Defensive Security is a weekly information security podcast which reviews recent high profile security breaches, data breaches, malware infections and intrusions to identify lessons that we can learn and apply to the organizations we protect.
https://defensivesecurity.org
Defensive Security Podcast Episode 10
Feedback/comments – info@defensivesecurity.org
@defensivesec
Interesting Writeup by ESET on sink holing the zortob.b botnet http://www.welivesecurity.com/2013/03/08/sinkholing-trojan-downloader-zortob-b-reveals-fast-growing-malware-threat/
– common phishing emails emanating from it at the rate of 80m per hour
Ryan Naraine interviewed VUPEN CEO: http://www.securityweek.com/podcast-vupen-ceo-chaouki-bekrar-addresses-zero-day-marketplace-controversy-cansecwest
– all browsers and all plugins have vulnerabilities
Results of the pwn2own contest: http://nakedsecurity.sophos.com/2013/03/08/pwn2own-results-day-two-adobe-reader-and-flash-owned-java-felled-yet-again/
- Firefox – owned
- IE10 – owned
- Chrome – owned
- Flash – owned
- PDF reader – owned
- Java – owned x4
Suggestion to limit exposure to malicious web sites: block “uncategorized” sites – will catch new sites which are often recently set up exploit distribution sites.
Listen to the Secure Ideas podcast: http://secureideas.libsyn.com/rss
- Good stuff!
Follow-up on Evernote breach: passwords md5 hashed and salted
– better than others, but still not great
– md5 was built for performance, and GPU accelerated cracking can check hundreds of millions of passwords per second
– been some discussion about using a more expensive hash like bcrypt, but more expensive means it’s easier to DOS a web app, because it is by definition more computationally intensive.
I reject this – thousands of operations can be performed per second, and unless the app is badly designed, the server should not see anything like that – remember the hash operation will only need to happen ONCE when someone attempts a login, and ONCE when the password is reset. Certainly very busy sites may have thousands of login/password operations simultaneously, but those will generally be split across many sites, anyhow.
But the argument is a bit of a paper tiger anyhow
– if it’s the responsible thing to do, we should do it
– SSL takes extra CPU power too, but the infosec community seems to have little sympathy for anyone who complains about that.