Security Now 294

From The Official TWiT Wiki

Security Now 294: Q&A 114

Security Updates

Nada

Security News

Real Player Heap Buffer Overflow Vulnerability (No patches yet)

  • Security Focus: "RealPlayer is an ugly media player developed by RealNetwork and used mainly for its browser's plugin supporting the proprietary file formats of its developer." BUG: "Classical heap overflow during the handling of the IVR files caused by the allocation of a certain amount of data (frame size) decided by the attacker and the copying of another arbitrary amount on the same buffer. From rvrender.dll (base address 63AE0000):"
  • Last update from Real was Feb 8th, 2011 fixing a security problem.
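The bug class quoted above, an allocation size and a copy length taken from two separate attacker-controlled header fields, shown in a minimal C parser beside its hardened form. This is an added example, not code from the page, from RealNetworks or from the advisory quoted above. The frame layout (two little-endian 32-bit fields, frame_size and data_len, followed by the payload), the MAX_FRAME_SIZE cap and every function name are assumptions made for illustration; the real IVR format is not described here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical frame layout (an assumption for this example): two little-endian
 * 32-bit fields, frame_size (what the parser allocates) and data_len (what it
 * copies), followed by data_len bytes of payload. */
#define HDR_LEN 8u
#define MAX_FRAME_SIZE (16u * 1024u * 1024u)   /* sanity cap, also an assumption */

enum frame_status {
    FRAME_OK = 0,
    FRAME_ERR_SHORT_HEADER,
    FRAME_ERR_BAD_SIZE,
    FRAME_ERR_OVERFLOW,     /* data_len > frame_size: the copy would overrun the chunk */
    FRAME_ERR_TRUNCATED,    /* data_len > bytes actually present in the input */
    FRAME_ERR_NOMEM
};

static uint32_t rd_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern: allocation size and copy length are independent fields
 * under attacker control, and only the presence of the header is checked.
 * Calling this on a frame with data_len > frame_size is a heap overflow. */
uint8_t *parse_frame_unsafe(const uint8_t *in, size_t in_len, uint32_t *out_len)
{
    if (in_len < HDR_LEN) return NULL;
    uint32_t frame_size = rd_le32(in);
    uint32_t data_len   = rd_le32(in + 4);
    uint8_t *buf = malloc(frame_size);      /* attacker picks the chunk size... */
    if (!buf) return NULL;
    memcpy(buf, in + HDR_LEN, data_len);    /* ...and how much is written into it */
    *out_len = data_len;
    return buf;
}

/* Hardened version: every attacker-controlled length is validated against both
 * the allocation and the bytes actually available before anything is copied. */
enum frame_status parse_frame_checked(const uint8_t *in, size_t in_len,
                                      uint8_t **out, uint32_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (in_len < HDR_LEN) return FRAME_ERR_SHORT_HEADER;
    uint32_t frame_size = rd_le32(in);
    uint32_t data_len   = rd_le32(in + 4);
    if (frame_size == 0 || frame_size > MAX_FRAME_SIZE) return FRAME_ERR_BAD_SIZE;
    if (data_len > frame_size) return FRAME_ERR_OVERFLOW;
    if (data_len > in_len - HDR_LEN) return FRAME_ERR_TRUNCATED;
    uint8_t *buf = calloc(1, frame_size);
    if (!buf) return FRAME_ERR_NOMEM;
    memcpy(buf, in + HDR_LEN, data_len);
    *out = buf;
    *out_len = data_len;
    return FRAME_OK;
}

/* Builds a frame in memory so the two parsers can be exercised on constructed input. */
size_t build_frame(uint8_t *dst, size_t cap, uint32_t frame_size, uint32_t data_len,
                   const uint8_t *payload, size_t payload_len)
{
    if (cap < HDR_LEN + payload_len) return 0;
    for (int i = 0; i < 4; i++) {
        dst[i]     = (uint8_t)(frame_size >> (8 * i));
        dst[4 + i] = (uint8_t)(data_len >> (8 * i));
    }
    memcpy(dst + HDR_LEN, payload, payload_len);
    return HDR_LEN + payload_len;
}

int main(void)
{
    uint8_t frame[64];
    uint8_t *out;
    uint32_t out_len;

    /* Benign frame (constructed): allocate 16 bytes, copy 4. */
    size_t n = build_frame(frame, sizeof frame, 16, 4, (const uint8_t *)"ABCD", 4);
    enum frame_status st = parse_frame_checked(frame, n, &out, &out_len);
    printf("benign frame: status %d, %u payload bytes\n", st, out_len);
    free(out);

    /* Crafted frame (constructed): allocate 4 bytes, claim 64 bytes of data.
     * parse_frame_unsafe would memcpy 64 bytes into a 4-byte heap chunk;
     * parse_frame_checked refuses before allocating. */
    n = build_frame(frame, sizeof frame, 4, 64, (const uint8_t *)"ABCD", 4);
    st = parse_frame_checked(frame, n, &out, &out_len);
    printf("crafted frame: status %d (FRAME_ERR_OVERFLOW is %d)\n", st, FRAME_ERR_OVERFLOW);
    return 0;
}
```

The order of the checks matters: the comparison against frame_size catches the overflow, and the comparison against the remaining input length catches a frame that claims more payload than the file contains, which on the unsafe path is an over-read rather than an overflow. The unsafe parser is only ever given the benign frame here, because handing it the crafted one is the bug itself.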

Rogue SSL Certificates Issued!

  • SANS Institute: "Attackers compromised a partner of SSL certificate authority, Comodo and issued themselves fraudulent SSL certificates. The certificates vouch for a site's authenticity, and would have allowed the thieves to set up sites that fool visitors into believing they have reached major Internet presences, like Google, Microsoft and Skype. Comodo has revoked the stolen certificates." [Editor's Note (Pescatore): The SSL certificate industry has long needed to invest in stronger external review of registration processes, as proven by this incident and others before it. (Ullrich): SSL is based on trust. However, in a race to the bottom on pricing, certificate authorities no longer are able to rally the resources to sufficiently secure the SSL infrastructure they manage. It is sad that all it took to compromise the system was a single password, not two factor authentication. This comes just at a time when we finally see large sites like Facebook, Google, Microsoft and Twitter implementing site-wide SSL as an option.]
  • Iran? Was this a hack by Iran to spy on Internet users within its borders, despite claims otherwise?
  • Microsoft immediately pushed an update that moves the fraudulent certificates into the Windows Untrusted Certificates store.
  • Chrome immediately blacklisted the bad certificates.

RSA SecurID Breach Update:

  • Alan Paller, the very well-connected director of research of SANS Institute: "One of the largest defense contractors has stopped the use of RSA tokens by its senior staff. They replaced the tokens with another manufacturer's solution. I asked whether the move had been planned for a long time. The answer was, 'No. We did it because of the breach.'"

SCADA (supervisory control and data acquisition) systems:

  • 34 new exploitable vulnerabilities found in SCADA systems from a handful of different manufacturers.

Oracle's MySQL.com site breached through a blind SQL Injection Attack.

Miscellania:

  • RSA and "Toy" operating systems
    • Updates, and emergency out-of-cycle updates being pushed to us continuously.
    • Visiting a web site can hijack our machines.
    • "Mysterious" things happen all the time. We shrug and reboot.
    • Things mysteriously break, so OSes are being "reinstalled" all the time.
  • Amazon's VM-based Android test-drive system.

SpinRite

Christian Alexandrov

Questions & Answers

Question [ 01 ] - Patrick Pater in London, UK sees a huge performance hit from drive encryption...

Hi Steve,

I'm a long time listener of Security Now. I enjoy it as a good source of information and amusement.

Being a software developer for many years I put an effort in keeping my data secure. My machine is a T9400(2.53GHz), 4GB RAM running SuSE Linux and until recently it had 200GB 7200rpm FDE (full-disk encryption) HDD. A couple of weeks ago I finally switched to SSD drive. Wanting to keep my data still secure, I have performed full partition encryption on the drive following help from http://en.opensuse.org/SBD:Encrypted_root_file_system

However, the amount of CPU power needed to decrypt and encrypt data on the fly was through the roof. Don't get me wrong, thanks to you and Leo I know a thing or two about how encryption works and that it comes with a price, but can you advise a reasonably usable crypto that won't cost an arm & a leg? I got this SSD for speed, which I can't benefit from at the moment.

Drive stats for non-cached read timings:

  • Old HDD with full-disk encryption: ~50MB/s
  • SSD, unencrypted partition: ~220MB/s
  • SSD, encrypted partition: ~70MB/s

Thank you for great podcast and the SpinRite. Patrick P.S. Thanks to you, my private project SpaceBench.com now accepts Bitcoin donations :)

Question [ 02 ] - An anonymous listener wonders... Old IEs? Will IPv6 kill them?

I'm listening to SN292, and you're talking about attempts to kill IE6.

I saw a job description today that included website testing with IE5.

But are these old versions of IE IPv6 ready? Were they designed to be protocol agnostic enough?

What about old Netscape browsers? Or "old" game consoles like the Xbox & PS2?

What's going to happen?

Question [ 03 ] - Michael Noone in Circleville, Ohio has an update on Facebook and HTTPS:

Long time listener, first time commenter... I'm not sure if you covered this, but I was on Facebook today and received the following message when I attempted to access an app:

"Switch to regular connection (http)? Sorry! We can't display this content while you're viewing Facebook over a secure connection (https). Would you like to temporarily switch to a regular connection (http) to use this app? You will have a secure connection upon your next login."

Looks like they are trying to fix the issue about having to shut off the secure connection completely. I did need to log out of Facebook but when I logged back in it was https again.

Thanks for a great podcast!

Question [ 04 ] - Rommel in San Diego wonders about the Lastpass Virtual Keyboard:

Hi Steve, I am wondering how secure is it to use the Lastpass Virtual Keyboard when I login to Lastpass?

Let's say that I have to use a computer that I am not familiar with, and I do not have my one-time passwords, and my phone is dead. Is using the virtual keyboard safe? LastPass says that keyloggers cannot detect what is entered using the virtual keyboard. Thanks.

Question [ 05 ] - Joseph in Los Angeles had a VOIP hacking follow-up question...

Steve... I'm addicted to your podcast. It is like free continuing education. But this is one class I really look forward to attending. Anyway, on to my question:

I listened with great interest to your most recent Q&A #113. One of the questions had to do with being able to decrypt about 50% of a VOIP call.

My business has a PBX switch that allows us to connect a traditional office phone (i.e. multiple phone lines and the ability to intercom other employees) over the Internet. Instead of a traditional phone cable, we plug in an Ethernet cable. We've had this since 2004 when I literally begged my phone vendor to sell me the equipment so I could have employees work at home and answer our phones. We were the first customer in Southern California to install this equipment. The system has been incredibly reliable for seven years and I couldn't be happier...until I listened to the podcast today.

At the time, the vendor thought I was crazy for worrying about people hacking our phone switch. I was really worried about a bad guy somehow connecting to our PBX over the Internet to make phone calls. I was insistent that the PBX only be accessible over a 192.168.x.x IP.

Here is my question: Are the VOIP calls through a VPN tunnel able to be monitored 50% of the time? I've always assumed that our calls are private when on the VPN but fully hackable over copper. Do I have anything to worry about or change? I am very curious whether you and Leo give me an A or an F for the way I setup access to the PBX.

P.S. I would like to vote to make the podcasts even longer! You never waste our time trying to educate us.

Question [ 06 ] - JT in Wintergreen Virginia wonders about MSSE versus MRT?

Steve -- Long time SN listener and licensed SpinRite user. I've switched my home office and home computers to MSSE (Microsoft Security Essentials), which I keep current, and I run an automatic full scan every night. It only flags malware once every couple of months, or so.

Also, immediately after a Patch Tuesday, I run the latest MRT in "Full" mode.

But once I do that, do I have any further use for that month's MRT? Isn't the once-or-twice daily update to MSSE definitions making MSSE more current and therefore more complete? I couldn't find a clear direction on Microsoft's website. Thanks

Question [ 07 ] - Jonathon Bly in Sioux Falls, South Dakota is annoyed with his bank!

Hey Steve,

I've been listening to Security Now since around 2006, but have recently been working through each and every episode to bring myself up to date. I've also recently purchased your excellent SpinRite software. I haven't "needed" it yet, but I feel very comfortable knowing that not only can it save my bacon when one of my disks starts to fail, but also provides preventative maintenance.

With the standard introductory material out of the way, I would now like to comment on my bank's ability, or inability, to allow the use of secure passwords for online access. The following is a letter I sent off to the bank through its contact link:

---Pasted content--- I've been trying to change my password to something more secure than the easily guessable combination of a dictionary word followed by some numbers to a secure password from grc.com. I was completely dismayed at your ridiculous restriction of a password to a max of 16 characters. Quite honestly, that should probably be the minimum.

Fine. I'll obey the restriction. I dutifully cut down the secure password from 64 down to 16. I copy-pasted the new password into the appropriate fields. I hit the submit button. I got an error. Maybe you don't allow copy-pasting of passwords, so I tried typing in the password. No go. I tried typing in a new password that I made up off the top of my head, being a slight modification of my current password. That went just fine.

I tried switching to Internet Explorer (ugh) and Firefox. Neither allowed me to use the password I'd like to use. Fix this.

Good day. ---End Pasted Content--- As you can tell, I was a little miffed with the bank. I feel like duct-taping the software engineers to a chair in front of a computer and playing every episode of Security Now for them. If I did so, I would think they'd come up with a system more security friendly.

I understand that having a small password would be preferable to the people that have no sense of security and just want to log in quickly. I, however, live on a shoe-string budget and need my finances to be completely secure.

Anyway, love the netcast and everything you and Leo do. Just wanted you to know that you guys' hard work is very appreciated.

All the best, Jonathon Bly, Sioux Falls, South Dakota

Question [ 08 ] - Two listeners with similar questions:

Jason Stratman in St. Charles, MO wonders about Firesheep and Smartphones:

Hi Steve, I just started listening to Security Now when Firesheep first sprang up, and I heard you talk about it again last week. I started wondering... if I'm using the Facebook or Twitter app on my smartphone on an open access point at a local bar, can Firesheep still acquire my login information? Do smartphone apps use cookies like web browsers?

--- AND ---

Jim Guistwite in New Jersey has some thoughts and concerns raised by Firesheep and mobile apps...

I tried Firesheep a few months ago when you first mentioned it and I was startled like many other listeners. Many web sites are switching to secure communications for browser-based HTML traffic ... but are their APIs used by mobile applications also using HTTPS? There may not be the same session cookie security hole as with browser clients, but it makes me wonder how safe it is to use my mobile applications (e.g. Facebook) on an open WiFi connection.

Perhaps other listeners are similarly concerned and it would be worth addressing on an upcoming show.

Thanks for a great podcast.

P.S. My 11 year old son calls Steve "the bot guy": His iPod died on a car trip - might have been about a year ago now - and he was forced to listen to what I was listening to. His first introduction to SecurityNow was during a discussion of botnets. So Steve, you are now "the bot guy".

Question [ 09 ] - Matt Vanderville in Woodstock, Illinois wonders whether, after uninstalling IE9 his Windows 7 is less secure?

Love Security Now! but I'll get right to the point:

I had previously chosen to remove IE8 through the Add/Remove Windows Components section. After investigating and trying out IE9, I then chose to uninstall it. Is my OS now less secure? In other words, am I left with the old IE8 components that integrate with the OS, or with the newer IE9 components?

Question [ 10 ] - Jerod Lycett in Duncannon, PA, US, North America, Earth, Sol, Milky Way brings us the Chrome security tip of the week!

First off, I want to give a small tip of not saying bad things about Java, as one of your sponsors (Citrix) uses Java.

Second is a quick Chrome security tip. In about:flags one of the most important flags there is Click to play. This adds a third option to the menu in Content Settings (Wrench > Options > Under the Hood > Content Settings > Plug-ins) Which is "Click to Play". This means when you go to a website you can choose not only whether or not to use the plugins at all, but also which ones specifically you want to allow. So you can only play the YouTube clip, but not the ads or other possibly malicious content. Also, you need to expand the Location box, as I couldn't fit Alpha Quadrant into it.

Question [ BONUS #1 ] - from Matt Peterson regarding Steve's old InfoWorld Tech Talk column:

Hey Steve,

You and Leo discussed your "Tech Talk" column in InfoWorld in last week's episode. Although they are mostly of historical (or nostalgic) interest now, I thought that the other "Security Now!" listeners might be interested to know that most (or all) of the back issues of InfoWorld containing your column are archived on Google Books.

So all of your insights, from your "Borland's Turbo Basic Language Encourages Fast, Easy, and Casual Use" column from December 1986, to "The Only Drawback to the SCSI Interface is its Pronunciation" from January 1989, all the way up to your farewell column in December 1993 are there to peruse. I created a short URL for those interested:

http://snipurl.com/sgtechtalk

It is worth a trip down memory lane if you were a computer nut back in those days, or if you just want to see what Steve's mustache looked like back then. ;)

Question [ BONUS #2 ] - Just HAD to mention this!!

Kevin in Ocala, Florida found Khan Academy...

Hi Steve and Leo!

I thought you might want to check out this website: http://www.khanacademy.org/

Many students use this to get help in Math. It is a TERRIFIC training site and free of charge.

I love the podcast! I listen to many but yours is my favorite!

Sponsors

GoToAssistExpress

Production Information

  • Edited by: Jason
  • Notes: