SN 434 Notes


Security Now!

#434 - 12-11-13
Q&A #179
Today on Security Now!
Patch Tuesday for Microsoft and Adobe.
A new Firefox release.
NSA using Google's pervasive cookie for pervasive tracking.
Nearly 2 million passwords found on a botnet controller.
FreeBSD UNIX dropping untrustworthy HW PRNGs.
A French CA gets caught being VERY bad.
A bunch of Miscellany.
And finally a Q&A!
Security News:
Zero-Day Fixes this week from both Microsoft and Adobe:
Microsoft Patch Tuesday
This month, Microsoft released 11 patches, repairing a total of 24 vulnerabilities:
12 were remote code execution vulnerabilities
8 elevation of privilege vulnerabilities
2 denial of service vulnerabilities
1 information disclosure vulnerability
1 security bypass vulnerability.
Order of update importance:
Critical: Admins are advised to patch MS13-096, MS13-097, MS13-098,
MS13-099, and MS13-105 immediately to prevent exploitation by attackers.
MS13-096 is a critical zero-day vulnerability in Windows & Office.
MS13-097 & 099 fix dangerous scripting issues in Windows.
(All three of these close vulnerabilities that Microsoft expects to be exploited in the
future -- and one that already is being.)
Then admins should patch MS13-100, MS13-101, MS13-102, MS13-104, and
MS13-106 as soon as possible.
Finally, admins should patch MS13-103 at their earliest convenience.
Adobe updated Flash & Shockwave
Newer Flash player addresses two security holes, including one that's already being
actively used in attacks. (Opening a Microsoft Word DOC with a malicious .SWF
attachment.)
New Firefox - v26
http://thenextweb.com/apps/2013/12/10/firefox-26-arrives-click-play-java-seamless-updates-windows-home-redesigned-android/
New:
All JAVA plug-ins are now "click to play"
The built-in password manager now supports script-generated password fields.
Updates on Windows no longer require write permissions to the Firefox install directory
(when Mozilla Maintenance Service is used.)
Support for H.264 on Linux
Plus a bunch of developer-level improvements and miscellaneous fixes.
NSA is munching Google's cookies?
Washington Post reports:
http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/10/nsa-uses-google-cookies-to-pinpoint-targets-for-hacking/
<quote> The agency's internal presentation slides, provided by former NSA contractor
Edward Snowden, show that when companies follow consumers on the Internet to better
serve them advertising, the technique opens the door for similar tracking by the
government. The slides also suggest that the agency is using these tracking techniques to
help identify targets for offensive hacking operations.
Again: We MUST assume -- If it CAN be done it's being done.
So... yet another point of access: Tracking Advertisers, who are just as subject to
national security letters as anyone and, perhaps (this is my own bias) already likely to be
less finicky about the rights of the users they are tracking... since their entire business
model is doing something most people dislike and don't want.
Nearly 2 Million Account Login Credentials Found on Netherlands Server
The "Pony" Botnet
http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html
Botnet filtered everything through a proxy in The Netherlands.
~1,580,000 website login credentials stolen
~320,000 email account credentials stolen
~41,000 FTP account credentials stolen
~3,000 Remote Desktop credentials stolen
~3,000 Secure Shell account credentials stolen
FreeBSD (Steve's UNIX) developers say they cannot trust HW RNGs
http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
With FreeBSD v10 the hardware will be fed into Yarrow.
Yarrow was designed by Bruce Schneier, John Kelsey, and Niels Ferguson of Counterpane Labs.
The Yarrow algorithm is explicitly unpatented, royalty-free and open source.
Yarrow is incorporated in iOS, Mac OS X and FreeBSD for their /dev/random devices.
https://www.schneier.com/yarrow.html
Yarrow's entropy pools use SHA-1 contexts, thus each is 160 bits.
My (GRC's) UHEPRNG required VASTLY more entropy because there were so many
possible Latin Squares. (1536 bits, as I recall.)
French CA mints Intermediate CA that's used in commercial MITM device
http://googleonlinesecurity.blogspot.ro/2013/12/further-improving-digital-certificate.html
Google's Online Security Blog, Saturday, December 7th:
<quote> Late on December 3rd, we became aware of unauthorized digital certificates for
several Google domains. We investigated immediately and found the certificate was
issued by an intermediate certificate authority (CA) linking back to ANSSI, a French
certificate authority. Intermediate CA certificates carry the full authority of the CA, so
anyone who has one can use it to create a certificate for any website they wish to
impersonate.
In response, we updated Chrome's certificate revocation metadata immediately to block
that intermediate CA, and then alerted ANSSI and other browser vendors. Our actions
addressed the immediate problem for our users.
ANSSI has found that the intermediate CA certificate was used in a commercial device, on
a private network, to inspect encrypted traffic with the knowledge of the users on that
network. This was a violation of their procedures and they have asked for the certificate in
question to be revoked by browsers. We updated Chrome's revocation metadata again to
implement this.
This incident represents a serious breach and demonstrates why Certificate Transparency,
which we developed in 2011 and have been advocating for since, is so critical.
Since our priority is the security and privacy of our users, we are carefully considering
what additional actions may be necessary.
http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html
ANSSI: Agence nationale de la sécurité des systèmes d'information
<quote> As a result of a human error which was made during a process aimed at
strengthening the overall IT security of the French Ministry of Finance, digital certificates
related to third-party domains which do not belong to the French administration have
been signed by a certification authority of the DGTrésor (Treasury) which is attached to
the IGC/A.
The mistake has had no consequences on the overall network security, either for the
French administration or the general public. The aforementioned branch of the IGC/A has
been revoked preventively.
The reinforcement of the whole IGC/A process is currently under supervision to make
sure no incident of this kind will ever happen again.
This COULD NOT HAVE BEEN HUMAN ERROR. "Human Error" is when it doesn't work the
way you want it to. "Deliberate Function" is when it does. This HAD TO BE DELIBERATE.
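Google's write-up above makes two mechanical points worth seeing in code: an intermediate CA certificate carries the full authority of the root that signed it, so a chain ending in a trusted root validates no matter which subordinate issued the leaf; and a browser can cut that off by blocking the intermediate's fingerprint in its revocation metadata, without distrusting the root. The following is an added illustration written for this page; it is not Chrome's validator or ANSSI's code. The `Cert` class is a constructed stand-in for X.509 (no DER, no signatures, no validity periods), the fingerprints are hashes of that stand-in rather than real SHA-256-of-DER values, and every name and serial in the sample chain is made up.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal constructed stand-in for an X.509 certificate (no real DER or signatures)."""
    subject: str
    issuer: str
    is_ca: bool
    serial: int

    def fingerprint(self) -> str:
        # Plays the role of the SHA-256 fingerprint of the DER encoding.
        raw = f"{self.subject}|{self.issuer}|{self.is_ca}|{self.serial}".encode()
        return hashlib.sha256(raw).hexdigest()


def validate_chain(chain, trusted_roots, blocked):
    """Walk a chain given leaf first, root last.  Returns (accepted, reason).

    A fingerprint in `blocked` anywhere in the chain rejects everything beneath it,
    which is why blocking one intermediate kills every leaf it signed while leaving
    the root, and other subordinates of that root, untouched.
    """
    if not chain:
        return False, "empty chain"
    for i, cert in enumerate(chain):
        if cert.fingerprint() in blocked:
            return False, f"blocked by revocation metadata: {cert.subject}"
        if i > 0 and not cert.is_ca:
            return False, f"issuer is not a CA: {cert.subject}"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"issuer mismatch at {cert.subject}"
    if chain[-1].fingerprint() not in trusted_roots:
        return False, f"untrusted root: {chain[-1].subject}"
    return True, "accepted"


# Constructed chain modelled on the incident: a trusted root, a subordinate CA it
# signed, and a leaf for a domain that subordinate had no business certifying.
ROOT = Cert("CN=Example Government Root CA", "CN=Example Government Root CA", True, 1)
INTERMEDIATE = Cert("CN=Example Ministry Sub CA", ROOT.subject, True, 2)
LEAF = Cert("CN=www.example.com", INTERMEDIATE.subject, False, 3)
CHAIN = [LEAF, INTERMEDIATE, ROOT]
TRUSTED_ROOTS = {ROOT.fingerprint()}


def before_block():
    # Nothing structurally wrong: the root is trusted, so the leaf is accepted.
    return validate_chain(CHAIN, TRUSTED_ROOTS, blocked=set())


def after_block():
    # The browser vendor's response: push the intermediate's fingerprint, not the root's.
    return validate_chain(CHAIN, TRUSTED_ROOTS, blocked={INTERMEDIATE.fingerprint()})


def sibling_after_block():
    # A leaf issued directly by the root is unaffected by blocking the intermediate.
    other = Cert("CN=portal.example.gov", ROOT.subject, False, 5)
    return validate_chain([other, ROOT], TRUSTED_ROOTS, blocked={INTERMEDIATE.fingerprint()})


def wrong_issuer():
    rogue = Cert("CN=www.example.com", "CN=Somebody Else", False, 4)
    return validate_chain([rogue, INTERMEDIATE, ROOT], TRUSTED_ROOTS, blocked=set())


if __name__ == "__main__":
    for name, fn in (("before", before_block), ("after", after_block),
                     ("sibling", sibling_after_block), ("mismatch", wrong_issuer)):
        print(name, fn())
```

A real validator also checks signatures, validity periods, key usage, name constraints and revocation status; the model above leaves all of that out so the scoping of the block is the only thing on display. The useful observation for defenders is the one Google draws: a chain can be entirely "valid" and still be unauthorized, and only something like Certificate Transparency lets a domain owner notice that a CA somewhere has issued for their name.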
iBeacon and iWallet
http://www.forbes.com/sites/tristanlouis/2013/12/07/the-iwallet-is-coming/
We may be seeing a Bluetooth-based payment technology coming from Apple.
"iBeacon" was rolled out in Apple's stores -- the phone is the receiver.
But an "iWallet" might make the phone into the transmitter:
The Objective-C interfaces of this framework allow you to do the following:
Scan for Bluetooth accessories and connect and disconnect to ones you find
Vend services from your app, turning the iOS device into a peripheral for other
Bluetooth devices
Broadcast iBeacon information from the iOS device
List of 2FA sites:
http://evanhahn.com/tape/two-factor-auth-list/
http://bit.ly/2falist
Miscellany:
Apple TouchID "Finger Fade"
A Hack to increase the recognition rate of Apple's TouchID:
Register the same finger in different "slots" under different conditions.
Register the same finger in different "slots" at different orientations.
Register more "edge" areas.
iPhone "Typo" Keyboard coming mid next month!
http://gigaom.com/2013/12/05/ryan-seacrest-funded-typo-iphone-keyboard-coming-in-january-for-99/
http://typokeyboards.com/
"Focus@Will" / Curated Internet Music for less than Pandora. ($35/yr.)
Classical / Focus Spa / Up Tempo / Alpha Chill / Acoustical / Cinematic / Ambient / ADHD Beta Test
For each choice: Low / Medium / High Intensity
FREE Personal Account
TONS of positive feedback from Twitter followers.
(Thanks to Leif Jantzen (@jantzen))
FTL Drive Update:
One hour video presentation by Dr. Harold White
http://www.youtube.com/watch?v=9M8yht_ofHc
hamishbuchan @hamishbuchan
@SGgrc More like: "less impossible". The solution described essentially requires
several tons of exotic matter with negative mass.
Not two weeks to Alpha Centauri -- 0.43 years (157 days, 22 weeks)
Security Now! to get Sign Language versions.
Creative Commons license allows it.
Starting back with the first episodes.
Sci-Fi Update:
"Almost Human" actually seems to be improving.
weckman (@weckman)
@SGgrc Did You know FOX is 'pulling a Firefly' on it, as they've released episodes
out of order 4 unknown reasons? So far: 1, 5, 6, 7, 8, 3.
What about Continuum ??
SQRL Update: Major Milestone Yesterday
The Protocol work is completed - both the Syntax and the Semantics
After the dust settles code will finally commence.
SpinRite:
Jared in Australia asked a question about Spinrite & Solid-State media:
Hearing a previous question on recovering data on SSD, I don't really get this.
On the one hand you say: "Yes, Spinrite can be run on SSD", and you don't do anything
to prevent this. But you also say that SSD/flash media have limited write cycles. So
running SpinRite on SSDs also wears them out! How can this be a good thing?
Customer Photo of SpinRite running on a BRAND NEW Kingston SSD:
Not good to have the drive's own SMART data unhappy
when running SpinRite on a BRAND NEW SSD!
Also not only a large absolute number of ECC (error correction) errors, but a WIDE variation
between the low and the high. (That's errors per megabyte of data read.)
-- 30 --