Defensive Security Podcast Episode 10

Podcast, Security, , ,

Podcast: Play in new window | Download | Embed

Subscribe: RSS

Feedback/comments – info@defensivesecurity.org
@defensivesec

Interesting Writeup by ESET on sink holing the zortob.b botnet http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/
– common phishing emails emanating from it at the rate of 80m per hour

Ryan Naraine interviewed VUPEN CEO: http://www.securityweek.com/podcast-vupen-ceo-chaouki-bekrar-addresses-zero-day-marketplace-controversy-cansecwest
– all browsers and all plugins have vulnerabilities

Results of the pwn2own contest: http://nakedsecurity.sophos.com/2013/03/08/pwn2own-results-day-two-adobe-reader-and-flash-owned-java-felled-yet-again/

  • Firefox – owned
  • IE10 – owned
  • Chrome – owned
  • Flash – owned
  • PDF reader – owned
  • Java – owned x4

Suggestion to limit exposure to malicious web sites: block “uncategorized” sites – will catch new sites which are often recently set up exploit distribution sites.

Listen to the Secure Ideas podcast: http://secureideas.libsyn.com/rss

  • Good stuff!

Follow-up on Evernote breach: passwords md5 hashed and salted
– better than others, but still not great
– md5 was built for performance, and GPU accelerated cracking can check hundreds of millions of passwords per second
– been some discussion about using a more expensive hash like bcrypt, but more expensive means it’s easier to DOS a web app, because it is by definition more computationally intensive.
I reject this – thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that – remember the hash operation will only need to happen ONCE when someone attempts a login, and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations simultaneously, but those will generally be split across many sites, anyhow.
But the argument is a bit of a paper tiger anyhow
– if it’s the responsible thing to do, we should do it
– SSL takes extra CPU power too, but the infosec community seems to have little sympathy for anyone who complains about that.

 

 

Leave a Reply