Security Now 268

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 268


Security Now 268: Cryptosystem Backdoors

Security Updates

3:56 - 5:53

  • The 0 day flaw in ASP.net where error message variations could be used to eventually crack a site's crypto to reveal usernames and passwords has been fixed with a out of cycle patch

5:54 - 7:28

  • A new 0-day vulnerability for Windows:
  • The msnetobj.dll contains multiple remotely exploitable vulnerabilities
  • If a user visits a malicious web page it can run code on there machine

Security News

7:29 - 12:51

  • Software has been released that can perform HDCP encryption/decryption
  • It can be found here http://www.cs.sunysb.edu/~rob/hdcp.html
  • The algorithm is designed to be implemented in hardware and so inefficient when written in software but the programmer has taken steps to speed it up
  • Steve believes he is using precomputed lookup tables to speed it up

12:52 - 18:54

  • Steve doesn't want to claim that Stuxnet is targeted at Iran
  • Iran has disclosed that 30,000 IP addresses within Iran have been infected by Stuxnet
  • Professionals looking at the code says that it is so good it must be state sponsored
  • The Bushehr Nuclear Reactor, scheduled to go online in just a few weeks, is claimed to be unaffected
  • Last week Ralph Langner, a well-respected expert on industrial systems security, suggested that it may have been used to sabotage Iran's Bushehr nuclear reactor
  • One of the things that Langner discovered is that when Stuxnet finally identifies its target, it makes changes to a piece of Siemens code called Organizational Block 35.
  • This Siemens component monitors critical factory operations, things that need a response within 100 milliseconds.
  • By messing with Operational Block 35, Stuxnet could easily cause a refinery's centrifuge to malfunction, but it could be used to hit other targets too, * Byres said. "The only thing I can say is that it is something designed to go bang,"
  • Whoever created Stuxnet also employed four previously unknown zero-day attacks and a peer- to-peer communications system, compromised digital certificates belonging to Realtek Semiconductor and JMicron Technology, and displayed extensive knowledge of industrial systems.
  • This is not something that your run-of-the-mill hacker can pull off.
  • Many security researchers think that it would take the resources of a nation state to accomplish
  • Iran says that this worm is not in the reactor

18:55 - 25:25

  • The Combating Online Infringements and Counterfeits Act (COICA) is quickly making its way through the senate
  • Read about it here
  • If this law is passed it creates two US Attorney General-driven DNS Blacklists that would have to be enforced by ISPs, domain registrars, and all other access providers to censor and block Internet access and content.
  • One would be mandatory to follow and one would be optional

25:26 - 27:14

  • All charges were dropped in that case of the school that was spying on its students in their rooms at home.
  • "No malicious intent" was proven.

SpinRite

27:15 - 28:20 Bill Pomeroy (Unknown)

Spinrite fixed a broken hard drive

Cryptosystem Backdoors

35:20 - 01:18:15

  • In 1997 Louis Freeh, then Director of the FBI, speaking before the Senate Judiciary Committee, said:

" For law enforcement, framing the issue is simple. In this time of dazzling telecommunications and computer technology, where information can have extraordinary value, the ready availability of robust encryption is essential. No one in law enforcement disputes that. Clearly, in today's world and more so in the future, the ability to encrypt both contemporaneous communications and stored data is a vital component of information security.

As is so often the case, however, there is another aspect to the encryption issue that, if left unaddressed, will have severe public safety and national security ramifications. Law enforcement is in unanimous agreement that the widespread use of robust non-key recovery encryption ultimately will devastate our ability to fight crime and prevent terrorism. Uncrackable encryption will allow drug lords, spies, terrorists and even violent gangs to communicate about their crimes and their conspiracies with impunity. We will lose one of the few remaining vulnerabilities of the worst criminals and terrorists upon which law enforcement depends to successfully investigate and often prevent the worst crimes. For this reason, the law enforcement community is unanimous in calling for a balanced solution to this problem. "

  • The FBI wants to make all crypto systems have a backdoor so that with a court order than can decrypt the data and read it
  • This is bad for Steve as he was planning on having Cryptolink as a trust no one product
  • If this law passed he would have to have the ability to decrypt data sent with this product
  • How will the FBI know what software encrypted the data ?
  • Law enforcement could read encrypted data by installing spyware on a suspects computer and reading it as its decrypted
  • Criminals will just ignore this law and use uncrackable encryption
  • There is also the issue of what about international software, they wont have to follow these laws
  • This law would require massive architectural changes for software
  • Steve and Leo point out that most criminals are dumb and dont use encryption
  • Steve and Leo recommend going to the Electronic Frontier Foundation where there are forms you can fill in opposing this

Sponsors

MailRoute

  • Mailroute for 10% discount
  • Ad Times: 1:00-1:12 and 28:43-35:09

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.