Security Now 306

From The Official TWiT Wiki

Security Now 306: Q&A 120

Show Opening Teases

Week's big security news:

Security Updates

  • Firefox v5: ahead of schedule! Went live Tuesday, June 21st. Fixes 5 remote code exploits (among them, multiple WebGL crashes!). Moves "DNT" to the TOP of the "Privacy" tab.
  • LastPass update needed, but they say it'll work with versions 5, 6 & 7! :) For me (only) HTML Validator is not yet v5 compatible.
  • Adobe updates driving me nuts
  • Windows XP Support Countdown: 1020 days left

Security News

  • Microsoft won't do WebGL / June 16th blog post "WebGL Considered Harmful": http://blogs.technet.com/b/srd/archive/2011/06/16/webgl-considered-harmful.aspx
  • "Our analysis has led us to conclude that Microsoft products supporting WebGL would have difficulty passing Microsoft’s Security Development Lifecycle requirements. Some key concerns include: Browser support for WebGL directly exposes hardware functionality to the web in a way that we consider to be overly permissive; browser support for WebGL security servicing responsibility relies too heavily on third parties to secure the web experience; problematic system DoS scenarios."
  • Malware Stealing Bitcoins: new Trojan malware (Infostealer.Coinbit) discovered in the wild last Thursday. Steals users' Bitcoin wallets: locates the Bitcoin wallet file and sends it to the attacker via a server in Poland. Bitcoin wallets CAN be encrypted... SO DO SO, and use a STRONG password!
  • Should I Change My Password (dot com) / via @simonzerafa: https://shouldichangemypassword.com/ Database of all publicly released account eMail addresses. Appears legit: "No passwords are stored in the ShouldIChangeMyPassword.com database." "If you have any questions or concerns, please contact me on twitter @dagrz (https://twitter.com/dagrz). The email you enter will NOT be stored, transmitted, or otherwise used beyond this check." (Ghostery only reports Facebook Connect & Google Analytics.)
  • Quantum Crypto Cracked? No.

Attacks & Breaches

  • WordPress hacked: blog posting, Tuesday, June 21, "Passwords Reset": "Earlier today the WordPress team noticed suspicious commits to several popular plugins (AddThis, WPtouch, and W3 Total Cache) containing cleverly disguised backdoors. We determined the commits were not from the authors, rolled them back, pushed updates to the plugins, and shut down access to the plugin repository while we looked for anything else unsavory.
  • We’re still investigating what happened, but as a prophylactic measure we’ve decided to force-reset all passwords on WordPress.org. To use the forums, trac, or commit to a plugin or theme, you’ll need to reset your password to a new one. (Same for bbPress.org and BuddyPress.org.)
  • As a user, make sure to never use the same password for two different services, and we encourage you not to reset your password to be the same as your old one.
  • Second, if you use AddThis, WPtouch, or W3 Total Cache and there’s a possibility you could have updated in the past day, make sure to visit your updates page and upgrade each to the latest version.
  • Bitcoin: June 19th, 17:15:36 UTC: a person placed one or more orders to sell hundreds of thousands of Bitcoins, causing its exchange rate to crash from $17 down to $0.01 (one cent). More than $1.5M was traded. The exchange took half an hour to execute the order(s). At 17:51:16 UTC "Kevin" bought 261383.7630 BTC for $0.01 each ($2613): http://forum.bitcoin.org/index.php?topic=20207.0 (See/read the top of Kevin's posting.)
  • Fabulous graphic of the collapse: http://leanback.eu/bitcoin/plots/20110619195756-mtgox.png
  • MtGox Exchange's entire account database exfiltrated and posted publicly. MtGox said: "It appears that someone who performs audits on our system and had read-only access to our database had their computer compromised. This allowed for someone to pull our database."
  • Usernames, eMail addresses, password hashes: 61,016 accounts. Most hashed with Unix MD5-based crypt(), except 1765 which are plain MD5 unsalted, non-iterated hashes. Many of the leaked hashes have been cracked.
  • MtGox blog: We're happy to report that over 10% of our user base have already reclaimed their accounts. Newly reclaimed accounts require strong passwords which are secured with SHA-512 multi-iteration triple salted hashing.
  • There HAVE been detailed concerns expressed over MtGox security: http://www.rhombazoid.com/trewq1/?p=33
  • Rolling back all trades and returning the exchange rate to $17.50.
  • EFF stops accepting Bitcoins: We don't fully understand the complex legal issues involved with creating a new currency system. We don't want to mislead our donors. People were misconstruing our acceptance of Bitcoins as an endorsement of Bitcoin.
  • One user had 25,000 BTC ($500,000 worth of bitcoins on June 16th) stolen. http://ftalphaville.ft.com/blog/2011/06/21/600441/george-clooney-roils-the-bitcoin-market/ https://support.mtgox.com/entries/20208066-huge-bitcoin-sell-off-due-to-a-compromised-account-rollback
  • Dropbox: authentication bug open for about 4 hours last Sunday. Blog posting "Yesterday’s Authentication Bug" by Arash Ferdowsi, June 20, 2011: http://blog.dropbox.com/?p=821 "Hi Dropboxers,
  • Yesterday we made a code update at 1:54pm Pacific time that introduced a bug affecting our authentication mechanism. We discovered this at 5:41pm and a fix was live at 5:46pm. A very small number of users (much less than 1 percent) logged in during that period, some of whom could have logged into an account without the correct password. As a precaution, we ended all logged in sessions.
  • We’re conducting a thorough investigation of related activity to understand whether any accounts were improperly accessed. If we identify any specific instances of unusual activity, we’ll immediately notify the account owner. If you’re concerned about any activity that has occurred in your account, you can contact us at support@dropbox.com.
  • This should never have happened. We are scrutinizing our controls and we will be implementing additional safeguards to prevent this from happening again.
  • "SEGA Pass" breached, but not by LulzSec (though LulzSec offered to help Sega "destroy" the hackers who attacked them). "Over the last 24 hours we have identified that unauthorized entry was gained to our SEGA Pass database. [...] The breach resulted in the compromise of email addresses, dates of birth and encrypted passwords of 1.3 million users, but luckily no personal payment information was acquired by the attackers since SEGA doesn't store it and uses external payment providers."
  • HasSonyBeenHackedThisWeek: "Yes" -- and 20 times in just 2 months. The site adds a "Sony Hack History" page.
  • UK Census Spoof -- Lulz Security (LulzSec) did NOT hack the UK.
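The MtGox item above notes that 1,765 of the leaked records were plain unsalted, non-iterated MD5, that many hashes were cracked, and that reclaimed accounts now get salted, multi-iteration SHA-512 hashing. The following is an added example, not code from the show or from MtGox, showing what that difference costs an attacker: the user names, passwords and wordlist are constructed, and PBKDF2-HMAC-SHA512 stands in for whatever salted, iterated scheme the exchange actually deployed.

```python
"""Added example (not from the show): why the plain MD5 records fall first,
and what per-user salting plus iteration changes for an attacker."""
import hashlib
import os

# Constructed sample users; two of them chose the same weak password.
USERS = {"alice": "password1", "bob": "letmein", "carol": "password1"}
# Constructed attacker wordlist (a real one has millions of entries).
WORDLIST = ["123456", "password", "letmein", "password1", "qwerty"]


def md5_unsalted(password):
    """What the weak MtGox records used: one MD5 over the bare password."""
    return hashlib.md5(password.encode()).hexdigest()


def salted_iterated(password, salt, rounds):
    """Per-user salt plus many iterations (PBKDF2-HMAC-SHA512 here, standing
    in for any salted, iterated scheme such as SHA-512 crypt)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode(), salt, rounds).hex()


def make_unsalted_records(users):
    return {user: md5_unsalted(pw) for user, pw in users.items()}


def make_salted_records(users, rounds):
    """Stores (salt, hash) per user with a fresh random 16-byte salt."""
    records = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        records[user] = (salt, salted_iterated(pw, salt, rounds))
    return records


def crack_unsalted(records, wordlist):
    """Returns (recovered passwords, number of hash computations).
    One precomputed table serves every hash in the dump, and identical
    hashes reveal shared passwords before a single guess is made."""
    table = {md5_unsalted(w): w for w in wordlist}
    found = {user: table.get(h) for user, h in records.items()}
    return found, len(wordlist)


def crack_salted(records, wordlist, rounds):
    """Returns (recovered passwords, number of PBKDF2 computations).
    Every (salt, hash) pair forces its own walk through the wordlist, and
    each guess costs `rounds` HMAC invocations instead of one MD5."""
    found = {}
    work = 0
    for user, (salt, h) in records.items():
        found[user] = None
        for guess in wordlist:
            work += 1
            if salted_iterated(guess, salt, rounds) == h:
                found[user] = guess
                break
    return found, work


if __name__ == "__main__":
    unsalted = make_unsalted_records(USERS)
    print("alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted:", crack_unsalted(unsalted, WORDLIST))
    salted = make_salted_records(USERS, rounds=100_000)
    print("salted:  ", crack_salted(salted, WORDLIST, rounds=100_000))
```

With five candidate passwords, the unsalted dump costs five MD5 computations in total no matter how many accounts it holds, and two accounts with the same password are visibly identical before any cracking starts. The salted, iterated records cost a separate pass per account, each guess being `rounds` times more expensive; weak passwords still fall, which is why the reclaimed accounts also had to choose strong ones.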

Errata

Java Applets CAN be invoked in the absence of JavaScript

Twitterverse

@mrrobinmorley (Robin Morley) @sggrc Is a 25-score on Ghostery a new record? Courtesy salon.com... http://twitpic.com/5dei0k

@Luvs2Fly (Gary R) West Palm Beach Florida : Hey Steve @Sggrc ... Look what you started! ;) Bitcoin stealing Trojan found in the wild http://bit.ly/izMz0M

@marcbeaupre (Montreal Quebec) A way to know whether the site stores your password in cleartext is whether they send the password itself when you perform account recovery.

@richstaples (Rich Staples) Thanks for the tip on the Microsoft System Sweeper. 1st test subject was positive!

SpinRite

Lorenz Gude

Q&A

Question 1: John Fecko in Cape Coral, Florida (@john_fecko)

Does encrypting everything that goes into a database prevent SQL Injection attacks?
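An added example (not from the show or the listener) illustrating the question: the stored secrets are encrypted with a toy cipher, the table and users are constructed, and the lookup is done both by string concatenation and with a bound parameter.

```python
"""Added example (not from the show): encrypting stored data does not stop
SQL injection, because the injected text reaches the SQL parser as part of
the query, not as data the application stores."""
import sqlite3

_TOY_KEY = 0x5A  # toy XOR "cipher" for illustration only; not real crypto


def toy_encrypt(text):
    return bytes(b ^ _TOY_KEY for b in text.encode()).hex()


def toy_decrypt(hex_text):
    return bytes(b ^ _TOY_KEY for b in bytes.fromhex(hex_text)).decode()


def build_db():
    """Constructed sample table: usernames in clear (the app must search on
    them), every secret encrypted before it is stored."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, api_secret TEXT)")
    for user, secret in [("alice", "alice-secret"), ("bob", "bob-secret")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, toy_encrypt(secret)))
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Builds the query by string concatenation: the attacker's quotes and
    OR become part of the SQL. The application then decrypts whatever rows
    come back, since it holds the key."""
    sql = "SELECT api_secret FROM users WHERE username = '" + username + "'"
    return [toy_decrypt(row[0]) for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Parameterized query: the value is bound, never parsed as SQL."""
    sql = "SELECT api_secret FROM users WHERE username = ?"
    return [toy_decrypt(row[0]) for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    conn = build_db()
    payload = "x' OR '1'='1"
    print("vulnerable, honest input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, injected:    ", lookup_vulnerable(conn, payload))
    print("safe, injected:          ", lookup_safe(conn, payload))
```

Encryption at rest protects a copied database file; it does nothing when the application's own query is subverted, because the application decrypts on the attacker's behalf. Deterministically encrypting the search value itself before splicing it in would incidentally strip the quote characters for that one field, but that is an accident of encoding, not a defense; bound parameters (or an equivalent escaping layer) are what keep input out of the parser.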

Question 2: Patrick in Laramie, Wyoming comments and wonders about: Latency vs Bandwidth

Steve,

While I realize this is outside of the normal scope of Security Now!, I feel this topic should be discussed.

ISPs typically quote their "performance" numbers in mega-bits per second. While this number can be useful, it does not tell anything about the performance of the connection.

What everyone perceives as "a fast internet connection" is actually low latency, not high bandwidth. A low latency T-1 connection (say, over fiber) will feel screaming fast compared to a high latency satellite connection, even if the satellite connection moves data at twice the sustained rate.

For all non-saturated networks, latency is the king of the hill, not bandwidth (although bandwidth makes a difference for high amounts of data being transferred, say a video, or a large image), yet all the ISP's only quote their bandwidth. I'd rather spec a connection based on latency rather than bandwidth.

If you get a chance, I would like to hear your thoughts.

Thanks, Patrick
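An added example, not from the show or from Patrick's letter, that puts numbers on his comparison with a deliberately simple model of one TCP fetch (handshake, slow start, then line-rate streaming; no loss, TLS or DNS). The two links are constructed from his description, a T-1 and a satellite link with twice the throughput; the round-trip times are assumed, not measured.

```python
"""Added example (not from the show or the letter): a rough model of how
long a single TCP fetch takes on two links, to show where latency dominates
and where bandwidth does."""


def transfer_time_s(size_bytes, bandwidth_bps, rtt_s, init_window_bytes=4380):
    """Approximate fetch time for one object over a fresh TCP connection.

    Model (deliberately simple): one RTT for the handshake, then slow start,
    in which each round trip delivers `window` bytes and doubles the window,
    until the window covers the bandwidth-delay product; after that the rest
    streams at line rate. No loss, no TLS, no DNS.
    """
    bdp_bytes = bandwidth_bps * rtt_s / 8.0
    elapsed = rtt_s                     # SYN / SYN-ACK; request rides on the ACK
    remaining = size_bytes
    window = init_window_bytes          # ~3 segments of 1460 bytes
    while remaining > 0:
        if window >= bdp_bytes:
            # Pipe is full: the remainder is limited by bandwidth, not RTT.
            elapsed += remaining * 8.0 / bandwidth_bps
            break
        elapsed += rtt_s                # one round trip delivers one window
        remaining -= window
        window *= 2
    return elapsed


# Constructed scenarios from the letter: a T-1 over fiber vs. a satellite
# link with twice the throughput. RTTs are assumed, not measured.
LINKS = {
    "T-1 fiber": dict(bandwidth_bps=1.544e6, rtt_s=0.020),
    "satellite": dict(bandwidth_bps=3.088e6, rtt_s=0.600),
}


def compare(size_bytes):
    """Fetch time in seconds on each link for an object of `size_bytes`."""
    return {name: transfer_time_s(size_bytes, **link) for name, link in LINKS.items()}


if __name__ == "__main__":
    for label, size in [("50 KB page object", 50 * 1024), ("50 MB video", 50 * 1024 * 1024)]:
        print(label, {k: round(v, 2) for k, v in compare(size).items()})
```

For a 50 KB page object the model gives roughly 0.3 s on the T-1 and 3 s on the satellite link: ten times slower on twice the bandwidth, because the fetch never leaves slow start and each round trip costs 600 ms. For a 50 MB video the order reverses (about 272 s vs. 139 s), which is the "bandwidth matters for large transfers" half of Patrick's point.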

Question 3: Patrick McAuley in Guelph, Ontario, Canada asks: Abandon Passwords?

Hey, Steve, did you see this Gizmodo piece arguing for abandoning passwords in favor of some entirely new scheme for online identity? http://gizmodo.com/5812685/its-time-to-abandon-passwords

Some of the comments following the article are interesting too.

Sponsors

Squarespace offer code securitynow6

Netflix

Production Information

  • Edited by:
  • Notes: