Security Now 300

From The Official TWiT Wiki

Security Now 300: Your Questions, Steve's Answers #117

Reasons you should change your Facebook password right now, Zero Day, a new Do Not Track bill, and more.

Book Notes

Finished Mark Russinovich’s "Zero-Day" -- VERY enjoyable!

  • @EmpireSteve (Steve Wooding, Hampshire, UK) reports only in US Kindle store.

Security Updates

Microsoft's Patch Tuesday:

  • Following last month's again-record-breaking patch Tuesday
  • Just two updates today fixing three problems.
  • One of them is rated "Critical", but only for enterprises running Windows Server 2003 or 2008.
  • The vulnerability was in WINS (Windows Internet Name Service), which is not even installed by default.
  • The other two "Important" fixes were in PowerPoint. They were remote code execution, but still... only "Important".

Security News

The Tor Project is going to fork Firefox to simplify anonymous browsing over Tor: the browser, the Tor application and the Firefox add-on will all be bundled into a single application. They will not need to wait for Mozilla to do the things they want, and other privacy and anonymizing features can be built right in.

Syrian man-in-the-middle attack against Facebook: the Syrian Telecom Ministry performed a MITM using an unsigned Facebook certificate. Routers and proxies were used rather than DNS tampering (Mohammad had the real Facebook IP address).

Don’t make the mistake of thinking that online file sharing services are secure and private!

  • Research paper:
  • Services, which include sites such as RapidShare, FileFactory, and EasyShare, allow users to upload large files and make them available to anyone who knows the unique URI (or Uniform Resource Identifier) that's bound to each one.
  • According to researchers in Belgium and France, a “significant percentage” of the 100 FHSs (or file hosting services) they studied made it trivial for outsiders to access the files simply by guessing the URLs that are bound to each uploaded file.
  • “These services adopt a security-through-obscurity mechanism where a user can access the uploaded files only by knowing the correct download URIs.”
  • “While these services claim that these URIs are secret and cannot be guessed, our study shows that this is far from being true.”
  • The researchers trained web crawlers on the file services and uncovered hundreds of thousands of private files in less than a month.
  • They also used the sites to store private files that contained Internet beacons, so they'd know if anyone opened them. Over a month's span, 80 unique IP addresses accessed the so-called honey files 275 times, indicating that the weakness is already being exploited in the wild to harvest data many users believe isn't available for general consumption.
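As an added illustration (not from the episode or the cited paper), the arithmetic behind "guessing the URLs": a crawler only needs to land on some existing file, so its yield is set by how densely the identifier space is occupied, and a long random identifier is the fix. The file counts, guess budget and scheme sizes are constructed.

```python
"""Added example, not from the episode or the cited paper: expected yield
of URI guessing against a file-hosting service for several identifier
schemes, and an identifier that resists it. All figures are constructed."""
import secrets

def space_size(alphabet_size: int, length: int) -> int:
    """Number of distinct identifiers a fixed-length scheme can express."""
    return alphabet_size ** length

def expected_hits(space: int, files_hosted: int, guesses: int) -> float:
    """Expected number of live files found by uniformly random guesses.
    A crawler wants any valid file, not one in particular, so the hit rate
    per guess is the occupancy files_hosted / space, not 1 / space."""
    if files_hosted > space:
        raise ValueError("more files than identifiers")
    return guesses * files_hosted / space

def guesses_per_hit(space: int, files_hosted: int) -> float:
    """Average guesses a crawler spends per file found."""
    return space / files_hosted

def make_download_id() -> str:
    """Unguessable identifier: 128 bits from the OS CSPRNG, URL-safe base64
    (22 characters). The space is 2**128 no matter how many files exist,
    so occupancy stays negligible."""
    return secrets.token_urlsafe(16)

# Constructed scenario: 10 million files hosted, crawler makes 1 million guesses.
FILES = 10_000_000
GUESSES = 1_000_000
SCHEMES = {
    "8 decimal digits": space_size(10, 8),     # sequential-style numeric id
    "6 lowercase letters": space_size(26, 6),  # short "random-looking" slug
    "128-bit random token": 2 ** 128,          # what make_download_id() issues
}

def yield_by_scheme() -> dict:
    """Expected files found for each scheme under the scenario above."""
    return {name: expected_hits(space, FILES, GUESSES)
            for name, space in SCHEMES.items()}
```

With these figures the 8-digit scheme gives up 100,000 files per million guesses, the 6-letter slug about 32,000, and the 128-bit token effectively none.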

Senator Rockefeller's new DNT bill:

Meanwhile... Google and Facebook are screaming against new California legislation:

  • California Senate Bill 761 (Alan Lowenthal, D-Long Beach)
  • Proposed law would require companies doing online business in the Golden State to offer an 'opt-out' privacy mechanism for consumers.
  • In a letter signed by Google, Facebook, Yahoo, Amex, Experian, Allstate, Time Warner Cable, MPAA, CTIA - The Wireless Association, CA Chamber of Commerce and more than 20 other associations and companies:
  • QUOTE: “Senate Bill 761 would create an unnecessary, unenforceable and unconstitutional regulatory burden on Internet commerce. The measure would negatively affect consumers who have come to expect rich content and free services through the Internet, and would make them more vulnerable to security threats."

Skype for Mac wormable?

I decided to investigate a little further and found that the Windows and Linux clients were not vulnerable. It was only the Mac Skype client that seemed to be affected. So I decided to test another Mac and sent the payload to my girlfriend. She wasn't too happy with me as it also left her Skype unusable for several days.

At this point I figured out what was needed to execute code. So I put together a proof of concept using metasploit and meterpreter as a payload. Lo and behold, I was able to remotely gain a shell.

So after a lot of trouble trying to find the right person in Skype to notify, I was able to get the correct details for the security team in Skype. I notified them of the security vulnerability and I was given the standard: "Thank you for showing an interest in Skype security, we are aware of this issue and will be addressing it in the next hotfix."

That was over a month ago and there still has not been a fix released. The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victim's Mac. It is extremely wormable and dangerous.

Pure Hacking won't give specifics on how to perform this attack until a patch from Skype is released. However we will give a full disclosure after Skype takes action or a reasonable responsible disclosure time.

UPDATE: 09/05/2011 We can confirm that Skype has fixed this issue in It requires a manual update. All prior versions are vulnerable. According to Skype, this patch will be pushed out next week.

  • (Steve’s Mac currently has v5.1.0.914 and “Check for Update...” says it’s current.)

"Facebook Applications Accidentally Leaking Access to Third Parties" (Symantec blog posting). What happens? QUOTE: According to Symantec's analysis, the problem was caused by a flaw in the old Facebook API which apps used to authenticate their account access. When a user grants account access to a web application, the application is given an "access token" which it can then renew. Symantec said that this access token can be mistakenly inserted into a URL returned by Facebook to the application server when the user logs in to an application. If the application loads an ad banner or analytics code as a next step, it will send that URL, including the access token, in the referrer field of its HTTP request for the content. This referrer data is likely to have been stored in the log file on the advertising or analytics providers' server. The leaked tokens permit user impersonation; changing the user's password invalidates old tokens, and new tokens are safe.
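The leak described above, as an added example that is not code from the episode or from Symantec: an access token in the page URL rides along in the Referer header when the page fetches a banner or analytics script, the app-side fix is to take the token out of the URL and redirect to a clean one before any third-party resource loads, and an ad or analytics provider can check its own logs for referers that carry tokens. The host names, token value and log lines are constructed.

```python
"""Added example, not code from the episode or from Symantec: how an access
token placed in a page URL leaks to third parties through the Referer header,
the app-side fix, and a log check for the ad/analytics side. All URLs, the
token value and the log lines are constructed for illustration."""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed: the URL the old API returned to the app server, token included.
CALLBACK_URL = ("https://app.example.test/canvas?user=123"
                "&access_token=EXAMPLE_TOKEN_abc123&expires=3600")

def browser_referer(page_url: str) -> str:
    """Referer a browser sends when the page loads a banner or analytics
    script: the full page URL minus the fragment, query string included."""
    scheme, netloc, path, query, _fragment = urlsplit(page_url)
    return urlunsplit((scheme, netloc, path, query, ""))

def token_in_referer(referer: str) -> Optional[str]:
    """Third-party view: an access_token recoverable from a logged Referer."""
    return dict(parse_qsl(urlsplit(referer).query)).get("access_token")

def consume_callback(url: str) -> Tuple[str, Optional[str]]:
    """Hardened app handler: pull the token out of the URL (to be kept
    server-side) and return the clean URL to redirect to before any
    third-party resource loads, so the Referer no longer carries it."""
    scheme, netloc, path, query, fragment = urlsplit(url)
    params = parse_qsl(query)
    token = dict(params).get("access_token")
    kept = [(k, v) for k, v in params if k not in ("access_token", "expires")]
    return urlunsplit((scheme, netloc, path, urlencode(kept), fragment)), token

# Combined log format: ... "GET /x HTTP/1.1" 200 43 "referer" "user-agent"
LOG_LINE_RE = re.compile(r'"[^"]*" \d+ \d+ "(?P<referer>[^"]*)"')

def leaked_referers(log_lines: List[str]) -> List[str]:
    """Detection on an ad or analytics host: Referers that carry a token."""
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.search(line)
        if m and token_in_referer(m.group("referer")):
            hits.append(m.group("referer"))
    return hits

# Constructed ad-server log: one request from the leaky page, one from a clean page.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/May/2011:10:00:00 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"' + CALLBACK_URL + '" "Mozilla/5.0"',
    '10.0.0.6 - - [10/May/2011:10:00:01 +0000] "GET /pixel.gif HTTP/1.1" 200 43 '
    '"https://app.example.test/canvas?user=124" "Mozilla/5.0"',
]
```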

Facebook is making GOOD security improvements: 9.6 (and growing) users are now using Facebook over HTTPS, and Facebook now supports the much better OAuth 2.0 system. Facebook applications must support OAuth 2.0 by September.

Firesheep check-in: Download count at 1,492,533 ... 1,492,549 … 1,492,829

Juniper Networks "Mobile Threats Report 2010/2011"

  • Steve's feeling: The problem is almost too big and elusive to talk about coherently.
  • Key findings of the report:
    • App Store anxiety: The single greatest distribution point for mobile malware is application download, yet the vast majority of smartphone users are not employing an antivirus solution on their mobile device to scan for malware
    • Wi-Fi Worries: Mobile devices are increasingly susceptible to Wi-Fi attacks, including applications that enable an attacker to easily log into victim email and social networking applications
    • The Text Threat: 17 percent of all reported infections were due to SMS trojans that sent SMS messages to premium rate numbers, often at irretrievable cost to the user or enterprise
    • Device Loss and Theft: 1 in 20 Juniper customer devices were lost or stolen, requiring locate, lock or wipe commands to be issued
    • Risky Teen Behavior: 20 percent of all teens admit sending inappropriate or explicit material from a mobile device
    • "Droid Distress": The number of Android malware attacks increased 400 percent since summer 2010
  • QUOTE: "These findings reflect a perfect storm of users who are either uneducated on or disinterested in security, downloading readily available applications from unknown and unvetted sources in the complete absence of mobile device security solutions," said Dan Hoffman, chief mobile security evangelist at Juniper Networks. "App Store processes of reactively removing applications identified as malicious after they have been installed by thousands of users is insufficient as a means to control malware proliferation. There are specific steps users must take to mitigate mobile attacks. Both enterprises and consumers alike need to be aware of the growing risks associated with the convenience of having the Internet in the palm of your hand."
  • Suggested Actions:
    • Install an on-device anti-malware solution to protect against malicious applications, spyware, infected SD cards, and malware-based attacks on the device
    • Use an on-device personal firewall to protect device interfaces
    • Require robust password protection for device access
    • Implement anti-spam software to protect against unwanted voice and SMS/MMS communications
    • For parents, use device usage monitoring software to oversee and control pre-adult mobile device usage and protect against cyberbullying, cyberstalking, exploitative or inappropriate usage, and other threats

WebGL as the next (new) attack vector ("The H" Heise Online)

  • US-CERT recommends seeing the write-up (below) and DISABLING WebGL
  • The latest versions of Firefox, Chrome and Safari all support WebGL. Opera has released an Opera 11 preview with WebGL support.
  • (Context Info Sec)
  • QUOTE: Traditional browser content would not normally have direct access to the hardware in any form, if you drew a bitmap it would be handled by some code in the browser with responsibility for drawing bitmaps. This would then be likely to delegate that responsibility to an OS component, which would perform the drawing itself. While this distinction is blurring somewhat with the introduction of 2D graphics acceleration in all the popular browsers it is still the case that the actual functionality of the GPU is not directly exposed to a web page. The salient facts are that the content is pretty easy to verify, has a measurable render time relative to the content, and generally contains little programmable functionality (at least which would be exposed to the graphics hardware).

WebGL on the other hand provides, by virtue of its functional requirements, access to the graphics hardware. Shader code, while not written in the native language of the GPU, is compiled, uploaded and then executed on the graphics hardware. Render times for medium to complex geometry can be difficult to determine ahead of time from the raw data as it is hard to generate an accurate value without first rendering it; a classic chicken and egg issue. Also some data can be hard to verify and security restrictions can be difficult to enforce once out of the control of the WebGL implementation.

This might not be such an issue, except for the fact that the current hardware and graphics pipeline implementations are not designed to be pre-emptable or maintain security boundaries. Once a display list has been placed on the GPU by the scheduler it can be difficult to stop it, at least without causing obvious, system-wide visual corruption and instabilities. By carefully crafting content it is possible to seriously impact the OS’s ability to draw the user interface, or worse. The difficulty in verifying all content and maintaining security boundaries also has a potential impact on the integrity of the system and user data.

Attacks & Breaches

Google Chrome Pwned by VUPEN, Sandbox Breached:

  • And ASLR & DEP bypassed
  • QUOTE: The exploit shown in this video is one of the most sophisticated codes we have seen and created so far as it bypasses all security features including ASLR/DEP/Sandbox (and without exploiting a Windows kernel vulnerability), it is silent (no crash after executing the payload), it relies on undisclosed (0day) vulnerabilities discovered by VUPEN and it works on all Windows systems (32-bit and x64).

The video shows the exploit in action with Google Chrome v11.0.696.65 on Microsoft Windows 7 SP1 (x64). The user is tricked into visiting a specially crafted web page hosting the exploit which will execute various payloads to ultimately download the Calculator from a remote location and launch it outside the sandbox (at Medium integrity level).

While Chrome has one of the most secure sandboxes and has always survived the Pwn2Own contest during the last three years, we have now uncovered a reliable way to execute arbitrary code on any default installation of Chrome despite its sandbox, ASLR and DEP.

  • Two zero-day vulnerabilities. The exploit works on both Chrome versions 11.x and 12.x. It was tested with Chrome v11.0.696.65 and v12.0.742.30. According to Kelly Jackson Higgins of DARK READING: QUOTE: VUPEN -- which withheld technical details of the bugs in its disclosure -- had not disclosed the bugs or any details to Google as of this posting. The security firm provides details of vulnerabilities it discovers to its paying government customers. "We did not publicly disclose any technical details of the vulnerabilities for security reasons. We did not send the technical details of the vulnerabilities to Google, and Google did not ask us to provide these details," says Chaouki Bekrar, CEO and head of research at VUPEN.
  • Google??? A Google spokesperson said in a statement that without any details on the hack, the company is unable to verify it. "We're unable to verify VUPEN's claims at this time as we have not received any details from them. Should any modifications become necessary, users will be automatically updated to the latest version of Chrome," the spokesperson said.


OpenDNS now supporting IPv6

  • World IPv6 day - June 8th
  • The IPv6 addresses for the OpenDNS IPv6 DNS Sandbox are 2620:0:ccc::2 and 2620:0:ccd::2.

IMDB for iOS: iPhone/iPad/iPodTouch (and Android)

Tweets from the field:

@VonWelch (Von Welch): Cover webcam on Macbook Pro w/stickie -> Mac thinks I'm in dark room and dims screen. Turn off auto-dimming under Preferences/Display @SGgrc

@grahamwetzler (Graham Wetzler): @SGgrc Steve, this is a great security tool: Give it a shortened URL and it'll tell you where it leads.


@n0ot (Niko Carpenter): @sggrc In a split handshake, how does a bad guy get the server to only send a SYN packet?

@lem0nhead (Luis Fernando): @SGgrc: do you know what happened to that capacitor idea you announced a while ago?

@cgcardona (Carlos Cardona): @SGgrc You often talk about password hashing/salting. Could you talk about password stretching?


  • IPV4 uses Octal not decimal and each number is considered an "Octet" Tuttlen 19:53, 11 May 2011 (PDT)
    • IPv4 dotted-quad notation uses decimal. Each number is sometimes referred to as an "octet", but this is simply another word for "byte". --Gperrow 08:37, 19 May 2011 (PDT)

Production Information

  • Edited by: Jeff
  • Notes:
