Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

Defensive Security Podcast Episode 10


Feedback/comments - [email protected]
@defensivesec

Interesting writeup by ESET on sinkholing the Zortob.B botnet: http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/
- common phishing emails emanating from it at a rate of 80m per hour

Ryan Naraine interviewed VUPEN CEO: http://www.securityweek.com/podcast-vupen-ceo-chaouki-bekrar-addresses-zero-day-marketplace-controversy-cansecwest
- all browsers and all plugins have vulnerabilities

Results of the pwn2own contest: http://nakedsecurity.sophos.com/2013/03/08/pwn2own-results-day-two-adobe-reader-and-flash-owned-java-felled-yet-again/

Firefox - owned
IE10 - owned
Chrome - owned
Flash - owned
PDF reader - owned
Java - owned x4

Suggestion to limit exposure to malicious web sites: block "uncategorized" sites. This catches newly registered sites, which are often recently set up exploit distribution sites.

Listen to the Secure Ideas podcast: http://secureideas.libsyn.com/rss

Good stuff!

Follow-up on Evernote breach: passwords were MD5 hashed and salted
- better than others, but still not great
- MD5 was built for performance, and GPU-accelerated cracking can check hundreds of millions of passwords per second
- there has been some discussion about using a more expensive hash like bcrypt, but the objection is that more expensive means it's easier to DoS a web app, because the hash is by definition more computationally intensive.
I reject this - thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that. Remember that the hash operation only needs to happen ONCE when someone attempts a login, and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations simultaneously, but those will generally be split across many sites, anyhow.
But the argument is a bit of a paper tiger anyhow
- if it's the responsible thing to do, we should do it
- SSL takes extra CPU power too, but the infosec community seems to have little sympathy for anyone who complains about that.
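Added example, not from the podcast: a salted, deliberately slow password store beside the fast salted-MD5 scheme, showing that the work factor multiplies the attacker's cost per guess by the same amount the server pays once per login. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 is assumed as the stand-in slow hash; the passwords and the 16-byte salt size are constructed.

```python
import hashlib
import hmac
import os
import time

# Constructed example. PBKDF2-HMAC-SHA256 (stdlib) stands in for bcrypt;
# its iteration count plays the role of bcrypt's cost factor.

def md5_salted(password: str, salt: bytes) -> bytes:
    """The 'fast' scheme: one MD5 over salt + password."""
    return hashlib.md5(salt + password.encode()).digest()

def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """Salted, iterated hash; every guess costs 'iterations' work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def store_password(password: str, iterations: int = 100_000) -> dict:
    """What the server keeps: per-user salt, work factor and derived hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": slow_hash(password, salt, iterations)}

def verify_password(record: dict, attempt: str) -> bool:
    """The one hash computation a login costs; constant-time compare."""
    candidate = slow_hash(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])

def seconds_per_call(fn, repeats: int = 10) -> float:
    """Average wall-clock time of one call, i.e. server cost per login."""
    start = time.perf_counter()
    for _ in range(repeats):
        fn()
    return (time.perf_counter() - start) / repeats

def attacker_slowdown(iterations: int = 100_000) -> float:
    """Factor by which each offline guess gets slower than salted MD5.
    The server pays the same factor, but only once per login attempt."""
    salt = os.urandom(16)
    fast = seconds_per_call(lambda: md5_salted("hunter2", salt), repeats=2000)
    slow = seconds_per_call(lambda: slow_hash("hunter2", salt, iterations))
    return slow / fast

if __name__ == "__main__":
    rec = store_password("correct horse battery staple")
    print("login ok:", verify_password(rec, "correct horse battery staple"))
    print("seconds per login hash: %.4f" % seconds_per_call(
        lambda: verify_password(rec, "correct horse battery staple")))
    print("attacker slowdown vs salted MD5: %.0fx" % attacker_slowdown())
```

Raising the iteration count scales both numbers together, which is the point of the argument above: the defender's cost is one hash per login, the attacker's is one hash per guess.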

Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec, by Jerry Bell and Andrew Kalat
