#HackerKast 28: Unicode Chrome Crash, Brain Waves, Top 10 Web Hacks, PWN2OWN, Wind Turbine CSRF, TLS certificates

Hey Everybody! Thanks for checking out this week’s HackerKast! We’ve got some fun stories this week that were a good time to chat about.

First we mentioned a slightly concerning but also amusing story. There was a little magic string of Unicode characters that would crash Chrome completely when viewed. This had to do with some locally installed language libraries that didn’t play nicely together. Robert, being the hacker he is, couldn’t resist putting this string of characters in a Facebook status and a tweet. He got a lot of hate mail. (Oh, and if Chrome crashes while reading this post, you should really install updates ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ).

Now we all love it when security topics get themselves out of the echo chamber, but I think this next story is fairly unique in the industry it popped up in. It turns out some biology research was done when scientists decided to perform MRI scans of people while they were browsing the web. We all know users just click things to get them out of the way, but it turns out there is a biological reason for this! Certain parts of the brain actually turn off and become inactive on the MRI when users are viewing security warnings, like the ones for invalid SSL certificates. Now we can all collectively say that security is making people brain dead.

Finally my life is a bit back to normal as the Top 10 Web Hacks talk is complete and published. For those of you who missed the webinar, you can check it out here: Recording. In the video I went through the rundown of what this talk is and touched on a few of the interesting pieces of research that made the list. I’ll also be giving the talk again in person at RSA for all of you there! Check it out.

Next, we talked a bit about the PWN2OWN contest up at CanSecWest this year. All major browsers fell by the 2nd day of trying. For those unfamiliar, PWN2OWN is basically a 0-day contest: show up and own a box completely by navigating an up-to-date browser/OS to a website. One researcher scored a total of $225K in a single day for his exploits. That is some serious 0-day cash! Jeremiah also mentioned, as he does every now and then, his idea of a PWN2OWN category that rewards bugs found via antivirus software. Owned by the software you installed to protect yourself.

Another fun one I touched on next was a vulnerability that was found in an actual wind turbine. This turbine, for whatever reason, has a web admin portal. The portal was vulnerable to CSRF via an HTTP GET request that forces a credential change for the admin account. Once the credentials are changed, the attacker can completely control the turbine and even stop it from generating power.
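The CSRF weakness described above, as an added example that is not part of the HackerKast post: a stand-in admin portal whose password-change endpoint fires on a bare GET, beside a hardened handler that requires POST, an exact Origin/Referer match and a session-bound token. The portal, its host name, paths and field names are assumptions, not the real turbine product.

```python
"""Added example (not from the post): the turbine-portal CSRF pattern modelled
as plain Python so it runs offline.  Host name, paths and field names are
assumptions."""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    path: str
    params: dict                                   # query string or form body
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Portal:
    """Minimal stand-in for the admin portal's server-side state."""
    origin: str = "https://turbine.example"        # assumed portal origin
    admin_password: str = "initial"
    sessions: dict = field(default_factory=dict)   # session id -> CSRF token

    def login(self) -> tuple[str, str]:
        """Creates a session and a per-session synchronizer token."""
        sid = secrets.token_urlsafe(16)
        token = secrets.token_urlsafe(32)
        self.sessions[sid] = token
        return sid, token

    # --- vulnerable pattern: state change on a GET, no token, no origin check
    def change_password_vulnerable(self, req: Request) -> str:
        if req.cookies.get("session") not in self.sessions:
            return "401 not logged in"
        if req.path != "/admin/password":
            return "404"
        # A page on another site that the logged-in admin visits can trigger
        # this via an embedded image or link: the browser attaches the session
        # cookie automatically, so the only "authentication" is the cookie.
        self.admin_password = req.params["new_password"]
        return "200 password changed"

    # --- hardened pattern -----------------------------------------------
    def change_password_hardened(self, req: Request) -> str:
        sid = req.cookies.get("session")
        if sid not in self.sessions:
            return "401 not logged in"
        if req.path != "/admin/password":
            return "404"
        # 1. State changes only on POST; GET stays side-effect free.
        if req.method != "POST":
            return "405 method not allowed"
        # 2. Exact-match the request origin (Referer as fallback).  A prefix
        #    check would wrongly accept e.g. turbine.example.evil.
        origin = req.headers.get("Origin")
        if origin is None:
            ref = req.headers.get("Referer", "")
            origin = "/".join(ref.split("/", 3)[:3])   # scheme://host[:port]
        if origin != self.origin:
            return "403 cross-origin request rejected"
        # 3. Synchronizer token bound to the session, compared in constant time.
        submitted = req.params.get("csrf_token", "")
        if not hmac.compare_digest(submitted.encode(), self.sessions[sid].encode()):
            return "403 missing or invalid CSRF token"
        self.admin_password = req.params["new_password"]
        return "200 password changed"


def demo() -> tuple[str, str, str]:
    """Replays one constructed cross-site GET against both handlers, then a
    legitimate same-origin POST against the hardened one."""
    portal = Portal()
    sid, token = portal.login()
    cross_site = Request("GET", "/admin/password", {"new_password": "changed"},
                         headers={"Referer": "https://other.example/"},
                         cookies={"session": sid})
    vuln = portal.change_password_vulnerable(cross_site)
    portal.admin_password = "initial"
    hard = portal.change_password_hardened(cross_site)
    legit = Request("POST", "/admin/password",
                    {"new_password": "n3w", "csrf_token": token},
                    headers={"Origin": "https://turbine.example"},
                    cookies={"session": sid})
    ok = portal.change_password_hardened(legit)
    return vuln, hard, ok


if __name__ == "__main__":
    print(demo())
```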

The last story we touched on was a complicated one about SSL/TLS certificates: Google warned this week that some unauthorized TLS certs were trusted by almost every operating system. Robert goes into the technical details here, so those interested should listen up! The CliffsNotes version is that if you are in Egypt, you should watch what you say online, especially while using Google via Internet Explorer. Firefox and Chrome’s certificate pinning helps a bit here if in use, so those should be slightly better off.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Crashing Chrome Tabs with Unicode
MRIs Shows Brains Shutting Down With Security Prompts
Top 10 Web Hacking Techniques of 2014
All Major Browsers Fall At PWN2OWN Day 2
Wind turbine blown away by control system vulnerability
Google warns of unauthorized TLS certificates trusted by almost all OSes

Notable stories this week that didn’t make the cut:
North Korea Web Outage Was Response To Sony Hack, Congressman Says
China Admits To Having a Hacking Group
Cisco to Ship Boxes to Empty Houses To Evade the NSA
Kaspersky Being Accused Of Ties To Russian Military
No password or PIN, but I have a fake ID. Sure, take the domain
FREAK uses Similar Modulo Attacks
Brute Forcing IOS Screenlock
Need a security expert? Hire a coder

Top 10 Web Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m. PT We have our Top 10 list, folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Web Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those that made the list! Your research contributions are admired and should be respected. And a special thanks to everyone that voted or shared feedback. Also, for anyone that would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out!

Agree with the list? Disagree? Share your comments below.
END UPDATE

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year:

2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]
Comment on this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]
Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)
Heartbleed
TweetDeck XSS
OpenSSL CVE-2014-0224
Rosetta Flash
Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Facebook hosted DDOS with notes app
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
The PayPal 2FA Bypass
AIR Flash RCE from PWN2OWN
PXSS on long length videos to DOS
MSIE Flash 0day targeting French aerospace
Linksys E420 Authentication Bypass Disclosure
Paypal Manager Account Hijack
Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
How I hacked Instagram to see your private photos
How I hacked GitHub again
ShellShock
Poodle
Residential Gateway “Misfortune Cookie”
Recursive DNS Resolver (DOS)
Belkin Buffer Overflow via Web
Google User De-Anonymization
Soaksoak WordPress Malware
Hacking PayPal Accounts with 1 Click
Same Origin Bypass in Adobe Reader CVE-2014-8453
RevSlider
HikaShop Object Injection
Covert Timing Channels based on HTTP Cache Headers
NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE
Bypassing NoCAPTCHA
Delta Boarding Pass Spoofing
Cryptophp Backdoor
Microsoft SChannel Vulnerability
Google Two-Factor Authentication Bypass
Drupal 7 Core SQLi
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Reflected File Download
Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 1 and Example 2
File Name Enumeration in Rails
FlashFlood
Canadian Beacon
setTimeout Clickjacking

Final 15 (in no particular order):
AIR Flash RCE from PWN2OWN
Belkin Buffer Overflow via Web
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Heartbleed
Covert Timing Channels based on HTTP Cache Headers
Canadian Beacon
Cryptophp Backdoor
Hacking PayPal Accounts with 1 Click
Google Two-Factor Authentication Bypass
ShellShock
Facebook hosted DDOS with notes app
Rosetta Flash
Poodle
Residential Gateway “Misfortune Cookie”

#HackerKast 27: SXSW, Copy Magic Paste, Tinder AI, GTA V, Mystery SSL Fix

Hey everybody! Quick recap this week as we are gearing up for the Top 10 Web Hacks Webinar (which you can register to watch here).

Robert and I just got back from SXSW this weekend, and that was a very interesting experience. It was my first big trade show floor that wasn’t security related. Tons of interesting stuff floating around Austin this week!

The first story we covered was about a Copy Magic Paste trick that Robert found from the SEO crowd. This idea started as a way for websites to force citation from people stealing content, but Robert talked about the possibility of using it to sneak JavaScript into places.

Next, I touched on a fun Tinder story from SXSW, where a movie about AI used a robot Tinder profile to match with people at the conference; after a short conversation the bot would point the person it tricked towards an Instagram account promoting the movie. This brought up a lot of AI-related topics that were floating around the conference, which Robert has a ton to say about.

A quick, fun logic flaw in GTA V wound up having some real-money consequences. Jer and I love logic flaws; they feel like hacking without hacking. This one was pretty simple: make an in-game car for a few thousand in-game dollars and sell it for about 10x that. The writers of this article did the conversion on how much real-world money this would turn into, and it seemed people could make about $5 every 20 minutes. If this could be automated it would’ve been some nice passive income.

Jer talked about a new, exciting story that we are all very hopeful about: Yahoo Mail end-to-end encryption. Alex Stamos, CISO over at Yahoo, announced a new program to use end-to-end encryption in their webmail client. The big question here is how usable this will be. If it is as usable as PGP, we probably won’t see a huge uptick in adoption. We’ll be watching this closely as it has huge potential.

Lastly we touched on a “mystery” SSL fix from the OpenSSL community. A mailing list announcement mentioned some new version patches coming out that fix a high-severity vulnerability. We don’t have much detail here, but once we do know, it will be pretty interesting. In the wake of Heartbleed, we are all a bit nervous when OpenSSL is mentioned in the context of vulnerabilities.

Resources:
Copy Magic Paste Modifies Copy Event on your Website
Tinder Users at SXSW Are Falling For a Robot
Grand Theft Auto Logic Flaw Leads To Real Money
User-Focused Security: End-to-End Encryption Extension for Yahoo Mail
New Mystery SSL Fix To Be Released Thursday

Notable stories this week that didn’t make the cut:
Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine
Microsoft Is Killing off the Internet Explorer Brand (now called Spartan)
Chromium to Block RFC1918 (Probably)

#HackerKast 26: Rowhammer, uTorrent bitcoin trojan, Chrome Same Origin Policy Bypass

Hey Everybody! Hard to believe we’ve done 26 of these already. Hope you’re having as much fun watching/listening to these as we are having while making them!

First and most importantly this week we HAD to cover Rowhammer. For those of you who haven’t heard, the latest research to come from some smart folks over at Google is pretty scary. This creative attack has to do with circuits in memory being lined up in specific rows (hence “Rowhammer”). By sending different signals to these circuits, the researchers were able to predictably flip certain adjacent bits, which allows for privilege escalation. Robert goes into way more detail, so listen up if you’re interested!

Next, I touched a bit on the recent uTorrent debacle. For those of you who use the popular torrent software, beware of the latest update! It comes with a bit of a surprise piece of software. Where I come from, we call that a trojan. Anyway, this time they included a Bitcoin miner called Epic Scale. This of course would cause the performance of your machine to suffer, along with your electric bill, all the while making uTorrent some cash. It’s not trivial to uninstall this whole mess either, so needless to say, people are pissed.

Finally we finished up with some more great research, this time a new Chrome Same Origin Policy bypass. This one was super creative and followed similar lines of thought to the Pixel Perfect Timing research from last summer, because it utilizes some SVG tricks. The researcher sets up a malicious page, sources in an image from an external page, and then via JavaScript can read the image data by jumping through a few hoops. This could be utilized for login detection, private photo snooping, etc.

We didn’t feel like squeezing FREAK into a HackerKast with other stories, so we’ll give it the time it deserves soon. (I know there is some AppSec junkie somewhere out there wondering why we left it out!)

References:
Rowhammer
Beware, μTorrent is installing a Bitcoin miner software
Chrome SOP Bypass with SVG (CVE-2014-3160)

Notable stories this week that didn’t make the cut:
To protect itself from attack, Estonia is finding ways to back up its data
Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all
Where there’s a will, there’s a way – The Ambassador who worked from a Nairobi bathroom to avoid State Dept. IT
The CIA Campaign To Steal Apple’s Secrets

Hillary Clinton’s Emails And The Internet Services Supply Chain

Do you want the blue pill? Then leave. Up for the red pill? Then keep reading.

There has been a lot of talk about Hillary Clinton’s emails lately, and for good reason. People are genuinely concerned about national secrets falling into the hands of those who might hurt people. Regardless of the merit of the claims about how her private email address was used, I wanted to spend some time talking about something that hasn’t been talked about enough – the Internet Services Supply Chain (a made-up term, like all the others). ;)

What is the Internet Services Supply Chain? Whenever you build a website or email account that you host yourself, there are a number of things that you need to rely on. First, you need to rely on the physical hardware and its components – that’s called the Hardware Supply Chain and is a well understood (although not at all solved) issue. Then you have software components that your site utilizes – that’s called the Software Supply Chain and is also a well understood (although not at all solved) issue. Lastly, there are a number of service providers that are incredibly important for the continuity and security of your site, and that is the Internet Services Supply Chain. Those can include – but are not limited to – hosting providers, DNS providers, email providers and registrars.

For example, Hillary Clinton’s email MX records are actually on two separate IP addresses:

clintonemail.com.inbound10.mxlogic.net - 208.65.144.3
clintonemail.com.inbound10.mxlogicmx.net - 208.65.144.2

Unfortunately, it’s not that easy. Mxlogic relies on companies too. And those companies rely on other companies, and so on. Here’s just a simple mapping of all of the companies who could theoretically have taken over her domain as a result of that supply chain:

clintonemail.com
	Relies on ns16.worldnic.com for DNS
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on networksolutions.com for Registrar
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on mxlogicmx.net for Email
		Relies on hostmaster@mcafee.com for Domain Admin Control
			Relies on akam.net for DNS
				Relies on hostmaster-billing@akamai.com for Domain Admin Control
		Relies on pdns3.ultradns.org for DNS
			Relies on Godaddy for DNS
				Relies on domains@neustar.biz for Domain Admin Control
					Relies on pphosted.com for Mail
						Relies on proofpoint.com for DNS
						Relies on dns@proofpoint.com for Domain Admin Control
					Relies on NEUSTARREGISTRY.BIZ for Registrar
						Relies on Godaddy for Registrar
							Relies on outlook.com for Mail
								Relies on msft.net for DNS
									Relies on domains@microsoft.com for Domain Admin Control
								Relies on o365filtering.com for DNS
								Relies on hotmail.com for Mail
								Relies on domains@microsoft.com for Domain Admin Control
			Relies on PDNS196.ULTRADNS.BIZ for DNS
			Relies on PDNS196.ULTRADNS.CO.UK for DNS
			Relies on DNS196.ULTRADNS.COM for DNS
			Relies on PDNS196.ULTRADNS.INFO for DNS
			Relies on PDNS196.ULTRADNS.NET for DNS
			Relies on PDNS196.ULTRADNS.ORG for DNS
		Relies on pdns2.ultradns.net for DNS
		Relies on pdns5.ultradns.info for DNS
		Relies on pdns6.ultradns.co.uk for DNS
		Relies on dnsadmin@mxlogic.com for Domain Admin Control
		Relies on register.com for Registrar
			Relies on NS-1119.AWSDNS-11.ORG for DNS
				Relies on hostmaster@amazon.com for Domain Admin Control
					Relies on dynect.net for DNS
						Relies on dynamicnetworkservices.net for DNS
							Relies on dynamicnetworkservices.net@secretregistration.com for Domain Admin Control
						Relies on mailhop.org for Mail
							Relies on tucowsdomains.com for Registrar
								Relies on tucowsdomains.com@contactprivacy.com for Domain Admin Control
								Relies on TUCOWS.COM for DNS
						Relies on hostmaster@dyn.com for Domain Admin Control
					Relies on markmonitor.com for Registrar
						Relies on psmtp.com for MX
							Relies on google.com for MX
							Relies on google.com for DNS
	                                        Shares Host with markmonitor.net
	                                        Shares Host with markmonitor.nl
	                                        Shares Host with markmonitor.nu
	                                        Shares Host with markmonitor.org
	                                        Shares Host with markmonitor.pl
	                                        Shares Host with markmonitor.pt
	                                        Shares Host with markmonitor.ro
	                                        Shares Host with markmonitor.se
	                                        Shares Host with markmonitor.sk
	                                        Shares Host with markmonitor.su
	                                        Shares Host with markmonitor.tc
	                                        Shares Host with markmonitor.tv
	                                        Shares Host with markmonitor.us
	                                        Shares Host with markmonitor.vg
	                                        Shares Host with markmonitorglobal.com
	                                        Shares Host with mm-test-08c.info
	                                        Shares Host with mmdomain53.biz
	                                        Shares Host with mmdomain53.net
	                                        Shares Host with mmdomain53.org
	                                        Shares Host with wwwmarkmonitor.ch
	                                        Shares Host with wwwmarkmonitor.it
	                                        Shares Host with wwwmarkmonitor.ru
			Relies on NS-1887.AWSDNS-43.CO.UK for DNS
			Relies on NS-226.AWSDNS-28.COM for DNS
			Relies on NS-948.AWSDNS-54.NET for DNS

And this doesn’t even cover the supply chain of the hosting providers behind mail.clintonemail.com or sslvpn.clintonemail.com. Now step back for a minute and ask yourself not “how easy would it be to break into all of these?” but “how easy would it be for someone to break into any one of these domains?” I know both Rackspace and Google are on the list, and both were targeted in the Aurora attacks that were allegedly attributed to the Chinese military (as one example). So it’s not a question of whether it is possible to break into one of these domains; it’s only a question of how hard someone is willing to try. Can you have a secure website without secure email? (Spoiler: no, you cannot.)

We are putting all our eggs in a very small basket that hundreds of thousands of people could potentially have access to. The real issue isn’t Hillary Clinton and her blackberry. The real problem is that everyone everywhere who is on the public Internet is subject to this Internet Service Supply Chain. It’s inescapable because the Internet isn’t a bunch of islands; it’s far more interconnected, with consolidated power resting with a handful of service providers. We are all just as vulnerable as Hillary is, if we use the same Internet that she does.

Hillary is no different from anyone else. I could have done this same analysis on any company anywhere and gotten roughly the same results. Suppose the target itself (Hillary’s email in this case) were actually secure; it doesn’t matter. If there is a vulnerability in any one of the companies the target relies on, the target is vulnerable. That is what happened with Lenovo, whose registrar (Webnic) was hacked, and that is just one example from less than a month ago.

That’s the problem with the Internet Services Supply Chain – any weak link in the chain can cause a cascade/ripple effect. It also means the stakes are getting even higher for those service providers and those who use them as power is consolidated to a few mega-companies that have the reach and access to control so many other companies. At some point no company and no individual will be able to ensure their own or their partners’ security.

And now you’re probably asking yourself, “Why, oh why did I pick the red pill?”

#HackerKast 25: Email Tripwire – How to Tell if My Email Has Been Hacked Into

How can you tell if someone is reading your email? Recently there has been concern not just about hackers but also about employees of the provider, administrators and so on who can access your account. Even in a non-nefarious situation it is still important to know when someone has been looking through your inbox.

Jer took me on a trip down memory lane and asked me to look into an old blog post he had written a while back about how you can detect if your webmail account has been hacked into. The theory is simple: send yourself an HTML MIME email that references an image hosted on a server you control, and when the image is requested you know someone has opened that email.

By looking through your web server logs for requests for that image, you can tell that someone has looked at the email. It’s not bullet-proof and doesn’t work on all types of mail clients: many clients block remote images by default, and some webmail providers fetch them through their own proxy, so a request proves only that something loaded the image, and the absence of one does not prove nobody read it. But it’s a solid idea.

So I went back and wrote a little Perl script called “emailtripwire” that sends just such an email. I tested it on Yahoo mail and it worked perfectly. Google had delivery issues that I never got around to diagnosing. Outlook works great if you allow the image to load once – Outlook remembers that and will continue to do so, however that setting may be dependent on your local setup and may not carry over to other Outlook installs. But it does appear to work, and that’s the important part.

Using your own server to host the image is naturally the best solution if you already have one, but a lot of people don’t have access to their own server. Instead, people interested in this technique can use an image-based tracking service like Fraudlog, which shows you when the image has been requested after the email is opened.

So it is still possible to use this method to detect if your email has been compromised or detect when someone like an administrator has been in your account, even without the ability to host your own image. Sometimes it’s the simple tricks that work the best!
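To make the procedure above concrete, here is an added example in Python (it is not the emailtripwire Perl script from the post, and the tracker host, log format and sample log lines are assumptions): it builds the HTML/plain multipart message with a per-email random token in the image URL, and it scans web server access-log lines in the common “combined” format for requests for that token’s image.

```python
import re
import secrets
import smtplib
from email.message import EmailMessage
from email.utils import formatdate
from typing import List, Optional

# Assumptions (not from the original post): you host a 1x1 GIF on a web server
# you control under this URL prefix, and you can read that server's access log
# in the Apache/nginx "combined" format.
TRACKER_BASE = "https://tripwire.example.net/t"


def make_token() -> str:
    """Random per-email token so a hit cannot be faked by guessing the URL."""
    return secrets.token_hex(16)


def build_tripwire_email(sender: str, recipient: str, token: str,
                         subject: str = "Backup codes") -> EmailMessage:
    """multipart/alternative message whose HTML part references the tracker image.
    The bait subject is deliberately boring-but-tempting; change it as you like."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = subject
    msg["Date"] = formatdate(localtime=True)
    msg.set_content("The backup codes are in the HTML version of this message.")
    html = (
        "<html><body><p>Backup codes for the account are below.</p>"
        f'<img src="{TRACKER_BASE}/{token}.gif" width="1" height="1" alt="">'
        "</body></html>"
    )
    msg.add_alternative(html, subtype="html")
    return msg


def send_via_smtp(msg: EmailMessage, host: str, port: int = 587,
                  user: Optional[str] = None, password: Optional[str] = None) -> None:
    """Submit the message over STARTTLS. Hypothetical submission server details."""
    with smtplib.SMTP(host, port) as smtp:
        smtp.starttls()
        if user:
            smtp.login(user, password or "")
        smtp.send_message(msg)


# combined log line: ip - user [time] "METHOD path HTTP/x" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def find_hits(log_lines, token: str) -> List[dict]:
    """Every request for this token's image. A hit means *something* fetched the
    image: a human opening the mail, an admin's mail client, or a scanner/proxy."""
    wanted = f"/t/{token}.gif"
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path") == wanted:
            hits.append({"ip": m.group("ip"), "time": m.group("time"),
                         "status": int(m.group("status")), "ua": m.group("ua")})
    return hits


# Constructed sample log: one unrelated request, one fetch of the tripwire image.
SAMPLE_TOKEN = "0f3e6d1b2a9c4e8f7a6b5c4d3e2f1a0b"
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Mar/2015:10:12:01 -0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [05/Mar/2015:10:14:33 -0800] "GET /t/0f3e6d1b2a9c4e8f7a6b5c4d3e2f1a0b.gif HTTP/1.1" 200 43 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    msg = build_tripwire_email("me@example.net", "me@example.net", make_token())
    print(msg["Subject"], "->", msg["To"])
    for hit in find_hits(SAMPLE_LOG, SAMPLE_TOKEN):
        print("tripwire hit:", hit)
```

Keep the token out of the subject and body text so that a hit can only come from rendering the HTML part, and treat the source IP with care: a hit from your provider’s image proxy tells you the message was opened but not by whom.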

Resources:
Facebook explains when employees can access your account without your password
How to check if your WebMail account has been hacked
emailtripwire
Fraudlog

#HackerKast 24: Uber driver data hacked, Hilary Clinton’s personal email, Relative Path Overwrite

Hey Everybody! Thanks for checking out this week’s HackerKast. Lets get started!

We started off this week talking about Uber’s recent data breach. For those who haven’t heard about it, the personal information of roughly 50,000 of its drivers was accessed illegally: names, driver’s license numbers, plate numbers and so on. The culprit was a familiar one to us, a private database key that ended up in a public GitHub repository. GitHub and Amazon both actively scan public repos for leaked keys and notify their users that they might want to take them down, which shows this happens often enough to be worth monitoring for.

Next, we did some shameless self promotion on a cool thing Robert whipped up. A huge problem lately has been registrars and DNS providers being hacked in order to redirect domains to malicious servers. To stay on top of this Robert wrote a tool to monitor your DNS so that if a record ever changes you get an alert and can minimize the damage. Feel free to download the little script and mess around with it!

Hillary Clinton made security news this week due to some email issues that came to light after a few years. It turns out she was using a personal email address instead of a State Department address during her time there. There is tons of speculation about why she did this and whether it was a good idea, but it certainly seems out of the norm. The fact that the server’s login page is public facing and being talked about is probably a bad thing, since anybody can now try to log in.

In top level domain news, all sites on the .tp TLD are being phased out and moved over to the .tl space. Now that TLDs are open to registration, if somebody later manages to register .tp domains they’ll start getting a lot of unintended inbound traffic. This is the first time any of us have heard of a TLD switching. Robert points out that if somebody registers google.tp the implications will be pretty nasty.

We gave a quick shout out to a bunch of our favorite conferences coming up that a few of us are getting involved in. Jer and I are both speaking at RSA and the AppSecUSA CFP is open. We always love AppSecUSA as one of our favorite conferences of the year.

Lastly, Robert covered some really cool new research called Relative Path Overwrite (RPO). This comes to us from Gareth Heyes, who is always coming out with great stuff, and this is no exception. The attack has to do with the way paths are written into pages using relative references: a stylesheet link without a leading slash, or one using ../../ notation, resolves against whatever URL the page was requested at. If the server answers the same page for URLs with extra trailing path segments, an attacker can pick a URL that makes the browser load the page itself (including any text the attacker can get into it) as CSS, which works in certain browsers. Be sure to check out this research for some juicy new web app fun.
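The resolution rule at the heart of RPO, shown as an added example (this is not code from Heyes’ research; the application, its routing behaviour and the URLs are hypothetical): a page served for any path under /index.php references its stylesheet as the relative `style.css`, and the example traces which URL the browser actually fetches for the stylesheet, and what content type comes back, for the canonical URL versus URLs with an extra trailing segment.

```python
from urllib.parse import urljoin, urlsplit

# Hypothetical application: the framework routes every request whose path begins
# with /index.php to the same handler and ignores the trailing PATH_INFO, so
# /index.php/anything/at/all returns the same HTML as /index.php.
PAGE_HTML = '<link rel="stylesheet" href="style.css"><p>Hello</p>'


def server_response(path):
    """Content-Type and body the hypothetical app returns for a request path."""
    if path == "/index.php" or path.startswith("/index.php/"):
        return "text/html", PAGE_HTML
    if path == "/style.css":
        return "text/css", "p { color: #000 }"
    return "text/plain", "404"


def stylesheet_url(page_url, href="style.css"):
    """Where the browser resolves the page's relative stylesheet reference:
    RFC 3986 resolution keeps the page path up to its last '/' and appends href."""
    return urljoin(page_url, href)


def what_the_browser_loads_as_css(page_url):
    """(URL the browser requests for the stylesheet, Content-Type it receives)."""
    url = stylesheet_url(page_url)
    ctype, _body = server_response(urlsplit(url).path)
    return url, ctype


if __name__ == "__main__":
    for u in ("http://app.example/index.php",
              "http://app.example/index.php/",
              "http://app.example/index.php/anything/"):
        print(u, "->", what_the_browser_loads_as_css(u))
```

For the canonical URL the stylesheet resolves to /style.css as intended; with a trailing slash or an extra segment the browser requests /index.php/.../style.css, the application happily returns the HTML page, and the browser parses that HTML as a stylesheet. Referencing assets by absolute path (href="/style.css") or setting a `<base>` element removes the dependency on the request URL.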

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources

Notable stories this week that didn’t make the cut:
Alleged Anonymous hacker, deported to U.S. after Canada refused to grant asylum
Apple Pay Scam
PayPal Drops Mega Due to End-To-End Encryption
D-LINK ROUTERS HAUNTED BY REMOTE COMMAND INJECTION BUG

CVE-2015-0204 Freak Attack

OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k are vulnerable to a downgrade attack (CVE-2015-0204, “FREAK”). In short, an attacker who can man-in-the-middle a client and a web server replaces the client’s cipher list with the RSA export suites; if the server still supports those suites and the client’s OpenSSL accepts an export-grade RSA key in a non-export handshake, the connection ends up protected by a 512-bit RSA key. A 512-bit key can be factored in hours on rented compute, after which the attacker can decrypt the HTTPS traffic between the user and the web application. Worse, many servers generate the export key once per process and reuse it, so a single factoring job unlocks every downgraded connection to that server until a new key is produced (typically when the server restarts).

The current solution is to disable support for any export suites. According to freakattack.com the best solution is to “disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols beyond RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check your site using the SSL Labs’ SSL Server Test.”
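The server-side precondition for FREAK, that the server still accepts an export cipher suite, can be checked with a minimal handshake. The following added example (written for this page, not taken from freakattack.com or from any WhiteHat tooling; the host names and the constructed ServerHello bytes are assumptions) builds a TLS 1.0 ClientHello that offers only export suites, parses the server’s first record to see whether it picked one of them or answered with an alert, and wraps that in a live probe.

```python
import os
import socket
import struct
import sys

# Export-grade cipher suites from the TLS 1.0/1.1 registries (RFC 2246 / RFC 4346),
# keyed by their two-byte code points. These are the suites a FREAK-style MitM
# substitutes into the client's offer.
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
}


def build_client_hello(suites, sni=None) -> bytes:
    """TLS 1.0 ClientHello record offering only `suites`, optionally with SNI."""
    body = b"\x03\x01" + os.urandom(32) + b"\x00"            # version, random, empty session id
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"       # cipher_suites, null compression
    if sni:
        name = sni.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # NameType host_name
        lst = struct.pack("!H", len(entry)) + entry
        ext = b"\x00\x00" + struct.pack("!H", len(lst)) + lst   # ExtensionType server_name
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def negotiated_suite(response: bytes):
    """Cipher suite code from the ServerHello in the server's first record,
    or None if the server sent an alert (refused our offer) or something else."""
    if len(response) < 5:
        return None
    rtype = response[0]
    rlen = struct.unpack("!H", response[3:5])[0]
    if rtype != 0x16:                     # 0x15 = Alert, e.g. fatal handshake_failure
        return None
    hs = response[5:5 + rlen]
    if len(hs) < 4 or hs[0] != 0x02:      # not a ServerHello
        return None
    sh = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(sh) < 38:                      # version(2) random(32) sid_len(1) suite(2) comp(1)
        return None
    off = 35 + sh[34]                     # skip the variable-length session id
    if len(sh) < off + 2:
        return None
    return struct.unpack("!H", sh[off:off + 2])[0]


def accepted_export_suite(response: bytes):
    """Name of the export suite the server chose, or None if it did not choose one."""
    code = negotiated_suite(response)
    return EXPORT_SUITES.get(code) if code is not None else None


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Live check: offer only export suites to `host` and report what it picked."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(EXPORT_SUITES), sni=host))
        data = sock.recv(4096)
    return accepted_export_suite(data)


# Constructed server responses for offline demonstration.
def fake_server_hello(suite: int) -> bytes:
    body = b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


FATAL_HANDSHAKE_FAILURE = b"\x15\x03\x01\x00\x02\x02\x28"   # Alert: fatal, handshake_failure(40)

if __name__ == "__main__":
    print("vulnerable server answers:", accepted_export_suite(fake_server_hello(0x0008)))
    print("patched server answers:", accepted_export_suite(FATAL_HANDSHAKE_FAILURE))
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", probe(sys.argv[1]))
```

A server that answers the export-only offer with a ServerHello naming one of these suites is still exposing the half of FREAK that is under the administrator’s control; a hardened configuration answers with a handshake_failure alert. The probe says nothing about the client side of the bug, which is fixed by updating OpenSSL.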

WhiteHat Security already tests for weak cipher suites as part of our Premium Edition service. If you have any questions about this vulnerability please reach out to our Customer Support team at support@whitehatsec.com

#HackerKast 23: Lenovo, Venmo Sex, Drugs, and Guns, Casino Hacked, WordPress, Remotely Hacking Cars

Hey everybody! Welcome to this week’s HackerKast. We’ve got Jer back! We put this one out late this week just to get him back in the mix.

First, we absolutely HAD to talk about Lenovo and Superfish. For those living under a rock, Superfish came pre-installed on Lenovo consumer laptops and does all sorts of nasty MitM things: it installs its own root certificate in the machine’s trust store and breaks SSL locally to inspect traffic, and every machine shipped with the same private key, which was quickly extracted. They did this under the guise of advertising (of course), but it was awful once we all found out. Robert Graham over at Errata Security did a great writeup of the technical deep dive he did into what was going on with these certificates.

Tied to that same story, Lizard Squad reared their head again with their specialty, a DNS hijack. Their target this time was Lenovo, due to recent events, and they took over the domain by way of a command injection flaw at the domain registrar. Brian Krebs did some digging and found it was all due to the registrar, Webnic, being vulnerable to an attack.

Moving along to a fun clickbait story with an actual privacy twist, Venmo made the news this week in a bad way. The headline we couldn’t ignore was “New Site Tells You Who’s Paying For Sex, Drugs, and Alcohol Using Venmo.” Sounds interesting, right? Well, it turns out Venmo has turned itself into a bit of a social network about who is giving money to whom and for what. The kicker is that all of that information goes to a public timeline unless you specifically set it private, and nobody bothers to change anything, so a site called Vicemo popped up to gather all the illicit payments and put them in its own feed. Check out all the amusing things people are sharing money for.

Next, Jer talked about a few more details of a story we talked about back in 2014 of a Las Vegas Casino getting hacked via a publicly facing development site. The hack is being attributed to the Iranians who ran amok once they got in the network of the Casino. They did this after a lot of time brute forcing their VPN to no avail. Just goes to show how important it is to figure out what websites are public facing!

We had to talk about this next one even though it’s a bit embarrassing. We’ve all got vulns! Even WhiteHat! We eat our own dog food and run our scanner on our website constantly, and we found a bug on our blog caused by the WordPress plugin we use to publish our podcast on iTunes. Imagine that… A WordPress plugin causing a vulnerability… Who woulda thunk? Anyway, we emailed them and in the meantime coded up a hotfix after immediately removing the plugin from production. Before we even got a chance to hot patch with our own code, though, the developer of the plugin in South Africa woke up and rolled out his own fix in less than a day. Good news all around!

Lastly we talked about a fun and scary news story about remotely bricking cars. Some car dealerships install little black boxes in the cars they sell; the boxes let the dealer remotely disable a car if the buyer gets behind on payments, making it easier to repossess. And what were all of these black boxes controlled by? A web app. Some IT guy who left the company “hacked” back in (I’m guessing he used access that hadn’t been turned off yet) and started remotely shutting down cars in Texas left and right. This brought up a bit of a conversation about the Internet of Things, where Robert does what he does best and scares everybody off the Internet.

Sorry for the late one this week, hope you all enjoyed!

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

Lenovo shipping with pre-installed Adware and SSL certificate “Komodia”
Extracting the Superfish Certificate
Lenovo’s DNS Gets Hijacked by Lizard Squad using Command Injection in Registrar
Webnic Registrar Blamed for Hijack of Lenovo, Google Domains
Site Discloses Who is Paying for Sex, Drugs and Guns
Las Vegas Casino Hacked by Iranians in 2014
The time a hacker remotely bricked cars in Texas

Notable stories this week that didn’t make the cut:
AT&T Extorts Users For Privacy
Cybersecurity Czar Claims Selfies Are Good Biometrics
HTTP/2.0 “Finalized”
Google’s new Hacker Classifier Misclassifies Websites As Hacked
GCHQ & NSA’s Great SIM Heist
Turbotax’s Anti-Fraud Efforts Under Scrutiny
Origins of Russian Astroturfing
Google Making Adult Blogs Private – Effectively Shutting Them Down
Infinity Million Bug Bounty for Pwnium
Net Neutrality Passed!

dnstest – Monitor Your DNS for Hijacking

In light of the latest round of attacks against and hijackings of DNS, it occurred to me that most people really don’t know what to do about it. More importantly, many companies don’t even notice they’ve been attacked until a customer complains. Smaller companies, which may not have many customers or only accept comments through a website, may never know unless they check at random or the attacker releases the site and the flood of complaints rolls in after the fact.

So I wrote a little tool called “dnstest.pl” (yes a Perl script) that can be run out of cron and can monitor one or more hostname-to-IP-address pairs of sites that are critical to you. If anything happens it’ll send you an alert via email. There are other tools that do this or similar things, but it’s another tool in your arsenal; and most importantly dnstest is meant to be very lightweight and simple to use. You can download dnstest here.

Of course this is only the first step. Reacting quickly to the alert simply reduces the outage and the chance of customer complaints or similar damage. If you like it but want it to do something else, go ahead and fork it. Enjoy!
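For readers who want to see the monitoring idea in code, here is an added Python example that follows the same shape as the dnstest.pl described above and mentioned in the HackerKast 24 notes; it is not the Perl script itself, and the host names, addresses and mail settings are constructed assumptions. It resolves each critical host, compares the full set of answers with a recorded baseline, and builds an alert email when anything differs.

```python
import smtplib
import socket
from email.message import EmailMessage

# Constructed baseline (hypothetical names and RFC 5737 documentation addresses).
# Record it once from a trusted vantage point and keep it under version control.
EXPECTED = {
    "www.example.net":  {"198.51.100.10", "198.51.100.11"},
    "mail.example.net": {"203.0.113.25"},
}
ALERT_FROM = "dnstest@example.net"   # assumed addresses
ALERT_TO = "oncall@example.net"


def resolve_a(hostname):
    """All A records the system resolver returns; empty set on NXDOMAIN or timeout."""
    try:
        _name, _aliases, addrs = socket.gethostbyname_ex(hostname)
        return set(addrs)
    except socket.gaierror:
        return set()


def check(expected, resolver=resolve_a):
    """Return [(host, expected_sorted, observed_sorted)] for every mismatch.
    Extra or missing addresses both count: an attacker who merely *adds* a record
    still captures a share of the traffic, and an empty answer is an outage."""
    problems = []
    for host, want in expected.items():
        got = resolver(host)
        if got != want:
            problems.append((host, sorted(want), sorted(got)))
    return problems


def alert_message(problems, sender=ALERT_FROM, recipient=ALERT_TO):
    """Plain-text alert listing each changed host with before/after answers."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[dnstest] {len(problems)} record(s) changed"
    lines = [
        f"{host}: expected {', '.join(want)}; resolver returned {', '.join(got) or 'nothing'}"
        for host, want, got in problems
    ]
    msg.set_content("\n".join(lines) + "\n")
    return msg


def main():
    """Intended to run from cron; exits non-zero when an alert was sent."""
    problems = check(EXPECTED)
    if problems:
        with smtplib.SMTP("localhost") as smtp:   # local MTA assumed; adjust for your setup
            smtp.send_message(alert_message(problems))
    return len(problems)


if __name__ == "__main__":
    raise SystemExit(1 if main() else 0)
```

Two caveats a practitioner would add: hosts behind a CDN or round-robin pool legitimately return changing answers, so baseline those by the address ranges or CNAME target rather than exact IPs; and since a registrar compromise usually shows up first as a change of NS records (the “Relies on … for DNS” entries in the supply chain listing above), a production monitor should also query NS and CNAME records directly, which needs a DNS library rather than the system resolver.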