Security Now 272

Security Now Episode 272

"Firesheep"Hosts: Leo Laporte and Steve Gibson Topic: Firesheep Recorded: 27 Oct 2010 Published: 28 Oct 2010 Duration: 1:17:31 Transcript Previous episode – Next episode

Contents 1 Security Now 272: Firesheep 1.1 Security Updates 2 Security News 2.1 Errata 2.2 SpinRite 2.3 Firesheep 3 Sponsors 3.1 Go To Assist 3.2 Carbonite 3.3 Ford 4 Production Information

Security Now 272: Firesheep

Mozilla and Real Player updates, Firefox 0-day, Wall Street Journal tracking and privacy series, session hijacking for the rest of us, and more.

Security Updates

7:15 - 11:55

• Mozilla updated across the board, patching multiple remote code execution vulnerabilities, 5 out of 12 vulnerabilities rated Critical:
  • Firefox upgraded to v3.6.11
  • Firefox ... to v3.5.14
  • Thunderbird ... to v3.1.5
  • Thunderbird ... to v3.0.9
  • SeaMonkey ... to v2.0.9
• There is a 0 day vulnerability in Firefox's implementation of the javascript engine and it IS being actively exploited
• Disable javascript / use NoScript to avoid being bit

11:56 - 14:05

• Real Player releases across-the-board patches for its various annoying media players. ALL 7 are remote execution exploits.
• Uninstall it if you no longer use it

14:06 - 14:36

• Google Chrome updated to v7.0.517.43

Security News

14:37 - 18:06

• New Adobe Shockwave Player remote code execution 0-day vulnerability discovered in the wild, being used to execute code on victim's computers
• This is NOT the same as Adobe Flash Player

18:07 - 20:21

• Apple Phasing Out JAVA from future MAC OS
• They will REJECT App Store apps using such interpreters

20:22 - 30:38

• WSJ "What They Know" - Online Tracking & Privacy Series
• http://online.wsj.com/article/SB10001424052702304410504575560243259416072.html
• The 10 most popular apps on Facebook were transmitting user's ID to outside companies not matter what privacy settings you have

30:39 - 33:38

• At the recent RSA Europe conference held in London, former US Homeland Security secretary Michael Chertoff has called on countries to develop doctrines to deal with cyber warfare in the same way cold war doctrines were developed for nuclear conflict.
• He acknowledges that finding the source of an attack is hard

33:39 - 34:37

• The UK is allocating serious money for Cyber defence / warfare iniatives

34:38 - 36:46

• France passes and begins enforcing "HAPOPI" anti-piracy law
• They have hired a 3rd party company to monitor eMule, BitTorrent
• They Capture IPs and send a warning eMail

Errata

36:47 - 37:57

• Safari's Private Browsing
• Your existing State is visible but state changes are NOT retained

37:58 - 40:41

• 99% of Interops' 45/8 network IPs returned to ARIN
  • http://arstechnica.com/business/news/2010/10/embargoed-interop-gives-back-a-months-worth-of-ipv4-addresses.ars
  • Free: 5, 23, 37, 39, 100, 102, 103, 104, 105, 106, 179,185
  • Most of 45/8 was just given back.

01:14:08 - 01:15:00

• DNSBenchmark is now public

SpinRite

40:42 - 41:35 Dianne Dunnett (Unknown)

Spinrite fixed some broken hard drives

Firesheep

44:05 - 01:00:37 & 01:04:02 - 01:14:08

• Firesheep was released at TORCON 12 during a presentation called: "Hey Web 2.0: Start protecting user privacy instead of pretending to"
• Presentation Description: "Despite growing public concern over web privacy, especially within social networking sites, companies including Facebook, Twitter, and even Google all fail to protect users against session hijacking attacks.
• The slides are available here http://codebutler.github.com/firesheep/tc12/#36

• With Firesheep, a computer user can log onto a public network, in an airport or coffee shop, and get a list of all the computers that happen to be connected to the network at that moment.
• You can also see their pictures as Firesheep goes onto facebook and myspace etc to find them
• Simply by double-clicking on one of the names, the Firesheep user can access whatever that computer user is doing online. If they are updating their Facebook account, the Firesheep user is also logged in.
• Firesheep works by intercepting Internet cookies, which websites place on your computer when you visit so they will recognize you when you return. Professional hackers have had that tool in their arsenal for years. Now, thanks to Firesheep, anybody that as downloaded the add-on can do it.

• Get it here
• http://github.com/codebutler/firesheep/downloads

• Sites it handles:
  • http://github.com/codebutler/firesheep/wiki/Handlers
  • Fully Supported: Amazon, Basecamp, bit.ly, Enom, FaceBook, FourSquare, Github, Google, Hacker News, Harvest, The New York Times, Pivotal Tracker, Twitter, ToorCon, Evernote, Dropbox, Windows Live, Cisco, Slicehost, Gowalla, Flickr
  • Coming Soon: Yahoo, eBay, Linkedin, Digg, Reddit, Wikipedia, Blogger, GoDaddy, Posterous, Tumbr, Netflix, YouTube, SlashDot, MobileMe, PayPal, Salesforce, Craigslist, MySpace, Match, AOL
  • Steve debates the possibility of using Firesheep against PayPal

• Sites switch you over to SSL to login and give you a cookie to maintain state
• They then switch you back to a non SSL session so your cookie is sent in the clear over the network
• A hacker can then grab this cookie and pretend to be you

• To fix this problem permanently sites need to use SSL all the time once a user is logged in
• SSL now has very little performance overhead
• Steve thinks that now it is so easy to hack peoples session this will start to happen soon

• Some Solutions:
• Firefox add-on to note when a cookie received over SSL is about to be sent over non-SSL
• Use WPA encryption on open Wifi but make the password known. E.g. put it as the SSID

Sponsors

Go To Assist

• GoToAssist.com/security
• G2AX #7
• Ad Times: 1:02 - 1:14 and 5:04 - 7:06

Carbonite

• Carbonite.com Offer code: Security Now
• Carb #3
• Ad Times: 1:14 - 1:27 and 41:36 - 44:01

Ford

• syncmyridepodcast.com
• Ford Sync #8
• Ad times: 1:27 - 1:44 and 1:00:36 - 1:04:02

Production Information

• Edited by: Jeff
• Notes:

This area is for use by TWiT staff only. Please do not add or edit any content within this section.