Category Archives: Technical Insight

Top 10 Web Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m. PT: We have our Top 10 list, folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Web Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those that made the list! Your research contributions are admired and should be respected. And a special thanks to everyone that voted or shared feedback. Also, for anyone that would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out!

Agree with the list? Disagree? Share your comments below.
END UPDATE

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year:

2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]
Comment this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]
Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)
Heartbleed
TweetDeck XSS
OpenSSL CVE-2014-0224
Rosetta Flash
Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Facebook hosted DDOS with notes app
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
The PayPal 2FA Bypass
AIR Flash RCE from PWN2OWN
PXSS on long length videos to DOS
MSIE Flash 0day targeting french aerospace
Linksys E420 Authentication Bypass Disclosure
Paypal Manager Account Hijack
Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
How I hacked Instagram to see your private photos
How I hacked GitHub again
ShellShock
Poodle
Residential Gateway “Misfortune Cookie”
Recursive DNS Resolver (DOS)
Belkin Buffer Overflow via Web
Google User De-Anonymization
Soaksoak WordPress Malware
Hacking PayPal Accounts with 1 Click
Same Origin Bypass in Adobe Reader CVE-2014-8453
RevSlider
HikaShop Object Injection
Covert Timing Channels based on HTTP Cache Headers
NODE.JS CONNECT CSRF BYPASS ABUSING METHODOVERRIDE MIDDLEWARE
Bypassing NoCAPTCHA
Delta Boarding Pass Spoofing
Cryptophp Backdoor
Microsoft SChannel Vulnerability
Google Two-Factor Authentication Bypass
Drupal 7 Core SQLi
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Reflected File Download
Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 1 and Example 2
File Name Enumeration in Rails
FlashFlood
Canadian Beacon
setTimeout Clickjacking

Final 15 (in no particular order):
AIR Flash RCE from PWN2OWN
Belkin Buffer Overflow via Web
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Heartbleed
Covert Timing Channels based on HTTP Cache Headers
Canadian Beacon
Cryptophp Backdoor
Hacking PayPal Accounts with 1 Click
Google Two-Factor Authentication Bypass
ShellShock
Facebook hosted DDOS with notes app
Rosetta Flash
Poodle
Residential Gateway “Misfortune Cookie”

#HackerKast 27: SXSW, Copy Magic Paste, Tinder AI, GTA V, Mystery SSL Fix

Hey everybody! Quick recap this week as we are gearing up for the Top 10 Web Hacks Webinar (which you can register to watch here).

Robert and I just got back from SXSW this weekend, and that was a very interesting experience. It was my first big trade show floor that wasn’t security related. Tons of interesting stuff floating around Austin this week!

First story we covered was about a Copy Magic Paste trick that Robert found from the SEO crowd. The idea started as a way for websites to force citation from people stealing content, but Robert was talking about the possibility of using it to sneak JavaScript into places.

Next, I touched on a fun Tinder story from SXSW where a movie about AI used a robot Tinder profile to match with people at the conference and after a short conversation the bot would point the person they tricked towards an Instagram promoting the movie. This brought up a lot of topics related to AI that were floating around the conference which Robert has a ton to say about.

A quick fun logic flaw in GTA V wound up with some real $ consequences. Jer and I love logic flaws; they feel like hacking without hacking. This one was pretty simple: make an in-game car for a few thousand in-game dollars and sell it for about 10x that. The writers of this article did the conversion on how much real-world money this would turn into, and it seemed people could make about $5 every 20 minutes. If this could be automated it would’ve been some nice passive income.

Jer talked about a new exciting story that we are all very hopeful about: Yahoo Mail end-to-end encryption. Alex Stamos, CISO over at Yahoo, announced a new program to use end-to-end encryption in their webmail client. The big question here is how usable this will be. If it is only as usable as PGP, we probably won’t see a huge uptick in adoption. We’ll be watching this closely as it has huge potential.

Lastly we touched on a “mystery” SSL fix from the OpenSSL community. A mailing list announcement mentioned some new version patches coming out that fix a high severity vulnerability. We don’t have much detail here but once we do know, it will be pretty interesting. In the wake of Heartbleed, we are all a bit nervous when OpenSSL is mentioned in the context of vulnerabilities.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Copy Magic Paste Modifies Copy Event on your Website
Tinder Users at SXSW Are Falling For a Robot
Grand Theft Auto Logic Flaw Leads To Real Money
User-Focused Security: End-to-End Encryption Extension for Yahoo Mail
New Mystery SSL Fix To Be Released Thursday

Notable stories this week that didn’t make the cut:
Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine
Microsoft Is Killing off the Internet Explorer Brand (now called Spartan)
Chromium to Block RFC1918 (Probably)

Hillary Clinton’s Emails And The Internet Services Supply Chain

Do you want the blue pill? Then leave. Up for the red pill? Then keep reading.

There has been a lot of talk about Hillary Clinton’s emails lately, and for good reason. People are genuinely concerned about national secrets falling into the hands of those who might hurt people. Regardless of the merit of the claims of how her private email address was used, I wanted to spend some time talking about something that hasn’t been talked about enough – the Internet Services Supply Chain (a made up term, like all the others). ;)

What is the Internet Services Supply Chain? Whenever you build a website or email account that you host yourself, there are a number of things that you need to rely on. First, you need to rely on the physical hardware and its components – that’s called the Hardware Supply Chain and is a well understood (although not at all solved) issue. Then you have software components that your site utilizes – that’s called the Software Supply Chain and is also a well understood (although not at all solved) issue. Lastly, there are a number of service providers that are incredibly important for the continuity and security of your site, and that is the Internet Services Supply Chain. Those can include – but are not limited to – hosting providers, DNS providers, email providers and registrars.

For example, Hillary Clinton’s email MX records are actually on two separate IP addresses:

clintonemail.com.inbound10.mxlogic.net - 208.65.144.3
clintonemail.com.inbound10.mxlogicmx.net - 208.65.144.2

Unfortunately, it’s not that easy. Mxlogic relies on companies too. And those companies rely on other companies, and so on. Here’s just a simple mapping of all of the companies who could theoretically have taken over her domain as a result of that supply chain:

clintonemail.com
	Relies on ns16.worldnic.com for DNS
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on networksolutions.com for Registrar
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on mxlogicmx.net for Email
		Relies on hostmaster@mcafee.com for Domain Admin Control
			Relies on akam.net for DNS
				Relies on hostmaster-billing@akamai.com for Domain Admin Control
		Relies on pdns3.ultradns.org for DNS
			Relies on Godaddy for DNS
				Relies on domains@neustar.biz for Domain Admin Control
					Relies on pphosted.com for Mail
						Relies on proofpoint.com for DNS
						Relies on dns@proofpoint.com for Domain Admin Control
					Relies on NEUSTARREGISTRY.BIZ for Registrar
						Relies on Godaddy for Registrar
							Relies on outlook.com for Mail
								Relies on msft.net for DNS
									Relies on domains@microsoft.com for Domain Admin Control
								Relies on o365filtering.com for DNS
								Relies on hotmail.com for Mail
								Relies on domains@microsoft.com for Domain Admin Control
			Relies on PDNS196.ULTRADNS.BIZ for DNS
			Relies on PDNS196.ULTRADNS.CO.UK for DNS
			Relies on DNS196.ULTRADNS.COM for DNS
			Relies on PDNS196.ULTRADNS.INFO for DNS
			Relies on PDNS196.ULTRADNS.NET for DNS
			Relies on PDNS196.ULTRADNS.ORG for DNS
		Relies on pdns2.ultradns.net for DNS
		Relies on pdns5.ultradns.info for DNS
		Relies on pdns6.ultradns.co.uk for DNS
		Relies on dnsadmin@mxlogic.com for Domain Admin Control
		Relies on register.com for Registrar
			Relies on NS-1119.AWSDNS-11.ORG for DNS
				Relies on hostmaster@amazon.com for Domain Admin Control
					Relies on dynect.net for DNS
						Relies on dynamicnetworkservices.net for DNS
							Relies on dynamicnetworkservices.net@secretregistration.com for Domain Admin Control
						Relies on mailhop.org for Mail
							Relies on tucowsdomains.com for Registrar
								Relies on tucowsdomains.com@contactprivacy.com for Domain Admin Control
								Relies on TUCOWS.COM for DNS
						Relies on hostmaster@dyn.com for Domain Admin Control
					Relies on markmonitor.com for Registrar
						Relies on psmtp.com for MX
							Relies on google.com for MX
							Relies on google.com for DNS
			Relies on NS-1887.AWSDNS-43.CO.UK for DNS
			Relies on NS-226.AWSDNS-28.COM for DNS
			Relies on NS-948.AWSDNS-54.NET for DNS

And this doesn’t even cover the supply chain for her hosting providers for mail.clintonemail.com or sslvpn.clintonemail.com. Now step back for a minute and ask yourself not “how easy would it be to break into all of these,” but “how easy would it be for someone to break into any one of these domains?” I know both Rackspace and Google are on the list, and they were both targeted in the Aurora attacks that were allegedly attributed to the Chinese military (as an example). So it’s not a matter of whether it is possible to break into a domain; it’s just a matter of how hard someone is willing to try. Can you have a secure website without secure email? (Spoiler: no, you cannot.)

We are putting all our eggs in a very small basket that hundreds of thousands of people could potentially have access to. The real issue isn’t Hillary Clinton and her BlackBerry. The real problem is that everyone everywhere who is on the public Internet is subject to this Internet Services Supply Chain. It’s inescapable because the Internet isn’t a bunch of islands; it’s far more interconnected, with consolidated power resting with a handful of service providers. We are all just as vulnerable as Hillary is, if we use the same Internet that she does.

Hillary is no different from anyone else. I could have done this same analysis on any company anywhere, and gotten roughly the same results. Let’s say the target was actually secure (Hillary’s email in this case); it doesn’t matter. If there is any vulnerability in any one of the companies the target relies on, the target is vulnerable. That is what happened with Lenovo, whose Registrar (Webnic) was hacked. And that’s just one example from less than a month ago.

That’s the problem with the Internet Services Supply Chain – any weak link in the chain can cause a cascade/ripple effect. It also means the stakes are getting even higher for those service providers and those who use them as power is consolidated to a few mega-companies that have the reach and access to control so many other companies. At some point no company and no individual will be able to ensure their own or their partners’ security.
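The kind of “Relies on X for Y” tree shown above can be produced for your own domains from public NS and MX records. The following is an added example, not the author’s tooling: the walk takes a resolver callback, so here it runs against a constructed record table loosely modelled on the tree above (not a live snapshot of any zone), and the registrable-domain helper is a deliberate simplification that would need the Public Suffix List in real use.

```python
"""Build a 'Relies on X for Y' dependency tree from NS and MX records.

Added illustration of the supply-chain mapping described above; it is not the
author's tooling. `resolve(name, rtype)` is a callback returning target names,
so the walk runs offline against the constructed table below (modelled loosely
on the post's tree, not a live snapshot) and could be pointed at a real DNS
library for your own domains.
"""

# Constructed record table: (name, record type) -> targets.
SAMPLE_RECORDS = {
    ("clintonemail.com", "NS"): ["ns16.worldnic.com"],
    ("clintonemail.com", "MX"): ["clintonemail.com.inbound10.mxlogic.net",
                                 "clintonemail.com.inbound10.mxlogicmx.net"],
    ("worldnic.com", "NS"): ["ns1.netsol.com"],
    ("worldnic.com", "MX"): ["mx.myregisteredsite.com"],
    ("netsol.com", "NS"): ["ns1.netsol.com"],      # self-hosted: not a third party
    ("mxlogic.net", "NS"): ["pdns2.ultradns.net"],
    ("mxlogicmx.net", "NS"): ["pdns3.ultradns.org"],
    ("ultradns.net", "NS"): ["pdns196.ultradns.biz"],
}


def sample_resolver(name, rtype):
    """Offline stand-in for a DNS query; returns [] for unknown names."""
    return SAMPLE_RECORDS.get((name.lower(), rtype), [])


def registrable_domain(hostname):
    """Collapse a hostname to the organisation that controls it.

    Simplification: keeps the last two labels, which is wrong for suffixes like
    co.uk; production code should consult the Public Suffix List.
    """
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def map_supply_chain(domain, resolve, max_depth=3):
    """Breadth-first walk over NS (DNS) and MX (Mail) dependencies.

    Returns (dependent, role, provider) edges. Each provider organisation is
    expanded once, so shared providers and loops cannot recurse forever.
    """
    root = registrable_domain(domain)
    edges, visited, frontier = [], {root}, [(root, 0)]
    while frontier:
        current, depth = frontier.pop(0)
        if depth >= max_depth:
            continue
        for rtype, role in (("NS", "DNS"), ("MX", "Mail")):
            for target in resolve(current, rtype):
                provider = registrable_domain(target)
                if provider == current:
                    continue  # hosted by the organisation itself
                edges.append((current, role, provider))
                if provider not in visited:
                    visited.add(provider)
                    frontier.append((provider, depth + 1))
    return edges


def third_parties(edges):
    """Every organisation anywhere in the chain whose compromise would matter."""
    return sorted({provider for _, _, provider in edges})


def render(domain, edges):
    """Indented listing in the post's 'Relies on X for Y' style."""
    children = {}
    for dependent, role, provider in edges:
        children.setdefault(dependent, []).append((role, provider))
    root = registrable_domain(domain)
    lines = [root]

    def walk(node, indent, path):
        for role, provider in children.get(node, []):
            lines.append("\t" * indent + f"Relies on {provider} for {role}")
            if provider not in path:  # guard against cycles in the edge set
                walk(provider, indent + 1, path | {provider})

    walk(root, 1, {root})
    return "\n".join(lines)


if __name__ == "__main__":
    chain = map_supply_chain("clintonemail.com", sample_resolver)
    print(render("clintonemail.com", chain))
    print("Third parties:", ", ".join(third_parties(chain)))
```

Registrar and admin-contact hops (the “Domain Admin Control” lines in the tree) come from WHOIS rather than DNS and are not modelled here.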

And now you’re probably asking yourself, “Why, oh why did I pick the red pill?”

dnstest – Monitor Your DNS for Hijacking

In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don’t know what to do about it. More importantly, many companies don’t even notice they’ve been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only accept comments through a website, they may never know unless they randomly check, or the attacker releases the site and the flood of complaints comes rolling in after the fact.

So I wrote a little tool called “dnstest.pl” (yes, a Perl script) that can be run out of cron and can monitor one or more hostname-to-IP-address pairs for sites that are critical to you. If anything changes it’ll send you an alert via email. There are other tools that do this or similar things, but it’s another tool in your arsenal; most importantly, dnstest is meant to be very lightweight and simple to use. You can download dnstest here.

Of course this is only the first step. Reacting quickly to the alert simply reduces the outage and the chance of customer complaints or similar damage. If you like it but want it to do something else, go ahead and fork it. Enjoy!
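A minimal version of the same check in Python, as an added example (not the dnstest.pl script from this post): it resolves each watched hostname, compares the answer with the addresses you expect, and returns alert lines you can hand to cron and your mailer. The watchlist addresses are constructed sample values, and the `resolve` argument exists so the logic can be exercised offline with a stub.

```python
"""Hostname-to-IP watchdog in the spirit of dnstest (added example, Python)."""
import socket
from typing import Callable, Dict, List, Set

# Constructed sample watchlist (RFC 5737 documentation addresses, not real hosts).
WATCHLIST: Dict[str, Set[str]] = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},
    "mail.example.com": {"198.51.100.25"},
}

Resolver = Callable[[str], Set[str]]


def system_resolve(hostname: str) -> Set[str]:
    """Resolve via the OS resolver; an empty set means NXDOMAIN, SERVFAIL or timeout."""
    try:
        _, _, addrs = socket.gethostbyname_ex(hostname)
    except socket.gaierror:
        return set()
    return set(addrs)


def make_stub_resolver(answers: Dict[str, Set[str]]) -> Resolver:
    """Offline resolver for testing: returns canned answers instead of querying DNS."""
    return lambda hostname: set(answers.get(hostname, set()))


def check_records(watchlist: Dict[str, Set[str]],
                  resolve: Resolver = system_resolve) -> List[str]:
    """Return one alert line per discrepancy; an empty list means all is well.

    Three conditions are reported separately because they mean different things
    to a responder: an address you never published (hijack or rogue registrar
    change), an expected address that vanished (partial change, or one resolver
    answering differently), and no answer at all (zone or NS records removed).
    """
    alerts: List[str] = []
    for host, expected in sorted(watchlist.items()):
        observed = resolve(host)
        if not observed:
            alerts.append(f"{host}: NO ANSWER (expected {sorted(expected)})")
            continue
        unexpected = observed - expected
        missing = expected - observed
        if unexpected:
            alerts.append(f"{host}: UNEXPECTED {sorted(unexpected)} "
                          f"(expected {sorted(expected)})")
        if missing:
            alerts.append(f"{host}: MISSING {sorted(missing)} "
                          f"(observed {sorted(observed)})")
    return alerts


def format_alert_email(alerts: List[str], sender: str, recipient: str) -> str:
    """Build a plain RFC 5322 message suitable for smtplib.SMTP.sendmail()."""
    return (f"From: {sender}\r\nTo: {recipient}\r\n"
            f"Subject: [dnstest] {len(alerts)} DNS change(s) detected\r\n\r\n"
            + "\n".join(alerts) + "\n")


if __name__ == "__main__":
    # Run from cron; only produce output (and mail) when something changed.
    found = check_records(WATCHLIST)
    if found:
        print(format_alert_email(found, "dnstest@example.com", "ops@example.com"))
```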

Web Security for the Tech-Impaired: Passwords that Pass the Test

In my last post, “The Dangers of Email”, I explored ways that folks who are less than technically savvy can practice good email security hygiene. Today we’ll get into a somewhat controversial subject: passwords. You use them every day to log in to your bank account, credit card, Amazon — the list goes on and on. You probably log in to a few websites every day, but how often do you think about that password you’ve chosen? Password security is a hot button topic and everyone has their own suggestion about what constitutes a good strong password. This post will help guide you to a relatively secure password.

Your password is your key to your online accounts. It’s the ID you create to prove that you are who you say you are in a digital world. As humans we tend to make passwords that are easy to remember. If you forget your password you are often prompted with a difficult series of steps to recover it, from answering security questions to calling a support line. To skip all that headache we often create passwords that are pretty easy to guess and we use those passwords for all our accounts. This makes it very easy for an attacker to gain access to all your accounts. If one site where I use that password is compromised and my password is leaked, the attackers now know my password for every single account I’ve created. No matter how quickly I change those passwords, I will most likely miss or forget one. This is why it’s a good idea to use a variety of passwords. Very secure folks will create a different password for every account they create. I would recommend that at the very least you create separate passwords for your sensitive accounts (your bank account, credit card, 401k, and so on).

Now the question is, what is considered a good password? It might surprise you to know that modern computers can ‘guess’ passwords quite quickly, often going through millions of potential passwords a day. Passwords that are just words are incredibly weak passwords that can be guessed quite quickly. Short passwords are out too. Most experts agree that passwords should be at least 12 characters long. To make it harder to break, your password should contain a mixture of upper case and lower case characters, numbers, and special characters (such as !,@,#,$,?). It’s also a good idea to vary where these characters are placed. A friend of mine recently played ‘mind reader’ to some colleagues of mine. He had them think of one of their passwords. He then guessed that the first part of the password was a word of about 8 characters, that the word was followed by two numbers, and that the last character of the password was a special character. They were dumbfounded. Yes, the human brain works the same for all of us. As we’re asked to do more and more things to our passwords we simply tack them on at the end. This is a pattern that hackers know about and will exploit.

So to sum up, here are some tips to help you practice good password habits:
1) Use a different password for all your important accounts. To win a gold star, use a different password on all accounts.
2) Your password should be no less than 12 characters.
3) Use a mix of lower case, upper case, numbers and special characters.
4) Don’t use the very common sequence of word-number-special character. Mix up where these are placed in your password.

Again, I urge our readers to feel free to forward this post on to friends or family that may benefit from these tips. Many in the security industry often forget that most consumers are less technically savvy, and therefore less security aware, than we are. This series is designed to help you, help them.

#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week where they are announcing that no form of SSL is good enough anymore. TLS or bust apparently to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.


Next, we always like talking about interesting bug bounty disclosures & payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug whereby he proved he could delete any photo album on Facebook he had access to. By access I mean any public photo album, or one of his friends’ albums that he had permission to see. It was a pretty simple DELETE request, sent without any authorization checks at all, that would just process the deletion of the entire photo directory.


Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site wide. This seems to be part of a war against spam and scams on its site, but it has some real user repercussions that they will most likely get pushback on. We always love the moves by big websites to make decisions that will hurt users in the short term but make them more secure in the long term.


We couldn’t get away with not laughing about the facepalm of the week, brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s and early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him: addresses, telephone numbers, etc. of people writing to their Governor. Robert also found tons of politically sensitive material that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic among a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation that never told people to put any sort of access control or encrypted communications in place. Robert’s lesson of the day here: use at least *some* security when installing things.

Lastly we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China, right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor countrywide. This would be an interesting move for an entire country, to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable, but it would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Some guy figured out how to delete “every” photo on Facebook
Pinterest Bans Affiliate Links, Redirects and Trackers Across Entire Site
40,000 MongoDB Instances Found Open and Vulnerable
Ten Million Passwords
Jeb Bush Email Dump
PCI considers SSL Dead
Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:
Lawmakers Call for Investigation on Verizon SuperCookies
NSA may be Trolling You

#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story about GCHQ, which is the British version of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape the Twitter feeds of hacker types in order to get some information about who was breached and other valuable tidbits. Jer and Robert were a bit sad they were left off the list and aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and the user information it was storing was stolen. We don’t know much about this breach, but of course the attribution game is being played and China is being blamed. We really just don’t know much, but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime-related hack.

Next, in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new, but the size here seems to be staggering. Robert is talking about $4 billion annually in fraudulently filing taxes on behalf of people and getting their refund. We are talking $3k on average per refund, just multiplied by tons of people. The motivation to fix this is a bit weird for TurboTax because they actually get paid to process the refund, fraudulent or not. Since this is making so much news they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money it has been causing them to lose. Since Sony is public they need to file their earnings for the quarter, which is now bringing some of the costs of the breach to light. It looks like $15 million is the magic number it cost them for just investigation and response. Before I read the specifics of what this covered I thought the number was WAY low, but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for Gnu Privacy Guard, a tool that the Internet relies upon heavily for secure communications. Koch was one of the early proponents of free software, but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause, including Facebook and Stripe pledging $50,000/year each. Score one for the good guys!

Lastly we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps waiting to get prompted for a rating and then giving them a high rating. This helps get the app to the top rated list which will in turn get more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around this will keep happening. Jeremiah made the comparison of CAPTCHA cracking farms but for App ratings which I thought was a good one.

We ended with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year, as this is a completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds
Anthem and Turbotax Hack
Sony Hack Has Cost Its Business $15M So Far
Data Breach at Health Insurer Anthem Could Impact Millions
Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash
iPhone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:
NSA Using Disclosed Hacker Data
Uber Lost and Found DB left open
Fancybox WordPress Vuln
Meanwhile TrueCrypt is Replaced by VeraCrypt

#HackerKast 18 Bonus Round: Password Cracking

Hey Everybody! Thanks for checking out this week’s bonus footage. We like to do these to not just focus on current events but to also get our hands dirty with some technical demos. This week, we decided to talk about password cracking.

You hear news stories all the time about passwords being stolen, and you may have heard of password hashes being cracked. What this means is that somebody got a hashed copy of a lot of passwords out of a database and is running programs against it to recover the plaintext passwords.

For those of you familiar with password cracking this will be super boring, but we decided to actually show what this looks like for those who haven’t seen it. I decided to use John the Ripper for this demo but could have used a ton of others like oclHashcat. Kali Linux has a few of these installed by default for those who want to play.

Since we are web app guys here at WhiteHat, I decided to pick on some password hashes that make sense in our world: WordPress. Most password cracking demos you’ll see are running against local machine password files, so instead of that I made a few of my own WordPress password hashes. The giveaway showing that these are WordPress hashed passwords is that they use the PHPass algorithm, which results in a hash that always starts with $P$B.

The passwords I chose were pretty easy ones, just to prove to you guys how easy cracking easy passwords is. Anything in the top couple thousand most-used passwords will be cracked in seconds with the help of a word list, as you’ll see in the video.

The other major point I wanted to make is that seemingly “good” passwords that follow all the rules of a website’s password strength requirements can actually be pretty weak. The example I used was “Jeremiah29:11”, a password that passes most requirements. It’s over 8-10 characters, it has upper and lower case letters, numbers, and special characters. Seems great, right? Well, since it is a popular bible verse, this took less than 30 min. to crack on my laptop and would take seconds on a computer built for password cracking.

Check out the end of the video for some of our tips on secure password selection. Let us know what you think!
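To make the $P$B prefix concrete, here is the PHPass “portable” hash that WordPress uses, reimplemented in Python as an added example (this is not code from the post, from phpass or from John the Ripper). It shows what a cracker has to compute for every guess (one MD5 over salt+password, then 2^13 more MD5 rounds) and how a wordlist audit against a stored hash works; the salt in the test is a constructed value.

```python
"""PHPass portable ($P$) hashes as used by WordPress: generate, verify, audit."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# phpass's own 64-character alphabet; index 13 is 'B', hence "$P$B" for 2**13 rounds.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(raw: bytes) -> str:
    """phpass's base64 variant: little-endian 3-byte groups, no padding."""
    out, i, n = [], 0, len(raw)
    while i < n:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_crypt(password: str, setting: str) -> Optional[str]:
    """Compute the 34-char hash for `password` under the $P$<cost><salt> in `setting`.

    Mirrors phpass crypt_private(): the cost character selects 2**cost rounds
    (cost must be 7..30), the next 8 characters are the salt.
    """
    if not setting.startswith("$P$") or len(setting) < 12:
        return None
    count_log2 = ITOA64.find(setting[3])
    if count_log2 < 7 or count_log2 > 30:
        return None
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(1 << count_log2):          # the part that makes each guess cost
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + encode64(digest)


def generate_hash(password: str, count_log2: int = 13,
                  salt_bytes: Optional[bytes] = None) -> str:
    """Hash a new password; WordPress's default cost 13 yields the "$P$B" prefix."""
    salt_bytes = os.urandom(6) if salt_bytes is None else salt_bytes
    setting = "$P$" + ITOA64[count_log2] + encode64(salt_bytes)   # 6 bytes -> 8 chars
    return phpass_crypt(password, setting)


def check_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a recomputed hash against the stored one."""
    computed = phpass_crypt(password, stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def audit_against_wordlist(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first wordlist entry that matches `stored`, or None.

    This is exactly the loop a cracker runs; at cost 13 every guess costs 8193
    MD5 calls, which is why a short wordlist falls in seconds but a random
    12+ character password does not.
    """
    for guess in wordlist:
        if check_password(guess, stored):
            return guess
    return None
```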

Web Security For the Tech-Impaired: The Dangers of Email

Editor’s Note: The following post is the first in a series of blasts that we will be sharing for readers who are – or who know people that are – not technically savvy. We will touch on topics that we in the security community are very aware of and attempt to break them down into language that those who are not as internet skilled may understand. If you have suggestions for topics you wish for us to cover in this series, please share in the comments.

You’ve all been there. You open your email and your mom has sent you something. You see the two letters you dread: FW. Oh look, it’s an email with a link to a YouTube video about a cat who just can’t seem to figure out that the sliding glass door is a solid object. You contemplate sending back an email saying ‘Come on Mom, you should know to never ever click on links in emails,’ but you don’t want to ruin her fun — and more than likely she won’t understand WHY clicking on links in emails is a bad thing. You could try to explain it to her, but you’re afraid her brain will explode if you start talking about things like “Cross Site Scripting”. Well folks, I’m going to try and help you out. In this new blog series, I am aiming to provide tips and advice that you can share with your less-than-tech-savvy friends and family – whether it’s your mom, grandpa, cousin Vinny or whomever. These are posts that I intend for you to FW: (uh oh, there are those letters again) the links to your mom (or whomever) so that they can get a non-technical explanation of the dangers of the ‘internets.’ Now begins the non-technical explanation, here we go!

Hello there! You’re no doubt reading this as a result of your son/daughter/grandson/granddaughter having sent you here for guidance. Fear not, I will help guide you through the dangers of the internet and help you be more secure with your personal information. No doubt you’ve heard of recent credit card breaches in stores you visit every day. You’ve also probably heard about ‘phishing’ emails that ask for your personal information in an email or ask you to click some link. You may have seen emails that say ‘Your credit card has been stolen, please email your Social Security number, mother’s maiden name and birthdate to this email address.’ The good news is that you can prevent yourself from being a victim of these scams.

The first thing you’ll need to know is that you should be very, VERY paranoid about anything you get in an email. If someone knocks on your front door, you’re always skeptical about what they want; the same principle should be applied to email. Anyone and everyone can email you and not all emails should be trusted, particularly from contacts that you do not know or that ask you for personal information. Most businesses make it a point to not request such information over email, so if you get such a request, it is quite likely a scam. Secondly it is very easy to fake the sender of an email. Just because it says ‘admin@bankofamerica.com’ doesn’t mean it is. Never trust that your email is coming from the business that it purports to be coming from.

Furthermore, links and attachments in emails can be bad news. Just as it’s very easy to make it look like an email is coming from someone else, it’s just as easy to make a link in an email look different. I can easily make it look like it’s going to ‘www.youtube.com/someFunnyCatVideo’ but really when you click on the link it will take you to ‘www.ImSoEvil.com/LookAtHowEvilIAm.’ Fake sites are set up under the guise of seemingly legitimate URLs in an effort to get you to click on them which could lead to theft of personal information or worse. Attachments in emails from unknown sources are also bad news. You could be unknowingly downloading malware — software that can interfere with the proper functioning of your computer, damage your privacy or even install the dreaded virus.

All this sounds pretty frightening already. You may think you now need to go make a tin foil hat and build a bunker in your backyard. But with this knowledge you are well-armed to combat identity thieves. Here are a few simple things you can do to help protect yourself:

* Never give your personal information to anyone. No legitimate business will ask you to email them your Social Security number, credit card number, passwords, dates of birth, etc. If they’re asking for that information it is 99.9% likely that it’s a scam. Sometimes an attacker will send an email that makes it sound like there’s an emergency — if you don’t do what they’re asking for right away something horrible will happen! Instead of doing what the email says, if it looks like it might be from a legitimate business – like a bank that you do actually have an account with – contact that business directly. Don’t use any links from that email. Let them know what email you received and that you want to confirm whether or not it was a legitimate email.

* Never click on a link in an email — it’s just asking for trouble. If you really want to watch that cat video, copy the link address into your browser window so you can be sure you’re sending your browser where you actually want it to go.

* If you receive an email that has an attachment and you were not specifically expecting that person to send you that attachment, contact them directly and confirm that they sent it and it’s a legitimate attachment. More than once a friend of mine has found out that their email account was hacked because I contacted them about a suspicious attachment.

This is only the beginning of your training, and you should come back to this blog often to hear more helpful (and hopefully easy to understand) advice on how to better protect yourself on the internet. Go forth and click on!

5 Days to Setting Up an Application Security Program

Congratulations! You now have the responsibility of ensuring your web applications are secure. This is the reality that modern day CISOs and security professionals address every day. You may have even lobbied for and championed this initiative because you are acutely aware of the risk that vulnerable web applications present to the business. Or as is often the case in reaction to a breach or an attack (aka a “security event”), web applications have now appeared on the radar of your senior management team. So, where to begin? Where’s the playbook?

To assist you in this endeavor, we have created an “Application Security Program Quick Start Guide.” WhiteHat has years of combined web application and security management experience which came in very handy for this undertaking. This guide is essentially a playbook that is both easy-to-consume yet prescriptive-enough that the reader is able to walk away with concrete action items to set in motion.

Web application testing is not a fledgling security activity by any measure. That said, resources to help navigate the process of building a web application security program are scarce and often too high-level. In practice, there is no shortage of tools or services to perform web application testing, but testing alone is not a substitute for a comprehensive web application security program. To be successful, we should aim for a program that is more than simply testing sites and delivering results to stakeholders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

Today we are releasing this “Application Security Program Quick Start Guide” in the hopes that it will help CISOs in their ongoing work to ensure the security of their organization’s web applications and mission-critical information. In addition, we have donated the guide under a Creative Commons license to the OWASP community for everyone to use.

You can download the guide here: https://whitehatsec.com/whitepaper/2015/01/12/whitepaper_appsec_quickstartguide.html

The OWASP project page can be found here: https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project

We hope this initial draft serves to spur the collective insights of those willing to participate.