Security Now 290

Security Now
Episode 290

Security Now 290: Q&A 112

Windows 7 service pack 1 is out, Apple's Thunderbolt security, Facebook's HTTPS security turns itself off, and more.

Security News

8:30 - 11:52 Windows 7 Service Pack 1 released

  • Spotty trouble reports.
  • Brian Krebs suggests not bothering if you've been keeping up
  • Long-term, though, you may need to install it

11:53 - 16:13

  • Keystroke loggers found on library computers in Cheshire, UK
  • Remember: NOTHING is less secure than a "public access" PC!

16:14 - 23:59

  • Intel / Apple “Thunderbolt”
  • Essentially a high-speed serialized PCIe bus
  • Allows DMA access to the entire machine!! (The chipset can impose limits, but they are not known to be implemented in Mac OS)
  • Like: Firewire, ExpressCard & SD/IO ports

24:00 - 27:40

  • Facebook's HTTPS security turns itself off
  • If you click a link to a Facebook App that doesn't support HTTPS:
  • "Sorry! We can't display this content while you're viewing Facebook over a secure connection (https). To use this app, you'll need to switch to a regular connection (http)."
  • BUT... this turns off your HTTPS preference setting and doesn't turn it back on! :(

27:41 - 30:30

  • Gmail Mail Lossage on the mend
  • 0.02% of Gmail users temporarily lost all their eMail
  • A "storage software update" was pushed out and introduced the bug
  • But nothing was permanently lost
  • "It’s important to note that email sent to you between 6:00 PM PST on February 27 and 2:00 PM PST on February 28 was likely not delivered to your mailbox, and the senders would have received a notification that their messages weren’t delivered."

30:31 - 41:39

  • Lastpass Cross-Site Scripting discovery
  • @SGgrc: “Lastpass XSS impact CONFIRMED: It was an embarrassing information leak (fixed) but encrypted user logon data was never in danger of exposure.”
  • Did expose: Account eMail, password reminder, site usage history.
  • Mike's blog posting stated that he was “certain” it would be possible to obtain encrypted and protected site logon username and password data, but on that count he was extrapolating too far.
  • As I originally explained ~ the reason I'm so pleased with the fundamental Lastpass architecture ~ is that it synthesizes the user's symmetric cipher key, on the client side, from the locally prompted-for username and password. It then uses that key to encrypt all site logon info before it is sent to Lastpass.
  • Because the cipher key NEVER goes to Lastpass they don't have it, never have it and can't divulge it, nor any sensitive decrypted logon info.
  • STS - HTTP Strict Transport Security (HSTS) now implemented.
  • NoScript would have allowed the XSS script to run, since it was running in the presumably trusted domain, but Mike has indicated that NoScript's own XSS protection WOULD have prevented this attack all by itself.
  • (And Mike Cardwell, himself, is still continuing to use Lastpass.)

41:40 - 43:54

  • "Brian" in Vancouver, BC wonders about my feelings about the Kindle 3
  • Steve loves it for what it is
  • The iPad blows it away however
  • Kindle 3 is better for text only books with no graphics

46:41 - 49:23

  • Cryptolink is on hold due to the FBI's desire to have a backdoor in encryption
  • Steve is currently working on a USB drive encryption tool instead

SpinRite Story

43:55 - 46:40 Anthony Pitcher (Unknown)

SpinRite fixed a broken hard drive

Questions & Answers

Question [ 01 ] - Charles G in Pittsburgh wonders about Intel's 2nd factor authentication:

53:20 - 58:40

Question: Am I missing something? If the 6 digit number can be generated on demand for authentication, what's to prevent malware from being able to do the same thing? Yes, it stops crooks from using other machines, but if your machine is compromised, this is worse than having a separate dongle, is it not?

Answer: You are correct

Question [ 02 ] - Mike Norris in Louisville, Kentucky wants to poke a hole...

58:41 - 01:04:32

Question: I have installed bitcoin and it is cranking away. I have a question about the comment to set port 8333 (TCP) to forward to your computer to create more connections. I am having trouble doing this. What is the procedure to set this up safely? I am running Windows 7.

Answer: Look at the Advanced Firewall Configuration in Windows to see which ports are open in the Windows firewall. for information on how to forward ports through your router.

Question [ 03 ] - Bryan L. Gay in Atlanta, Georgia declares: "Bitcoin FAIL"

01:04:33 - 01:07:51

Question: Well, I installed the bitcoin client on the only Windows machine I have (one I built for gaming), and the rest of my machines are either servers or work machines and laptops.

Unfortunately, bitcoin chose the WRONG port to try to operate on... 8333? Seriously? This is VMware's port! I run VMware server on all my machines, so bitcoin won't even attempt to run on any of them, citing its inability to bind to the port and assuming that it must already be running.

Now I'm looking for a way to change its port... got to get it off of 8333...

Answer: You probably can't change the port. Bitcoin can be run over a SOCKS proxy, though, and there is Tor information on their website.

Question [ 04 ] - Andrew in Northern Ireland wonders whether “The server will protect us!” ??

01:07:52 - 01:12:50

Question: I recently started working for a small company with a single server and around 15 client machines. Having listened to Security Now for several years, I was a bit startled to see that most of the client machines run XP SP2 with little or no updates applied.

When it comes to my home machines I have a mild case of OCD regarding keeping everything up to date with the latest patches and fixes so seeing this got me asking my employer some questions about their security practices. They have been told that because they are behind a server (windows based server, not sure which version) that they do not need to update the client machines at all!

Now, this doesn't seem right to me and I'm sure that there must be some example of how this can provide a security hole but I can't think of any good ones. If all traffic to and from the internet goes through the server does that automatically protect the client machines? If a virus/Trojan etc. was to be installed locally (maybe via a USB pen brought from home or a downloaded malicious PDF file) what damage could it do if it can’t get through the server to the internet?

Of course this assumes that the server is constantly up to date with Microsoft's patches, virus definitions etc, but I also doubt that this takes place!

Am I wrong? Will the almighty server protect us all? Or am I right to advise updating some machines?

Answer: You still need to update the machines

Question [ 05 ] - Steven Meyer in Switzerland has a great comment about proxy dangers

01:12:51 - 01:16:16

Question: When you were talking about proxies you forgot to mention the sniffing risk of the proxy. Any password sent through the proxy can be listened to and, if it is malicious, it could impersonate you (even when using SSL).

Answer: Using a proxy is really unsafe, you are correct

Question [ 06 ] - Jesse in Minneapolis wonders about 'C' language character arrays

01:16:17 - 01:20:15

Question: I'm in my second semester of the CSCI program at the University of Minnesota and we're currently covering the String class in Java. My professor mentioned that in C, it handles all strings as a character array and looks for the null terminator to know when that array ends. My question is, if that's the case doesn't that make any application written in C vulnerable to buffer overflow attacks?

Answer: Yes
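The null-terminator issue Jesse asks about, as an added C example that is not from the episode: strlen()-style code walks memory until it finds a '\0', so any copy that trusts the source's terminator can write past a fixed-size destination. The bounded copy below rejects input that does not fit, and is_terminated() detects an array that has no terminator before anything walks off its end. The function names and the sample inputs are mine.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen() */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if buf holds a '\0' within its first cap bytes, else 0.
   strnlen() stops at cap, so it never walks past the array the way
   strlen() would on an unterminated char array. */
int is_terminated(const char *buf, size_t cap) {
    return strnlen(buf, cap) < cap;
}

/* Bounded copy: returns 0 only if src, including its '\0', fits in
   dst's cap bytes; otherwise returns -1 and leaves dst empty. This is
   the length check that a bare strcpy()-style copy omits. */
int copy_checked(char *dst, size_t cap, const char *src) {
    if (cap == 0) return -1;
    size_t n = strnlen(src, cap);   /* reads at most cap bytes of src */
    if (n == cap) {                 /* no '\0' within cap bytes: would overflow */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* Convenience wrapper: copies src into a local 8-byte buffer and reports
   whether it fit (1) or was rejected (0). */
int fits_in_eight(const char *src) {
    char dst[8];
    return copy_checked(dst, sizeof dst, src) == 0;
}

int main(void) {
    /* constructed inputs: one fits, one would overrun an 8-byte buffer */
    printf("\"alice\" fits: %d\n", fits_in_eight("alice"));
    printf("\"12345678\" fits: %d (8 chars leave no room for '\\0')\n",
           fits_in_eight("12345678"));
    /* A char array filled to capacity is not a C string: strlen() on it
       would read past the end, so check for a terminator first. */
    char raw[4] = {'a', 'b', 'c', 'd'};
    printf("raw terminated? %d\n", is_terminated(raw, sizeof raw));
    return 0;
}
```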

Question [ 07 ] - Kristofer Thurston in Plano, Texas tells of another proxy type...

01:20:16 - 01:26:35

Question: I've been a network administrator in both public and private education (K-12) for over 10 years, and proxy use (abuse) has been a nemesis for me for most of this time.

Don't get me wrong, I'm a full believer in the right to privacy, the internet, and speech. But, in my line of work, the distraction of the internet can drastically reduce student performance while simultaneously increasing the level of aggravation in our teachers. In order to make the internet a resource instead of a distraction (and also because of the CIPA), we're forced to filter traffic during school hours.

We're currently using a filter that leverages URL filtering in combination with deep packet inspection to prevent access to some of the less illustrious internet content. The DPI portion uses matching rules based on Snort packet signatures. This solution does a fantastic job of eliminating proxy type traffic as well as instant messaging and as a result is a fantastic supplement to the URL filter.

As a result, our students have had to resort to more devious methods to bypass the filters. What they've found are two products called UltraSurf and Freegate.

These proxy services work by creating a local proxy server in the student’s, and pointing the browser to this local proxy server. The proxy server then negotiates an SSL connection to a network of servers on the public internet which then proxy the web requests (the distributed network, like bit-torrent, prevents blocking of specific IP addresses). This is particularly effective because the encryption completely masks the packet payload, rendering the DPI of my filter useless.

Also, because more and more sites are "going dark" and switching to SSL (like facebook and gmail), DPI is further becoming more ineffective.

As a result, we are in the process of using a filter similar to those you have discussed previously, that require the installation of a CA certificate on all clients so that SSL traffic can be decrypted inside the box (authorized man-in-the-middle). When we do this, we will, of course, do so with full disclosure and warn against using the school network for truly secure purposes like banking, etc.

So, sorry for the length, but I thought you would like to know about these two products specifically. By the way, from what I understand, Ultrasurf was created by CIA spook types to subvert Chinese government internet filters and Freegate is a derivative product.

Answer: Steve wants to bring this to people's attention

Question [ 08 ] - Jack Daniel, our friend at Astaro weighs in on Proxies (and more)

01:27:30 - 01:32:30

Question: The web re-writing, browser-as-client kind of proxies you mentioned in a recent episode have a few problems: First is the inherent domain obfuscation, this breaks what little cross-domain protection we have left as all content is generally delivered to the browser from the same domain.

Second, and a bigger issue for many, those sites are free, and some (many? most?) are supported by unsavory practices like serving spyware and malware.

This type of proxy is a big problem for schools, both as they try to keep the students focused on school work instead of Facebook (or worse), and because of the malware issues they bring. (Astaro systems have tools to address these issues, but this isn't an advertisement)

I haven't looked lately, but I would also worry about those that support HTTPS sites: are they proxying that traffic by performing a man-in-the-middle proxy? I would look closely at the certificates. Finally, if they are just SSL/TLS wrapping the HTTPS, the tunnel is prone to the infamous TCP over TCP tunnel collapse once retransmissions begin. But complaining about poor performance on a free proxy is probably pointless.


You have talked a lot about two-factor authentication over the years, have you ever looked at WiKID Systems? They have two 2FA systems, one Open Source and one commercial, and they do some pretty cool things and support a myriad of devices. Might be of interest to you.

Finally, updates on free events:

HacKid has a few more events on the horizon, no dates yet, but lists several in the planning stages (including one in the Bay area near Leo). Another event I've been involved in (and Astaro sponsors) is Security BSides. These are a series of free InfoSec events held around the world, sometimes adjacent to large events, sometimes standalone. The focus is high-quality content in a relaxed and conversational format. I think Leo will be dropping by to see us in Austin next week. Registration is full for that one, we may have space for a few walk-ins, but there are many more coming up all around the world. is the main wiki for BSides.

No need to mention my name, I'm sure folks are sick of hearing from me; I just wanted to drop you a line with a few things I thought might interest you.

Answer: Great points

Question [ 09 ] - Brett Moffett in Adelaide, South Australia uses his Yubikey to logon to PayPal…

01:32:31 - 01:36:07

Question: Ever since hearing about Yubikey on Security Now I have been a convert. The power of a one time password and the ability to store a very long random password all in a very small device is fantastic. I just wish more sites would support it. Well it looks like instead of waiting for sites to accept Yubikey, Yubico have brought Yubikey to them.

I noticed in a recent Yubico newsletter that there is now an option of buying a Yubikey with Symantec VIP installed in the first memory slot of the key. This can then be associated with sites like Pay Pal and you can use your Yubikey to access these sites. The second slot can be programmed to use the Yubico OTP, OATH or even a static password.

Unfortunately, this can not be retro fitted to existing Yubikeys but buying it with it built in costs no more than a regular key.

Answer: This is using the same algorithm as the credit card

Question [ 10 ] - Lance, an Eagle Scout in the USA, has some great Bitcoin feedback...

01:36:08 - 01:41:10

Question: You have talked the last couple of weeks about bitcoins. After your podcast I decided to check it out. After running 2 computers with bitcoin for a day I saw nothing. So I decided to look into what others were doing to compete with these GPU bitcoin farms. I found that pooled mining is a great way to combat this. I joined the mining effort found here:

And after 2 days I had generated 1 bitcoin. However, my computer had, just as yours, cranked out the hot air and I could hear the liquid constantly being pushed through. So I decided that it wasn't worth wearing out my 2 computers for 50 cents a day. Now both computers that I was using were quad cores, one at 3.4GHz and one at 2.8GHz. So I was on the higher end of CPUs. I can't imagine how long it would take an older PC, even in pooled mining, to generate 1 Bitcoin. I still wanted to get in on these bitcoins but it was pretty apparent that I was either going to wear out my PCs doing it or I had to invest money into a GPU or just buy coins. But, after searching around I found that actually most people using bitcoins do not farm for them. They use sites that accept bitcoins to sell items and make bitcoins from those sales. So they have sites such as eBay and Amazon where you can bid/pay in bitcoins. For those looking to get into the bitcoin game I would highly suggest trying to sell items on these trading sites that accept bitcoins instead of using, say, eBay. I personally found it a lot easier than farming bitcoins. This way you will still make bitcoins but you won't have to wear out your computer, waste bandwidth and run up your electric bill doing it.

Answer: Rather than one machine trying alone, lots of computers pool their resources and split the prize

Production Information

  • Edited by: Tony
  • Notes: