Security Now 292

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 292


Security Now 292: Your Questions, Steve's Answers #113

Postmortem of SXSW 2011, Google vs Bing, Wave like Google Doc feature, and more.

Security Updates

  • Nothing since the pre-Pwn2Own flurry last week!

Security News

Exactly as predicted: Unpatched MHTML vulnerability now being exploited

  • http://www.microsoft.com/technet/security/advisory/2501696.mspx
  • “Why was this advisory revised on March 11, 2011?”
  • Microsoft revised this advisory to announce that Microsoft is aware of public proof-of-concept code being used in limited, targeted attacks.
  • Users who have applied the automated Microsoft Fix it solution described in Microsoft Knowledge Base Article 2501696 or manually applied the "Enable the MHTML protocol lockdown" workaround described in this advisory to their systems are not exposed to this vulnerability. We recommend that users who have not already applied the Fix it solution or the corresponding workaround to their systems, evaluate the applicability of this workaround for their systems. For more information about the workaround, see the Suggested Actions section.
  • Google Security is seeing it too and agrees:

Adobe reports: New FLASH 0-Day exploits in the wild

  • Windows, Macintosh, Linux, Solaris / Anything that plays Flash including Chrome and Android.
  • Our old friend the "Authplay.dll"
  • SWF file embedded in a Microsoft Excel file delivered as an eMail attachment.
  • No fixes yet.

Twitter adds "Always use HTTPS"

  • Main "Settings" page, Last item at the bottom: "Always use HTTPS"
  • WARNING: "mobile.twitter.com" is only HTTPS during logon so be SURE to use "https:// mobile.twitter.com" yourself. (They say they're going to fix that.)
  • While there: Review your "Connections" permissions. (thanks Simon Zerafa)
  • http://blog.twitter.com/2011/03/making-twitter-more-secure-https.html

Pwn2Own Results / CanSecWest Security Conference in Vancouver

  • Safari:
    • Apple plugged 62 security holes in Safari, but it should have been 63!
    • French security firm Vupen required 5 seconds to exploit Safari and win $15K.
    • The first time in four years that Charlie Miller wasn't the first to crack Safari.
    • (The exploit was pre-written for Safari v5.0.3 on a MacBook Air.)
  • IE
    • IE8 fell to Stephen Fewer of Harmony Security and in the process Stephen slipped right around and bypassed IE8's "Protected Mode" sandbox.
    • Doing that required chaining together three unpatched vulnerabilities. Fewer said: "I spent about six weeks finding the vulnerabilities and engineering the exploit, then I decided to give [Pwn2Own] a go, and bought a plane ticket." And he won $15K and a Sony laptop.
    • Two of the three were required to bypass ASLR and DEP. The third was the one that got him out of the sandbox which allowed him to add a file to the system.
    • Microsoft is "already on the case" ~ Oh... Joy!
  • iPhone
    • Charlie Miller teamed up with Dion Blazakis working on the iPhone exploit the night before. Charlie said that Dion did much of the heavy lifting.
  • Blackberry
    • An multi-national team took down the Torch in seconds using a previously prepared attack.
  • Firefox and Chrome - Untouched.
    • Though one researcher had recently given Google an unknown XSS vulnerability that he could have used to win the Android/Chrome prize.

IE9 was Released Monday

  • Includes DO-Not-Track header as well as Tracking Block Lists (added at the last minute).
  • FULL Security Now! Security Review to follow...

More Car Hacking:

  • Last year we talked about the researchers at UCSD and University of Washington
  • By plugging a laptop into a car's diagnostic system they were able to shut off a car's engine, lock the doors, turn off the brakes and falsify odometer readings.
  • They back... and can now break in via a song played on the car's audio CD, or via Bluetooth or cellular.
  • http://www.itworld.com/security/139794/with-hacking-music-can-take-control-your-car
  • Note: these are highly car-specific attacks.

U.S. Pacific Command:

  • Requested that 13 high profile sites be blocked across the DoD's .MIL network in Japan to conserve bandwidth. The sites blocked are: Youtube.com, Googlevideo.com, Amazon.com, ESPN.go.com, eBay.com, Doubleclick.com, Eyewonder.com, Pandora.com, streamtheworld.com, Mtv.com, Ifilm.com, Myspace.com, Metacafe.com.

Errata

Logging onto Google Docs, recently it prompted Steve to check that his Access Recovery Verification is correct. This information is used to re-establish access to your account if you ever forget your password. It is impressive that Google proactively tries to make sure this information is up to date.

SpinRite

Anthony Ungerman

Interesting links

Periodic Table of Videos

Nuclear Reactors in Japan <http://www.youtube.com/watch?v=-bcrLiATLq0> video from the Periodic Table of Videos <http://www.periodicvideos.com/> (University of Nottingham).

Questions & Answers

Question [ 01 ] - Jeff in Chicago Illinois wonders about Reverse DNS...

Hi Steve and all. I recently found the podcasts of Security NOW. I am enjoying them and learning a lot.

I had ONE question about the Reverse DNS message under the ShieldsUP! proceed page. IT was "The text below might uniquely identify you on the Internet." One time it showed no listing and it was rated as a good thing. Then after an hour or so, my DSL or ISP listing was on that page, WHICH I guess is bad? Someone could track your descriptors? What would keep this IP/DSL listing from showing up to begin with? and why would it later show up when I did a ShieldsUP! scan? I did switch to a dual boot with Linux/WinXP, maybe that has something to do with it? Keep up the good work and thanks. Jeff in IL.

Question [ 02 ] - Chris "B" in Northern California wonders about Aegis Padlock Hardware Encryption & SPINRITE?

Good Afternoon Mr Steve Gibson, I've been a fan, and devote follower of Security Now since the beginning, and have used ShieldsUP more times than I can shake a stick at.

Well, I'm curious of the Security of Hardware-based encryption, primarily related to www.apricorn.com (Aegis Padlock) USB & eSATA drives. Also being a SPINRITE owner I'm curious if hardware-encryption will have any impact to SPINRITE's operation? (P.S. you can use my name, but just Chris-B, if you mention on SecNow?!)

P.S. A short shout-out to SpinRite's AWESOMENESS...I have used SpinRite to fix an ARCHOS-605WiFi 30GB harddrive prior to vacation, and I used this to store PICS from my vacation in Central-America (Belize & Guatamala), and I can tell you that the drive was SO HANDY & convenient, it's working flawlessly, and the value of SPINRITE, has just become PRICELESS, in my honest opinion. Thanks much, and keep up the excellent work!

Question [ 03 ] - Dick Nelson in Melbourne, Florida wonders about "Uncovering Spoken Phrases in Encrypted Voice over IP Conversations"

A very interesting article from the ACM on VOIP encrypted calles. http://portal.acm.org/citation.cfm?doid=1880022.1880029

Love the show.

Question [ 04 ] - Hendrik in Utrecht, The Netherlands has been playing with PLC's...

Greetings from Holland Steve and Leo,

As an intern I have been doing research into security related applications of PLCs (can't tell you much more than that I'm afraid). I was therefore greatly interested in your Security Now episode on Stuxnet. As usual, I have learned a lot!

One thing I noticed was that you mentioned that PLC's have their own network, and therefore a Windows machine is needed to infect them. In my research I have come across various PLC models, most of which supported many connection types to create a network. One of these connection types is Ethernet which can be used with a standard network cable.

In my security research report I mentioned that there is a reasonable risk of someone misconfiguring a network, or accidentally plugging a PLC onto another network, say one connected to the internet. This was one of the reasons the company I was doing the research for chose to only use models using different connections (RS-485 in this case). I can imagine other companies finding the ease of ethernet to attracting not to use.

Another thought was that some system administrators might find it useful to connect the entire system to the internet anyway, so they could fix something without getting out of bed.

Now I don't like being a pessimist, though it seems second nature in the security branch, but I am sure there are plenty of PLCs, SCADA systems and other such networks that are in some way connected to the internet. This combined with the frightening malware advances you have told us about in last week's podcast didn't make me feel to great about the whole thing.

Anyway just wanted to share my thoughts on the subject and thank you all, Steve, Leo and all the other people that make it happen, for a great podcast!

Regards, Hendrik (Malachy on twit irc)

(p.s. NONE of the PLCs I have worked with have ANY form of encryption while communicating over Ethernet. Usernames, passwords etc. were all visible in clear text on the network)

Question [ 05 ] - Robert Osthelder in Fond du Lac, Wisconsin wonders about: "How to switch from Windows to Mac OS, without loosing all his security tools??"

Steve & Leo,

I've been a long time windows user and the go-to guy for IT support for all my family's windows machines.

I've been considering purchasing a new laptop since mine is getting very old and clunky. Doing some shopping around online, I'm very interested in the new Macbook Air. The big reasons for being so interested in the Air are the size, weight and build quality (and to be honest I've always wanted to see what Leo loves so much about his Macs). Right now my biggest concern switching to a Mac is figuring out where to get started when it comes to securing and protecting a device running the Mac OS.

For example, on my windows machine I'm running Malwarebytes, Spybot, Comodo Firewall, and AVG anti virus. The problem is that I don't have a clue if those types of programs exist or weather or not they are necessary on a mac (or in what combination). Would you mind giving me a quick run-down of how to getting started keeping a Mac OS squeaky clean?

Thank you for the all the work you and Leo do on the Security Now! podcast. I've been a regular listener for the past couple years and a proud owner of SpinRite since shortly after I started listening (which I have used to recover several drives)!

Best Regards, Robert Osthelder

Question [ 06 ] - Greg in Brisbane, Australia wonders about IPv6 and ShieldsUP!

I'm currently trialling IPv6 on my home connection with my ISP in Australia (Internode). Curiously, there appear to be no testing sites such as Shields Up that support testing an IPv6 firewall. Are there any plans to support IPv6 firewall testing in ShieldsUP! ?

Question [ 07 ] - Anthony Woodall in Santa Rosa, California comments about the IE6 Countdown...

I just thought I would mention that some business are using I.E 6 internally and are probably not included in the ie6 countdown website. This is true within the company that I work for. We're using a heavily customized- with-code IE6 for all of the web-style internal network resources. And I also remember that you mentioned that a specific government in Europe has refused to move from IE 6 due to all the custom code written in the IE 6 heyday.

Question [ 08 ] - Kevin York (wickedproxy on twit's irc) and in Harrisburg Illinois in the real world mentions "Malware that hides in strange places"...

I was looking at an article here http://english.aljazeera.net/indepth/opinion/2011/03/20113981026464808.h tml and I found a disturbing sentence that if true could be a game changer in computer security.

"Even next generation rootkits were explored - to remain active despite the removal of a hard drive, to persist on a machine through its video card."

It has been the case to the best of my knowledge that if you wipe or replace the hard drive and put a fresh install of the operating system back on you would have a "clean" machine at that point. Well no more if such things can live on your video card or some other device inside your computer.

This is at the least troublesome and scary to think what would happen if this was to get in the wrong hands. But who is to say who's hands are the right ones for something like this.

~30~

Sponsors

GoToMeeting

Astaro

  • Astaro.com, or phone 877-4-ASTARO
  • ad times: 1:01-1:14 and 39:48-43:05


Squarespace

  • SqSp 3
  • ad times: 1:14-1:27 and 1:10:22-1:12:54

Squarespace.com/securitynow

Production Information

  • Edited by: Jason
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.