#HackerKast 41: HackingTeam, Adobe Flash Bug, UK Government’s Possible Encryption Ban

Hello everyone! Welcome to Week 41! Hope everyone enjoyed the holiday last week. Let’s get right to it:

First off, we talked about HackingTeam, an Italian surveillance firm that sells its tools to governments to spy on citizens. We don’t know much about the breach itself in terms of technical details, but the fact that this is a security company that builds malware makes it super interesting. One of the things revealed in the leaked malware source code was weaponized child pornography, which would plant this nasty stuff on victims’ computers. Also in the mix were some 0-days, most notably a previously unknown Flash bug.

We covered a bit about the Flash bug, which Adobe has already released a patch for and which is now available in exploit kits and Metasploit. HD Moore’s Law is in full effect here, as we are seeing how fast these things get picked up and weaponized. We quickly rehashed some advice from the past: enable click-to-play or uninstall Flash completely, since these things pop up constantly. It is also super telling that the only reason we know about this bug is that it leaked from an exploit kit being hoarded by a private firm. There are likely tons of these floating around. Another behavior of some of the exploits for these Flash bugs is that once you are compromised, they patch the hole they used so that other attackers can’t get in the same way.

Another story that keeps rearing its head is the UK government trying to ban encryption entirely. They’ve been talking about this for a while now, but it keeps bubbling up in political news stories. Governments want the ability to spy on their own citizens as a whole, and encryption is not allowing them to. We touched on the same conversation going on in the USA, where the FBI wants a “golden key” scenario: there would still be encryption, but they’d have the backdoor to decrypt everything. This is inherently insecure and an awful idea, but lots of people keep bringing it up. It is closest to becoming a reality in the UK, where it would make even things like iMessage illegal and unusable.

We’re all looking forward to Vegas for BlackHat in a few weeks. Be sure to hunt us down to say hi!

Thanks for listening! Check us out on iTunes if you want an audio only version for your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast or write us directly @jeremiahg, @rsnake, @mattjay

OpenSSL CVE-2015-1793

OpenSSL released a security advisory regarding CVE-2015-1793, a bug in the implementation of the certificate verification process:

… from version 1.0.1n and 1.0.2b) will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic can mean that an attacker could cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.

This largely impacts clients that verify certificates (and any server that verifies client certificates). Additionally, the major browsers, IE, FF and Chrome, do not use OpenSSL for their TLS client stack. Thus, while OpenSSL rates this as a high-severity vulnerability, its practical impact on typical web users is low. Due to the nature of this particular issue, implementing a test in Sentinel is unnecessary.
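To make the bypassed check concrete, here is an added toy model, written for this post and not OpenSSL’s own code, of a chain builder that explores alternative chains when the first candidate path dead-ends and enforces the Basic Constraints CA flag on every issuer it walks through. Signature verification, validity periods and name constraints are omitted, and all the certificates (Example Root G1/G2, Example Intermediate, www.example.com, login.example.net) are constructed for the example:

```python
# Added example (not OpenSSL code): a deliberately simplified X.509 chain
# builder showing the two things the advisory talks about, namely trying an
# "alternative chain" when the first candidate chain fails, and refusing to
# treat a certificate without the Basic Constraints CA flag as an issuer.
# Signature checking, validity periods and name constraints are omitted;
# each Cert stands in for a real certificate. All certificates below are
# constructed for the example.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool  # value of the X509v3 Basic Constraints CA flag


def _issuers_of(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """All certificates in pool whose subject matches cert's issuer name."""
    return [c for c in pool if c.subject == cert.issuer and c != cert]


def build_chain(leaf: Cert, untrusted: List[Cert], trusted: List[Cert],
                enforce_ca_flag: bool = True) -> Optional[List[Cert]]:
    """Return [leaf, ..., trust anchor] or None if no chain reaches an anchor.

    Every candidate issuer is explored depth-first, so when the first path
    dead-ends (e.g. a cross-signed intermediate pointing at a root that is
    not in the trust store) an alternative chain is attempted. With
    enforce_ca_flag=False the CA check is skipped, which is the class of
    failure the advisory describes.
    """
    def extend(chain: List[Cert], seen: FrozenSet[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        # Anchor reached: the trust store holds a certificate naming our issuer.
        for anchor in trusted:
            if anchor.subject == current.issuer and (not enforce_ca_flag or anchor.is_ca):
                return chain + [anchor]
        # Otherwise keep walking through the untrusted pool.
        for cand in _issuers_of(current, untrusted):
            if cand in seen:
                continue
            if enforce_ca_flag and not cand.is_ca:
                continue  # a leaf may not act as a CA
            found = extend(chain + [cand], seen | {cand})
            if found is not None:
                return found
        return None

    return extend([leaf], frozenset([leaf]))


# Constructed PKI for the example.
ROOT_NEW = Cert("Example Root G2", "Example Root G2", is_ca=True)           # in trust store
ROOT_OLD = Cert("Example Root G1", "Example Root G1", is_ca=True)           # retired, not trusted
INTER_BY_OLD = Cert("Example Intermediate", "Example Root G1", is_ca=True)  # cross-signed copy
INTER_BY_NEW = Cert("Example Intermediate", "Example Root G2", is_ca=True)
SITE = Cert("www.example.com", "Example Intermediate", is_ca=False)
# A certificate the holder of www.example.com's private key "issued" themselves.
FORGED = Cert("login.example.net", "www.example.com", is_ca=False)


def verify_site() -> List[str]:
    """Legitimate leaf: the path via the old root fails, the alternative succeeds."""
    chain = build_chain(SITE, [INTER_BY_OLD, INTER_BY_NEW], [ROOT_NEW])
    return [c.subject for c in chain] if chain else []


def verify_forged(enforce_ca_flag: bool = True) -> bool:
    """Forged leaf: rejected when the CA flag is enforced, accepted when it is not."""
    chain = build_chain(FORGED, [SITE, INTER_BY_OLD, INTER_BY_NEW], [ROOT_NEW],
                        enforce_ca_flag=enforce_ca_flag)
    return chain is not None


if __name__ == "__main__":
    print("site chain:", " -> ".join(verify_site()))
    print("forged accepted with CA check:", verify_forged(True))
    print("forged accepted without CA check:", verify_forged(False))
```

With the CA flag enforced the forged certificate is rejected because www.example.com is not a CA; with the check disabled the builder walks straight through the leaf to the trusted root. A patched OpenSSL build (1.0.1p / 1.0.2d) should behave like the first case, which you can confirm with `openssl verify` against a leaf-signed test certificate.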

If you have any questions please contact WhiteHat Customer Support at support@whitehatsec.com.

The following OpenSSL versions are affected:

* 1.0.2c, 1.0.2b
* 1.0.1n, 1.0.1o

The recommended solution is to update the affected version of OpenSSL:

* OpenSSL 1.0.2b/1.0.2c users should upgrade to 1.0.2d
* OpenSSL 1.0.1n/1.0.1o users should upgrade to 1.0.1p

References:

* https://www.openssl.org/news/secadv_20150709.txt
* https://access.redhat.com/solutions/1523323
* http://lists.opensuse.org/opensuse-security-announce/2015-07/msg00019.html

Importance of a Security Mindset

Back in 2008, Bruce Schneier wrote an article in Wired about the security mindset. In it he wrote:

This kind of thinking is not natural for most people. It’s not natural for engineers. Good engineering involves thinking about how things can be made to work; the security mindset involves thinking about how things can be made to fail. It involves thinking like an attacker, an adversary or a criminal. You don’t have to exploit the vulnerabilities you find, but if you don’t see the world that way, you’ll never notice most security problems.

I’ve often speculated about how much of this is innate, and how much is teachable. In general, I think it’s a particular way of looking at the world, and that it’s far easier to teach someone domain expertise — cryptography or software security or safecracking or document forgery — than it is to teach someone a security mindset.

He was certain that this mindset is a good thing:

That part’s obvious, but I think the security mindset is beneficial in many more ways. If people can learn how to think outside their narrow focus and see a bigger picture, whether in technology or politics or their everyday lives, they’ll be more sophisticated consumers, more skeptical citizens, less gullible people….

There’s nothing magical about this particular university class; anyone can exercise a security mindset simply by trying to look at the world from an attacker’s perspective. If I wanted to evade this particular security device, how would I do it? Could I follow the letter of this law but get around the spirit? If the person who wrote this advertisement, essay, article or television documentary were unscrupulous, what could he have done? And then, how can I protect myself from these attacks?

The security mindset is a valuable skill that everyone can benefit from, regardless of career path.

In practice, not everyone seems to agree with that last sentence. One person’s “careful and thorough” is another person’s “inconvenient and unnecessary,” when they don’t share the same picture of reality.

This case is extreme but illustrative. It’s taken from the book Even Paranoids Have Enemies: New Perspectives on Paranoia and Persecution:

Dinora Pines (1995) describes her experience with a patient from Russia who had given his KGB companion the slip when he was brought to London. The patient appeared to her to be obsessed by his fantasies about Baba Yar. He never gave her his home address or telephone number and always seemed to slip into his sessions in a shadowy and haunted manner. Pines’s patient did not arouse any emotional response in her and she felt bored, only subsequently realizing that she was in the presence of a person whose main internal difficulty was a “falseness”, a tendency to disallow emotional engagement and closeness. Her non-existent feelings towards him troubled her, keeping her thinking about his internal world until one day external reality erupted in her consulting room. After the murder of a Bulgarian dissident in Oxford Street, her patient disappeared. She never heard another word about him until she was shocked to read an obituary about him in the local newspaper. Pines writes:

I feel very guilty about my previous indifference towards him, and my irritation with him for what seemed to be illogical precautions as to his safety. Yet it also seemed to me, with hindsight, that he was right and I was totally wrong about his reality.

Her patient’s past life experience differed enormously from hers and matters were further complicated by their cultural differences and his own psychological difficulties in being honest and open with those, such as his analyst, whom he perceived to be in a position of authority.

Thankfully, most of us don’t need to worry about anything like the KGB killing us with ricin pellets shot from an umbrella. But these things do happen.

Those of us who aren’t dealing with Advanced Persistent Threats still have enemies on the internet, but we aren’t defenseless. WhiteHat Security can help with reducing your organization’s attack surface, but there are lots of things everyone can do to make their online lives safer (and a little bit less convenient). You can think of our Web Security for the Tech Impaired series as Security Mindset 101.

Web Security for the Tech Impaired: Connecting to WiFi

We’ve all been at an airport or coffee shop and checked our phone only to see that the internet connection is incredibly slow. You curse the heavens in frustration, and then you notice that they offer free WiFi. “What fortuitous circumstances!” you think. You look on your phone for what networks are available around you and you see:
Starbucks
FREE_Starbucks
Public-Starbucks

Uh……. ok…… which one do you choose? They all seem to be owned by Starbucks, so you go ahead and connect to the first one. A few days later you notice your credit card has some weird unauthorized charges. “That’s odd,” you think, “maybe it had something to do with that free WiFi I connected to….”

While connecting to free WiFi networks seems like a good idea, it can be extremely dangerous. The danger is that it is incredibly easy to set up your own WiFi network at these locations. An attacker buys a relatively inexpensive device, sets it up at any location and gives it any name they like. Victims will think the network is legitimate and connect to the attacker’s WiFi network. Once they do, the attacker sits between the victim and the internet and can see, and even alter, all of the unencrypted traffic going back and forth between the victim and any site they are browsing. This is what is known as a ‘man in the middle’ attack.

So how do you protect yourself from being a victim?
1) I always like to turn off WiFi if it’s not being used. This serves two purposes. It saves your battery which is always nice and it protects you from having your device connect to an undesirable WiFi network without you knowing it.

2) If you need to connect to a WiFi network, confirm the name of the network with someone at the business. In airports there will often be official signs with the network’s name hung throughout. Smaller locations are tougher because attackers can make very convincing fake signs and sprinkle them throughout the business. In these cases I like to ask someone working there what the network name should be.

3) Never trust a WiFi network. I never do any banking, purchasing or sensitive transaction while connected to a public WiFi network. Save that for home or a WiFi network you know and trust. It’s just not worth it. If you absolutely have to, make sure the site is using “https” in front of the URL.

4) If you do connect to a public network, use your phone or computer’s ‘forget network’ feature after you’re done. Your phone keeps a list of all the networks it has connected to in the past somewhere within your WiFi settings panel, and if WiFi is enabled it will automatically reconnect to any of them, including a rogue network broadcasting the same name. To prevent that, go into these settings and either long-press the network or open its options menu and select ‘forget network’.

#HackerKast 40: OPM Breach, Sourcepoint, AdBlock Plus, NSA and AV software, Adobe Flash, Chrome Listens In via Computer Mic

Hey Everybody! Welcome to our 40th HackerKast! Thanks for listening as always and lets get to the news!

Our first story to chat about this week was news bubbling up still about the recent OPM breach. This time, the news outlets are latching on to the fact that data encryption wouldn’t have helped them in this case. Jeremiah poses the question “Is this true? And if so, when does it protect you?” Robert and I go back and forth a bit about layers of protection and how encryption in this regard will only help with host layer issues. Some other ideas come up about data restrictions being put upon the database queries as they are taking place so that the crown jewels can’t be stolen via one simple hole.

Next, we moved on to a story Robert was drooling over about Sourcepoint, a new company launched by a former Google exec that exists to stop ad blocking. Apparently they originally launched to detect when ads are being modified, which was apparently an issue in the SEO world. However, the way the tech worked, monitoring the DOM, allowed them to pivot a bit to detect ad blocking by users. This could be leveraged to stop the user from blocking, or could alert the user and ask really nicely for them not to block ads that could be harming some sites’ revenue. We then all made the comparison that the modern age of ads looks a lot like the age of anti-virus, with the whole cat-and-mouse game of writing signatures to catch which domains are serving ads.

On the topic of ad blockers, AdBlock Plus added a feature that allows enterprise IT admins to roll out the browser plugin to an entire company. We need to remind people that AdBlock Plus is also the ad blocker on the market that will whitelist ads from advertisers who pay them. This means the more computers their software is on, the more they can charge to be whitelisted.

Jer couldn’t wait to talk about this next story about the NSA reverse engineering AV software. He starts by giving us all a quick history lesson of his interest in AV being the ironic attack vector for hackers to get into systems. The current story is about a recently leaked Snowden document that outlined an NSA program which reversed AV software — including Kaspersky — to utilize it to track and monitor users. Not a good week for Kaspersky coming off the heels of Duqu 2.0 recently.

Our transition from one virus propagator to another brings us to our next story: Adobe Flash. The initial story that made our list was Brian Krebs talking about detoxing from Flash for 30 days with it completely removed from his system. He gives some good advice about disabling Flash, removing it altogether, or enabling click-to-play. While editing this story, though, he had to add a note at the top that proved his point: the day it was published, Adobe released an out-of-band patch for a zero-day. The zero-day was identified in a FireEye report with a ridiculous name (Operation Clandestine Wolf) describing an attack used in Singapore by a Chinese hacking group they call APT3. We had a good conversation about Flash, what a huge target it has been, and what a nightmare it is to get users to update.

The icing on our cake, going back to ragging on Google, is a story that hit the privacy community this week about Chrome listening to you via your computer microphone. For some reason, the initial group they decided to test this with was Chromium users on Debian, who noticed the silent update start to log this audio information. Apparently there is some legitimate purpose behind this, like saying “OK Google” to your computer and giving it voice commands. They then send this audio to their servers to do analysis to improve their service. They double, triple, super-duper promise they aren’t logging it or sharing the audio. We went off on a tangent here on how awful of an idea this is. I brought up how we’ve got a nice diagram from the NSA showing how they strip HTTPS at Google’s front end to monitor users, so it really doesn’t matter whether Google logs or stores it if the NSA can just snoop on the wire there. Who knows where this is going to go, but now you might have an always-on microphone in your house.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

Encryption Would Not Have Helped at OPM Says DHS Official
Former Google Exec Launches Sourcepoint To Stop Ad Blockers
Adblock Plus Rolls Out Mass Deployment For IT Administrators
NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users
Operation Clandestine Wolf: Adobe Flash Zero-Day
Krebs month without Adobe Flash Player
Google Chrome Listening In To Your Room Shows The Importance of Privacy Defense In Depth
Just another source on the Chrome listening to you

Notable stories this week that didn’t make the cut:

Heinz QR porn code too saucy for ketchup customer
Critical Bug Found in Drupal OpenId
The Myth of the Dark Web
How DOJ Gagged Google over Surveillance of Wikileak’s Appelbaum
1,400 Passengers Grounded in Warsaw Due to Airport Hack
DuckDuckGo on CNBC: We’ve grown 600% since NSA surveillance news broke

#HackerKast 39: MLB Astros Hacked By Cardinals, Duqu 2.0, More Ad Blocking News and RIP Microsoft Ask Toolbar

Hey everybody and welcome to another week in Internet Security. Robert and I were trying our best to stay above water with Tropical Storm Bill hitting Southern Texas while Jeremiah was making us jealous with his palm trees and blue skies in Hawaii. I’ll remember that one Jer…

Back on topic, our first story was some shameless self promotion of Jeremiah talking about eSecurityPlanet doing a story on the Top 20 Influencers in the security industry. He happened to make the list himself but there are a lot of other notable names on there with links to lots of good research going on. Notably for me was our friend Dan Goodin who is a journalist that we link to a lot in HackerKast and is the first to cover many security news stories. Kudos to all.

Next, some news broke right before we started recording that was super interesting about some MLB teams getting into the hacking space. Turns out a former employee of the Houston Astros who left and now works for the St. Louis Cardinals never had his access turned off and was leveraging his old credentials. The Astros have some high-end scouting data that was put together with some cutting edge “Moneyball” style metrics that the Cardinals wanted their hands on. The FBI has been brought in to investigate this, how far this incident went and to prosecute those at fault.

We moved on from the baseball hack and into a security company admitting it got hacked, with Kaspersky coming out and talking about Duqu 2.0. Robert touched on this, and what made it interesting was that Duqu is almost certainly developed by a nation state, given the evidence reported about it. The other major interesting tidbit is that at some point Duqu’s authors stole a valid Foxconn digital certificate, which let the malware bypass a lot of first lines of defense. By signing with a valid cert, Duqu wouldn’t trip many of the alarms that normal malware would have upon entering a network. Robert also mentioned that, in light of this, Foxconn should probably be doing some forensics and incident response to figure out how their certificate was stolen.

Couldn’t make it out of another HackerKast without talking about one of our favorite topics, ad blocking. There was an article this week in Wired that discusses the differences in ad blocking on desktop platforms and mobile devices. Since browser extensions have become so prevalent and are cutting into the wallets of certain advertisers, *cough*Google*cough*, there is a movement towards pushing users to use specific apps for the content they’d like to digest. Robert discusses an example with CNN, where it would push users to the CNN mobile app, in which it controls the content fully and there would be no such thing as ad blocking.

Staying on the ad topic, Microsoft put out a research paper about serving web ads locally from your own computer. Think of this as a super cache which would have some implications on bandwidth, load time, ad blocking, and some malware related consequences. The major motivation here is almost certainly avoiding ad blocking since the ads are not loading dynamically from the web. Jer made the joke of hoping that chmod 000 being a thing for that folder.

Lastly we finish off with a Dan Goodin story with a witty title of “Ding Dong, the witch is dead” referring to Microsoft finally bringing the hammer down on the Ask toolbar. Microsoft’s malware team and suite of software including Microsoft Security Essentials will now flag the Ask Toolbar, most notably bundled with Oracle products by default such as Java, as unwanted software. The criteria of this flagging is software that includes “unwanted behavior, delivery of unwanted advertising, and a loss of user’s privacy”. The other speculation we made was that this would save Microsoft millions of dollars in customer service calls of how to remove it from Internet Explorer from unsavvy users who accidentally installed it. We all smell lawsuits on the horizon and will be an interesting one to watch.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

20 Top Security Influencers
Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network
The Duqu 2.0 hackers used a Legitimate digital certificate from Foxconn in the Kaspersky attack.
Apple’s Support for Ad Blocking will Upend How the Web Works
A Microsoft Research paper considers serving web-ads from your own computer
Ding dong, the witch is dead: Microsoft AV gets tough on Ask Toolbar

Notable stories this week that didn’t make the cut:
FBI seizes Computers Involved in Massive Celeb Nude Leak
Report: Hack of government employee records discovered by product demo
Catching Up on the OPM Breach
Bing to Start Encrypting Search Traffic
LastPass Hacked – Email Addresses and Password Reminders and More Compromised
Stealing Money from the Internet’s ATMs or Paying for a Bottle of Macallan
Using the Redis Vulnerability to Patch Itself

#HackerKast 38: Pulse tests .gov sites, China hacked US government, DuckDuckGo, NSA Quantum Insert attacks and Google finds Ad Blocking annoying

Hey All! Welcome to another HackerKast! I’m back whether you like it or not.

Gave a quick rundown of my Europe trip before jumping into the news and we started with one of my favorite stories we’ve covered in a while. This one was about a project called Pulse which grabbed every .gov site it could get its hands on and ran an SSL Labs tester on it (hat tip to the awesome Ivan Ristic). Pulse then takes all the results and puts them in a very nice sortable table that, with one click, reveals pages and pages of government agencies with “F” grade scores. An “F” basically means they are vulnerable in at least 1 way to a major SSL flaw like POODLE or Heartbleed. Jeremiah tied this in to another story of an order in the government that mandates all websites are to be compliant with up to date SSL/TLS standards in the next year and a half or risk being taken offline.

Next, the story we couldn’t avoid, it is being reported that hackers from China stole over 4 million records from our government’s personnel office network. These records detail tons of information about current and past government employees. Some of the scariest pieces of info stolen are the results of secret clearance data which dives deep into the personal lives of people applying for secret or above clearances. Speculations have been made theorizing that this could be used to blackmail and flip people into working for foreign entities.

After getting off on a tangent about all that, Robert talked about the next story of some new DuckDuckGo features. Seems they are adding a whole suite of crypto related search features that are pretty neat, including generating strong passwords, identifying hashing algorithms, hashing things for you, and last but not least, searching for known plaintext of hashes. If you have some hashed passwords from a dump that you got your hands on, you can type the hash into DuckDuckGo and ask it to search known previously cracked hashes to see if its on the list. Who needs your own rainbow table anyway?


Robert continues with a serious deep dive into a story about detecting the NSA’s complex Quantum Insert attacks. This topic has whole blog posts dedicated to itself if you’re interested in what it is and how the NSA is using it. It could be easy enough to create a piece of code to sit on your computer and look for anomalies in your packets consistent with this type of Insert attack to detect if you’re being MiTM’ed in this way.
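As an added example (written for this post, not code from the podcast or the linked article), here is the detection heuristic that Fox-IT published for this class of attack applied to a small constructed packet trace: the injected reply races the real server’s answer, so the client sees two TCP segments in the same flow with the same sequence number but different payloads, typically with a different IP TTL as well. Real input would come from a pcap; the `Segment` records, addresses, TTLs and HTTP payloads below are all constructed:

```python
# Added example, not from the podcast or the linked Fox-IT article: the
# detection heuristic Fox-IT described for QUANTUMINSERT-style injection,
# run over a constructed packet trace. The injected reply races the real
# server, so the client sees two TCP segments in the same flow with the same
# sequence number but different payloads (often with a different IP TTL too).
# Real input would come from a pcap; here each packet is a small record.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    src: str        # sender "ip:port"
    dst: str        # receiver "ip:port"
    seq: int        # TCP sequence number
    ttl: int        # IP TTL as observed at the client
    payload: bytes


def find_seq_conflicts(segments: List[Segment]) -> List[Dict[str, object]]:
    """Flag (flow, seq) pairs that carry more than one distinct payload.

    Retransmissions repeat an identical payload and are ignored; pure ACKs
    (empty payload) are skipped because their seq numbers legitimately repeat.
    Each alert records both payloads and TTLs so an analyst can judge which
    segment came from the real server.
    """
    seen: Dict[Tuple[str, str, int], List[Segment]] = {}
    alerts: List[Dict[str, object]] = []
    for seg in segments:
        if not seg.payload:
            continue
        key = (seg.src, seg.dst, seg.seq)
        prior = seen.setdefault(key, [])
        if any(p.payload == seg.payload for p in prior):
            continue  # benign retransmission of data already seen
        if prior:
            alerts.append({
                "flow": f"{seg.src} -> {seg.dst}",
                "seq": seg.seq,
                "first_payload": prior[0].payload[:40],
                "first_ttl": prior[0].ttl,
                "conflict_payload": seg.payload[:40],
                "conflict_ttl": seg.ttl,
            })
        prior.append(seg)
    return alerts


# Constructed trace: a client fetches a page; an injected 302 arrives first,
# then the real 200 with the same seq number, then a benign retransmit of it.
CLIENT, SERVER = "10.0.0.5:51000", "203.0.113.10:80"
TRACE = [
    Segment(CLIENT, SERVER, 1000, 64, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    Segment(SERVER, CLIENT, 5000, 59, b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/\r\n\r\n"),
    Segment(SERVER, CLIENT, 5000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(SERVER, CLIENT, 5000, 52, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"),
    Segment(CLIENT, SERVER, 1046, 64, b""),  # pure ACK, ignored
]


def scan_trace(segments: List[Segment] = TRACE) -> List[Dict[str, object]]:
    """Run the heuristic over a trace and return the alerts."""
    return find_seq_conflicts(segments)


if __name__ == "__main__":
    for a in scan_trace():
        print(f"[!] {a['flow']} seq={a['seq']}: TTL {a['first_ttl']} vs {a['conflict_ttl']}")
```

The heuristic alone cannot say which of the two segments is the injected one; the TTL mismatch and whichever segment the client ended up acting on are the extra signals an analyst would use, and the same logic fits naturally into a passive sensor that keys on the real five-tuple instead of the "ip:port" strings used here.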

The last complete tangent we went off on was about ad blocking, which is a subject near and dear to our hearts. The story in question detailed how popular ad blocking software is getting and how Google feels about this. A notable quote from Google’s CEO basically states that ad blocking is used to block “annoying” ads, so the way to make it less popular is to make less annoying ads. We all got a laugh about how “annoying” malware, user tracking, loss of privacy, bandwidth usage, power consumption, etc. all are.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
SSLLabs per .gov site
Chinese hackers breach federal government’s personnel office
DuckDuckGo Crypto Hacks
How to detect NSAs Complex Quantum Insert Attacks
Google’s Larry Page was asked whether he was worried about the rise of ad blockers — here’s what he said
Adblocking And The End Of Big Advertising

Notable stories this week that didn’t make the cut:
Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy
Good luck USA, China and Russia Promise Not To Hack Each-Other
SourceForge Has Now Seized Nmap Project Account
Hijacking Whatsapp Accounts
SEA Hacks army.mil
U.S. Army public website compromised
Sony Hack Movie in the Works from Oscar-Nominated Team (Exclusive)
Twitter Shuts Down Political Transparency Tool Politwoops
FBI official: Companies should help us ‘prevent encryption above all else’

The Well-Rounded Engineer

I am not a security industry luminary. In fact, prior to WhiteHat I had never worked in security. The closest I came was a consulting project using Perl::Critic for Security Audits in 2012. It was static analysis trying to uncover XSS and SQLi vulnerabilities in large, legacy Perl applications — toy compared to what Eric Sheridan and his team do here at WhiteHat.

I was recruited by WhiteHat in 2012 for my front-end development experience. At that point I considered myself an expert at web development. What I learned here is how much I still have to learn! My first Hacker Kombat was enlightening. Here I am, having built web applications professionally for fifteen years, and in a competition designed to break into web applications I have no skills.

Working at WhiteHat, in the security industry, fundamentally changed my approach to building software. Security is now a front-of-mind aspect of designing software for me. Like many difficult disciplines I had a shallow understanding. I knew a little about threat modeling, vulnerabilities, and attack vectors. I didn’t realize how deep and complex software security was until I was in the middle of it (and I should be completely honest, there is still so much I don’t know). This experience has made me a better engineer, a more well-rounded engineer.

Seek more experiences

Every engineer should have the opportunity to dive deep into security. Keeping an application secure, and its data safe, is a complicated mix of preparation and probability. True appreciation for its difficulty is best accrued through experience. Reading about it isn’t enough. Studying won’t provide the same benefit as lived experience.

LinkedIn founder Reid Hoffman writes about the tour of duty framework for collecting experiences. In his model, if motivated employees “signed up for a 2–4 year tour of duty and made an important contribution to some part of the business, Reid and the company would help advance their careers, preferably in the form of another tour of duty at LinkedIn.” I strongly recommend engineers follow this approach to their career. In the case of LinkedIn it worked well for the company, too. They “got an engaged employee who worked to achieve tangible results for LinkedIn. The employee transformed [their] career by enhancing [their] portfolio of skills and experiences.”

My recommended experiences

Security is only one facet of a well-rounded engineer’s experience. Here are a few areas where I recommend gaining additional experience if you haven’t already:

Design

Work on your user interfaces, or go work for a design company. Building software with a design-first approach will break your brain as a developer. You will gain empathy for the experience of the real people interacting with your creations. You’ll see their pain, and you’ll want to make it better. Further reading on this topic: The User Experience Team of One by Leah Buley.

Consulting

Working for a consulting agency or being an independent consultant are excellent ways to learn how to work with customers. Another method is a tour of duty in field engineering, customer success, or sales engineering. Consulting will train you to ask a lot of questions for greater understanding, to avoid over-promising, and to iterate quickly with customers. Further reading on this topic: The Secrets of Consulting by Gerald M. Weinberg.

DevOps

The guiding principle behind DevOps is: if you build it, you run it. Every engineering team should be able to deploy, manage, and scale their software. Spend some time with your production operations team. Automate something that’s done manually. If your application isn’t yet a 12 factor app, this is a great opportunity to attempt to make it cloud ready and run on a platform designed for scale. Further reading on this topic: The Phoenix Project by Gene Kim.

Strive to be well-rounded

As a web application developer the spectre of the full-stack developer is all around me. The pressure to have deep experience in every architectural layer is heavy. This isn’t really possible, and as an industry we’re coming to grips with that. I would recommend we focus, as engineers, on being well-rounded. We ought to attain familiarity and working knowledge of new facets of software development through the procurement of experiences.

#HackerKast 37: More router hacking, StegoSploit, XSS Polyglot and Columbia Casualty Insurance refuses to pay Cottage Health

One more lonely week without Matt Johansen as Jeremiah and I have braved another HackerKast on our own. Thankfully we were comforted by some very interesting stories. Most of them were technical but one of them was around insurance.

First up was router hacking, one of Jer’s and my favorite topics. It turns out someone has been automating intranet hacking, using the victim’s browser to attack various SOHO routers and firewalls. This is neat because it’s actually in the wild, being used. It attempts various passwords and ultimately tries to rewrite DNS settings or route users to another location. Pretty nasty. I had a brief conversation with NoScript’s author, Giorgio Maone, who is considering writing Application Boundary Enforcement into a stand-alone plugin.

Then we talked about two stories, StegoSploit and something called XSS Polyglot. They’re different takes on the same issue: if you need to host content on another domain for some reason (typically payloads), you can do so inside an image or using Flash. Both are great articles, and they both do a pretty good job of breaking CSP in certain implementations.

Lastly we talked about an insurance provider called Columbia Casualty Insurance who refuses to pay out Cottage Health due to lax security. Namely, Cottage Health allegedly failed to do the things their policy required of them. If you don’t do what you say you’re doing, it’s hard to see why they would be obligated to pay out. Either way, it’s an interesting case, and probably the first of many to come.

Resources:

An Exploit Kit Dedicated to CSRF
StegoSploit – Metasploit in an SVG image
Using Ads To Bypass CSP
Insurer Cites Lax Security in Challenge to Cottage Health Claim

Notable stories this week that didn’t make the cut:
Disconnect.Me Files Antitrust Case Against Google In Europe Over Banned Anti-Malware Android App
The Efficacy of Google’s Privacy Extension
AppSec USA: Full List of Accepted Talks
Criminals use IRS website to steal data on 104,000 people
Weaponizing code: America’s quest to control the exploit market
The Security Issue of Blockchaininfos and Android
Thousands of Websites Block Congress in Protest of NSA Surveillance and this Naked campaign
SourceForge Grabs Gimp For Windows And Wraps It With AdWare
I Fooled Millions Into Thinking Chocolate Helps Weight
AdBlock Wins in Court Twice in Weeks
Ross Ulbricht Pleads For Leniency
CareFirst Breached
St. Louis Federal Reserve Had DNS Hijacked
LaZagne – Password Recovery Tool
How Many Million BIOSes Would You Like To Infect
Facebook Supports PGP
Airbus confirms software brought down A400M transport plane

#HackerKast 36: Moose Router Worm, Adult Friend Finder male users hacked, Firefox and advertising, WHS Stats Report, and IRS Data Breach

It was just Jeremiah and me again today, as Matt is shamelessly gallivanting around Europe at various security conferences (I think it's safe to hate him for it, isn't it?). But we had a ton of interesting stories this week to cover and didn't have much time to do it.

First up was the Moose Router Worm – similar to the Internet Census Project, it used default usernames and passwords to compromise remote routers. We don't know how many routers were compromised, but it was a lot, I'm sure. Jer seems to think that routers shouldn't even have this feature at all – and I'm inclined to agree.

It was a bad week for Adult Friend Finder, but an even worse week for their users, who had user account data stolen and published on the Internet. The data dump was incomplete and only comprised about 300M worth of data. Also, interestingly enough, it seemed to contain only data from the male users, which implies that it’s probably more about who is most easily blackmailed and less about what the actual adversaries have.

Next up we discussed Firefox and their rather strange move to build an advertising platform into the browser. Their reasoning is complicated, but it seems to revolve around a mix of making money and doing right by their users – except I don’t recall a user ever asking for this. Meanwhile one of Mozilla’s own employees wrote up a great paper on how users with ad blocking and privacy protection can save up to 40% bandwidth and page load time on the top Alexa sites. Shortly after, that same employee promptly left the company under somewhat mysterious circumstances.

Then we covered the Website Security Statistics Report. You'll have to download it to see for yourself, but there are a great number of interesting findings in there. For instance, it appears to refute the idea of a single best practice: there just doesn't seem to be any one security factor that will prevent a site from being hackable. Maybe they work in some combination, but not in a vacuum. Check it out.

Lastly, we briefly touched on the IRS data breach (if you can call it that), where north of 100k people's tax data were stolen. This is almost certainly the result of stealing user data through something like Zeus or other public sources and combining that data to attempt to log in as the user. Jer's point couldn't be more clear – Social Security Numbers aren't a good password, stop using them. If you are, your site is hackable.

That’s it for the week, I hope you enjoyed it! We’ll be back next week. Rate, subscribe, and give us feedback on things you’d like us to cover.

Resources:
Moose Router Worm
Adult Friend Finder Compromised
Firefox Will Soon Get Sponsored Suggested Tiles Based On Your Browsing History
Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015
Website Security Statistics Report 2015
100k+ Tax Records Breached from the IRS

Notable stories this week that didn’t make the cut:
Android Chrome ARC Welder
Chrome Extension Transmits Information Via Sound
Phuctor – RSA Super Collider
Two Diablo III players stole virtual armor and gold — and got prosecuted IRL
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 1
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 2
New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 3
FCC Warns Internet Providers That They’re On the Hook For User Privacy
Adblock Browser for Android
Hacking Starbucks for unlimited coffee
Logjam Attack against the TLS Protocol article 1
Logjam Attack against the TLS Protocol article 2
Specially Crafted Message Crashes iPhones article 1
Specially Crafted Message Crashes iPhones article 2
40% of Docker Images Are Vulnerable to High Severity CVEs