Security Now 285

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 285


Security Updates

2:33 - 4:18

  • Google awards its first "Elite" Chromium Security Award of $3133.7 to Sergey Glazunov for finding and reporting a CRITICAL problem with a stale pointer in speech handling.
  • Sergey also made a bunch more money with multiple $1,000 rewards.
  • Overall: 1 - Critical, 13 - High, 2- Medium

Security News

4:19 - 7:52

  • Facebook offers 100% SSL & HTTPS option beginning today
    • http://on.fb.me/ihQZjy
    • "Starting today we'll provide you with the ability to experience Facebook entirely over HTTPS. You should consider enabling this option if you frequently use Facebook from public Internet access points found at coffee shops, airports, libraries or schools. The option will exist as part of our advanced security features, which you can find in the "Account Security" section of the Account Settings page."

7:53 - 11:26

  • Attorney-Client Privilege does not apply with employer-based eMail
    • http://technolog.msnbc.msn.com/_news/2011/01/19/5877181-attorney-client-privileges-dont-apply-to-work-e-mail
    • California Appeals court (Sacramento 3rd Appellate District) found that a secretary's eMail communication to her attorney over an employment dispute was not privileged.
    • “… [T]he e-mails sent via company computer under the circumstances of this case were akin to consulting her lawyer in her employer’s conference room, in a loud voice, with the door open, so that any reasonable person would expect that their discussion of her complaints about her employer would be overheard,” the court wrote."

11:27 - 12:25

  • Verizon is challenging the FCC's recent Net Neutrality position, banning providers from selectively throttling broadband traffic over their networks.

12:26 - 15:29

  • A US Congressional panel is holding a hearing this week to consider reviving the impossible to implement ISP Data Retention Bill.
    • Would require ISP to retain their customer's Internet data for two years.

15:30 - 16:06

  • Cisco's annual 2010 Security Report indicates that cybercrime appears to be migrating from desktops which are increasingly well secured to mobile devices, which are inherently much more vulnerable.

16:07 - 28:35

  • Browser vendors stir over behavioral advertising tracking & profiling
  • Mozilla introduces a different Do Not Track header:
    • Tracking-Preference: do-not-track
    • Georgio replied:
    • Why inventing yet another header ("X-Tracking-Choice") rather than reusing the "X-Do- Not-Track" proposal, which is already implemented in NoScript and Adblock Plus, and also endorsed by yourself?
  • IE9 - XML-based TPL (Tracking Protection Lists)

28:36 - 30:24

  • Bruce Schneier blogs that:
  • A group of students at the Chinese University in Hong Kong have figured out how to store data in bacteria. The article talks about how secure it is, and the students even coined the term "bioencryption," but I don't see any encryption. It's just storage.
  • http://2010.igem.org/Team:Hong_Kong-CUHK
  • Massively parallel bacterial data storage system
  • Error tolerant data encoding/decoding system
  • Recombination module for data encryption
  • Ready for the exciting future of Biocomputer!

Errata

30:25 - 33:40

SpinRite

33:41 - 35:50 Peter Elkins (Unknown)

Spinrite fixed a broken hard drive

Fuzzy Browsers

38:13 - 1:09:21

  • Michal Zalewski (A Google engineer) releases cross_fuzz for browsers


  • Fuzzing is a software testing technique which sends malformed junk (invalid, unexpected or pseudo-random data) to the inputs of an interpreter or parser of some sort to see whether it can be destabilized by input it was not designed to handle.


  • Wikipedia:
    • The term Fuzz originated in the fall of 1988 from a class project topic in Prof. Barton Miller's graduate University of Wisconsin Advanced Operating System class. The assignment was titled "Operating System Utility Program Reliability - The Fuzz Generator."


  • Formal Test Suite development parallels Code Generation
    • AKA Regression Testing
    • A common functional Specification drives:
    • A team of product coders, and A parallel team of test suite coders


  • Cross_Fuzz
  • Initial results:
    • The largest number of bugs were identified in Firefox, ten by Michal and another 50 after Cross_Fuzz was integrated into Mozilla's existing testing platform.
    • The Firefox issues have since largely been addressed, but some more obscure and hard to analyze crashes still occur.
    • All Webkit-based browsers: Approximately 24 crashes identified.
    • Developers notified in July of 2010.
    • Relevant patches have been released. Some very subtle problems persist.
    • Opera was also notified in July 2010 and all of the frequent crashes were fixed in Opera 11.


  • What is DOM?
    • Contemporary web browser layout engines parse incoming HTML into a DOM for the page.
    • Document Object Model:
    • The Document Object Model is the way JavaScript "sees" its containing HTML page and browser state.
    • A means for client-side scripting to access, examine and manipulate web pages described by documents in HTML, XHTML and XML.
    • E.g. document.formName.inputName
    • Items can be created, deleted, read, written (populated) on the fly.
    • Client-side form validation and dynamic tricks like "rollovers"
    • The DOM is organized like a tree with the document ROOT
    • Paragraph content, image references, form fields, tables, etc.
    • Each element of the document is a named descendant off the root and sub-elements are descendants of those... and so on.


  • Michal's Cross_Fuzz Algorithm:
    • Open two windows with documents of any (DOM-enabled) type. Simple HTML, XHTML, and SVG documents are randomly selected as targets by default - although any other, possibly plugin-supported formats could be targeted instead.
    • Crawl DOM hierarchy of the first document, collecting encountered object references for later reuse. Visited objects and collected references are tagged using an injected property to avoid infinite recursion; a secondary blacklist is used to prevent navigating away or descending into the master window. Critically, random shuffling and recursion fanout control are used to ensure good coverage.
    • Repeat DOM crawl, randomly tweaking encountered object properties by setting them to a one of the previously recorded references (or, with some probability, to one of a handful of hardcoded "interesting" values).
    • Repeat DOM crawl, randomly calling encountered object methods. Call parameters are synthesized using collected references and "interesting" values, as noted above. If a method returns an object, its output is subsequently crawled and tweaked in a similar manner.
    • Randomly destroy first document using one of the several possible methods, toggle garbage collection.
    • Perform the same set of crawl & tweak operations for the second document, but use references collected from the first document for overwriting properties and calling methods in the second one.
    • Randomly destroy document windows, carry over a percentage of collected references to the next fuzzing cycle.


  • A Web Browser DOM Fuzzer in a maximally aggressive script that thrashed around inside the browser trying to cause trouble.


  • Classic Fuzzing Problems
    • Making something mysteriously break is VERY different from finding a bug (You're demonstrating an unknown bug)
    • To wit: The fuzzer is STILL ABLE to break EVERY web browser. Many problems were easy to find and fix, others are still not understood
    • Remember: Microsoft's dilemma of not being able to make IE break last summer.

Sponsors

Ford


Production Information

  • Edited by: Jeff
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.