Security Now
Security Now! | |
---|---|
File:Securitynow logo.gif | |
Presentation | |
Hosted by | Leo Laporte / Steve Gibson |
Genre | Computer security |
Updates | Weekly |
Publication | |
Original release | 19 August 2005 |
Security Now! is a weekly podcast (Internet radio show) hosted by Leo Laporte of this WEEK in TECH and Steve Gibson of Gibson Research Corporation (GRC). It is part of the TWiT.tv network [1], and the first episode was released on 19 August 2005.
Released each Thursday, Security Now! consists of a discussion between Gibson and Laporte of issues of computer security and, conversely, insecurity. Topics that have been covered include then-current security vulnerabilities, firewalls, password security, spyware, rootkits, Wi-Fi, virtual private networks (VPNs), and virtualization. In late 2005 and early 2006, the Windows Metafile vulnerability was also covered.
Podcast feed
Security Now! is distributed via its main podcast RSS feed (link) and on the GRC Security Now! page [2]. As with many podcasts, the audio is encoded in MP3 format, with higher quality (64 kilobits per second) and lower quality (16 kbit/s) versions available for listeners on low bandwidth connections (such as dial-up) or those with limited storage space.
Additional content
As part of GRC's section on the podcast, supplementary notes and transcripts of each show are available in plain text and PDF formats. Through Frappr, an online map is available for people to place a marker on, creating a geographical picture of where Security Now! listeners around the world live [3].
Listener feedback
Every fourth episode (referred to as the "mod 4 podcast"), Gibson and Laporte devote an episode to answering questions and responding to feedback provided by Security Now! listeners. This began on 1 December, 2005. The GRC web page has a feedback form allowing listeners to submit their comments and questions [4].
Popularity
In August 2006, Security Now! ranked fourth in the "Top 40" of all podcasts listened to via the PodNova service.[1] Security Now! averages around 100,000 downloads per episode throughout 2006. [2][3]
Episode list
Episode | Date | Episode name | Discussed | |
---|---|---|---|---|
1 | 19 August 2005 | As the Worm Turns | Zotob, one of the first worms of 2005. | |
2 | 25 August 2005 | HoneyMonkeys | Microsoft's Strider HoneyMonkey research project to find malicious and phishing web sites. | |
3 | 1 September 2005 | NAT Routers as Firewalls | Network address translation routers and how they can act as firewalls. | |
4 | 8 September 2005 | Personal Password Policy | Various ways of creating and using a personal password "algorithm" for Internet web sites. | |
5 | 15 September 2005 | Personal Password Policy — Part 2 | A wrap-up of the password topic with answers to listeners' questions. | |
6 | 22 September 2005 | Mechanical and Electromagnetic Information Leakage | How researchers at UC Berkeley were able to recover text typed at a keyboard through the sound made by the keys, and how CRT emissions can be used to snoop on users. [5] | |
7 | 29 September 2005 | "SPYaWAREness" | How and why Steve Gibson wrote one of the first spyware removal tools. | |
8 | 6 October 2005 | Denial of Service Attacks | How denial-of-service attacks are being used not only against large corporate sites but the average computer user also. | |
9 | 13 October 2005 | Rootkits | Rootkits, their use, detection and removal. | |
10 | 20 October 2005 | Open Wireless Access Points | The privacy and security concerns of "open" wireless access points. | |
11 | 27 October 2005 | Bad Wi-Fi Security | Some of the less secure Wi-Fi security methods, including WEP and MAC address filtering. | |
12 | 3 November 2005 | Sony's "Rootkit Technology" | Sony's XCP, the technology behind the 2005 Sony BMG CD copy protection scandal. | |
13 | 10 November 2005 | Unbreakable Wi-Fi Security | Wi-Fi Protected Access encryption on wireless networks and the various flavours of it. | |
14 | 17 November 2005 | Virtual Private Networks — Theory | The reasoning behind virtual private networks and how they can offer security for the average user. | |
15 | 24 November 2005 | Virtual Private Networks — Secure Tunneling Solutions | SSL and SSH used in conjunction with virtual private networks. | |
16 | 1 December 2005 | Listener Q&A #1 | Answers to questions sent in by Security Now! listeners. | |
17 | 10 December 2005 | PPTP and IPSec VPN Technology | Earlier VPN protocols and some of the difficulties in applying them. | |
18 | 15 December 2005 | Hamachi Rocks! | Hamachi — a zero-configuration VPN system. | |
19 | 22 December 2005 | VPNs — Part 3 | Hamachi, iPIG and OpenVPN systems compared. | |
20 | 29 December 2005 | Listener Q&A #2 | Listener questions and the first word on the Windows Metafile vulnerability. | |
- | 1 January 2006 | WMF special edition | A special short edition concerning the WMF vulnerability and a temporary hot-fix by software developer Ilfak Guilfanov. | |
21 | 5 January 2006 | The Windows Metafile vulnerability | Ilfak Guilfanov who makes a guest appearance and the impact of the WMF vulnerability. | |
22 | 12 January 2006 | The Windows Metafile backdoor? | Steve Gibson raises his concerns that the WMF vulnerability could be a backdoor inserted deliberately by Microsoft. | |
23 | 19 January 2006 | GRC's MouseTrap | Steve Gibson's MouseTrap utility to test Windows computers for the WMF vulnerability [6]. | |
24 | 26 January 2006 | Listener Q&A #3 | — | |
25 | 2 February 2006 | How the Internet Works — Part 1 | The fundamental technology behind the Internet. | |
26 | 9 February 2006 | How the Internet Works — Part 2 | The two main data protocols of the Internet: UDP and TCP. | |
27 | 16 February 2006 | How LANs Work — Part 1 | The operation of local area networks. | |
28 | 23 February 2006 | Listener Q&A #4 | — | |
29 | 2 March 2006 | Ethernet Insecurity | The flaws in Ethernet security and the phenomenon of ARP cache poisoning [7]. | |
30 | 9 March 2006 | Cryptographic Issues | The social and ethical implications of cryptography. | |
31 | 16 March 2006 | Symmetric Stream Ciphers | The use and security behind stream ciphers and early decoder rings. | |
32 | 23 March 2006 | Listener Q&A #5 | — | |
33 | 30 March 2006 | Symmetric Block Ciphers | The fundamentals of symmetric block ciphers. | |
34 | 6 April 2006 | Public Key Cryptography | Public key cryptography such as the Diffie-Hellman key exchange and RSA. | |
35 | 13 April 2006 | Cryptographic Hashes | How cryptographic hashes work and are used to verify the integrity of files and email. | |
36 | 20 April 2006 | Listener Q&A #6 | — | |
37 | 27 April 2006 | Primes and Certificates | Prime number generation, key recovery, and digital certificates. | |
38 | 4 May 2006 | Browser Security | The security of web browsers. | |
39 | 11 May 2006 | Buffer Overruns | How buffer overruns occur. | |
40 | 19 May 2006 | Listener Q&A #7 | — | |
41 | 26 May 2006 | TrueCrypt | Discussion of the open source file encryption program TrueCrypt. | |
42 | 01 June 2006 | NAT Traversal | Discussion of NAT routers and techniques for P2P programs to traverse them. | |
43 | 08 June 2006 | Open Ports | Open, closed, and stealth ports | |
44 | 15 June 2006 | Listener Q&A #8 | — | |
45 | 22 June 2006 | The Hosts File | The Hosts file, and its use in privacy and spyware applications | |
46 | 29 June 2006 | Router Logs | Steve discusses whether or not router logs are useful security information. | |
47 | 6 July 2006 | Internet Weaponry | Denial of Service Attacks and botnets. | |
48 | 13 July 2006 | Listener Q&A #9 | — | |
49 | 21 July 2006 | Netstat | Operation and use of netstat. | |
50 | 28 July 2006 | Intro to Virtualization | Virtual machine technology and its history. | |
51 | 4 August 2006 | Vista's Virgin Stack | Windows Vista's new network stack. | |
52 | 11 August 2006 | Security Bulletins | JavaScript exploits, eBay gaming and Hamachi's sale to LogMeIn | |
53 | 17 August 2006 | VMware | VMware Player and its Virtual Machine "appliances"; use of virtualization for sandboxing | |
54 | 24 August 2006 | Blue Pill | "Blue Pill" rootkit that takes advantage of next generation virtualization hardware support and is "completely undetectable". | |
55 | 31 August 2006 | Application Sandboxes | Lighter programs for virtualization, with focus on semi freeware-semi nagware ("just" one nag once a month) and crippleware (some "extra" features can be unlocked by paying) (Sandboxie. [8] | |
56 | 7 September 2006 | Listener Q&A #10 | — | |
57 | 14 September 2006 | Virtual PC versus VMware | Virtual PC review and why Steve thinks VMware is superior. | |
58 | 21 September 2006 | Two New Critical Windows Problems | Vulnerability in Vector Markup Language for IE and Windows 2000 NTFS file corruption bug. | |
59 | 28 September 2006 | Parallels | Steve and Leo closely examine the commercial multiplatform virtual machine offerings from Parallels, comparing them to VMware and Virtual PC. | |
60 | 05 October 2006 | Listener Q&A #11 | — | |
61 | 12 October 2006 | ISP Privacy and Security | Two new 0-day Internet Explorer vulnerabilities and the exploration of commonly expressed privacy and security concerns presented by the need to trust Internet Service Providers. | |
62 | 19 October 2006 | Internet Proxies | The entire range of applications for Internet proxies and proxy servers, as well as both the benefits and the potential security and privacy liabilities created by filtering and caching web and other Internet content. | |
63 | 26 October 2006 | MojoPac | MojoPac from RingCube Technologies. Steve tells all about what he found and what he believes it means now and in the future. | |
64 | 02 November 2006 | Listener Feedback Q&A #12 | — | |
65 | 09 November 2006 | Why Is Security So Difficult? | Leo and Steve discuss the difficulties of securing Windows. | |
66 | 16 November 2006 | Windows Vista Security | The new security features Microsoft has designed and built into their new version of Windows, Vista. | |
67 | 23 November 2006 | Kernel Patch Protection | Vista's Kernel Patch Protection (aka PatchGuard), its limitations, benefits, and real purpose. | |
68 | 30 November 2006 | Listener Feedback Q&A #13 | — | |
69 | 7 December 2006 | Internet Anonymity | Is there such a thing as anonymity on the Internet? How important is it? | |
70 | 14 December 2006 | Freenet and TOR | Two interesting implementations of Internet anonymization: The Freenet Project for anonymously storing and transmitting files, and Tor, "the onion router" which can anonymise Internet traffic. | |
71 | 21 December 2006 | SecurAble | SecurAble, Steve's latest freeware for analyzing processor support for x86-64, the NX bit and hardware virtualization. | |
72 | 28 December 2006 | Listener Feedback Q&A #14 | — | |
73 | 4 January 2007 | Digital Rights Management | The history of digital rights management and the technologies used to enforce it. | |
74 | 11 January 2007 | Peter Gutmann on Vista DRM | Peter Gutmann is a guest to discuss the Advanced Access Content System for protecting high-definition content in Windows Vista. | |
75 | 16 January 2007 | Vista DRM | Premium content protection features in Windows Vista. | |
76 | 23 January 2007 | Listener Feedback Q&A #15 | — | |
77 | 1 February 2007 | Microsoft Responds | Microsoft's response to Peter Gutmann's paper on Windows Vista's digital rights management. | |
78 | 8 February 2007 | Hardware DEP | How hardware data execution protection works, how to turn it on, and the possible pitfalls of using it. | |
79 | 15 February 2007 | Spambots | An explanation of how spambots work, and how one can ascertain the original source of spam. | |
80 | 22 February 2007 | Listener Feedback Q&A #16 | — | |
81 | 1 March 2007 | Hard Drive Unreliability | A discussion of the distressing results and implications of two recent very large studies of hard drive field failures. | |
82 | 8 March 2007 | Cyber Warfare | A discussion of the interesting topic of state-sponsored Cyber Warfare. | |
83 | 15 March 2007 | Vista's UAC | A closer look at Windows Vista's User Access Control. | |
84 | 22 March 2007 | Listener Feedback Q&A #17 | — | |
85 | 29 March 2007 | Cross Site Scripting and Jikto | A discussion of Jikto and the cross-site scripting flaws it looks for. | |
85A | 2 April 2007 | Special Edition: The Animated Cursor Vulnerability | Special edition to warn and inform listeners of a serious zero-day exploit that affects NT, XP, and Vista - even if fully patched. | |
86 | 5 April 2007 | Cross Site Scripting Part II | Updates on the Animated Cursor Vulnerability, a recommendation for security software from eEye, and how the Sony Reader works, plus an in depth discussion of scripting vulnerabilities. | |
87 | 13 April 2007 | SQL Injections | Another common attack vector in web software is the SQL injection. Steve explains what it is and how it happens. | |
88 | 19 April 2007 | Listener Feedback Q&A #18 | — | |
89 | 26 April 2007 | WEP Insecurity | An in depth look at the latest security problems regarding WEP. | |
90 | 3 May 2007 | Multifactor Authentication | Steve explains Multifactor Authentication. | |
91 | 10 May 2007 | Marc Maiffret of eEye Digital Security | Windows and Mac security, the coming threat from web applications and Blink. | |
92 | 18 May 2007 | Listener Feedback Q&A #19 | — | |
93 | 24 May 2007 | Software Patents | Steve and Leo discuss Software Patents. |
Windows Metafile vulnerability claims
In episode 22 of Security Now! in January 2006, Steve Gibson made an accusation[4] that Microsoft may have intentionally put a backdoor into the Windows Metafile processing code of the Windows 2000 and XP operating systems.
Gibson claimed that while reverse engineering the Windows Metafile format, he could only run arbitrary code if he used a "nonsensical" value in the metafile. His conclusion was that Microsoft had intentionally designed Windows in this way to allow them to use the feature as a backdoor to running code on Windows computers without the knowledge of the user.
Gibson's claim was refuted[5] by Stephen Toulouse of Microsoft in an MSDN blog posting on 13 January 2006, stating that Gibson's observations applied only to metafiles containing one data record, and that the behavior was not intentional.
References
- ^ "PodNova Top 40". PodNova. 2006. Retrieved 2007-01-12.
4. Security Now!
{{cite web}}
: Unknown parameter|month=
ignored (help) - ^ Leo Laporte (2006-07-19). "June Numbers". Leo Laporte's blog. TWiT.tv. Retrieved 2007-01-12.
Security Now: 103,034
- ^ Leo Laporte (2006-11-21). "October Numbers". Leo Laporte's blog. TWiT.tv. Retrieved 2007-01-12.
Security Now 61: 99,751
- ^ Steve Gibson (January, 2006). "Security Now!, Transcript of Episode #22". Security Now! podcast. Retrieved March 18.
{{cite web}}
: Check date values in:|accessdate=
and|year=
(help); Unknown parameter|accessyear=
ignored (|access-date=
suggested) (help); Unknown parameter|coauthors=
ignored (|author=
suggested) (help)CS1 maint: year (link) - ^ Stephen Toulouse (January, 2006). "Looking at the WMF issue, how did it get there?". Microsoft Security Response Center Blog. MSDN TechNet Blogs. Retrieved March 18.
{{cite web}}
: Check date values in:|accessdate=
and|year=
(help); Unknown parameter|accessyear=
ignored (|access-date=
suggested) (help)CS1 maint: year (link)