Security Now 270

From The Official TWiT Wiki


Security Now 270: The Evercookie

Microsoft breaks Patch Tuesday update record, Facebook adds OTPs and remote signout, What is The Evercookie?, and more.

Security Updates

6:27 - 10:38

  • Microsoft breaks its own previous Patch Tuesday Update Record!
  • 16 update bundles to fix a record-breaking 49 security vulnerabilities
  • 35 of which are remote code execution vulnerabilities, in Windows, Internet Explorer, & Office.
  • IE v6-v8 gets 10 security holes fixed, several are critical even under Windows 7 w/IE8.
  • MSRT finally updated to detect the ZeuS Trojan.

10:39 - 12:51

  • Oracle/Sun/Java - v1.6.0_22 (aka Version 6 update 22)
  • Windows, Solaris, Linux - but not Apple. Apple maintains its own Java.
  • Some reports say 29 security holes fixed
  • TLS/SSL Renegotiation hole fixed
  • Added some "Entrust" Root CAs

12:52 - 14:07

  • Foxit Reader - now at v4.2
  • PDF files with a title longer than 512 characters will crash the reader, potentially opening it to a buffer overrun exploitation.

Security News

14:08 - 19:41

19:42 - 24:55

  • Chuck Schumer of New York has introduced a bill into Congress to extend the existing electronic funds transfer consumer protections (the $50 cap) to municipalities and schools.
  • Earlier this year $378,000 was transferred from the town of Poughkeepsie, NY to Ukraine.
  • $450,000 was stolen from Carson City, CA
  • $600,000 from Brigantine, NJ
  • $100,000 from the Egg Harbor Township, also in NJ
  • $3.8 million from Duanesburg Central School District in NY
    • All but approx $500,000 was recovered in this case
  • It appears that the banking credentials were obtained by the infamous ZeuS online banking credential-stealing Trojan.
  • The advice Steve has given before: DISABLE EFTS for all business accounts!

24:56 - 28:14

  • Facebook has added OTPs and Remote Signout
  • http://blog.facebook.com/blog.php?post=436800707130
  • With your cell phone registered to your Facebook account, simply text "otp" to 32665 and you'll immediately receive a password that can be used only once and expires in 20 minutes.
  • This feature is rolling out gradually and should be available widely within several weeks.
  • Account Settings also lets you see whether you're still logged on elsewhere and sign those sessions out.

28:15 - 31:00

  • UAE & Blackberry have reached some sort of agreement
  • Everybody's happy, but no one's saying why, or how.
  • Saudi Arabia & India have also both backed down.

Errata

31:01 - 33:00

33:01 - 33:41

  • An analysis of where iPads are used has shown that they spend 20% of their time in bed.

SpinRite

33:42 - 36:35 Russell Phillips (Australia)

SpinRite's tech support is great.

The Evercookie

39:06 - 01:21:40

  • The designer (Samy Kamkar) of the Evercookie has released a free API
  • The Evercookie is a suite of 10 ways of inducing your computer to accept, store and return an immutable token
  • In Samy's words: "evercookie is a javascript API available that produces extremely persistent cookies in a browser. Its goal is to identify a client even after they've removed standard cookies, Flash cookies (Local Shared Objects or LSOs), and others."


  • From Samy's FAQ:
    • Q: What if the user deletes their cookies?
    • A: That's the great thing about evercookie. With all the methods available, currently ten, it only takes one cookie to remain for most, if not all, of them to be reset again. For example, if the user deletes their standard HTTP cookies, LSO data, and all HTML5 storage, the PNG cookie and history cookies will still exist. Once either of those are discovered, all of the others will come back!


  • Where is the data stored?
  • Traditional HTTP Cookies - where browser privacy controls exist
  • Flash Cookies (LSOs - Local Shared Objects) where some control exists (This one BRIDGES browsers!)


  • Silverlight "Isolated Storage"
    • From Microsoft: "In Silverlight, there is no direct access to the operating system's file system, except through the Open File dialog box. However, you can use isolated storage to store data locally on the user's computer.
    • There are two ways to use isolated storage.
    • The first way is to save or retrieve data as key/value pairs by using the IsolatedStorageSettings class.
    • The second way is to save or retrieve files by using the IsolatedStorageFile class."
  • In the RGB values of pixels in force-cached PNG images.
    • It sets a 20 year PNG image expiration
    • The server returns "304 Not Modified", so the browser loads the image from its cache, where the script reads its pixels back through an "HTML Canvas".
    • "HTML Canvas" is a full JavaScript pixel-drawing API.
    • Introduced by Apple in WebKit for Dashboard widgets and Safari, then adopted by the Gecko browsers, Opera & Chrome, and it's now in the HTML 5 standard.


  • Tucked away in "Web History"
    • Using Jeremiah Grossman's 2006 CSS History Hack
    • JavaScript code builds <a href> tags, then queries their ":visited" color.
    • Samy first lays down a hierarchical history trail, then later successively explores for the "trail." And it's quite fast.


  • The HTTP ETag:
    • A hash used to determine whether the cached copy of a resource is still current.
    • The server hashes the resource and returns the ETag along with the resource.
    • On its next request the client adds an "If-None-Match: "....."" header carrying that ETag.
    • The server may then reply "304 Not Modified" instead of resending the resource.


  • The Document Object Model (DOM) window object ".name" property
    • The DOM lets JavaScript name a window, but window names are NOT domain-specific! (Nor do they persist across browser restarts.)


  • Internet Explorer has a proprietary "UserData" extension.
    • It USED to be possible to disable "Enable UserData Persistence", but that setting has been removed.


  • HTML5
    • Session Storage
    • Local Storage
    • Global Storage
    • Database Storage


  • How can it be stopped?
    • Samy's FAQ: Private Browsing in Safari will stop ALL evercookie methods after a browser restart.
    • NoScript or anything that blocks JavaScript is largely effective, BUT it won't block the ETags.
    • Use a Linux live CD

Sponsors

Go To Assist

Carbonite Pro

Production Information

  • Edited by: Tony
  • Notes: