Security Now 273
Topic: Q&A #104 and “The FireStorm”
Recorded: November 3, 2010
Published: November 3, 2010
Security Now 273: Q&A #104 and “The FireStorm”
Firesheep firestorm, Flash 0-day exploit in the wild, another iPhone lock screen bypass, your questions, and more.
Intro - The Firesheep FireStorm
08:53 - 11:00
- "Ken Papp" tweeted: "Did my good deed today. Showed managers at Starbucks, CornerBakery, Barnes&Noble, and Sheraton Firesheep in action. Jaws hit the floor."
- Steve likes this as it means people are taking note and becoming more secure
11:01 - 12:10 & 12:51 - 13:26
- Firefox "Nobel Prize Hack" update has been available for some time:
- Fixed in: Firefox 3.6.12, Firefox 3.5.15, Thunderbird 3.1.6, Thunderbird 3.0.10 and SeaMonkey 2.0.10
12:11 - 12:50
- Google Chrome again silently and without fanfare moved up v7.0.517.41
13:27 - 15:35
- Adobe Shockwave did get fixed last Friday, October 29th, repairing 11 known security vulnerabilities.
- If you NEED shockwave, update to v18.104.22.1682 for Windows and Mac OS X
15:36 - 18:34
- New Abobe 0-day vulnerability being actively exploited in the wild.
- Exploit is in FLASH, but being accessed via Reader and Acrobat.
- Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
- Adobe Flash Player 10.1.95.2 and earlier for Android
- Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX
- Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh*
- Version 8.x are confirmed NOT vulnerable.
- Vulnerability in authplay.dll AGAIN
- Fixed Nov 4th for main OSes running V10
- Nov 9th for android
- Nov 15th for version 9.x updates.
18:35 - 22:01
- Brand new 0-day vulnerability discovered and reported by Symantec in Internet Explorer
- Affects IE v6 & v7, vulnerability exists in IE8, but DEP, enabled by default, thwarts it.
- IE9 Beta is not vulnerable.
- Targeted eMail with link-to-click installs malware Trojan.
22:02 - 24:20
- Another iPhone Lock Screen Bypass in iOS 4.1, to be fixed in iOS v4.2
- Tap the “Emergency Call” button, then enter three pound signs, hit the green Call button and immediately press the Lock button.
- Now the user has access to the Phone app on the iPhone including the address book, voicemail and call history.
24:21 - 27:20
- India dropping threat to ban Blackberry services
- "BlackBerry parent company Research in Motion (RIM) and the Ministry reached an interim agreement regarding government access to data sent over the BlackBerry network. RIM has promised a final proposal by January 31, 2011."
- The United Arab Emirates (UAE) cancelled a similar planned ban in early October, saying that "RIM had offered a workable solution."
- A Indian newspaper reports PC's have been installed in telecom providers on which RIM installs some software that reaches out to RIM and contacts them so they perform the decryption and return the decrypted data to the computer
27:21 - 34:40
- Amazon wins customer privacy battle with North Carolina tax collectors
- N.C. Wanted 50 million purchase records for everything purchased from 2003 through 2010 - with names and addresses.
- U.S. District Judge Marsha Pechman in Washington state said that request went too far and "runs afoul of the First Amendment." She granted Amazon summary judgment.
- Amazon stressed in its lawsuit that purchases of books, DVDs, Blu-ray discs, and other media enjoy special privacy protections.
34:41 - 47:44
- When a client first contacts a server if they have SSL credentials which are less than x hours old it can provide these credentials so re authentication does not have to be done
- Costs of Ubiquitous SSL, Google's experience:
- "If there's one point that we want to communicate to the world, it's that SSL/TLS is not computationally expensive any more. Ten years ago it might have been true, but it's just not the case any more. You too can afford to enable HTTPS for your users.
- In January this year (2010), Gmail switched to using HTTPS for everything by default. Previously it had been introduced as an option, but now all of our users use HTTPS to secure their email between their browsers and Google, all the time.
- In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead.
- Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that.
- If you are already using SSL to log users in there is very little overhead to using throughout the whole site
47:45 - 52:42 Gary Harris (Unknown)
Spinrite fixed a broken hard drive
Questions & Answers
54:51 - 01:24:33
Comment [ 01 ] - Todd Karwoski tweeted:
54:51 - 57:52
Listener Comment: Thought you should know that Microsoft's Security Essentials wants to "protect" my computer from Firesheep add-on that I installed. Here's a TwitPic of the message: http://twitpic.com/33btk1
Steves Comment: I guess this is protecting you from yourself. Steve however likes that Mozilla isn't blocking Firesheep
Question [ 02 ] - Paul Kawolski in Seattle Washington wonders whether WEP is enough?
57:53 - 01:00:53
Question: Would using WEP encryption be sufficient to protect from Firesheep? ... or would only WPA work?
Answer: Yes and No. WPA uses per connection encryption. WEP only uses one key. If the person running Firesheep has the WEP key then it offers no protection. If they dont have the WEP key they it does prevent Firesheep from being effective but WEP can be cracked in seconds anyway
Comment [ 03 ] - Doug Johnson in Orem, Utah suggests that using WPA doesn't help much:
01:00:54 - 01:05:57
Listener Comment: In your last episode you mentioned that turning on WPA solves the problem of session hijacking via insecure cookies, as Firesheep does. This is a great step in the right direction, but it isn't really a cure-all for the problem.
Even with WPA turned on, networks are still susceptible to ARP cache poisoning. Used in combination with Cain & Abel, Firesheep would still work even with WPA encryption turned on. A malicious user can send instructions to other computers to tell them to direct all internet traffic to their machine (and that computer pretends to be the network's gateway), at which point client isolation becomes meaningless, and Firesheep is able to capture all packets from targeted computers just as if the network was unencrypted and had no protection.
The only real solution is for web sites to force use of SSL for all authentication information.
Steve's Comment This is true - The only real solution is for web sites to force use of SSL for all authentication information. He is wrong about WPA not providing protection though as each connection is individually encrypted so the attack he talks about wouldn't work.
Question [ 04 ] - Thomas Crowe in Virginia Beach, Virginia proposes a WPA- NoPSK mode for WiFi:
01:08:41 - 01:17:33
Question: Since WPA came out I always thought they should have an encrypted version of open access where you only have a secure connection to the access point, indicating with the SSID that its open; say NoPSK mode. Personally I think we need to completely ban Open WiFi and WEP and possibly require UAC even in order to connect to them as it is in fact very insecure, especially now that we have the Firesheep plug-in.
Now, I can't see any more vulnerabilities with having "NoPSK" than telling everyone the password or making it the same as the SSID. I think they need to add this to part of the standard as we already have PSK and Enterprise 802.11x with radius auth, why not this one?
I wanted to make one final comment that this does not protect us against man-in-the-middle attacks where the WiFi access point is impersonated. The only way you can prevent that is to use trusted certificates that are already installed on the machine, like the do with SSL in the first place. But I think it would still be a huge step forward in wireless security. Does that sound about right? I look forward to your response.
Answer: If you dont have authentication which is the critical thing SSL and certificates provide then there is always the possibility of impersonation. WPA is not a perfect solution because someone listening in while a new user is connecting will be able to see all the traffic gong in both directions. So there isn't anything the access point or user can know that the attacker doesn't. So this means that an attacker could get the per station pairwise temporal key. So turning on WPA doesn't ensure protection
01:17:34 - 01:19:05
Listener Comment: I wanted to share this very nice chart at DigitialSociety.org showing their analysis of their security under the Firesheep threat: http://bit.ly/cJ8Xig or http://www.digitalsociety.org/2010/11/online-services-security-report-card/
Steve's Comment This is neat
Comment [ 06 ] - Dean in North Dakota wonders about "Secure" Cookies
01:19:06 - 01:22:24
Listener Comment: I would like to hear about ways for individuals to enforce cookie encryption. One possibility is (no surprise) noscript! In the noscript options, under the advanced tab, is an https tab where one can enforce secure cookies. Noscript tries to append a Secure flag to cookies. I'd love to hear your advice on this or other solutions.
Steve's Comment: The problem with this is that it will break a lot of sites
01:22:25 - 01:24:33
Listener Comment: I'm guessing you're probably already aware of this, but just in case you've not heard yet checkout the following. http://github.com/blog/737-sidejack-prevention
Steve's Comment: Github implements secure cookies like discussed earlier
Go To Meeting
- Offer code: NOW
- G2M #9
- Ad Times: 1:01-1:16 and 52:39-54:38
- General Electric's Ecomagination Challenge
- GE #4
- Ad Times: 1:19-1:36 and 6:06-8:27
- Sync #8
- Ad Times: 1:38-1:54 and 1:06:20-1:08:41
- Edited by: Tony
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|