Category Archives: Web Application Security

#HackerKast 23: Lenovo, Venmo Sex, Drugs, and Guns, Casino Hacked, WordPress, Remotely Hacking Cars

Hey everybody! Welcome to this week’s HackerKast. We’ve got Jer back! We put this one out late this week just to get him back in the mix.

First, we absolutely HAD to talk about Lenovo and Superfish. For those living under a rock, Superfish came pre-installed on Lenovo consumer laptops and did all sorts of nasty MiTM things: it installed its own root certificate and broke SSL locally so it could inspect traffic. They did this under the guise of advertising (of course), and it was awful once we all found out, because the same root certificate and private key shipped on every affected machine, so anyone who extracted that key could intercept those users' TLS connections. Robert Graham over at Errata Security did a great writeup of the technical deep dive he did into what was going on with these certificates, including pulling the private key out.

Tied to that same story, Lizard Squad reared their head again with their specialty, a DNS hijack. Their target this time was Lenovo, thanks to recent events, and they took control of Lenovo's domain by compromising its domain registrar through command injection. Brian Krebs did some digging and found that it all came down to the registrar, Webnic, being vulnerable to the attack.

Moving along to a fun clickbait story with an actual privacy twist, Venmo made the news this week in a bad way. The headline we couldn’t ignore was “New Site Tells You Who’s Paying For Sex, Drugs, and Alcohol Using Venmo.” Sounds interesting, right? Well, it turns out Venmo has turned itself into a bit of a social network showing who is giving money to whom and for what. The kicker here is that all of that information goes to a public timeline unless you specifically turn it private. Few people bother to change anything to private, so a site called Vicemo popped up to gather all the illicit payments and put them in its own feed. Check out all the amusing things people are sharing money for.

Next, Jer talked about a few more details of a story we covered back in 2014: a Las Vegas casino getting hacked via a public-facing development site. The attack is being attributed to Iranians who ran amok once they got into the casino’s network. They only got in that way after spending a lot of time brute-forcing the VPN to no avail. Just goes to show how important it is to know which of your websites are public facing!

We had to talk about this next one even though it’s a bit embarrassing. We’ve all got vulns! Even WhiteHat! We eat our own dog food and run our scanner on our website constantly, and we found a bug on our blog caused by the WordPress plugin we use to publish our podcast on iTunes. Imagine that… A WordPress plugin causing a vulnerability… Who woulda thunk? Anyway, we emailed the developer and, after immediately removing the plugin from production, coded up a hotfix in the meantime. Before we even got a chance to hot patch with our own code, though, the plugin’s developer in South Africa woke up and rolled out his own fix in less than a day. Good news all around!

Lastly we talked about a fun and scary news story about remotely bricking cars. Some car dealerships install little black boxes in the cars they sell. These boxes let the dealer remotely disable the car if the buyer gets behind on payments, which makes the cars easier to repossess. What were all of these black boxes controlled by? A web app! An IT guy who had left the company “hacked” back in (my guess: he used access that was never turned off) and started remotely shutting down cars in Texas left and right. This brings up a bit of a conversation about the Internet of Things, where Robert does what he does best and scares everybody off the Internet.

Sorry for the late one this week, hope you all enjoyed!

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

Lenovo shipping with pre-installed Adware and SSL certificate “Komodia”
Extracting the Superfish Certificate
Lenovo’s DNS Gets Hijacked by Lizard Squad using Command Injection in Registrar
Webnic Registrar Blamed for Hijack of Lenovo, Google Domains
Site Discloses Who is Paying for Sex, Drugs and Guns
Las Vegas Casino Hacked by Iranians in 2014
The time a hacker remotely bricked cars in Texas

Notable stories this week that didn’t make the cut:
AT&T Extorts Users For Privacy
Cybersecurity Czar Claims Selfies Are Good Biometrics
HTTP/2.0 “Finalized”
Google’s new Hacker Classifier Misclassifies Websites As Hacked
GCHQ & NSA’s Great SIM Heist
Turbotax’s Anti-Fraud Efforts Under Scrutiny
Origins of Russian Astroturfing
Google Making Adult Blogs Private – Effectively Shutting Them Down
Infinity Million Bug Bounty for Pwnium
Net Neutrality Passed!

dnstest – Monitor Your DNS for Hijacking

In light of the latest round of attacks against and/or hijacking of DNS, it occurred to me that most people really don’t know what to do about it. More importantly, many companies don’t even notice they’ve been attacked until a customer complains. Especially for smaller companies who may not have as many customers, or only accept comments through a website, they may never know unless they randomly check, or the attacker releases the site and the flood of complaints comes rolling in after the fact.

So I wrote a little tool called “dnstest.pl” (yes a Perl script) that can be run out of cron and can monitor one or more hostname-to-IP-address pairs of sites that are critical to you. If anything happens it’ll send you an alert via email. There are other tools that do this or similar things, but it’s another tool in your arsenal; and most importantly dnstest is meant to be very lightweight and simple to use. You can download dnstest here.

Of course this is only the first step. Reacting quickly to the alert simply shortens the outage and reduces the chance of customer complaints or similar damage; it does not stop the hijack from happening. If you like it but want it to do something else, go ahead and fork it. Enjoy!
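The same idea in Python, as an added example that is not dnstest.pl itself: resolve each critical hostname, compare the answers against the addresses you expect, and mail an alert when anything differs. The watch list, mail addresses and SMTP host are placeholder assumptions, and the resolver is passed in as a function so the comparison logic can be exercised offline with a fake resolver.

```python
"""dns_watch: a minimal DNS-hijack monitor in the spirit of dnstest.pl.

Run it from cron. Resolution is injected (the `resolve` argument) so the
comparison logic can be tested without network access.
"""
import smtplib
import socket
from email.message import EmailMessage
from typing import Callable, Dict, FrozenSet, List

# Hypothetical watch list: hostnames you care about and the addresses they are
# supposed to resolve to. These are documentation addresses, not real hosts.
WATCHLIST: Dict[str, FrozenSet[str]] = {
    "www.example.com": frozenset({"203.0.113.10", "203.0.113.11"}),
    "mail.example.com": frozenset({"203.0.113.25"}),
}

Resolver = Callable[[str], FrozenSet[str]]


def system_resolve(hostname: str) -> FrozenSet[str]:
    """Resolve a hostname to its IPv4 addresses with the host's own resolver."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return frozenset()  # NXDOMAIN / SERVFAIL is reported as a change too
    return frozenset(info[4][0] for info in infos)


def check_host(hostname: str, expected: FrozenSet[str],
               resolve: Resolver = system_resolve) -> List[str]:
    """Return human-readable problems for one host; an empty list means OK."""
    observed = resolve(hostname)
    problems: List[str] = []
    if not observed:
        problems.append(f"{hostname}: no answer (NXDOMAIN/SERVFAIL?), expected {sorted(expected)}")
        return problems
    unexpected = observed - expected
    missing = expected - observed
    if unexpected:
        problems.append(f"{hostname}: UNEXPECTED addresses {sorted(unexpected)} (possible hijack)")
    if missing:
        problems.append(f"{hostname}: expected addresses not returned {sorted(missing)}")
    return problems


def check_all(watchlist: Dict[str, FrozenSet[str]],
              resolve: Resolver = system_resolve) -> List[str]:
    problems: List[str] = []
    for hostname, expected in watchlist.items():
        problems.extend(check_host(hostname, expected, resolve))
    return problems


def build_alert(problems: List[str], sender: str = "dnswatch@example.com",
                recipient: str = "oncall@example.com") -> EmailMessage:
    """Assemble the alert mail (placeholder addresses)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"[dnswatch] {len(problems)} DNS change(s) detected"
    msg.set_content("\n".join(problems) + "\n")
    return msg


def send_alert(msg: EmailMessage, smtp_host: str = "localhost") -> None:
    """Hand the alert to a local MTA (assumed to be listening on smtp_host)."""
    with smtplib.SMTP(smtp_host) as smtp:
        smtp.send_message(msg)


if __name__ == "__main__":
    found = check_all(WATCHLIST)
    if found:
        send_alert(build_alert(found))
```

Two caveats for anyone deploying this: a registrar-level hijack changes the NS delegation, so run the check from outside your own network (or point it at a public resolver) and consider watching NS records as well, and remember that a cached answer will hide the change until its TTL expires.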

Web Security for the Tech-Impaired: Passwords that Pass the Test

In my last post, “The Dangers of Email”, I explored ways that folks who are less than technically savvy can practice good email security hygiene. Today we’ll get into a somewhat controversial subject: passwords. You use them everyday to log in to your bank account, credit card, Amazon — the list goes on and on. You probably log in to a few websites everyday, but how often do you think about that password you’ve chosen? Password security is a hot button topic and everyone has their own suggestion about what constitutes a good strong password. This post will help guide you to a relatively secure password.

Your password is your key to your online accounts. It’s the ID you create to prove that you are who you say you are in a digital world. As humans we tend to make passwords that are easy to remember. If you forget your password you often are prompted with a difficult series of steps to recover it, from answering security questions to calling a support line. To skip all that headache we often create passwords that are pretty easy to guess, and we use those passwords for all our accounts. This makes it very easy for an attacker to gain access to all your accounts. If one site where I use that password is compromised and my password is leaked, the attackers now know my password for every single account I’ve created. No matter how quickly I change those passwords I will most likely miss or forget one. This is why it’s a good idea to use a variety of passwords. Very secure folks will create a different password for every account they create. I would recommend that at the very least you create separate passwords for your sensitive accounts (your bank account, credit card, 401k, and so on).

Now the question is, what is considered a good password? It might surprise you to know that modern computers can ‘guess’ passwords very quickly: a single machine with a good graphics card can try billions of guesses per second against the kinds of password hashes many websites use. Passwords that are just words are incredibly weak and get guessed almost instantly. Short passwords are out too. Most experts agree that passwords should be at least 12 characters long. To make it harder to break, your password should contain a mixture of upper case and lower case characters, numbers, and special characters (such as !, @, #, $, ?). It’s also a good idea to vary where those characters are placed. A friend of mine recently played ‘mind reader’ with some colleagues of mine. He had them think of one of their passwords. He then guessed that the first part of the password was a word of about 8 characters, that it was followed by two numbers, and that the last character was a special character. They were dumbfounded. Yes, the human brain works the same for all of us: as we’re asked to do more and more to our passwords we simply tack the extra bits on at the end. This is a pattern that hackers know about and exploit.

So to sum up, here are some tips to help you practice good password habits:
1) Use a different password for all your important accounts. To win a gold star, use a different password on all accounts.
2) Your password should be no less than 12 characters.
3) Use a mix of lower case, upper case, numbers and special characters.
4) Don’t use the very common word-number-special character sequence. Mix up where these are placed in your password.

Again, I urge our readers to feel free to forward this post on to friends or family that may benefit from these tips. Many in the security industry often forget that most consumers are less technically savvy, and therefore less security aware, than we are. This series is designed to help you, help them.

#HackerKast 20: Internet Explorer Universal XSS and Same Origin Policy Bypass, Browser DDoS via DNS Spoofing, HackerOne Bug Bounty Vulnerability

Hey everybody! Slow news week this week so we sent Jeremiah to Germany…. in the winter. Poor Hawaiian!

Anyway, we started this week off talking about a really cool bug in Internet Explorer. This vuln is a Universal Cross Site Scripting (XSS) bug that also bypasses Same Origin Policy and works in even the latest IE version 11. That is a mouthful and it’s all bad. What this means is that by abusing iframes, an attacker’s page that frames a target site can run script in that site’s origin, in your browser. Websites could be doing everything completely right, but if they aren’t using the X-Frame-Options header properly to stop other sites from framing them, then an attacker can effectively do anything they want on those sites. Bad day to be an IE user or an IE developer for sure.
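Since the only defence a site owner controls here is refusing to be framed, here is an added example (not from the podcast or the IE research) of a check for whether a response's headers actually do that. It evaluates both X-Frame-Options and the CSP frame-ancestors directive, which newer browsers prefer over X-Frame-Options when both are present; the header dictionaries in the test are constructed samples.

```python
"""Decide whether a response's headers stop other origins from framing it."""
from typing import Dict, Tuple


def framing_protection(headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (protected, reason). Header names are matched case-insensitively.

    Browsers that understand CSP frame-ancestors use it and ignore
    X-Frame-Options; older IE only knows X-Frame-Options.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            if sources == ["'none'"]:
                return True, "CSP frame-ancestors 'none'"
            if not sources or "*" in sources:
                return False, "CSP frame-ancestors allows any origin (and overrides X-Frame-Options)"
            return True, "CSP frame-ancestors restricts framing to: " + " ".join(sources)

    xfo = lower.get("x-frame-options", "").strip().upper()
    if "," in xfo:
        # Two values in one header; browsers do not agree on how to treat this,
        # so do not count on it and send exactly one value instead.
        return False, "multiple X-Frame-Options values; send exactly one"
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options: " + xfo
    if xfo.startswith("ALLOW-FROM"):
        # Chrome and Safari never implemented ALLOW-FROM and ignore the header.
        return False, "X-Frame-Options ALLOW-FROM is not honoured by every browser"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r}; browsers ignore it"
    return False, "no X-Frame-Options or CSP frame-ancestors header"
```

Run it over the headers of every page that carries a session (not just the login page): one unprotected endpoint is enough for the framing trick.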

Next I passed it over to Robert to talk about a few of his favorite things, Denial of Service, browser security, DNS, and even China! If Robert was playing a game of Bingo of the things he likes to talk about, this next story would definitely be on the game board. This week a company noticed a massive spike in traffic coming from China and all going to weird URLs. With the information we have, it looks like somebody was poisoning DNS and making requests originally destined for other websites all pointing at a single website. Interesting DDoS vector! The solution applied was to block the IP addresses which, as Robert shares, is a really bad idea. He also discusses the fact that we probably have a bunch of research to do around browser-based DoS in the future.

The last story we ended up talking about was a fun bug disclosure from HackerOne today, which also has a really cool PoC as the cherry on the cake. For those unfamiliar, HackerOne runs bug bounty programs for lots of different websites, including its own. This particular bug has to do with an ineffective escaping method for the “\” character. The timeline is over on the HackerOne website and you can see how the researcher made this bug progressively more severe. He started with just editing some HTML, including spoofing a profile picture or style sheet, but ended up figuring out he could use a tag to immediately redirect a user to a potentially evil site. At that point he could use phishing, drive-by malware downloads, all sorts of JavaScript attacks, etc., or even take advantage of the Universal XSS SOP bypass in IE 11 to bring it full circle. Kudos to HackerOne for fixing this in about a day, publicly disclosing the details, and paying out $5,000 for the bug.
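The report does not publish HackerOne's code, so the following is an added illustration of the general bug class rather than their bug: an escaper that handles the quote but forgets the backslash. A value ending in a backslash turns the escaped quote back into a real one, and the attacker is out of the string literal. The inline-script template and the profile-name payload are constructed for the example.

```python
"""Escaping that forgets the backslash: the vulnerable pattern and the fix."""
import json


def escape_for_js_string_vulnerable(value: str) -> str:
    """Escape only the double quote, as a naive implementation does.

    The input  \\"  becomes  \\\\"  : an escaped backslash followed by a bare
    quote, so the surrounding string literal ends early.
    """
    return value.replace('"', '\\"')


def escape_for_js_string_fixed(value: str) -> str:
    """JSON-encode the value: backslash is escaped first, then quotes and
    control characters; '</' is broken up so a value containing '</script>'
    cannot close the surrounding tag either."""
    return json.dumps(value)[1:-1].replace("</", "<\\/")


def render_profile_script(display_name: str, escaper) -> str:
    """Hypothetical template that embeds a user-controlled value in inline JS."""
    return f'<script>var profileName = "{escaper(display_name)}";</script>'


def js_string_literal_is_intact(markup: str) -> bool:
    """Walk the literal the way a JS tokenizer does: a backslash consumes the
    next character, an unescaped quote terminates. Intact means the first
    unescaped quote is the one our template wrote before ';</script>'."""
    i = markup.index('"') + 1
    while i < len(markup):
        c = markup[i]
        if c == "\\":
            i += 2
            continue
        if c == '"':
            return markup[i:] == '";</script>'
        i += 1
    return False
```

The same mistake shows up in any context with its own escape character: shell, SQL LIKE patterns, LDAP filters and Markdown all have one, and the fix is always to use the context's own encoder rather than a hand-rolled replace.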

Ended today’s session with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
IE UXSS Bypass 1
IE UXSS Bypass 2
IE UXSS Bypass 3
Browser DDoS via DNS Spoofing Coming from China
Fun bug disclosure from HackerOne today

Notable stories this week that didn’t make the cut:
Possible New Origins of the Word “Hack”
Web-RTC leaks VPN origin IPs
UK National Health Service – Tons of Vulns
Really cool PoC

#HackerKast 19: Pressable Slowloris Attack, GoDaddy CSRF, Decloak Tor Hidden Services via SSH, LizardSquad Hacks Malaysian Airlines, GHOST Vulnerability

Welcome to this week’s HackerKast everybody! This week Jeremiah and I were lucky enough to be shooting this episode beachside while at AppSecCali down in Santa Monica. Poor Robert was stuck at home but I was happy to pull a Jeremiah and have palm trees behind me just like he does while he is in Hawaii.

This week we started with a story near and dear to Robert’s heart about a Slowloris Denial of Service attack on Pressable. Near and dear since Robert is the father of this type of DoS attack. Pressable is a big WordPress provider – I know, I know, we just can’t leave WordPress alone, can we, Internet? Slowloris is pretty easy to defend against if you try, but a lot of default web server configurations, Apache in particular, don’t turn such protections on (on Apache the usual fix is mod_reqtimeout, which drops clients that don’t deliver their request headers and body at a minimum rate). This DoS attack lasted 4 or 5 days and caused Pressable to lose tons of customers. Robert talked about popular defenses in the video if you are interested in that. We also briefly mentioned a new tool called CapTipper, a malicious HTTP traffic explorer, which could help you dig into what is going on if you are undergoing one of these attacks.

Next, I talked about a GoDaddy CSRF vulnerability that was disclosed which was pretty nasty, not to mention scary to think about how long it might have been around. For those unfamiliar, CSRF is when an attacker can force a user’s browser to make requests on the attacker’s behalf. This is particularly bad news for GoDaddy since an attacker would have been able to force an authenticated user to change their nameservers, change auto-renew settings, and edit the DNS zone file. This combination would be deadly for pointing a website at malicious servers, or even for turning off auto-renew to snipe domain names away from GoDaddy users. This was disclosed and fixed in 3 days, which is VERY impressive considering the average time to fix for most companies is much longer than that.

We seem to be talking about Lizard Squad (Mafia? Crew?) lately and this time they went after Malaysian Airlines. They attacked the airline’s DNS servers and forced the page to redirect to a page that said “404 Plane Not Found.” We see these DNS server attacks more and more lately as it is seeming to be a bit of an easy target instead of going after the websites themselves.

Another topic this week near to Robert’s heart was a new way to identify Tor hidden services via SSH fingerprints. What some researchers have done is scan the Internet for open SSH services, grab the host key fingerprint from each one, and then compare those fingerprints to the one presented by a hidden service that also exposes SSH; a match decloaks the real IP address of the site. This technique could be used for other purposes too, such as finding the real address of websites behind Akamai or CloudFlare that don’t want their origin IP public.
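An added example of that comparison (not the researchers' tooling): compute the fingerprint the way ssh-keygen prints it, SHA-256 over the decoded key blob, and look it up in the scan results. The "scan" here is a constructed dictionary of IP to host-key line with fabricated key blobs; real data would come from a tool such as masscan/zgrab or a Shodan export.

```python
"""Match a hidden service's SSH host key against a clearnet scan."""
import base64
import hashlib
from typing import Dict, List


def fingerprint_sha256(pubkey_line: str) -> str:
    """OpenSSH fingerprint of a 'keytype base64blob [comment]' line:
    'SHA256:' plus unpadded base64 of SHA-256 over the decoded blob."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(pubkey_line: str) -> str:
    """Legacy 'MD5:aa:bb:...' form that older ssh-keygen versions print."""
    blob = base64.b64decode(pubkey_line.split()[1])
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def find_clearnet_hosts(scan: Dict[str, str], onion_key_line: str) -> List[str]:
    """Return every scanned IP whose host key matches the onion service's key."""
    want = fingerprint_sha256(onion_key_line)
    return sorted(ip for ip, line in scan.items() if fingerprint_sha256(line) == want)


def key_line(blob: bytes, key_type: str = "ssh-ed25519") -> str:
    """Build a host-key line from a raw blob (used only to construct samples)."""
    return f"{key_type} {base64.b64encode(blob).decode()} host"


# Constructed sample data: the blobs are not real keys, just bytes to hash.
_KEY_A = key_line(b"constructed host key blob A")
_KEY_B = key_line(b"constructed host key blob B")
SCAN: Dict[str, str] = {
    "203.0.113.5": _KEY_A,
    "198.51.100.9": _KEY_B,
    "192.0.2.77": _KEY_A,   # same key on a second IP: a cloned image, not necessarily the same box
}
ONION_KEY = _KEY_A         # what `ssh-keyscan` through Tor returned for the .onion


if __name__ == "__main__":
    print(fingerprint_sha256(ONION_KEY))
    print(find_clearnet_hosts(SCAN, ONION_KEY))
```

Two things to keep in mind: hosts built from the same VM image often share a host key, so a match is a lead rather than proof, and the defence is simply not to expose the same SSH daemon (or any service with a reusable identifier) on both the onion and the public address.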

The last story we covered this week is a new vulnerability called GHOST that seems like it could be serious; we haven’t had a lot of time to research it but had to mention it. It has a name and is branded, so it must be super serious, right? We’ll most likely do a follow-up post about this, but if you are interested, it is a heap-based buffer overflow in glibc’s gethostbyname() family of functions (CVE-2015-0235), reachable through anything that resolves hostnames with those calls. More soon!

References:
Pressable Slowloris DoS Outage
Taking over Godaddy Account using CSRF
Malaysian Airlines DNS Redirected (404 Plane Not Found)
Using SSH fingerprints to identify Tor hidden Services
GHOST Vulnerability – glibc buffer overflow in DNS resolver

Notable stories this week that didn’t make the cut:
Flash 0day in the wild
CapTipper – Malicious HTTP traffic explorer tool
Nearly every US Arms Program Found Vulnerable to Cyber Attacks
China Cracks Down on VPN Services After Censorship System ‘Upgrade’
FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN
Oracle/Java vulnerabilities
Referrer Changes in W3C
Healthcare.gov or 3rd Party Vendors may run afoul of new CFAA rules

#HackerKast 18 Bonus Round: Password Cracking

Hey Everybody! Thanks for checking out this week’s bonus footage. We like to do these to not just focus on current events but to also get our hands dirty with some technical demos. This week, we decided to talk about password cracking.

You hear news stories all the time about passwords being stolen and you may have heard of password hashes being cracked. What this means is that somebody got a hashed copy of a lot of passwords out of a database and are running programs against it to get the plain text password out.

For those of you familiar with password cracking this will be super boring but we decided to actually show what this looks like for those who haven’t seen it. I decided to use John the Ripper for this demo but could have used a ton of others like OCL Hashcat. Kali Linux has a few of these installed by default for those who want to play.

Since we are web app guys here at WhiteHat I decided to pick on some password hashes that make sense in our world: WordPress. Most password cracking demos you’ll see are run against local machine password files, so instead of that I made a few of my own WordPress password hashes. The giveaway that these are WordPress hashes is that WordPress uses the PHPass “portable” algorithm, which produces a hash that always starts with $P$B (the B encodes the number of MD5 rounds, 2^13 = 8192, and is followed by an 8-character salt).

The passwords I chose were pretty easy ones, just to prove to you guys how easy cracking easy passwords is. Anything in the top few thousand most-used passwords will be cracked in seconds with the help of a word list, as you’ll see in the video.

The other major point I wanted to make is that seemingly “good” passwords that follow all the rules of a website’s password strength requirements can actually be pretty weak. The example I used was “Jeremiah29:11”, a password that passes most requirements. It’s over 8-10 characters, it has upper and lower case letters, numbers, and special characters. Seems great, right? Well, since it is a popular Bible verse reference, this took less than 30 minutes to crack on my laptop and would take seconds on a computer built for password cracking.

Check out the end of the video for some of our tips on secure password selection. Let us know what you think!
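To show what John the Ripper is doing under the hood, here is an added example (not the demo from the video, and not WordPress's own PHP) that implements the PHPass portable hash in Python, generates a few WordPress-style hashes, and runs a tiny wordlist with mangling rules against them. The mangling rule is exactly the “word, then digits, then a special character” habit from the Passwords that Pass the Test post above, so policy-compliant passwords such as “Letmein123?” fall as fast as “password”. The wordlist and suffix lists are constructed for the example and deliberately short.

```python
"""PHPass portable hashes ($P$B...) as WordPress creates them, plus a toy cracker."""
import hashlib
import hmac
import os
from typing import Iterable, Iterator, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(raw: bytes, count: int) -> str:
    """PHPass's own base64 variant: 3 bytes -> 4 chars, little-endian, no padding."""
    out = bytearray()
    i = 0
    while True:
        value = raw[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= raw[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= raw[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
        if i >= count:
            break
    return out.decode("ascii")


def phpass_crypt(password: bytes, setting: str) -> str:
    """Recompute a portable hash for a known setting: '$P$' + cost char + 8-char salt."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a PHPass portable hash")
    count_log2 = ITOA64.index(ord(setting[3]))
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12].encode("ascii")
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    digest = hashlib.md5(salt + password).digest()
    for _ in range(1 << count_log2):            # 8192 rounds for WordPress's 'B'
        digest = hashlib.md5(digest + password).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_hash(password: bytes, salt: Optional[bytes] = None, count_log2: int = 13) -> str:
    """Create a fresh hash the way WordPress does ($P$B + random 8-char salt)."""
    if salt is None:
        salt = bytes(ITOA64[b & 0x3F] for b in os.urandom(8))
    setting = "$P$" + chr(ITOA64[count_log2]) + salt.decode("ascii")
    return phpass_crypt(password, setting)


def phpass_verify(password: bytes, stored: str) -> bool:
    return hmac.compare_digest(phpass_crypt(password, stored[:12]), stored)


# Constructed wordlist: a few top-N passwords plus one popular Bible verse reference.
WORDLIST = ["123456", "password", "qwerty", "letmein", "welcome", "Jeremiah29:11"]
DIGIT_SUFFIXES = ["1", "12", "123", "2015"]
SPECIAL_SUFFIXES = ["!", "?", "#"]


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Tiny rule engine: the word, Capitalised, and word + digits + special."""
    for w in words:
        yield w
        yield w.capitalize()
        for base in (w, w.capitalize()):
            for d in DIGIT_SUFFIXES:
                for s in SPECIAL_SUFFIXES:
                    yield base + d + s


def crack(stored: str, words: Iterable[str] = WORDLIST) -> Optional[str]:
    """Return the first candidate whose hash matches, or None. Every candidate
    costs the full 2**cost MD5 rounds, which is the whole point of the cost."""
    setting = stored[:12]
    for cand in candidates(words):
        if hmac.compare_digest(phpass_crypt(cand.encode(), setting), stored):
            return cand
    return None


if __name__ == "__main__":
    target = phpass_hash(b"Jeremiah29:11")
    print(target, "->", crack(target))
```

Note that the cost only multiplies the attacker's work per guess; it does nothing for a password that is on the list in the first place, which is why the advice stays “long and not a phrase anyone else uses” rather than “add a digit and a symbol”.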

#HackerKast #18: Verizon Tracking Cookie, NSA tracking via mobile ads, hackers for hire, AppSec Program Quick Start Guide

Hey Everybody! Can’t believe we’ve done 18 of these. Lets get right into it.

We started off this week by chatting a bit about Verizon. The headline kind of speaks for itself: “Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused? Yeah, Well, Funny Story…” It isn’t really a browser cookie at all: Verizon injects a unique identifier header (X-UIDH) into its customers’ unencrypted mobile web traffic, so any site or advertiser can track you across IP addresses, whether or not you clear your cookies, plus all sorts of other nastiness. Robert has some recommendations on how to work around this if you are worried about it. News flash, advertisers aren’t working in the user’s best interest.

Another news flash, NSA is tracking people. The newest revelation is that the NSA is using ads in mobile platforms to track users. This avenue is useful for them because the geo location is sent through a lot of these mobile apps ads so not only can they track users’ usage preferences but also physical location! Repeat after me, ads are bad.

A funny little website popped up recently called Hacker’s List. For those familiar with oDesk, this is the same thing but for hacking. The website acts as a medium for people to post requests and a dollar amount for hacking services. Some of my favorite entries include “Change my grades – $300” and “Hack Facebook account ASAP – $200”, among others. We got into a bit of a discussion about the legality of all of this and some possible loopholes they are using to keep the website up and kicking. Consensus is that it will most likely be taken down, fast.

Finally, with some shameless self promotion, we chatted about a new OWASP project started by a few of us WhiteHat folk called the Application Security Program Quick Start Guide. Our goal here was some quick rule of thumb points on starting an AppSec program from scratch. Nothing like this existed to our knowledge so we tried to fill what we saw as a void. It is completely open license and free to download so feel free to use and abuse! Check out our blog outlining it and let us know what you think!

Notable stories this week that didn’t make the cut:
How to protect yourself against Verizon’s Mobile Tracking
New York Post Twitter Feed Hacked – declares we are at war
Obama sides with Cameron in Encryption Fight
Against DNSSEC
Why Not DANE in Browsers
Someone in China MitM’d Outlook.com Traffic With Fake SSL Certificate
Reflected XSS in PayPal

References:
Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused?
New Snowden documents show that the NSA and its allies are laughing at the rest of the world
Hacker’s List allows you to hire a hacker anonymously and quickly
OWASP Application Security Program Quick Start Guide Project
5 Days to Setting Up an Application Security Program

Web Security For the Tech-Impaired: The Dangers of Email

Editor’s Note: The following post is the first in a series of blasts that we will be sharing for readers who are – or who know people that are – not technically savvy. We will touch on topics that we in the security community are very aware of and attempt to break them down into language that those who are not as internet skilled may understand. If you have suggestions for topics you wish for us to cover in this series, please share in the comments.

You’ve all been there. You open your email and your mom has sent you something. You see the two letters you dread: FW. Oh look, it’s an email with a link to a YouTube video about a cat who just can’t seem to figure out that the sliding glass door is a solid object. You contemplate sending back an email saying ‘Come on Mom, you should know to never ever click on links in emails,’ but you don’t want to ruin her fun — and more than likely she won’t understand WHY clicking on links in emails is a bad thing. You could try to explain it to her, but you’re afraid her brain will explode if you start talking about things like “Cross Site Scripting”. Well folks, I’m going to try and help you out. In this new blog series, I am aiming to provide tips and advice that you can share with your less-than-tech-savvy friends and family – whether it’s your mom, grandpa, cousin Vinny or whomever. These are posts that I intend for you to FW: (uh oh, there are those letters again) to your mom (or whomever) so that they can get a non-technical explanation of the dangers of the ‘internets.’ Now begins the non-technical explanation, here we go!

Hello there! You’re no doubt reading this as a result of your son/daughter/grandson/granddaughter having sent you here for guidance. Fear not, I will help guide you through the dangers of the internet and help you be more secure with your personal information. No doubt you’ve heard of recent credit card breaches in stores you visit every day. You’ve also probably heard about ‘phishing’ emails that ask for your personal information in an email or ask you to click some link. You may have seen emails that say ‘Your credit card has been stolen, please email your Social Security number, mother’s maiden name and birthdate to this email address.’ The good news is that you can prevent yourself from being a victim of these scams.

The first thing you’ll need to know is that you should be very, VERY paranoid about anything you get in an email. If someone knocks on your front door, you’re always skeptical about what they want; the same principle should be applied to email. Anyone and everyone can email you, and not all emails should be trusted, particularly those from contacts you do not know or that ask you for personal information. Most businesses make it a point not to request such information over email, so if you get such a request, it is quite likely a scam. Secondly, it is very easy to fake the sender of an email. Just because it says ‘admin@bankofamerica.com’ doesn’t mean it is. Never trust that an email is coming from the business it purports to be coming from.

Furthermore, links and attachments in emails can be bad news. Just as it’s very easy to make it look like an email is coming from someone else, it’s just as easy to make a link in an email look different. I can easily make it look like it’s going to ‘www.youtube.com/someFunnyCatVideo’ but really when you click on the link it will take you to ‘www.ImSoEvil.com/LookAtHowEvilIAm.’ Fake sites are set up under the guise of seemingly legitimate URLs in an effort to get you to click on them which could lead to theft of personal information or worse. Attachments in emails from unknown sources are also bad news. You could be unknowingly downloading malware — software that can interfere with the proper functioning of your computer, damage your privacy or even install the dreaded virus.

All this sounds pretty frightening already. You may think you now need to go make a tin foil hat and build a bunker in your backyard. But with this knowledge you are well-armed to combat identity thieves. Here are a few simple things you can do to help protect yourself:

* Never give your personal information to anyone. No legitimate business will ask you to email them your Social Security number, credit card number, passwords, date of birth, etc. If they’re asking for that information it is 99.9% likely that it’s a scam. Sometimes an attacker will send an email that makes it sound like there’s an emergency — if you don’t do what they’re asking for right away something horrible will happen! Instead of doing what the email says, if it looks like it might be from a legitimate business – like a bank that you do actually have an account with – contact that business directly using a phone number or address you already have. Don’t use any links from that email. Let them know what email you received and that you want to confirm whether or not it was legitimate.

* Never click on a link in an email — it’s just asking for trouble. If you really want to watch that cat video, copy the link address into your browser window so you can be sure you’re sending your browser where you actually want it to go.

* If you receive an email that has an attachment and you were not specifically expecting that person to send you that attachment, contact them directly and confirm that they sent it and it’s a legitimate attachment. More than once a friend of mine has found out that their email account was hacked because I contacted them about a suspicious attachment.

This is all but the beginning of your training and you should come back to this blog often to hear more helpful (and hopefully easy to understand) advice on how to better protect yourself on the internet. Go forth and click on!

#HackerKast 17: UK Bans WhatsApp and iMessage, Instagram Privacy Issues, Cross Site Content Hijacking (XSCH), Amazon S3 Bitcoin Hack

Howdy Partners! Hope you all are in full swing in the new year and taking names. I know for a fact that a ton of you are busy since every hotel in Santa Clara, Calif., was sold out this month just as Robert and I were trying to visit the mothership.

Anywho… we started this week’s HackerKast chatting about how our blog post of the North Korean Web Browser got so much traffic that it DoS’d us. The ol’ Reddit hug of death got us and our poor IT department was thrilled with us.

The first news story we covered was the brilliant discussion going on across the pond in the UK about banning a ton of encrypted messaging services, including WhatsApp and iMessage. We all feel this is a silly reactionary measure to try to thwart terrorist communications but will have repercussions that will be wide-reaching. Knowing our audience, I’m probably preaching to the choir, but there are plenty of legitimate reasons for strong encryption protected messaging services. I think another side of my feelings were best summed up by a tweet:

Next, we brought up some Instagram news about a privacy problem they had over there. Turns out that if you ever had your Instagram profile set to public, no matter what your current privacy settings, your photos are accessible via direct URL. This is a thinly veiled illusion of privacy and further proves that if you don’t want a photo seen, you shouldn’t put it on the Internet at all.

Robert followed this up by briefly mentioning some new attack research published recently that was dubbed Cross Site Content Hijacking. We need another acronym like we need a hole in the head, but this research could prove to be very interesting. The thing that perked our ears up about this type of vuln is that it might be possible to read arbitrary HTTP headers across domains. That includes referring URLs, which are widely used as a CSRF protection in many web applications, including the Django framework. We haven’t dug deeply into this one but wanted to bring it up as a potentially interesting bit of research for you folks to chew on.
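Both the GoDaddy CSRF from HackerKast 19 above and this Referer-reading research come down to the same defensive question: what should a state-changing request such as “change my nameservers” have to prove before the server acts on it? Here is an added example (not GoDaddy’s or Django’s code) of the check a practitioner would want: a per-session token derived from a server secret, combined with an Origin check, falling back to Referer only when Origin is absent. The site origin, server secret and request dictionaries are assumptions constructed for the example.

```python
"""CSRF protection for state-changing requests: Origin check plus session-bound token."""
import hashlib
import hmac
import secrets
from typing import Mapping, Optional, Tuple

SITE_ORIGIN = "https://www.example.com"      # hypothetical site
SERVER_SECRET = secrets.token_bytes(32)      # in real code: persistent, per-deployment secret
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")    # must never change state, or this whole scheme fails


def issue_csrf_token(session_id: str) -> str:
    """Token = HMAC(secret, session id): bound to the session, unguessable
    without the secret, and no server-side storage needed."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def request_is_same_origin(headers: Mapping[str, str]) -> Optional[bool]:
    """True/False from Origin (preferred) or Referer; None if neither is present."""
    origin = headers.get("Origin")
    if origin:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        # Prefix plus '/' so https://www.example.com.evil.example/ does not pass.
        return referer.startswith(SITE_ORIGIN + "/")
    return None


def csrf_check(method: str, headers: Mapping[str, str], form: Mapping[str, str],
               session_id: str) -> Tuple[bool, str]:
    """Decide whether a request may change state. Both layers must pass:
    a cross-origin request is rejected outright, and a same-origin (or
    origin-less) request still needs the session's token in the form body."""
    if method in SAFE_METHODS:
        return True, "safe method"
    same = request_is_same_origin(headers)
    if same is False:
        return False, "cross-origin request"
    token = form.get("csrf_token", "")
    if not hmac.compare_digest(token, issue_csrf_token(session_id)):
        return False, "missing or wrong csrf token"
    return True, "ok"
```

The token is what actually stops a forged form post from another site; the Origin/Referer check is a cheap second layer that works even when a template forgets to include the token. Django’s strict mode goes further and rejects HTTPS requests that carry no Referer at all.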

Some news about an Amazon S3 hack bubbled to the top this week which we’ve heard about before but is still super fun to talk about and – more importantly – to learn to protect yourself from. We all know our AWS credentials (the access key ID and its secret access key) are important to keep private, but with the ever-growing popularity of programmatically spinning virtual instances up and down in Amazon it is becoming easy to forget those keys in your code. If you are using them in development and accidentally leave them in your code when you push it up to a GitHub repo, those keys are now public. GitHub and Amazon do a good job of trawling the Internet for this, but it still happens, even to the best of us. A popular (mis)use of this kind of leak is using your keys to spin up instances that start mining bitcoins for the attacker. This usually doesn’t get caught until the victim gets the big bill for the CPU time.

“Kid hacks into school’s website to shame them for making them go to school when the roads were covered in snow” has to be our favorite headline of the week. We’d love to include the screenshots from this website defacement but they are pretty NSFW. The kids hacking school stories are always a lot of fun because I think it resonates with a lot of us who have memories of being bored in school and playing with computers just wondering if you could switch your grades. Not that any of us did such a thing.

Notable stories this week that didn’t make the cut:
Iran orders 3 communication apps blocked (LINE, WhatsApp and Tango)
AT&T is going to start supporting webrtc
Silk Road Reloaded moving to I2p instead of Tor
Obama proposal: Hacked companies have 30 days to fess up

References:
WhatsApp and iMessage could be banned under new surveillance plans
Iran orders 3 communication apps blocked
Your private Instagrams weren’t as private as you thought they were
Content hijacking proof-of-concept using Flash, PDF and Silverlight
Dev put AWS keys on Github. Then BAD THINGS happened
Angry Student Hacks County’s Website to Apologize for Snow Day

5 Days to Setting Up an Application Security Program

Congratulations! You now have the responsibility of ensuring your web applications are secure. This is the reality that modern day CISOs and security professionals address every day. You may have even lobbied for and championed this initiative because you are acutely aware of the risk that vulnerable web applications present to the business. Or as is often the case in reaction to a breach or an attack (aka a “security event”), web applications have now appeared on the radar of your senior management team. So, where to begin? Where’s the playbook?

To assist you in this endeavor, we have created an “Application Security Program Quick Start Guide.” WhiteHat has years of combined web application and security management experience which came in very handy for this undertaking. This guide is essentially a playbook that is both easy-to-consume yet prescriptive-enough that the reader is able to walk away with concrete action items to set in motion.

Web application testing is not a fledgling security activity by any measure. That said, resources to help navigate the process of building a web application security program are scarce and often too high-level. In practice, there is no shortage of tools or services to perform web application testing, but testing alone is not a substitute for a comprehensive web application security program. To be successful, we should aim for a program that is more than simply testing sites and delivering results to stakeholders. Those activities represent just two of the many inputs and outputs necessary to reduce the risk associated with web applications.

Today we are releasing this “Application Security Program Quick Start Guide” in the hopes that it will help CISOs in their ongoing work to ensure the security of their organization’s web applications and mission-critical information. In addition, we have donated the guide under a Creative Commons license to the OWASP community for everyone to use.

You can download the guide here: https://whitehatsec.com/whitepaper/2015/01/12/whitepaper_appsec_quickstartguide.html

The OWASP project page can be found here: https://www.owasp.org/index.php/OWASP_Application_Security_Program_Quick_Start_Guide_Project

We hope this initial draft serves to spur the collective insights of those willing to participate.