Security Now 302

From The Official TWiT Wiki

Security Now 302: Q&A 118

Security Updates

Google Updating Android

  • SANS: "Google is rolling out a fix for a vulnerability in the majority of Android phones that allows attackers to access and modify users' Google contacts and calendar when they are being accessed over unsecured Wi-Fi networks. The flaw affects versions 2.3.3 and earlier of the Android platform, which is running on 99.7 percent of Android devices. The fix does not require action from users; it will be pushed out automatically."

Adobe Updates FLASH once again:

  • Obsoletes:
    • Adobe Flash Player and earlier for Windows, Macintosh, Linux and Solaris operating systems
    • Adobe Flash Player and earlier for Chrome
    • Adobe Flash Player and earlier for Android
  • Adobe has released patches for multiple security vulnerabilities affecting its Flash Player. Adobe reports that malware in the wild is exploiting one of the vulnerabilities, a memory corruption vulnerability. By enticing a target to view a malicious file, an attacker can exploit these vulnerabilities in order to execute arbitrary code.

Security News

Facebook adds phone-loop two-factor authentication

  • First login from a new device requires two-factor authentication
  • You've got to give up your cellphone number, but it seems like a good thing.

Kaspersky finds another Windows rootkit with x64 support:

  • Variant of the Banker Rootkit targets online banking access credentials
  • Injected into systems via a hole in obsolete Java.
  • 1) Disables Windows UAC (user account control) so that it can go about its business without being interrupted.
  • 2) Installs bogus Root Certificates and modifies the HOSTS file so that accesses to popular banking web sites are redirected to phishing sites operated by the criminals.
  • 3) Rootkit installs a driver, and like the Alureon Rootkit for 64-bit systems, it uses the "test mode" built into Windows PatchGuard to bypass the requirement for signed drivers.
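The HOSTS-file half of that behaviour is straightforward to audit, so here is an added Python check (example code written for these notes, not from the show or Kaspersky's report): it parses a HOSTS file and flags watched banking hostnames that have been pinned to anything other than loopback or the usual ad-blackhole address. The sample file, the 192.0.2.10 address and the examplebank.test domain are constructed for the demo; the bogus root certificates are a separate check not covered here.

```python
import ipaddress

# Constructed sample HOSTS file in the shape the rootkit leaves behind: the
# stock local entries plus banking hostnames pointed at a remote address.
SAMPLE_HOSTS = """\
# sample header comment, as found at the top of a stock HOSTS file
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test
192.0.2.10      www.examplebank.test online.examplebank.test   # injected
"""

# Domains the organisation knows should never be pinned in HOSTS (constructed).
WATCHED_DOMAINS = {"examplebank.test"}

# Addresses that make an entry harmless: loopback and the usual ad-blackhole.
BENIGN_TARGETS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "::1", "0.0.0.0")}

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping blanks, comments and
    lines whose first field is not a valid IP address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield ip, name.lower()

def in_watched(name, watched):
    """True if name is a watched domain or one of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in watched)

def suspicious_entries(text, watched=WATCHED_DOMAINS):
    """Return (ip, hostname) for every watched hostname that HOSTS redirects
    to a non-benign address; anything returned deserves an incident ticket."""
    return [(str(ip), name) for ip, name in parse_hosts(text)
            if ip not in BENIGN_TARGETS and in_watched(name, watched)]

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"ALERT: {name} redirected to {ip}")
```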

More on Apple not being very helpful with Mac Defender

  • A leaked support document apparently from Apple seemingly directs AppleCare workers not to "confirm or deny" whether a user's Mac is infected, and not to attempt to remove or uninstall any infections.
  • The document, leaked to ZDNet, tells support workers to stress that Apple doesn't provide "help or support for removal of the malware."
  • Graham Cluley of Sophos (Astaro's new parent) said:
    • [Mac's increased market share has] "Effectively ... reached a tipping point where people are now getting hit with malware on their Macs," said Cluley. "On the support forums you'll see plenty of people who say they were just Googling around when a message popped up and convinced them they had a security problem." "In terms of Mac malware, Mac Defender is the biggest event to date, there were earlier viruses and malware, but this is big."

Attacks & Breaches

Sony's continuing trauma

  • Sony BMG Greece and also some Asian sites

NASA confirmed that the FTP server at their Goddard Space Flight Center had been breached.

  • The same person, a Romanian known as TinKode, also breached security at a European Space Agency network in April. He refused requests to discuss the details of the network vulnerability he exploited in the intrusion, but said that he has not been contacted by NASA. TinKode said he obtained confidential satellite data.


Mark Russinovich's Zero-Day

Unintended Consequences: Bitcoin Miners house searches

  • The Canadian town of Mission, BC has a bylaw that allows the town's Public Safety Inspection Team to search people's homes for "marijuana grow-ops" if they are using more than 93 kWh of electricity per day.
  • Also...
    • BTC exchange rate north of $7, around $7.50
    • Jason Calacanis "Bitcoin is the worst idea ever"

Really Annoying Overreach Department:

From the Twitterverse:

  • @3ichaelL (Michael Leonard in San Diego): Just listened to SN, great show. I think I have a better name for you, PIE - Pre Internet Encryption.


Mark Wright


Question [ 01 ] - Listener and Programmer Jim Hyslop rants against Steve's claim...

Steve, in Episode 256, Q&A #115, your very passionate claims that it is possible to have bug-free software are a major slap in the face to those of us who build software for a living.

Sir, you have stained the honour of all professional programmers, and I will have satisfaction. As the injured party, I hereby challenge you to a thumb wrestling duel to be held at a place and time that is mutually convenient.

All joking aside, though, you exclaimed "Come on, it's math!" No, it's not. Good programming is communication: communicating your intentions to the compiler, and more importantly to other programmers in such a way that there can be no confusion. That's why, as you pointed out in your (very much justified) rant against Javascript, every browser interpreted a particular code snippet in a different way. Communication is a human activity, and no matter how carefully you choose your words, someone will interpret what you say in a different manner. I can't count the number of times I have had QA testers file bug reports, only to tell them "uh, no, that's how it's supposed to work. Look at this section in the design document."

And, of course, people make mistakes. Add in the complexities of multi-threaded and event-driven programs, and you are now talking about programs whose complexity is several orders of magnitude greater than most programs that could be written in assembler. At that point, proving that a program is bug-free is an almost impossible task.

You said "By definition it's possible for us to have an absolutely bug free environment and not a bug in any apps, but it'll never happen." Well, it is also possible to win the lottery five times in a row, but that'll never happen.

Just to be clear, I'm not saying that because we can't write bug-free code, we should just shrug our shoulders and say "Oh, well," or that we should expect such basic mistakes as not sanitizing inputs, allowing buffer overruns, and so on.

Good software developers should - no... they MUST - always do their best to write code that is as bug-free as they know how to make it. And yes, Steve, I'm afraid that means there will always be bugs, and people will always make mistakes like shutting off a firewall.

Question [ 02 ] - Pat Cho in Sacramento, California wonders about disabling browser plug-ins:


While I would prefer not to have Java and other plug-ins installed on my computer, I need them for a few sites. Firefox and most other browsers give you the option to disable them, which I do unless I need them for a specific web page.

Am I gaining any additional security by doing this, or am I just wasting my time because the malware can somehow access the needed dll files if they exist on my computer?

If this does provide some additional security, I hope someone develops an extension to make it easier to turn the plug-ins on and off.

Thanks for the great show and for SpinRite.

Question [ 03 ] - Cory in New York City uses the Subject: "Police State" to worry about privacy:

Dear Steve,

First of all, thanks for all your great work on Security Now. Now, on to business: I came across an interestingly disturbing article on Ars Technica yesterday.

Basically, they describe the technology the Police can (and often do) use to grab data from cell phones when they pull someone over. They can do it via a physical connection, or even Bluetooth. I was wondering what, if anything, can be done about this? Would encrypting your phone help? Certainly a TrueCrypt-style encryption would mean nothing useful could be gotten, but are such things readily available or computationally feasible on phones? What about older phones or early generation Smartphones (iPhone 3G or first Droid, or original G1 for example), surely they would take the biggest computational hit for encryption. Is there anything else that could be done? I'm sick and tired of governments assuming that wanting privacy means we're hiding something. Can't wait to hear your thoughts, and thanks again for all your hard work.

Question [ 04 ] - Martin Rojas in Atlanta, Georgia wants to setup a secure eMail community:

Steve, I love the show and I have been listening since episode 30, and I have to say it made me appreciate what I was learning in my CS classes and how it applied to the real world. I love hearing your explanations and propeller hat episodes, but recently some friends and I have been trying to figure out how to encrypt email while communicating within our group. I immediately thought of public key encryption, but I have no idea of any software or how I would go about setting this up for our group. I know most of the time the topics are theoretical, but I think a lot of people would love a practical way to apply encryption to our email.

Love the show and please keep up the awesome job you and Leo do with the podcast.

Question [ 05 ] - Tim Roesslein (ROZ-lin) Saint Louis, MO, wonders about optimum password brute forcing strategy...

Hello Steve. I am listening to Security Now thanks to a friend of mine, Andy Gibson (no relation I'm sure, other than a strong security mindset *for sure*). I started from the beginning, and am almost up to episode 100, and am excited to find out what the surprise was you promised for that milestone! :)

Every once in a while I sprinkle in a more recent episode as well. I just finished listening to #297. I am writing this shortly after hearing you say that in terms of password or phrase vulnerability, the attacker has no knowledge of your password character scheme, with Leo adding that it might even be foolish for the attacker to make any assumptions about it.

But they have to start somewhere, and that got me wondering if brute force attacks were "tiered" --- in other words, does a typical brute force attack in fact start with the assumption of a simpler password, perhaps with a limited character set of all lower case alpha, and then "tier up" to include upper case, then numerical, and then ultimately special characters?

The bottom line is, if so, wouldn't you be "most secure" by only picking from the special character set, as that would be at the tail end of any brute force attempts --- thereby making the attacker's job more difficult simply by choosing exclusively from the last upper tier?

P.S., you can't very well listen to 100 episodes of Security Now without eventually buying a copy of SpinRite, so one of those Yabba Dabba Doos was me. :) No problems with any of my drives, but it's nice to have bit-level confirmation that they're still in good shape.

Grateful for your and Leo's contributions to the field, Tim Roesslein (ROZ-lin) Saint Louis, MO

Question [ 06 ] - Levi D. Smith in Oak Ridge, TN wants his WebGL!

This afternoon I listened to Security Now #300, and I was concerned about the comments about WebGL. WebGL is a powerful technology, which provides a standard method for rendering 3D applications in web browsers. I agree that there are security flaws in the initial implementations of the WebGL standard, but to blackball the entire WebGL API as a security risk is unfair. The focus should be placed on fixing the security vulnerabilities of the browser implementations, instead of rejecting the WebGL library in its entirety.

Question [ 07 ] - An anonymous listener writes...

Hi Steve! I just finished listening to SN 299 and went straight to your ... page.

Of course I use NoScript (d'uh) ... Sooooo ... Best “No JavaScript” warning ever!!

Question [ 08 ] - Aaron in Bend, Oregon wonders about "USB prophylactics"...

Hi Steve and Leo!

Tonight I'm sitting here with my thumb drive stuck inside a friend's deeply infected PC trying various tools to clean it -- including the new MS Safety Scanner you mentioned a couple of episodes ago.

When I'm done, and want to use this thumb drive again, what is the safest way to use it in my own computer again after being in an infected PC?

Is it enough to have auto-run turned off on my PC? Then I'd format and copy the programs I use back on it.

I did some Googling tonight and found a couple of free programs that claim to make your USB flash drive read-only. And I also see that you can buy flash drives with a write-protect switch like an old floppy disk. But I don't want to buy another flash drive when I have so many lying around, and I didn't find any software from a source I recognized/trusted.

I also thought of formatting while on the infected PC after I'm done. But I don't trust malware to not hop back on after it's formatted and before I can yank it out.

As always, thank you for the podcast. Aaron

Question [ 09 ] - Frank Varela in Boyle Heights, California wants more on PEE....

Long time listener and always fascinated with the topics guys!

Steve, you brought up the term Pre-Egression Encryption (PEE). Could you talk a little more about this?

Question [ 10 ] - Kevin Yong in Los Angeles, California asks about password strength and dictionary attacks...

I'm a fan of your Security Now podcasts, and I had a question about password strength and dictionary attacks.

I know from your past advice that any normal word used as a password can easily be cracked in a dictionary attack. Does the same hold true for a dictionary word with alphanumeric additions mixed in (such as "eXample05%")?

Also, what about longer passwords containing a mix of dictionary words with numbers and symbols? For example, if my 20+ character password was something like "[I~Can`t*Remember!]#8", would it still be vulnerable to dictionary attacks or similar brute force hacking?

I'm trying to strike a balance between password strength and memorability, and being able to include words or phrases within the mix of alphanumeric characters would make things much easier for me. I just don't want to make it easier for hackers too -- especially if I use it for something like a LastPass master password.

Thanks for any advice you and Leo might have!
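Tim's tiered-brute-force question (Question 05) and Kevin's dictionary-plus-symbols question (Question 10) both come down to sizing the attacker's search space, so here is one added Python model that covers both (example code written for these notes, not anything from the show): it counts the guesses a tiered brute-forcer spends before reaching a password, shows what happens if the attacker instead guesses which character classes were used, and tests whether a password falls inside a small word-mangling rule set. The word list, its assumed size of 100,000 and the particular rule set are constructed assumptions.

```python
import string

# Constructed demo dictionary; a real cracking wordlist holds millions of
# words, so WORDLIST_SIZE stands in for that when sizing the rule search.
WORDLIST = {"example", "password", "remember", "security"}
WORDLIST_SIZE = 100_000

# Character classes in the order the question imagines an attacker "tiering up".
TIERS = [string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation]

def tiered_bruteforce_guesses(pw):
    """Worst-case guesses for a brute-forcer that exhausts every smaller alphabet
    at pw's length before widening to the tier that covers all of pw's characters.
    Returns (total guesses, guesses spent in that final tier alone)."""
    n, alphabet, earlier = len(pw), "", 0
    for tier in TIERS:
        alphabet += tier
        if all(c in alphabet for c in pw):
            return earlier + len(alphabet) ** n, len(alphabet) ** n
        earlier += len(alphabet) ** n
    raise ValueError("character outside the modelled tiers")

def scheme_known_guesses(pw):
    """If the attacker guesses which classes pw draws from, only the union of
    those classes matters, however late they sit in the tier order."""
    alphabet = "".join(t for t in TIERS if any(c in t for c in pw))
    return len(alphabet) ** len(pw)

def mangled_dictionary_guesses(pw):
    """Model one common rule set: dictionary word, at most one letter toggled in
    case, then 0-2 digits and 0-1 symbol appended. Size of that space, or None."""
    body, symbols, digits = pw, 0, 0
    while body and body[-1] in string.punctuation:
        body, symbols = body[:-1], symbols + 1
    while body and body[-1].isdigit():
        body, digits = body[:-1], digits + 1
    uppers = sum(c.isupper() for c in body)
    if body.lower() not in WORDLIST or symbols > 1 or digits > 2 or uppers > 1:
        return None
    case_patterns = len(body) + 1          # unchanged, or one letter toggled
    digit_choices = 1 + 10 + 100           # none, one or two appended digits
    symbol_choices = 1 + len(string.punctuation)
    return WORDLIST_SIZE * case_patterns * digit_choices * symbol_choices

if __name__ == "__main__":
    for pw in ("eXample05%", "[I~Can`t*Remember!]#8", "!@#$%^&*"):
        print(pw, tiered_bruteforce_guesses(pw), scheme_known_guesses(pw),
              mangled_dictionary_guesses(pw))
```

Under these assumptions "eXample05%" sits inside a rule space of about 2.9 billion candidates even though its full-alphabet brute-force space is 94^10, while Kevin's longer multi-word string falls outside the rule set entirely. For a specials-only string the earlier tiers add only a few percent to the final tier's work, and an attacker who guesses the scheme shrinks the space to 32^n, so restricting yourself to the "last tier" buys little.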



Fresh Books
