Podcast: Play in new window | Download | Embed
Subscribe: RSS
Feedback/comments – info@defensivesecurity.org
@defensivesec
Interesting Writeup by ESET on sink holing the zortob.b botnet http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/
– common phishing emails emanating from it at the rate of 80m per hour
Ryan Naraine interviewed VUPEN CEO: http://www.securityweek.com/podcast-vupen-ceo-chaouki-bekrar-addresses-zero-day-marketplace-controversy-cansecwest
– all browsers and all plugins have vulnerabilities
Results of the pwn2own contest: http://nakedsecurity.sophos.com/2013/03/08/pwn2own-results-day-two-adobe-reader-and-flash-owned-java-felled-yet-again/
- Firefox – owned
- IE10 – owned
- Chrome – owned
- Flash – owned
- PDF reader – owned
- Java – owned x4
Suggestion to limit exposure to malicious web sites: block “uncategorized” sites – will catch new sites which are often recently set up exploit distribution sites.
Listen to the Secure Ideas podcast: http://secureideas.libsyn.com/rss
- Good stuff!
Follow-up on Evernote breach: passwords md5 hashed and salted
– better than others, but still not great
– md5 was built for performance, and GPU accelerated cracking can check hundreds of millions of passwords per second
– been some discussion about using a more expensive hash like bcrypt, but more expensive means it’s easier to DOS a web app, because it is by definition more computationally intensive.
I reject this – thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that – remember the hash operation will only need to happen ONCE when someone attempts a login, and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations simultaneously, but those will generally be split across many sites, anyhow.
But the argument is a bit of a paper tiger anyhow
– if it’s the responsible thing to do, we should do it
– SSL takes extra CPU power too, but the infosec community seems to have little sympathy for anyone who complains about that.