Security Now 275
Topic: Your Questions, Steve's Answers #105
Recorded: November 17, 2010
Published: November 17, 2010
- 1 Security Now 275: Your Questions, Steve's Answers #105
- 1.1 Security Updates
- 1.2 Security News
- 1.3 Errata
- 1.4 SpinRite Testimonial
- 1.5 Questions & Answers
- 1.5.1 Question [ 01 ] - Jon H in Excelsior, Minnesota wonders about mixed security...
- 1.5.2 Question [ 02 ] - Mark Cyrulik in Oshkosh, WI wonders about "Network masking on networks"
- 1.5.3 Question [ 03 ] - Chris in London, United Kingdom was shocked by the "WPA key setup"
- 1.5.4 Comment [ 04 ] - Shawn Poulson in Middletown, Deleware articulates some "Challenges of going full SSL"
- 1.5.5 Question [ 05 ] - William McMahon in Toronto Ontario has a question about router DNS configuration...
- 1.5.6 Question [ 06 ] - Pete, listening in Rochester New York wonders about GRC's transcripts:
- 1.5.7 Question [ 07 ] - Dave Solon in Lancaster, PA will share his podcast survey results...
- 2 Sponsors
- 3 Production Information
Security Now 275: Your Questions, Steve's Answers #105
Big Apple update, IE6/7 0-day unpatched, infected Chinese cell phones, Stuxnet's probable target, your questions, and more.
6:10 - 8:18
- 7th Mac OS X Patch of the year (~500 MB)
- Fixes 130 security vulnerabilities including 55 flaws in Abode's Flash player.
- Also QuickTime, Time Machine, Safari RSS
8:19 - 9:10
- Adobe Reader and Acrobat platforms now at v9.4.1
- Windows, Macintosh and Unix.
9:11 - 9:54
- UK is now saying copyright infringers will NOT be disconnected from the Internet.
- The recently passed "Digital Economy Act" does include provisions, but the government is hastily adding that they don't foresee taking such measures.
9:55 - 11:10
- The still-unpatched zero-day IE6/7 (not 8) flaw is now on Amnesty International's Hong Kong web site
- Previously, it was on the Nobel web site
- Still no word from Microsoft.
11:11 - 15:05
- Sweden is considering legislation to require ISP data retention:
- Six months of eMail and cell phone TXT messages
- Steve says this is a massive ask and challenge for the ISP's
15:06 - 18:42
- More than one million Chinese cell phones infected with "the Zombie virus" which masquerades as an anti-virus application. It:
- Texts links to itself to everyone in the user's phonebook
- Sends texts to premium numbers, draining users accounts
- Is costing Chinese users $300,000 US per *DAY*
18:43 - 24:30
- Symantec has been continuing to reverse engineer Stuxnet
- It is now looking highly likely it was targeted at Iranian nuclear power plants
- Only targets "specific frequency-converter drives" - power supplies used to control the speed of devices such as motors.
- Stuxnet intercepts commands to vary the speed wildly, but intermittently.
- Doesn’t sabotage just any frequency converter. It inventories a plant’s network and only springs to life if the plant has at least 33 frequency converter drives made by Fararo Paya in Teheran, Iran, or by "Vacon" in Finland.
- Only targets frequency drives from these two companies that are running at high speeds — between 807 Hz and 1210 Hz. Such high speeds are used only for select applications.
- Symantec, who has continued to perform the analysis is careful not to say that Stuxnet was targeting a nuclear facility, but notes that “frequency converter drives that output over 600 Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment.”
24:31 - 26:07 DNS Benchmark Feedback:
- Subject: DNS Benchmark - UK
In a word - Marvellous, I am going to inform everyone I know about this.
Configured home router and all computers to use the same Primary and Secondary resolvers after running several custom benchmarks .... Amazing difference.
Without this tool I thought I had a marvellous broadband connection - It has been an eye opening experience and page refreshes/loads are visually better without any need for precise measurement, it made that much difference.
Thank you Steve.
26:08 - 26:24
- 163k worth of digital voodoo magic.
I love DNS benchmark, it enabled me to optimize my network further. I found a lot of faster DNS servers than OpenDNS.
26:25 - 27:42
- Subject: DNS benchmark success
I often listen to "Security Now" and always enjoy it when I do. Today I watched the live podcast and heard DNS benchmark mentioned so I gave it a whirl on my Linux machine at home, home is Dublin Ireland.
The tool found 40 servers faster than my default (22.214.171.124) and the fastest was surprisingly my ISPs, I say surprisingly because I moved away from using their DNS server last year because it was taking 1 or 2 seconds to resolve many IP address, obviously they have fixed their problems.
Thanks for a interesting and useful tool, I work in the electronics engineering company pretty much everyone in the department I work in has configured their machines to use some or other public DNS server and not the company one, be interesting to see who chosen well.
27:43 - 31:02
- Google Chrome is adding Googles own PDF document viewer
- It will sandbox PDF files
- And available now in the dev channel, coming to the standard version soon
31:03 - 38:30 Paul Oaten (Unknown)
- SpinRite partially fixed a broken hard drive and allowed the data to be recovered
- Steve thinks the owner dropped the hard drive
Questions & Answers
42:10 - 01:30:34
Question [ 01 ] - Jon H in Excelsior, Minnesota wonders about mixed security...
42:10 - 48:43
Question: Can you comment on the security implications of mixing secure and insecure elements on the same web page? Obviously, fully secure is best, but is it reasonable to send part/most of the content securely, but send image-content, for example, in the clear, or is there no way to do this that doesn't compromise the session cookie?
Answer: Mixed content means that the base page is secure, but assets of the page like images are not secure. This is not secure as when the browser asks for the insecure content it will send the session cookies in the clear UNLESS they have been marked as secure.
Question [ 02 ] - Mark Cyrulik in Oshkosh, WI wonders about "Network masking on networks"
48:44 - 58:16
Question: I lived in an apartment complex that gave us free Internet access while we lived there. They ran the switches and the connection, and all we had to do was plug our devices into a wall jack.
In trying to share music with my roommate, however, we ran into a ton of problems because the admin had done something I had never seen before: He had set up the DHCP server to give out IP info as such:
IP Address: 10.1.3.24 subnet mask: 255.255.255.254 Dns: 10.1.3.1 Gateway: 10.1.3.1
What I found very interesting was that he had set up the subnet mask in such a way that your computer though that it was the only computer on the network, and I was not even able to see any other machine on the network.
I know that you mentioned in SN272 that Starbucks could enable WPA2 as a partial interim solution to solving the Firesheep problem, but I’m wondering whether a solution like the one above also help to solve that problem?
Answer: This is an interesting configuration. Imagine an apartment complex where they're giving you free Internet access. And as we know, a 10-dot network - so it's behind its own NAT router, there's a NAT router somewhere, probably a big one, in the manager's office somewhere, which is basically creating a 10-dot network. And we know that that's 16 million IP addresses because the 10 is the first eight bits of the IP address, and then the other 24 can be anything. The first eight of the 32-bit IP addresses have to be 10. Then the next 24 bits can be anything. So that's 16 million IP addresses. So of course there aren't 16 million apartments, nor 16 million connections.
But so what they did was, if they simply set up a big LAN with a normal 10-dot network, there would be this problem that individual connections in different rooms and different apartments in this apartment complex were on the same 10-dot network. So they could see each other, they could ping each other, and there was some connectivity there. Now, probably they were using a switch rather than a hub.
So the point is, if you just did a packet sniff on your connection, you probably were not seeing everybody else's traffic. But you'd be seeing their ARP requests, which are broadcast, and a switch inherently broadcasts everything. So you would see other machines on the network announcing themselves. And with a little bit of cleverness you could get other IPs that other people were using. You could play ARP games. I mean, there are things you could do. So what this particular installation did was interesting.
On a normal 10-dot network, your subnet mask would be 255.0.0.0, meaning that the 255 portion of the subnet mask specifies the network, the so-called network number, which is 10. And those three zeroes, the 0.0.0, say that all the other bits are variable within this 10-dot network. Well, what this subnet mask does in this particular apartment complex is it's all ones except a zero at the very end, meaning that essentially every connection in the apartment complex sees itself on its own network. It says, only my IP - and technically there's one other IP because the last bit could be a zero or a one, but probably they were always zero - essentially, only my IP is on this network. So things like pinging other IPs would not work because they would, if you tried to - normally, if you ping another IP in your own LAN, then that packet is sent to the MAC address of that IP address. And if you're pinging an IP address not on your LAN, then it's sent to the MAC address of the gateway.
Well, what this apartment complex cleverly did was they set a subnet mask that said there are no other IP addresses on this network. So everything, if you sent anything to anywhere, it's going to go to the gateway. So what that does is create some isolation. Which I think is really very clever. It's an interesting way of taking a large private network, which a lot of untrusted people are sharing, and allowing them, dividing this private network up so that it creates interperson privacy to a much greater degree than you would normally have. All that said, he then asks, what does this do for, like, Firesheep and the Starbucks open network hotspot example? And unfortunately, not much, because wireless is always like a hub. And that's one of the problems is that when you broadcast anything, everybody can receive it. So this solution that the apartment complex used works because it's essentially created a very - there's a notion in LANs known as the broadcast domain, that is, when you broadcast, for example, ARP, an ARP request for, hey, who has this IP address, it's sent out to the broadcast IP address of the network, which in this case would be - that's where the other IP address is. It's like all ones in the IP address. So whereas the IP address, for example, was 10.1.3.24, the broadcast would be 10.1.3.25. So even ARP broadcasts would be constrained within these little individual networks. Not so in the case of using this approach on a wireless hotspot because you could still receive everything. Now, it would be trickier to impersonate a person because you'd have to be - you're not all on the same network. So you're on individual little networks. But it does not provide you the same level of isolation that this does in the apartment complex, which actually is a very clever solution.
Question [ 03 ] - Chris in London, United Kingdom was shocked by the "WPA key setup"
01:03:35 - 01:10:46
Question: I was amazed by your description of WPA's initial key exchange on the current security now podcast. Diffie Hellman key exchange http://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange has existed for the best part of 30 years, and is a straightforward solution to this problem - why is it not used?
Answer: Its complicated and the numbers have to be on the order of 100 digits long. The modulus also needs to be a 300 digit long prime number. This means its resource intensive and slow and wouldn't work on low powered hardware
Comment [ 04 ] - Shawn Poulson in Middletown, Deleware articulates some "Challenges of going full SSL"
01:10:47 - 01:19:27
Listener Comment: I think you make a great point that SSL is not computationally expensive these days. However, as a web developer and having been part of a production deployment of a commercial web site using a content distribution network (CDN), I can offer to you that switching to SSL is not always as easy as just throwing a certificate on your servers. Site owners can be compounded with significant certificate and bandwidth costs.
If a site were just a handful of web servers, it would be as easy as installing Certs and going full SSL. However, some amount of additional bandwidth throughput will be utilized because browsers and intermediate caching proxies cannot cache secure content like it can with non-secure content. Browsers will temporarily cache in memory during a session, but afterwards it is thrown away. Returning to the site under a new session will require redownloading all the images, scripts, etc.
Furthermore, when implementing a CDN, such as what Facebook has for pictures at sphotos.ak.fbcdn.net, certificates will not come cheap.
CDNs work like a giant distributed caching proxy server: - A user hits a link hosted by CDN. - DNS resolves to a CDN "edge" server geographically close to the user. - The edge fetches the requested content from its source server at Facebook and caches it. - The edge delivers the cached content back to the user. - Edge servers will synchronize its caches to gain greater geographic coverage. - SSL caching at the edge is still possible because the SSL is only between user and edge server. The edge requests the content from the source server in a separate session (hopefully also using SSL).
Every edge server in the CDN needs an SSL cert installed for your hostname and there are potentially hundreds, if not thousands, of them depending on the CDN provider. If your organization requires the $1000/yr Verisign certs, that can quickly become cost prohibitive.
One alternative is that CDNs may offer a shared secure hosting wildcard cert with a shared domain name that may be free or cheap to use. e.g. https://facebook.somecdn.com
My suspicion is that Facebook needs to rearchitect their CDN infrastructure to avoid excessive costs.
Steve's Comment: He is right. Caching proxies can only see into non SSL connections. There is a cost and performance hit when switching to SSL
Question [ 05 ] - William McMahon in Toronto Ontario has a question about router DNS configuration...
01:19:28 - 01:25:21
Question: I've been using your new DNS Benchmark tool - great job by the way - and am I little curious on some of the settings. I've never used a custom DNS server before, always just used my home router as my DNS (which uses my ISPs DNS Servers). My network at home is running DHCP, so as you know, it pushes the DNS servers as well (in my case the router gateway). I was wondering if there was a way for my router to push the public DNS servers IP instead of pushing the routers gateway address to the machines in my home. I can statically configure my DNS ips on my router, but it still pushes the routers gateway address as the DNS IPs. The only other way around this would be for me to go to each computer (or device) and manually type in the custom DNS servers I want to use!! What a pain!!
Lastly, a comment. Now that you are done with DNS Benchmark you should have all the time to work on CryptoLink!! Right? RIGHT?! Any updates... I'm dying to hear more!!!
Answer: There is normally a setting in the router to turn off DNS proxying. Called "use router for DNS". Steve has other things to do before cryptolink and is cautious to start due to the FBI's recent proposal to wiretap secure connections.
Question [ 06 ] - Pete, listening in Rochester New York wonders about GRC's transcripts:
01:25:22 - 01:27:07
Question: I enjoy reading the PDF of the show. Do you use a software program to transcribe from the audio recording?, and if so, could you please provide the name. Great show, I learned a lot about SSL from the Firesheep discussion.
Answer: A human called "Elaine" transcribes the shows. "On Site Media" is her company
01:27:08 - 01:30:34
Question: Huge fan of your podcast for years along with "This Week in Tech." I was wondering if you might help me out with a grad class research project. I'm a K12 Instructional Technology Specialist in Lancaster, PA and I'm also an avid podcaster (twentyfortech.com).
I'm a huge advocate for teachers and students to start their own podcasts and I'd like to help guide them to create podcasts in formats that most folks like to listen to or watch. I've developed a short survey to try to find some things out to help me in my quest for podcasting proliferation!
Might you share my survey URL for the good of the education and podcasting community? Thank you for your consideration. Here's the page with the links:
I'm going to share all my data and paper after all is complete.
Thanks so much for your consideration! If somehow Leo would also share this study, I'd be forever indebted to you both!
Answer: Steve would love the listeners to fill out the survey and likes the technology behind it
- G2AX #7
- ad times: :59 - 1:14 and 3:15 - 6:02
- Carbonite.com offer code SecurityNow
- Carb #3
- ad times: 1:14 - 1:28 and 38:30 - 42:04
- Sync #8
- ad times: 1:28 - 1:44 and 58:50 - 1:02:46
- Edited by: Jeff
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|