Category Archives: Vulnerabilities

#HackerKast 36: Moose Router Worm, Adult Friend Finder male users hacked, Firefox and advertising, WHS Stats Report, and IRS Data Breach

It was just Jeremiah and me again today, as Matt is shamelessly galavanting around Europe at various security conferences (I think it’s safe to hate him for it, isn’t it?). But we had a ton of interesting stories this week to cover and didn’t have much time to do it.

The first up was the Moose Router Worm – similar to the Internet Census Project, it used default usernames and passwords to compromise remote routers. We don’t know how many routers were compromised but it was a lot, I’m sure. Jer seems to think that routers shouldn’t even have this feature at all – and I’m inclined to agree.

It was a bad week for Adult Friend Finder, but an even worse week for their users, who had user account data stolen and published on the Internet. The data dump was incomplete and only comprised about 300M worth of data. Also, interestingly enough, it seemed to contain only data from the male users, which implies that it’s probably more about who is most easily blackmailed and less about what the actual adversaries have.

Next up we discussed Firefox and their rather strange move to build an advertising platform into the browser. Their reasoning is complicated, but it seems to revolve around a mix of making money and doing right by their users – except I don’t recall a user ever asking for this. Meanwhile one of Mozilla’s own employees wrote up a great paper on how users with ad blocking and privacy protection can save up to 40% bandwidth and page load time on the top Alexa sites. Shortly after, that same employee promptly left the company under somewhat mysterious circumstances.

Then we covered the stats report. You’ll have to download it to see for yourself, but there are a great number of interesting findings in there. For instance it appears to refute the idea of a best practice. There just doesn’t seem to be any one security factor that will prevent people from being hackable. Maybe they work in some combination, but not in a vacuum. Check it out.

Lastly, we briefly touched on the IRS data breech (if you can call it that) where north of 100k people’s tax data were stolen. This is almost certainly the result of stealing user data through something like Zeus or other public places and combining data to attempt to log in as the user. Jer’s point couldn’t be more clear – Social Security Numbers aren’t a good password, stop using them. If you are, you’re site is hackable.

That’s it for the week, I hope you enjoyed it! We’ll be back next week. Rate, subscribe, and give us feedback on things you’d like us to cover.

Moose Router Worm
Adult Friend Finder Compromised
Firefox Will Soon Get Sponsored Suggested Tiles Based On Your Browsing History
Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015
Website Security Statistics Report 2015
100k+ Tax Records Breached from the IRS

Notable stories this week that didn’t make the cut:
Android Chrome ARC Welder
Chrome Extension Transmits Information Via Sound
Phuctor – RSA Super Collider
Two Diablo III players stole virtual armor and gold — and got prosecuted IRL
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 1
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 2
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 3
FCC Warns Internet Providers That They’re On the Hook For User Privacy
Adblock Browser for Android
Hacking Starbucks for unlimited coffee
Logjam Attack against the TLS Protocol article 1
Logjam Attack against the TLS Protocol article 2
Specially Crafted Message Crashes iPhones article 1
Specially Crafted Message Crashes iPhones article 2
40% of Docker Images Are Vulnerable to High Severity CVEs

Logjam: Web Encryption Vulnerability

A team of researchers has released details of a new attack called “Logjam.” This attack, like FREAK, enables a man-in-the-middle attacker to downgrade the connection between the client and the server to an easier-to-break cipher. Many servers support these weaker ciphers, though there is no practical reason to support them. The solution is to simply not support any ciphers that are easy to break. In fact, the browser makers are doing that right now.

The offending ciphers, Export Diffie-Hellman ciphers, can be found in HTTPS, SSH, VPN, mail, and many other servers. This does not, however, mean that you are vulnerable, or that you need to panic. Exploiting this vulnerability requires man-in-the-middle and a high level of sophistication. The real risk is relatively low on this issue compared to Poodle or Heartbleed. You should simply test your TLS endpoints to ensure that they do not support any weak ciphers. If you took this step back when FREAK came out, you are likely already okay.

The specific ciphers to disable for this attack are DHE_EXPORT ciphers (or “EXP-EDH-” ciphers). But go ahead and disable all weak ciphers, while you’re at it.

All WhiteHat Sentinel dynamic testing services (BE, SE, PE, PL, Elite) now report the use of export ciphers as part of reporting on weak ciphers, and specifically call out the ciphers that are a concern for Logjam.

The research team that released the report has also set up a page to test your servers here:

Remember that when you test a hostname, you are really testing the TLS endpoint for that connection, which may be a load balancer or firewall, and not your application server.

#Hackerkast 35: Airplane hacking, United bug bounty, and SEA hacks Washington Post

Hey Everyone! It was just Jeremiah Grossman and me today, as Matt Johansen is overseas this week attending various security conferences. So we braved on and did a short one with just three major articles.

First we covered Airplane hacking and a bit of drama that has been unfolding in the mainstream press related to hacking an airplane while on one. Jeremiah made the point that it’s not just illegal it’s also dangerous from a personal safety perspective. Rule number 1 of hacking – don’t hack the airplane while you’re still on it.

Then we discussed a bit about the United bug bounty program that was just announced. Although it’s interesting, it still doesn’t cover the major thing the public is worried about. Learning who is flying is bad, but doing something bad to an airplane is much much worse. And it does beg the question, why does the bounty program not cover the airplane if there are no flaws in airplanes?

Lastly we covered the latest SEA hack of Washington Post by way of their CDN provider, InstartLogic. Jer made the point that hacking InstartLogic is just the canary in the coal mine: it’s the other hacks that you don’t see until a year or two down the road that are really troubling. In some ways, the SEA is doing us a huge favor by letting us know about the issues without causing any real harm in the process.

Airplane Hacking?!?!
United Rewards Bug Bounties with United Miles
SEA hacked Washington Post’s CDN InstartLogic

Notable stories this week that didn’t make the cut:
Firefox is going to Depreciate HTTP
Anti-gay demonstrators advertise gay porn site after their domain expires
Adblockers are immoral vs
Priority of Cnstituencies
Why a Law Firm is Baiting Cops With A Tor Server
VENOM Exploit Against QEMU and Xen Floppy Discs
Safari address-spoofing bug could be used in phishing, malware attacks

#HackerKast 34: SOHO Routers hacked, 3d printed ammo, Nazis & child porn, PayPal Remote Code Execution, Dubsmash 2, Twitter CSRF

Hey Everybody! We’re back from our 1 week break due to crazy schedules and even now we are without Jeremiah. Coconuts don’t make great WiFi antennae or something.

Started this episode talking about some Vendors who decided to do some weird, bad stuff this past week. In both stories it seems some security vendors were caught being naughty, starting with Tiversa. They are a security firm that decided it’d be a good idea to extort their own clients by finding a fake vulnerability and asking for money to fix this fake vulnerability. Then Tencent and Qihoo, two different Chinese AV Vendors, were both caught cheating on a certification test about how good their products were.

Moving away from shady vendors and on to shady home wireless routers. Not news to anybody, really: wifi routers you buy off the shelf aren’t quite state of the art when it comes to security. Hence, we see some sort of router hacking story pop up all the time. This time SOHO routers were targeted by the hacking group Anonymous, as per a report from Incapsula. It seems Anonymous saw a good opportunity to exploit these home routers and use them as a botnet, running their DDoS tool for fun and profit. The extremely 1337 H@x0r methodology being used here, which takes many years of cyber security experience and probably a CISSP to exploit, is a default username and password. Try to keep up here, the DEFAULT USERNAME AND PASSWORD out of the box was used to compromise MILLIONS of home routers and turn them into DDoS bots. I’ll just leave that there.

Next, Robert talked about some of the most ridiculous topics we’ve talked about on the podcast. He somehow related 3d printed ammunition to a story about Nazis and child pornography. You see, some court ruled somewhere that the file on the computer that can be used to 3d print bullets is now considered as munitions legally. In related(?) news, there was some Nazi war camp website that got hacked and got child pornography uploaded to it. When child porn is involved, the government immediately must confiscate the computers as evidence which essentially takes the website offline. Robert related the two by saying that you could also upload a 3d printer file which would have the same effect, now that a file can constitute illegal munitions.

In vulnerability disclosure news, PayPal was vulnerable to Remote Code Execution via a 3rd party library they were using. The Java Debug Wire Protocol using Shellifier was leaving port 8000 open on some Paypal servers, which allowed an attacker to gain access remotely — without authenticating — and execute commands. The part we don’t know yet is whether or how much PayPal paid the researcher who disclosed this to them. They’ve been known to pay big bounties in the past.

Robert then covered a fake mobile app called Dubsmash 2 that was uploaded to the Google Play store this week and got wildly popular. Apparently, Dubsmash is a popular app which allows you to lip sync to some songs — but the fraudulent sequel app wouldn’t be nearly as fun. What it did was immediately remove the “Dubsmash” part of the app and replace the icon with a mimic “Settings” icon. The moment a user clicked this icon, the app would generate thousands of pop-unders of porn sites and click on ads. The thought here was they are using this in a pay-per-click fraud scheme to generate earnings for the developer. 500,000 users downloaded the fake app to date.

Lastly, we talked about a CSRF vulnerability disclosed via HackerOne to Twitter about 11 months ago and recently disclosed publicly. This CSRF protection bypass was *very* creative and used a behavior in certain frameworks which treats commas as semicolons. This would allow an attacker to exploit a user by sending them a malicious link which would allow the attacker to use the CSRF token they stole on Really cool research that I’m glad eventually became public.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Tiversa May Have Hacked Its Own Clients To Extort Them
2nd (Tencent and Qihoo) Chinese AV-Vendor Caught Cheating
3-D Printed Gun Lawsuit Starts the War Between Arms Control and Free Speech
Nazi camp website hacked with child porn on anniversary
MySQL Out of Band (2nd Order) Exploitation
Twitter CSRF Bug
PayPal Remote Code Execution (Java Debug Wire Protocol using Shellifier)
Your Smartphone Might Be Watching Porn Behind Your Back
Anonymous accused of running a botnet using thousands of hacked home routers

Notable stories this week that didn’t make the cut:
PHP == Operator Issue
Hack Google Password
Researchers Hijack Teleoperated Surgical Robot
Google PageSpeed Service End of Life
Windows to Kill of Patch Tuesday
PortSwigger Web Security Blog: Burp Suite now reports blind XXE injection
Practical Cache Attacks in JavaScript
25 Members of $15M Carding Gang Arrested
Apple ‘test’ iPad stolen from a Cupertino home: Report
Irate Congressman Gives Cops Easy Rule – Follow The Damned Constitution

Magic Hashes

For more than the last decade, PHP programmers have been wrestling with the equals-equals (==) operator. It’s caused a lot of issues. This has a particular implication for password hashes. Password hashes in PHP are base16 encoded and can come in the form of “0e812389…”. The problem is in == comparison the 0e means that if the following characters are all digits the whole string gets treated as a float. This was pointed out five years ago by Gregor Kopf, two years ago by Tyler Borland and Raz0r and again a year ago by Michal Spacek and Jos Wetzels but this technique is making more waves this past week.

Below is a list of hash types that when hashed are ^0+e\d*$ which equates to zero in PHP when magic typing using the “==” operator is applied. That means that when a password hash starts with “0e…” as an example it will always appear to match the below strings, regardless of what they actually are if all of the subsequent characters are digits from “0-9″. The implication is that these magic numbers when hashed are treated as the number “0” and compared against other hashes, the comparison will evaluate to true. Think of “0e…” as being the scientific notation for “0 to the power of some value” and that is always “0”. PHP interprets the string as an Integer.

if (hash('md5','240610708',false) == '0') {
  print "Matched.\n";
if ('0e462097431906509019562988736854' == '0') {
  print "Matched.\n";

What this practically means is that the following “magic” strings are substantially more likely to evaluate to true when hashed given a completely random hash (E.g. a randomly assigned password, nonce, file hash or credential). Likewise if a straight guess of a hash is required the associated hashes are proven to be typed into the float “0” with the “==” comparison operator in PHP, and if another hash in a database also starts with a “0e…” the comparison will evaluate to true. Therefore, the hashes can also be substantially more likely to evaluate to true when compared with a database of hashes, even if they don’t actually match. Many cookies, as an example are simply hashes, and finding a collision becomes much more likely depending on how many valid credentials are in use at the time of test (See: Birthday paradox).

Use Case 1: Use the “Magic” Number below as a password or as a string that you expect to be hashed. When it is compared against the hash of the actual value, and if they both are treated as “0” and therefore evaluated as true, you will be able to log into the account without the valid password. This could be forced to happen in environments where automatic passwords are chosen for users during a forgot password flow and then attempting to log in immediately afterwards, as an example.

Use Case 2: The attacker can simply take the example in the Hash column in the table below and use it as a value. In some cases these values are simply done as a look-up against known values (in memory, or perhaps dumped from a database and compared). By simply submitting the hash value, the magic hash may collide with other hashes which both are treated as “0” and therefore compare to be true. This could be caused to happen

Hash Type

Hash Length

“Magic” Number / String

Magic Hash

Found By
md2 32 505144726 0e015339760548602306096794382326 WhiteHat Security, Inc.
md4 32 48291204 0e266546927425668450445617970135 WhiteHat Security, Inc.
md5 32 240610708 0e462097431906509019562988736854 Michal Spacek
sha1 40 10932435112 0e07766915004133176347055865026311692244 Independently found by Michael A. Cleverly & Michele Spagnuolo & Rogdham
sha224 56
sha256 64
sha384 96
sha512 128
ripemd128 32 315655854 0e251331818775808475952406672980 WhiteHat Security, Inc.
ripemd160 40 20583002034 00e1839085851394356611454660337505469745 Michael A Cleverly
ripemd256 64
ripemd320 80
whirlpool 128
tiger128,3 32 265022640 0e908730200858058999593322639865 WhiteHat Security, Inc.
tiger160,3 40 13181623570 00e4706040169225543861400227305532507173 Michele Spagnuolo
tiger192,3 48
tiger128,4 32 479763000 00e05651056780370631793326323796 WhiteHat Security, Inc.
tiger160,4 40
tiger192,4 48
snefru 64
snefru256 64
gost 64
adler32 8 FR 00e00099 WhiteHat Security, Inc.
crc32 8 2332 0e684322 WhiteHat Security, Inc.
crc32b 8 6586 0e817678 WhiteHat Security, Inc.
fnv132 8 2186 0e591528 WhiteHat Security, Inc.
fnv164 16 8338000 0e73845709713699 WhiteHat Security, Inc.
joaat 8 8409 0e074025 WhiteHat Security, Inc.
haval128,3 32 809793630 00e38549671092424173928143648452 WhiteHat Security, Inc.
haval160,3 40 18159983163 0e01697014920826425936632356870426876167 Independently found by Michael Cleverly & Michele Spagnuolo
haval192,3 48 48892056947 0e4868841162506296635201967091461310754872302741 Michael A. Cleverly
haval224,3 56
haval256,3 64
haval128,4 32 71437579 0e316321729023182394301371028665 WhiteHat Security, Inc.
haval160,4 40 12368878794 0e34042599806027333661050958199580964722 Michele Spagnuolo
haval192,4 48
haval224,4 56
haval256,4 64
haval128,5 32 115528287 0e495317064156922585933029613272 WhiteHat Security, Inc.
haval160,5 40
haval192,5 48
haval224,5 56
haval256,5 64

To find the above, I iterated over a billion hashed integers of each hash type to attempt to find an evaluation that results in true when compared against “0”. If I couldn’t find a match within the billion attempts I moved on to the next hashing algorithm. This technique was inefficient but it was reasonably effective at finding a “Magic” Number/String associated with most hash algorithms with a length of 32 hex characters or less on a single core. The one exception was “adler32″ which is used in zlib compression as an example and required a slightly different tactic. The moral of the story here is for the most part the more bits of entropy in a hash the better defense you will have. Here is the code used I used (adler32 required a lot of special treatment to find a valid hash that didn’t contain special characters):

function hex_decode($string) {
  for ($i=0; $i < strlen($string); $i)  {
    $decoded .= chr(hexdec(substr($string,$i,2)));
    $i = (float)($i)+2;
  return $decoded;
foreach (hash_algos() as $v) {
  $a = 0;
  print "Trying $v\n";
  while (true) {
    if ($a > 1000000000) {
    if ($v === 'adler32') {
      $b = hex_decode($a);
    } else {
      $b = $a;
    $r = hash($v, $b, false);
    if ($r == '0') {
      if(preg_match('/^[\x21-\x7e]*$/', $b)) {
        printf("%-12s %s %s\n", $v, $b, $r);

I didn’t have to just use integers as found in most of the results but it was slightly easier to code. Also, in hindsight it’s also slightly more robust because sometimes people force the passwords to upper or lowercase, and numbers are uneffected by this, so using integers is slightly safer. However, in a practical attack, an attacker might have to find a password that conforms to password requirements (at least one upper case, one lower case, one number and one special character) and also is evaluated into zero when hashed. For example, after 147 million brute force attempts, I found that “Password147186970!” converts to “0e153958235710973524115407854157″ in md5 which would meet that stringent password requirement and still evaluate to zero.

To round this out, we’ve found in testing that a 32 character hash has collisions with this issue in about 1/200,000,000 of random hash tests. That’s thankfully not that often, but it’s often enough that it might be worth trying on a high volume website or one that generates lots of valid credentials. Practically this is rather difficult to do, thankfully, without sending a massive amount of attempts in the most likely instances. Note: there are similar issues with “0x” (hex) and “0o” (octal) as well but those characters do not appear in hashes, so probably less interesting in most cases. It’s also worth mentioning that “==” and “!=” both suffer from the same issue.

Are websites really vulnerable to this attack? Yes, yes, they are. This will surely cause issues across many many different types of code repositories like this and this and this and this to name just a few. Similar confusion could be found in Perl with “==” and “eq”, as well as loosely cast languages like JavaScript as well. (Thanks to Jeremi M Gosney for help thinking this through.) I wouldn’t be surprised to see a lot of CVEs related to this.

Patch: Thankfully the patch is very simple. If you write PHP you’ve probably heard people mention that you should be using triple equals “===”. This is why. All you need to do is change “==” to “===” and “!=” to “!==” respectively to prevent PHP from attempting to guess the variable type (float vs string). Some people have also recommended using the “hash_equals” function.

WhiteHat will now be testing this with both our dynamic scanner and static code analysis for WhiteHat customers. If you want a free check please go here. This is rather easily found using static code analysis looking for comparisons of hashes in PHP. Lastly, if you have some computing horsepower and have any interest in this attack, please consider contributing to any value/hash pairs that we haven’t found samples for yet or for hash algorithms we haven’t yet listed.

#HackerKast 32: WordPress Core XSS, Spoof Email Tanks Stock, Tesla Defacement via DNS Hack, 451 Status Code, MS15-034 Microsoft Vulnerability

Hey All! Thanks for checking out this week’s HackerKast! We’re all back and recovering from RSA and my feet still hurt.

Starting off with This Week In WordPress Sucks™, we’ve got a vulnerability in WordPress core this time. This is usually not the case as core has been gone over several times with a fine toothed comb, but some persistent XSS in core comment functionality popped up anyway. Also, as per usual, a few hundred plugins were vulnerable to an XSS that was found in two different frequently used functions that were poorly documented. The core issue were patched already but it is up to administrators of WordPress installs to race and get the patch installed.

Next, in silly things that affect the stock market news, Italy’s 2nd largest bank had a hoax email go out pretending to be the CEO resigning. Within moments, the stock takes a huge crash before coming back up after everyone realizes it was a hoax. We’ve seen this before a few times, notably the time Associated Press Twitter account was hacked and tweeted about a bomb at the White House which caused the entire stock market to take a dive for a few minutes. This all points to the fact that there are automated stock trading systems out there making decisions based off of social media and news information.

We had a little chat about the recent problem over at Tesla where their homepage was “defaced”. This wasn’t actually a defacement of any servers on their end but the attackers went after the recently popular low hanging fruit of DNS providers. Once the DNS provider was owned, the homepage was redirected along with any MX records allowing emails to be rerouted to the attackers. With this email rerouting in place, they then sent out some Twitter password reset emails which allowed them to take over the social media accounts. What Robert and I touched on at the end here is that Tesla was lucky that this was all for the lulz because that email rerouting, if done correctly, could’ve been silently MiTMing the company’s emails for some time before anybody noticed. Scary stuff relying on a DNS provider with that level of severity of compromise.

A new status code is being presented in the HTTP standard for the purposes of displaying a legally related block. Instead of just a 404, the browser would now present a 451 which would mean legally restricted due to any number of reasons. Most popularly this would show up for geolocation related blocks of content that tons of Netflix users are very aware of.

Lastly, MS-15-034, came out which was a Microsoft Buffer Overflow vulnerability in IIS servers. Of course Robert couldn’t help himself and wrote a snippet of exploit code. Then in This Week In RSnake Puts Something Dangerous Social Media™ he posted this code to Twitter for people to play with exploit in a remotely exploitable way. We’re toying with a possible demo we could do of this for you all but might take some tinkering to make it interesting.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay


XSS 0day in WordPress Core
Many WordPress Plugins Found Vulnerable to XSS
Fake Email Regarding CEO Resignation Tanks Stock
Tesla’s DNS and Twitter Account Hacked
New HTTP “Legally Restricted” Status Code Proposed
MS15-034 Buffer Overflow in Microsoft HTTP pt 1.
MS15-034 Buffer Overflow in Microsoft HTTP pt 2.
MS15-034 Buffer Overflow in Microsoft HTTP pt 3.

Notable stories this week that didn’t make the cut:

Thirty Meter Telescope Gets DDoS’d
Google’s April Fools Joke Actually Made Users Less Secure
Extremely Hackable eVoting Machine
Security Expert Pulled Off Flight by FBI After Exposing Airline Security Flaws
Senate Proposes Re-classifying Certain Uses of Software/Hardware as “Fair Use” and Exempt from DMCA
Navy Announces It Will Stop Buying Manned Aircraft
“Better Presentation of URLs in Search” Should Read “Removal of URLs In Search”
“The Real Deal” DarkNet 0Day Auction

Web Security for the Tech-Impaired: The Importance of the ’S’

There’s one little letter that has huge importance when you’re logging into sites or buying your favorite items: it’s the letter ’S’. The ’s’ I’m referring to is the ’S’ in HTTPS. You may never have seen the ’S’ before in your web browser, or you may have seen it and never realized it’s importance. You may know it as that thing that gets added before the website you type in. What is it’s meaning? Why is it important? You shall find these answers in this post!

HTTP and HTTPS are referred to as ‘protocols’. In essence, these protocols are defining how your computer will talk to another computer. As you browse the web, you may notice that some sites use HTTP, while others use HTTPS. If you bring up CNN’s home page you’ll notice that it either shows http in front of the URL in the URL bar or just This shows that the site is using the HTTP protocol to communicate. HTTP is a non-secure way of transmitting data from your computer to the website. Data over the HTTP protocol can be intercepted and read at any point between you and the website’s computer. This is what’s known as a ‘man-in-the-middle’ (MITM). A person listening in on your virtual conversation between your computer and the website’s computer can look at all the data that’s being sent. This isn’t a big deal if you’re looking at articles on CNN or searching for content on Wikipedia, but what if you log in to a site or buy something from an online store? You certainly don’t want the bad guys to know your username and password or your credit card number, so how do you protect yourself?

This is where the mighty ’S’ comes to the rescue. The protocol HTTPS is a way of securely sending data from your computer to the website you are interacting with. If a site is using HTTPS you’ll notice the HTTPS in front of the URL. As an example, go to In more modern and up-to-date browsers, you’ll likely see the HTTPS colored in either green or red and a lock icon. The green text with the lock icon is stating that you’re communicating securely with this website and everything looks to be going well.

If the https is red, there is probably some type of issue with the site security. It may be that the site’s certificate is out of date or invalid, or it may be that the site includes insecure third-party content, or there may be other issues. In any case, it is always safest not to proceed with a transaction that involves information you would like to keep secure if the HTTPS and lock icon are not green.

HTTPS uses a complicated system to encrypt the data you send to the website and vice versa. A bad guy who is performing an MITM attack will still see the conversation between you and the website, but it will be completely incoherent, like listening to a conversation in a language that’s been made up by the two people talking. Anytime you are doing anything that requires a login, credit card number, social security numbers, or ANY private data, you want to make sure that you see that HTTPS protocol, and if you have the benefit of modern browsers, that the green lock icon is present. NEVER log in or give any sensitive information to a site that does not communicate over HTTPS.

Protecting your Intellectual Property: Are Binaries Safe?

Organizations have been steadily maturing their application testing strategies and in the next several weeks we will be releasing the WhiteHat Website Security Statistics report that explores the outcomes of that maturation.

As part of that research we explored some of the activities being undertaken as part of application security programs and we were impressed to see that 87% of the respondents perform static analysis. 32% of them perform it with each major release and 13% are performing it daily.

This adoption of testing earlier in the software lifecycle is a welcome move. It is not a simple task for many companies to build out the policies that are essential for driving the maturity of an application security program.

We wanted to explore a policy that seems to have been conflated with the need to gain visibly into third-party software service providers and commercial off-the-shelf software (COTS) vendors’ products.

There seems to be a significant amount of confusion and perhaps intentional fear uncertainty and doubt (FUD) in this area. The way you go about testing third party software should mirror the way you go about testing your own software. Binary analysis of software for the purpose of not exposing your Intellectual Property (IP) is where the question of measurable security lies.

Binaries can easily be decompiled, revealing nearly 100% of the source code. If your organization is distributing the binaries that make up your web application to a third party, you have effectively given them all the source code as well. This conflation of testing policies leads to a false sense of Intellectual Property protection.

Reverse engineering, while requiring some effort is no problem. Tools such as ILSpy and Show My Code are freely and widely available.Sharing your binaries in an attempt to protect your Intellectual Property actually end up exposing 100% of your IP.

Source and Binary

This video illustrates this point.

Educational Series: How lost or stolen binary applications expose all your intellectual property. from WhiteHat Security on Vimeo.

While customers are often required by policy to protect their source code, the only way to do that is to protect your binaries. That means being careful never to turn on the compilation options that allow for binary review that other vendors require. Or at a very minimum it requires that those same binaries never get uploaded to production where they may be exposed via vulnerabilities. Either way, if your requirement is to protect your IP you need to make certain your binaries don’t fall into the wrong hands, because inside of those binaries could be the keys to the castle.

For more information, click here to see the infographic on the two testing methodologies.

The Perils of Privacy Personas

Privacy is a complex beast, and depending on who you talk to, you get very different opinions of what is required to be private online. Some people really don’t care, and others really do. It just depends on the reasons why they care and the lengths they are both willing and able to go through to protect that privacy. This is a brief run-down on some various persona types. I’m sure people can come up with others, but this is a sampling of the kinds of people I have run across.

Alice (The Willfully Ignorant Consumer)

  • How Alice talks about online privacy: “I don’t have anything to hide.”
  • Alice’s perspective: Alice doesn’t see the issues with online advertising, governmental spying and doesn’t care who reads her email, what people do with her information, etc. She may, in the back of her mind, know that there are things she has to hide but she refuses to acknowledge it. She is not upset by invasive marketing, and feels the world will treat her the same way she treats it. She’s unwilling to do anything to protect herself, or learn anything beyond what she already knows. She’s much more interested in other things and doesn’t think it’s worth the time to protect herself. She will give people her password, because she denies the possibility of danger. She is a danger to all around her who would entrust her with any secrets.
  • Advice for Alice: Alice should do nothing. All of the terrible things that could happen to her don’t seem to matter to her, even when she is advised of the risks. This type of user can actually be embodied by Microsoft’s research paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, which is to say that spending time on security has a negative financial tradeoff for most of the population when taken in a vacuum where one person’s security does not impact another’s.

Bob (The Risk Taker)

  • How Bob talks about online privacy: “I know I shouldn’t do X but it’s so convenient.”
  • Bob’s perspective: Bob knows that bad things do happen, and is even somewhat concerned about them. However, he knows he doesn’t know enough to protect himself and is more concerned about usability and convenience. He feels that the more he does to protect himself, the more inconvenient life is. He can be summed up with the term “Carpe Diem.” Every one of his passwords is the same. He choses weak security questions. He uses password managers. He clicks through any warning he sees. He downloads all of the programs he finds regardless of origin. He interacts on every social media site with a laissez-faire attitude.
  • Advice for Bob: He should pick email/hosting providers and vendors that naturally take his privacy and security seriously. Beyond that, there’s not much else he would be willing to change.

Cathy (The Average Consumer)

  • How Cathy talks about online privacy: “This whole Internet thing is terrifying, but really, what can I do? Tax preparation software, my utilities and email are essential. I can’t just leave the Internet.”
  • Cathy’s perspective: Cathy knows that the Internet is a scary place. Perhaps she or one of her friends has already been hacked. She would pick more secure and private options, but simply has no idea where to start. Everyone says she should take her security and privacy seriously, but how and who should she trust to give her the best advice? Advertisers are untrustworthy, security companies seem to get hacked all the time – nothing seems secure. It’s almost paralyzing. She follows whatever best practices she can find, but doesn’t even know where to begin unless it shows up in whatever publications she reads and happens to trust.
  • Advice for Cathy: Cathy should try to find options that have gone through rigorous third party testing by asking for certificates of attestation, or attempt to self-host where possible (E.g. local copies of tax software versus Internet-based versions), and follow all best practices for two-factor authentication. She should use ad-blocking software, VPNs and logs out of anything sensitive when finished. Ideally she should use a second browser for banking versus Internet activities. She shouldn’t click on links out of emails, shouldn’t install any unknown applications and even shouldn’t download trustworthy applications from untrustworthy websites. If a site is unknown, has a bad or nonexistent BBB rating or seems to not look “right”, she should avoid it. It may have been hacked or taken over. She should also do reputation checking on the site using Web of Trust or similar tools. She should look for the lock in her browser to make sure she is using SSL/TLS. She shouldn’t use public wifi connections. She should install all updates for every software that is already on her computer, uninstall anything she doesn’t need and make sure all services are disabled that aren’t necessary. If anything looks suspicious, she should ask a more technical person for help, and make sure she has backups of everything in the case of compromise.

Dave (The Paranoid Reporter)

  • How Dave thinks about online privacy: “I know the government is capable of just about anything. So I’ll do what I can to protect my sources, insomuch as that it enables me to do my job.”
  • Dave’s perspective: Dave is vaguely aware of some of the programs the various government agencies have in place. He may or may not be aware that other governments are just as interested in his information as the US government. Therefore, he places trust in poor places, mistakenly thinking he is somehow protected by geography or rule of law. He will go out of his way to install encryption software, and possibly some browser security and privacy plugins/add-ons, like ad-blocking software like Disconnect or maybe even something more draconian like NoScript. He’s downloaded Tor once to check it out, and has a PGP/GPG key that no one has ever used posted on his website. He relies heavily on his IT department to secure his computer. But he uses all social media, chats with friends, has an unsecured phone and still uses third party webmail for most things.
  • Advice for Dave: For the most part, Dave is woefully unequipped to handle sensitive information online. His phone(s) are easily tapped, his email is easily subpoenaed and his social media is easily crawled/monitored. Also, his whereabouts are always monitored in several different ways through his phone and social media. He is at risk of putting people’s lives in danger due to how he operates. He needs to have complete isolation and compartmentalization of his two lives. Meaning, his work computer and personal email/social presence should not intertwine. All sensitive stuff should be done through anonymous networks, and using heavily encrypted data that ideally becomes useless after a certain period of time. He should be using burner phones and he should be avoiding any easily discernible patterns when meeting with sources in person or talking to sources over the Internet.

Eve (The Political Dissident)

  • How Eve thinks about online privacy: “What I’m doing is life or death. Everyone wants to know who I am. It’s not paranoia if you’re right.”
  • Eve’s perspective: Eve knows the full breadth of government surveillance from all angles. She’s incredibly tuned in to how the Internet is effectively always spying on her traffic. Her life and the lives of her friends and family around her are at risk because of what she is working on. She cannot rely on anyone she knows to help her because it will put them and ultimately, herself, in the process. She is well read on all topics of Internet security and privacy and she takes absolutely every last precaution to protect her identity.
  • Advice for Eve: Eve needs to got to incredible lengths to use false identities to build up personas so that nothing is ever in her name. There should always be a fall-back secondary persona (also known as a backstop) that will take the fall if her primary persona is ever de-anonymized instead of her actual identity. She should never connect to the Internet from her own house, but rather travel to random destinations and connect into wifi at distances that won’t make it visually obvious. Everything she does should be encrypted. Her operating system should be using plausible deniability (E.g. VeraCrypt) and she should actually have a plausibly deniable reason for it to be enabled. She should use a VPN or hacked machines before surfing through a stripped down version of Tails, running various plugins that ensure that her browser is incapable of doing her harm. That includes plugins like NoScript, Request Policy, HTTPS Everywhere, etc. She should never go to the same wifi connection twice, and should use different modes of transportation whenever possible. She should never use her own credit card, but instead trade in various forms of online crypto-currencies, pre-paid credit cards, physical cash and barter/trade. She should use anonymous remailers and avoid using the same email address more than once. She should regularly destroy all evidence of her actions before returning to any place where she might be recognized. She should avoid wearing recognizable outfits, and cover her face as much as possible without drawing attention. She should never carry a phone, but if she must, it should have the battery removed. Her voice should never be transmitted due to voice-prints and phone-line/background noise forensics. All of her IDs should be put into a Faraday wallet. She should never create any social media accounts under her own name, never upload a picture of herself or surroundings, and never talk to anyone she knows personally while surfing online. She should avoid using any jargon, slang or words that are unique to her location. She should never talk about where she is, where she’s from or where she’s going. She should never tell anyone in real life what she’s doing and she should always have a cover story for every action she takes.

I think one of the biggest problems in our industry is the fact that we tend to give generic one-size-fits-all privacy advice. As you can see above, this sampling of various types of people isn’t perfect but it never could be. People’s backgrounds are so diverse and varied, that it would be impossible to precisely fit any one person into any bucket. Therefore privacy advice must be tailored to people’s ability to understand their interest in protecting themselves and the actual threat they’re facing.

Also, we often are talking at odds with regards to privacy vs security. Even if we didn’t have to worry about the intentions of those giving advice, as discussed in that video, we still can’t rely on the advice itself necessarily. Nor can we rely on the advice being well taken by the person we are giving it to. One party might fully believe that they’re doing all they need to be doing, while they are in fact making it extremely dangerous for those around them who have higher security requirements.

Anything could be a factor in people’s needs/interest/abilities with regards to privacy – age, sex, race, religion, cultural differences, philosophies, their location, which government they agree with, who they’re related to, how much money they have, etc. Who knows how any of those things might impact their privacy concerns and needs? If we give people one-size-fits-all privacy advice it is guaranteed to be a bad fit for most people.

#HackerKast 30: Verizon Supercookie, Tesla Stock April Fools, Bugs in Tor, YouTube Bounty Hack, ‘Do Not Track’ and Microsoft

Hey All! We made it to 30 Episodes! Thanks for coming along for the ride, and hope you’re enjoying HackerKast. Now… the news!

First we talked about the follow up to a story we spoke about a few weeks back that had to do with Verizon tracking its customers. They were doing this by implementing a sort of “supercookie” which was injected into HTTP requests on their end. This isn’t something that would go away if you cleared your cache, cookies, browser files, etc. This was basically the glitter of user tracking, it never went away. News this week was that Verizon spokespeople made some hand wavy announcement of how this isn’t a problem since users can opt-out of this tracking if they wish. The problem we discuss here is that nobody is going to do that or even take the time to figure out how to do it via some random Verizon web interface. Bad form on Verizon’s part and just shows that the users’ interests are not truly at the heart here. The age old adage of “if you aren’t paying for it, you’re the product” doesn’t even apply here since you ARE paying for Verizon. They are just squeezing your data for more money.

Privacy tangent aside, in lighter news, the stock market is being automated! Lighter news? I guess so, due to the context here of an April Fools joke by Tesla. They announced the brand new ‘Model W’ which caused a bit of a commotion amongst the robots on the Internet. Turns out the Model W wasn’t a new line of Tesla cars but a joke about them making a watch which could do phenomenal things such as telling time. At the time of this announcement a bunch of excited robots made Tesla stock jump by nearly 1% and there were over 400,000 trades in 60 seconds, which was the largest surge for Tesla since their IPO. This may be a funny instance of this but it is a scary thought that a practical joke could have cost people hundreds of thousands of dollars because of some trigger happy robots.

Next, we talked about some new issues discovered and written about with Tor. In this case, we are talking about Denial of Service technique that is unique to a Tor Hidden Service. By using a ton of requests that open up “circuits” to hidden services, which kind of act like sockets, an attacker can flood the server and take it down. By building up a lot of these circuits, a hidden service will need to utilize a ton of CPU and memory to handle all of this. This is being called a bug but Robert doesn’t like that terminology because it is kind of by design how hidden services work, just being used maliciously.

Now we are talking about something we all really like the sound of, deleting Justin Bieber videos off the Internet. Well, that was the click bait for this one. The real topic is that a researcher found a way to delete any video off of YouTube immediately. Turns out that Google paid this researcher $5,000 for this bug which we all agreed seemed a bit low for such a serious bug, but we might not have all the information. The funny part here is the researcher discussed how hard it was to fight the urge to not deleting Bieber fan channels. Good bug.

Lastly, Microsoft announced that it will not be supporting ‘Do Not Track’ by default in the next version of their browsers, whatever they are calling it these days. This is coming right after ‘Do Not Track’ was finally supported by default only in their latest version of Internet Explorer. This sounds like a loss for privacy of the users but, in reality, DNT doesn’t really work. Nobody really pays attention to this and it costs more bandwidth anyway so there really is no point at this stage in the game.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Verizon Customers Can Now Opt Out of Supercookie Due to Government Pressure
Tesla Stockholders Can’t take a Joke
Bugs in Tor Network Used In Attacks Against Underground Markets
YouTube hack ‘threatened’ Justin Bieber videos
‘Do Not Track’ no longer default setting for Microsoft browsers

Notable stories this week that didn’t make the cut:
Turkey Blocks Social Media Again – People Resort to Posters to Educate