Category Archives: Vulnerabilities

#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week where they are announcing that no form of SSL is good enough anymore. TLS or bust apparently to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.


Next, we always like talking about interesting bug bounty disclosures & payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug whereby he proved he could delete any photo album on Facebook he had access to. By access I mean any public photo album or one belonging to a friend that he had permission to see. It was a pretty simple DELETE request, sent without any authorization checks at all, that would just process the deletion of the entire photo directory.


Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site-wide. This seems to be part of a war against spam and scams on its site but has some real user repercussions that they will most likely get kickback from. We always love the moves by big websites to make decisions that will hurt users in the short term but make them more secure in the long term.


We couldn’t get away with not laughing about the facepalm of the week, brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s and early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him: addresses, telephone numbers, etc. of people writing to their Governor. Robert also found tons of politically sensitive stuff that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic among a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation, which didn’t lead people to put any sort of access control or encrypted communications in place. Robert’s lesson of the day here is to use at least *some* security when installing things.

Lastly we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China, right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor countrywide. This would be an interesting move for an entire country, to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable, but they would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Some guy figured out how to delete “every” photo on Facebook
Pinterest Bans Affiliate Links, Redirects and Trackers Across Entire Site
40,000 MongoDB Instances Found Open and Vulnerable
Ten Million Passwords
Jeb Bush Email Dump
PCI Considers SSL Dead
Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:
Lawmakers Call for Investigation on Verizon SuperCookies
NSA may be Trolling You

#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story about GCHQ, which is a British version of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape the Twitter feeds of hacker types in order to get some information about who was breached and other valuable tidbits. Jer and Robert were a bit sad they were left off the list and aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and the user information they were storing was stolen. We don’t know much about this breach but of course the attribution game is being played and China is being blamed. We really just don’t know much but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime-related hack.

Next, in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new but the size here seems to be staggering. Robert is talking about $4 billion annually in fraudulently filing taxes on behalf of people and getting their refund. We are talking $3k on average per refund, just multiplied by tons of people. The motivation to fix this is a bit weird for TurboTax because they actually get paid to process the refund, fraudulent or not. Since this is making so much news they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money it has been causing them to lose. Since Sony is public they need to file their earnings for the quarter, which is now bringing some of the costs of the breach to light. It looks like $15 million is the magic number it cost them for just investigation and response. Before I read the specifics of what this covered I thought the number was WAY low, but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for GNU Privacy Guard, a tool that the Internet relies upon heavily for secure communications. Koch was one of the early proponents of free software, but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause, including Facebook and Stripe pledging $50,000/year each. Score one for the good guys!

Lastly we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps waiting to get prompted for a rating and then giving them a high rating. This helps get the app to the top rated list which will in turn get more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around this will keep happening. Jeremiah made the comparison of CAPTCHA cracking farms but for App ratings which I thought was a good one.

Ended with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds
Anthem and TurboTax Hack
Sony Hack Has Cost Its Business $15M So Far
Data Breach at Health Insurer Anthem Could Impact Millions
Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash
iPhone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:
NSA Using Disclosed Hacker Data
Uber Lost and Found DB left open
Fancybox WordPress Vuln
Meanwhile TrueCrypt is Replaced by VeraCrypt

#HackerKast 20: Internet Explorer Universal XSS and Same Origin Policy Bypass, Browser DDoS via DNS Spoofing, HackerOne Bug Bounty Vulnerability

Hey everybody! Slow news week this week so we sent Jeremiah to Germany… in the winter. Poor Hawaiian!

Anyway, we started this week off talking about a really cool bug in Internet Explorer. This vuln is a Universal Cross-Site Scripting (XSS) bug that also bypasses the Same Origin Policy and works even in the latest IE version 11. That is a mouthful and it’s all bad. What this means is that by abusing iframes, an attacker could execute XSS in any site they want via your browser. Websites could be doing everything completely right, but if they aren’t using the X-Frame-Options header properly then an attacker can effectively do anything they want on those sites. Bad day to be an IE user or an IE developer for sure.

Next I passed it over to Robert to talk about a few of his favorite things, Denial of Service, browser security, DNS, and even China! If Robert was playing a game of Bingo of the things he likes to talk about, this next story would definitely be on the game board. This week a company noticed a massive spike in traffic coming from China and all going to weird URLs. With the information we have, it looks like somebody was poisoning DNS and making requests originally destined for other websites all pointing at a single website. Interesting DDoS vector! The solution applied was to block the IP addresses which, as Robert shares, is a really bad idea. He also discusses the fact that we probably have a bunch of research to do around browser-based DoS in the future.

The last story we ended up talking about was a fun bug disclosure from HackerOne today, which also has a really cool PoC as the cherry on the cake to check out. For those unfamiliar, HackerOne organizes a bunch of bug bounty efforts for lots of different websites, including their own. This particular bug has to do with the abuse of an ineffective escaping method for the “\” character. The timeline is over on the HackerOne website and you can see how the researcher figures out how to make this bug progressively more severe. He started with just editing some HTML, including spoofing a profile picture or style sheet, but he ends up figuring out he can use a tag to immediately redirect a user to a potentially evil site. At that point he can utilize phishing, drive-by malware downloads, all sorts of JavaScript attacks, etc., and possibly even take advantage of the Universal XSS/SOP bypass in IE 11 to bring it full circle. Kudos to HackerOne for fixing this in about a day and also for publicly disclosing the information and the fact they paid out $5,000 for the bug.

Ended today’s session with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
IE UXSS Bypass 1
IE UXSS Bypass 2
IE UXSS Bypass 3
Browser DDoS via DNS Spoofing Coming from China
Fun bug disclosure from HackerOne today

Notable stories this week that didn’t make the cut:
Possible New Origins of the Word “Hack”
Web-RTC leaks VPN origin IPs
UK National Health Service – Tons of Vulns
Really cool PoC

#HackerKast 19: Pressable Slowloris Attack, GoDaddy CSRF, Decloak Tor Hidden Services via SSH, LizardSquad Hacks Malaysian Airlines, GHOST Vulnerability

Welcome to this week’s HackerKast everybody! This week Jeremiah and I were lucky enough to be shooting this episode beachside while at AppSecCali down in Santa Monica. Poor Robert was stuck at home but I was happy to pull a Jeremiah and have palm trees behind me just like he does while he is in Hawaii.

This week we started with a story near and dear to Robert’s heart about a Slowloris Denial of Service attack on Pressable. Near and dear since Robert is the father of this type of DoS attack. Pressable is a big WordPress provider – I know, I know, we just can’t leave WordPress alone can we, Internet? Slowloris is pretty easy to defend against if you are trying to, but a lot of default web servers, such as Apache, don’t enable such protections. This DoS attack lasted 4 or 5 days and caused Pressable to lose tons of customers. Robert talked about popular defenses in the video if you are interested in that. We also briefly mentioned a new tool called CapTipper, a malicious HTTP traffic explorer, which could be used to help dig into information if you are undergoing one of these attacks.

Next, I talked about a GoDaddy CSRF vulnerability that was disclosed, which was pretty nasty, not to mention scary to think about how long it might have been around. For those unfamiliar, CSRF is when an attacker can force a user’s browser to make requests on their behalf. This is particularly bad news for GoDaddy since an attacker would have been able to force an authenticated user to change their nameservers, auto-renew settings, and edit the DNS zone file. This combination would be deadly in forcing a website to point towards malicious servers, or even turning off auto-renew to snipe domain names away from GoDaddy users. This was disclosed and fixed in 3 days, which is VERY impressive considering the average time to fix for most companies is much longer than that.

We seem to be talking about Lizard Squad (Mafia? Crew?) lately and this time they went after Malaysian Airlines. They attacked the airline’s DNS servers and forced the page to redirect to a page that said “404 Plane Not Found.” We see these DNS server attacks more and more lately as it is seeming to be a bit of an easy target instead of going after the websites themselves.

Another topic this week near to Robert’s heart was a new way to identify Tor hidden services via SSH Fingerprints. What some researchers have done is scan the internet for open SSH services, grab the fingerprint off that and then compare the fingerprint to a Tor Hidden service and decloak the real IP address of the site. This technique could be used for other purposes such as websites behind Akamai or CloudFlare who don’t want their real IP public.

The last story we covered this week is a new vulnerability called GHOST. It seems like it could be serious, and we haven’t had a lot of time to research it, but we had to mention it. It has a name and is branded so it must be super serious, right? We’ll most likely do a follow-up post about this, but if you are interested in this vulnerability, it seems to be a glibc buffer overflow in DNS resolvers. More soon!

References:
Pressable Slowloris DoS Outage
Taking over Godaddy Account using CSRF
Malaysian Airlines DNS Redirected (404 Plane Not Found)
Using SSH fingerprints to identify Tor hidden Services
GHOST Vulnerability – glibc buffer overflow in DNS resolver

Notable stories this week that didn’t make the cut:
Flash 0day in the wild
CapTipper – Malicious HTTP traffic explorer tool
Nearly every US Arms Program Found Vulnerable to Cyber Attacks
China Cracks Down on VPN Services After Censorship System ‘Upgrade’
FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN
Oracle/Java vulnerabilities
Referrer Changes in W3C
Healthcare.gov or 3rd Party Vendors May Run Afoul of New CFAA Rules

#HackerKast 17: UK Bans WhatsApp and iMessage, Instagram Privacy Issues, Cross Site Content Hijacking (XSCH), Amazon S3 Bitcoin Hack

Howdy Partners! Hope you all are in full swing in the new year and taking names. I know for a fact that a ton of you are busy since every hotel in Santa Clara, Calif., was sold out this month just as Robert and I were trying to visit the mothership.

Anywho… we started this week’s HackerKast chatting about how our blog post of the North Korean Web Browser got so much traffic that it DoS’d us. The ol’ Reddit hug of death got us and our poor IT department was thrilled with us.

The first news story we covered was the brilliant discussion going on across the pond in the UK about banning a ton of encrypted messaging services, including WhatsApp and iMessage. We all feel this is a silly reactionary measure to try to thwart terrorist communications but will have repercussions that will be wide-reaching. Knowing our audience, I’m probably preaching to the choir, but there are plenty of legitimate reasons for strong encryption protected messaging services. I think another side of my feelings were best summed up by a tweet:

Next, we brought up some Instagram news about a privacy problem they had over there. Turns out that if you ever had your Instagram profile set to public, no matter what your current privacy settings, your photos are accessible via direct URL. This is a thinly veiled illusion of privacy and further proves that if you don’t want a photo seen, you shouldn’t put it on the Internet at all.

Robert followed this up by briefly mentioning some new attack research that was published recently, dubbed Cross Site Content Hijacking. We need another acronym like we need a hole in the head, but this research could prove to be very interesting. The thing that perked up our ears about this type of vuln was that it might be possible to read arbitrary HTTP headers across domains. This includes referrer URLs, which are widely used as a CSRF protection in many web applications, including the Django framework. We haven’t dug deeply into this one but wanted to bring it up as a potentially interesting bit of research for you folks to chew on.

Some news about an Amazon S3 hack bubbled to the top this week, which we’ve heard about before but is still super fun to talk about and – more importantly – to learn to protect yourself from. We all know our private keys are an important thing to keep private, but with the ever-growing popularity of programmatically spinning up and down virtual instances in Amazon it is becoming easy to forget those private keys in your code. If you are using these keys in development and you accidentally leave them in your code when you push it up to a GitHub repo, those keys are now public. GitHub and Amazon do a good job of trawling the Internet keeping an eye out for this happening, but it still happens, even to the best of us. A popular (mis)use case of this kind of hack is using your private key to spin up instances that start mining bitcoins for the attacker. This usually doesn’t get caught until the victim gets the big bill in the mail for the CPU time.
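As an added example (not code from the podcast or from WhiteHat), here is a small pre-commit style scanner in Python that catches the leak described above before the push happens: it flags the documented AWS access key ID shape and any high-entropy 40-character string sitting next to a secret-looking name. The sample text it scans is constructed and uses the placeholder key values AWS publishes in its own documentation; the regexes, the entropy threshold and the finding format are this example’s own assumptions, not an official detection rule.

```python
"""Pre-commit style scan for AWS credentials left in source (added example)."""
import math
import re
import subprocess
import sys

# Access key IDs have a documented shape: "AKIA" followed by 16 upper-case
# letters or digits. Secret keys are 40 base64-style characters with no fixed
# prefix, so they are only matched when a secret-ish name precedes them and
# the candidate looks random (entropy check below). Both regexes are this
# example's own assumptions, not an official AWS detection rule.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)aws.{0,20}?(?:secret|private).{0,20}?['\"]?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)
MIN_SECRET_ENTROPY = 4.0  # bits/char; real secrets score ~4.5-5, "xxxx..." scores 0

# Constructed sample of a settings file someone might commit by mistake.
# The key values are the placeholders from AWS's own documentation.
SAMPLE_TEXT = """\
# settings.py (constructed sample; key values are the placeholders from AWS documentation)
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # obvious dummy, low entropy
region = "us-east-1"
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy of the string in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(text: str, path: str = "<text>") -> list:
    """Return findings ({file, line, kind, value}) for one file's text, in line order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"file": path, "line": lineno,
                             "kind": "aws_access_key_id", "value": m.group(1)})
        for m in SECRET_KEY_RE.finditer(line):
            candidate = m.group(1)
            # A placeholder like 40 x's matches the shape but not the randomness.
            if shannon_entropy(candidate) >= MIN_SECRET_ENTROPY:
                findings.append({"file": path, "line": lineno,
                                 "kind": "aws_secret_access_key",
                                 "value": candidate[:4] + "..."})  # never echo the full secret
    return findings


def staged_files() -> list:
    """Paths staged in git (added/copied/modified), for use as a pre-commit hook."""
    out = subprocess.run(
        ["git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z"],
        capture_output=True, text=True, check=True,
    ).stdout
    return [p for p in out.split("\0") if p]


def main() -> int:
    """Scan staged files; exit 1 (block the commit) when a credential is found."""
    findings = []
    for path in staged_files():
        try:
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
        except OSError:
            continue  # binary or unreadable paths are skipped
    for f in findings:
        print(f"{f['file']}:{f['line']}: possible {f['kind']}: {f['value']}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Run against the constructed sample to see the two expected hits, or
    # install as .git/hooks/pre-commit to scan staged files instead.
    for f in scan_text(SAMPLE_TEXT, "settings.py"):
        print(f"{f['file']}:{f['line']}: possible {f['kind']}: {f['value']}")
    sys.exit(main() if staged_files else 0)
```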

“Kid hacks into school’s website to shame them for making them go to school when the roads were covered in snow” has to be our favorite headline of the week. We’d love to include the screenshots from this website defacement but they are pretty NSFW. The kids hacking school stories are always a lot of fun because I think it resonates with a lot of us who have memories of being bored in school and playing with computers just wondering if you could switch your grades. Not that any of us did such a thing.

Notable stories this week that didn’t make the cut:
Iran orders 3 communication apps blocked (LINE, WhatsApp and Tango)
AT&T is going to start supporting webrtc
Silk Road Reloaded moving to I2P instead of Tor
Obama proposal: Hacked companies have 30 days to fess up

References:
WhatsApp and iMessage could be banned under new surveillance plans
Iran orders 3 communication apps blocked
Your private Instagrams weren’t as private as you thought they were
Content hijacking proof-of-concept using Flash, PDF and Silverlight
Dev put AWS keys on Github. Then BAD THINGS happened
Angry Student Hacks County’s Website to Apologize for Snow Day

#HackerKast 16: India blocks GitHub, GoGo fake SSL certificates, North Korea’s only network

Happy 2015 everybody! Jeremiah, Robert, and I got right back on track our first week back in the office and there were plenty of stories to talk about. Turns out hackers don’t really take vacation.

Right off the bat Robert brought up a story about the Indian government pulling a China and blocking access to a ton of sites this week. Some notable sites include Pastebin, Dailymotion, and Github, according to reports coming from Indian users. The reasons cited all have to do with anti-terrorism and blocking potential terrorists’ access to sites that can be used as virtual dead drops. This seems like a complete overreaction to us and has some serious overarching repercussions, most obviously the fact that a giant chunk of the world’s developers can no longer access the largest chunk of open source code, GitHub. We’ll see where this goes but if you’re an investor in VPN services you probably have a big smile on your face right about now.

Next, I brought up some disturbing tweets that caught my eye this week about GoGo Inflight WiFi services. If any of you are frequent flyers like us you’ve undoubtedly been forced to use GoGo at some point, but a few more technically savvy users noticed GoGo is up to no good recently. While browsing the Internet in the air, some noticed that GoGo was issuing fake SSL certificates while they browsed certain websites such as Google and YouTube. Ironically, the user who started attracting attention to this was an engineer who worked for Google. This effectively allows GoGo to man-in-the-middle all the SSL traffic of their users and read sensitive data that should be encrypted. Spokespeople from GoGo have stated this is only used to block or throttle video streaming services so that there is enough bandwidth to go around, but it is still pretty shady that they have access to sensitive information.

Next, Robert found a fun image floating around of a (the?) North Korean web browser called Naenara Browser:

[Image: Naenara Browser screenshot, RSnake, 2015-Jan-06]

This was just something really quick we wanted to bring up because the screenshot shows that as soon as you install this browser it makes a call to an RFC 1918 address (10.76.1.11) from your computer. What left my jaw open was the implication: this means that all of North Korea is on the same network. As in an intranet. Things that make you go “Wah?”.

Ever think you found something cool and couldn’t wait to share it with your friends? Well don’t share it with RSnake because he probably knows about it already. As was the case with this “recent” HSTS (HTTP Strict Transport Security) research coming out of the UK. A few weeks ago you might remember us mocking Google’s former CEO Eric Schmidt over his claim that Google’s Incognito mode would protect you from the NSA. Well after we all facepalmed collectively on the podcast, this researcher in the UK decided to set out and prove Schmidt wrong. Robert gets into the technical details of deanonymizing somebody with the nitty gritty of how HSTS works, which is super interesting and deserves a read through some of these blog posts.

Lastly, we talked about Moonpig. Not to be confused with Pigs In Space.


This Moonpig is an online mail order greeting card service. While most mail order greeting card services are at the forefront of information security, Moonpig fell victim to a vulnerability in their API which allowed full account takeover of any user. Their API was poorly designed and had no authentication at all, which allowed just a quick flip of a customerID parameter to start impersonating other users, making fake orders, stealing credit card information, etc. The kicker of this vulnerability was that it was responsibly disclosed to Moonpig back in August of 2013, and Moonpig responded that they’d “get right on it”. 17 months later, this researcher and user of Moonpig was frustrated with waiting for a fix and decided to write them again in September 2014. The reply this time was that a fix was coming before Christmas. Well, New Year’s has just passed and the researcher decided to publish his findings publicly and guess what? Less than 24 hours and an Engadget article later, the API was pulled offline. Another unfortunate win for Full Disclosure.

We closed off with some musings about time to fix statistics and overall browser security suggestions for everyday people. Unfortunately we are going to have to break the web to fix the web. There is a Dan Kaminsky quote about this never happening somewhere…

That’s all for this week. Stay tuned for next week when hopefully we’ll have some bonus footage for you all. Also! Check us out in iTunes now for those of you who like that sort of thing and would rather just listen to the podcast instead of staring at our mugs for 15-20 minutes.

Happy New Year!

Notable stories this week that didn’t make the cut:
Banks doing Hack-back being investigated by FBI
Playstation network may have just been a ploy to market a DDoS tool
But then one of the alleged Lizard Mafia guys got arrested, and another is being questioned
Katie from HackerOne was detained and forced to decrypt her laptop in France – don’t travel with exploits or anything you care about!
$5M US in Bitcoin stolen from Bitstamp in unexplained hack

Resources:
Pastebin, Dailymotion, Github blocked after DoT order: Report
Gogo issues fake HTTPS certificate to users visiting YouTube
North Korean Browser
Brit Proves Google’s Eric Schmidt Totally Wrong: Super Cookies Can Track Users Even When In Incognito Mode
Moonpig flaw leaves customer accounts wide open for 17 months (update)

#HackerKast 15: New Year. Same Hacks.

WhiteHat Security Top Security Stories of the Week: December 29, 2014 to January 2, 2015 from WhiteHat Security on Vimeo.

We were able to squeeze a recording in between Christmas and New Year’s Eve and I’m glad we did because we had a lot to chat about. Although we were still in a food coma from Christmas, I think we were able to shake it off and record a good episode for you guys.

First, we hit on a funny story of Instagram getting wise to millions of fake profiles and giving them all the axe at the same time. These sockpuppet accounts were all over; I personally noticed a severe uptick recently and was in contact with Facebook/Instagram security team to chat about it. Some of the hilarity being noted in the post-spamageddon world is that fairly popular-seeming accounts dropped to near zero followers as their numbers were very bloated by robots.

Next, somebody came up with a clever way to bypass the age-old two-factor authentication implementation of a trusty fingerprint. Wait… did I say “trusty”? Scratch that. This research shows that with a high resolution photo of somebody’s finger, you can recreate their fingerprint well enough to bypass a Touch ID scanner. They proved this by copying the fingerprint of Germany’s Minister of Defense, Ursula von der Leyen, off of a simple photo. Robert points out that your fingerprints are left nearly everywhere you go and are a pretty weak second factor authentication mechanism due to the many ways to get around it.

Now we get to two of Robert’s favorite topics that just so happen to both be in the same story this week: Google AND China. Turns out, China blocked another site this week, as they tend to do, but this time the site was a little known email provider called Gmail. This is pretty huge news in itself but as Robert points out, this could have a major ripple effect of nobody in China being able to receive email from a gmail address. So not only might this force people in China to a different email provider, it might force people around the world who need to communicate with people/businesses in China to use something else as well.

We couldn’t get out of a HackerKast without talking about Lizard Mafia (Patrol? Squad?). A sentence I never thought I’d say. Anyway, this slowly becoming infamous hacker crew of lizards – who have been tormenting Brian Krebs and took down Xbox Live/PSN over Christmas – have now set their crosshairs upon Tor. They made a clever attempt to DoS Tor with what is known as a Sybil attack, which spokespeople from Tor have noted would probably cause them some problems if launched by an adversary who had sufficient time/means. This attempt wasn’t successful, but it is interesting to read how they were going about trying.

I touched quickly on a fun business logic flaw (near and dear to my heart and to Jer’s) that had to do with getting cheaper hotel rooms. By the nature of being a logic flaw, this isn’t really a technical “hack” so-to-speak but it is clever nonetheless. The “attack” outlined a method of getting a huge discount on your hotel room by booking alongside some local conferences. These conferences that have huge draws (RSA anyone?) usually strike deals with local hotels to get a “conference rate.” Well it turns out that this rate is sometimes given out with little-to-no verification as to whether you are actually a conference attendee. In some cases this knocked the price down more than $200 per night from the current research.

Guess what everybody? WordPress caused a site to get hacked! Contain your shock/awe/riots please. In this case, ISC.org was hacked – allegedly the fault of a WordPress install – and was serving up malware. ISC is popular for its creation of things like BIND DNS, DHCP, etc., and as Robert points out the scary thing about this hack might not be the website itself but the highly technical system admin type users who might be compromised. Imagine your IT person – who also has the keys to the corporate kingdom – is the one who gets malware on their machine for a minute. Doesn’t sound good right? ISC swears this breach was just on their website and no sensitive code was compromised but we aren’t really sure of any details.

Lastly, Jeremiah showed us a pretty picture. No really! A popular infographic made its way around the tubes this week showing the immense size of records lost in data breaches in the last decade or so. This one was super cool, letting you check out how something like the Target breach last year compared to the TJ Maxx or Heartland breaches of a few years ago. The moral of this story is that information about you is probably stored somewhere that will be compromised, so be diligent about what you put where and prepare for what happens when it gets stolen. Also, a lesson for companies: don’t store what you don’t have to! I know we live in a data-centric world but unless you absolutely must, you probably should “just say no” [insert Smokey the Bear motivational image] to storing sensitive data.

That’s all for us folks. Sorry for the long one today but there was a lot going on while we were all opening gifts, sipping eggnog, and toasting the new year! Hope your 2015 is off to a great start!

Resources:
Hackers say they can copy your fingerprint from just a photograph
Gmail has been blocked in China
Hackers who shut down PSN and Xbox Live now attacking Tor
How we hacked the hotel industry to save $200+ per night
Someone went from 3.6 million Instagram followers to 8 today. Eight.
ISC.org website hacked: Scan your PC for malware if you stopped by
The world’s biggest data breaches, in one incredible infographic

#HackerKast 14 Bonus Round: Canadian Beacon – JavaScript Beacon and Performance APIs

In this week’s bonus footage of HackerKast, I showed Matt my new JavaScript port scanning magic that I dubbed “Canadian Beacon” because it uses the new Beacon API. It was either that or Kevin Beacon – I had to make a tough choice with my puns. It utilizes both the Performance API and the Beacon API.

It shows how you can use iframes and the Performance API to do basically the same thing we used to do with onload event handlers on iframes of yesteryear: time how long a request to a given host and port takes to succeed or fail, and infer from that whether something is listening there.

Not a huge deal, because we can already do this in a bunch of different ways, but it shows how easy JavaScript port scanning is; and even if someone bothers to shut one variant down, this and other variants will take its place. This is one of the major reasons Aviator has chosen to break access to RFC1918 addresses from pages loaded off the Internet.

Only a few browsers are affected: Chrome, and apparently Firefox, though I only got it working in Chrome. If you want to see a demo you can check out Canadian Beacon here.
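
Here, as an added example rather than the Canadian Beacon code itself, is the inference half of that trick in JavaScript. The scan fires one request per host:port (through navigator.sendBeacon where it exists, otherwise a hidden iframe), waits, then reads the Resource Timing entries for those URLs and sorts them by duration. The thresholds, the 192.168.1.1 target and the sample timings are constructed for illustration; the assumption behind the classification is that a closed port resets the connection quickly, a listener that never speaks HTTP hangs until the browser gives up, and a real HTTP answer lands in between.

```javascript
// Added example, not the Canadian Beacon code: the inference step of a
// timing-based JavaScript port scan. Assumptions (see lead-in):
//  - a probe to a closed port gets a TCP reset, so its Resource Timing
//    entry has a short `duration`;
//  - a probe to an open port that never speaks HTTP hangs until the
//    browser gives up, so its entry has a long `duration`;
//  - a probe that gets an HTTP answer lands in between.
// Which failed probes get a Resource Timing entry at all is browser-
// dependent, so a target with no entry is reported as 'unknown'.

const THRESHOLDS = { resetMs: 150, hangMs: 3000 }; // assumed LAN-ish boundaries

// Probe URLs for one host and several ports (the host is a constructed example).
function buildTargets(host, ports) {
  return ports.map((port) => `http://${host}:${port}/`);
}

// Classify Resource Timing-like entries ({ name, duration }) for the targets.
// Returns an object mapping each URL to 'reset' | 'answered' | 'hung' | 'unknown'.
function classifyTimings(targets, entries, thresholds = THRESHOLDS) {
  const longest = new Map(); // longest observed duration per URL
  for (const entry of entries) {
    const prev = longest.get(entry.name);
    if (prev === undefined || entry.duration > prev) longest.set(entry.name, entry.duration);
  }
  const verdict = {};
  for (const url of targets) {
    const d = longest.get(url);
    if (d === undefined) verdict[url] = 'unknown';
    else if (d < thresholds.resetMs) verdict[url] = 'reset';
    else if (d >= thresholds.hangMs) verdict[url] = 'hung';
    else verdict[url] = 'answered';
  }
  return verdict;
}

// Browser-only driver: fire each probe with the Beacon API (falling back to a
// hidden iframe when sendBeacon is unavailable), wait, then read the timings.
async function probeFromBrowser(targets, settleMs = 5000) {
  if (typeof document === 'undefined' || typeof performance === 'undefined') {
    throw new Error('probeFromBrowser needs a browser; use classifyTimings on captured entries instead');
  }
  for (const url of targets) {
    if (typeof navigator !== 'undefined' && typeof navigator.sendBeacon === 'function') {
      navigator.sendBeacon(url, ''); // the request fires; the response is never exposed to the page
    } else {
      const frame = document.createElement('iframe');
      frame.style.display = 'none';
      frame.src = url;
      document.body.appendChild(frame);
    }
  }
  await new Promise((resolve) => setTimeout(resolve, settleMs));
  const entries = targets.flatMap((url) => performance.getEntriesByName(url));
  return classifyTimings(targets, entries);
}

// Constructed sample of what the Resource Timing buffer might hold after a
// scan of an RFC1918 host; the durations are made up to show the three cases.
const SAMPLE_TARGETS = buildTargets('192.168.1.1', [80, 8080, 3306, 9100]);
const SAMPLE_ENTRIES = [
  { name: 'http://192.168.1.1:80/',   duration: 412 },   // web UI answered
  { name: 'http://192.168.1.1:8080/', duration: 3 },     // nothing listening: fast reset
  { name: 'http://192.168.1.1:3306/', duration: 30000 }, // non-HTTP listener: hung until timeout
  // no entry at all for 9100: the browser recorded nothing for that probe
];
```

Two caveats a practitioner will hit immediately: Chrome refuses outright to connect to a list of “unsafe” ports (22, 23, 25 and friends), so those look like a fast reset whatever is really there; and whether a failed load gets a Resource Timing entry at all varies by browser and version, which is why anything without an entry is reported as unknown rather than guessed.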

#HackerKast 14: Google’s XSS Problem, Delta Airlines, Sands Casino, Eric Schmidt and more Google Facepalms

I come bearing a special Holiday HackerKast for you all today! The crew here at WhiteHat were talking about just picking these up after the New Year, but there was just too much going on to skip out. Let’s jump right in with our first story, about a cool persistent XSS problem our friends over at Google had this week. This bug was discovered by some SEO folk, which is pretty interesting, but the problem lay within a Google feature called “rich snippets.” On the search engine results page, there is a small snippet of content from every website under the links. It turns out that if you craft your website just the right way and include a bit of JavaScript, that JavaScript will fire if your site shows up in those search results. Any place where content pulled from third-party sites lands in your own page is tricky XSS territory.
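
As an added example (not Google’s code; the crawl record below is constructed), here is that “landing space” in miniature: a results-page snippet built from a crawled site’s title, description and URL. The unsafe renderer interpolates the crawled strings straight into HTML, so a hostile site gets script into the search results page. The safe one encodes for the HTML text and attribute contexts and refuses any link target that is not http(s).

```javascript
// Added example, not Google's code: rendering a search-result "snippet" from
// crawled, attacker-controlled page content. The record shape is constructed.

// Constructed crawl result, as a hostile site might serve it.
const CRAWLED = {
  url: 'javascript:alert(document.domain)',
  title: 'Best deals <img src=x onerror="alert(document.domain)">',
  description: 'Totally "legit" & cheap',
};

// Vulnerable: crawled strings go straight into markup.
function renderSnippetUnsafe(s) {
  return `<a href="${s.url}">${s.title}</a><p>${s.description}</p>`;
}

// Encode the five characters that matter in HTML text and double-quoted attributes.
function escapeHtml(str) {
  return String(str).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Only http(s) URLs may become clickable; anything else (javascript:, data:,
// unparseable junk) falls back to a harmless '#'.
function safeHref(raw) {
  try {
    const u = new URL(String(raw));
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : '#';
  } catch {
    return '#';
  }
}

// Fixed: every crawled value is encoded for the context it lands in.
function renderSnippetSafe(s) {
  return `<a href="${escapeHtml(safeHref(s.url))}">${escapeHtml(s.title)}</a>` +
         `<p>${escapeHtml(s.description)}</p>`;
}
```

The URL check matters as much as the escaping: an escaped javascript: URL is still a javascript: URL once the browser decodes the attribute, so the scheme has to be allow-listed rather than encoded.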

Next, we talked about a story that hit close to home for me as a loyal Delta Airlines flyer. The attack disclosed this week took advantage of the lack of protections on electronic boarding passes. The super duper hack here was to break out your favorite hacking tool (a web browser), change the identifier in your own boarding pass URL, and pull up other people’s boarding passes. That in itself wasn’t terrifying to me, because if I tried to board the plane after somebody pretending to be me had boarded, I feel like that would turn out poorly for them fast. The trickier part was that apparently, according to Robert, you could even change seat assignments and kick people out of first class. This is the same class of bug (enumerating predictable identifiers with no authorization check) that landed Weev in jail, even though granted Weev took it a bit further. I could’ve used this bug to get me out of the middle seat on my last long flight.

Another bad breach this week, for the Sands Casinos. They disclosed a recent breach without sharing much detail. The attackers in this case spent days on end trying to brute force the casino’s VPN service until Sands got fed up and blocked them. That caused the attackers to shift focus: they found a public-facing staging (QA) website which didn’t have the same security controls production would, and they were able to compromise the network that way. The details are sparse, but apparently they did a lot of damage once they pivoted around the internal network.

We then had a little discussion about a noble Google proposal from their Chromium team to mark anything over HTTP as “insecure.” In their opinion, everything on the web should be encrypted over HTTPS or some other TLS-protected channel. The proposal puts forth the idea of flagging any connection in Chrome that isn’t using TLS as “insecure” and warning the user about it. The point we brought up is that there is very little the user can do at that point to remedy the fact that a website isn’t using TLS. Robert also brought up the opinion that there are tons of sites we don’t care about being encrypted. He also suggested that Google’s motivation for doing this probably has to do with the recent AT&T/Verizon news of those ISPs intercepting, monitoring, and modifying traffic. My opinion of all this was at least optimistic about the mindset change it might stir up in everyday users as they at least learn the difference between HTTP and HTTPS.

We followed this somewhat uplifting Google news with a straight Google facepalm. Eric Schmidt, executive chairman and former CEO of Google, was quoted stating that if users just used Incognito mode in Chrome that they’d be safe from the NSA. Not only was he quoted saying that he thought this was true, he actually, and I quote, “strongly recommended” Incognito mode to avoid tracking from the government. We all joined in a collective facepalm after this one.

Lastly, after a nice long Holiday episode this week, we covered a fun bug recently disclosed in some popular router firmware used by many manufacturers. Some researchers discovered that just by sending a maliciously malformed cookie as part of an HTTP request to any router running this firmware, they could get immediate remote code execution with admin privileges on the device itself. Important side note: these aren’t the off-the-shelf home routers you buy at the store; they are the residential gateway routers ISPs hand out to subscribers. The funny (sad?) part about this bug is that the vulnerable code was written in 2002. Should I repeat that? The vulnerable code was written in 2002. Even crazier is that it was fixed by the firmware developer in 2005. Even so, the router manufacturers are putting out brand new 2014 devices with the 2002 version of the code. The researchers who found this bug scanned the Internet and found ~12 million vulnerable devices, in some cases affecting up to half the Internet users in a given country. Even though this is the longest paragraph, I’m leaving out some details, so check out the video.

Keep your eyes out for some bonus footage Robert and I filmed after this episode with some cool iframe hacking.

That’s all we have this week. Happy Holidays from all of us here at WhiteHat Security, I hope you all have a wonderful rest of your year and at least a few mental days off from work. Be safe and see you in 2015!

Resources:
How I Hacked Google (For Good)
Need a last minute flight?
Now at the Sands Casino: An Iranian Hacker in Every Server
Marking HTTP As Non-Secure
12 Million Home Routers Vulnerable to Takeover
Top Google exec mistakenly suggests Chrome’s incognito mode can foil the NSA

The Parabola of Reported WebAppSec Vulnerabilities

The nice folks over at Risk Based Security’s VulnDB gave me access to take a look at their extensive collection of vulnerabilities that they have collected over the years. As you can probably imagine, I was primarily interested in their remotely exploitable web application issues.

Looking at the data, the immediate thing I notice is the nice upward trend as the web began to really take off, and then the real birth of web application vulnerabilities in the mid-2000s. However, one thing that struck me as very odd was that we’re seeing a downward trend in reported web application vulnerabilities since 2008.

  • 2014 – 1607 [as of August 27th]
  • 2013 – 2106
  • 2012 – 2965
  • 2011 – 2427
  • 2010 – 2554
  • 2009 – 3101
  • 2008 – 4615
  • 2007 – 3212
  • 2006 – 4167
  • 2005 – 2095
  • 2004 – 1152
  • 2003 – 631
  • 2002 – 563
  • 2001 – 242
  • 2000 – 208
  • 1999 – 91
  • 1998 – 25
  • 1997 – 21
  • 1996 – 7
  • 1995 – 11
  • 1994 – 8
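
One check worth making before reading too much into the tail of that list: the 2014 figure only covers the year through August 27th, so it cannot be compared directly with the full-year counts above it. The JavaScript below, an added example rather than anything from VulnDB or the original post, annualizes the partial 2014 count with a straight linear extrapolation (an assumption; disclosures are not uniform through the year) and computes the year-over-year changes so the shape of the curve can be read off the numbers rather than eyeballed.

```javascript
// Added example, not from the post or from VulnDB: a sanity check on the
// "downward since 2008" reading of the counts above. The 2014 count is
// partial (through August 27th), so it is linearly extrapolated to a full
// year before comparison; that extrapolation is an assumption.

// Counts exactly as listed above (remotely exploitable web application
// vulnerabilities per year, as quoted in the post).
const COUNTS = {
  1994: 8, 1995: 11, 1996: 7, 1997: 21, 1998: 25, 1999: 91, 2000: 208,
  2001: 242, 2002: 563, 2003: 631, 2004: 1152, 2005: 2095, 2006: 4167,
  2007: 3212, 2008: 4615, 2009: 3101, 2010: 2554, 2011: 2427, 2012: 2965,
  2013: 2106, 2014: 1607, // 2014 is as of August 27th
};

// 1-based day-of-year for a calendar date (UTC, so DST cannot skew it).
function dayOfYear(year, month, day) {
  const start = Date.UTC(year, 0, 1);
  const when = Date.UTC(year, month - 1, day);
  return Math.floor((when - start) / 86400000) + 1;
}

function daysInYear(year) {
  return (year % 4 === 0 && year % 100 !== 0) || year % 400 === 0 ? 366 : 365;
}

// Linear extrapolation of a partial-year count to a full year.
function annualize(count, year, month, day) {
  return Math.round(count * daysInYear(year) / dayOfYear(year, month, day));
}

// Year-over-year percentage change (one decimal) for each year after the first.
function yearOverYear(counts) {
  const years = Object.keys(counts).map(Number).sort((a, b) => a - b);
  const out = {};
  for (let i = 1; i < years.length; i++) {
    const prev = counts[years[i - 1]];
    out[years[i]] = Math.round((counts[years[i]] - prev) / prev * 1000) / 10;
  }
  return out;
}

// The year holding the peak count.
function peakYear(counts) {
  return Object.keys(counts).map(Number)
    .reduce((best, y) => (counts[y] > counts[best] ? y : best));
}

const ANNUALIZED_2014 = annualize(COUNTS[2014], 2014, 8, 27);
```

Run against the list, the peak really is 2008, and every year from 2009 on sits well below it, but the post-2008 series is not monotonic (2012 is up on 2011), and the annualized 2014 figure comes out above 2013’s full-year count. So the “parabola” is real at the top, while the last data point is mostly an artifact of the partial year and shouldn’t be read as a continued fall.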

Assuming we aren’t seeing a downward trend in total compromises (which I don’t think we are) here are the reasons I think this could be happening:

  1. Code quality is increasing: It could be that we saw a huge increase in code quality over the last few years. This could be coming from compliance initiatives, better reporting of vulnerabilities, better training, source code scanning, manual code review, or any number of other places.
  2. A more homogeneous Internet: It could be that people are using fewer and fewer new pieces of code. As code matures, the people using it are less likely to switch to something new, so incumbent code faces fewer challengers and new frameworks are less likely to be adopted. Software like WordPress, Joomla, or Drupal will likely take over more and more consumer publishing needs moving forward. All of the major Content Management Systems (CMS) have been heavily tested, and most have developed formal security response teams to address vulnerabilities. Even as they get tested more in the future, such platforms are likely a much safer alternative than anything else, therefore obviating the need for new players.
  3. Attacks may be moving towards custom web applications: We may be seeing a change in attacker tactics, where they are focusing on custom web application code (e.g. your local bank, Paypal, Facebook), rather than open source code used by many websites. That means they wouldn’t be reported in data like this, as vulnerability databases do not track site-specific vulnerabilities. The sites that do track such incidents are very incomplete for a variety of reasons.
  4. People are disclosing fewer vulns: This is always a possibility when the ecosystem evolves far enough where reporting vulnerabilities is more annoying to researchers, provides them fewer benefits, and ultimately makes their life more difficult than working with the vendors directly or holding onto their vulnerabilities. The presence of more bug bounties, where researchers get paid for disclosing their newly found vulnerability directly to the vendor, is one example of an influence that may affect such statistics.

Whatever the case, this is an interesting trend and should be watched carefully. It could be a hybrid of a number of these issues as well, and we may never know for sure. But we should be aware of the data, because in it might hide some clues on how to further decrease the numbers. Another tidbit not expressed in the data above: there were 11,094 vulnerabilities disclosed in 2013, of which 6,122 were “web related” (meaning web application or web browser). While only 2,106 may be remotely exploitable (meaning it involves a remote attacker and there is published exploit code), context-dependent attacks (e.g. tricking a user into clicking a malicious link) are still a leading source of compromise, at least amongst targeted attacks. While vulnerability disclosure trends may be going down, organizational compromises appear to be just as common as, or even more common than, they have ever been. Said another way, compromises are flat or even up, and the number of new remotely exploitable web application vulnerabilities being disclosed is down. Very interesting.

Thanks again to the Cyber Risk Analytics VulnDB guys for letting me play with their data.