Security Now 277

From The Official TWiT Wiki

Security Now 277: Your Questions, Steve's Answers #106

New Windows kernel vulnerability, Wikileaks siprnet, Vitamin D findings, your questions, and more.

Security Updates

10:30 - 14:38

  • No Security Updates
  • Adobe Updates Flash to improve performance v10.2

Security News

14:39 - 19:30

  • Windows - New Local Privilege Escalation 0-Day Kernel Vulnerability:
    • 32 & 64 bit XP, Vista, Win7 & Win2008/SP2
    • Stack overflow in the NtGdiEnableEUDC function allows an attacker to inject a return address pointing to his own code.
    • This code is then executed with full system privileges.
    • Proof-of-concept code in the wild
    • Microsoft acknowledges and is examining
    • Next patch Tuesday is December 14th (since Dec 1st is a Wednesday!)

19:31 - 22:02

  • Iran has acknowledged that STUXNET got into and interfered with their nuclear fuel enrichment processes.

Wikileaks

22:03 - 26:07

  • Siprnet - "Secret IP Routed Network"
    • Disabling write-enable on removable devices

Errata

26:08 - 30:57

  • Supreme Court declines to hear Whitney Harper case:
    • 12 years old at the time, now she's 22
    • "inadvertent innocent infringer" - $200 max
    • non-innocent infringer: $150,000 max (per song)
    • First trial judge agreed with her defense that she was innocent since no notice of any kind was present on what she downloaded.
    • Federal appeals court judges concluded that a copyright notice anywhere trumps the innocent infringer defense.

30:58 - 33:27

  • Wikipedia is asking for donations
  • Steve and Leo gave $100

33:28 - 47:50

  • Institute of Medicine's Food and Nutrition Board (FNB) new Vitamin D finding
  • "No need to supplement with extra Vitamin D and calcium" - Reported widely by news outlets
  • Study only addressed bone strength aspects of vitamin D
  • 1 in 5 children throughout the world still develop rickets

Sci-Fi Update

51:11 - 01:02:59

  • Peter Hamilton
    • Fallen Dragon
    • Pandora's Star -> Judas Unchained
  • Michael McCollum : Sci-Fi AZ (www.scifi-az.com)
    • Antares Trilogy: Dawn / Passage / Victory
    • Gibraltar Trilogy: Earth / Sun / Stars
    • Many individual novels
  • The Lost Fleet by John G. Hemry, pen name: Jack Campbell
    • The Lost Fleet: Dauntless (2006)
    • The Lost Fleet: Fearless (2007)
    • The Lost Fleet: Courageous (2007)
    • The Lost Fleet: Valiant (2008)
    • The Lost Fleet: Relentless (2009)
    • The Lost Fleet: Victorious (2010)
  • Helfort's War - Graham Sharp Paul
    • The Battle at the Moons of Hell
    • The Battle of the Hammer Worlds
    • The Battle of Devastation Reef
    • The Battle for Commitment Planet (11/23)
  • Gregory Benford's Galactic Center Series
    • In the Ocean of Night (1977)
    • Across the Sea of Suns (1984)
    • Great Sky River (1987)
    • Tides of Light (1989)
    • Furious Gulf (1994)
    • Sailing Bright Eternity (1996)

Question [ 01 ] - An anonymous listener raised a good and disturbing point:

01:06:11 - 01:08:26
Question: Regarding the Chinese redirection of traffic:


You forgot to mention that SSL would not have prevented snooping in the latest traffic redirection incident. China controls root certificates that are installed on our systems, which enables them to do transparent SSL man-in-the-middle.


Answer: This is exactly right. Steve does not think what China did was deliberate, though.

Question [ 02 ] - Another anonymous listener had a thought about defeating Phorm-style man-in-the-middle eavesdropping:

01:08:27 - 01:12:30
Question: Would it be possible to derive a simple protocol using certain parameters known by both the Browser & the Server? This should deter some systems like phorm, but not unduly impede Security Services. I was thinking perhaps the Server would know the connection IP address or some header & the Browser would know both the IP address of the Server & the requested URL. XOR should be fast & transient enough?


Answer: He's asking if there's some simple way to prevent Phorm from tracking us by establishing a simple yet secure connection to a server. What you need, however, is authentication and encryption, and as Phorm is a man in the middle it can see everything you're doing. There is no simpler way to do it than SSL.
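To make the answer concrete, here is an added example (not from the show or the listener) that implements the listener's proposal with constructed addresses: a keystream derived from the client IP, server IP and URL, XORed over the request. The server has to get those same inputs from the connection, so an in-path observer gets them too and decrypts with the very same function; only a secret the observer does not have (what SSL's key exchange provides) changes that.

```python
import hashlib

# Constructed sample values (documentation-range addresses, not real hosts).
CLIENT_IP = "203.0.113.7"
SERVER_IP = "198.51.100.42"
URL = "http://example.com/account"


def keystream(client_ip: str, server_ip: str, url: str, length: int) -> bytes:
    """Hypothetical keystream built only from connection metadata, as the
    listener proposed. Every input is visible on the wire; that is the flaw."""
    seed = f"{client_ip}|{server_ip}|{url}".encode()
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def browser_send(plaintext: bytes) -> dict:
    """Browser side: XOR the request with the keystream. The 'packet' headers
    must carry the keystream inputs in the clear, or the server could not
    derive the same keystream to undo the XOR."""
    ks = keystream(CLIENT_IP, SERVER_IP, URL, len(plaintext))
    return {"src": CLIENT_IP, "dst": SERVER_IP, "url": URL,
            "body": xor_bytes(plaintext, ks)}


def server_receive(packet: dict) -> bytes:
    """Server side: rebuild the keystream from the packet and decrypt."""
    ks = keystream(packet["src"], packet["dst"], packet["url"], len(packet["body"]))
    return xor_bytes(packet["body"], ks)


def eavesdropper_read(packet: dict) -> bytes:
    """An observer at the ISP sees src, dst and URL exactly as the server
    does, so its decryption is literally the server's code path. Nothing
    in the scheme is secret from it, and nothing authenticates either end."""
    return server_receive(packet)


if __name__ == "__main__":
    pkt = browser_send(b"user=alice&token=12345")
    print(pkt["body"].hex())           # scrambled on the wire
    print(eavesdropper_read(pkt))      # b'user=alice&token=12345'
```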

Question [ 03 ] - Rick Shepherd in Reno, Nevada wonders about the ".p2p" top level domain?

01:12:31 - 01:22:54
Question: I'd like to hear your thoughts on the proposed .p2p TLD that is supposed to be ICANN-independent and would allow we-the-people to bypass traditional DNS and thereby remove the power from ICE or whomever may wish to take down domain names. http://dot-p2p.org


Answer: This site is proposing an alternative DNS which is decentralised. They want to create a ".p2p" domain. Steve doesn't like that it's being run by The Pirate Bay founder, however.

Question [ 04 ] - Mark Jones in Midland, Michigan wonders about Web Fingerprinting and Fonts

01:22:55 - 01:32:19
Question: Today's Wall Street Journal's front page contains another article in their ongoing series on web privacy. This one addresses the technology of BlueCava for web fingerprinting. The technology is clearly not unique to BlueCava. It is the web fingerprinting technology you described some time ago that polls many different attributes of a particular system. A unique pattern that identifies the system emerges when these attributes are viewed as a set. As a loyal Security Now listener, I was surprised to actually learn something from the mass media about security.


The article called to my attention that one of the means the fingerprinting uses is to interrogate fonts on the system. Several years ago I converted my handwriting into a font. I gave the resulting font the fairly obvious name of my name. My name is fairly generic, but I'm betting that I might still be the only person to have a font with my name. I never thought this might be a beacon for tracking me on the web.


This prompts a couple of questions:

  • How many ways can the fonts on your system be interrogated by a web site you visit?
  • Can all of the BlueCava methods be blocked by the use of NoScript?
  • Are there other means to block the font list from prying eyes?


Answer: Steve doesn't know how many ways there are. Scripting is used to do a lot of these tracking things, so NoScript blocks a lot of them. However, even without scripting, browser headers give away a lot of information. If you are really worried about this, Steve recommends using a VM or live CD.

Question [ 05 ] - Edward "Ted" Doyle in Columbia, MO, USA wonders about "The allocation of IP addresses for efficient routing..."

01:32:20 - 01:39:55
Question: I have been reading a wonderful free book about TCP/IP, and neither your past podcasts introducing basic Internet concepts, nor the first 500 pages of the book have addressed so far the notion of IP address allocation for efficient routing.

There are about 64 times 256 or about 16,000 Class B addresses (IPv4 with the first number of the IP address starting 128 through 191). If these addresses are assigned to organizations in an unorganized fashion then the following situation could occur:

  • 140.65.* assigned to a company in Perth, Australia
  • 140.66.* assigned to a university in Poland
  • 140.67.* assigned to an ISP in Edmonton, Alberta
  • 140.68.* assigned to the City of Buenos Aires, Brazil
  • and so on

There must be some order to the way addresses are assigned; for instance if the IP block with 140 though 147 in the first byte was assigned to Europe. And then Europe could in turn assign 140 to England, 141 to France, and so on. Thus the router in St. Louis, Missouri, using one router table entry, could examine the first number in the IP address see something between 140 and 147 and know that the packet needs to be routed eastward towards Europe.

Is this how IP addresses are assigned and routed?? If not, could you describe how IP addresses are allocated to make routing feasible.

Yes, I know that now most routers use Classless Inter Domain Routing (CIDR) obsoleting the old class A, B and C systems.

The book I am reading is "The TCP/IP Guide," by Charles M. Kozierok. The full 1600 page text is available at www.tcpipguide.com. So far I have read only the first 500 pages and in the next hundred to two hundred pages I will reach the chapters on the routing protocols.

I will both continue reading the TCP/IP guide and listening to your podcast for the answer to this question.


Answer: Visit http://bgp.potaroo.net. If we were to do it again we would do it differently, but the IPs were not handed out considering geography.
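An added example (constructed tables, not real BGP data, and not from the show) of how CIDR longest-prefix matching makes aggregation pay off, using the listener's own scattered /16s against a hypothetical block delegated to one region. It also goes one step past the question: CIDR blocks are power-of-two aligned, so "first octet 140 through 147" is not one prefix, and summarizing those eight /8s still costs two entries.

```python
import ipaddress

# Scenario A (the listener's example): /16s handed out with no regard to
# geography, so a St. Louis router needs one entry per /16.
SCATTERED = {
    "140.65.0.0/16": "Perth",
    "140.66.0.0/16": "Poland",
    "140.67.0.0/16": "Edmonton",
    "140.68.0.0/16": "Buenos Aires",
}

# Scenario B: an aligned block delegated to one region. 140.0.0.0/6 covers
# first octets 140-143 in a single entry; the France /8 inside it is more
# specific and so wins for 141.x.x.x (longest-prefix match).
AGGREGATED = {
    "0.0.0.0/0": "default",
    "140.0.0.0/6": "Europe",
    "141.0.0.0/8": "France",
}


def lookup(table: dict, ip: str) -> str:
    """CIDR longest-prefix match: of all entries containing ip, return the
    next hop of the most specific one ('unroutable' if none matches)."""
    addr = ipaddress.ip_address(ip)
    best_net, best_hop = None, "unroutable"
    for prefix, hop in table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def summarize(table: dict) -> dict:
    """Collapse each next hop's prefixes into the fewest covering routes.
    Only contiguous, aligned blocks with the SAME next hop merge, which is
    why SCATTERED stays at four entries no matter how it is arranged."""
    by_hop = {}
    for prefix, hop in table.items():
        by_hop.setdefault(hop, []).append(ipaddress.ip_network(prefix))
    out = {}
    for hop, nets in by_hop.items():
        for net in ipaddress.collapse_addresses(nets):
            out[str(net)] = hop
    return out


if __name__ == "__main__":
    europe = {f"{o}.0.0.0/8": "Europe" for o in range(140, 148)}
    print(summarize(europe))               # 140-147 collapses to 140/6 and 144/6
    print(lookup(AGGREGATED, "141.9.0.1"))  # France: the /8 beats the /6
```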

Question [ 06 ] - Dennis Keefe in Panama City, Florida wonders about securely using Lastpass on a work PC...

01:39:56 - 01:42:56
Question: The following is a post from my blog, what do you think?

If you love LastPass, but are not exactly comfortable having it installed on your work PC, you might like this solution.

Today I decided to try this approach. First, I used TrueCrypt to create an encrypted volume on the hard drive. Next, I went to www.portableapps.com and instead of downloading the software to a USB drive as usual, I installed it into the encrypted volume. Now, the only way to access Firefox and my Last Pass vault is by first mounting the True Crypt volume.

If you still need Firefox installed for others in your office, just install a stripped down version for others to use that doesn't include any personal info. Keep up the great work!


Answer: This is a clever idea, but Steve would add that LastPass have created their own portable version, which you should also use.

Question [ 07 ] - Ralph in California wonders about Alternate PDF Readers for Macs?

01:42:57 - 01:45:13
Question: In episode 276 -"Testing DNS Spoofability" - you encourage listeners to find an alternative to Adobe reader. Leo mentioned Foxit. What are the best of breed PDF readers for the Mac?


Answer: You don't need one, it comes with Preview.

Question [ 08 ] - Rick in Canada brings us the Firefox Addon TIP OF THE WEEK!:

01:45:14 - 01:48:15

Tip: I found a GREAT Firefox add-on: sslpersonas. What it does is change the Firefox Persona on the fly, so that you know you are on an SSL site. Instead of needing to look for the little lock, or the "s" on the "http" on the address bar, it changes the Persona and makes it obvious. Check it out.


Steve's Comment: This looks really neat.

Sponsors

Ford

  • Ford and the 2012 Ford Focus Global Test Drive
  • twitfordfocus.com
  • Sync #9
  • Ad Times: 1:00-1:15 and 5:29-10:24

GE

Go To Assist

Production Information

  • Edited by: Tony
  • Notes: