Security Now 267

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 267

Security Now 267: Your Questions, Steve's Answers #101

Security Updates

3:35 - 5:20

  • Adobe Flash has been updated to fix its 0-day vulnerability
  • Adobe Reader still has a unpatched 0 day vulnerability
  • Adobe say it will be patched the week of October 4th 2010

Security News

5:21 - 8:38

  • Major Microsoft ASP.NET problem:
    • Microsoft confirms that "millions of web sites" are vulnerable.
    • ASP.NET's server-side cryptography can be probed by sending ciphertext back to the server and examining differences in the returned error code to learn what the server thought about what was sent.
    • By sending many such requests, the system's crypto can be cracked to expose usernames, passwords and other data protected by the server.
    • The temporary workaround is to force EVERY error message to be the same so that the attacker cannot learn anything from probing the system.

8:39 - 11:01

  • Intel has confirmed that the HDCP master key has been leaked
  • Video content "in flight" can be decrypted with custom hardware

11:02 - 14:16

  • Twitter "OnMouseover" XSS flaw
  • Pearce Delphin, a 17 year old Australian schoolboy who a few weeks short of high school graduation, innocently tweeted a piece of javascript code using "OnMouseover" to bring up a pop-up window.
  • He realised that you could put javascript in a tweet and Twitter doesn't filter it out
  • Hackers quickly grabbed the idea to send users to porn sites and create "worm" tweets that replicated every time they were read.
  • Twitter fixed it within 5 hours

14:17 - 16:50

  • Google is going to start offering 2 factor authentication
  • Currently its only for: Google Apps Premiere, Education & Government
  • Its coming to Standard Edition coming soon
  • You can have Google text you a one time password that you have to use to authenticate

16:51 - 18:42

  • Steve keeps seeing and reading good things about IE9
  • The security of IE really is getting better and better

Errata

18:43 - 19:26

  • Mozilla Firefox went to v3.6.10 and v3.5.15 to fix a crash on start up some users were having with the previous versions

19:27 - 21:39

  • A researcher has created a cookie called "The Evercookie"
  • The idea is that you cant get rid of it no matter what you do
  • Steve believes hes been very clever and will discuss it in the future

Spinrite Story

21:40 - 28:59 Steve Morton (Unknown)

Spinrite fixed a broken hard drive

Questions & Answers

31:55 - 01:14:35

Question [ 01 ] - Vincent Ragosta in Pittsburgh, PA had a follow up question about Strict Transport Security:

31:55 - 35:30
Question: Will STS prevent an SSLStrip attack from being successful ?

Answer Yes

Question [ 02 ] - Brett in South Africa wonders about the Verisign VIP Token for iOS:

43:21 - 47:42
Question: Steve, I was wondering whether you had seen VeriSign's "VIP Access" for the iPhone, iPod Touch and now the iPad? It's free, but is it the real deal ?

Answer Its time based like the 'football' and is the real deal

Question [ 03 ] - Gerry Rachar in Victoria, BC, Canada wonders about Trusteer Rapport?

35:31 - 40:03
Question: I am an IT professional and have a client who recently asked me what I know about Trusteer Rapport? I have not given a reply yet, however it looks like an additional product you install to block a key logger when going to a protected site, mostly banks. When looking on line I found a site in England that was producing movies showing successfully blocking key loggers. I went to some sites that had videos of key loggers getting through the protection, however all these videos had been taken down. It seems any dissent about this product is not taken well by the company, I could be wrong on this. I guess my question is, don't you have to log keystrokes to block them? What are they doing with this data? Does it work if a key logger is already infecting the computer?

Answer Its not necessary to log keystrokes to block them. There is malware which is aware of this product and works around it. Steve give it his seal of approval.

Question [ 04 ] - John Moehrke, who writes a Healthcare Security & Privacy Blog, wonders about OAuth Terminology:

40:04 - 43:20
Question: From a terminology standpoint, does OAuth provide Authentication, Authorization, Permissions, Credentials? These terms were used too interchangeably for me to understand what it is that OAuth provides ?

Answer OAuth provides a way for a user to allow a third party service to act on their behalf without providing them with your password


Question [ 05 ] - John Fecko in Cape Coral, Florida wonders about "Client Side Security"

47:43 - 52:22
Question: My current project will eventually involve an iPhone and Android app, as is required in this day and age. These apps will need to retrieve information from my database, but after listening to your discussion last week, I'm not sure how I can do that securely. Any key that I put into my app is vulnerable. Since ultimate security isn't possible, is there a more secure option. Possibly a key that programatically changes, similar to a garage door opener?

Answer Assume the foetal position, your app can be reverse engineered. The only thing to do is issue each app its own authentication key so you can deauthorise it if necessary

Question [ 06 ] - Joe, listening from somewhere in the U.S. had a further thought about OAuth:

52:23 - 57:43
Question: Steve... Why are people using OAuth on the desktop???

Shouldn't desktop apps just work via some API of their own to their own website, then any use of OAuth ought to work in the same way as on web!

I.e. the Seesmic App wouldn't need to store OAuth tokens locally if it just communicated with Seesmic.com. Then the OAuth token stored at Seesmic.com isn't susceptible to the desktop vulnerabilities you mention in the podcast, right? What am I missing here?

Answer' This doesn't work. You've just moved the problem the bad guys just pretend to be the app and talk to the website

Comment [ 07 ] - Dan Malone, California Polytechnic State University: Response from Cal Poly to SN-265 Question #3...

57:44 - 01:03:50
Listener Comment: I am responding to Brandon's question about whether or not his college is spying on him (SN-265 Question #3).


I work for the central Information Technology Services (ITS) organization for California Polytechnic State University, San Luis Obispo (Cal Poly SLO) and I have been listening and/or viewing since the TechTV days.


I was surprised when I heard about the Cal Poly requirement to install a custom certificate. After a little bit of searching around, I found the reference to installing a root CA certificate on our on-campus residential network (ResNet) web site.


As you surmised, the root CA certificate route was a benign choice, in this case for both cost savings and technical reasons. In the ResNet network, Cisco Clean Access (CCA) is used for, among other reasons, authenticating network access. Since credentials are sent to the CCA appliances, they need to be protected with SSL. This is where the cost was an issue because there are many CCA appliances to support the network of over 6000 students living in on-campus housing, each requiring its own certificate. The technical issue has to do with the certificate format required by the CCA appliance and difficulty of converting the format of previously purchased SSL certificates.


Even though this cannot meet the TNO (Trust No One) model, I can say that the root CA certificate is used ONLY for creating SSL certificates for the CCA appliances and a few ResNet support web sites. While Cal Poly is using other technology for "bandwidth shaping" (more details here: http://resnet.calpoly.edu/networksecinfo.html ), these methods do not include decryption of SSL traffic.


We do understand the concerns with installing the root CA certificate from a user perspective, and we will work together to resolve the issues and move away from that model. We discussed implementing the changes over the weekend; however, timing was not good. 6000+ students were moving in, so we agreed instead to implement the changes during the fall term.


On the other hand, timing was good, since now the ResNet staff know of the issue and our plan to address it and are able to answer questions from our many tech-savvy students (and parents) who may be listening to Security Now. We will be meeting this week to go over options that will provide a significant cost savings. Cal Poly, and the California State University (CSU) system, are members of Internet2 (www.internet2.edu) and the InCommon Federation (http://www.incommonfederation.org/). The InCommon Federation now offers members unlimited server and personal certificates for a flat rate. Cost of purchasing SSL certificates will no longer be an issue.


To address the technical issues, we will work with our central Network Administration group to see how they resolved the issues with the CCA appliances they use for our wireless network. We are doing a lot of great work with identity management in the InCommon Federation, maybe the topic of a future Security Now? I'd be more than willing to discuss these further with you. Thanks for the netcast,


Dan Malone Lead Identity Management Architect Information Technology Services Cal Poly


Steve's Comment: This explains what there doing

Question [ 08 ] - Steve in State College, PA really "gets it" about Net Nanny...

01:03:51 - 01:08:05
Question: During the last Q&A, you mentioned that Net Nanny installs itself as a root certificate authority. This begs the question - Does the software generate a different root certificate for each user of the software? It seems much more likely that they just install their own common CA cert that's bundled in with their software.


But... if everyone is sharing the same one, wouldn't it be possible for a malicious party to install Net Nanny on their own computer, then capture the certificates it delivers to their browser when they browse to well-known sites such as BankOfAmerica.com ... and then re-use them on phishing sites?


To any user of Net Nanny, there would be no certificate trust flags raised by such a site, and anyone else going there would see a certificate signed by The Net Nanny/ContentWatch root instead of a self signed cert.


Answer: You are right and this is why you don't want to install more root certificate authorities than necessary

Question [ 09 ] - JR Hallman in Ohio was inspired by "The Portable Dog Killer" lesson...

01:08:06 - 01:12:44
Listener Comment:After listening to Security Now 248: "The Portable Dog Killer" episode, and with everyone talking about data encryption, I starting thinking about making my own site for storing text encrypted.


I knew basic HTML and some PHP, but not how to make a complex site with a Login system and Data Storage and Encryption.


So, following your example, I opened Firefox went to http://www.w3schools.com/, and started reading.. and then opened Notepad and started writing.


I have been working on the site almost from the time Security Now 248 was made. I have been doing a lot of problem solving to make it secure and have learned so much from the work I have done on it. Here is the site:


https://www.cryptscript.com/


It's not completely finished, yet, but its getting there. The server it's running on is running with six 10k RPM SCSI Drives in raid 10 for redundancy.


Here is a little more info about me: I am 17 and computers are my hobby. The first computer I had, had 4MB of ram and the CPU I think was 75Mhz and had a 400MB HD and was running Dos and I installed windows 3.1. Today, my main desktop now has 8GB of DDR3 and a AMD Phenom II 955 running at 3.6GHz and 1.5TB of HD Space and I installed windows 7 on it. I like to keep my computers very clean and secure. So I run almost everything in VMware unless its something like World of Warcraft. Here is my Youtube channel http://www.youtube.com/v3dgames


Steves Comment: Steve salutes him for doing something

TIP OF THE WEEK! [ 10 ] - Tim in Illinois brings us the Abode Flash Installation

01:12:45 - 01:14:35
Tip:I think it was on one of your recent Security Now podcasts that I heard a discussion of installing Flash and how Adobe annoyingly forces the use of its own download manager. I discovered a way around that as this was an issue that annoyed me for some time: I would have to either install the download manager, or search for a direct link every time Adobe put out an update. But I found an easy way around that. All this takes is going to Adobe's site using a different browser!

To update FLASH for Firefox, open up IE and go to the Flash page (get.adobe.com/flash). Select the browser near the top. At the next page choose the correct operating system and continue. Select the radio button for Flash Player 10.1 for Windows - Other Browsers. Click on the agree and install now button and an option to download the file instead of the download manager should pop up. The opposite of this works for updating IE by using Firefox as well. Just have to select the IE version instead.

Steve's Comment: This is a great tip

Sponsors

Carbonite

  • Carbonite.com
  • Offer Code: SecurityNow
  • Carb 3
  • Ad Times: 0:59-1:13 and 29:11-31:55

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.