Security Now 263

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 263

Security Now 263: Your Questions, Steve's Answers #99

News & Errata

2:57 - 4:16

  • Adobe released a patch for Reader and Acrobat to fix several security vulnerabilities

4:17 - 5:37

  • Google Chrome has been updated to v5.0.375.127
  • 10 security fixes in total
  • 2 critical
  • 6 high risk
  • Google has not publicly announced what the flaws are though

5:38 - 8:41

  • Apple has updated OS X
  • Lots of security fixes

12:35 - 31:20

  • In the past there have been various ways of malware exploiting the order in which windows searches the hard drive for pieces of applications that are loading
  • When a application runs Windows looks for what DLL's are needed in this order
    • 1. The directory from which the application loaded
    • 2. The system directory
    • 3. The 16-bit system directory
    • 4. The Windows directory
    • 5. The current working directory (CWD)
    • 6. The directories that are listed in the PATH environment variable
  • Bad guys try to plant malicious DLL's with the same name as a real DLL upstream of the real DLL in the search order so there code will be executed
  • Acros, a Slovenian security firm last Thursday, published an advisory that identified what they call a “binary planting” flaw in iTunes.
  • If a file type associated with iTunes is opened from a remote network share, iTunes will *ALSO* try to load one more specifically named DLLs from the share.
  • Even if the file that the user opened is completely safe, a malicious DLL can be supplied that will lead to code execution.
  • Apple fixed this but another 40 applications which they tested also have this flaw
  • HD Moore a security researcher created a Audit tool so you can test your own system for this vulnerability
  • STEVE DOES NOT RECOMMEND RUNNING THIS
  • Microsofts page on this issue
  • They say "Microsoft will not issue patches to fix the critical DLL (dynamic link library) flaw in multiple applications, but will instead address the

issue in future Windows and Office service packs."

  • Steve comments that they cant fix it as doing so involves changing the order in which DLL's are found and this would break a lot of things
  • It is up to the individual software developers to fix there own application
  • There is a patch on that page to block the most serious exploits based on this vulnerability
  • Steve doesn't like it however

31:21 - 33:16

  • A privacy group in Spain has sued Google over there collection of data from open wifi hotspots
  • Germany has received a new tool from Google to allow people to opt out of street view showing their home

33:17 - 35:15

  • SpanAirs 2008 plane crash which killed 54 people was apparently not the fault of malware
  • But the fault of a reporting system which should have notified authorities in time
  • This plane had a problem where the take off flaps and slats had failed to extend on 3 previous instances
  • Malware which had infested the reporting system caused it to fail to report this problem
  • Had the malware not been presented its believed the notification would have been logged and noticed in time resulting in the grounding of the plane so it could be fixed

35:16 - 38:38

  • Two graphics related kernel problems exist in Windows 7

Spinrite Story

38:39 - 40:02

Spinrite fixed a broken hard drive

Questions & Answers

40:51 - 01:22:44

Question: [ 01 ]

40:51 - 47:25 Nick (New Brunswick, Canada)
Question: I was wondering if you could explain the math behind password strength sometime and how bit-entropy relates. I have been doing a lot of research and discovering more questions that need answering.


For example, when someone says, the NIST recommends a 128 bit password… how is that calculated. I understand that bit entropy is calculated by LOG2 of a base (where the base is number of possible characters), and by multiplying that result with the number of characters in the password you achieve a bit entropy length for the password. But is that the same as stating “my password is x Bits long” ?

Answer: Say we had an alphabet of just two characters (1 and 0) then its clear that the number of possible passwords made with that alphabet is 2 ^ (of the number of characters in the password)

So if we had a two character password thats two bits and there bits because the alphabet from which we formed the password is only 0 or 1.

Then there are 4 possible combinations

In a normal password the alphabet is much greater than 2

64 is the number of possible combinations of 6 binary bits that is 2^6 = 64

So a 1 character password with an alphabet of 64 characters has an entropy of 6 bits because theres 64 possible passwords and 6 binary bits gives us 64

Similarly if we had a 2 character password with this alphabet we get 12 bits of password strength

Comment: [ 02 ]

47:26 - 49:35 Joshua Backes (Shreveport, LA)
Listener Comment: I believe that our Netgear router at my job, where I am the computer tech, had fallen victim to this new type of attack! A few weeks ago our computers started randomly redirecting to a few different websites as well as a google-analytical.com/… and would not load the page intended. After reinstalling windows on two machines, we discovered they began redirecting within in a couple minutes. Our final resolution was to reset the router to default … then the rest of the computers began working fine.

Steve's Comment: It sounds like something reconfigured the router and a DNS rebinding attack would do this

Question: [ 03 ]

49:36 - 53:58 Thorarin Bjarnason (Vancouver, BC, Canada)
Question: Michael McCollum’s Wikipedia page is being considered for deletion. Perhaps you can help summon the security now army to keep his page on wikipedia, and maybe the more literate among us can contribute to his page.

Answer: You have to way in, in a responsible informed manner

Comment: [ 04 ]

53:59 - 55:37 Harold Kravatsky (Florida)
Listener Comment: I found a program from G Data that runs under Windows 2000 and protects against the .lnk vulnerability .

Steve's Comment: This is good news

Comment: [ 05 ]

55:38 - 01:02:25 Toby Wilkins (Wales, United Kingdom)
Listener Comment: I'm worried about contact less debit cards from Barclays bank. You dont have to enter a pin for payments less than £15, just hold the card near the reader

Steve's Comment: Steve is flabbergasted by this, "This is the dumbest thing I've ever heard of in my life"

Comment: [ 06 ]

01:02:26 - 01:05:40 Antonio Lorusso (Swindon, UK)
Listener Comment: If I were operating an STS site I would ask for browsers that support STS to come pre-installed with an STS token with a large expiry date for my site. This would not even require browser manufacturers to take the burden of verifying the validity of the request for a pre-installed STS token simply by insisting that the request is digitally signed for the site requesting the pre-installation of the STS token. Pre-installed STS tokens could also be added or updated by browser updates.

The only theoretical fly in the ointment for pre-installed STS tokens that I can see is that this requires that the provision of browser software and browser updates be secure. However if browsers software is not being provided in a secure manner we have more serious problems than the STS system being compromised, but it would be something to bear in mind with this pre-install system.

Steve's Comment: Google Chrome does this

Comment: [ 07 ]

01:05:41 - 01:10:24 Thomas Crowe (Virginia Beach, VA)
Listener Comment: After listening to your latest podcast number 262, Strict Transport Security a second time, I started to think about enabling this on my own web site. But I realized that I could easily shoot myself in the foot if I were ever to decide not to keep up with my site’s SSL certificate.

Another troubling scenario in general would be: what if a domain name changes ownership at some point? That domain would not be accessible by someone who sells it unless they use SSL for the next 40 years or so (whatever the last STS token was set to).

It would make sense to somehow tie this to DNS, where the ownership of control of the domain is actually implemented. It doesn’t make nearly as much sense to put this in at the HTTP level — where it is now.

I think the browser should somehow check against the DNS expiration date or see if it was renewed. As it is now, it just seems to be a temporary fix and not a real solution to the problem.

Steve's Comment: This is already in discussion but the problem is DNS is not secure. DNS Sec should address this though

Question: [ 08 ]

01:10:25 - 01:13:30 Matt Bender (Madison, WI)
Question: You talk about still using Windows XP as you want to wait for the issues in newer operating systems to be ironed out. However you have a iPad how come ? I’m just wondering what your thought process is on adopting new technology both for you personally and for use at “GRC”.

Answer: For Steve the iPad and Kindle are appliances. They are like a island and if anything goes wrong with them it isn't going to spread to his main work computers

Question: [ 09 ]

01:13:31 - 01:17:57 Steve (Florida)
Question: whenever I log on to my router’s administration page, I get a certificate mismatch error, essentially: “You are trying to connect to 192.168.1.1. However, the name on this certificate is Linksys… (etc.)” I click past it, but from what you said, I wouldn’t be able to do that when STS is fully implemented.

I have configured the router’s admin page to accept secure connections only, to help prevent my wireless network being used by a bad guy to mess with the router. It seems I’d have to disable that, allowing insecure connections to the router, or else I’d never get past the certificate mismatch.

Of course, the default password has been changed, but I’d still hate to change the security settings on the router admin. Any thoughts?

Answer: What have you gained by using a SSL connection to your router ? You cant have everything. Put the name on your routers certificate in your hosts file and map it to 192.168.1.1 . This will fix any errors

Question: [ 10 ]

01:17:58 - 01:22:44 David Jaundrew (Victoria, BC, Canada)
Question: I thought of a scenario that could allow STS to be incorrectly enabled for non-HTTPS sites using a man in the middle attack:

  • A Starbucks WIFI hacker sets up a man in the middle attack for a user connecting to the open access point.
  • The user’s browser then attempts to connect via the HTTPS URL,which is AGAIN intercepted by the man in the middle attack (likely using on-the-fly self-signed certificates). The hacker now sends back an HTTPS page with the STS header, thus enforcing and requiring the use of HTTPS connections.
  • The user clicks through the certificate warning, and the browser reads the STS header, adding the site to its list of STS-enabled sites.
  • The user is now no longer able to connect to http://randomblog.example/ from ANY internet connection, as their browser now requires an HTTPS connection, to which the server does not support.

Now granted, the application for this is strictly a Denial of Service attack on the individual user, as once STS is enabled, the browser would then be forced to require proper certificate authentication for the intercepted site. I suppose my two questions are:

  • are the STS headers able to be initially sent when the site is using a

self-signed certificate?

  • where has my logic failed me?

Answer: No STS header will be accepted if there is any deviation from a perfect SSL connection like expired or self signed certificates

Sponsors

GoToMeeting

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.