Category Archives: Vulnerabilities

#HackerKast 28: Unicode Chrome Crash, Brain Waves, Top 10 Web Hacks, PWN2OWN, Wind Turbine CSRF, TLS certificates

Hey Everybody! Thanks for checking out this week’s HackerKast! We’ve got some fun stories this week that were a good time to chat about.

First we mentioned a bit of a concerning story but also an amusing one. There was a little magic string of Unicode characters that would crash Chrome completely when viewed. This had to do with some language libraries that were installed locally that didn’t play nicely together. Robert, being the hacker he is, couldn’t resist putting this string of characters in a Facebook status and tweet. He got a lot of hate mail. (Oh, and if Chrome crashes while reading this post, you should really install updates ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ.)

Now we all love it when security topics get themselves out of the echo chamber, but I think this next story is fairly unique as to what industry it popped up in. Turns out some biology research went on when some scientists decided to perform an MRI of people while they were browsing the web. We all know users just click things to get them out of the way, but it turns out there is a biological reason for this! Certain parts of the brain actually turned off and showed up as inactive on the MRI when the users were viewing security warnings, like the ones for invalid SSL certificates. Now we can all collectively say that security is making people brain dead.

Finally my life is a bit back to normal, as the Top 10 Web Hacks talk is complete and published. For those of you who missed the webinar, you can check it out here: Recording. I went through the rundown of what this talk is and touched on a few of the interesting pieces of research that made the list in the video. I’ll also be giving the talk again in person at RSA for all of you there! Check it out.

Next, we talked a bit about the PWN2OWN contest up at CanSecWest this year. All major browsers fell by the 2nd day of trying. For those unfamiliar, PWN2OWN is basically a 0-day contest: show up and own a box completely by navigating an up-to-date browser/OS to a website. One researcher scored a total of $225K in a single day for his exploits. That is some serious 0-day cash! Jeremiah also mentioned, as he does every now and then, his idea of a PWN2OWN category that rewards bugs found in antivirus software. Owned by the software you installed to protect yourself.

Another fun one I touched on next was a vulnerability that was found in an actual wind turbine. This turbine, for whatever reason, has a web admin portal. The portal was vulnerable to CSRF via an HTTP GET request that forces a credential change for the admin account. Once the credentials are changed, the attacker can completely control the turbine and even stop it from generating power.
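
The pattern behind that story, as an added example (not the turbine vendor's code or anything from the original post): a credential-change handler that accepts GET and trusts the session cookie alone, beside a hardened version that requires POST, checks the Origin header, verifies a per-session CSRF token and asks for the current password. The portal origin and the dict-shaped requests are assumptions so the example runs without a web framework.

```python
import hmac
import secrets

# Assumed portal origin; a real deployment would read this from configuration.
PORTAL_ORIGIN = "https://turbine-admin.example"


class Portal:
    """Stand-in for a device admin portal: one admin account, cookie-based
    sessions, and the password-change handler in vulnerable and hardened form.
    Requests are plain dicts (method, cookies, query, form, headers)."""

    def __init__(self):
        self.credentials = {"admin": "initial-password"}
        self.sessions = {}  # session id -> {"user": ..., "csrf": ...}

    def login(self, user, password):
        if self.credentials.get(user) != password:
            return None
        sid = secrets.token_urlsafe(16)
        # One CSRF token per session; the portal embeds it in its own forms and a
        # third-party page cannot read it because of the same-origin policy.
        # Defence in depth: the real Set-Cookie should also carry SameSite=Lax or
        # Strict so the browser does not attach it to cross-site requests at all.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def _session(self, request):
        return self.sessions.get(request.get("cookies", {}).get("sid"))

    # Vulnerable: a state change on GET, authorised by the session cookie alone.
    def change_password_vulnerable(self, request):
        session = self._session(request)
        if session is None:
            return 401, "login required"
        # The browser attaches the cookie to every request for this host, so a
        # GET triggered from any page the admin visits is processed as the admin.
        query = request.get("query", {})
        self.credentials[query["user"]] = query["pw"]
        return 200, "password changed"

    # Hardened: POST only, Origin check, per-session token, re-authentication.
    def change_password(self, request):
        session = self._session(request)
        if session is None:
            return 401, "login required"
        if request.get("method") != "POST":
            return 405, "state changes must use POST"
        if request.get("headers", {}).get("Origin") != PORTAL_ORIGIN:
            return 403, "cross-origin request rejected"
        form = request.get("form", {})
        if not hmac.compare_digest(form.get("csrf", "").encode(), session["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
        # Ask for the current password: a forged request cannot supply it, and the
        # change is bound to the logged-in user rather than to a query parameter.
        if form.get("current") != self.credentials.get(session["user"]):
            return 403, "current password incorrect"
        self.credentials[session["user"]] = form["new"]
        return 200, "password changed"


def forged_get(sid):
    """The request the admin's browser sends when a third-party page embeds an
    image tag pointing at the portal's change-password URL: the session cookie
    rides along, but there is no Origin header, token or form body."""
    return {"method": "GET", "cookies": {"sid": sid},
            "query": {"user": "admin", "pw": "owned"}}


def compare_handlers():
    """Run the same forged GET against both handlers; returns their status codes."""
    results = []
    for handler in ("change_password_vulnerable", "change_password"):
        portal = Portal()
        sid = portal.login("admin", "initial-password")
        results.append(getattr(portal, handler)(forged_get(sid))[0])
    return tuple(results)


if __name__ == "__main__":
    print("vulnerable, hardened:", compare_handlers())  # (200, 405)
```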

The last story we touched on was a complicated one about SSL/TLS certificates: Google warned this week that some unauthorized TLS certs were trusted by almost every operating system. Robert goes into the technical details here, so those interested should listen up! The CliffsNotes version is that if you are in Egypt, you should watch what you say online, especially while using Google via Internet Explorer. Firefox and Chrome’s certificate pinning helps a bit here if in use, so those should be slightly better off.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Crashing Chrome Tabs with Unicode
MRIs Shows Brains Shutting Down With Security Prompts
Top 10 Web Hacking Techniques of 2014
All Major Browsers Fall At PWN2OWN Day 2
Wind turbine blown away by control system vulnerability
Google warns of unauthorized TLS certificates trusted by almost all OSes

Notable stories this week that didn’t make the cut:
North Korea Web Outage Was Response To Sony Hack, Congressman Says
China Admits To Having a Hacking Group
Cisco to Ship Boxes to Empty Houses To Evade the NSA
Kaspersky Being Accused Of Ties To Russian Military
No password or PIN, but I have a fake ID. Sure, take the domain
FREAK uses Similar Modulo Attacks
Brute Forcing iOS Screenlock
Need a security expert? Hire a coder

#HackerKast 27: SXSW, Copy Magic Paste, Tinder AI, GTA V, Mystery SSL Fix

Hey everybody! Quick recap this week as we are gearing up for the Top 10 Web Hacks Webinar (which you can register to watch here).

Robert and I just got back from SXSW this weekend, and that was a very interesting experience. It was my first big trade show floor that wasn’t security related. Tons of interesting stuff floating around Austin this week!

The first story we covered was about a Copy Magic Paste trick that Robert found from the SEO crowd. The idea started as a way for websites to force citation by people stealing content, but Robert was talking about the possibility of using it to sneak JavaScript into places.

Next, I touched on a fun Tinder story from SXSW, where a movie about AI used a robot Tinder profile to match with people at the conference; after a short conversation the bot would point the person it had tricked towards an Instagram account promoting the movie. This brought up a lot of AI-related topics that were floating around the conference, which Robert has a ton to say about.

A quick, fun logic flaw in GTA V wound up having some real $ consequences. Jer and I love logic flaws; they feel like hacking without hacking. This one was pretty simple: make an in-game car for a few thousand in-game dollars and sell it for about 10x that. The writers of this article did the conversion into real-world money, and it seemed people could make about $5 every 20 minutes. If this could be automated it would’ve been some nice passive income.

Jer talked about an exciting new story that we are all very hopeful about: Yahoo Mail end-to-end encryption. Alex Stamos, CISO over at Yahoo, announced a new program to use end-to-end encryption in their webmail client. The big question here is how usable this will be. If it is only as usable as PGP, we probably won’t see a huge uptick in adoption. We’ll be watching this closely, as it has huge potential.

Lastly we touched on a “mystery” SSL fix from the OpenSSL community. A mailing list announcement mentioned new version patches coming out that fix a high-severity vulnerability. We don’t have much detail here, but once we do it will be pretty interesting. In the wake of Heartbleed, we are all a bit nervous when OpenSSL is mentioned in the context of vulnerabilities.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Copy Magic Paste Modifies Copy Event on your Website
Tinder Users at SXSW Are Falling For a Robot
Grand Theft Auto Logic Flaw Leads To Real Money
User-Focused Security: End-to-End Encryption Extension for Yahoo Mail
New Mystery SSL Fix To Be Released Thursday

Notable stories this week that didn’t make the cut:
Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine
Microsoft Is Killing off the Internet Explorer Brand (now called Spartan)
Chromium to Block RFC1918 (Probably)

#HackerKast 26: Rowhammer, uTorrent bitcoin trojan, Chrome Same Origin Policy Bypass

Hey Everybody! Hard to believe we’ve done 26 of these already. Hope you’re having as much fun watching/listening to these as we are having while making them!

First and most importantly this week, we HAD to cover Rowhammer. For those of you who haven’t heard, the latest research to come from some smart folks over at Google is pretty scary. This creative attack has to do with circuits in memory being lined up in specific rows (hence “Rowhammer”). By sending different signals to these circuits, the researchers were able to predictably flip certain adjacent bits, which would allow for privilege escalation. Robert goes into way more detail, so listen up if you’re interested!

Next, I touched a bit on the recent uTorrent debacle. For those of you who use the popular torrent software, beware of the latest update! It comes with a bit of a surprise piece of software. Where I come from, we call that a trojan. Anyway, this time they included a Bitcoin miner called Epic Scale. This of course would cause your machine’s performance to suffer, along with your electric bill, all the while making uTorrent some cash. It’s not trivial to uninstall this whole mess either, so needless to say, people are pissed.

Finally we finished up with some more great research, this time having to do with a new Chrome Same Origin Policy bypass. This one was super creative and followed similar lines of thought to the Pixel Perfect Timing research from last summer, because it utilizes some SVG tricks. The researcher sets up a malicious page, sources in an image from an external page, and then via JavaScript can read the image data by jumping through a few hoops. This could be utilized for login detection, private photo snooping, etc.

We didn’t feel like squeezing FREAK into a HackerKast with other stories, so we’ll give it the time it deserves soon. (I know there is some AppSec junkie somewhere out there wondering why we left it out!)

Thanks for listening! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

References:
Rowhammer
Beware, μTorrent is installing a Bitcoin miner software
Chrome SOP Bypass with SVG (CVE-2014-3160)

Notable stories this week that didn’t make the cut:
To protect itself from attack, Estonia is finding ways to back up its data
Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all
Where there’s a will, there’s a way – The Ambassador who worked from a Nairobi bathroom to avoid State Dept. IT
The CIA Campaign To Steal Apple’s Secrets

Hillary Clinton’s Emails And The Internet Services Supply Chain

Do you want the blue pill? Then leave. Up for the red pill? Then keep reading.

There has been a lot of talk about Hillary Clinton’s emails lately, and for good reason. People are genuinely concerned about national secrets falling into the hands of those who might hurt people. Regardless of the merit of the claims of how her private email address was used, I wanted to spend some time talking about something that hasn’t been talked about enough – the Internet Services Supply Chain (a made up term, like all the others). ;)

What is the Internet Services Supply Chain? Whenever you build a website or email account that you host yourself, there are a number of things that you need to rely on. First, you need to rely on the physical hardware and its components – that’s called the Hardware Supply Chain and is a well understood (although not at all solved) issue. Then you have software components that your site utilizes – that’s called the Software Supply Chain and is also a well understood (although not at all solved) issue. Lastly, there are a number of service providers that are incredibly important for the continuity and security of your site, and that is the Internet Services Supply Chain. Those can include – but are not limited to – hosting providers, DNS providers, email providers and registrars.

For example, Hillary Clinton’s email MX records are actually on two separate IP addresses:

clintonemail.com.inbound10.mxlogic.net - 208.65.144.3
clintonemail.com.inbound10.mxlogicmx.net - 208.65.144.2

Unfortunately, it’s not that easy. Mxlogic relies on companies too. And those companies rely on other companies, and so on. Here’s just a simple mapping of all of the companies who could theoretically have taken over her domain as a result of that supply chain:

clintonemail.com
	Relies on ns16.worldnic.com for DNS
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on networksolutions.com for Registrar
		Relies on netsol.com for NS
			Relies on mx.myregisteredsite.com for Mail
				Relies on droneteam@web.com for Domain Admin Control
	Relies on mxlogicmx.net for Email
		Relies on hostmaster@mcafee.com for Domain Admin Control
			Relies on akam.net for DNS
				Relies on hostmaster-billing@akamai.com for Domain Admin Control
		Relies on pdns3.ultradns.org for DNS
			Relies on Godaddy for DNS
				Relies on domains@neustar.biz for Domain Admin Control
					Relies on pphosted.com for Mail
						Relies on proofpoint.com for DNS
						Relies on dns@proofpoint.com for Domain Admin Control
					Relies on NEUSTARREGISTRY.BIZ for Registrar
						Relies on Godaddy for Registrar
							Relies on outlook.com for Mail
								Relies on msft.net for DNS
									Relies on domains@microsoft.com for Domain Admin Control
								Relies on o365filtering.com for DNS
								Relies on hotmail.com for Mail
								Relies on domains@microsoft.com for Domain Admin Control
			Relies on PDNS196.ULTRADNS.BIZ for DNS
			Relies on PDNS196.ULTRADNS.CO.UK for DNS
			Relies on DNS196.ULTRADNS.COM for DNS
			Relies on PDNS196.ULTRADNS.INFO for DNS
			Relies on PDNS196.ULTRADNS.NET for DNS
			Relies on PDNS196.ULTRADNS.ORG for DNS
		Relies on pdns2.ultradns.net for DNS
		Relies on pdns5.ultradns.info for DNS
		Relies on pdns6.ultradns.co.uk for DNS
		Relies on dnsadmin@mxlogic.com for Domain Admin Control
		Relies on register.com for Registrar
			Relies on NS-1119.AWSDNS-11.ORG for DNS
				Relies on hostmaster@amazon.com for Domain Admin Control
					Relies on dynect.net for DNS
						Relies on dynamicnetworkservices.net for DNS
							Relies on dynamicnetworkservices.net@secretregistration.com for Domain Admin Control
						Relies on mailhop.org for Mail
							Relies on tucowsdomains.com for Registrar
								Relies on tucowsdomains.com@contactprivacy.com for Domain Admin Control
								Relies on TUCOWS.COM for DNS
						Relies on hostmaster@dyn.com for Domain Admin Control
					Relies on markmonitor.com for Registrar
						Relies on psmtp.com for MX
							Relies on google.com for MX
							Relies on google.com for DNS
			Relies on NS-1887.AWSDNS-43.CO.UK for DNS
			Relies on NS-226.AWSDNS-28.COM for DNS
			Relies on NS-948.AWSDNS-54.NET for DNS

And this doesn’t even cover the supply chain for her hosting providers for mail.clintonemail.com or sslvpn.clintonemail.com. Now step back for a minute and ask yourself not “how easy would it be to break into all of these?” but “how easy would it be for someone to break into any one of these domains?” I know both Rackspace and Google are on the list, and they were both targeted in the Aurora attacks that were allegedly attributed to the Chinese military (as an example). So it’s not a matter of whether it is possible to break into a domain; it’s just a matter of how hard someone is willing to try. Can you have a secure website without secure email? (Spoiler: no, you cannot.)

We are putting all our eggs in a very small basket that hundreds of thousands of people could potentially have access to. The real issue isn’t Hillary Clinton and her BlackBerry. The real problem is that everyone everywhere who is on the public Internet is subject to this Internet Services Supply Chain. It’s inescapable, because the Internet isn’t a bunch of islands; it’s far more interconnected, with consolidated power resting with a handful of service providers. We are all just as vulnerable as Hillary is if we use the same Internet that she does.

Hillary is no different from anyone else. I could have done this same analysis on any company anywhere and gotten roughly the same results. Let’s say the target itself was actually secure (Hillary’s email in this case); it doesn’t matter. If there is any vulnerability in any one of the companies the target relies on, the target is vulnerable. That is what happened with Lenovo, whose registrar (Webnic) was hacked. And that’s just one example from less than a month ago.

That’s the problem with the Internet Services Supply Chain: any weak link in the chain can cause a cascade or ripple effect. It also means the stakes are getting even higher for those service providers and those who use them, as power is consolidated into a few mega-companies that have the reach and access to control so many other companies. At some point no company and no individual will be able to ensure their own or their partners’ security.
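
The mapping above was built by hand; as an added example (not the post's own tooling) here is the same transitive walk as code: each provider's DNS, registrar, mail and admin-contact dependencies are followed until the set stops growing, giving the full list of organisations whose compromise could reach the target. The record set and the host-to-IP map are constructed sample data, not real DNS or WHOIS results, so the script runs offline.

```python
from collections import deque

# Constructed sample records (not real DNS or WHOIS data). For each registrable
# domain: the services it depends on, as (role, hostname-or-mailbox). Roles
# mirror the post's tree. A mailbox counts as a dependency on its domain, since
# whoever controls that domain receives the registrar's resets and approvals.
RECORDS = {
    "target.example": [("DNS", "ns1.worldnic.example"),
                       ("Registrar", "netsol.example"),
                       ("Mail", "inbound.mxfilter.example")],
    "worldnic.example": [("DNS", "ns.netsol.example"), ("Mail", "mx.netsol.example")],
    "netsol.example": [("Domain Admin Control", "droneteam@webco.example")],
    "webco.example": [("Registrar", "netsol.example")],  # cycle back to netsol
    "mxfilter.example": [("Domain Admin Control", "dnsadmin@avco.example"),
                         ("DNS", "pdns1.ultra.example"),
                         ("Registrar", "registerco.example")],
    "avco.example": [("DNS", "ns.akam.example")],
    "akam.example": [],
    "ultra.example": [("Registrar", "bigreg.example")],
    "bigreg.example": [("Mail", "mx.cloudmail.example")],
    "cloudmail.example": [],
    "registerco.example": [("DNS", "ns-1.awsdns.example")],
    "awsdns.example": [],
}

# Constructed hostname -> IP map behind the post's "Shares Host with" relation.
HOST_IPS = {
    "inbound.mxfilter.example": "203.0.113.2",
    "mx.cloudmail.example": "203.0.113.9",
    "www.someoneelse.example": "203.0.113.9",
    "shop.unrelated.example": "203.0.113.9",
}


def registrable_domain(name):
    """Reduce a hostname or mailbox to the domain whose owner controls it.
    Naive two-label rule; production code would consult the Public Suffix List."""
    host = name.split("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def cohosted(host):
    """Other hostnames on the same IP: a compromise of that box reaches all of them."""
    ip = HOST_IPS.get(host)
    return sorted(h for h, a in HOST_IPS.items() if ip and a == ip and h != host)


def supply_chain(target):
    """Breadth-first walk of everything target transitively relies on.
    Returns {domain: path}, path being the shortest list of (role, name) hops."""
    paths = {target: []}
    queue = deque([target])
    while queue:
        domain = queue.popleft()
        for role, name in RECORDS.get(domain, []):
            dep = registrable_domain(name)
            if dep not in paths:
                paths[dep] = paths[domain] + [(role, name)]
                queue.append(dep)
    return paths


def third_parties(target):
    """Every organisation other than the target whose compromise could lead to
    control of the target: the weakest-link set the post is worried about."""
    return sorted(d for d in supply_chain(target) if d != target)


def render_tree(domain, depth=0, seen=None):
    """Indented tree in the style of the post. Unlike the hand-built version it
    prunes domains already expanded, so cycles (registrar <-> DNS) terminate."""
    seen = {domain} if seen is None else seen
    lines = []
    for role, name in RECORDS.get(domain, []):
        lines.append("\t" * depth + f"Relies on {name} for {role}")
        for other in cohosted(name.split("@", 1)[-1]):
            lines.append("\t" * (depth + 1) + f"Shares Host with {other}")
        dep = registrable_domain(name)
        if dep not in seen:
            seen.add(dep)
            lines.extend(render_tree(dep, depth + 1, seen))
    return lines


if __name__ == "__main__":
    print("target.example")
    print("\n".join(render_tree("target.example")))
    print(len(third_parties("target.example")), "third parties could take over target.example")
```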

And now you’re probably asking yourself, “Why, oh why did I pick the red pill?”

#HackerKast 25: Email Tripwire – How to Tell if My Email Has Been Hacked Into

How can you tell if someone is reading your email? Recently there has been concern not just about hackers but also about employees of companies, administrators and so on who can access your account. Even in a non-nefarious situation it’s still important to know that someone has been looking through your inbox.

Jer took me on a trip down memory lane and asked me to look into an old blog post he had written a while back about how you can detect if your webmail account has been hacked into. The theory is simple: send yourself an HTML MIME email that references a remote image, and when the image is requested you know someone has read that email.

By looking through your logs and identifying if the image ever loads, you’ll be able to tell that someone has looked through your email. It’s not bullet-proof and doesn’t work on all types of mail clients, for a number of reasons, but it’s a solid idea.

So I went back and wrote a little Perl script called “emailtripwire” that sends just such an email. I tested it on Yahoo mail and it worked perfectly. Google had delivery issues that I never got around to diagnosing. Outlook works great if you allow the image to load once – Outlook remembers that and will continue to do so; however, that setting may depend on your local setup and may not carry over to other Outlook installs. But it does appear to work, and that’s the important part.

Using your own server to host the image is naturally the best solution if you already have a server, but a lot of people don’t have access to their own server. Instead, people interested in this technique can use an image-based tracking server like Fraudlog that can show you when someone has visited the image after reading the email.

So it is still possible to use this method to detect if your email has been compromised or detect when someone like an administrator has been in your account, even without the ability to host your own image. Sometimes it’s the simple tricks that work the best!
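The same idea in Python, as an added example that is not the emailtripwire Perl script from the post: the message carries a 1x1 image URL with a random token on a web host you control (BEACON_HOST is a placeholder), and a log scanner pulls every fetch of that token out of web-server access-log lines. The log lines in the block are constructed.

```python
"""Email tripwire in Python: a canary message whose remote image reveals when
the mailbox was opened with images enabled. Added example, not the blog's
emailtripwire script; BEACON_HOST, the paths and the log lines are constructed."""
import secrets
from email.message import EmailMessage

# Hypothetical web host you control and whose access log you can read
BEACON_HOST = "beacon.example.net"


def make_tripwire(sender, recipient, host=BEACON_HOST, token=None):
    """Return (message, token). The HTML part references a 1x1 image whose
    path carries a random token, so a fetch can be tied to this one message."""
    token = token or secrets.token_urlsafe(16)
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Backup codes (keep)"  # bait: something a snoop would open
    # Plain-text alternative: a text-only client fetches nothing, which is
    # one reason the technique does not work with every mail client
    msg.set_content("This message is only meaningful when viewed as HTML.")
    msg.add_alternative(
        "<html><body><p>Backup codes are attached below.</p>\n"
        f'<img src="https://{host}/t/{token}.gif" width="1" height="1" alt="">\n'
        "</body></html>",
        subtype="html",
    )
    return msg, token


def scan_access_log(lines, token):
    """Return [(timestamp, client_ip, user_agent)] for every fetch of the
    beacon image, parsed from Common Log Format lines."""
    needle = f"/t/{token}.gif"
    hits = []
    for line in lines:
        if needle not in line:
            continue
        # CLF: ip ident user [time] "request" status bytes "referer" "agent"
        ip = line.split(" ", 1)[0]
        ts = line[line.index("[") + 1:line.index("]")]
        agent = line.rsplit('"', 2)[1]
        hits.append((ts, ip, agent))
    return hits


# Constructed access-log lines: one unrelated request, one beacon fetch by
# a webmail image proxy, one by a desktop client
SAMPLE_TOKEN = "k3Jv9xQ2demo"
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Mar/2015:14:02:11 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    f'203.0.113.9 - - [10/Mar/2015:14:05:48 +0000] "GET /t/{SAMPLE_TOKEN}.gif HTTP/1.1" 200 43 "-" "ImageProxy/1.0 (constructed)"',
    f'192.0.2.55 - - [10/Mar/2015:16:20:03 +0000] "GET /t/{SAMPLE_TOKEN}.gif HTTP/1.1" 200 43 "-" "DesktopMail/2.0 (constructed)"',
]

if __name__ == "__main__":
    msg, tok = make_tripwire("me@example.com", "me@example.com", token=SAMPLE_TOKEN)
    print(msg.as_string())
    for ts, ip, agent in scan_access_log(SAMPLE_LOG, SAMPLE_TOKEN):
        print(f"tripwire fetched at {ts} from {ip} ({agent})")
```

A hit only proves the message was rendered with remote images enabled; webmail providers that proxy images will show the proxy’s address rather than the reader’s, and clients that block remote content never fetch at all, which is the “doesn’t work on all types of mail clients” caveat above. Use a fresh token per tripwire message so a single fetch can be matched to one message.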

Resources:
Facebook explains when employees can access your account without your password
How to check if your WebMail account has been hacked
emailtripwire
Fraudlog

#HackerKast 24: Uber driver data hacked, Hillary Clinton’s personal email, Relative Path Overwrite

Hey Everybody! Thanks for checking out this week’s HackerKast. Let’s get started!

Started off this week talking about Uber’s data breach that happened recently. For those who haven’t heard about it, it seems 50,000 of their drivers’ personal information was accessed illegally. Info such as their names, driver’s license info, plate numbers, etc. The culprit here was a familiar one to us: private database keys ending up on a public GitHub repository. GitHub and Amazon actively scan GitHub repos for private keys to notify their users they might want to take them down. That shows this is happening often enough to be a big enough problem for these guys to be monitoring for it.

Next, we did some shameless self promotion on a cool thing Robert whipped up. A huge problem lately has been registrars and DNS providers being hacked in order to redirect domains to malicious servers. In order to stay on top of this Robert wrote a tool to monitor your DNS so that if your record ever changes you’ll get an alert and can minimize the problem. Feel free to download the little script and mess around with it!

Hillary Clinton made security news this week due to some email issues that came to light after a few years. Turns out she was utilizing a personal email address instead of a state department email address during her time there. Tons of speculation on why she did this and if it was a good idea or not but it certainly seems out of the norm. The fact that this email server’s login page is public facing and being talked about is probably a bad thing since anybody can try to login.

In top level domain news, all sites on the .tp TLD are being phased out and switched over to the .tl space. Now that TLDs are open to registration, if somebody goes back and registers .tp domains they’ll start getting a lot of unintended inbound traffic. This is the first time any of us have heard of a TLD switching. Robert points out that if somebody registers google.tp the implications will be pretty nasty.

We gave a quick shout out to a bunch of our favorite conferences coming up that a few of us are getting involved in. Jer and I are both speaking at RSA and the AppSecUSA CFP is open. We always love AppSecUSA as one of our favorite conferences of the year.

Lastly, Robert covered some really cool new research called Relative Path Overwrite. This comes to us from Gareth Heyes, who is always coming out with great stuff, and this is no exception. The attack has to do with the way paths are coded into websites using some popular shorthand in relative paths. Simply leaving off a slash at the end of a path or using some ../../ notation will make you vulnerable to this attack in certain browsers. Be sure to check out this research for some juicy new web app fun.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources

Notable stories this week that didn’t make the cut:
Alleged Anonymous hacker, deported to U.S. after Canada refused to grant asylum
Apple Pay Scam
PayPal Drops Mega Due to End-To-End Encryption
D-LINK ROUTERS HAUNTED BY REMOTE COMMAND INJECTION BUG

CVE-2015-0204 Freak Attack

It has been discovered that OpenSSL before 0.9.8zd, 1.0.0 before 1.0.0p, and 1.0.1 before 1.0.1k are vulnerable to a downgrade attack. In short, an attacker who can man-in-the-middle a user and a web server can force both sides to downgrade to a set of export cipher suites that are weak and outdated. They could then brute force the key and thus decrypt the HTTPS traffic between the user and the web application. Once the key has been recovered, the attacker can use it against all HTTPS traffic from the server until a new key is produced.

The current solution is to disable support for any export suites. According to freakattack.com the best solution is to “disable support for any export suites. However, instead of simply excluding RSA export cipher suites, we encourage administrators to disable support for all known insecure ciphers (e.g., there are export cipher suites protocols beyond RSA) and enable forward secrecy. Mozilla has published a guide and SSL Configuration Generator, which will generate known good configurations for common servers. You can check whether your site is vulnerable using the SSL Labs’ SSL Server Test.”
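One way to verify that advice against a server’s own cipher list, as an added example that is not a tool from freakattack.com, Mozilla or WhiteHat: expand an OpenSSL cipher string exactly as a server would and flag every suite below 128 bits (export-grade and other low-strength ciphers) or without an ephemeral key exchange (no forward secrecy). The two cipher strings are illustrative: LEGACY_SPEC is the kind of permissive list that leaves RSA key exchange enabled (and, on OpenSSL builds old enough to still have them, export suites), and HARDENED_SPEC is in the spirit of the Mozilla generator’s output, not its exact text.

```python
"""Cipher-list audit for the FREAK mitigation advice (added example, not a
tool from freakattack.com, Mozilla or WhiteHat). The two cipher strings
below are illustrative, not any real server's configuration."""
import ssl

MIN_BITS = 128  # export-grade suites are 40/56-bit; 3DES is 112
# Key-exchange names that give forward secrecy ('kx-ecdh'/'kx-dh' are the
# spellings recovered from the Kx= field on builds without a 'kea' entry)
EPHEMERAL_KEX = {"kx-ecdhe", "kx-dhe", "kx-ecdh", "kx-dh"}

# Permissive list of the kind that keeps RSA key exchange enabled (and, on
# OpenSSL builds old enough to still have them, export suites)
LEGACY_SPEC = "ALL:!aNULL:!eNULL"
# In the spirit of the Mozilla generator output: ECDHE only, AEAD only
HARDENED_SPEC = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5"


def key_exchange(cipher):
    """Key-exchange label ('kx-ecdhe', 'kx-rsa', ...) from a get_ciphers()
    entry, falling back to the Kx= field of the description on builds
    whose entries carry no 'kea' key."""
    if "kea" in cipher:
        return cipher["kea"]
    for field in cipher.get("description", "").split():
        if field.startswith("Kx="):
            return "kx-" + field[3:].lower()
    return "kx-unknown"


def audit_cipher_spec(spec):
    """Expand an OpenSSL cipher string the way a server would and report
    suites below MIN_BITS ('weak') and suites without an ephemeral key
    exchange ('no_fs'). Raises ssl.SSLError if the spec selects nothing,
    which is what 'EXPORT' does on a library that no longer ships them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(spec)
    enabled = ctx.get_ciphers()
    weak, no_fs = [], []
    for c in enabled:
        if c["strength_bits"] < MIN_BITS:
            weak.append(c["name"])
        # TLS 1.3 suites always use ephemeral (EC)DHE, so only check older ones
        if c["protocol"] != "TLSv1.3" and key_exchange(c) not in EPHEMERAL_KEX:
            no_fs.append(c["name"])
    return {"enabled": len(enabled), "weak": weak, "no_fs": no_fs}


def is_hardened(spec):
    """True only when the spec selects something and nothing is flagged."""
    try:
        report = audit_cipher_spec(spec)
    except ssl.SSLError:
        return False
    return report["enabled"] > 0 and not report["weak"] and not report["no_fs"]


if __name__ == "__main__":
    for name, spec in (("legacy", LEGACY_SPEC), ("hardened", HARDENED_SPEC)):
        r = audit_cipher_spec(spec)
        print(f"{name}: {r['enabled']} suites, weak={r['weak']}, no_fs={r['no_fs']}")
```

Run it with the cipher string taken from the web server’s configuration; because the expansion is done by the same OpenSSL library the server links against, the result reflects what that host would actually offer. The audit is one half of the check: the SSL Labs test mentioned above exercises the live server, which also catches a configuration that was edited but never reloaded.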

WhiteHat Security already tests for weak cipher suites as part of our Premium Edition service. If you have any questions about this vulnerability please reach out to our Customer Support team at support@whitehatsec.com

dnstest – Monitor Your DNS for Hijacking

In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don’t know what to do about it. More importantly, many companies don’t even notice they’ve been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only accept comments through a website, they may never know unless they randomly check, or the attacker releases the site and the flood of complaints comes rolling in after the fact.

So I wrote a little tool called “dnstest.pl” (yes a Perl script) that can be run out of cron and can monitor one or more hostname-to-IP-address pairs of sites that are critical to you. If anything happens it’ll send you an alert via email. There are other tools that do this or similar things, but it’s another tool in your arsenal; and most importantly dnstest is meant to be very lightweight and simple to use. You can download dnstest here.

Of course this is only the first step. Reacting quickly to the alert simply reduces the outage and the chance of customer complaints or similar damage. If you like it but want it to do something else, go ahead and fork it. Enjoy!
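The check dnstest performs, as an added Python example rather than the dnstest.pl script itself: compare each critical hostname’s current A records against an expected set and build the alert text a cron job would mail out. The EXPECTED table holds constructed addresses; the live resolver is the system’s getaddrinfo, and the comparison is written so that a lookup failure is reported rather than silently skipped.

```python
"""DNS change monitor in the spirit of dnstest.pl (added example, not the
blog's script). EXPECTED holds constructed addresses; a real deployment
lists every legitimate A record of each critical host."""
import socket

EXPECTED = {
    "www.example.com": {"192.0.2.10", "192.0.2.11"},  # constructed
    "mail.example.com": {"192.0.2.25"},               # constructed
}


def resolve_a(host):
    """Live lookup through the system resolver: the set of IPv4 answers."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)}


def check_records(expected, resolver=resolve_a):
    """Compare current answers with the expected set for every host.
    Returns {host: {'status': 'ok' | 'changed' | 'error', ...}}. A lookup
    failure is reported rather than ignored: a hijacked or deleted zone
    often shows up first as NXDOMAIN or SERVFAIL."""
    report = {}
    for host, want in expected.items():
        try:
            got = resolver(host)
        except OSError as exc:  # socket.gaierror is a subclass
            report[host] = {"status": "error", "detail": str(exc)}
            continue
        if got == want:
            report[host] = {"status": "ok"}
        else:
            report[host] = {
                "status": "changed",
                "unexpected": sorted(got - want),
                "missing": sorted(want - got),
            }
    return report


def alert_text(report):
    """Body of the alert mail; empty when every host still matches."""
    lines = []
    for host, r in sorted(report.items()):
        if r["status"] == "changed":
            lines.append(
                f"{host}: unexpected answers {r['unexpected']}, "
                f"missing {r['missing']}"
            )
        elif r["status"] == "error":
            lines.append(f"{host}: lookup failed ({r['detail']})")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run from cron; pipe any non-empty output to your mail command
    text = alert_text(check_records(EXPECTED))
    if text:
        print(text)
```

Hosts behind a CDN or a rotating load balancer answer with changing addresses, so either list every legitimate address for them or monitor the CNAME they point at instead; otherwise the monitor alerts on every rotation. The monitor is only as trustworthy as the resolver it asks, so running it from a machine outside the network being watched, through a resolver you control, keeps a poisoned local cache from hiding a change.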

#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week where they are announcing that no form of SSL is good enough anymore. TLS or bust apparently to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.


Next, we always like talking about interesting bug bounty disclosures & payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug whereby he proved he could delete any photo album on Facebook he had access to. By access I mean any public photo album, or one belonging to a friend that he had permission to see. It was a pretty simple DELETE request, sent without any authorization checks at all, that would just process the deletion of the entire photo directory.


Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site wide. This seems to be in a war against spam and scams on its site but has some real user repercussions that they will most likely get pushback from. We always love the moves by big websites to make decisions that will hurt users in the short term but make them more secure in the long term.


We couldn’t get away with not laughing about the facepalm of the week brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s, early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him. Addresses, telephone numbers, etc. of people writing to their Governor but Robert also found tons of politically sensitive stuff that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic among a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation which didn’t lead people to put any sort of access control or encrypted communications in place. Robert’s lesson of the day here is to use at least *some* security when installing things.

Lastly we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor country wide. This would be an interesting move for an entire country to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable but it would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Some guy figured out how to delete “every” photo on Facebook
Pinterest Bans Affiliate Links, Redirects and Trackers Across Entire Site
40,000 MongoDB Instances Found Open and Vulnerable
Ten Million Passwords
Jeb Bush Email Dump
PCI considers SSL Dead
Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:
Lawmakers Call for Investigation on Verizon SuperCookies
NSA may be Trolling You

#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story about GCHQ, which is a British version of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape the Twitter feeds of hacker types in order to get some information about who was breached and other valuable tidbits. Jer and Robert were a bit sad they were left off the list and aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and the user information they were storing was stolen. We don’t know much about this breach, but of course the attribution game is being played and China is being blamed. We really just don’t know much, but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime related hack.

Next, in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new but the size here seems to be staggering. Robert is talking about $4 billion annually in fraudulently filed taxes on behalf of people to collect their refund. We are talking $3k on average per refund, just multiplied by tons of people. The motivation to fix this is a bit weird for TurboTax because they actually get paid to process the refund, fraudulent or not. Since this is making so much news they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money it has been causing them to lose. Since Sony is public they need to file their earnings for the quarter, which is now bringing some of the costs of the breach to light. It looks like $15 million is the magic number it cost them for just investigation and response. Before I read the specifics of what this covered I thought the number was WAY low, but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for GNU Privacy Guard, a tool that the Internet relies upon heavily for secure communications. Koch was one of the early proponents of free software but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause, including Facebook and Stripe pledging $50,000/year each. Score one for the good guys!

Lastly we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps waiting to get prompted for a rating and then giving them a high rating. This helps get the app to the top rated list which will in turn get more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around this will keep happening. Jeremiah made the comparison of CAPTCHA cracking farms but for App ratings which I thought was a good one.

Ended with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year, as this is a completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds
Anthem and Turbotax Hack
Sony Hack Has Cost Its Business $15M So Far
Data Breach at Health Insurer Anthem Could Impact Millions
Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash
iPhone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:
NSA Using Disclosed Hacker Data
Uber Lost and Found DB left open
Fancybox WordPress Vuln
Meanwhile TrueCrypt is Replaced by VeraCrypt