Security Now 274

Security Now 274: DNS Benchmarking

Second Tuesday updates, critical Outlook fix, Android risks, Google expands "bug bounty", GRC's DNS Benchmark, and more.

Security Updates

10:22 - 14:17

  • Microsoft's 2nd Tuesday of the Month Updates:
    • Fixes for Office problems, including a CRITICAL one for Outlook that allows infection simply by viewing a message in the preview pane.
    • NO FIX for the 0-day IE flaw we discussed last week. IE6 and IE7 are very vulnerable; IE8 much less so, since it runs with DEP enabled by default.
    • Brian Krebs reports that the flaw has appeared in at least one widely used hacker toolkit.
    • Microsoft says the flaw does not warrant an out-of-cycle patch.
    • Best advice: upgrade to IE8 if possible.
    • Otherwise there are Fix It tools, but they are messy:
    • http://support.microsoft.com/kb/2458511

14:18 - 16:34

  • Google Chrome updated to v7.0.517.44
  • The 12 vulnerabilities fixed include:
    • Two use-after-free errors
    • Two unspecified memory corruption errors
    • A bad cast
    • An invalid memory read
    • Integer overflows
    • An out-of-bounds array access
  • Eleven of the 12 vulnerabilities were reported by outside researchers, to whom Google paid a total of $8,674 (US dollars).

Security News

16:35 - 18:22

  • Proof-of-concept demonstration code is now publicly available exploiting a flaw in Android's WebKit-based browser that is only fixed in Android v2.2 and above.
  • The researcher apparently wants to pressure carriers and handset makers into getting Android phones updated more quickly.

18:23 - 19:34

19:35 - 20:46

  • Google expands its "Bug Bounty" program...
  • Adding Gmail, YouTube & Blogger (but not Android, Picasa or Google Desktop).
  • Standard payments will be $500 with public recognition, whereas really severe or clever discoveries could pay up to $3,133.7.

20:47 - 22:18

  • The folks at Anonymizer are in the process of finalizing a Firefox add-on called "Nevercookie" which deals with the Evercookie.
  • Steve has a copy of the add-on and is analyzing it.

22:19 - 22:58

22:59 - 26:11

  • BlackSheep is a Firefox add-on which detects whether someone on the local network is using Firesheep.
  • Cleverly, it puts a fake credential (a session cookie that was never issued to any real user) out on the network and watches to see whether someone running Firesheep attempts to use it to pull the "user's" photo from their page.
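The canary-credential idea behind BlackSheep, as an added example (not BlackSheep's own code): planted session tokens are derived from a local secret so that any request presenting one is, by construction, a replay by whoever sniffed it. The cookie name `sid`, the secret, the host name and the two captured requests are all constructed for illustration; a real deployment would feed the detector from a packet sniffer on the same network.

```python
# Added example in the spirit of BlackSheep's trick; it is not BlackSheep's code.
# Assumptions: the planted "credential" is a session cookie named `sid`, tokens are
# derived with HMAC from a local secret, and captures are (source IP, raw request)
# pairs obtained from a sniffer on the same network. Sample requests below are constructed.
import hashlib
import hmac

SECRET = b"local-beacon-secret"  # constructed; anything unguessable by an attacker will do


def make_canary(secret, seq):
    """Token for broadcast number `seq`: looks like a session ID, never issued to a real user."""
    return hmac.new(secret, b"canary:%d" % seq, hashlib.sha256).hexdigest()[:32]


def cookie_map(raw_request):
    """Parse the Cookie header of one raw HTTP request (CRLF line endings) into a dict."""
    cookies = {}
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                if "=" in part:
                    name, value = part.strip().split("=", 1)
                    cookies[name] = value
    return cookies


def detect_replays(captures, secret, cookie_name, max_seq):
    """Return [(src_ip, seq)] for every captured request that presents a planted token.
    A legitimate client can never hold one, so any hit is a session hijack in progress."""
    planted = {make_canary(secret, s): s for s in range(max_seq)}
    hits = []
    for src_ip, raw in captures:
        token = cookie_map(raw).get(cookie_name)
        if token in planted:
            hits.append((src_ip, planted[token]))
    return hits


def sample_captures():
    """Constructed traffic: one genuine request and one replaying beacon #3 to fetch a profile photo."""
    legit = "GET /profile HTTP/1.1\r\nHost: www.example.com\r\nCookie: sid=abcd1234; lang=en\r\n\r\n"
    stolen = ("GET /profile/photo.jpg HTTP/1.1\r\nHost: www.example.com\r\n"
              "Cookie: sid=%s\r\n\r\n" % make_canary(SECRET, 3))
    return [("192.168.1.20", legit), ("192.168.1.77", stolen)]


if __name__ == "__main__":
    for ip, seq in detect_replays(sample_captures(), SECRET, "sid", 10):
        print(f"Firesheep-style replay from {ip}: reused beacon #{seq}")
```

Deriving tokens from a secret rather than storing a list means the detector can also tell which broadcast was captured (and therefore roughly when), which is useful when several machines on a coffee-shop network are being watched at once.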

26:12 - 26:51

  • Microsoft has responded to Firesheep by adding always-on SSL (HTTPS for the whole session) to Hotmail.

SpinRite Story

26:52 - 28:15 Jonathan D. Kramer (New York)

SpinRite fixed a broken hard drive.

GRC’s DNS Benchmark

4:26 - 7:55

  • After 9/11, Steve was asked by the White House to explore the idea of a communication system for the Internet that could deliver a message to a huge number of devices quickly.
  • Steve created a DNS research utility to experiment with how DNS works and wrote a benchmark.
  • When Dan Kaminsky revealed his flaw in DNS, Steve picked up development again and this tool was born.

31:35 - 56:50 & 01:01:00 - 01:11:07


  • Why Benchmark DNS?
    • It had never been done before.
    • It can matter ... and people want to know.
    • Performance is ALL about proximity (and server load/overload).
    • Just HOW slow is my ISP's DNS compared to alternatives?
    • If I switch to "OpenDNS", how much speed will I be sacrificing?
    • Emerging "Security Enhancing" DNS: is there any performance penalty?
    • Creating measurable accountability, putting some pressure on providers to keep their DNS speedy.
    • People running their own local resolvers get instant cached replies, but how about non-cached lookups?
    • Redirects?
    • Supports DNSSEC?
    • DNS Rebinding protection?


  • A DNS Benchmark:
    • Windows & Linux w/WINE
    • 163 Kbytes - no installation, no modification to user's system
    • Fully Scriptable/Automatable, exports comprehensive CSV


  • What to measure:
    • Cached Lookups - answered directly from the resolver's local cache.
    • Non-cached Lookups - a never-seen name, so the resolver must go out to the domain's own (authoritative) nameservers.
    • DotCom Lookups - a never-seen .COM name, so the resolver must consult the remote .COM TLD nameservers.
    • Reliability - how many queries were actually replied to?
    • DNS Rebinding Protection - does the resolver block answers that point into private networks?
  • Domains Tested (from Alexa's Top Domains list):
    • Google.com, Yahoo.com, Youtube.com, Live.com, Facebook.com, Msn.com, Wikipedia.org, Blogger.com, Myspace.com, Yahoo.co.jp, Baidu.com, Google.co.in, Google.de, Microsoft.com, Rapidshare.com, Google.fr, Ebay.com, Google.co.uk, Wordpress.com, Craigslist.org, Aol.com, Google.it, Flickr.com, Amazon.com, Google.co.jp, Photobucket.com, Imdb.com, Bbc.co.uk, Go.com, Skyrock.com, Ask.com, Friendster.com, Cnn.com, Naver.com, Youku.com, Google.ca, Adobe.com, Ebay.de, Dailymotion.com, Conduit.com, Sohu.com, Vmn.net, Apple.com, Globo.com, About.com, Tagged.com, Mediafire.com, Ku6.com, Soso.com, Livejournal.com
    • Domain names are user-replaceable


  • Graphical results + Detailed tabular results


  • Are differences significant?
    • Sampling Theory - 95% Statistical Confidence


  • Optional:
    • DNSSEC


  • The "Conclusions" Page
    • Detailed Heuristic Analysis providing: "What does it all mean?" in plain English.
  • Custom Lists? (speaking of resolver proximity...)
    • Built-in "US Centric" list
    • User-replaceable list.
    • Custom List builder!
    • Google's "namebench"
    • 4,854 global resolvers tested
    • Top 50 and Top200 (returned to GRC)


  • Final Niceties:
    • Every test or graphical "page" can be "copied"
    • Graphical copy copies the *entire* object, not just what's visible
    • Scaling can be "locked" to make graphical bar charts A/B comparable
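A worked, added example (not GRC's DNS Benchmark code) of the measurements the "What to measure" and "Are differences significant?" bullets describe: it builds raw DNS A queries, times the three lookup classes (cached, non-cached, dotcom) against a resolver, scores reliability by counting unanswered queries, flags private-range answers as the rebinding-protection check, and compares two resolvers using non-overlapping 95% confidence intervals. The resolver IP in the main block is a placeholder to be replaced with the ISP or alternative resolver under test, the interval uses a normal approximation (z = 1.96), and `build_response` exists only to construct offline test messages.

```python
# Added example, not GRC's DNS Benchmark code: a minimal resolver probe covering the
# lookup classes in the notes (cached, uncached, dotcom), reliability, rebinding
# protection and a 95%-confidence comparison. Assumptions: UDP A queries to port 53,
# placeholder resolver IP in main(), normal-approximation interval (z = 1.96).
import ipaddress, math, os, socket, statistics, struct, time

def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_query(name, qid):
    """Recursive (RD=1) query for an A record."""
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)

def decode_name(msg, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:              # compression pointer: 14-bit offset
            end = offset + 2 if end is None else end
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(msg):
    """Return (id, rcode, [IPv4 answers]) from a response message."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset, addrs = 12, []
    for _ in range(qd):                        # skip the echoed question
        offset = decode_name(msg, offset)[1] + 4
    for _ in range(an):
        offset = decode_name(msg, offset)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[offset:offset + 4])))
        offset += rdlen
    return qid, flags & 0xF, addrs

def build_response(qid, name, addrs, rcode=0):
    """Constructed response for offline tests: echoes the question, then one A record
    per address whose owner name is a pointer back to offset 12."""
    msg = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)
    for ip in addrs:
        msg += b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + ipaddress.IPv4Address(ip).packed
    return msg

def uncached_name(domain):      # random label: resolver must ask the domain's own nameservers
    return os.urandom(4).hex() + "." + domain

def dotcom_name():              # random .com: resolver must ask the .COM TLD nameservers
    return os.urandom(6).hex() + ".com"

def time_query(resolver, name, timeout=2.0):
    """One timed query -> (milliseconds, rcode, addrs); None on timeout or mismatched ID."""
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        start = time.perf_counter()
        sock.sendto(build_query(name, qid), (resolver, 53))
        data = sock.recvfrom(512)[0]
        elapsed = (time.perf_counter() - start) * 1000.0
        rid, rcode, addrs = parse_response(data)
        return (elapsed, rcode, addrs) if rid == qid else None
    except socket.timeout:
        return None
    finally:
        sock.close()

def reliability(results):
    """Fraction of queries that got any reply at all."""
    return sum(1 for r in results if r is not None) / len(results)

def rebinding_protected(addrs):
    """True when a name known to resolve to a private address comes back without one."""
    return not any(ipaddress.IPv4Address(a).is_private for a in addrs)

def summarize(samples_ms):
    """Mean latency and its 95% confidence interval."""
    n, mean = len(samples_ms), statistics.fmean(samples_ms)
    half = 1.96 * statistics.stdev(samples_ms) / math.sqrt(n) if n > 1 else 0.0
    return mean, mean - half, mean + half

def significantly_different(a_ms, b_ms):
    """Conservative call: resolvers differ at 95% only if their intervals do not overlap."""
    _, alo, ahi = summarize(a_ms)
    _, blo, bhi = summarize(b_ms)
    return ahi < blo or bhi < alo

if __name__ == "__main__":
    resolver = "8.8.8.8"        # placeholder: compare your ISP's resolver, OpenDNS, etc.
    for label, name in [("cached", "google.com"), ("uncached", uncached_name("google.com")), ("dotcom", dotcom_name())]:
        runs = [time_query(resolver, name) for _ in range(10)]
        ms = [r[0] for r in runs if r is not None]
        mean, lo, hi = summarize(ms) if ms else (0.0, 0.0, 0.0)
        print(f"{label:8s} reliability={reliability(runs):.0%} mean={mean:.1f}ms 95%CI=[{lo:.1f}, {hi:.1f}]")
```

The random labels are what keep the "uncached" and "dotcom" numbers honest: a fixed test name would be cached by the resolver after the first query and every later sample would measure only the cache. The non-overlap rule for significance is deliberately conservative, so a difference it reports is real, while a difference it does not report may simply need more samples.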

Sponsors

GoToAssist Express

Carbonite Pro

Ford

Production Information

  • Edited by: Tony
  • Notes: