Security Now 296

From The Official TWiT Wiki

Security Updates

Microsoft Mega Update:

  • Another record breaking Patch Tuesday.
  • 64 known security flaws patched INCLUDING:
    • Finally the MHTML flaw that is being actively exploited
    • And the Pwn2Own flaw that took down IE.
    • Two fixes in SMB (file & printer sharing) that were a concern for local network worm spreading.

Attacks & Breaches

A BIG Texas-size screw-up in Texas!

  • The State of Texas revealed that the personal information of 3.5 MILLION citizens, including names, addresses, Social Security numbers and more has been exposed to the public.
  • Ars Technica: According to Texas State Comptroller Susan Combs, the data wasn't exposed by a hacker or a group of vigilante script kiddies—it ended up on a state-controlled public server after having been passed around between various state agencies. The data came from the Teacher Retirement System of Texas, the Texas Workforce Commission, and the Employees Retirement System of Texas, all of whom transferred the unencrypted data (against state policy) between January and May of 2010. The information was only discovered on the public server on March 31, 2011, meaning it has been available for almost a year.
  • Combs said that other data, like date of birth and driver's license numbers had been exposed "to varying degrees."
  • Combs: "I want to reassure people that the information was sealed off from any public access immediately after the mistake was discovered and was then moved to a secure location," Combs said in a statement. "We take information security very seriously and this type of exposure will not happen again."

Adobe: A new 0-day exploit

  • All current versions of Flash on all platforms.
  • Brian Krebs: "It’s not clear how long attackers have been exploiting this newest Flash flaw, but its exploitation in such a similar manner as the last flaw suggests the attackers may have a ready supply of unknown, unpatched security holes in Flash at their disposal."
  • Expected to be fixed Friday.

Hackers gain root access to WordPress servers

  • WordPress founder Matt Mullenweg blogged:

    "Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

    We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

    Based on what we’ve found, we don’t have any specific suggestions for our users beyond reiterating these security fundamentals:

      • Use a strong password, meaning something random with numbers and punctuation.
      • Use different passwords for different sites.
      • If you have used the same password on different sites, switch it to something more secure.

    (Tools like 1Password, LastPass, and KeePass make it easy to keep track of different unique logins.)

    Our investigation into this matter is ongoing and will take time to complete. As I said above, we’ve taken comprehensive steps to prevent an incident like this from occurring again. If you have any questions or concerns, please leave a comment below or contact our support."

Barracuda Networks

  • From blog posting by Michael Perone, EVP & CMO (CMO?)
  • Compromised Names & eMail addresses.
  • The databases contained just one-way cryptographic hashes of salted passwords. All active passwords for applications remain secure.
  • "So, the bad news is that we made a mistake. The Barracuda Web Application Firewall in front of the Barracuda Networks Web site was unintentionally placed in passive monitoring mode and was offline through a maintenance window that started Friday night (April 8, 2011) after close of business Pacific time. Starting Saturday night at approximately 5pm Pacific time, an automated script began crawling our Web site in search of unvalidated parameters. After approximately two hours of nonstop attempts, the script discovered a SQL injection vulnerability in a simple PHP script that serves up customer reference case studies by vertical market. As with many ancillary scripts common to Web sites, this customer case study database shared the SQL database used for marketing programs which contained names and email addresses of leads, channel partners and some Barracuda Networks employees. The attack utilized one IP address initially to do reconnaissance and was joined by another IP address about three hours later. We have logs of all the attack activity, and we believe we now fully understand the scope of the attack.

    This latest incident brings home some key reminders for us, including that:

      • You can’t leave a Web site exposed nowadays for even a day (or less)
      • Code vulnerabilities can happen in places far away from the data you’re trying to protect
      • You can’t be complacent about coding practices, operations or even the lack of private data on your site – even when you have WAF technology deployed"

Security News:

Apple to also add Do Not Track to their browser (OS X Lion release)

France - "We need the actual password"

Dropbox Authentication: "Insecure by Design?"

Amazon Ad-Supported Kindle

Absolute necessity of iPad “developer gestures”

  • Backed up and restored, lost developer status

"Jared" in Western Australia wondered about Leo and his iPad:

  • You guys on MacBreak are nutters..
  • Did Leo actually take his iPad 2 everywhere, even to the bathroom on a cruise ship?
  • I couldn't believe what I heard.
  • Next thing, would be Leo taking his iPad to bed with him *sheesh*
  • Now that's an Apple Fanatic. Maybe you never heard of something, it's called "privacy"

Steve and iPad2

Evan Drosky

Questions & Answers

Question [ 01 ] - Beau (via Twitter) asks:

Steve, is there a Do Not Track option in Chrome?

Question [ 02 ] - Bruce Powers in New Jersey wonders about “Certificate Authorities”...

I see that Comodo has another bad CA event. Do you remove any authorities from your browser? What disadvantage is there from removing one I don't know or use?

Question [ 03 ] - Lisa Matias in San Jose wonders why we like Android's Java VM?

Greetings: I heard both you (Steve) and Leo speaking favourably of the Android OS and its openness. But it seems to me that, as a 3rd party developer, Android OS is the most closed system, since it restricts me to only develop "glorified web-apps" (Java, JavaScript, Flash, ...) apps. It also seems strange that whenever Google needs a new type of processor intensive app, as the Android guardians, they create extensions to their Java VM to support it. This is not an option that 3rd party developers have. Android apps are restricted to the VM. In contrast, only iOS allows me to create *NATIVE BINARY* apps using the same API, libraries, and SDK that Apple uses for their own native apps that come bundled with it. Apple apps are not restricted to any VM since they run natively, but are restricted in the app-store. Note that like Android, you can still develop and install your "glorified web-apps" (using HTML+CSS+JavaScript), without any app-store restrictions. Steve could easily write his own iOS apps in assembler, and publish them in the iTunes app-store, an option that Steve does not have with Android. So, could you guys please explain why you like the Android OS, when it seems to me to be nothing more than a glorified web-browser, like Google's other ChromeOS. Sincerely, Lisa.

Question [ 04 ] - Dan Hummon in Pennsylvania offers a minor nitpick about our discussion of passwords in Episode 294

Steve, I just wanted to drop a quick note about how passwords are stored in databases. I totally agree with hashing and salting passwords, but I think you left out an important final step. When choosing a hash algorithm, make sure it is one that has some significant computational load associated with it. The one I personally use is bcrypt. If there's a small (but real) computational cost to hashing one password, then if the database is compromised, brute force attacks against the stored database hashes are much less effective. I only mention this because I know many up and coming web programmers are listening, and I want them to have the best possible tools available to them. Thanks again, Dan
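Dan's point about a slow hash, as an added Python example that is not from the show notes or from Dan: it uses the standard library's PBKDF2 (hashlib.pbkdf2_hmac) as a stand-in for bcrypt, since the idea is the same: a per-user random salt plus a tunable work factor stored alongside the hash, so that a stolen table costs the attacker one full hash per guess and old records can be re-hashed with a higher factor at login. The iteration count is an assumed placeholder.

```python
import hashlib
import hmac
import os
import time

# Work-factor policy. Assumed placeholder value for illustration: tune it
# so that one hash costs tens of milliseconds on the real login server.
ITERATIONS = 100_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.
    A fresh random salt per user means identical passwords hash differently,
    so one precomputed table cannot be reused across the whole user base."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGO, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute the hash with the record's own salt and work factor."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != ALGO:
        raise ValueError("unsupported password record: " + algo)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)


def needs_rehash(record, policy_iterations=ITERATIONS):
    """True when the record was made with a weaker work factor than policy."""
    return int(record.split("$")[1]) < policy_iterations


def login(password, record):
    """Verify, and transparently upgrade old records while the plaintext is at hand."""
    ok = verify_password(password, record)
    if ok and needs_rehash(record):
        record = hash_password(password)
    return ok, record


def guesses_per_second(iterations, samples=5):
    """Candidate passwords one core can test per second at a given work factor,
    i.e. the brute-force rate an attacker gets after stealing the database."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", ("candidate%d" % i).encode(), b"\x00" * SALT_BYTES, iterations)
    return samples / max(time.perf_counter() - start, 1e-9)
```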

Question [ 05 ] - Russ in Austin Texas takes issue with Steve's “Toy” operating systems characterization...

Steve: I think it's unfair to criticize Windows for having hundreds of files and modules, as well as distributed development teams. Are you saying every other "Real" OS such as Linux, BSD and others are made by a single team of programmers that handle all aspects of the OS? I know this is not true and I know there are tons of files as part of the distributions. I also think it's fair to differentiate a consumer OS such as Windows 7 and Windows 2008 and their roles. Lack of proper configuration and maintenance of an OS will leave everyone vulnerable. IT professionals working at companies need to be responsible for their configuration regardless of OS. It's unfair to imply that BSD, Linux or others would be secure with no additional configuration or maintenance out of the box.

Question [ 06 ] - Glenn Edward in Nottingham, Maryland offers a "silver lining" observation about this recent April 2011 Windows Patch Tuesday:

Hello Steve. One thing you can say about this month's Patch Tuesday is that the majority of the vulnerabilities that are being patched exist mainly in Windows 7, which could either mean that (A) no more faults exist in Windows XP, (B) Microsoft isn't bothering to fix Windows XP faults now, or (C) hackers are abandoning XP for the more exploitable playground of Windows 7 and Vista. A silver lining for those of us still using Windows XP is, of course, that we may finally be slipping off the radar -- hacker attack wise. Even if it's not true it feels kind of nice to believe so. Almost like running Linux, and knowing that nobody's actively after your system.

Question [ 07 ] - John O in Argyle Texas found MRT debris...

I enjoyed your nice discussion of the Windows MRT tool in episode #293. You might add a note on the next show about where the MRT logs are stored: Location: C:\Windows\Debug\mrt.log There are other interesting logs in there also. (Strange that Microsoft calls it MSRT in this KB article; I suppose the different departments don't speak to each other too much.)

Question [ 08 ] - Craig in Chicago asks us to “PLEASE Help put pressure on Yahoo!”

Hi Steve and Leo! Steve, I've been with you on SpinRite since the mid 80's, and yes I have used it many many times and have referred SpinRite to many over the years. I need to ask you a favor: I have been a Yahoo user for way too many years, and I have for the last 5 years been sending them requests to go SSL for the complete session as Google and others are now doing. But apparently they just do not care. If you could talk about this and ask all who have Yahoo accounts to contact them demanding that they get their act together. There is no reason for them at this point to keep their customers at such a high level of risk. I do understand why they lost their lead, and if I was not so entrenched I would just move. But there is no easy way to move years of e-mails and other things. I do pay them for a premium service; what a joke that is. I guess I pay for no SSL. So maybe if the quality and quantity of your listeners is sufficient, they might finally get the message? But after them being so deaf to the world for the past 10 years, it's probably wishful thinking since they appear to just not get it. You and Leo are the best! I have been listening since the very first podcast and I cannot thank you enough for all you do. Thank you, Craig

Question [ 09 ] - David M in Seattle, Washington notes that we're “overdoing” the VoIP cracking article...

You can see the whole article here: What you're failing to note is that the system as-is has 50% accuracy for the words/phrases in its list!! This is NOT the same as the ability to discern 50% of the conversation! - that is Hype! See Figure 11 titled “Performance on selected phrases.” All this setup can do is look for SELECT phrases/words. Even the authors' ‘evil scenario’ means the villain has to create a ‘rainbow table’ of select words. One cannot use a dictionary pronunciation guide because people don't “speak right” (sic). I know we security folks are pushed to be paranoid in order to balance our society's lack of logic (ha), but I think you've taken this to the Hype level which I am defining as 'past what the data supports.' Love the show and my SpinRite license! David in Seattle

Question [ 10 ] - An anonymous listener wrote: Security Now!... there's an app for that (not kidding)!!

In case you haven't seen it, your show has an app on the iTunes store called "Security Now Catalog" that came out on Friday. No, I have nothing to do with it. I figured you would be amused and flattered to know this. App Store > Education > Tom Chrisholm

Production Information

  • Edited by: Jason
  • Notes: