Security Now 329

From The Official TWiT Wiki

Security Now 329: BrowserID

News & Errata

Planning on doing a science fiction special instead of "best of" for the holiday episode.

Illinois water pump SCADA Failure and "Hacking" Follow-up

Microsoft will deliberately consolidate any changes requiring a reboot starting with Windows 8 so that only one reboot will be required.

Android Malware

  • 472% increase in Android malware samples since July
  • News Article
  • Early spring - Malware began using vulnerabilities to gain root access and install more packages, extending its capabilities.
  • Be careful with the apps you load.

A Java exploit attacks a vulnerability that exists in Oracle Java, in the JDK and the Runtime, versions 7 and 6 Update 27 and earlier.

  • Exploit being folded into automated attack tools.
  • Java 6 Update 29 and Java 7 Update 1, which is still not quite released yet, are secure.
  • Do I Have Java?

Firesheep (Impersonation Tool and proof-of-concept)


  • Term coined by Brian Krebs
  • "Members of an exclusive underground hacker forum recently sought to plant malware on KrebsOnSecurity by paying to run tainted advertisements through the site's advertising network, which was Federated Media. The attack was unsuccessful, thanks to a variety of safeguards, but it highlights the challenges that many organizations face in combating the growing scourge of 'malvertising.'"

Yubico Holiday Discount

  • YubiKeys normally $25 each.
  • Through to end of year, offering 10-pack for $99.
  • Yubico

HP Printer Vulnerability

  • Internet vulnerability on HP firmware which allows bad guys to change the firmware and shut down your printer over the Internet.
  • Steve will research further and follow up on a future episode.

Mazda putting large capacitors in their next-year model cars, their 2012 cars

  • When the driver takes their foot off the accelerator, an alternator is engaged as part of the braking system to charge a large capacitor.
  • It then uses the charge in the capacitor for the car's electrical system.
  • The electrical demands on a contemporary car are enough that it substantially affects the car's gas mileage.
  • That lightens the load on the alternator, which would otherwise be doing that, and substantially improves gas mileage.
  • GizMag Article

Mega-rover was launched on Saturday by an unmanned Atlas V rocket

  • 8.5 months from now this podcast will most likely note its arrival.
  • It's called the "MSL", the Mars Science Laboratory
  • This one is called "Curiosity"
  • It's a $2.5 billion mission. It weighs a ton.
  • It's the size of a car. It is nuclear powered.
  • It contains 10.6 pounds of radioactive plutonium for power.
  • Launch of MSL
  • The rover will be lowered using a skyhook-like technology that drops it down via wires.

SpinRite Story - Samuel Gordon-Stewart

"I have an old DOS application which for years I've been running off my hard drive. I only need to use it occasionally. And when I went to use it today, I discovered that I'd accidentally deleted it, probably in my recent cleanout of files I supposedly didn't need. Clearly I did. So I whipped out the floppy disk which has the application and related files on it. I went to copy it to the hard drive and nearly had a heart attack when it would no longer copy. Windows couldn't read the main executable. I took this as an opportunity to do something I've been meaning to do for a while. I bought SpinRite. I let it loose on the floppy disk. It went a few minutes working, then dropped into DynaStat in various places. When I got back into Windows, I was able to copy the disk to the hard drive. I don't think it's possible to get a replacement copy for this DOS application that I'm using these days, so the $89 I spent on SpinRite bought me enough time to get the files one last time off the diskette, and saved me an awful lot of trouble. Thanks, Steve. SpinRite is fantastic. Regards, Samuel Gordon-Stewart in Canberra."

Topic - Mozilla's BrowserID

  • The big problem we need to solve: How do the services that we want to use on the Internet know that we are who we say we are?
  • Well, there's another entry into the game that's only a few months old and was recently launched by the Mozilla folks.
  • It's open everything, nonproprietary. It is cross-browser.
  • It is incredibly easy, not only for the user to use, but also for a website to support if it wishes to allow users to authenticate to it, that is, to log in with a verifiable identity.

  • So what the Mozilla guys decided was, okay, let's see what's the simplest thing we can use? And they thought about it and decided, well, that's our email address.
  • It is the thing that we are constantly proving we have control of.
  • Control of our email address is already the lowest common denominator.
  • Let's use that which we already have as the means for identifying users.

  • Demonstration of how this works: Sample Site
  • It has just a little icon that says "Sign in." You're presented with a dialogue asking for an email address which you want to use as your identity.
  • If the browser knows that you have authenticated more than one email address, it gives you a list of them, and you choose which email identity to present as your login for that site.

  • If you haven't yet created a BrowserID identity, and you typically wouldn't have by then, you would give it an email address that you control and submit that.
  • It would explain that it is going to send that address a link which you need to click in order to prove your ownership of that email account.
  • So the act of doing that works with JavaScript that's running in your browser and with asymmetric keys.
  • Once it has verification that you own this email address, the browser generates a public and private key pair and, using HTML5 local private storage, is able to maintain it.
  • There are a number of ways that the public key can be stored. For example, there is a facility that will maintain, on behalf of users, their email addresses and public keys, and that allows other sites to query it for the public key.
  • The browser maintains a set of email addresses and the private key.

  • Then, if you want to log into a website that supports BrowserID, the website will just show you a little login and typically say you could use BrowserID in order to log into me, much like this site does. And you're simply presented with, when you click the login, a list of any email addresses which your browser has had confirmed for it, and you log in.
  • Now, the website that you're logging into can essentially make a query to the site that contains the public key that matches in order to verify your certificate.
  • So there is a trusted third party, and there can be as many of them as you like.
  • As part of this trusted email technology, there is a facility where you would not need a third party at all, that is, the actual email service can provide this certificate signing and storage and verify email ownership to third parties.

  • In fact it is possible for email systems themselves to support this BrowserID protocol.
  • Then any website that you want to authenticate to is able to receive that certificate, essentially, from your browser, which asserts that you are who you are, that is, that you have proven your ownership of this email identity.
  • It then queries the trusted third party that you have associated with that to get your public key, which it uses to verify the signature, and that's all there is to it. So it ends up being very easy to use.

  • It is possible to avoid that query. Your browser can hold the authentication with a time limit, for example one that says it is good for a week with no additional authentication, and the authenticator signs it with that time limit. The public key of the authenticator is then used to verify the signature, rather than the individual's public key.
  • The site you're logging into isn't querying for your credentials; it is just checking the authenticator's signature, very much the way our public key system works now, where you just get the public key of the certificate authority and verify that it signed the identity certificate.

  • Demonstrating BrowserID: YouTube Video
  • No plug-ins necessary; it can run using only JavaScript.
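
The time-limited certificate flow described above, as an added example (not part of the original show notes and not Mozilla's code): the authenticator certifies the browser's public key for an email address, the browser signs a login assertion, and the website checks both using only the authenticator's public key. Ed25519 via Node's `crypto` module, the token layout, all function names and the `audience` field (which ties an assertion to one site) are assumptions made for illustration.

```javascript
const { generateKeyPairSync, createPublicKey, sign, verify } = require('crypto');

// Token layout (assumed): base64url(JSON payload) + "." + base64url(Ed25519 signature).
function signToken(payload, privateKey) {
  const body = Buffer.from(JSON.stringify(payload)).toString('base64url');
  return body + '.' + sign(null, Buffer.from(body), privateKey).toString('base64url');
}

// Returns the payload if the signature checks out, otherwise null.
function openToken(token, publicKey) {
  const [body, sig] = String(token).split('.');
  if (!body || !sig) return null;
  if (!verify(null, Buffer.from(body), publicKey, Buffer.from(sig, 'base64url'))) return null;
  return JSON.parse(Buffer.from(body, 'base64url').toString());
}

// Authenticator: once the emailed link is clicked, certify the browser's key with a time limit.
function issueCertificate(email, userPublicKey, authorityPrivateKey, exp) {
  const pem = userPublicKey.export({ type: 'spki', format: 'pem' });
  return signToken({ email, publicKey: pem, exp }, authorityPrivateKey);
}

// Browser: sign a short-lived assertion for one site with the locally stored private key.
function makeAssertion(audience, userPrivateKey, exp) {
  return signToken({ audience, exp }, userPrivateKey);
}

// Website: needs only the authenticator's public key. Returns the proven email or null.
function verifyLogin(certificate, assertion, authorityPublicKey, audience, now) {
  const cert = openToken(certificate, authorityPublicKey);
  if (!cert || cert.exp <= now) return null;     // not signed by the authenticator, or expired
  const claim = openToken(assertion, createPublicKey(cert.publicKey));
  if (!claim || claim.exp <= now) return null;   // not signed by the certified browser key
  if (claim.audience !== audience) return null;  // assertion was made for a different site
  return cert.email;
}

// Constructed demo values (keys, address, site and clock are all made up).
const authority = generateKeyPairSync('ed25519');
const browser = generateKeyPairSync('ed25519');
const NOW = 1000, WEEK = 7 * 24 * 3600, SITE = 'https://site.example';
const demoCert = issueCertificate('alice@example.org', browser.publicKey, authority.privateKey, NOW + WEEK);
const demoAssertion = makeAssertion(SITE, browser.privateKey, NOW + 120);
```

The website never contacts the user's key store here; a certificate past its time limit, an assertion signed by an uncertified key, or an assertion made for another site all return `null`.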

Next Week

  • Tom Merritt will be filling in for Leo on next week's Q&A episode.
  • Leo at TWit in Paris.



