Author Archives: Robert Hansen

About Robert Hansen

Robert Hansen is the Vice President of WhiteHat Labs at WhiteHat Security. He's the former Chief Executive of SecTheory and Falling Rock Networks which focused on building a hardened OS. Mr. Hansen began his career in banner click fraud detection at ValueClick. Mr. Hansen has worked for Cable & Wireless doing managed security services, and eBay as a Sr. Global Product Manager of Trust and Safety. Mr. Hansen contributes to and sits on the board of several startup companies. Mr. Hansen has co-authored "XSS Exploits" by Syngress publishing and wrote the eBook, "Detecting Malice." Robert is a member of WASC, APWG, IACSP, ISSA, APWG and contributed to several OWASP projects, including originating the XSS Cheat Sheet. He is also a mentor at TechStars. His passion is breaking web technologies to make them better.

Anonymity or Accountability?

Over a decade ago, when I was just starting in the computer security scene, I went to a conference for managed security services providers as the sole representative for my company. Near the end of the day-long conference there was a large discussion in which people were asked, “If you could change one thing with a magic wand to have the biggest impact on security, what would it be?”

When it finally got to me, I said the only thing that came to mind, “Attribution.” I explained, “If I had a magic wand and could change anything to have the largest impact on security, I’d make it so that everything on the Internet could be attributed to people so that we could have accountability. If you knew the packet you sent would be tagged with the information necessary for someone to track you down, you’d be extremely unlikely to commit any crimes using the Internet.”

I know it’s impossible to do that, but it was a magic wand after all. But that’s not the end of the story. Over the years I have become a privacy “guy” insomuch as I take people’s privacy seriously. However, I also have one foot squarely in the world of banking, finance, retail and so on – where attribution is hugely important for security, and also as an unintended consequence *ahem* marketing. So as much as I’d love to have people live in a free and open society, we all know what a bunch of jerks people can be when they know there’s nothing at risk when they break the law.

On the flip side, 100% attribution is terrible for privacy when you’re not doing anything illegal, or if you are a political dissident. The very last thing our forefathers wanted when they were talking amongst themselves in pubs on the East coast, considering creating a new nation, was attribution. They saw fit to write amendments to the constitution to limit unlawful search and seizures, and to allow freedom of speech.

So on one hand you have freedom and on the other hand you have safety. I have taken to asking people: “If you had to chose only one, which would it be? Accountability or Anonymity? Do you ever want there to be a way for you to do something anonymously or not? Do you ever want to be at risk of not finding someone who had committed a crime or not?”

I am somewhat surprised to find that when given only the choice between one or the other, it has been nearly an even split amongst people I talk to – usually at conference – about which they’d prefer. Right now, we teeter on the brink of having no anonymity at all. With enough vulnerabilities that allow full compromises of millions of machines, and enough listening posts all over the world, anonymity is slowly but surely getting harder and harder to get. Look at the most recent busts of various Tor hidden services like Silk Road 2 – people whose livelihoods and freedom depend on privacy still can’t manage it.

Most people would say that drug dealers and arms dealers deserve to be behind bars, so good riddance, regardless of how it happened. However, what about Colorado? Last year, being in possession of marijuana would land you in jail. This year it won’t. So are we as a society willing to indiscriminately put people in jail for breaking the law, even when the law later turns out to be unjust and/or bad for society?

Or worse yet, what if our government moves into a second age of McCarthyism – where they hunt down those who engage in civil disobedience with untold masses of siphoned information to decide whom to jail and whom to leave alone? What if adultery suddenly became a felony? Thought crimes could be punishable in such a dystopian world — not a pretty sight either. Though your banking passwords would be safe, certainly. (Except from the government.)

Perhaps releasing certain types of criminals or forgiving certain types of crimes, as California is about to do, might be a worthwhile exercise. A certain level of crime, while seemingly bad, is critical to allowing for a free society. It’s a complex issue, and of course there is always a middle-ground, but I think to properly understand the middle ground you have to explore the edges. What would a perfectly accountable Internet bring? It would bring with it a near zero cyber-crime rate but also limited freedoms. What would a perfectly anonymous Internet bring? It would bring unfettered cyber-crime but unlimited freedoms. It feels like you’d want some sort of middle ground, but there’s no such thing as “somewhat anonymous” when your life depends on it.

While my younger self would have said that “attribution” was the key to security, I would now tell my younger self to look beyond security, and really contemplate what a completely secure society would look like. Maybe a completely secure society with attribution for every act isn’t such a great idea after all, I would warn him. There are probably no easy answers, but it’s a conversation that needs to happen.

Assuming for a second that there was only one answer, if you had to chose one, which would it be: anonymity or accountability? And more importantly, why?

Oil Droplets and Your Banking Credentials

Warning: IANAQC (I am not a quantum cryptographer)

What does a droplet of oil have in common with the security of your banking credentials? Very little, you might think. However, there is research that came out a few months back, that confirms a theory made (and then dismissed) over 80 years ago about quantum effects. Bear with me.

For the last 80 years or so people have believed that particles are in two or more places at once, and only once measured do they “choose” a position and lock in. By virtue of being in two or more places at once, it is believed that a quantum computer can test all theories in a binary question simultaneously (on or off). Each binary question is effectively one bit of entropy, and if you get enough bits, you can build a very powerful computer.

From a computer security perspective it means that factoring large primes is a relatively easy thing to do – you get enough bits into your machine and you can factor the largest publicly available crypto-systems. While it is believed by the likes of Dr. Martin Helman (of Diffe-Hellman-Merkel key exchange infamy) that we have 10 years before such a machine is feasible and an additional 10 years before such a machine is usable, that still brings the time horizon of quantum cryptology into our lifetime.

That’s a scary thought if you have secrets that need to live beyond your lifetime – you only have 20 years before they are breakable by the military — or by anyone who could afford such a device in their evil lair; the only caveat would be the data collection and storage space for all that encrypted data.

However, recent findings suggest that particles might actually not be in multiple positions all at once; they might instead act like a droplet of oil dancing along the surface of a pool of water. Unlike a droplet of water, an oil droplet won’t go beneath the surface of the water (because of differing densities for oil and water). Instead, the oil droplet will bounce along on the surface. But when the oil droplet is first dropped, it causes a ripple, and that ripple will bounce around and could actually interact with the oil droplet again, causing it to move seemingly erratically.

So perhaps quantum particles, like oil, do not behave in “spooky” ways, but rather in very deterministic (as opposed to probabilistic) ways. That is to say that there may be no “magic” behind how particles behave – it may just be a very challenging fluid-dynamics problem. If we knew enough about the waves and the oil we might be able to predict exactly where the oil (or particle) would end up. Okay, but what does this have to do with your banking password?

If this theory is indeed true, cryptographers might be unable to build a quantum computer capable of being in a super-position (two positions at once), and therefore capable of factoring all possible variations at once in the way once envisioned. If that is true, we could be much safer in the near-term as our secrets stay safe from such a machine. That means that crypto-reliant technologies like SSL/TLS might actually have some greater longevity than previously thought (barring things like Poodle, BEAST, CRIME, etc.).

Although this is an unconventional theory, one that is not at all agreed upon by the scientific community (yet), and a difficult one to prove at that, it might make your banking passwords safe for a little longer than we previously thought. Who knew? Oil. Hmm! Read more about it in Wired.

So Your Nude Selfies Were Just Hacked…

If you haven’t been following the most recent news regarding a wide swath of celebrities whose accounts were hacked and private photos shared, you must have been having a lot of fun on Labor Day and I salute you.

Probably the very first thing most of the victimized celebrities are doing now is damage control – limiting their exposure as much as possible. Yes, their names are going to be put out there. Yes, it’s horribly embarrassing, but it’s also not a time to get caught up in self-pity (or self-blame): there’s work to be done. Being cool-headed and reducing the exposure will reduce the pain overall. Some people might go down the path of making examples out of the alleged perpetrators — but beware the Barbra Streisand effect. The harder you try to hide things, the more people want to see those things — like arial photos of Ms. Streisand’s lavish house, for instance.

But these events bring up an interesting point: What would you do if you were a celebrity who had dodged the bullet, but had similar incriminating photos on their computers, cell phones, etc.? More importantly, what should you be doing right now, this very minute, to make sure that anything you have posted to the cloud and want to keep private actually remains so?

First things first – locate every place that the sensitive information lives.
If it’s on a lover’s phone, an old computer that is collecting dust under your staircase, an old email account, or uploaded onto Dropbox – whatever the case may be, you need to find all of it and get an inventory of what those things are. Once you know what’s there, you have to find a way to securely delete that information. Just putting things in the trash can doesn’t work, unfortunately. Older computers have a knack for keeping lots of copies of things when discs defragment. So you need to securely wipe not only the data, but also the free-space on your computer.

Next use the “mud puddle” rule of thumb.
Ask the company that makes the system in question if there is any way to recover data after you have dumped it in a puddle of mud. If the answer is yes, you have a problem, because it means they have copies of your data and can decrypt it (if it was ever encrypted at all) and access it. Make sure that all copies are deleted and removed securely from all systems, and ask for some proof of that. In the worst case scenario, get your lawyer involved to make sure that all copies are securely and permanently deleted. You have two options with computers – either they are perfectly private and accessible only to you, or they have a high-level of convenience and availability. Choose one.

Next, remove all automated syncing to cloud-based systems.
There is no reason you should be sending all of your information to an environment that you don’t completely control. Find an IT guy to set up a private cloud instance that you can back up your computer to, and make sure you are the only one who can access that system once it’s set up if you have to store information off-site. There’s lots of precious family photos, and emails and documents that would be painful to lose. Back them up in a place that only you have access to.

Choose strong passwords.
It sounds simple but nearly every successful hack involving brute force relies on the individual accounts having weak passwords. Don’t fall for it: choose strong passwords, and make them unique. If your password for your free webmail is the same as for your critical systems that protect your nude pictures, you’re more likely to get hacked. It’s always the weakest link, so keep your passwords unique and strong. There’s a lot of password research out there that says that choosing a “passphrase” made up of several words in a row is the strongest sort of password. If you’re an actress, you are used to memorizing lines to get a part. Consider this just another script you need to memorize, but one that can protect your entire reputation. Or, even better, use “second factor authentication” – a physical token or something you have that cannot be stolen from the Internet, if your provider allows it.

Encrypt your nude selfies.
I’m not going to judge you — nude selfies aren’t bad, but they can be dangerous if you don’t encrypt them. There’s lots of encryption software out there and a great deal of it is free. You can choose something that encrypts your selfies when you’re not looking at them and decrypts them when you want to see them for some reason.

Send encrypted nude selfies.
Similar to the above, if you’re going to be sending nude selfies, make sure you do so in a way that self destructs. Software like Wickr can accomplish that for cell phones. There’s no reason to keep them around forever, and if you do need to keep them, you can always save them and re-send them later.

Don’t send nude selfies at all.
I know it sounds obvious and stupid, but once you become a celebrity, it’s really imperative to avoid sending anything incriminating or even keeping it around at all. If you do have to have it for some reason, make sure you keep it on a computer that isn’t capable of going online, so at least you can keep it compartmentalized. Systems that aren’t online are much harder to hack – and usually require physical access to your premises. This is the reason some militaries are reportedly going back to typewriters – it’s a lot harder to hack something physical without involving breaking and entering.

Pick strong secret questions.
One of the most often overlooked issues in computer security is the secret question. Most secret questions are terrible: “what is your favorite color?” Well, the chances that it’s one of a handful of colors is extremely high, and it’s even higher if you’re a celeb since no-doubt at some point someone asked you that on camera. This makes it extremely easy for someone to guess and therefore access your information. So lie and choose something else – some long string that only you know. Write it down somewhere so you don’t lose it, but keep it safe and unique – similar to passwords. Is your favorite color blue? I hope not. Is your birth date the same one that’s on IMDB? Please tell me no.

Disable everything you don’t need.
Living in LA does require you to use hands-free, and I’m sure driving down Venice Beach in your convertible sounds great, but at the same time every time you turn on wireless on your phone, or bluetooth or any additional service, you are putting yourself at greater risk. It’s all a matter of surface area, and the more things you can disable, the better.

Find a security pro.
I highly recommend you find a good security expert to analyze your life, and figure out how and where you are vulnerable. It might be something stupid and avoidable, like you leave your camera in a hotel room while you are away, or it might be something very complex having to do with configuration settings on your home Wifi. Whatever the case, you really should have someone who knows what they are doing take a look at how you live and give you practical advice on how to protect yourself.

It’s easy to blame the victims, and that’s the very last thing I’d ever want to do. I think, if anything, this just shows what a large percentage of people take nude pictures of themselves, so we can’t judge. But there are definitely a few steps people can take to avoid some of the embarrassment. For those who dodged the bullet, consider yourselves lucky; but perhaps it’s time to take your lucky winning streak and leave the blackjack table while there is still time.

Aviator (Default) Search Change

In an effort to find ways to work with a search provider, we spent a lot of time researching various models that would enable us to stay on the side of our users AND allow us to generate revenue to help us pay for Aviator development. Naturally we attempted to work with DuckDuckGo since they were already our search provider of choice. Unfortunately, the only way they were willing to work with us was to monetize ads, and we just aren’t willing to do that. Browsers monetizing ads is at the root of what’s causing issues for users, stifling security and eliminating privacy.

After months of work we decided that Disconnect Search was the best and most exciting path forward. We have a long-standing relationship with the Disconnect team because of their popular browser plugin, and their privacy record is spotless — and Disconnect was comfortable working a deal with us that didn’t rely on selling ads. You can’t beat that! We were thrilled to find a partner who cares enough about their users and ours to forgo the typical death cycle of mandatory partnerships that revolve around advertising, and instead just revolve around being the default search.

This is just another way we want to be clear that we are on our customer’s side, even in matters of business. Our transparency with our business model is the crux of why our users can trust our decisions to be in their best interest. So, in the coming update you will notice that the browser politely asks you if you want to switch from DuckDuckGo to Disconnect. The option is yours, of course, but this will help us continue to evolve the browser, and we believe Disconnect is the most private search engine we could find to boot. Two birds with one stone, right?!

As always, questions and comments are welcome!

DHS and Cyberterrorism

The DHS was recently polled on what groups and attacks they are personally most concerned about. This comes from a pretty wide range of intelligence officers at various levels of the military industrial complex. This underscores how the military is thinking and what they are currently most focused on. The tidbits I found interesting are on pages 7 and 8:

https://www.start.umd.edu/pubs/START_UnderstandingLawEnforcementIntelligenceProcesses_July2014.pdf

The DHS seems to be most concerned about Sovereign Citizens and Islamic Extremists/Jihadists (in that order). The rationale isn’t well explained, but I would presume that physical proximity and the radical nature of Sovereign Citizen groups trumps the extremist nature of Jihadists. I’m speculating, but that would seem to make sense. It could also be a reaction to FUD, but it’s hard to say.

More interestingly, the threat they find most viable is Cyberterrorism. That makes a lot of sense, because Cyberterrorism is cheap, can be done instantaneously, can be done remotely, and can be done with minimal skills and at minimal risk. It’s really hard to tell what’s Cyberterrorism versus what is just a normal for-profit attack, and attribution is largely an un-solvable problem if the attacker knows what they’re doing. Also, even if you can identify the correct adversary, extradition/rendition are tough problems.

There’s not a lot of substance here, because it’s all polls, but it’s interesting to see that our industry is at the top of the US intelligence community’s mind.

The Ghost of Information Disclosure

Information disclosure is a funny thing. Information disclosure can be almost completely innocuous or — as in the case of Heartbleed — it can be devastating. There is a new website called un1c0rn.net that aims to make hacking a lot easier by letting attackers utilize Heartbleed data that has been amassed into one place.

The business model is simple – 0.01 Bitcoins (Around $5) for data. It leaves
no traces on the remote server because the data isn’t stored there anymore,
it’s on un1c0rn’s server. So let’s play a sample attack out.

1) Heartbleed comes out;

2) Some time in the future un1c0rn scans a site that is vulnerable and logs it;

3) A would-be attacker searches through un1c0rn and finds a site of interest;

4) Attacker leverages the information to successfully mount an attack against the target server leveraging the data.

In this model, the attacker’s first packets to the server in question could be
the one that compromises them. But it’s actually more interesting than that. As I was looking through the data I found this query.

un1c0rn

For those of you who don’t live and breathe HTTP this is an authorization request with a base64 encoded string (which is trivial to reverse) that contains the usernames and passwords to the sites in question. This simple request found 400 sites with this simple flaw in it. So let’s play out another attack scenario.

1) Heartbleed comes out;

2) Some time in the future un1c0rn scans a site that is vulnerable and logs it;

3) Site is diligent and finds that they are vulnerable, patching up immediately and switching out their SSL certificate with a new one.

4) A would-be attacker searches through un1c0rn and finds a site of interest;

5) Using the information they found they still compromise the site with the username/password, even though the site is no longer vulnerable to the attack in question.

This is the problem with Information Disclosure – it still can be useful even long after the hole that was used to gather the data has been closed. That’s why in the case of Heartbleed and similar attacks not only do you have to fix the hole but you also have to expire all of the passwords, and remove all of the cookies or any other way that a user could gain access to the system.

The moral of the story is that you may find yourself being compromised seemingly almost magically in a scenario like this. How can someone guess a cookie correctly on the first attempt? Or guess a username/password on the first try? Or exploit a hole without ever having looked at your proprietary source code or even having visited your site before? Or find a hidden path to a directory that isn’t linked to from anywhere? Well, it may not be magic – it may be the ghost of Information Disclosure coming back to haunt you.

Spooky!

Aviator Status – 100k Downloads and Growing!

I realize it’s only been a handful of days since we launched the Windows version of Aviator, but it’s been an exciting ride. If you’ve never had to support a piece of software, it feels a bit like riding an unending roller coaster — you’re no longer in control once you get on the ride put your software out there. People will use it however they use it, and as the developer you simply have to adapt and keep iterating to make the user experience better and better. You can never get off the ride, which is a wonderful feeling – if you happen to like roller coasters! Okay, enough with that analogy.

When we released Aviator for Mac in October, we felt we were onto something when people started – almost immediately – emailing us asking us for features. We were sure we were on the right track when the media started writing articles. And when the number of downloads climbed from the thousands to tens of thousands to close to 45,000 Mac OSX downloads in just five months, we thought we were getting pretty incredible traction. But none of that prepared us for the response we received in just the handful of days since we launched Aviator for Windows. In just 5 days since the Windows launch, we have already hit a total number of 100,000 Aviator users – and that is without spending a single dime on advertising!

We were also pleasantly surprised that a huge chunk of our users came from other regions – as much as 30% of our new Windows user base was from Asia. This means that Aviator is already making a difference in every corner of the world. We’re extremely excited by this progress, and are very encouraged to continue to iterate and deliver new features. I think this really shows how visceral people’s reaction to security and privacy is. It’s no wonder – we’ve never given this kind of control to users before. Either that or our users got wind of how much faster surfing without ads and third-party tracking can be. :) Ever tried to surf the Internet on in-flight wireless? With Aviator you will find that websites are actually usable — give it a try!

We may never know why so many people chose Aviator, but I do hope more people share their user stories with us. We want to know our successes as well as the challenges that remain before us as we continue on this unending roller coaster ride. We really do appreciate all of your feedback and we thank you for helping to make Aviator such a huge success, right out of the gate. We’re just getting started!

Download WhiteHat Aviator for Windows or Mac here: http://www.whitehatsec.com/aviator

WhiteHat Aviator Beta for Windows

Since launching the Mac version of WhiteHat Aviator in October, the number one most-asked-for feature was a Windows version of the browser. Today we hit a major milestone: our Labs team is excited to announce that we are launching the Windows beta. If you want to try it, please download Aviator for Windows here.

Outside of keeping our blog and Twitter followers up-to-date since it’s release in October, we have done little-to-nothing to get attention for Aviator. There has been no marketing or sales resources invested in Aviator. Despite this, we’ve gotten tens of thousands of downloads with our Mac OSX version, and that number has been growing rapidly as the world takes notice.

Now the obvious next question everyone will ask is: “when do I get a version for XYZ operating system?” While we know this is highly important to a lot of our users, we have to balance that with a number of other features — which leads us to perhaps the second most-asked question: “how are you making money on Aviator?” The answer is, right now we aren’t. Therefore, some of our efforts will also be directed towards determining how to sell this in a way that does not involve profiting from our users’ information as many other browsers are in the unfortunate business of doing. As the saying goes, “if you aren’t paying for it, you’re the product.”

That said, we want to make sure that all of our existing users of WhiteHat Aviator know that they will continue to get the browser for free, forever. That’s right! Once we have determined how to monetize it, only new users will need to pay for a license. So, by all means encourage your friends to download it now, so they can enjoy Aviator for free, forever. This is our small way of thanking early Aviator adopters: if you’re one of them, you will never have to pay. A safer browser with free lifetime technical support? It’s unheard of, I know!

Don’t worry, we have a lot of exciting features on the horizon, and we do plan on supporting a number of additional operating systems. One thing at a time! We are thrilled with the hundreds of people who have written encouraging emails, made suggestions, offered feedback and sent us bug reports. We know we’ve hit a nerve and we’re excited by the prospect of a better, faster browser that works for the masses.

Lastly, a special thanks to all of our Windows Alpha testers and Mac Beta testers, without whom we surely wouldn’t have had such a well thought-out product. Please keep your feedback coming! Your input is critical for improving future Aviator versions.

List of HTTP Response Headers

Every few months I find myself looking up up the syntax of a relatively obscure HTTP header. Regularly I find myself wondering why there isn’t a good definitive list of common HTTP Response headers anywhere. Usually the lists on the Internet are missing half a dozen HTTP headers. So I’ve taken care to gather a list all of the HTTP response headers I could find. Hopefully this is useful to you, and removes some of the mystique behind how HTTP works if you’ve never seen headers before.

Note: this does not include things like IncapIP or other proxy/service specific headers that aren’t standard, and nor does it include request headers.

Header Example Value Notes
Access-Control-Allow-Credentials true
Access-Control-Allow-Headers X-PINGOTHER
Access-Control-Allow-Methods PUT, DELETE, XMODIFY
Access-Control-Allow-Origin http://example.org
Access-Control-Expose-Headers X-My-Custom-Header, X-Another-Custom-Header
Access-Control-Max-Age 2520
Accept-Ranges bytes
Age 12
Allow GET, HEAD, POST, OPTIONS Commonly includes other things, like PROPFIND etc…
Alternate-Protocol 443:npn-spdy/2,443:npn-spdy/2
Cache-Control private, no-cache, must-revalidate
Client-Date Tue, 27 Jan 2009 18:17:30 GMT
Client-Peer 123.123.123.123:80
Client-Response-Num 1
Connection Keep-Alive
Content-Disposition attachment; filename=”example.exe”
Content-Encoding gzip
Content-Language en
Content-Length 1329
Content-Location /index.htm
Content-MD5 Q2hlY2sgSW50ZWdyaXR5IQ==
Content-Range bytes 21010-47021/47022
Content-Security-Policy, X-Content-Security-Policy, X-WebKit-CSP default-src ‘self’ Different header needed to control different browsers
Content-Security-Policy-Report-Only default-src ‘self'; …; report-uri /csp_report_parser;
Content-Type text/html Can also include charset information (E.g.: text/html;charset=ISO-8859-1)
Date Fri, 22 Jan 2010 04:00:00 GMT
ETag “737060cd8c284d8af7ad3082f209582d”
Expires Mon, 26 Jul 1997 05:00:00 GMT
HTTP /1.1 401 Unauthorized Special header, no colon space delimiter
Keep-Alive timeout=3, max=87
Last-Modified Tue, 15 Nov 1994 12:45:26 +0000
Link <http://www.example.com/>; rel=”cononical” rel=”alternate”
Location http://www.example.com/
P3P policyref=”http://www.example.com/w3c/p3p.xml”, CP=”NOI DSP COR ADMa OUR NOR STA”
Pragma no-cache
Proxy-Authenticate Basic
Proxy-Connection Keep-Alive
Refresh 5; url=http://www.example.com/
Retry-After 120
Server Apache
Set-Cookie test=1; domain=example.com; path=/; expires=Tue, 01-Oct-2013 19:16:48 GMT Can also include the secure and HTTPOnly flag
Status 200 OK
Strict-Transport-Security max-age=16070400; includeSubDomains
Timing-Allow-Origin www.example.com
Trailer Max-Forwards
Transfer-Encoding chunked compress, deflate, gzip, identity
Upgrade HTTP/2.0, SHTTP/1.3, IRC/6.9, RTA/x11
Vary *
Via 1.0 fred, 1.1 example.com (Apache/1.1)
Warning Warning: 199 Miscellaneous warning
WWW-Authenticate Basic
X-Aspnet-Version 2.0.50727
X-Content-Type-Options nosniff
X-Frame-Options deny
X-Permitted-Cross-Domain-Policies master-only Used by Adobe Flash
X-Pingback http://www.example.com/pingback/xmlrpc
X-Powered-By PHP/5.4.0
X-Robots-Tag noindex,nofollow
X-UA-Compatible Chome=1
X-XSS-Protection 1; mode=block

If I’ve missed any response headers, please let us know by leaving a comment and I’ll add it into the list. Perhaps at some point I’ll create a similar list for Request headers, if people find this helpful enough.