Security Now 321
From The Official TWiT Wiki
Recorded: October 5, 2011
Published: October 5, 2011
Security Now 321: The Beauty of the B.E.A.S.T
Live Listener Scheduling Update
Next Week: Tom Merritt co-hosts -&- Steve's on-call for Jury Duty!
Security Update: Whoops!
Microsoft's Security Essentials Removes Google's Chrome
- MSFT Says: On September 30th, 2011, an incorrect detection for PWS:Win32/Zbot (the notorious ZeuS botnet Trojan) was identified and as a result, Google Chrome was inadvertently blocked and in some cases removed from customers' PCs. We have already fixed the issue — we released an updated signature (1.113.672.0) at 9:57 am PDT — but approximately 3,000 customers were impacted. Affected customers should manually update Microsoft Security Essentials (MSE) with the latest signatures. To do this, simply launch MSE, go to the update tab and click the Update button, and then reinstall Google Chrome. We apologize for the inconvenience this may have caused our customers.
Security News: Many HTC handsets are not sandboxing their applications
- The discoverers notified HTC on September 24th and, receiving no response, decided to go public.
- HTC has, of course, NOW responded and acknowledged:
  ○ A privilege escalation vulnerability allows a potentially malicious app that uses only the INTERNET permission to connect to HTC's HtcLoggers service and get access to data far exceeding its access rights. This data includes call history, the list of user accounts, including email addresses, SMS data, system logs, GPS data, and more.
- The "Android Police" group who discovered and reported this problem wrote:
  ○ In recent updates to some of its devices, HTC introduces a suite of logging tools that collected information. Lots of information. LOTS. Whatever the reason was, whether for better understanding problems on users' devices, easier remote analysis, corporate evilness - it doesn't matter. If you, as a company, plant these information collectors on a device, you better be DAMN sure the information they collect is secured and only available to privileged services or the user, after opting in. That is not the case. What Trevor found is only the tip of the iceberg - we are all still digging deeper - but currently any app on affected devices that requests a single android.permission.INTERNET (which is normal for any app that connects to the web or shows ads) can get its hands on:
    ■ The list of user accounts, including email addresses and sync status for each
    ■ The last known network and GPS locations and a limited previous history of locations
    ■ Phone numbers from the phone log
    ■ SMS data, including phone numbers and encoded text (not sure yet if it's possible to decode it, but very likely)
    ■ System logs (both kernel & app), which includes everything your running apps do and is likely to include email addresses, phone numbers, and other private info
  ● Normally, applications get access to only what is allowed by the permissions they request, so when you install a simple, innocent-looking new game from the Market that only asks for the INTERNET permission (to submit scores online, for example), you don't expect it to read your phone log or list of eMails.
- Affected devices:
- Some of the HTC Sensation models
- EVO Shift 4G
- (possibly) MyTouch 4G Slide
- (possibly) Vigor
- (possibly) View 4G
- (possibly) the upcoming Kingdom.
- So now, HTC is scrambling to get a patch tested and ready to push out to all affected devices.
Brian Krebs:
- Phishers and cyber thieves have been casting an unusually wide net lately, blasting out huge volumes of fraudulent email designed to spread password-stealing banking Trojans. Judging from the number of victims who reported costly cyber heists in the past two weeks, many small- to medium-sized organizations took the bait.
- eMail: "ACH Payment Cancelled"
- Recent (known) attacks just last month:
  ○ On Sept. 13, computer crooks stole approximately $120,000 from Oncology Services of North Alabama.
  ○ Also in September, $98,000 was stolen from the coffers of North Putnam Community School Corporation, which serves the children of six northern townships of Putnam County, Indiana.
  ○ In a separate attack on a public institution, malicious hackers last month struck the City of Oakdale, Calif. stealing $118,000 from a city bank account.
- Brian concludes with exactly the advice I have often stated:
  ○ No single approach or technology will stop all of these account takeovers, but preventing the theft of your online banking credentials is a critical first step. That's why I continue to advise that small- to mid-sized organizations use a dedicated computer for online banking. Using a non-Windows PC — such as a Live CD or a Mac — is the safest approach, but not necessarily the most practical or affordable. An alternate approach is to access bank accounts from an isolated Windows PC that is locked-down, regularly updated, and used for no other purpose than online banking.
Miscellany:
Bitcasa:
- Use a file's plaintext hash as its encryption key.
- Hash the encrypted file as an anonymous ID.
Keep Li-Ion batteries fully charged.
BofA outage & ABC World News with Diane Sawyer
Honor Harrington
Feedback
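Returning to the Bitcasa scheme in the Miscellany notes above (plaintext hash as key, ciphertext hash as ID), here is an added illustration of how those two steps give a server deduplication without it ever seeing a key or plaintext. This is not Bitcasa's code or anything from the show notes; the counter-mode keystream built from SHA-256 is a stand-in for a real cipher such as AES-CTR so the example runs on the standard library alone, and the ToyStore class is a hypothetical server. Note that the determinism is the point: two users holding the same file produce the same ciphertext and ID, which is exactly why one stored copy serves both, and also why anyone who already holds a file can compute its ID.

```python
import hashlib


def _keystream(key: bytes, length: int) -> bytes:
    # Toy counter-mode keystream from SHA-256 (stand-in for AES-CTR, which the
    # standard library lacks). Deliberately deterministic: no IV, so equal
    # plaintexts give equal ciphertexts, which is what the dedup scheme needs.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def convergent_key(plaintext: bytes) -> bytes:
    # Step 1 from the notes: the key is the hash of the plaintext itself.
    return hashlib.sha256(plaintext).digest()


def encrypt_file(plaintext: bytes):
    key = convergent_key(plaintext)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    # Step 2 from the notes: the anonymous storage ID is the hash of the
    # ciphertext, so the server can deduplicate without knowing key or content.
    file_id = hashlib.sha256(ciphertext).hexdigest()
    return key, file_id, ciphertext


def decrypt_file(key: bytes, ciphertext: bytes) -> bytes:
    # Same keystream XORed back; only the key holder can recover the plaintext.
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))


class ToyStore:
    """Hypothetical server side: keeps ciphertext by ID only."""

    def __init__(self):
        self.blobs = {}

    def upload(self, file_id: str, ciphertext: bytes) -> bool:
        """Returns True if the blob was new, False if it was deduplicated."""
        if file_id in self.blobs:
            return False
        self.blobs[file_id] = ciphertext
        return True

    def download(self, file_id: str) -> bytes:
        return self.blobs[file_id]


def demo() -> dict:
    # Constructed sample: two independent users upload the same document.
    store = ToyStore()
    doc = b"constructed sample document shared by two users"
    k1, id1, ct1 = encrypt_file(doc)
    k2, id2, ct2 = encrypt_file(doc)
    first_new = store.upload(id1, ct1)
    second_new = store.upload(id2, ct2)
    return {
        "same_id": id1 == id2,          # server sees one ID for both users
        "same_key": k1 == k2,           # each user derived the key alone
        "first_new": first_new,
        "second_new": second_new,       # deduplicated, nothing stored twice
        "roundtrip": decrypt_file(k2, store.download(id2)) == doc,
        "stored_copies": len(store.blobs),
    }


if __name__ == "__main__":
    print(demo())
```

The server never receives a key, and two different plaintexts yield different keys, ciphertexts and IDs, so unrelated files never collide.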
The Beauty of B.E.A.S.T.
B.E.A.S.T. - Browser Exploit Against SSL/TLS:
SSL/TLS
- TLSv1.0, RFC2246 - January 1999
- TLSv1.1, RFC4346 - April 2006
  ○ http://tools.ietf.org/html/rfc4346#ref-CBCATT
  ○ The original description of the SSL/TLSv1 trouble
    ■ http://www.openssl.org/~bodo/tls-cbc.txt
    ■ Last updated: 05/20/2004
    ■ "There are some problems with the CBC-based ciphersuites in SSL 3.0 and TLS 1.0 that can be exploited by active adversaries under specific circumstances:"
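The CBC problem referenced above comes down to where each record's IV comes from: SSL 3.0 and TLS 1.0 reuse the last ciphertext block of the previous record, while TLS 1.1 sends a fresh random IV with every record. The following is an added illustration of that difference, not code from the show notes, the RFC or the tls-cbc.txt write-up. It uses a toy four-round Feistel block cipher in place of AES so it runs on the Python standard library alone, and the Tls10Records / Tls11Records classes are simplified models of record-layer encryption (no MAC, no padding). The iv_known_in_advance check plays a passive observer who, having seen record n, predicts the IV of record n+1; the prediction holds under chaining and fails once IVs are explicit and random.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes, as for AES
HALF = BLOCK // 2


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Feistel round function: keyed hash truncated to one half-block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:HALF]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # Toy 4-round Feistel network standing in for AES (not for real use).
    l, r = block[:HALF], block[HALF:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:HALF], block[HALF:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    assert len(plaintext) % BLOCK == 0, "demo uses whole blocks; padding omitted"
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, block), prev))
        prev = block
    return b"".join(out)


class Tls10Records:
    """SSL 3.0 / TLS 1.0 style: the IV of each record is the last ciphertext
    block of the previous record, a value that is already on the wire."""

    def __init__(self, key: bytes):
        self.key = key
        self.chain = os.urandom(BLOCK)  # initial IV derived in the handshake
        self.last_iv = None

    def send(self, plaintext: bytes) -> bytes:
        self.last_iv = self.chain
        record = cbc_encrypt(self.key, self.chain, plaintext)
        self.chain = record[-BLOCK:]  # next record chains from this block
        return record


class Tls11Records:
    """TLS 1.1 style: a fresh random IV per record, sent explicitly in front
    of the ciphertext, so nothing about the next IV is known beforehand."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_iv = None

    def send(self, plaintext: bytes) -> bytes:
        self.last_iv = os.urandom(BLOCK)
        return self.last_iv + cbc_encrypt(self.key, self.last_iv, plaintext)


def iv_known_in_advance(sender) -> bool:
    """Passive observer: after seeing record n, predict record n+1's IV as the
    last ciphertext block seen, then compare with the IV actually used."""
    first = sender.send(b"first record....")   # constructed 16-byte record
    predicted = first[-BLOCK:]
    sender.send(b"second record...")           # constructed 16-byte record
    return sender.last_iv == predicted


if __name__ == "__main__":
    key = os.urandom(BLOCK)
    print("TLS 1.0 IV predictable:", iv_known_in_advance(Tls10Records(key)))
    print("TLS 1.1 IV predictable:", iv_known_in_advance(Tls11Records(key)))
```

Because the TLS 1.0 sender's next IV is public before the next plaintext is chosen, encryption of that plaintext is no longer randomized from the observer's point of view; the explicit per-record IV of TLS 1.1 restores that randomization, which is why the notes list TLS 1.1 and 1.2 as unaffected.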
- http://blog.g-sec.lu/2011/09/ssltls-hardening-and-compatibility.html
Juliano Rizzo and Thai Duong
- ekoparty Security Conference in Buenos Aires
- Chosen Plaintext "Blockwise Attack"
- Refinement: Blockwise Chosen-Boundary Attack (BCBA)
Exploit Operation:
- The attack must make many thousands of HTTPS requests before it can succeed.
  ○ Average of 128 requests to guess each byte of a LONG cookie string.
- TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
- SSL/TLS Cipher Suites
  ○ See the LONG list near the bottom of: http://www.openssl.org/docs/apps/ciphers.html
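As a practical check on the two facts just stated (only SSL 3.0 / TLS 1.0 chain IVs, and only CBC suites are affected), here is an added triage helper, not code from the show notes or from OpenSSL. It classifies (protocol, cipher suite) pairs in either IANA naming (TLS_RSA_WITH_AES_128_CBC_SHA) or OpenSSL short naming (AES128-SHA), and includes a reordering helper for the RC4-first cipher priority the notes mention as the 2011 workaround. The sample session list is constructed, not real scanner output. The RC4 preference was the era's stop-gap; RC4 has since been prohibited for TLS by RFC 7465, so the durable fix remains the one the notes give: TLS 1.1 or later, or non-CBC suites.

```python
# Name fragments of suites that use a stream cipher, an AEAD mode, or no
# encryption at all; none of these involve CBC chaining.
NON_CBC_TOKENS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")

# Protocol labels, normalized, for the versions that reuse the previous
# ciphertext block as the next record's IV.
CHAINED_IV_PROTOCOLS = {"SSLV3", "SSL3.0", "TLSV1", "TLSV1.0", "TLS1.0"}


def uses_cbc(suite: str) -> bool:
    s = suite.upper()
    if s.startswith(("TLS_", "SSL_")):
        # IANA names spell the mode out explicitly.
        return "_CBC_" in s
    # OpenSSL short names do not (AES128-SHA is CBC), so exclude the
    # stream/AEAD/null families and treat the rest as CBC.
    return not any(tok in s for tok in NON_CBC_TOKENS)


def beast_affected(protocol: str, suite: str) -> bool:
    proto = protocol.upper().replace(" ", "")
    return proto in CHAINED_IV_PROTOCOLS and uses_cbc(suite)


def triage(observed):
    """observed: iterable of (protocol, suite) pairs, e.g. negotiated sessions
    pulled from a server log; returns only the exposed pairs."""
    return [(p, s) for p, s in observed if beast_affected(p, s)]


def prefer_rc4(cipher_list: str) -> str:
    """Move RC4 suites to the front of an OpenSSL-style colon-separated cipher
    list, the server-side priority change the notes describe."""
    suites = cipher_list.split(":")
    rc4 = [c for c in suites if "RC4" in c.upper()]
    rest = [c for c in suites if "RC4" not in c.upper()]
    return ":".join(rc4 + rest)


# Constructed sample of negotiated sessions (not real scan data).
SAMPLE_SESSIONS = [
    ("TLSv1", "AES128-SHA"),
    ("TLSv1", "RC4-SHA"),
    ("TLSv1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    ("TLSv1.1", "AES256-SHA"),
    ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
]

if __name__ == "__main__":
    for proto, suite in triage(SAMPLE_SESSIONS):
        print("exposed:", proto, suite)
    print(prefer_rc4("AES128-SHA:RC4-SHA:DES-CBC3-SHA"))
```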
- Change priority to TLS_RSA_WITH_RC4_128_SHA
Microsoft FixIt:
- Windows 7 and Server 2008 Support TLSv1.1 but have it disabled by default
- http://support.microsoft.com/kb/2588513
So what's the REAL danger?
- Attacker establishes MITM
- User transacts with secured site using secured