Category Archives: Uncategorized

#HackerKast 28: Unicode Chrome Crash, Brain Waves, Top 10 Web Hacks, PWN2OWN, Wind Turbine CSRF, TLS certificates

Hey Everybody! Thanks for checking out this week’s HackerKast! We’ve got some fun stories this week that were a good time to chat about.

First we mentioned a story that is a bit concerning but also amusing. A short string of Unicode characters would crash Chrome completely when it was rendered. The crash came down to locally installed language and font libraries that didn’t play nicely together. Robert, being the hacker he is, couldn’t resist putting this string of characters in a Facebook status and a tweet. He got a lot of hate mail. (Oh, and if Chrome crashes while reading this post, you should really install updates: ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ.)

Now, we all love it when security topics get themselves out of the echo chamber, but this next story is fairly unique in the industry it popped up in. Some scientists decided to put people in an MRI scanner while they browsed the web. We all know users just click things to get them out of the way, but it turns out there is a biological reason for this: certain parts of the brain showed markedly less activity on the MRI when the users were viewing security warnings, like the ones for invalid SSL certificates. Now we can all collectively say that security is making people brain dead.

Finally my life is a bit back to normal as the Top 10 Web Hacks talk is complete and published. For those of you who missed the webinar you can check it out here: Recording. I went through the run down of what this talk is and touched on a few of the interesting pieces of research that made the list in the video. I’ll also be giving the talk again in person at RSA for all of you there! Check it out.

Next, we talked a bit about the PWN2OWN contest at CanSecWest this year. All major browsers fell by the second day. For those unfamiliar, PWN2OWN is basically a 0-day contest: show up and completely own a box by navigating an up-to-date browser/OS to a website you control. One researcher scored a total of $225K in a single day for his exploits. That is some serious 0-day cash! Jeremiah also mentioned, as he does every now and then, his idea for a PWN2OWN category that rewards bugs found in antivirus software. Owned by the software you installed to protect yourself.

Another fun one I touched on next was a vulnerability found in an actual wind turbine. This turbine, for whatever reason, has a web admin portal. The portal was vulnerable to CSRF: a single HTTP GET request was enough to force a credential change for the admin account, so an administrator who was logged in and merely viewed an attacker-controlled page (an image tag pointing at the portal would do) would hand the account over without clicking anything. Once the credentials are changed, the attacker can completely control the turbine and even stop it from generating power.
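The GET-based credential change described above, as an added example that is not the turbine vendor's code and not part of the original post: a minimal request handler showing the vulnerable pattern next to a hardened one. The path /admin/setpw, the in-memory session store, the hostnames turbine.example and evil.example, and the dict-shaped request are all constructed for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory state for a hypothetical turbine admin portal.
# Names, paths and hostnames are illustration-only assumptions.
ADMIN = {"username": "admin", "password": "turbine123"}
SESSIONS = {"sess-abc": {"user": "admin", "csrf": secrets.token_hex(16)}}
PORTAL_ORIGIN = "https://turbine.example"


def vulnerable_change_password(request):
    """The pattern in the story: a GET with the new password in the query
    string is enough. Because the browser attaches the session cookie to
    every request, any page the logged-in admin views can trigger it with
    something like <img src="https://turbine.example/admin/setpw?newpw=...">.
    """
    if request["method"] != "GET" or request["path"] != "/admin/setpw":
        return 404, "not found"
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "login required"
    params = parse_qs(request["query"])
    ADMIN["password"] = params["newpw"][0]  # nothing proves the admin meant this
    return 200, "password changed"


def hardened_change_password(request):
    """Same operation with the checks a browser-facing admin UI needs:
    state changes only on POST, the per-session anti-CSRF token must be
    echoed back in the body, and an Origin header, when the browser sends
    one, must name the portal itself.
    """
    if request["path"] != "/admin/setpw":
        return 404, "not found"
    if request["method"] != "POST":
        return 405, "state change must use POST"
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return 401, "login required"
    origin = request["headers"].get("Origin")
    if origin is not None and origin != PORTAL_ORIGIN:
        return 403, "cross-origin request refused"
    form = parse_qs(request["body"])
    token = form.get("csrf", [""])[0]
    # Constant-time compare so the token check itself is not a timing oracle.
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403, "missing or wrong CSRF token"
    ADMIN["password"] = form["newpw"][0]
    return 200, "password changed"


def forged_get():
    """Request the victim's browser makes while rendering an attacker's
    <img> tag: the attacker picks the URL, the browser adds the cookie,
    and the attacker never needs to see the response."""
    return {"method": "GET", "path": "/admin/setpw", "query": "newpw=pwned",
            "cookies": {"session": "sess-abc"}, "headers": {}, "body": ""}


def forged_post():
    """Auto-submitting cross-site form: the cookie still rides along and the
    browser labels the request Origin: https://evil.example, but the attacker
    cannot read the victim's per-session token to include it."""
    return {"method": "POST", "path": "/admin/setpw", "query": "",
            "cookies": {"session": "sess-abc"},
            "headers": {"Origin": "https://evil.example"},
            "body": "newpw=pwned"}


def legitimate_post():
    """What the portal's own password form submits."""
    return {"method": "POST", "path": "/admin/setpw", "query": "",
            "cookies": {"session": "sess-abc"},
            "headers": {"Origin": PORTAL_ORIGIN},
            "body": "newpw=rotated&csrf=" + SESSIONS["sess-abc"]["csrf"]}


if __name__ == "__main__":
    print("vulnerable, forged GET :", vulnerable_change_password(forged_get()))
    ADMIN["password"] = "turbine123"
    print("hardened, forged GET   :", hardened_change_password(forged_get()))
    print("hardened, forged POST  :", hardened_change_password(forged_post()))
    print("hardened, real POST    :", hardened_change_password(legitimate_post()))
```

The token and Origin checks are independent layers: the token defeats the forged POST even on browsers that omit Origin, and the Origin check catches a token that leaked through some other bug. In a real portal the session cookie should also carry SameSite=Lax or Strict, and a password change should require the current password, which a CSRF attacker does not have.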

The last story we touched on was a complicated one about SSL/TLS certificates: Google warned this week that unauthorized TLS certificates for its domains had been issued under a CA that almost every operating system trusts. Robert goes into the technical details, so those interested should listen up. The Cliff’s Notes version is that if you are in Egypt, you should watch what you say online, especially while using Google via Internet Explorer. Firefox and Chrome pin Google’s certificates, which helps here, so users of those browsers should be somewhat better off.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Crashing Chrome Tabs with Unicode
MRIs Shows Brains Shutting Down With Security Prompts
Top 10 Web Hacking Techniques of 2014
All Major Browsers Fall At PWN2OWN Day 2
Wind turbine blown away by control system vulnerability
Google warns of unauthorized TLS certificates trusted by almost all OSes

Notable stories this week that didn’t make the cut:
North Korea Web Outage Was Response To Sony Hack, Congressman Says
China Admits To Having a Hacking Group
Cisco to Ship Boxes to Empty Houses To Evade the NSA
Kaspersky Being Accused Of Ties To Russian Military
No password or PIN, but I have a fake ID. Sure, take the domain
FREAK uses Similar Modulo Attacks
Brute Forcing iOS Screenlock
Need a security expert? Hire a coder

The Imitation Game – A Review

Warning: Spoiler alert!

I went to go watch “The Imitation Game” this weekend, on a bit of a whim. I know Alan Turing’s story rather well – having spent a lot of time in computer security will do that to you. Overall I thought the movie was really good – the acting, writing, and overall historicity were all very good.

Pros:

  • The movie spent a lot of time on his personal life and what led up to his suicide. I’d argue this was as much a movie about the father of computing as it was about the historical (and unfortunately current) marginalization and criminalization of homosexuality.
  • I was impressed by how the movie explained keyspace reduction in plain English with simple examples. The math might be prohibitively difficult for the average person, but they managed to make it accessible.
  • They mention the Turing test, though thankfully there were no CAPTCHAs in sight.
  • The movie spent quite a long time explaining why you cannot base decisions on a single signal: the adversary will switch tactics and you’ll lose that one signal. I try to make this point all the time, and yet I still see people doing things like blocking countries at the firewall by IP address. If you are in security and you take nothing else away from this movie, let it be this: do not use a single signal to identify and stop fraud or hacking. You’re hurting the ecosystem by doing so. Yes, you.
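An added example of the single-signal point above (mine, not from the review or any product): a login-risk decision that blocks one country at the firewall next to one that weighs several independent signals. The country code "XX", the weights, the thresholds and the four login attempts are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed policy: one country blocked at the "firewall" versus a decision
# over several independent signals. "XX" and the weights are assumptions.
BLOCKED_COUNTRIES = {"XX"}


@dataclass
class LoginAttempt:
    user: str
    country: str                    # from IP geolocation
    hosting_asn: bool               # source IP belongs to a VPS/cloud provider
    known_device: bool              # device cookie/fingerprint seen for this user before
    failed_logins_last_hour: int    # failures from this source IP
    distinct_users_last_hour: int   # different usernames tried from this IP


def single_signal_decision(a: LoginAttempt) -> str:
    """The 'block the country at the firewall' approach the review warns about."""
    return "block" if a.country in BLOCKED_COUNTRIES else "allow"


def risk_score(a: LoginAttempt):
    """Additive score over independent signals. Each signal records why it
    fired so an analyst can see which combination drove the decision."""
    score, reasons = 0, []
    if a.country in BLOCKED_COUNTRIES:
        score += 2
        reasons.append("geo")
    if a.hosting_asn:
        score += 2
        reasons.append("hosting-asn")
    if not a.known_device:
        score += 1
        reasons.append("new-device")
    if a.failed_logins_last_hour >= 10:
        score += 3
        reasons.append("failure-velocity")
    if a.distinct_users_last_hour >= 20:
        score += 3
        reasons.append("credential-stuffing")
    return score, reasons


def multi_signal_decision(a: LoginAttempt, challenge_at=3, block_at=5) -> str:
    score, _ = risk_score(a)
    if score >= block_at:
        return "block"
    if score >= challenge_at:
        return "challenge"  # step-up authentication rather than a hard block
    return "allow"


# Constructed attempts. The second is the same bot as the first after it has
# moved to a VPS in an allowed country; the third is a real user travelling.
ATTACKER_DIRECT = LoginAttempt("alice", "XX", True, False, 30, 50)
ATTACKER_VIA_PROXY = LoginAttempt("alice", "US", True, False, 30, 50)
TRAVELLER = LoginAttempt("bob", "XX", False, True, 0, 1)
NEW_LAPTOP = LoginAttempt("carol", "US", False, False, 1, 1)


def compare_all():
    """Decision from each policy for every constructed attempt."""
    return {a.user + "/" + a.country: (single_signal_decision(a), multi_signal_decision(a))
            for a in (ATTACKER_DIRECT, ATTACKER_VIA_PROXY, TRAVELLER, NEW_LAPTOP)}


if __name__ == "__main__":
    for who, (single, multi) in compare_all().items():
        print(f"{who:10s} single-signal={single:5s} multi-signal={multi}")
```

The attacker who changes one thing, the source country, walks straight past the single-signal rule while the multi-signal score still blocks on velocity and hosting ASN; meanwhile the single-signal rule blocks the legitimate traveller, which is the collateral damage the review is talking about.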

There were a couple cons though… Some cons that actually made me cringe.

Cons:

  • At one point in the movie Alan Turing makes the bear-in-the-woods joke. Just about the time my eyes started rolling, the audience burst into laughter. At that point I realized I was extremely jaded and should probably learn to live a little, hug a tree, run like a child, or generally do something other than wince at old security jokes. But the reason I hate this joke is that it presumes you can leave the woods once the bear has eaten your friend. Unless you plan to close up shop and leave the Internet, this analogy has always been a very dangerous one. Bears get stronger and will get hungry again, and if your whole plan is having outrun a friend who is already dead, you’re using the wrong analogy. I prefer the prairie dog analogy if you’re looking for silly analogies.
  • A big motivator throughout the movie was the buzzer that went off at the end of each day, meaning the Nazis had changed their encryption keys. So yesterday’s keys were “useless” and any work that wasn’t finished by midnight had to be scrapped. It’s an interesting plot device, but it really doesn’t work that way. Decryption doesn’t stop at the end of the day just because the key changes: if the adversary has captured the ciphertext and there is nothing ephemeral about the key, that traffic can still be decrypted whenever the key is recovered. Now, if you want to make the point that the data loses value the longer it takes to decrypt, yes, I’m on board with that. But the movie didn’t explain that at all.
  • They don’t really talk about Turing’s other accomplishments, like the halting problem, which more or less describes the problem with blacklists and all kinds of other technologies. As a student of breaking crappy blacklists, this is the one of his results most useful to my daily life. I really wanted to hear them mention it at least once, like they did with the Turing test. Alas!

I’d also point out that there were some other controversies about the historical accuracy as well that didn’t jump out at me as I watched it. Anyway, it was a really wonderful movie, despite the cons. I’d highly recommend it to people who want to know a bit more about our roots, and get a bit more familiarity with some of the core concepts that have brought us to where we are today. I love that we’re seeing more movies about real heroes and not the typical hollywood-manufactured superhero.

DHS and Cyberterrorism

The DHS was recently polled on which groups and attacks they are personally most concerned about. The respondents span a pretty wide range of intelligence officers at various levels of the military-industrial complex, so the results underscore how the military is thinking and what it is currently most focused on. The tidbits I found interesting are on pages 7 and 8:

https://www.start.umd.edu/pubs/START_UnderstandingLawEnforcementIntelligenceProcesses_July2014.pdf

The DHS seems to be most concerned about Sovereign Citizens and Islamic Extremists/Jihadists (in that order). The rationale isn’t well explained, but I would presume that physical proximity and the radical nature of Sovereign Citizen groups trumps the extremist nature of Jihadists. I’m speculating, but that would seem to make sense. It could also be a reaction to FUD, but it’s hard to say.

More interestingly, the threat they find most viable is Cyberterrorism. That makes a lot of sense, because Cyberterrorism is cheap, can be done instantaneously, can be done remotely, and can be done with minimal skills and at minimal risk. It’s really hard to tell what’s Cyberterrorism versus what is just a normal for-profit attack, and attribution is largely an un-solvable problem if the attacker knows what they’re doing. Also, even if you can identify the correct adversary, extradition/rendition are tough problems.

There’s not a lot of substance here, because it’s all polls, but it’s interesting to see that our industry is at the top of the US intelligence community’s mind.