a man-in-the-middle attacker to redirect connections and intercept user credentials or other sensitive information. This issue does not affect the Mail application. This issue is addressed by disabling anonymous TLS/SSL connections.

ClamAV

• Impact: Multiple vulnerabilities in ClamAV
• Description: Multiple vulnerabilities exist in ClamAV, the most serious of which may
  lead to arbitrary code execution. This update addresses the issues by updating
  ClamAV to version 0.96.1. ClamAV is distributed only with Mac OS X Server systems.
  Further information is available via the ClamAV website at http://www.clamav.net/

CoreGraphics

• Impact: Opening a maliciously crafted PDF file may lead to an unexpected application
  termination or arbitrary code execution
• Description: A heap buffer overflow exists in CoreGraphics’ handling of PDF files. Opening a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking.

libsecurity

• Impact: An attacker in a privileged network position who can obtain a domain name that
  differs only in the last characters from the name of a legitimate domain may impersonate
  hosts in that domain
• Description: An issue exists in the handling of certificate host names. For host names
  containing three or more components, the last characters are not properly compared.
  In the case of a name containing exactly three components, only the last character is
  not checked. For example, if an attacker in a privileged network position could obtain a
  certificate for www.example.con the attacker can impersonate www.example.com. This
  issue is addressed through improved handling of certificate host names.

PNG

• Impact: Loading a maliciously crafted PNG image may lead to an unexpected application termination or arbitary code execution.
• Description: A buffer overflow exists in PHP’s libpng library. Loading a maliciously
  crafted PNG image may lead to an unexpected application termination or arbitary code
  execution. This issue is addressed by updating libpng within PHP to version 1.4.3.

PHP

• Impact: Multiple vulnerabilities in PHP 5.3.1
• Description: PHP is updated to version 5.3.2 to address multiple vulnerabilities, the most
  serious of which may lead to arbitary code execution. Further information is available via
  the PHP website at http://www.php.net/

Samba

• Impact: An unauthenticated remote attacker may cause a denial of service or arbitrary code execution.
• Description: A buffer overflow exists in Samba. An unauthenticated remote attacker may
  cause a denial of service or arbitrary code execution by sending a maliciously crafted
  packet. This issue is addressed by performing additional validation of packets in Samba.

Security News

Microsoft/Windows: New Problem: “Binary Planting” / Application DLL Load Hijacking

Acros, a Slovenian security firm last Thursday, published an advisory that identified what they call a “binary planting” flaw in iTunes. If a file type associated with iTunes is opened from a remote network share, iTunes will *ALSO* try to load one more specifically named DLLs from the share. Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.

DLL Search Order used by LoadLibrary(EX):
1. The directory from which the application loaded
2. The system directory
3. The 16-bit system directory
4. The Windows directory
5. The current working directory (CWD)
6. The directories that are listed in the PATH environment variable

Apple patched the problem in Windows iTunes last March with v9.1 From my own cursory examination using HDMoore’s Audit tool:
CorelDraw, Windows cscript & wscript scripting engines, Firefox, WinRAR, Wireshark.
MSFT: “Insecure Library Loading Could Allow Remote Code Execution”

http://www.microsoft.com/technet/security/advisory/2269637.mspx

http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx

http://support.microsoft.com/kb/2264107
Microsoft told UC Davis Ph D candidate/researcher:

Microsoft will not issue patches to fix the critical DLL (dynamic link library) flaw in multiple applications, but will instead address the
issue in future Windows and Office service packs.

Google-WiFi-Gate

In the US, the eight privacy-breach class action lawsuits have been consolidated into one and
that may be joined by five others. Google sued in Spain over data collection. NYT: Judge in Spain orders Google representative to appear before her. Meanwhile, for Germany, Google offers an “optout tool” for Street View, available for eight weeks.

Spanair’s 2008 crash which killed 154 of 172 people because take-off flaps and slats failed to extend as they should have, may have malware implications

Spanair’s Maintenance System was infected with malware, believed to have been spread
through a Flash Drive, which might have prevented it from alarming about the problem which,
had it done so, would have grounded the plane pending investigation. Internal Spanair documents pointed to “Trojans” causing its central computer — designed to monitor fault messages transmitted from the aircraft — to fail.

Windows 7 graphics-related kernel problems found (grumble)

Questions

Question [ 01 ] – Nick in New Brunswick, CANADA wonders about “The Math
behind Password Strength”

Hi Steve, love the show, and love the way you explain complex
issues. I was wondering if you could explain the math behind password
strength sometime and how bit-entropy relates. I have been doing a lot of
research and discovering more questions that need answering.

For example, when someone says, the NIST recommends a 128 bit
password… how is that calculated. I understand that bit entropy is
calculated by LOG2 of a base (where the base is number of possible
characters), and by multiplying that result with the number of characters in
the password you achieve a bit entropy length for the password. But is that
the same as stating “my password is x Bits long” ?

Question [ 02 ] – Joshua Backes in Shreveport, LA believes that he got “rebound”…

I believe that our Netgear router at my job, where I am the computer
tech, had fallen victim to this new type of attack! A few weeks ago our
computers started randomly redirecting to a few different websites as well
as a google-analytical.com/… and would not load the page intended. After
reinstalling windows on two machines, we discovered they began
redirecting within in a couple minutes. Our final resolution was to reset the
router to default … then the rest of the computers began working fine.

Question [ 03 ] – Thorarin Bjarnason in Vancouver, BC, Canada is concerned that:
“Michael McCollum’s Wikipedia page is being considered for deletion”

Hi Steve,

You pointed me towards the Gibraltar Series. I downloaded Gibraltar
Stars today and did a wiki search on the author, only to find his wiki page
being considered for deletion.

I think that Michael’s page should be kept, not only because I think
his Gibraltar series is great Sci Fi and worth note, but also because I think
his business model is interesting. He sells easily copyable PDFs directly to
consumers who can choose, rightly or wrongly, to distribute the digital
content immediately, and widely.

I think his trail-blazing methods of selling his wares is of potentially
more note than his literature, and this alone should justify his existence on
Wikipedia.

Perhaps you can help summon the security now army to keep his page
on wikipedia, and maybe the more literate among us can contribute to his
page.

Yours Truly,
Thorarin Bjarnason

Question [ 04 ] – Harold Kravatsky in Florida found a Windows LNK-Checker that
works with Widows 2000:

Steve,

I have w2k and I wanted protection from the .lnk exploit. Sophos had
a program but it only works with xp, Vista and win 7. I tried it and it would
not let me install on win2k.

I searched further and found a program from G Data that runs under
Windows 2000. After installing it I had to restart Windows 2000 to
complete the installation. The icons still look normal. Below is more info
from G Data.

Harold Kravatsky, Happy SpinRite customer

Question [ 05 ] – Toby Wilkins in Wales, United Kingdom rightly worries about the
new “Contactless Payment Systems”

Hello Steve,

I have some information you and security now listeners may be
interested in regarding a new “feature” my Bank in the United Kingdom is
rolling out to all its customers. Wireless credit card payments! (Barclays
bank is a very large bank chain in the UK.)

Today I received my new Barclays bank debit card. I Opened the
letter to find a small booklet boasting Barclays new “contactless” wireless
payment feature built in to the card. UH OH *Alarm Bells*.

The booklet claims payments of up to £15 (~$25) can be made from
any new “contact-less” enabled debit (credit?) card by simply holding it
close to a newly released reading device. NO PIN IS REQUIRED!

I called up the information number (freephone 0800 009 4220). The
polite lady confirmed the above and stated this feature is being rolled out
with all new Barclay cards.

I asked what was to stop a thief walking around a busy railway station
with a reader. Her defense was these devices are physically big, but
admitted she had never been asked this question before. We know that
readers are only going to get smaller and I’m sure its only a matter of time
before hackers rustle up a nifty little reading device to take advantage of
this. When asked, she did not know if the technology used RFID. (blackhat
& defcon spring to mind)

Okay, so only £15 will get taken. This adds up to a lot of money
when taken from hundreds of passers by in a public location. What happens
if a card is “pinged” or “virtually swiped” a number of times under the
counter while you pay? Even with manual swiping of cards, Signatures and
pin numbers; card fraud and “skimming” earns thief’s big bucks. Adding a
wireless, no pin “feature” is only going to make this game much easier for
the bad guys.

In the UK nearly all credit/debit card transactions take place by
inserting the card into a physical reader and typing your personal PIN
number in to the device. When I visit the united states, this does not seem
to be the system used. I have never understood why the US has not adopted
this system like we have in the UK.

I hope you found this information interesting. I’m a great fan of the
show. I recently graduated from university with a computer security degree
with a first class honours results. I am sure that listening to Security Now
was the reason for this great result.

Regards,
Toby

Question [ 06 ] – Antonio Lorusso in Swindon, UK has a thought about “Strict
Transport Security”

Hello Steve & Leo,

You spoke of one small problem with STS in that if a computer
connects to a fraudulent site, say a site trying to imitate PayPal.com before
it has connected to the real PayPal.com to receive the STS token the user
will not be protected. Here is one solution.

If I were operating an STS site I would ask for browsers that support
STS to come pre-installed with an STS token with a large expiry date for
my site. This would not even require browser manufacturers to take the
burden of verifying the validity of the request for a pre-installed STS token
simply by insisting that the request is digitally signed for the site requesting
the pre-installation of the STS token. Pre-installed STS tokens could also
be added or updated by browser updates.

The only theoretical fly in the ointment for pre-installed STS tokens
that I can see is that this requires that the provision of browser software and
browser updates be secure. However if browsers software is not being
provided in a secure manner we have more serious problems than the STS
system being compromised, but it would be something to bear in mind with
this pre-install system.

Question [ 07 ] – Thomas Crowe in Virginia Beach, VA worries about a “Self Denial
of Service attack on STS”

Steve,

First of all I want to say that I’ve been listening security now since
the very beginning, well maybe since episode 10 and quickly caught up.
Thanks for the great podcast!

After listening to your latest podcast number 262, Strict Transport
Security a second time, I started to think about enabling this on my own
web site. But I realized that I could easily shoot myself in the foot if I were
ever to decide not to keep up with my site’s SSL certificate.

Another troubling scenario in general would be: what if a domain
name changes ownership at some point? That domain would not be
accessible by someone who sells it unless they use SSL for the next 40
years or so (whatever the last STS token was set to).

It would make sense to somehow tie this to DNS, where the
ownership of control of the domain is actually implemented. It doesn’t
make nearly as much sense to put this in at the HTTP level — where it is
now.

I think the browser should somehow check against the DNS
expiration date or see if it was renewed. As it is now, it just seems to be a
temporary fix and not a real solution to the problem. Any thoughts to this?
Anyways, thanks for the show. I really enjoy listening every week!

Question [ 08 ] – Matt Bender in Madison, WI wonders about “Adoption Delay”…

Steve,

Every now and again when listening to Security Now! you make
(usually proud) reference to the fact that you’re still on XP, and not too long
ago we know that you were still using Windows 2000. So, like you, I’m
cautious about adopting new technology the minute it comes out so it can
get the bugs worked out. For example, I would never buy a new model line
of car the first year it comes out. From what I can remember, your
reasoning in not adopting the latest technology/OS is just that very reason,
it’s too new and the bugs need to be ironed out as well as possible security
implications.

But based upon your reasoning, if you’re still using XP, why have you
adopted the iPad? It’s a new technology running a relatively infant OS that
has some proven security flaws… I’m not bashing the iPad (or any
technology for that matter), in fact I really like it (I don’t have one
though…). I’m just wondering what your thought process is on adopting
new technology both for you personally and for use at “GRC”.

Take care and keep providing quality work!

Matt Bender

Question [ 09 ] – Steve in Florida worries that “STS will block the adminstration of
his router due to Linksys cert mismatch!”

Steve, great show on STS. I’ve been using it in NoScript for a long
time. BUT … whenever I log on to my router’s administration page, I get a
certificate mismatch error, essentially: “You are trying to connect to
192.168.1.1. However, the name on this certificate is Linksys… (etc.)” I
click past it, but from what you said, I wouldn’t be able to do that when
STS is fully implemented.

I have configured the router’s admin page to accept secure
connections only, to help prevent my wireless network being used by a bad
guy to mess with the router. It seems I’d have to disable that, allowing
insecure connections to the router, or else I’d never get past the certificate
mismatch.

Of course, the default password has been changed, but I’d still hate to
change the security settings on the router admin. Any thoughts?

Question [ 10 ] – David Jaundrew (pronounced John-Drew) in Victoria, BC, Canada
came up with an STS-based Denial of Service Scenario:

Hey Steve,

Great discussion on Strict Transport Security! I was very excited to
hear about this new security feature, though I thought of a scenario that
could allow STS to be incorrectly enabled for non-HTTPS sites using a
man in the middle attack:

– A Starbucks WIFI hacker sets up a man in the middle attack for a
user connecting to the open access point.

– The user attempts to connect to a site that does NOT have HTTPS
support (i.e. http://randomblog.example/) MANY don’t!

– The hacker intercepts the HTTP: request, returning a page that
redirects the user’s browser to httpS://randomblog.example/

– The user’s browser then attempts to connect via the HTTPS URL,
which is AGAIN intercepted by the man in the middle attack (likely using
on-the-fly self-signed certificates). The hacker now sends back an HTTPS
page with the STS header, thus enforcing and requiring the use of HTTPS
connections.

– The user clicks through the certificate warning, and the browser
reads the STS header, adding the site to its list of STS-enabled sites.

– The user is now no longer able to connect to
http://randomblog.example/ from ANY internet connection, as their
browser now requires an HTTPS connection, to which the server does not
support.

Now granted, the application for this is strictly a Denial of Service attack
on the individual user, as once STS is enabled, the browser would then be
forced to require proper certificate authentication for the intercepted site.
I suppose my two questions are:

– are the STS headers able to be initially sent when the site is using a
self-signed certificate?

– where has my logic failed me?

Thanks for the podcast, and congratulations on five years!

In their own words…

From: Google Buzz Team To: @Leo Laporte

Thanks for reporting this issue — and sorry we didn’t get to the bottom of it until today. You helped us uncover a very rare bug that has existed for a while, one that only someone with a ton of followers was likely to uncover.

Here’s what happened: If one of your followers deleted their Google Account (this probably happened around August 6th), Buzz failed to deliver your post to all of your followers. Your post still existed in your Buzz stream, it just wasn’t sent properly to the people who wanted to see it.

We’re in the process of fixing this bug now, and it should be resolved in the next day or two. We’re really sorry that you had this experience and really thankful that you reported it to us so we could fix it.

I’m happy to say the bug is fixed, I’m back on Buzz, and the lesson is learned. I’ll start content here on my blog, but push links to it to Buzz, Twitter, and Friendfeed. Any comments you post on those fora will be automagically piped back into my comments here (thanks to JS-Kit Echo). Best of both worlds.

And thanks to everyone on Buzz and at Google who put up with my tantrum!