SERIES: Security Now!
DATE: February 5, 2019
TITLE: 700 & Counting
HOSTS: Steve Gibson & Leo Laporte
DESCRIPTION: This week we discuss Chrome getting spell check for URLs; a bunch of Linux news with reasons to be sure you're patched up; some performance enhancements, updates, additions, and deletions from Chrome and Firefox; more Facebook nonsense; a bold move planned by the Japanese government; Ubiquiti routers again in trouble; a hopeful and welcome new initiative for the Chrome browser; a piece of errata; a quick SQRL update; and some follow-up thoughts about VPN connectivity.
SHOW TEASE: It's time for Security Now!. Steve Gibson is here. Lots to talk about, including new systemd vulnerabilities. Linux users, listen up. We'll also talk a little bit about Chrome, a new feature giving us URL spell checking, and why TLS 1.0 and 1.1 are soon to hit the highway. It's all coming up next on Security Now!.
LEO LAPORTE: This is Security Now! with Steve Gibson, Episode 700, recorded Tuesday, February 5th, 2019: 700 & Counting.
It's time for Security Now!, the show where we cover the latest developments in the world of security and privacy, help you understand how computing works, and have a little fun along the way with this guy right here, Steve Gibson. He's the commander in chief of the good ship Security Now!. Aye aye, sir. What you pointing - that is not the logo you want. Maybe this.
STEVE GIBSON: No, no.
LEO: You want an “L.”
STEVE: Yeah, but which hand do I use? I can never get that right.
LEO: I don't know. Yeah, it's very important. Sometimes it's an “L.” Sometimes it's backwards. Hey, Steve. You're no loser in my book.
LEO: You're number one.
STEVE: Well, thank you very much. Great to be with you again for, as I was saying before the podcast to you, I was tempted to title this one “The 700 Club”; but I thought, no, that's been taken. So let's just call this one “700 & Counting.”
LEO: The 700th episode.
STEVE: And as is sometimes the case, there was no one particular crazy thing that stood out. So we've got a bunch of stuff to talk about. We've got Chrome getting spell checking for URLs. That's what I call it. That's not what they call it. A bunch of Linux news with reasons to be sure, extra sure you're patched up to date. And some performance enhancements, updates, additions, and deletions from Chrome and Firefox. There's some more Facebook nonsense. And I have a theory about Facebook nonsense we'll talk about. Also a bold move planned by the Japanese government. I've not been listening to the network, so I don't know if you guys have been talking about this on other podcasts, but something big is in the works.
LEO: Yeah. We talked about it on TWiT, yeah. Thought it was very interesting. I'm glad you're going to bring it up, yeah.
STEVE: And also we've got Ubiquiti routers in trouble again, big trouble. A hopeful and welcome new initiative for the Chrome browser. A piece of errata, a quick SQRL update, and some follow-up thoughts about VPN connectivity. So I think I can promise another great podcast for our listeners.
LEO: Well, that ought to do her, I'll tell you what. Sounds like fun ahead with Steve. And of course our Picture of the Week is good. Steve?
STEVE: So we had two pictures this week. The first one I ran across just when doing some research I encountered a notice and a notification from Firefox that we've talked about in the past, but I had never seen it. I went to LinuxForums.org and got, what do they call it? I think they call it a “wall hanger” or something where it hangs down from - I've seen the term. Anyway, it says: “Have an account on this site? More than 200,000 accounts from LinuxForums were compromised in 2018.”
LEO: Wow. That's nice.
STEVE: Check Firefox - yeah, isn't that nice? So it's a proactive notification that where you're going has had a security compromise. I think I remember when we talked about this, like within the last year. So it's not like forever. But it's like, while it's relevant. And then you're able to click on “Check Firefox Monitor,” provide your email address, and I think it uses Troy Hunt's, I'm sure now that I remember, it uses Troy Hunt's Have I Been Pwned site. Troy provides an API that allows facilities like this to query his backend database. So it checks for you, given the email address, to see whether your address is on the Have I Been Pwned database and, if so, warns you. So just a very nice sort of closing-the-loop, proactive, hey, you know, in case you haven't been listening to Security Now! or you don't have an eidetic memory, we'll help you by saying, hey, remember when we talked about Linux forums being pwned? Well, maybe you should check your email address. So very cool.
LEO: Actually, I just wanted to mention that there is now a Chrome extension to do exactly the same thing. Did you know that this is Safer Internet Day?
STEVE: Oh. Well, what a happy coincidence.
LEO: Yeah, Happy Safer Internet Day.
STEVE: February 5th.
LEO: Yeah. So Chrome has added a password checkup extension. You have to install it, which I did immediately. And it will say, as mine does right now, none of the recent passwords you've entered were detected in a data breach. So it's a little bit different. It's not precise. It's actually looking at…
STEVE: Ah, nice.
LEO: And they make a big point about how they're using technology that they developed with Stanford University with the help of cryptography researchers to keep your privacy safe, you know, that passwords aren't getting sent to Google, that kind of thing. So I don't think they're using Have I Been Pwned, it sounds like. They probably have their own database.
STEVE: And is it a Google extension from…
LEO: Yes, oh, yeah, yeah, it's from Google. Yeah, yeah.
STEVE: Oh, interesting, yeah.
LEO: So you can do this in Google, as well.
STEVE: Well, and of course what's cool is that Google, if you have your Chrome browser saving your sites' passwords for you, then it's got a local database of the password. And sometimes your username will be your email address and so forth. So it would be able…
LEO: Now, I don't do that, of course, because I use LastPass.
LEO: But apparently it's still monitoring as you enter them, or as they get entered.
STEVE: Yeah, very nice.
LEO: And they do cross-account protection and stuff. So it's kind of cool, very cool, yeah.
STEVE: Well, and so the second picture that we have - I gave the first picture the title “Firefox Warned Me.” And so I titled the second one, “And So Did Chrome.” Although this was a different one, which is our first story.
LEO: I like this, though.
STEVE: Yes. Yes, yes, yes. This shows that paypai.com has been entered into the URL bar of Chrome. And there's a dropdown saying, “Did you mean to go to http://paypal.com?” I'm not sure why it didn't do https://.
LEO: Yeah, that's interesting.
STEVE: That's interesting. But so…
LEO: And it's a link, so you could click it, and you could say, oh, whoops, yes.
STEVE: Yup. That was a typo. I meant - exactly. So you click, and you go to the right place. Okay. So a bit of terminology first. Typo squatting, which is what this practice is of bad guys registering lookalike or typo, like P-A-Y-P-A-I dot com, and hoping that some percentage of people are going to type “I” rather than “L” and go there. And so what they'll do is they'll set up a fake-looking PayPal site and say, oh, you haven't used this machine, or you haven't registered before on this machine or, you know, one way or the other they will spoof you into getting you to give them your PayPal credentials, believing that that's where you are. And then you're in trouble.
So this so-called “typo squatting” is formerly known as an “IDN homograph attack,” IDN being International Domain Name. But typo squatting is a lot catchier. Similarly, although I think that URL spell checking is clear, Google calls their forthcoming technology “navigation suggestions for lookalike URLs.” I don't think that has a catchy abbreviation, NSFLU.
STEVE: NSFLU, yeah. So it's under active experimentation with the Canary release, which is at 70 now, in Chrome. And if all goes as planned, it will be appearing in mainstream release before long. You know, they like to sort of roll these things out incrementally, which is a good thing. Actually, we're going to be talking about Firefox here in a minute where they did something that they followed out that caused a whole bunch of unexpected problems. So it makes sense to have, as Firefox does, a nightly build channel.