Security Now 272

From The Official TWiT Wiki

Security Now 272: Firesheep

Mozilla and Real Player updates, Firefox 0-day, Wall Street Journal tracking and privacy series, session hijacking for the rest of us, and more.

Security Updates

7:15 - 11:55

  • Mozilla updated across the board, patching multiple remote code execution vulnerabilities, 5 out of 12 vulnerabilities rated Critical:
    • Firefox upgraded to v3.6.11
    • Firefox ... to v3.5.14
    • Thunderbird ... to v3.1.5
    • Thunderbird ... to v3.0.9
    • SeaMonkey ... to v2.0.9
  • There is a 0-day vulnerability in Firefox's implementation of the JavaScript engine, and it IS being actively exploited
  • Disable JavaScript or use NoScript to avoid being bitten

11:56 - 14:05

  • Real Player releases across-the-board patches for its various annoying media players. ALL 7 are remote execution exploits.
  • Uninstall it if you no longer use it

14:06 - 14:36

  • Google Chrome updated to v7.0.517.43

Security News

14:37 - 18:06

  • New Adobe Shockwave Player remote code execution 0-day vulnerability discovered in the wild, being used to execute code on victims' computers
  • This is NOT the same as Adobe Flash Player

18:07 - 20:21

  • Apple is phasing out Java from future versions of Mac OS
  • They will REJECT App Store apps using such interpreters

20:22 - 30:38

30:39 - 33:38

  • At the recent RSA Europe conference held in London, former US Homeland Security secretary Michael Chertoff has called on countries to develop doctrines to deal with cyber warfare in the same way cold war doctrines were developed for nuclear conflict.
  • He acknowledges that finding the source of an attack is hard

33:39 - 34:37

  • The UK is allocating serious money for cyber defence / warfare initiatives

34:38 - 36:46

  • France passes and begins enforcing the "HADOPI" anti-piracy law
  • They have hired a third-party company to monitor eMule and BitTorrent
  • They capture IP addresses and send a warning email

Errata

36:47 - 37:57

  • Safari's Private Browsing
  • Your existing state is visible, but state changes are NOT retained

37:58 - 40:41

01:14:08 - 01:15:00

SpinRite

40:42 - 41:35 Dianne Dunnett (Unknown)

SpinRite fixed some broken hard drives

Firesheep

44:05 - 01:00:37 & 01:04:02 - 01:14:08

  • Firesheep was released at ToorCon 12 during a presentation called "Hey Web 2.0: Start protecting user privacy instead of pretending to"
  • Presentation description: "Despite growing public concern over web privacy, especially within social networking sites, companies including Facebook, Twitter, and even Google all fail to protect users against session hijacking attacks."
  • The slides are available here: http://codebutler.github.com/firesheep/tc12/#36


  • With Firesheep, a computer user can log onto a public network, in an airport or coffee shop, and get a list of all the computers that happen to be connected to the network at that moment.
  • You can also see their pictures, as Firesheep goes onto Facebook, MySpace, etc. to find them
  • Simply by double-clicking on one of the names, the Firesheep user can access whatever that computer user is doing online. If they are updating their Facebook account, the Firesheep user is also logged in.
  • Firesheep works by intercepting Internet cookies, which websites place on your computer when you visit so they will recognize you when you return. Professional hackers have had that tool in their arsenal for years. Now, thanks to Firesheep, anybody who has downloaded the add-on can do it.


  • Sites it handles:
    • http://github.com/codebutler/firesheep/wiki/Handlers
    • Fully Supported: Amazon, Basecamp, bit.ly, Enom, Facebook, Foursquare, GitHub, Google, Hacker News, Harvest, The New York Times, Pivotal Tracker, Twitter, ToorCon, Evernote, Dropbox, Windows Live, Cisco, Slicehost, Gowalla, Flickr
    • Coming Soon: Yahoo, eBay, LinkedIn, Digg, Reddit, Wikipedia, Blogger, GoDaddy, Posterous, Tumblr, Netflix, YouTube, Slashdot, MobileMe, PayPal, Salesforce, Craigslist, MySpace, Match, AOL
    • Steve debates the possibility of using Firesheep against PayPal


  • Sites switch you over to SSL to log in and give you a cookie to maintain state
  • They then switch you back to a non-SSL session, so your cookie is sent in the clear over the network
  • A hacker can then grab this cookie and pretend to be you


  • To fix this problem permanently, sites need to use SSL all the time once a user is logged in
  • SSL now has very little performance overhead
  • Steve thinks that now that it is so easy to hack people's sessions, this will start to happen soon


  • Some Solutions:
  • Firefox add-on to note when a cookie received over SSL is about to be sent over non-SSL
  • Use WPA encryption on open Wi-Fi but make the password known, e.g. put it as the SSID
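
The check described in the first solution above, as an added example (not Firesheep's code or any real add-on's): it remembers which cookies arrived over SSL and lists the ones a later plain-HTTP request to the same site would carry. The function and class names, the example.test host and the sample headers are constructed; cookies marked Secure are skipped because browsers never send them over HTTP.

```javascript
// Added example: parseSetCookie, CookieWatch and the traffic in demo() are constructed.
function parseSetCookie(header, host) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const c = { name: pair.slice(0, pair.indexOf("=")), secure: false,
              domain: host.toLowerCase(), hostOnly: true, path: "/" };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === "secure") c.secure = true;
    else if (key === "path" && v.startsWith("/")) c.path = v;
    else if (key === "domain" && v) {
      c.domain = v.replace(/^\./, "").toLowerCase();
      c.hostOnly = false; // Domain= widens the cookie to subdomains
    }
  }
  return c;
}
class CookieWatch {
  constructor() { this.jar = []; }
  // Record cookies from a response and whether TLS protected their delivery.
  onResponse(url, setCookieHeaders) {
    const u = new URL(url);
    for (const h of setCookieHeaders) {
      const c = parseSetCookie(h, u.hostname);
      c.overTls = u.protocol === "https:";
      const same = (o) => o.name === c.name && o.domain === c.domain && o.path === c.path;
      this.jar = this.jar.filter((o) => !same(o)).concat(c);
    }
  }
  // Names of TLS-delivered cookies a browser would attach to this plain-HTTP request.
  exposedBy(url) {
    const u = new URL(url);
    if (u.protocol !== "http:") return [];
    const hostOk = (c) => u.hostname === c.domain ||
      (!c.hostOnly && u.hostname.endsWith("." + c.domain));
    const pathOk = (c) => u.pathname === c.path ||
      u.pathname.startsWith(c.path.endsWith("/") ? c.path : c.path + "/");
    return this.jar.filter((c) => c.overTls && !c.secure && hostOk(c) && pathOk(c))
      .map((c) => c.name);
  }
}

// Constructed exchange: login over HTTPS, then the site drops back to plain HTTP.
function demo() {
  const w = new CookieWatch();
  w.onResponse("https://www.example.test/login",
    ["session=abc123; Path=/", "csrf=xyz; Path=/; Secure"]);
  return w.exposedBy("http://www.example.test/home"); // ["session"]
}
```

A site that follows the permanent fix above (SSL for the whole logged-in session, with the session cookie marked Secure) produces an empty list for every request.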

Sponsors

Go To Assist

Carbonite

  • Carbonite.com Offer code: Security Now
  • Carb #3
  • Ad Times: 1:14 - 1:27 and 41:36 - 44:01

Ford

Production Information

  • Edited by: Jeff
  • Notes: