Security Now 274
Topic: DNS Benchmarking
Recorded: November 10, 2010
Published: November 11, 2010
Security Now 274: DNS Benchmarking
Second Tuesday updates, critical Outlook fix, Android risks, Google expands "bug bounty", GRC's DNS Benchmark, and more.
10:22 - 14:17
- Microsoft's 2nd Tuesday of the Month Updates:
- Fix for Office problems, including a CRITICAL one for Outlook that allows infection upon preview-pane viewing.
- NO FIX for the 0-day IE flaw we discussed last week. IE 6 & 7 are very vulnerable, IE8 not so much.
- Brian Krebs reports that the flaw has appeared in at least one highly used hacker toolkit.
- Microsoft says the flaw does not warrant an out-of-cycle patch.
- Best advice, upgrade to IE8 if possible.
- Otherwise, there are FixIt tools, but they are messy:
14:18 - 16:34
- Google Chrome updated to v7.0.517.44
- The vulnerabilities fixed include:
- Two use-after-free errors
- Two unspecified memory corruption errors
- A bad cast
- An invalid memory read
- Integer overflows
- An out-of-bounds array access.
- Eleven of the 12 vulnerabilities were reported by researchers, to whom Google paid a total of $8,674 (dollars US).
16:35 - 18:22
- Proof-of-concept demonstration code is now available exploiting a flaw in Android's WebKit-based browser that is only fixed in v2.2 and above
- The researcher apparently wants to get Android phones updated more quickly.
18:23 - 19:34
- "Coverity" reports having found 88 "high risk" flaws in the Android kernel after having run an automated analysis of the code base downloaded from HTC's developer's site.
- Google has been notified and given a 60-day grace period to address the issues before any more is disclosed.
- http://blog.coverity.com/open-source/launch-of-the-coverity-scan-2010-open-source-integrity-report/
19:35 - 20:46
- Google expands "Bug Bounty" program...
- Adding Gmail, YouTube & Blogger (but not Android, Picasa or Google Desktop).
- Standard payments will be $500 with public recognition whereas really severe or clever discoveries could pay up to $3,133.7
20:47 - 22:18
- The folks at Anonymizer are in the process of finalising an add-on for Firefox, called "Nevercookie", which deals with the EverCookie
- Steve has a copy of the add-on and is analysing it
22:19 - 22:58
- Firesheep Download Update - 702,000+
22:59 - 26:11
- “Blacksheep” is a Firefox add-on which detects if someone on the network is using Firesheep
- Cleverly it puts a fake credential out on the net and watches to see whether someone running Firesheep attempts to pull the user’s photo from their page.
26:12 - 26:51
- Microsoft has responded to Firesheep and added always-on SSL to Hotmail
26:52 - 28:15 Jonathan D. Kramer (New York)
SpinRite fixed a broken hard drive
GRC’s DNS Benchmark
4:26 - 7:55
- After 9/11, Steve was asked by the White House to explore the idea of a communication system for the Internet that could deliver a message to a huge number of devices quickly
- Steve created a DNS research utility to experiment with how DNS works and wrote a benchmark
- When Dan Kaminsky revealed a flaw in DNS, Steve picked up development of it again and this tool was born
31:35 - 56:50 & 01:01:00 - 01:11:07
- Why Benchmark DNS?
- It had never been done before.
- It can matter ... and people want to know.
- Performance is ALL about proximity (and server load/overload)
- Just HOW slow is my ISP's DNS compared to alternatives?
- If I switch to "OpenDNS", how much speed will I be sacrificing?
- Emerging "Security Enhancing" DNS, any performance penalty?
- Creating measurable accountability, putting some pressure on providers to keep their DNS speedy.
- People running their own local resolvers, instant cached replies, but how about non-cached?
- Supports DNSSEC?
- DNS Rebinding protection?
- A DNS Benchmark:
- Windows & Linux w/WINE
- 163 Kbytes - no installation, no modification to user's system
- Fully Scriptable/Automatable, exports comprehensive CSV
- What to measure:
- Cached Lookups - access from local cache
- Non-cached Lookups - need to ask remote .COM nameserver
- DotCom Lookups - need to ask remote ROOT nameserver
- Reliability - how many queries replied to?
- DNS Rebinding Protection - blocking private networks?
- Domains Tested: (from Alexa's Top Domains List)
- Google.com Yahoo.com Youtube.com Live.com Facebook.com Msn.com Wikipedia.org Blogger.com Myspace.com Yahoo.co.jp Baidu.com Google.co.in Google.de Microsoft.com Rapidshare.com Google.fr Ebay.com Google.co.uk Wordpress.com Craigslist.org Aol.com Google.it Flickr.com Amazon.com Google.co.jp Photobucket.com Imdb.com Bbc.co.uk Go.com Skyrock.com Ask.com Friendster.com Cnn.com Naver.com Youku.com Google.ca Adobe.com Ebay.de Dailymotion.com Conduit.com Sohu.com Vmn.net Apple.com Globo.com About.com Tagged.com Mediafire.com Ku6.com Soso.com Livejournal.com
- Domain names are user-replaceable
- Graphical results + Detailed tabular results
- Are differences significant?
- Sampling Theory - 95% Statistical Confidence
- The "Conclusions" Page
- Detailed Heuristic Analysis providing: "What does it all mean?" in plain English.
- Custom Lists? (speaking of resolver proximity...)
- Built-in "US Centric" list
- User-replaceable list.
- Custom List builder!
- Google's "namebench"
- 4,854 global resolvers tested
- Top 50 and Top 200 (returned to GRC)
- Final Niceties:
- Every test or graphical "page" can be "copied"
- Graphical copy copies the *entire* object, not just what's visible
- Scaling can be "locked" to make graphical bar charts A/B comparable
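
The "Reliability" and "Are differences significant? ... 95% Statistical Confidence" items above, worked through as an added example (not GRC's code; these notes do not say how the DNS Benchmark computes its statistics). It assumes a normal approximation with z = 1.96, and the timing lists are constructed sample data, kept short for readability.

```python
import math
import statistics

Z95 = 1.96  # two-sided 95% quantile; normal approximation is an assumption

# Constructed timings in ms for one run per resolver; None = no reply received.
ISP_CACHED = [12, 14, 11, 13, 15, 12, 13, 14, 11, 13]
PUBLIC_CACHED = [13, 12, 14, 12, 15, 11, 14, 13, 12, 14]
ISP_UNCACHED = [62, 58, 71, 66, None, 60, 64, 69, 57, 63]
PUBLIC_UNCACHED = [81, 77, 90, 85, 79, 88, 83, None, 92, 80]

def summarize(samples_ms):
    """Reliability, mean and 95% confidence interval for one resolver."""
    replies = [s for s in samples_ms if s is not None]
    if len(replies) < 2:
        raise ValueError("need at least two replies to estimate variance")
    mean = statistics.fmean(replies)
    sem = statistics.stdev(replies) / math.sqrt(len(replies))
    return {
        "reliability": len(replies) / len(samples_ms),
        "mean": mean,
        "sem": sem,
        "ci95": (mean - Z95 * sem, mean + Z95 * sem),
    }

def compare(a_ms, b_ms):
    """Difference of means (a - b), its 95% CI, and whether it excludes zero."""
    a, b = summarize(a_ms), summarize(b_ms)
    diff = a["mean"] - b["mean"]
    half = Z95 * math.sqrt(a["sem"] ** 2 + b["sem"] ** 2)
    ci = (diff - half, diff + half)
    return diff, ci, not (ci[0] <= 0.0 <= ci[1])

if __name__ == "__main__":
    for label, a, b in [("cached", ISP_CACHED, PUBLIC_CACHED),
                        ("uncached", ISP_UNCACHED, PUBLIC_UNCACHED)]:
        diff, ci, sig = compare(a, b)
        print(f"{label}: ISP - public = {diff:+.1f} ms, "
              f"95% CI ({ci[0]:+.1f}, {ci[1]:+.1f}), significant={sig}")
```

On this sample the cached timings are statistically indistinguishable while the uncached gap is significant; for runs this short a Student's t quantile would be the stricter choice than 1.96.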
Go To Assist Express
- GoToAssist Express
- G2A #3
- Ad Times: 0:57-1:15 and 7:57-10:19
- Carbonite Pro
- CarbPro #2
- Ad Times: 1:16-1:31 and 28:47-31:34
- Sync #8
- Ad Times: 1:33 and 1:50 and 56:45-1:00:10
- Edited by: Tony