Leo Laporte
Live now: Security Now 218 with Steve Gibson, Q&A#77. http://live.twit.tv. Discuss here...
Security news... - Leo Laporte
Microsoft pushes biggest update yet on Patch Tuesday yesterday. http://www.microsoft.com/securit... - 13 patches on Oct 13 - Leo Laporte
Acrobat Reader 9.1.3 has an exploit. Adobe patched yesterday as well. http://searchsecurity.techtarget.com/news... with 29 updates (!) - Leo Laporte
Australian ISP, iiNet, is being sued by AFACT over not disconnecting subs when asked. http://torrentfreak.com/afact-v... - Leo Laporte
Errata... - Leo Laporte
From now on Steve will pronounce Mac OS X, OS Ten - Leo says he doesn't care. It's not our job to carry Apple's water. - Leo Laporte
Warning: Windows Security Essentials replaces your hosts.ini file! - Leo Laporte
Using a hosts file to make the internet not suck (as much) (thanks to Hartwell in chat): http://someonewhocares.org/hosts... - Leo Laporte
Question [ 01 ] - Andrew Branagan in Carteret NJ reports an Adobe "Patch Tuesday Headache"... Good (Wednesday) Morning, Steve, Just wanted to point out that even though Adobe DID release their quarterly update, they are not making it easy to distribute the update. They are dragging their feet on releasing a .msi package for version 9.2. When you go to their site and enter your information to get a distributable copy of the software, they send you a link which contains Version 9.0. Just thought you might be able to incorporate this into the security news today. Looking forward to the show. :) - Leo Laporte
Question [ 02 ] - Two Listeners had related questions: Patrick McAuley in Guelph (near Toronto), Canada has a Man-in-the-Middle Question: Hi, Steve. I'm not really a techie, but I have been listening to Security Now for a couple of years now and I've learned a lot about keeping myself safe online. Last week's show with Alex subbing for Leo was a great one, but a bit scary, as you revealed how someone can get between me and an apparently secure login screen to capture IDs, Passwords, etc. One thing that was not clear to me was whether this loophole only occurs if the man-in-the-middle has somehow gotten access to my LAN, or if it is a danger in any internet connection. Right now, I'm on your site from my home computer, connected to my router by cable. I don't think there's any way that someone can get access to this LAN, so am I safe? And further, if I use my notebook to connect to my router wirelessly using WPA encryption, am I safe there? Ted Lind in Woodstock, IL also had a "Broken SSL question"... I wanted to make sure I understood you correctly. The man in the middle attack you described requires the bad guy be on your local network. If I am using SSL to do a bank transaction and I am connected to my private network which uses WAP2 and one of your really long random passwords, it is my understanding this is still secure because the man in the middle cannot get through the router. Both my wired and wireless computers should not be vulnerable to this attack on my home network. Is this correct? Also if I am on a public network but the first thing I do is set up a connection with Hotspot VPN, is this also a secure way to do an SSL transaction? Love TWIT and Security Now. My car radio is constantly tuned to one of Leo's podcasts. I am also a SpinRite owner. - Leo Laporte
Question [ 03 ] - Jean-Matthieu BOURGEOT in Tarare, FRANCE had an interesting idea for securing public WiFi hotspots: Dear Steve and Leo, Listener from day 1, love the show, been learning soooooo much with you guys. Here is an idea for securing public WiFi hotspots that came to my mind (not sure if that would work): On public WiFi hotspots, users obviously do not need to have their computers be able to directly talk to each other just as if they were on an office LAN. But the fact is that all computers are on the same LAN, and are therefore prone to ARP spoofing, or OS exploit attacks, etc... If the WiFi hotspot's DHCP server was to assign IPs belonging to different subnets to every new computer (e.g. 192.168.0.10, 192.168.1.10, 192.168.2.10, 192.168.3.10, etc.), would this prevent many of the possible via-the-LAN attacks? Also, this solution would be very cheap to implement by just changing the DHCP server's behavior. - Leo Laporte
Late to the show, but Leo: did you happen to mention to Steve that you don't use anti-virus software on Windows? (re yesterday's MBW) - Ken Sheppardson
Question [ 04 ] - Jason Learmouth in Sydney Australia has some thoughts about the "Broken Browser Model" Hi Steve and Leo, I listened with great interest to your discussions on the state of play with secure browser sessions and the session hijack trojan that is out there stealing people's money. Steve, you mentioned in one of your listener feedbacks that the authentication needs to be moved closer to the transaction. While I agree that this would fix the problem for now, I expect it would only be a matter of time before the attackers moved closer to the transaction as well. Discrete applications were suggested as a way to offer a secure, connection based solution. Steve correctly pointed out that we have enough stuff installed on our computers already and the browser is very convenient. Could the browser run an application perhaps based on Java or some similar technology to provide the best of both worlds? I've seen some SSL VPN providers download a Java app when you want to create a tunnel to the network. I believe that Google uses this type of technology in its Docs product which offers very near real time document collaboration - there must be some two way traffic there beyond just HTTP??? What about Jungle disk? It encrypts before sending data to the cloud through an SSL tunnel. How does that avoid being vulnerable to attacks - or does it? Could a site offer a local application to the user that would handle all the security, authentication and encryption through its own persistent connection without requiring a local install? Love the show, happy to hear my name on the show if you feel like reading this on the show. Thanks, Jason - Leo Laporte
There's no place like 127.0.0.1 http://www.mvps.org/winhelp... I've been using it for so many years. - dstamand
Ken: Steve and I talk about this all the time. He doesn't use AV or security software either. - Leo Laporte
Neither does Bruce Schneier - Bruce doesn't even use a firewall, but I'm not that crazy. - Leo Laporte
Question [ 05 ] - Dale Willer in the Kansas City area asks about ARP Spoofing on a home network?... In episode 217 it wasn't clear if the ARP spoofing attack and the scenario presented in that episode is a threat on a home LAN behind a router. My first impression was that it was only a threat at public hot spots such as airports, Starbucks, etc. Later in the episode I wasn't so sure. Please clarify. Also, one way to protect against this at a public hot spot is to always use your VPN, if you have one. - Leo Laporte
Interesting. I always just install AVG free when I set up a new machine, but I don't think I've had my AV software flag a threat in the past... sheesh... 10 yrs or so... - Ken Sheppardson
Question [ 06 ] - John Clayton in Billings, Montana reports that Astaro has upgraded their free home-use licenses! Hi Steve and Leo, I know that Astaro is one of your longest and most loyal advertisers on the show, so I thought your listeners might be interested in this news: For the longest time I had used Astaro on an old PC as my home firewall using their free home user license. Unfortunately, with so many connected devices in the house I out-grew the 10-IP limit of the license and had to switch. I've never been nearly as satisfied with any other firewall solution as I was with Astaro. Fast forward to yesterday, when Astaro announced that it was raising the limit to a whopping 50 IP addresses for the home user license!!! This is more than enough to protect my home network, and is likely sufficient even for a larger family with even more devices! This is truly generous of Astaro; the restricted license was partly to deter businesses from using it for free, and most of the community was only expecting 20-25. I'm happy to say I'm back on Astaro, as there is simply nothing else that can touch it as far as power, features, and ease of use. Now it is even more accessible for your listeners to run in their own homes. Always love the show, keep up the good work! - Leo Laporte
Question [ 07 ] - Alan Goldstein in Franklin, Mass comments on our "Broken Browsers" Hi Steve, I'm a SpinRite owner and fan - it has saved me many times, including helping me get more than an extra year out of my Pentium 4 desktop - that's a great return on my $90 investment! This was a great episode and it made me think that both Internet Explorer and Firefox should do more to clearly indicate if the connection is secure with https. In the short term, my approach is to change all my more critical bookmarks to include https for those pages that support it, so I won't forget to try and get a secure connection. Perhaps we could suggest that someone "in the know" write a Firefox add-on that would highlight both the address bar and the status bar in green whenever you are securely connected. It's too easy to neglect looking for the "https" on every page. Top and bottom green bars would stand out and clearly show when you are at an https page or not, when there is no green bar. Unfortunately, the padlock indicator just does not sufficiently stand out. Keep up the great work and the great podcasts! Alan - Leo Laporte
I have a small business and have forms on my website that collect cc#s from customers. I've been using Wufoo forms. I create the forms on Wufoo and embed them with JavaScript code on my website. Wufoo claims that any info entered into their forms is 128-bit SSL encoded even if the page I'm embedding the form on is not using https:// .. I was wondering if Steve could comment on JavaScript embedded forms. - Jeremy Snavely
Interesting site for SSL security certificates: http://cert.startcom.org/ if you are poor as I am :-) - Erik Trolle
Brian Krebs says "don't bank with Windows": http://voices.washingtonpost.com/securit... - Leo Laporte
I bought an inexpensive godaddy SSL cert and it causes browser warnings in IE7. It works fine in every other browser but not IE7! - Jeremy Snavely
Tease: Microsoft ships its biggest update ever, Comcast has its eyes on you, and Steve answers your questions. - Leo Laporte
Enjoying the show from Georgia, having a pleasant day, and y'all - daveccorey
Hey Leo, are there any FriendFeed apps for iPhone that you know of? - daveccorey
Leo, what was Steve Gibson talking about in episode 218 regarding Security Essentials changing the hosts.ini file? I can't find any info on this and I have three computers that can't browse the web after installing it but can still resolve DNS, ping to the net and even get Windows updates. I'm pulling my hair out on this one and Security Essentials is the only thing they have in common. - Scott Fiduccia