Security Now 301
Recorded: May 18, 2011
Published: May 18, 2011
Security Now 301: Going Random Part 2
Mozilla about to start pushing people away from Firefox v3.5
- 12 million people still using FFv3.5
- FFv5 to be released on
- On that day, FFv3.6.18 will be offered to v3.6.17 & v3.5.19 users
- It will appear like any other "autoupdate" --
so the first time users have been "updated" to a new major version.
- Fortunately, v3.6 is still okay!
- BUG 650030: "major
update automation should support background updates, not just advertised ones"
- "Major Update" 3.5.x -> 3.6.x
Update" : FF downloads and applies at next restart without user interaction or acceptance.
- "Advertised Update" : An update
FF prompts the user to accept before downloading and applying it.
Ed Bott reporting for ZDNet:
- BECAUSE Mac users tend to believe that their Macs are impervious, they tend to believe the "Mac Defender" (and "Apple
- Installs by obtaining their admin password from them.
- Says it can't process their credit card, asks
- Even though it's easy to remove, AppleCare is told NOT to remove since customers should not be given the
expectation that AppleCare will remove it.
- Several weeks ago, it was a couple of calls per day per person. Now it's every
New "DIY" Malware Kit for Mac OS:
- Dubbed: "Weyland-Yutani BOT" (W-Y the terraforming co. from Aliens)
- Brian Krebs
contacted the author through a Russian language forum
- Obtained a video showing the kit's UI components
- Still low profile,
but circulating through underground forums
- Includes a Builder, Admin panel, and encryption support
- Supports web injection
and local form grabbing in Firefox & Chrome with Safari to follow.
- "Web Inject" enhances, for example, banking web pages to
solicit additional information from the user for later use.
- Dedicated iPad and Linux versions are reportedly also underway.
- BEST THOUGHTS I'VE HEARD from Brian Krebs:
- If you've installed a program, update it regularly
- If you no longer need a
program, remove it.
- If you didn't go looking for a program, add-on, or download, don't install it.
American Civil Liberties Union (ACLU)
- Filed FOIA (Freedom of Information Act) requests asking for information about which
ISP's are working with the FBI in their FISA (warrantless wiretapping):
- Court documents filed in reply by the FBI stated:
"Specifically, these businesses would be substantially harmed if their customers knew that they were furnishing information to the FBI. The stigma of working with the FBI would cause customers to cancel the companies' services and file civil actions to prevent further disclosure of subscriber information."
New "Protect IP Act" (Intellectual Property)
- The old COICA (Combating Online Infringement and Counterfeits Act) allowed the
GOV to block domains (and we saw how well that worked!)
- Instead of "domain seizure", the new PIPA would allow the Justice
Department to obtain court orders compelling ISP's DNS servers to stop returning results for particular web sites -- meaning that the sites would still be available outside of the U.S.
- (I recently tweeted that NetFlix was now #1, and BitTorrent is
- 2 traffic generator on the Internet.)
- French security group VUPEN 0-day against Chrome's Sandbox
- Three days later, Chris
Evans, Google's Information Security Engineer and Tech Lead tweeted: "It's a legit pwn, but if it requires Flash, it's not a Chrome pwn"
- VUPEN tweeted in reply: "Flash bugs are equivalent to Chrome sandbox escapes from an attacker's perspective.
You're thinking like developers."
Attacks & Breaches
Great "Zero-Day" book feedback TED Talk: "Beware online "filter bubbles" YouTube Search: "Filter Bubble" -- Eli Pariser Ted 2011 http://youtu.be/B8ofWFx525s Favorite Tweet of the Week: @luridsorcerer (Andrew Lingenfelter): The online software license I'd like to see would have a third option: "Didn't read the license but agree anyway." @bodger (Simon Bodger in Canada) @SGgrc Love the PEE acronym. As a parent, I'm always saying "Before we leave, did you pee?". Sounds like good advice for my data too!
Going Random, Pt. 2
The need for secrets
- "Security through Obscurity"
- Non-Keyed Cipher - Cracked through observation or reverse engineering ●
A "nonce" (for the nonce - for the time being)
- An ephemeral secret, NOT a static algorithm
The "State" of a machine - what does that mean?
- The more "state", the less likely that it can all be known
Sources of true randomness - Physical processes
- Uncoupled "Independent Events"
- Electrical "Noise"
- CCD imaging array in
the dark: http://www.lavarnd.org
- A/D input "Hiss" (LSB)
- Radio Hiss
- Geiger counter
- Chaotic processes: Lava Lamp / SGI /
US Patent 5,732,138
- Semitransparent mirror and photon detector
- TPM: True Random Number Generator
Tests of Randomness
- NIST Special Publication 800-22
- 1. Monobit Frequency
- 2. Block Frequency
- 3. Cumulative Sums
- 5. Longest Run of Ones
- 6. Binary Matrix Rank
- 7. DFT Spectral
- 8. Nonoverlapping Template Matchings
Overlapping Template Matchings
- 10. Maurer's Universal Statistical
- 11. Approximate Entropy
- 12. Random Excursions
Random Excursions Variant
- 14. Serial
- 15. Lempel-Ziv Compression
- 16. Linear Complexity
- Edited by:
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|