Security Now 265

From The Official TWiT Wiki

Security Now 265: Your Questions, Steve's Answers #100

Fix-It for .dll hijacking, the danger from applications changing the working directory, the first successful 64-bit Windows rootkit, your questions, and more.

News & Errata

3:15 - 4:03

  • Safari has been updated to v5.0.2

4:04 - 14:39

  • Steve recommends going to Microsoft's site and getting this update to fix the "Microsoft Library Loading Could Allow Remote Execution" vulnerability
  • Once installed, you can choose from three settings:
    • 0 Changes nothing
    • 1 Blocks DLLs from loading from the current working directory if it is a WebDAV folder (the biggest concern)
    • 2 As above, plus any other remotely located shared folder (Microsoft and Steve recommend this)
  • Steve doesn't think this fix will break anything for anyone; he does worry about how people will learn that the fix exists

14:40 - 23:53

  • 64-bit Windows Anti-Rootkit protections have been bypassed
  • x64 systems:
    • Enforce digital signature checking
    • "PatchGuard" (Kernel Patch Protection) prevents kernel hooking
    • To bypass both the digital signature detection and kernel patch protection the rootkit is patching the hard drive's MBR to intercept Windows startup routines, own Windows, and load its driver.

Spinrite Story

23:54 - 28:35 Doug Johnson (Provo, Utah)

Spinrite fixed a broken server

Questions & Answers

31:56 - 01:17:06

Comment: [ 01 ]

31:56 - 36:20 Tom Sullivan (Indiana)
Listener Comment: There is nothing particularly difficult about the new Microsoft patch. You install the patch which enables the use of new registry entries to control the DLL search path system. Without the patch, the registry entry is not recognized.

After the system is patched, you can both globally restrict DLL searching, and also restrict it by application by using appropriate registry entries.

Few programs will actually *need* to get a DLL from the current directory, (as opposed to their own execution directory). For any that do, on startup, you simply would set the shortcut (*.lnk) to start in the directory wherein the program .exe is stored. So that's pretty simple. However, it is clear that if a program, like Adobe, changes its current directory, then it won't *need* to find DLLs from there.

Overall, this seems like a safe patch. I have set mine to 2 globally (most secure) and have had no problems on XP or Win 7.

Steve's Comment: You can also set the value to hex FFFFFFFF, which removes the current working directory from the default DLL search order entirely. Steve encourages people to get the update and set it to 2.
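An added audit script, not code from the episode or from Microsoft, for the setting discussed in the news section and in this comment: it reads the CWDIllegalInDllSearch value the update introduces, both the global one under Session Manager and any per-application overrides under Image File Execution Options, and maps each value to the meaning given above; the -SetGlobal switch writes the recommended value 2. It assumes the update is installed and that PowerShell is running elevated.

```powershell
# Added example (not from the episode or Microsoft). Audits the
# CWDIllegalInDllSearch DWORD that the update introduces: the global value
# under Session Manager plus any per-application overrides under IFEO.
# Assumes the update is installed; run from an elevated PowerShell.
param([switch]$SetGlobal)   # -SetGlobal writes the recommended value 2

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$Name = 'CWDIllegalInDllSearch'

# Registry DWORDs come back as signed Int32, so 0xFFFFFFFF reads as -1; normalise to unsigned.
function Get-CwdSetting([string]$Path) {
    $raw = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $raw) { return $null }
    $v = [int64]$raw
    if ($v -lt 0) { $v += 4294967296 }
    return $v
}

# Map each value to the behaviour described in the show notes.
function Describe-CwdSetting($Value) {
    if ($null -eq $Value) { return 'not set: the current working directory is still searched for DLLs' }
    switch ($Value) {
        0          { '0: no change, CWD still searched' }
        1          { '1: CWD skipped when it is a WebDAV folder' }
        2          { '2: CWD skipped when it is WebDAV or any remote share (recommended)' }
        4294967295 { '0xFFFFFFFF: CWD removed from the DLL search order entirely' }
        default    { "$Value: unrecognised value" }
    }
}

if ($SetGlobal) {
    New-ItemProperty -Path $SessionManager -Name $Name -Value 2 -PropertyType DWord -Force | Out-Null
}
'Global setting: {0}' -f (Describe-CwdSetting (Get-CwdSetting $SessionManager))

# Per-application overrides (e.g. a program set back to 0 because it really needs CWD loading).
Get-ChildItem -Path $Ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $v = Get-CwdSetting -Path $_.PSPath
    if ($null -ne $v) { '{0,-30} {1}' -f $_.PSChildName, (Describe-CwdSetting $v) }
}
```

A per-application entry that reads 0 while the global value is 2 is exactly the exception the listener describes for a program that genuinely loads DLLs from its working directory.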

Comment: [ 02 ]

36:21 - 45:45 Steve (Florida)
Listener Comment: Hey Steve, thanks for featuring my question (Steve in Florida) about the certificate mismatch between my router admin page's gateway address,, and the certificate, issued to Linksys, which generated a standard name-mismatch warning.

The certificate is indeed self-signed, by Cisco-Linksys LLC, but issued simply to "Linksys", as shown on the mismatch warning.

I did as you suggested - went into the HOSTS file and just mapped "Linksys" to And it worked like a charm! Now I just type https://linksys, no more mismatch warning, the password prompt pops up, and I'm in!

Fortunately, the URL "linksys" by itself doesn't go anywhere. However, if you just type "", or, you get redirected to Cisco's home page. No conflict here; just leave off the .com when you want to access your own router.

As for Leo's and your questions about the connection itself, yes, of course the laptop is WPA2-secured, with a strong password. The choice of https-only for the router admin page is partly defense-in-depth, and partly because sometimes when you're messing around with things in there, you may have to restore the default settings, or disable encryption momentarily, and it would be just my luck to have a bad guy listening in at that very moment. Trust No One.

So I recommend that all super-paranoid people set their router admin pages to "Accept Secure Connections Only", now that you've solved the certificate mismatch problem. (You might have to give a quick refresher on how to do the HOSTS remapping.)

Listener Comment: The hosts file is the first place the computer looks when you type in a domain name

Question: [ 03 ]

45:46 - 48:41 Brandon Ivy (San Jose, CA)
Question: In order to gain internet access at the college I attend, the first requirement is that every student install a custom certificate. Is this certificate a sure sign that the higher-ups are seeing everyone's passwords to PayPal, banks, and the like?

Answer: Steve thinks it's probably being done for a benign reason: the college most likely wants to use it for filtering which sites you visit. It does, however, mean that the college can decrypt your SSL traffic. You can verify what they are doing by checking who signed the SSL certificate for a given site.

Question: [ 04 ]

48:42 - 53:11 David (Utah)
Question: We got Net Nanny because my wife wants to help the whole family not be exposed to pornography. I didn't realize it for a while, but after installing it, I have discovered that IT is the one issuing all the certs whether I connect to my bank ... or

Should I be worried that ContentWatch, Inc. can see all my bank data and probably lastpass passwords?

Answer: It is possible for them to look at your SSL traffic if they are the ones issuing the certificates.
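As an added example (not from the episode), here is one way to do the check Steve describes for both questions 03 and 04: fetch the certificate each site actually presents to this machine and compare the issuers. Unrelated sites whose certificates all come from one issuer point to a local filter re-signing SSL traffic. The site list is an assumption; replace it with sites you use.

```powershell
# Added example (not from the episode). Shows who issued the certificate each
# site actually presents to this machine. Unrelated sites sharing one issuer
# is the signature of a filter (college proxy, Net Nanny) re-signing SSL.
# Assumes outbound TCP 443 is reachable; the host names are illustrative.
param([string[]]$Sites = @('www.paypal.com', 'www.google.com', 'www.mozilla.org'))

function Get-PresentedCert([string]$Site) {
    $tcp = New-Object System.Net.Sockets.TcpClient($Site, 443)
    $ssl = $null
    try {
        # Accept any chain here: the point is to SEE the interposed issuer, not to reject it.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Site)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Site       = $Site
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            Thumbprint = $cert.Thumbprint
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

$results = foreach ($s in $Sites) { Get-PresentedCert $s }
$results | Format-Table Site, Issuer -AutoSize

# Distinct public sites normally chain to different CAs; one issuer for all of them
# means the certificate you see was minted locally, as in the Net Nanny case.
$issuers = @($results.Issuer | Sort-Object -Unique)
if ($results.Count -gt 1 -and $issuers.Count -eq 1) {
    Write-Warning "Every site's certificate was issued by '$($issuers[0])': something on this machine or network is re-signing SSL."
} else {
    'Issuers differ per site; no sign of a single interposed CA.'
}
```

Compare the Issuer column with what the same sites show from a network you control; the interposed name (ContentWatch in question 04) will appear only on the filtered machine.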

Comment: [ 05 ]

53:12 - 01:01:31 Philip Le Riche (Unknown)
Listener Comment: I think you should put Leo right on the von Neumann architecture as the root of all evil. Without it, it would be impossible to write a general purpose operating system. After all, how could you ever compile a program or load it into memory for execution, except by treating it temporarily as data?

The Manchester architecture, with its separate instruction and data address spaces, is fine for single-task computers such as microcontrollers and embedded systems, but isn't much use for general purpose computing.

The Big Mistake was probably on the part of Microsoft. The x86 architecture does provide you with a virtual Manchester architecture in user space, having separate code, data and stack segments and no means of writing to the code segment or executing instructions from the data or stack segments. But as far as I can tell, the execution model used by Windows throws that advantage away by making the three segments coincident!

Steve's Comment: It is not true that you couldn't write a general purpose operating system using the Manchester architecture. The Manchester architecture physically separates instructions from data, so even if an instruction referred to the same address as data, it would be referring to a separate bank of memory. This is more secure, yes, but it doesn't solve the world's security problems.

Question: [ 06 ]

01:01:32 - 01:06:33 Anon (Unknown)
Question: You mentioned that the STS tokens do not transmit anything; however, anyone who has access to the machine locally could view a user's list of STS tokens and deduce from the very recent tokens which websites a user visits. This could be used to determine things such as what bank a person uses in order to target an attack.

While a minor issue, is there a way to conceal from others what STS tokens are present?

Further, in your last Q&A someone mentioned a "self denial-of-service" attack. What prevents a random website from issuing a forged token for another website thereby doing a denial-of-service to that domain?

Answer: STS doesn't try to prevent the problems you are describing.

Question: [ 07 ]

01:06:34 - 01:09:19 Craig (California)
Question: So why are MAC addresses not a big concern or factor of privacy or security?

Answer: No one on the internet can determine your MAC address, unless you are using Windows file sharing.

Question: [ 08 ]

01:09:20 - 01:14:30 Ronald Wilson (Upstate New York)
Question: I'd like a utility that alerts me when a web site polls my browser for data (if that's even possible). Is something like this possible? Perhaps even a 'browser info firewall' that'll block the information from being returned, or randomize it?

Answer: The problem is that there are legitimate reasons for a website to ask for data like this. You could use a Linux live CD, as lots of people would then have the same configuration.

Question: [ 09 ]

01:14:31 - 01:17:06 Richard (Unknown)
Question: Have you ever looked at OAuth? It would be a great topic for Security Now.

Answer: This is the topic for next week.


Carbonite Pro

  • - no other code or promo
  • CarbPro #2
  • Ad Times: 0:59-1:15 and 28:42-31:41

External links

Production Information

  • Edited by: Tony
  • Notes:
This area is for use by TWiT staff only. Please do not add or edit any content within this section.