Defensive Security Podcast Episode 10

Interesting write-up by ESET on sinkholing the Zortob.B botnet
– common phishing emails emanating from it at a rate of 80 million per hour

Ryan Naraine interviewed the VUPEN CEO:
– every browser and every plugin has vulnerabilities

Results of the Pwn2Own contest:

  • Firefox – owned
  • IE10 – owned
  • Chrome – owned
  • Flash – owned
  • PDF reader – owned
  • Java – owned four times

Suggestion for limiting exposure to malicious web sites: block “uncategorized” sites at the web filter. Newly registered domains have not been categorized yet, and exploit distribution sites are usually set up only days before they are used, so the rule catches them. The cost is that legitimate new sites are blocked too until they are categorized or explicitly allowlisted.
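As an added example (not from the podcast notes), this is the decision logic that rule implies, written fail-closed: a host the category feed has never seen, or one the feed cannot be consulted for, is denied, with an allowlist as the exception path for legitimate new sites. The category table, deny list and allowlist are constructed sample data, and the hostname walk (a subdomain inherits its registered domain's category) is this example's own choice.

```python
"""Added example (not from the podcast notes): a fail-closed proxy policy
that denies hosts the category feed has not classified.  The category
table, deny list and allowlist are constructed sample data."""
from urllib.parse import urlsplit

# Constructed stand-in for a vendor URL-categorization feed.
CATEGORY_FEED = {
    "example.com": "business",
    "news.example.org": "news",
    "cdn.example.net": "content-delivery",
    "badpayload.example": "malware",
}
DENY_CATEGORIES = {"malware", "phishing"}
# Exception path for legitimate sites the feed has not caught up with yet.
ALLOWLIST = {"newpartner.example"}
UNCATEGORIZED = "uncategorized"


def normalize_host(url):
    """Lower-case hostname without port or trailing dot; ValueError if none."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError("no host in %r" % url)
    return host.lower().rstrip(".")


def lookup_category(host, feed=CATEGORY_FEED):
    """Walk from the full host up through its parent domains so that a
    subdomain inherits the category of its registered domain.  Anything
    the feed has never seen comes back as 'uncategorized'."""
    labels = host.split(".")
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in feed:
            return feed[candidate]
    return UNCATEGORIZED


def decide(url, feed=CATEGORY_FEED):
    """Return (verdict, reason) for one request."""
    try:
        host = normalize_host(url)
    except ValueError as exc:
        return "deny", "unparseable request: %s" % exc
    if host in ALLOWLIST:
        return "allow", "allowlisted"
    try:
        category = lookup_category(host, feed)
    except Exception as exc:  # a real feed client can time out or error; fail closed
        return "deny", "lookup failed, failing closed: %s" % exc
    if category in DENY_CATEGORIES:
        return "deny", "category %s" % category
    if category == UNCATEGORIZED:
        return "deny", "uncategorized (likely a new domain)"
    return "allow", "category %s" % category


if __name__ == "__main__":
    for url in ("http://www.example.com/", "https://freshly-registered.example/login",
                "http://newpartner.example/", "http://badpayload.example/x"):
        print("%-45s %s" % (url, decide(url)))
```

The two checks worth keeping when this is done in a real proxy are the fail-closed branch (a feed outage must not turn into "allow everything") and the allowlist, without which the helpdesk queue becomes the exception path.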

Follow-up on the Evernote breach: passwords were MD5 hashed and salted
– better than many others (a per-user salt defeats precomputed tables), but still not great
– MD5 was built for speed, and GPU-accelerated cracking can check hundreds of millions of guesses per second, so a salt alone does little against a targeted crack
– there has been some discussion about using a deliberately expensive hash like bcrypt, but the objection raised is that a more expensive hash makes it easier to DoS a web app, because it is by definition more computationally intensive
I reject this – thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that. Remember, the hash operation only needs to happen ONCE when someone attempts a login and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations happening simultaneously, but those will generally be split across many sites anyhow.
But the argument is a bit of a paper tiger anyhow:
– if it’s the responsible thing to do, we should do it
– SSL takes extra CPU power too, and the infosec community has little sympathy for anyone who complains about that
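To make the trade-off concrete, here is an added example (not from the podcast or from Evernote) that puts the salted-MD5 scheme described above next to a deliberately slow hash whose work factor is stored with the record and can be raised later. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac stands in for "an expensive hash"; the `algo$cost$salt$hash` record format, the iteration count and the benchmark routine are this example's own assumptions.

```python
"""Added example (not from the podcast notes): the salted-MD5 scheme the
notes describe for Evernote, next to a deliberately slow hash with a
stored, adjustable work factor.  bcrypt is not in the standard library,
so PBKDF2-HMAC-SHA256 via hashlib.pbkdf2_hmac stands in for it here;
the record format 'algo$cost$salt$hash' is this example's own."""
import hashlib
import hmac
import os
import time


# --- The scheme the notes describe: one MD5 over salt || password -----------
def md5_salted_hash(password, salt=None):
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.md5(salt + password.encode()).hexdigest()
    return "md5$%s$%s" % (salt.hex(), digest)


def md5_salted_verify(password, stored):
    _, salt_hex, digest = stored.split("$")
    candidate = hashlib.md5(bytes.fromhex(salt_hex) + password.encode()).hexdigest()
    return hmac.compare_digest(candidate, digest)  # constant-time compare


# --- A tunable slow hash; the cost travels with the record -------------------
DEFAULT_ITERATIONS = 200_000  # raise over time as hardware gets faster


def slow_hash(password, iterations=DEFAULT_ITERATIONS, salt=None):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def slow_verify(password, stored):
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("not a pbkdf2_sha256 record")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True for a legacy MD5 record or one below the current work factor.
    Check this right after a successful login, when the plaintext is in
    hand, and re-store the password with slow_hash() to migrate users."""
    parts = stored.split("$")
    return parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


def hashes_per_second(fn, seconds=0.5):
    """Single-core guess rate for fn(password) on this machine.  A GPU
    cracking rig is orders of magnitude faster than this for MD5; the
    slow hash is what forces the attacker to pay for every guess."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        fn("guess%d" % n)
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    salt = os.urandom(16)
    print("salted md5:       %10.0f guesses/s on one core" %
          hashes_per_second(lambda p: md5_salted_hash(p, salt)))
    print("pbkdf2 %d:   %10.0f guesses/s on one core" %
          (DEFAULT_ITERATIONS, hashes_per_second(lambda p: slow_hash(p, salt=salt))))
```

Running the script prints the two guess rates on the local machine; the gap between them is the whole point of a slow hash, and the server side only pays that cost once per login attempt and once per password change. The `needs_rehash` check is how a site moves existing MD5 records over without a forced reset: upgrade each account the next time its owner logs in successfully.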
