Defensive Security Podcast - Malware, Hacking, Cyber Security & Infosec

Defensive Security Podcast Episode 10



Feedback/comments - [email protected]
@defensivesec

Interesting writeup by ESET on sinkholing the Zortob.B botnet: http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/
- spam/phishing emails were being sent from it at a rate of 80 million per hour

Ryan Naraine interviewed VUPEN CEO Chaouki Bekrar on the zero-day marketplace: http://www.securityweek.com/podcast-vupen-ceo-chaouki-bekrar-addresses-zero-day-marketplace-controversy-cansecwest
- his position: all browsers and all plugins have vulnerabilities

Results of the Pwn2Own 2013 contest: http://nakedsecurity.sophos.com/2013/03/08/pwn2own-results-day-two-adobe-reader-and-flash-owned-java-felled-yet-again/

Firefox - owned
IE10 - owned
Chrome - owned
Flash - owned
Adobe Reader - owned
Java - owned four times

Suggestion to limit exposure to malicious web sites: have the web proxy block "uncategorized" sites. This catches newly registered domains, which are often recently set up exploit distribution sites that the categorization vendor has not yet classified.

Listen to the Secure Ideas podcast: http://secureideas.libsyn.com/rss

Good stuff!

Follow-up on the Evernote breach: passwords were salted and MD5-hashed
- better than what many other sites do, but still not great
- MD5 was built for speed, and GPU-accelerated cracking can check hundreds of millions of salted-MD5 guesses per second
- there has been some discussion about using a more expensive hash like bcrypt, but the counterargument is that a more expensive hash makes it easier to DoS a web app, because the hash is by definition more computationally intensive.
I reject this - thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that - remember the hash operation will only need to happen ONCE when someone attempts a login, and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations simultaneously, but those will generally be split across many sites, anyhow.
But the argument is a bit of a paper tiger anyhow
- if it's the responsible thing to do, we should do it
- SSL takes extra CPU power too, but the infosec community seems to have little sympathy for anyone who complains about that.
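To put numbers on the cost argument above, here is an added example (not from the show or from Evernote) that hashes the same password two ways: a single salted MD5 pass, which is what the breach reporting describes, and a deliberately slow key-derivation function. The slow function is PBKDF2-HMAC-SHA256 from Python's standard library, used as a stand-in for bcrypt because bcrypt needs a third-party package; the work-factor of 100,000 iterations is an assumption picked so one hash takes on the order of tens of milliseconds. The example also shows the part of the argument that is easy to miss: the server pays the cost once per login attempt, and the same cost is what slows an offline cracker per guess.

```python
"""Salted MD5 versus a deliberately slow password hash (added example)."""
import hashlib
import hmac
import os
import time

# Assumed work factor for the slow hash. bcrypt's cost parameter plays the
# same role; PBKDF2 is used here only because it ships with Python.
PBKDF2_ITERATIONS = 100_000


def md5_salted(password: str, salt: bytes) -> bytes:
    """One MD5 pass over salt + password: fast for the server, fast for a GPU."""
    return hashlib.md5(salt + password.encode("utf-8")).digest()


def slow_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Iterated KDF: the iteration count is the knob that sets cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What gets stored at password set/reset time: one slow hash, per-user salt."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "hash": slow_hash(password, salt, PBKDF2_ITERATIONS),
    }


def verify(record: dict, candidate: str) -> bool:
    """What runs once per login attempt. Constant-time compare on the digest."""
    got = slow_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def seconds_per_hash(fn, password: str = "correct horse", n: int = 3) -> float:
    """Average wall-clock cost of one hash; fixed salt so runs are comparable."""
    salt = b"\x00" * 16  # benchmark-only constant salt, never use in storage
    start = time.perf_counter()
    for _ in range(n):
        fn(password, salt)
    return (time.perf_counter() - start) / n


def logins_per_core_per_second(sec_per_hash: float) -> float:
    """Upper bound on login attempts one CPU core can verify per second.

    The same number is the upper bound on guesses per second for an attacker
    using an equivalent core, which is the point of the slow hash."""
    return 1.0 / sec_per_hash


def cost_ratio() -> float:
    """How many times more expensive one slow-hash guess is than one MD5 guess."""
    return seconds_per_hash(slow_hash) / seconds_per_hash(md5_salted)


if __name__ == "__main__":
    record = make_record("hunter2")
    print("correct password verifies:", verify(record, "hunter2"))
    print("wrong password verifies:  ", verify(record, "hunter3"))
    for name, fn in (("salted MD5", md5_salted), ("PBKDF2-SHA256", slow_hash)):
        cost = seconds_per_hash(fn)
        print(f"{name:14s} {cost * 1000:9.3f} ms/hash "
              f"-> {logins_per_core_per_second(cost):12.0f} logins (or guesses)/core/s")
    print(f"slow hash is ~{cost_ratio():.0f}x the cost of salted MD5 per guess")
```

The login budget is the interesting number: a site that verifies a few hundred logins per second across its front ends needs a few seconds of CPU per second in total, spread over those servers, while every guess an attacker makes against a stolen record costs that same factor more than an MD5 guess. Raising the iteration count (or bcrypt's cost) moves both numbers together, which is the trade-off the discussion above is really about.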


Defensive Security Podcast - Malware, Hacking, Cyber Security & InfosecBy Jerry Bell and Andrew Kalat
