Security Now 301

From The Official TWiT Wiki
Jump to: navigation, search
Security Now
Episode 301

Security Now 301: Going Random Part 2

Security Updates

Mozilla about to start pushing people away from Firefox v3.5

  • 12 million people still using FFv3.5
  • FFv5 to be released on

June 21st

  • On that day, FFv3.6.18 will be offered to v3.6.17 & v3.5.19 users
  • It will appear like any other "autoupdate" --

so the first time users have been "updated" to a new major version.

  • Fortunately, v3.6 is still okay!
  • BUG 650030: "major

update automation should support background updates, not just advertised ones"

    • "Major Update" 3.5.x -> 3.6.x
    • "Background

Update" : FF downloads and applies at next restart without user interaction or acceptance.

    • "Advertised Update" : An update

FF prompts the user to accept before downloading and applying it.

Security News

Ed Bott reporting for ZDNet:

  • BECAUSE Mac users tend to believe that their Macs are impervious, they tend to believe the "Mac Defender" (and "Apple

Security") pop-ups.

  • Installs by obtaining their admin password from them.
  • Says it can't process their credit card, asks

for another...

  • Even though it's easy to remove, AppleCare is told NOT to remove since customers should not be given the

expectation that AppleCare will remove it.

  • Several weeks ago, it was a couple of calls per day per person. Now it's every

other call.

New "DIY" Malware Kit for Mac OS:

  • Dubbed: "Weyland-Yutani BOT" (W-Y the terraforming co. from Aliens)
  • Brian Krebs

contacted the author through a Russian language forum

    • Obtained a video showing the kit's UI components
  • Still low profile,

but circulating through underground forums

  • Includes a Builder, Admin panel, and encryption support
  • Supports web injection

and local form grabbing in Firefox & Chrome with Safari to follow.

    • "Web Inject" enhances, for example, banking web pages to

solicit additional information from the user for later use.

  • Dedicated iPad and Linux versions are reportedly also underway.
  • BEST THOUGHTS I'VE HEARD from Brian Krebs:
    • If you've installed a program, update it regularly
    • If you no longer need a

program, remove it.

    • If you didn't go looking for a program, add-on, or download, don't install it.

American Civil Liberties Union (ACLU)

  • Filed FOIA (Freedom of Information Act) requests asking for information about which

ISP's are working with the FBI in their FISA (warrantless wiretapping):

  • Court documents filed in reply by the FBI stated:

"Specifically, these businesses would be substantially harmed if their customers knew that they were furnishing information to the FBI. The stigma of working with the FBI would cause customers to cancel the companies' services and file civil actions to prevent further disclosure of subscriber information."

New "Protect IP Act" (Intellectual Property)

  • The old COICA (Combating Online Infringement and Counterfeits Act) allowed the

GOV to block domains (and we saw how well that worked!)

  • Instead of "domain seizure", the new PIPA would allow the Justice

Department to obtain court orders compelling ISP's DNS servers to stop returning results for particular web sites -- meaning that the sites would still be available outside of the U.S.

  • (I recently tweeted that NetFlix was now #1, and BitTorrent is
  1. 2 traffic generator on the Internet.)
  • French security group VUPEN 0-day against Chrome's Sandbox
  • Three days later, Chris

Evans, Google's Information Security Engineer and Tech Lead tweeted: "It's a legit pwn, but if it requires Flash, it's not a Chrome pwn"

  • VUPEN tweeted in reply: "Flash bugs are equivalent to Chrome sandbox escapes from an attacker's perspective.

You're thinking like developers."

Attacks & Breaches



Great "Zero-Day" book feedback TED Talk: "Beware online "filter bubbles" YouTube Search: "Filter Bubble" -- Eli Pariser Ted 2011 Favorite Tweet of the Week: @luridsorcerer (Andrew Lingenfelter): The online software license I'd like to see would have a third option: "Didn't read the license but agree anyway." @bodger (Simon Bodger in Canada) @SGgrc Love the PEE acronym. As a parent, I'm always saying "Before we leave, did you pee?". Sounds like good advice for my data too!


“Jeffrey Wurzbach”

Going Random, Pt. 2

The need for secrets

  • "Security through Obscurity"
  • Non-Keyed Cipher - Cracked through observation or reverse engineering ●

A "nonce" (for the nonce - for the time being)

  • An ephemeral secret, NOT a static algorithm

The "State" of a machine - what does that mean?

  • The more "state", the less likely that it can all be known

Sources of true randomness - Physical processes

  • Uncoupled "Independent Events"
  • Electrical "Noise"
    • CCD imaging array in

the dark:

    • A/D input "Hiss" (LSB)
    • Radio Hiss
  • Geiger counter
  • Chaotic processes: Lava Lamp / SGI /

US Patent 5,732,138

  • Semitransparent mirror and photon detector
  • TPM: True Random Number Generator

Algorithms My first JavaScript: Yarrow / Bruce Schneier & John Kelsey Fortuna / Bruce Schneier & Niels Ferguson

Tests of Randomness

  • NIST Special Publication 800-22
  • 1. Monobit Frequency
  • 2. Block Frequency
  • 3. Cumulative Sums
  • 4.


  • 5. Longest Run of Ones
  • 6. Binary Matrix Rank
  • 7. DFT Spectral
  • 8. Nonoverlapping Template Matchings
  • 9.

Overlapping Template Matchings

  • 10. Maurer's Universal Statistical
  • 11. Approximate Entropy
  • 12. Random Excursions
  • 13.

Random Excursions Variant

  • 14. Serial
  • 15. Lempel-Ziv Compression
  • 16. Linear Complexity


Production Information

  • Edited by:
  • Notes:
Info.png This area is for use by TWiT staff only. Please do not add or edit any content within this section.