Security Now 276

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 276


Security Now 276: Testing DNS Spoofability

Security Updates

9:32 - 10:23

  • Apple Safari Updated: to v4.1.3 or v5.0.3
    • Fixed 27 vulnerabilities in its Safari web browser for Mac OS X and Windows.
    • Four of the 27 flaws were already been fixed in Apple's iOS mobile operating system, and at least three have already been fixed in Google's Chrome browser (due to WebKit commonality.)

10:24 - 13:48

  • EFF's HTTPS Everywhere enhanced to deal with Firesheep http://www.eff.org/https-everywhere
    • Google Search
    • Wikipedia
    • Twitter
    • Facebook
    • bit.ly
    • GMX
    • Wordpress.com blogs
    • The New York Times
    • The Washington Post
    • Paypal
    • EFF
    • Tor
    • Ixquick
    • and many other sites

13:49 - 16:59

  • Adobe's "Reader X" with Sandboxing now available:
    • Windows, Mac & Android (from the Android Marketplace)
    • http://get.adobe.com/reader/
    • Sneaky checkbox for "McAfee Security Scan Plus" in download
    • Also includes Adobe AIR.

Security News

17:00 - 21:05

  • Stuxnet:
    • Washington Post story begins with: "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday.”
    • It is likely Stuxnet will be re targeted to attack new targets
    • The government is looking to take mission critical systems off the internet

21:06 - 26:16

  • China briefly rerouted 15% of the Internet's 341,000 network prefixes (last April)
    • IETF S-BGP, TCP hijacking

26:17 - 31:06

  • The New York Times (Charlie Savage) - November 16, 2010
    • F.B.I. Seeks Wider Wiretap Law for Web By CHARLIE SAVAGE Published: November 16, 2010

WASHINGTON — Robert S. Mueller III, the director of the Federal Bureau of Investigation, traveled to Silicon Valley on Tuesday to meet with top executives of several technology firms about a proposal to make it easier to wiretap Internet users.

Mr. Mueller and the F.B.I.’s general counsel, Valerie Caproni, were scheduled to meet with senior managers of several major companies, including Google and Facebook, according to several people familiar with the discussions. How Mr. Mueller’s proposal was received was not clear.

“I can confirm that F.B.I. Director Robert Mueller is visiting Facebook during his trip to Silicon Valley,” said Andrew Noyes, Facebook’s public policy manager. Michael Kortan, an F.B.I. spokesman, acknowledged the meetings but did not elaborate.

Mr. Mueller wants to expand a 1994 law, the Communications Assistance for Law Enforcement Act, to impose regulations on Internet companies.

The law requires phone and broadband network access providers like Verizon and Comcast to make sure they can immediately comply when presented with a court wiretapping order.

Law enforcement officials want the 1994 law to also cover Internet companies because people increasingly communicate online. An interagency task force of Obama administration officials is trying to develop legislation for the plan, and submit it to Congress early next year.

The Commerce Department and State Department have questioned whether it would inhibit innovation, as well as whether repressive regimes might harness the same capabilities to identify political dissidents, according to officials familiar with the discussions.

Under the proposal, firms would have to design systems to intercept and unscramble encrypted messages. Services based overseas would have to route communications through a server on United States soil where they could be wiretapped.

A Google official declined to comment. Mr. Noyes said it would be premature for Facebook to take a position.

31:07 - 37:33

  • Alureon Rootkit - now on 64-bit Windows
    • Boot sector infection
    • Bypasses driver signing and "PatchGuard kernel protection"

37:34 - 39:15

  • Google Apps Script API glitch quickly fixed:
    • 21-year-old Armenian calling himself "Vahe G" created a demo on Google's "Blogspot" blogging platform that was able to send eMail from Google to any visiting gMail user who was currently logged onto their Google account.

39:16 - 44:32

Errata

44:33 - 45:02

  • iOS 4.2.1 - now for iPads

SpinRite

45:03 - 47:47 Harry Lindenfeld (Unknown)

Spinrite fixed a broken hard drive

GRC's Comprehensive Spoofability Test

50:55 - 58:00

What's the problem:

  • When a user enters a web address the computer needs to find that servers IP so they use DNS to go and look it up and return the IP
  • In the beginning when DNS was developed security wasn't a consideration
  • Initially a 16 bit query ID was used so the computer could differentiate between DNS queries and it was simply incremented by 1 for each query
  • The bad guys realised that if the queries were always sent from the same port and the ID was incremented linearly you could spoof the reply from a remote server
  • Dan Kaminsky suggested:
    • Query ID's and Ports generated randomly


01:02:20 - 01:25:35

GRC Spoofability Test
http://www.grc.com/dns

Operation:

  • The Creation of a Pseudo DNS Nameserver
    • Ask grc.com's Nameserver for dns.grc.com
    • Ask the dns.grc.com nameserver for the IP of xxxxxxxxxxxxx.dns.grc.com
    • CNAME (canonical name) is returned


  • Protocols:
    • //4ssveussl4azk.dns.grc.com/4ssveussl4azk.gif
    • CNAME (canonical name) - the real name for an alias
    • ...a.a.a.a.a.a.a.a.a.a.a.a.XXXXXXXXXXX.dns.com
    • 43 "a's" to avoid crashing routers!
    • ns1.a.a.a.a.a.a.a.a.a.a.a.XXXXXXXXXXX.dns.com
    • Deliberately delayed replies to stimulate additional querying
    • Deliberately FAIL the lookup after enough work has been done to protect lame consumer routers that are proxying DNS


  • The Display:
    • Scatter chart for instant visual recognition of patterns
    • Individual bit predictibility to reveal what our eyes might miss
    • Statistical analysis of the query set
    • Additional factors: Pingable?, External queries?


  • Router Crash Test
    • Some routers are crashed by returning a valid but unusal query
    • E.g. a longer than normal domain name
    • 111 a's in subdomain / and final resolution provided.

Sponsors

Ford

  • twitfordfocus.com Ford 2012 Ford Focus Global Test Drive
  • Drive One #3
  • Ad Times: 1:00-1:17 and 48:15-50:54

Astaro

  • Astaro.com, or phone 877-4-ASTARO
  • Astaro #2
  • Ad Times: 1:32-1:45 and 58:15-1:01:39

GoToMeeting

Production Information

  • Edited by: Tony
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.