Security Now 270
Recorded: October 13, 2010
Published: October 13, 2010
Microsoft breaks Patch Tuesday update record, Facebook adds OTPs and remote signout, What is The Evercookie?, and more.
6:27 - 10:38
- Microsoft breaks its own previous Patch Tuesday Update Record!
- 16 update bundles to fix a record-breaking 49 security vulnerabilities
- 35 of which are remote code execution vulnerabilities, in Windows, Internet Explorer, & Office.
- IE v6-v8 gets 10 security holes fixed, several are critical even under Windows 7 w/IE8.
- MSRT finally updated to detect the ZeuS Trojan.
10:39 - 12:51
- Oracle/Sun/Java - v1.6.0_22 (aka Version 6 Update 22)
- Windows, Solaris, Linux - but not Apple. Apple maintains its own Java.
- Some reports say 29 security holes fixed
- TLS/SSL renegotiation hole fixed
- Added some "Entrust" Root CAs
12:52 - 14:07
- Foxit Reader - now at v4.2
- PDF files with a title longer than 512 characters will crash the reader, potentially opening it to buffer-overrun exploitation.
14:08 - 19:41
- An Akamai employee has been charged with wire fraud:
- Elliot Doxer, age 42 when this began in 2006, approached the US consulate of a foreign government, offering insider information.
- The consulate immediately turned this over to the FBI, which then set up a classic sting operation, including video recording of the "dead drops."
19:42 - 24:55
- Chuck Schumer of New York has introduced a bill in Congress to extend the existing electronic funds transfer consumer protections (the $50 liability cap) to municipalities and schools.
- Earlier this year $378,000 was transferred from the town of Poughkeepsie, NY to Ukraine.
- $450,000 was stolen from Carson City, CA
- $600,000 from Brigantine, NJ
- $100,000 from the Egg Harbor Township, also in NJ
- $3.8 million from Duanesburg Central School District in NY
- All but approximately $500,000 was recovered in this case
- It appears that the banking credentials were obtained by the infamous ZeuS online-banking credential-stealing Trojan.
- The advice Steve has given before: DISABLE EFTs for all business accounts!
24:56 - 28:14
- Facebook has added OTPs and Remote Signout
- With your cell phone registered to your Facebook account, simply text "otp" to 32665 and you'll immediately receive a password that can be used only once and expires in 20 minutes.
- This feature is rolling out gradually and should be available widely within several weeks.
- Account Settings also allow you to see whether you're still logged on elsewhere and sign those instances out
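The two properties the OTP bullet above calls out, used only once and dead after 20 minutes, are easy to get subtly wrong server-side. This is an added example (not Facebook's code, and not described by the show) of a minimal pending-OTP store that enforces both; the 8-digit format, the injectable clock and the choice to burn a code on any redeem attempt are assumptions of this example.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, Tuple

OTP_TTL_SECONDS = 20 * 60   # the 20-minute lifetime stated in the notes
OTP_DIGITS = 8              # assumption: the notes do not say how long the codes are


class OtpStore:
    """Server-side store of pending one-time passwords, one per account."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                       # injectable so expiry can be tested
        self._pending: Dict[str, Tuple[str, float]] = {}

    def issue(self, account: str) -> str:
        """Mint a fresh code; any earlier unused code for the account is replaced."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account] = (code, self._clock())
        return code

    def redeem(self, account: str, candidate: str) -> bool:
        """Accept the code at most once and only inside its lifetime.

        The entry is removed on every attempt, right or wrong, so a code can
        never be replayed and a wrong guess burns the code instead of giving
        the guesser another try (a design choice of this example, not a
        documented Facebook behaviour).
        """
        entry = self._pending.pop(account, None)
        if entry is None:
            return False                          # nothing pending: never issued, used, or burned
        code, issued_at = entry
        if self._clock() - issued_at > OTP_TTL_SECONDS:
            return False                          # expired; the pop above already discarded it
        # Constant-time comparison on bytes (str comparison raises on non-ASCII input).
        return hmac.compare_digest(code.encode(), candidate.encode())


if __name__ == "__main__":
    store = OtpStore()
    code = store.issue("demo-account")
    print(store.redeem("demo-account", code))     # True: first use inside the window
    print(store.redeem("demo-account", code))     # False: second use of the same code
```

The clock is passed in rather than read from `time.time()` directly so that the expiry path can be exercised deterministically; the same pattern makes the store easy to back with a real database where the `issued_at` timestamp becomes a column.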
28:15 - 31:00
- UAE & BlackBerry have reached some sort of agreement
- Everybody's happy, but no one's saying why, or how.
- Saudi Arabia & India have also both backed down.
31:01 - 33:00
- Jailbroken Kindles can run Infocom's Zork
- There are two free Amazon apps for the Kindle, and EA has Scrabble
33:01 - 33:41
- An analysis of where iPads are used has shown that they spend 20% of their time in bed
33:42 - 36:35 Russell Phillips (Australia)
SpinRite's tech support is great
39:06 - 01:21:40
- The designer (Samy Kamkar) of the Evercookie has released a free API
- The Evercookie is a suite of 10 ways of inducing your computer to accept, store and return an immutable token
- From Samy's FAQ:
- Q: What if the user deletes their cookies?
- A: That's the great thing about evercookie. With all the methods available, currently ten, it only takes one cookie to remain for most, if not all, of them to be reset again. For example, if the user deletes their standard HTTP cookies, LSO data, and all HTML5 storage, the PNG cookie and history cookies will still exist. Once either of those are discovered, all of the others will come back!
- Where is the data stored?
- Traditional HTTP Cookies - where browser privacy controls exist
- Flash Cookies (LSOs - Local Shared Objects), where some control exists (This one BRIDGES browsers!)
- Silverlight "Isolated Storage"
- From Microsoft: "In Silverlight, there is no direct access to the operating system's file system, except through the Open File dialog box. However, you can use isolated storage to store data locally on the user's computer.
- There are two ways to use isolated storage.
- The first way is to save or retrieve data as key/value pairs by using the IsolatedStorageSettings class.
- The second way is to save or retrieve files by using the IsolatedStorageFile class.”
- In the RGB values of pixels in force-cached PNG images.
- It sets a 20-year PNG image expiration
- The server returns a "304 Not Modified", which causes the browser to draw the PNG from its image cache onto an "HTML Canvas", where the pixel values can be read back.
- Introduced by Apple in WebKit for Dashboard widgets and Safari, then adopted by the Gecko browsers, Opera & Chrome, and it's now in the HTML 5 standard.
- Tucked away in "Web History"
- Using Jeremiah Grossman's 2006 CSS History Hack
- Samy first lays down a hierarchical history trail, then later successively explores for the "trail." And it's quite fast.
- The HTTP ETag:
- A hash used to determine whether the cached version of content is current
- Server hashes the resource and returns the ETag along with the resource.
- Client re-requests the resource with an "If-None-Match: ....." header carrying that ETag.
- Server might then return "304 Not Modified"
- The Document Object Model (DOM) window object ".name" property
- The DOM with JS allows windows to be named, but the names are NOT domain specific! (nor persistent across browser restarts.)
- Internet Explorer has a proprietary "UserData" extension.
- It USED to be possible to disable this via the "Enable UserData Persistence" setting, but that setting has been removed.
- Session Storage
- Local Storage
- Global Storage
- Database Storage
- How can it be stopped?
- Samy's FAQ: Private Browsing in Safari will stop ALL evercookie methods after a browser restart.
- Use a Linux live CD
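The ETag bullets above describe a conditional GET in three sentences; seeing both ends of the exchange makes it clear why the header can double as storage and why clearing the cache is the counter-measure. The following is an added example written for these notes (not Samy's evercookie code and not part of the show): a content-hash ETag server handler plus a minimal caching client, using a constructed sample resource. Function and class names are this example's own.

```python
import hashlib
from typing import Dict, Optional, Tuple

# Constructed sample resource (not taken from the show notes): the bytes a server would serve.
RESOURCE = b"<html><body>conditional GET demo</body></html>"


def compute_etag(body: bytes) -> str:
    """Derive a strong ETag from the resource bytes (quoted, as HTTP requires).

    Hashing the content is the honest use of ETag described in the notes; a
    server that instead minted an arbitrary per-visitor value here would get
    that value handed back on every revisit, which is the storage channel.
    """
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def handle_get(body: bytes, if_none_match: Optional[str]) -> Tuple[int, Dict[str, str], bytes]:
    """Server side: answer a GET, honouring an If-None-Match header if present."""
    etag = compute_etag(body)
    if if_none_match is not None:
        # The header may carry several ETags separated by commas, or "*".
        candidates = [c.strip() for c in if_none_match.split(",")]
        if "*" in candidates or etag in candidates:
            # Cached copy is current: no body, just confirm the tag.
            return 304, {"ETag": etag}, b""
    return 200, {"ETag": etag, "Content-Type": "text/html"}, body


class CachingClient:
    """Client side: remember body + ETag per URL and echo the ETag on revisit."""

    def __init__(self) -> None:
        self.cache: Dict[str, Tuple[str, bytes]] = {}

    def fetch(self, url: str, server_body: bytes) -> Tuple[int, bytes]:
        cached = self.cache.get(url)
        if_none_match = cached[0] if cached else None
        status, headers, body = handle_get(server_body, if_none_match)
        if status == 304:
            # 304 is only possible when we sent a cached tag, so `cached` is set here.
            return 304, cached[1]
        self.cache[url] = (headers["ETag"], body)
        return status, body

    def clear_cache(self) -> None:
        """Clearing the cache is what drops an ETag-borne token."""
        self.cache.clear()


if __name__ == "__main__":
    client = CachingClient()
    print(client.fetch("/page", RESOURCE)[0])   # 200 on the first visit
    print(client.fetch("/page", RESOURCE)[0])   # 304 on the revisit
    client.clear_cache()
    print(client.fetch("/page", RESOURCE)[0])   # 200 again once the cache is gone
```

The client never interprets the ETag, it only stores and echoes it, which is the whole point: from the browser's side a content hash and a tracking token look identical, so the only client-side control is the one the notes already name, discarding the cache.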
Go To Assist
- Ad Times: 0:57-1:13 and 3:44-6:17
- Carbonite Pro
- Ad Times: 1:14-1:26 and 36:44-39:00
- Edited by: Tony