Security Now 243

"Subverted SSL"Hosts: Leo Laporte and Steve Gibson Topic: Subverted SSL Recorded: April 7, 2010 Published: April 8, 2010 Duration: 1:39:29 Transcript Previous episode – Next episode

Security Now 243: Subverted SSL

News & Errata

09:25 - 12:40

• Firefox has been updated to 3.6.3 to fix a memory corruption flaw
• It also fixes an information leak vulnerability where a website could determine which websites you have visited through checking the colour of links

12:39 - 14:24

• Java has been updated to fix multiple remote code execution vulnerabilities

14:25 - 15:47

• Quicktime has been updated on Windows to v7.6.6

15:48 - 24:04

• Adobe PDF's by design are able to launch other system executables in order to display embedded content
• Hackers can manipulate the warning message Adobe displays before launching the application to deceive users
• This also affects Foxit Reader
• Launching embedded executable from PDF document using features of the PDF language, without exploiting vulnerabilities: [1]
• Preventing Adobe Reader from launching executables: [2]

27:33 - 56:29

• UPS's online tracking system crashed on iPad release day due to everyone checking the status of there order
• Steve has now ordered the top of the range 3G iPad
• He says it needs a case with a stand
• Wifi connects quickly
• The battery life is great
• There is a fantastic PDF reader called 'Good Reader'
• The rotation lock is good
• The iBook store currently has a weak collection of books
• You cant hold the iPad in one hand it is too heavy
• The mail app is also good
• Steve also likes 'Puzzle Maniak'

01:32:18 - 01:39:00

• Steve is annoyed by the lack of Flash on the iPad

Spinrite Story

56:30 - 58:23 Anon(A CEO) (Unknown)

A customer used Spinrite to fix a dead hard drive and saved $30,000 worth of orders that were not backed up

Subverted SSL

58:24 - 01:32:18

• Microsoft stores trusted Certificate Authorities(CA) in the Windows Trusted Store
• If you go to a website whose web certificate is signed by someone not currently in your instance of Windows, down in the Windows crypto system, it will see that you're asking about a certificate it doesn't currently have. So it contacts Microsoft and grabs the certificate that you're asking for on the fly.
• All browsers on Windows use this store of trusted CA's apart from Firefox
• A researcher was at a conference where they saw in sort of the trade show portion of the conference a very disturbing booth from a company called Packet Forensics.
• Packet Forensics was advertising a little turnkey network appliance which was able to perform SSL man-in-the-middle attacks
• A country could force a CA operating in its country to issue a certificate for any website in the world
• Then when a user visits the fake website it would appear to be the real website as is has a certificate signed by a trusted CA
• The researchers believe this sort of attack is happening right now
• There are so many trusted CA's in our browsers we have no idea which ones to trust

• Christopher Soghoian's paper Certified Lies: Detecting and Defeating Government Interception Attacks Against SSL
• Microsoft Windows Root Certificate Program members (November 2009)

Sponsors

GoToMeeting

• GoToMeeting.com/SecurityNow
• G2M #2
• Ad Times: 0:42-0:54 and 6:31-8:57

Astaro

• Astaro.com
• Ad Times: 0:55-1:09 and 24:22-27:27

Production Information

• Edited by: Tony
• Notes:

This area is for use by TWiT staff only. Please do not add or edit any content within this section.