Category Archives: Technical Insight

Web Security for the Tech-Impaired: Passwords that Pass the Test

In my last post, “The Dangers of Email”, I explored ways that folks who are less than technically savvy can practice good email security hygiene. Today we’ll get into a somewhat controversial subject: passwords. You use them everyday to log in to your bank account, credit card, Amazon — the list goes on and on. You probably log in to a few websites everyday, but how often do you think about that password you’ve chosen? Password security is a hot button topic and everyone has their own suggestion about what constitutes a good strong password. This post will help guide you to a relatively secure password.

Your password is your key to your online accounts. It’s the ID you create to prove that you are who you say you are in a digital world. As humans we tend to make passwords that are easy to remember. If you forget your password you often are prompted with a difficult series of steps to recover it, from answering security questions to calling a support line. To skip all that headache we often create passwords that are pretty easy to guess and we use those passwords for all our accounts. This makes it very easy for an attacker to gain access to all your accounts. If one site where I use that password is compromised and my password is leaked, the attackers now know my password for every single account I’ve created. No matter how quick I change those passwords I will most likely miss or forget one. This is why it’s a good idea to use a variety of passwords. Very secure folks will create a different password for every account they create. I would recommend that at the very least you create separate passwords for your sensitive accounts (your bank account, credit card, 401k, and so on).

Now the question is, what is considered a good password? It might surprise you to know that modern computers can ‘guess’ passwords quite quickly, often going through millions of potential passwords a day. Passwords that are just words are incredibly weak passwords that can be guessed quite quickly. Also short passwords are out. Most experts agree that passwords should be at least 12 characters long. To make it harder to break, your password should contain a mixture of upper case and lower case characters, numbers, and special characters (such as !,@,#,$,?). It’s also a good idea to vary where these characters are placed. A friend of mine recently played ‘mind reader’ to some colleagues of mine. He had them think of a password of theirs. He then guessed that the first part of the password was a word of about 8 characters. That word is then followed by two numbers. The last character of the password is a special character. They were dumbfounded. Yes the human brain works the same for all of us. As we’re asked to do more and more things to our passwords we simply tack them on at the end. This is a pattern that hackers know about and will exploit.

So to sum up, here are some tips to help you practice good password habits:
1) Use a different password for all your important accounts. To win a gold star use a different password on all accounts.
2) Your password should be no less then 12 characters
3) Use a mix of lower case, upper case, numbers and special characters.
4) Don’t use the very common sequence of word-number-special character. Mix up where these are placed in your password.

Again, I urge our readers to feel free to forward this post on to friends or family that may benefit from these tips. Many in the security industry often forget that most consumers are less technically savvy, and therefore less security aware, than we are. This series is designed to help you, help them.

#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week where they are announcing that no form of SSL is good enough anymore. TLS or bust apparently to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.

tls13

Next, we always like talking about interesting bug bounty disclosures & payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug where by he proved he could delete any photo album on Facebook he had access to. By access I mean, any public photo album or one that was of his friends that he had permission to see. Was a pretty simple DELETE request sent without any authorization checks at all that would just process the deletion of the entire photo directory.

facebookDelete

Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site wide. This seems to be in a war against spam and scams on it’s site but has some real user repercussions that they will most likely get kick back from. We always love the moves by big websites to make decisions that will hurt users for the short term but make them more secure in the long term.

pinterestblocked

We couldn’t get away with not laughing about the facepalm of the week brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s, early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him. Addresses, telephone numbers, etc. of people writing to their Governor but Robert also found tons of politically sensitive stuff that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic among a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation which didn’t lead people to put any sort of access control or encrypted communications in place. Roberts lesson of the day here is use at least *some* security when installing things.

Lastly we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor country wide. This would be an interesting move for an entire country to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable but it would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Some guy figured out how to delete “every” photo on Facebook
Pintrest Bans Affiliate Links, Redirects and Trackers Across Entire Site
40,000 MongoDB Instances Found Open and Vulnerable
Ten Million Passwords
Jeb Bush Email Dump
PCI considers SSL Dead”>
Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:
Lawmakers Call for Investigation on Verizon SuperCookies
NSA may be Trolling You

#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story of the GCHQ, which is a British version of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape Twitter feeds of hacker types in order to get some information about who was breached and other valuable tid bits. Jer and Robert were a bit sad they were left out off the list and they aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and their user’s information that they were storing was stolen. We don’t know much about this breach but of course attribution game is being played and China is being blamed. We really just don’t know much but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime related hack.

Next in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new but the size here seems to be staggering. Robert is talking about $4billion annually on fraudulently filing taxes on behalf of people and getting their refund. We are talking $3k on average per refund but just multiplied by tons of people. The motivational problem to fix this for TurboTax is a bit weird because they actually get paid to process the refund, fraudulent or not. Since this is making so much news they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money this has been causing them to lose. Since Sony is public they need to file their earnings for the quarter which is now bringing some of the costs of the breach to light. It looks like $15million is the magic number it cost them for just investigation and response. Before I read the specifics of what this covered I thought the number was WAY low but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for Gnu Privacy Guard, a tool that the Internet highly relies upon for secure communications. Koch was one of the early proponents of free software but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause including Facebook and Stripe pledging $50,0000/year each. Score one for the good guys!

Lastly we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps waiting to get prompted for a rating and then giving them a high rating. This helps get the app to the top rated list which will in turn get more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around this will keep happening. Jeremiah made the comparison of CAPTCHA cracking farms but for App ratings which I thought was a good one.

Ended with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is completely community driven part of the process!
Blog outlinging the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds
Anthem and Turbotax Hack
Sony Hack Has Cost Its Business $15M So Far
Data Breach at Health Insurer Anthem Could Impact Millions
Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash
Iphone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:
NSA Using Disclosed Hacker Data
Uber Lost and Found DB left open
Fancybox WordPress Vuln
Meanwhile TrueCrypt is Replaced by VeraCrypt

#HackerKast 18 Bonus Round: Password Cracking

Hey Everybody! Thanks for checking out this week’s bonus footage. We like to do these to not just focus on current events but to also get our hands dirty with some technical demos. This week, we decided to talk about password cracking.

You hear news stories all the time about passwords being stolen and you may have heard of password hashes being cracked. What this means is that somebody got a hashed copy of a lot of passwords out of a database and are running programs against it to get the plain text password out.

For those of you familiar with password cracking this will be super boring but we decided to actually show what this looks like for those who haven’t seen it. I decided to use John the Ripper for this demo but could have used a ton of others like OCL Hashcat. Kali Linux has a few of these installed by default for those who want to play.

Since we are web app guys here at WhiteHat I decided to pick on some password hashes that make sense in our world, WordPress. Most password cracking demos you’ll see are running against local machine password files so instead of that I made a few of my own WordPress password hashes. The giveaway showing that these are WordPress hashed passwords is that they use a PHPass algorithm which results in a hash that always starts with $P$B.

The passwords I chose were pretty easy ones just to prove to you guys how easy cracking easy passwords is. Anything in the top couple of 1000 used passwords will be cracked in seconds with the help of a word list, as you’ll see in the video.

The other major point I wanted to make is that seemingly “good” passwords that follow all the rules of a websites password strength requirements can actually be pretty weak. The example I used was “Jeremiah29:11″ as a password passes most requirements. It’s over 8-10 characters, it is has upper and lower case letters, has numbers, and special characters. Seems great right? Well since it is a popular bible verse, this took less than 30 min. to crack on my laptop and would take seconds on a computer built for password cracking.

Check out the end of the video for some of our tips on secure password selection. Let us know what you think!

Web Security For the Tech-Impaired: The Dangers of Email

Editor’s Note: The following post is the first in a series of blasts that we will be sharing for readers who are – or who know people that are – not technically savvy. We will touch on topics that we in the security community are very aware of and attempt to break them down into language that those who are not as internet skilled may understand. If you have suggestions for topics you wish for us to cover in this series, please share in the comments.

You’ve all been there. You open your email and your mom has sent you something. You see the two letters you dread: FW. Oh look, it’s an email with a link to a YouTube video about a cat who just can’t seem to figure out that the sliding glass door is a solid object. You contemplate sending back an email saying ‘Come on Mom, you should know to never ever click on links in emails,’ but you don’t want to ruin her fun — and more than likely she won’t understand WHY clicking on links in emails is a bad thing. You could try to explain it to her, but you’re afraid her brain will explode if you start talking about things like “Cross Site Scripting”. Well folks, I’m going to try and help you out. In this new blog series, I am aiming to provide tips and advice that you can share with your less-than-tech-savvy friends and family – whether its your mom, grandpa, cousin Vinny or whomever. These are posts that I intend for you to FW: (uh oh, there are those letters again) the links to your mom (or whomever) so that they can get a non technical explanation of the dangers of the ‘internets.’ Now begins the non-technical explanation, here we go!

Hello there! You’re no doubt reading this as a result of your son/daughter/grandson/granddaughter having sent you here for guidance. Fear not, I will help guide you through the dangers of the internet and help you be more secure with your personal information. No doubt you’ve heard of recent credit card breaches in stores you visit every day. You’ve also probably heard about ‘phishing’ emails that ask for your personal information in an email or ask you to click some link. You may have seen emails that say ‘Your credit card has been stolen, please email your Social Security number, mother’s maiden name and birthdate to this email address.’ The good news is that you can prevent yourself from being a victim of these scams.

The first thing you’ll need to know is that you should be very, VERY paranoid about anything you get in an email. If someone knocks on your front door, you’re always skeptical about what they want; the same principle should be applied to email. Anyone and everyone can email you and not all emails should be trusted, particularly from contacts that you do not know or that ask you for personal information. Most businesses make it a point to not request such information over email, so if you get such a request, it is quite likely a scam. Secondly it is very easy to fake the sender of an email. Just because it says ‘admin@bankofamerica.com’ doesn’t mean it is. Never trust that your email is coming from the business that it purports to be coming from.

Furthermore, links and attachments in emails can be bad news. Just as it’s very easy to make it look like an email is coming from someone else, it’s just as easy to make a link in an email look different. I can easily make it look like it’s going to ‘www.youtube.com/someFunnyCatVideo’ but really when you click on the link it will take you to ‘www.ImSoEvil.com/LookAtHowEvilIAm.’ Fake sites are set up under the guise of seemingly legitimate URLs in an effort to get you to click on them which could lead to theft of personal information or worse. Attachments in emails from unknown sources are also bad news. You could be unknowingly downloading malware — software that can interfere with the proper functioning of your computer, damage your privacy or even install the dreaded virus.

All this sounds pretty frightening already. You may think you now need to go make a tin foil hat and build a bunker in your backyard. But with this knowledge you are well-armed to combat identity thieves. Here are a few simple things you can do to help protect yourself:

* Never give your personal information to anyone. No legitimate business will ask you to email them your Social Security number, credit card number, passwords, date of births, etc., over email. If they’re asking for that information it is 99.9% likely that it’s a scam. Sometimes an attacker will send an email that makes it sound like there’s an emergency — if you don’t do what they’re asking for right away something horrible will happen! Instead of doing what the email says, if it looks like it might be from a legitimate business – like a bank that you do actually have an account with – contact that business directly. Don’t use any links from that email. Let them know what email you received and that you want to confirm whether or not it was a legitimate email.

* Never click on a link in an email — it’s just asking for trouble. If you really want to watch that cat video, copy the link address into your browser window so you can be sure you’re sending your browser where you actually want it to go.

* If you receive an email that has an attachment and you were not specifically expecting that person to send you that attachment, contact them directly and confirm that they sent it and it’s a legitimate attachment. More than once a friend of mine has found out that their email account was hacked because I contacted them about a suspicious attachment.

This is all but the beginning of your training and you should come back to this blog often to hear more helpful (and hopefully easy to understand) advice on how to better protect yourself on the internet. Go forth and click on!

5 Days to Setting Up an Application Security Program

Congratulations! You now have the responsibility of ensuring your web applications are secure. This is the reality that modern day CISOs and security professionals address every day. You may have even lobbied for and championed this initiative because you are acutely aware of the risk that vulnerable web applications present to the business. Or as is often the case in reaction to a breach or an attack (aka a “security event”), web applications have now appeared on the radar of your senior management team. So, where to begin? Where’s the playbook?

To assist you in this endeavor, we have created an “Application Security Program Quick Start Guide.” WhiteHat has years of combined web application and security management experience which came in very handy for this undertaking. This guide is essentially a playbook that is both easy-to-consume yet prescriptive-enough that the reader is able to walk away with concrete action items to set in motion.

Web application testing is not a fledging security activity by any measure. That said, finding resources to help navigate the process of building a web application security program are scarce and often too high-level. In practice, there is no shortage of tools or services to perform web application testing, but testing alone is not a substitute for a comprehensive web application security program. To be successful, we should aim for a program that is more than simply testing sites and delivering results to stake holders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

Today we are releasing this “Application Security Program Quick Start Guide” in the hopes that it will help CISOs in their ongoing work to ensure the security of their organization’s web applications and mission-critical information. In addition, we have donated the guide under a Creative Commons license to the OWASP community for everyone to use.

You can download the guide here: https://whitehatsec.com/whitepaper/2015/01/12/whitepaper_appsec_quickstartguide.html

The OWASP project page can be found here: https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project

We hope this initial draft serves to spur the collective insights of those willing to participate.

North Korea’s Naenara Web Browser: It’s Weirder Than We Thought

Naenara Browser is the DPRK’s version of Firefox that comes built into Red Star OS, the official operating system of North Korea. I recently got my hands on Naenara Browser version 3.5. My first impression in playing with it is that this is one ancient version of Firefox. Like maybe more than a half dozen major revisions out of date? It’s hard to tell for sure in cursory checking but the menus remind me of something I used to use 5+ years ago. That’s not too surprising; it’s tough to have a browser and update it all the time, especially with such a small team devoted to the project, as I’m sure they have a lot of other things going on.

When I first saw an image of the browser I was awe-struck to see that it made a request to an adddress (http://10.76.1.11/) upon first run. That may not mean much to someone who doesn’t deal with the Internet much, but it’s a big deal if you want to know how North Korea’s Internet works.

If you want to send a request to a web address across the country, you need to have a hostname or an IP address. Hostnames convert to IP addresses through something called DNS. So if I want to contact www.whitehatsec.com DNS will tell me to go to 63.128.163.3. But there are certain addresses, like those that start in “10.”, “192.168.” and a few others that are reserved and meant only for internal networks – not designed to be routable on the Internet. This is sometimes a security mechanism to allow local machines to talk to one another when you don’t want them to traverse the Internet to do so.

Here’s where things start to go off the rails: what this means is that all of the DPRK’s national network is non-routable IP space. You heard me; they’re treating their entire country like some small to medium business might treat their corporate office. The entire country of North Korea is sitting on one class A network (16,777,216 addresses). I was always under the impression they were just pretending that they owned large blocks of public IP space from a networking perspective, blocking everything and selectively turning on outbound traffic via access control lists. Apparently not!

But it doesn’t stop there! No! No sirrreee… I started digging through their configuration settings and here are some gems:

  1. They use the same tracking system Google uses to create unique keys, except they built their own. That means the microtime of installation is sent to the mothership every single time someone pulls down the anti-phishing and anti-malware lists (from 10.76.1.11) in the browser. This microtime is easily enough information to decloak people, which is presumably the same reason Google built it into the browser.
  2. All crash reports are sent to the mothership (10.76.1.11). So every time the browser fails for some reason they get information about it. Useful for debugging and also for finding exploits in Firefox, without necessarily giving that information back to Mozilla – a U.S. company.
  3. All news feeds go back to the mothership in a specially crafted URL: http://10.76.1.11/naenarabrowser/rss/?url=%s At first it was unclear if that actually does anything or not, since we can’t see the IP address, but it looks like it probably does act as a feed aggregator.
  4. Strangely, the browser adds “.com” instead of “.com.kp” as a suffix when the browser can’t find something. It’s odd because this means in some cases this might accidentally be contacting external hosts when someone typos something in the country. A bad design choice, but perhaps meant for usability since most things live on .com.
  5. There are quite a few references to “.php” on the mothership website. I would be unsurprised if most things on it were written in PHP.
  6. Then I spotted this little number: http://10.76.1.11/naenarabrowser/%LOCALE%.www.mozilla.com/%LOCALE%/firefox/geolocation/ This is the warning that pops up when users turn on geolocation. But here’s the really crazy part: if you remove the DPRK specific URL part and just leave it as %LOCALE%.www.mozilla.com/%LOCALE%/firefox/geolocation/ and substitute %LOCALE% with “ko” you end up on Mozilla’s site translated into Korean. Could the mothership be acting as a proxy? Is that how people are actually visiting the Internet – through a big proxy server? Can that really be true? It kind of makes sense to do it that way if you want to allow specific URLs through but not others on the same domain. Hm!
  7. More of the same. This time the safe browsing API that Google supports to find phishing/malware stuff — http://10.76.1.11/naenarabrowser/safebrowsing.clients.google.com/safebrowsing/diagnositc?client=%NAME%&hl=%LOCALE%&site= — if you remove the preceding part of the URL and fill in the variables it’s a real site. And there are a bunch more like this.
  8. Apparently they allow some forms of extensions, plugins and themes, though it’s not clear if this is the whole list or their own special brand of allowed add ons: http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/extensions/ http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/plugins/ http://10.76.1.11/naenarabrowser/%LOCALE%/%VERSION%/themes/

  9. Apparently all of the mail from the country goes through the single mothership URL. Very strange to build it this way, and obviously vulnerable to man in the middle attacks, sniffing and so on, but I guess no one in DPRK has any secrets, or at least not over email: http://10.76.1.11/naenarabrowser/mail/?To=%s I found a reference to “evolution” with regards to mail, which means there is a good chance North Korea is using the Evolution project for their country.

  10. Same thing with calendaring? So many sensitive things end up in calendars, like passwords, excel spreadsheets, etc… it’s still very odd that they haven’t bothered using HTTPS internally: http://10.76.1.11/naenarabrowser/webcal/?refer=ff&url=%s

  11. This one blew my mind. Either it’s a mistake or a bizarre quirk of the way DPRK’s network works but the wifi URL for GEO still points to https://www.google.com/loc/json – not only is there no way for this to work since Google hasn’t gone through the country with their wifi cars, and it’s on the public Internet without going through their proxy of doom, but also it’s over HTTPS, meaning that if it were able to be contacted, the DPRK might have a hard time seeing what is being sent. Would they allow outbound HTTPS? More questions than answers it seems.
  12. The offical Naenara search function isn’t Google, and it’s not even clear if it’s a proxy or not. But one thing makes me think it might be – it’s in UTF-8 charcode, and not something that you might expect like BIG5 or ISO-2022-KR or SHIFT_JIS or something. http://10.76.1.11/se/search/?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&keyword= But wait a tick, after a little digging I found a partial match on the URL: /search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1 and where did I find this? Google. Are they proxying Google results? I think so! That means that depending on what Google can put on those pages, they technically can run JavaScript and read the DPRK’s email/calendars, etc. using XMLHTTPRequest, since they are all on the same domain. Whoops!

  13. In looking around at the certificates that they support, I was not surprised to find that they accepted no other certificates as valid – only their own. That means it would be trivial to man in the middle any outbound HTTPS connection, so even if they do allow outbound access to Google’s JSON location API it wouldn’t help, because the connection and contents can be monitored by them. Likewise, no other governments can man in the middle any connections that the North Koreans have (I’m saying that with a bit of tongue in cheek, because of course they can according to Wikileaks docs, but this probably makes the DPRK feel better — and more importantly they probably don’t know how to do it in the same way as the NSA does, so they have to rely on draconian Internet breaking concepts like this).

  14. The browser automatically updates, without letting the browser disable that function. That’s actually a good security measure, but given how old this browser is, I doubt they use it often, and therefore it’s probably not designed to protect the user, but rather allow the government to quickly install malware should they feel the need. Wonderful.
  15. Even if the entire Internet is proxied through North Korean servers, and even if their user agent strings are filtered by the proxy, an adversary can still identify a user using Naenara by looking at it in JavaScript space using navigator.UserAgent. Their user agent is, “Mozilla/5.0 (X11; U; Linux i686; ko-KP; rv: 19.1br) Gecko/20130508 Fedora/1.9.1-2.5.rs3.0 NaenaraBrowser/3.5b4″ So if you see that UserAgent string in JavaScript you could target North Korean users rather easily.
  16. Although the Red Star OS does lock down things like their file manager that only shows you a few directories, disables the command-O (open) feature, removes the omnibar feature and so on, it’s still possible to do whatever you want. Using the browser users can go to file:/// to view files and they can write their own JavaScript using javascript: directives which give them just about any access they want, if they know what they’re doing. Chances are they don’t, but despite their Military’s best efforts the Red Star OS actually isn’t that locked down from a determined user’s perspective.
  17. Snort intrusion detection system is installed by default. It’s either used as an actual security mechanism as it was designed or it could be re-purposed as a way to constantly snoop on people’s computers to see what they are doing when they use the Internet. Even if it didn’t phone home necessarily, the DPRK soldier who broke down your door could fairly easily do forensics and see everything you had done without relying on any IP correlation at the mothership. So using your neighbor’s wifi isn’t a safe alternative for a political dissident using Red Star OS.

My ability to read North Korean is non-existent, so I had to muddle my way through this quite a bit, but I think we have some very good clues as to how this browser and more importantly how North Korea’s Internet works, or doesn’t work as it might be.

It is odd that they can do all of this off of one IP address. Perhaps they have some load balancing but ultimately running anything off of one IP address for a whole country is bad for many reasons. DNS is far more resilient, but it also makes things slower, in a country with Internet connectivity that is probably already pretty slow. If I were to guess, the DPRK probably uses a proxy and splits off core functions by URL to various clusters of machines. A single set of F5s could easily handle this job for the entire country. It would be slow, but it doesn’t seem the country cares much about the comforts of fast Internet anyway.

Ultimately the most interesting takeaway for me personally was what lengths North Korea goes to to limit what their people get to do, see and contribute to — Censorship at a browser and network level embodied in the OS called Red Star 3.0. It’s quite a feat of engineering. Creepy and cool. Download the Red Star OS here.

Aviator Going Open Source

One of the most frequent criticisms we’ve heard at WhiteHat Security about Aviator is that it’s not open source. There were a great many reasons why we didn’t start off that way, not the least of which was getting the legal framework in place to allow it, but we also didn’t want our efforts to be distracted by external pressures while we were still slaving away to make the product work at all.

But now that we’ve been running for a little more than a year, we’re ready to turn over the reins to the public. We’re open sourcing Aviator to allow experts to audit the code and also to let industrious developers contribute to it. Yes, we are actually open sourcing the code completely, not just from a visibility perspective.

Why do this? I suspect many people just want to be able to look at the code, and don’t have a need to – or lack the skills to – contribute to it. But we also received some really compelling questions from the people who have an active interest in the Tor community who expressed an interest in using something based on Chromium, and who also know what a huge pain it is to make something work seamlessly. For them, it would be a lot easier to start with a more secure browser that had removed a lot of the Google specific anti-privacy stuff, than to re-invent the wheel. So why not Aviator? Well, after much work with our legal team the limits of licensing are no longer an issue, so now that is now a real possibility. Aviator is now BSD (free as in beer) licensed!

So we hope that people use the browser and make it their own. We won’t be making any additional changes to the browser; Aviator is now entirely community-driven. We’ll still sign the releases, QA them and push them to production, but the code itself will be community-driven. If the community likes Aviator, it will thrive, and now that we have a critical mass of technical users and people who love it, it should be possible for it to survive on its own without much input from WhiteHat.

As an aside, many commercial organizations discontinue support of their products, but they regularly fail to take the step of open sourcing their products. This is how Windows XP dies a slow death in so many enterprises, unpatched, unsupported and dangerously vulnerable. This is how MMORPG video games die or become completely unplayable once the servers are dismantled. We also see SAAS companies discontinue services and allow only a few weeks or months for mass migrations without any easy alternatives in sight. I understand the financial motives behind planned obsolescence, but it’s bad for the ecosystem and bad for the users. This is something the EFF is working to resolve and something I personally feel that all commercial enterprises should do for their users.

If you have any questions or concerns about Aviator, we’d love to hear from you. Hopefully this is the browser “dream come true” that so many people have been asking for, for so long. Thank you all for supporting the project and we hope you have fun with the code. Aviator’s source code can be found here on Github. You don’t need anything to check it out. If you want to commit to it, shoot me an email with your github account name and we’ll hook you up. Go forth! Aviator is yours!

Top 10 Web Hacking Techniques of 2014

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year:

2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]
Comment this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]
Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 2]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)
Heartbleed
TweetDeck XSS
OpenSSL CVE-2014-0224
Rosetta Flash
Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Facebook hosted DDOS with notes app
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
The PayPal 2FA Bypass
AIR Flash RCE from PWN2OWN
PXSS on long length videos to DOS
MSIE Flash 0day targeting french aerospace
Linskys E420 Authentication Bypass Disclosure
Paypal Manager Account Hijack
Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
How I hacked Instagram to see your private photos
How I hacked GitHub again
ShellShock
Poodle
Residential Gateway “Misfortune Cookie”
Recursive DNS Resolver (DOS)
Belkin Buffer Overflow via Web
Google User De-Anonymization
Soaksoak WordPress Malware
Hacking PayPal Accounts with 1 Click
Same Origin Bypass in Adobe Reader CVE-2014-8453
RevSlider
HikaShop Object Injection
Covert Timing Channels based on HTTP Cache Headers
NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE
Bypassing NoCAPTHCA
Delta Boarding Pass Spoofing
Cryptophp Backdoor
Microsoft SChannel Vulnerability
Google Two-Factor Authentication Bypass
Drupal 7 Core SQLi
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Reflected File Download
Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 1 and Example 2
File Name Enumeration in Rails
FlashFlood
Canadian Beacon
setTimeout Clickjacking

Click here to vote for your favorite web hacks of the year!

#HackerKast 13: Zombie POODLE, TCP/UDP Vulnerabilities, Jailed for XSS

This week Robert was keeping warm by his yule log while Jeremiah was freezing in the Boston snow and I won’t be putting Christmas ornaments in my beard no matter how many of you send me that blog post. To get right into it, we started off by talking about the return of POODLE. For those with short term memory loss, POODLE was a nasty vulnerability disclosed a few weeks back that affected SSL v3 which is: a) already widespread as-is and, b) easy to downgrade somebody’s browser to use. The zombie POODLE this week didn’t go after SSL this time and instead went after TLS 1.2 which is used *everywhere*. The most prominent place that will need patching is all F5 load balancers which are using this version of TLS – and that happens to be most of them. Sorry for all of you who lost sleep a few weeks ago because it is about to happen again this week. Happy Holidays!

Next, if you recall a topic from last week’s episode regarding Google’s alternative to CAPTCHA, well it appears Robert may be getting a Christmas wish early, and it didn’t take long. Before any of us had ever seen it in the wild, Google’s new solution to replace CAPTCHAs was found to be very easily avoidable. The check-box that is supposed to tell if you are a human or a robot turns out to fail back to a normal CAPTCHA which is nothing new. If that wasn’t useless enough, it actually introduces a new weakness that didn’t exist before! This check-box is clickjackable! You can gather tons of valid tokens that say you are a human and load them into your botnet or whatever you’d like.

Now buckle up and put your splash guards on because this next story blew our minds. A new proposal for the HTTP spec has popped up that would allow a browser to… wait for it… make TCP/UDP requests! Yup, you heard it. We had TCP/UDP and said: “Hey, let’s abstract a layer on top of that, and we’ll call it HTTP.” Now, fast forward to this month and we are saying: “Hey remember TCP/UDP? Lets put that on top of HTTP!” I’m picturing Dory from finding Nemo here. This opens tons of doors to all sorts of attacks behind a firewall via a web browser. Watch the video for a list of ideas that might be possible if this is implemented from Robert and I.

Lastly, we have a weird and sad story about somebody ending up in jail for a web “hack.” In Singapore, some unlucky fellow decided to poke around on their prime minister’s website. The website had a Google search bar embedded in it which seemed to tie into some reflection of that text which was unsanitized and therefore vulnerable to XSS. This led him to get a laugh out of it and craft a link with the reflective XSS in it and send it around which showed the prime minister’s site displaying a Guy Fawkes mask in reference to Anonymous. The thing with this though is that the site wasn’t actually defaced and no breach actually occurred. That didn’t stop the local authorities from sending this guy to jail for six months and fining him the equivalent of $34,000. As far as we know this is the first person since Samy on Myspace (who is my hero) who landed in jail due to XSS.

Keep an eye out for some Bonus Footage this week where Robert and I dig into some JavaScript Flooding attacks with an easy demo!

Resources:
POODLE back to bite TLS connections
The No CAPTCHA Problem
TCP and UDP Socket API
Singapore Hacker Jailed for XSS on Prime Minister’s Office Website