Security Now 274

From The Official TWiT Wiki

Security Now 274: DNS Benchmarking

Second Tuesday updates, critical Outlook fix, Android risks, Google expands "bug bounty", GRC's DNS Benchmark, and more.

Security Updates

10:22 - 14:17

  • Microsoft's 2nd Tuesday of the Month Updates:
    • Fix for Office problems, including a CRITICAL one for Outlook that allows infection upon preview-pane viewing.
    • NO FIX for the 0-day IE flaw we discussed last week. IE 6 & 7 are very vulnerable; IE8 much less so.
    • Brian Krebs reports that the flaw has appeared in at least one widely used hacker toolkit.
    • Microsoft says the flaw does not warrant an out-of-cycle patch.
    • Best advice: upgrade to IE8 if possible.
    • Otherwise, there are FixIt tools, but they are messy.

14:18 - 16:34

  • Google Chrome updated to v7.0.517.44
  • The vulnerabilities fixed include:
    • Two use-after-free errors
    • Two unspecified memory corruption errors
    • A bad cast
    • An invalid memory read
    • Integer overflows
    • An out-of-bounds array access.
    • Eleven of the 12 vulnerabilities were reported by researchers, to whom Google paid a total of US $8,674.

Security News

16:35 - 18:22

  • Proof-of-concept code is now available that exploits a flaw in Android's WebKit-based browser; the flaw is fixed only in Android v2.2 and above.
  • The researcher apparently wants to get Android phones updated more quickly.

18:23 - 19:34

19:35 - 20:46

  • Google expands "Bug Bounty" program...
  • Adding Gmail, YouTube & Blogger (but not Android, Picasa or Google Desktop).
  • Standard payments will be $500 with public recognition, whereas really severe or clever discoveries could pay up to $3,133.7

20:47 - 22:18

  • The folks at Anonymizer are in the process of finalising a Firefox add-on, called "Nevercookie", which deals with the Evercookie
  • Steve has a copy of the add-on and is analysing it

22:19 - 22:58

22:59 - 26:11

  • “Blacksheep” is a Firefox add-on which detects whether someone on the network is using Firesheep
  • Cleverly, it puts a fake credential out on the network and watches to see whether someone running Firesheep attempts to pull the user’s photo from their page.

26:12 - 26:51

  • Microsoft has responded to Firesheep and added always-on SSL to Hotmail

SpinRite Story

26:52 - 28:15 Jonathan D. Kramer (New York)

SpinRite fixed a broken hard drive.

GRC’s DNS Benchmark

4:26 - 7:55

  • After 9/11 Steve was asked by the White House to explore the idea of a communication system for the internet that could deliver a message to a huge number of devices quickly
  • Steve created a DNS research utility to experiment with how DNS works and wrote a benchmark
  • When Dan Kaminsky revealed a flaw in DNS, Steve picked up development of it again, and this tool was born

31:35 - 56:50 & 01:01:00 - 01:11:07

  • Why Benchmark DNS?
    • It had never been done before.
    • It can matter ... and people want to know.
    • Performance is ALL about proximity (and server load/overload)
    • Just HOW slow is my ISP's DNS compared to alternatives?
    • If I switch to "OpenDNS", how much speed will I be sacrificing?
    • Emerging "Security Enhancing" DNS, any performance penalty?
    • Creating measurable accountability, putting some pressure on providers to keep their DNS speedy.
    • People running their own local resolvers get instant cached replies, but how about non-cached?
  • Redirects?
  • Supports DNSSEC?
  • DNS Rebinding protection?

  • A DNS Benchmark:
    • Windows & Linux w/WINE
    • 163 Kbytes - no installation, no modification to user's system
    • Fully Scriptable/Automatable, exports comprehensive CSV

  • What to measure:
    • Cached Lookups - access from local cache
    • Non-cached Lookups - need to ask remote .COM nameserver
    • DotCom Lookups - need to ask remote ROOT nameserver
    • Reliability - how many queries replied to?
    • DNS Rebinding Protection - blocking private networks?
  • Domains Tested: (from Alexa's Top Domains List)
    • Domain names are user-replaceable

  • Graphical results + Detailed tabular results

  • Are differences significant?
    • Sampling Theory - 95% Statistical Confidence
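A small resolver benchmark in the spirit of the measurements listed above (timed lookups, reliability misses, rebinding protection) and of the 95% confidence test in this item. This is added example code, not GRC's DNS Benchmark or any of its logic; it assumes a plain UDP resolver on port 53, hand-built DNS packets, the name example.com, and a normal-approximation (1.96 sigma) interval.

```python
import socket, struct, random, time, math, statistics, ipaddress

# Ranges a rebinding-protecting resolver should never hand back for a public name.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def build_query(name):  # minimal DNS A query, recursion desired -> (transaction id, packet)
    tid = random.randint(0, 0xFFFF)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return tid, struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"
def _skip_name(pkt, i):  # offset just past a possibly-compressed name that starts at i
    while pkt[i] & 0xC0 != 0xC0 and pkt[i] != 0:
        i += pkt[i] + 1
    return i + (2 if pkt[i] & 0xC0 == 0xC0 else 1)
def parse_a_records(pkt):
    """IPv4 addresses from the answer section of a DNS response."""
    qd, an = struct.unpack(">HH", pkt[4:8])
    i, addrs = 12, []
    for _ in range(qd):
        i = _skip_name(pkt, i) + 4                 # QNAME, then QTYPE + QCLASS
    for _ in range(an):
        i = _skip_name(pkt, i)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", pkt[i:i + 10])
        i += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(pkt[i:i + 4])))
        i += rdlen
    return addrs

def timed_query(resolver, name, timeout=2.0):
    """One UDP query: (rtt_seconds, addresses), or None on timeout (a reliability miss)."""
    tid, pkt = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        t0 = time.perf_counter()
        s.sendto(pkt, (resolver, 53))
        try:
            resp, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    if struct.unpack(">H", resp[:2])[0] != tid:    # not a reply to our transaction
        return None
    return time.perf_counter() - t0, parse_a_records(resp)
def leaks_private(addrs):  # RFC 1918/loopback answer for a public name = no rebinding protection
    return any(ipaddress.ip_address(a) in n for a in addrs for n in PRIVATE)
def mean_ci95(samples):  # mean and 95% half-width, normal approximation; needs 2+ (ideally 30+) samples
    return statistics.mean(samples), 1.96 * statistics.stdev(samples) / math.sqrt(len(samples))
def significantly_different(a, b):  # conservative call: the two 95% intervals do not overlap
    (ma, ha), (mb, hb) = mean_ci95(a), mean_ci95(b)
    return abs(ma - mb) > ha + hb
```

For a non-cached measurement, query a fresh random label under a real domain (a random number prefixed to example.com, say) so the resolver cannot answer from cache; collect about 30 timings per resolver and pass the two lists to significantly_different.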

  • Optional:
    • DNSSEC

  • The "Conclusions" Page
    • Detailed Heuristic Analysis providing: "What does it all mean?" in plain English.
  • Custom Lists? (speaking of resolver proximity...)
    • Built-in "US Centric" list
    • User-replaceable list.
    • Custom List builder!
    • Google's "namebench"
    • 4,854 global resolvers tested
    • Top 50 and Top 200 (returned to GRC)

  • Final Niceties:
    • Every test or graphical "page" can be "copied"
    • Graphical copy copies the *entire* object, not just what's visible
    • Scaling can be "locked" to make graphical bar charts A/B comparable


Go To Assist Express

Carbonite Pro


Production Information

  • Edited by: Tony
  • Notes: