Security Now 303

From The Official TWiT Wiki

Security Now 303: Password Haystacks

Security Update

Apple issues Security Update for Mac Defender
May 31st / Security Update 2011-003 / 2.1 MB
Malware removal: Available for: Mac OS X v10.6.7, Mac OS X Server v10.6.7 (ONLY THE LATEST versions of Snow Leopard; earlier releases not supported)
Impact: Remove the MacDefender malware if detected
Description: The installation process for this update will search for and remove known variants of the MacDefender malware. If a known variant was detected and removed, the user will be notified via an alert after the update is installed.
Additional information is available in this Knowledge Base article:
<quote> Security Update 2011-003 provides additional protection by checking for the MacDefender malware and its known variants. If MacDefender malware is found, the system will quit this malware, delete any persistent files, and correct any modifications made to configuration or login files. After MacDefender is identified and removed, the message below will be displayed the next time an administrator account logs in. </quote>

Mac Defender evolves: No longer needs to trick the user into entering the admin password

Ed Bott / ZDNet / New Apple antivirus signatures bypassed within hours by malware authors <quote> Update June 1, 6:00AM PDT: The bad guys have wasted no time. Hours after Apple released this update and the initial set of definitions, a new variation of Mac Defender is in the wild. This one has a new name, Mdinstall.pkg, and it has been specifically formulated to skate past Apple’s malware-blocking code.

The file has a date and time stamp from last night at 9:24PM Pacific time. That’s less than 8 hours after Apple’s security update was released.

On a test system using Safari with default settings, it behaved exactly as before, beginning the installation process with no password required.

As PC virus experts know, this cat-and-mouse game can go on indefinitely. Your move, Apple. </quote>

Security News

Microsoft System Sweeper: Free, Bootable Malware/Rootkit removal tool (via @SimonZerafa)

Military Contractors breached due to RSA First Lockheed Martin, now L-3 Communications

Hurt Locker's studio goes after 24,583 BitTorrent users
Voltage Pictures, Hurt Locker's production studio, has already filed lawsuits against 5,000 BitTorrent users who illegally downloaded Hurt Locker.
Of the 24,583: 10,532 are Comcast customers, 5,239 are Verizon, 2,699 are Charter, and 1,750 are Time Warner.
Verizon and Charter only offer up 100 and 150 customer IP addresses per month respectively.
Voltage Pictures would prefer to reach cash settlements with customers as opposed to taking each case to court individually.

IE "CookieJacking"
Potential session cookie hijack (that's what Firesheep was)
Affects ANY version of Windows or IE
Demoed at the Hack In A Box conference in Amsterdam
Requires drag & drop within a specially crafted page
The researcher's Facebook "Puzzle App" collected 80 Facebook session cookies from 180 of his Facebook "friends".
Uses iFrames and IE's Security Zones.
Microsoft was notified on January 28th and believed it was fixed in IE9, but it's still broken there.

Google Speeds Up SSL
SSL "False Start" jumps the gun: the client starts sending application data BEFORE the server's final SSL "Finished" message has arrived. "Finished" validates the entire handshake to date and is sent under the agreed cipher spec.
From Google's draft to the IETF:
<quote> When the client has sent its "ChangeCipherSpec" and "Finished" messages, its default behavior following [RFC5246] is not to send application data until it has received the server's "ChangeCipherSpec" and "Finished" messages, which completes the handshake. With the False Start protocol modification, the client MAY send application data earlier (under the new Cipher Spec) if each of the following conditions is satisfied:
  • The application layer has requested the TLS False Start option.
  • The symmetric cipher defined by the cipher suite negotiated in this handshake has been whitelisted for use with False Start according to the Security Considerations in Section 6.1.
  • The key exchange method defined by the cipher suite negotiated in this handshake has been whitelisted for use with False Start according to the Security Considerations in Section 6.2.
  • In the case of a handshake with client authentication, the client certificate type has been whitelisted for use with False Start according to the Security Considerations in Section 6.2. </quote>
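To make the ordering concrete, here is a small simulation of the client-side rule quoted above. It is an added example written for these notes, not Google's code or any TLS library's implementation. The cipher and key-exchange names are illustrative labels, and the three whitelists are assumptions standing in for the draft's Section 6 lists; the point it shows is why the whitelist exists: False Start data goes out before the server's Finished has confirmed that nobody tampered with the negotiation, so it is only safe under suites that would hold up even if a downgrade had been attempted.

```python
"""Model of the TLS False Start client rule (added example, not Google's code)."""
from dataclasses import dataclass
from typing import List, Optional

# ASSUMED whitelists standing in for the draft's Section 6.1/6.2 lists:
# strong symmetric ciphers and forward-secret key exchanges only.
FALSE_START_CIPHERS = {"AES_128_GCM", "AES_256_CBC", "AES_128_CBC"}
FALSE_START_KEY_EXCHANGES = {"ECDHE_RSA", "ECDHE_ECDSA", "DHE_RSA"}
FALSE_START_CLIENT_CERT_TYPES = {None, "rsa_sign", "ecdsa_sign"}


@dataclass(frozen=True)
class NegotiatedSuite:
    """What the (still unverified) ServerHello claims was negotiated."""
    key_exchange: str
    cipher: str
    client_cert_type: Optional[str] = None  # None = no client authentication


def may_false_start(app_requested: bool, suite: NegotiatedSuite) -> bool:
    """True only when all four conditions in the draft hold."""
    return (
        app_requested
        and suite.cipher in FALSE_START_CIPHERS
        and suite.key_exchange in FALSE_START_KEY_EXCHANGES
        and suite.client_cert_type in FALSE_START_CLIENT_CERT_TYPES
    )


def client_transcript(app_requested: bool, suite: NegotiatedSuite) -> List[str]:
    """Order of client-side events for a full TLS 1.2 handshake.

    Application data moves ahead of the server's ChangeCipherSpec/Finished
    only when False Start applies; otherwise it waits for the handshake to
    complete, as RFC 5246 prescribes.
    """
    events = [
        "send ClientHello",
        "recv ServerHello", "recv Certificate",
        "recv ServerKeyExchange", "recv ServerHelloDone",
        "send ClientKeyExchange", "send ChangeCipherSpec", "send Finished",
    ]
    early = may_false_start(app_requested, suite)
    if early:
        # Sent under the new cipher spec, before the server's Finished is seen.
        events.append("send ApplicationData (False Start)")
    events += ["recv ChangeCipherSpec", "recv Finished"]
    if not early:
        events.append("send ApplicationData")
    return events


def round_trips_before_data(events: List[str]) -> int:
    """Count server flights the client waited for before its first app data."""
    rtts = 0
    prev_recv = False
    for e in events:
        if e.startswith("send ApplicationData"):
            return rtts
        is_recv = e.startswith("recv")
        if is_recv and not prev_recv:
            rtts += 1  # a new flight from the server = one more round trip
        prev_recv = is_recv
    raise ValueError("transcript never sends application data")


if __name__ == "__main__":
    strong = NegotiatedSuite("ECDHE_RSA", "AES_128_GCM")
    weak = NegotiatedSuite("RSA", "RC4_128")  # constructed downgrade case
    for label, suite in (("strong", strong), ("weak", weak)):
        t = client_transcript(True, suite)
        print(label, "round trips before data:", round_trips_before_data(t))
```

Run as a script it prints 1 round trip for the strong suite and 2 for the weak one: the client refuses to take the False Start shortcut when the unverified negotiation landed on a cipher or key exchange outside the whitelist.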

From The Twitterverse

@SimonZerafa "QuickJava" : (Also via @SimonZerafa: Mark R. says "yes" to a sequel to Zero-Day)

@BenPike : I work for a major wireless retailer - we use Cellebrite machines to copy customer data from old phones to new phones...

@holtcg (Chris Holt) most of the Imation brand flash drives have a write protect switch. Perfect for carrying around your suite of anti-malware tools.

@BryanDort : Holy cow! @freshbooks is sending me a cake for just signing up for their service! Thanks @saulcolt! And thanks @leolaporte and @sggrc.

@TechJeeper (Cody Dean) Thanks for the recommendation of the book Zero Day by @markrussinovich. I'm HOOKED on this book!

@jlanners (Josh) : thanks @sggrc and @leolaporte for ZER0 DAY! It was fantastic!

@zkam : New privacy settings for Firefox: New feature in the nightly build: site-by-site granular control over site privacy "about:permissions" Store Passwords / Share Location / Set Cookies / Open Pop-up Windows / Maintain Offline Storage These can also now be set globally for all sites then overridden site-by-site


Password Haystacks

Entropy doesn't matter! SIZE does!
I immediately changed my WPA WiFi passwords (internal and guest).
Common password usage: "123456" is the #1 most common. "Password" is 4th. Leo's "monkey" is the 14th most common password!
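The "size, not entropy" argument is about the brute-force search space: how many strings an attacker who knows nothing about the password must try before exhaustion guarantees a hit. The calculator below is an added example written for these notes, not GRC's own code. It assumes the attacker must search every length up to the password's length over every character class the password touches (26 lower, 26 upper, 10 digits, 33 printable symbols including space), and the three guess rates are assumed figures, not measurements. The sample passwords are constructed for the demo; "monkey" is the one named above.

```python
"""Password haystack search-space calculator (added example, not GRC's code)."""
import string

# Characters an exhaustive search must cover once the password uses even one
# member of the class. 32 ASCII punctuation marks plus the space = 33.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10,
               "symbol": len(string.punctuation) + 1}

# ASSUMED guess rates (guesses per second) for three attacker positions.
RATES = {
    "online, rate-limited": 1_000,
    "offline, one GPU rig": 100_000_000_000,
    "offline, massive array": 100_000_000_000_000,
}


def classes_used(password: str) -> set:
    """Which character classes appear; anything non-alphanumeric is a symbol."""
    used = set()
    for ch in password:
        if ch.islower():
            used.add("lower")
        elif ch.isupper():
            used.add("upper")
        elif ch.isdigit():
            used.add("digit")
        else:
            used.add("symbol")
    return used


def alphabet_size(password: str) -> int:
    return sum(CLASS_SIZES[c] for c in classes_used(password))


def search_space(password: str) -> int:
    """Strings of length 1..len(password) over the password's alphabet."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    return search_space(password) / guesses_per_second


def human_duration(seconds: float) -> str:
    """Coarse, readable duration for the report."""
    units = [("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.2f} {name}"
    return f"{seconds:.6f} seconds"


def report(password: str) -> dict:
    """Alphabet, search space, and exhaustion time at each assumed rate."""
    return {
        "alphabet": alphabet_size(password),
        "search_space": search_space(password),
        "exhaust": {label: human_duration(seconds_to_exhaust(password, r))
                    for label, r in RATES.items()},
    }


if __name__ == "__main__":
    # Constructed samples: the short common password, a "complex" short one,
    # and the same word padded out to 26 characters with a repeated symbol.
    for pw in ("monkey", "M0nkey!", "monkey" + "." * 20):
        r = report(pw)
        print(f"{pw!r}: alphabet {r['alphabet']}, "
              f"search space {r['search_space']:.3e}")
        for label, t in r["exhaust"].items():
            print(f"   {label}: {t}")
```

The padded word, drawn from only two character classes, produces a far larger haystack than the short "complex" password. The caveat a practitioner should keep in mind is what this number measures: it is the cost of exhaustive search by an attacker who knows nothing about the structure. It says nothing about dictionary or pattern-based guessing, so the padding should still be a pattern of your own rather than one an attacker would try early.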


Production Information

  • Edited by:
  • Notes:
This area is for use by TWiT staff only. Please do not add or edit any content within this section.