Introducing Craig Hinkley, WhiteHat Security CEO

As many of you know, I took on the role of “interim” CEO in February 2014, and along with the management team, led WhiteHat through a much needed period of re-strategizing and narrowing our focus onto the needs of our customers. In that time, we made great progress and improved every single metric that matters.

All the while, the Board of Directors and I were diligently searching to find the right person to step in as the permanent CEO. As founder, I may be biased, but WhiteHat is not just another security company. WhiteHat is something special and the work we do, web security, is important to the world. We needed a long-term CEO equal to the task. We needed someone who is passionate about web security and capable of taking WhiteHat to the next level; someone with the right skill set, experience, drive, vision, customer dedication, and most importantly, the ability to execute with us. Every. Single. Day.

At long last, we have found that person. On behalf of everyone here at WhiteHat Security, I am happy to introduce our new CEO, Craig Hinkley. Craig is an accomplished leader and I am confident that he is the right person to build on the foundation and momentum achieved by the WhiteHat team. While Craig’s resume is certainly impressive, it barely begins to do him justice. He’s the type of person who is driven, immediately engaging, and open to new ideas, while inspiring vision and excitement. We look forward to the key leadership he will bring to the WhiteHat team.

Many of you are probably asking, “What does this mean for Jeremiah?” My passion is, and continues to be, Web security, and WhiteHat is the very best place to do that. The vast majority of my day-to-day activity will remain largely unchanged. I will be heavily focused on our technology, product innovation, and strategy. With Craig on board, I’ll be freed up to focus more of my time and attention on those critical details.

Now, please join me in welcoming Craig as he takes the helm as CEO of WhiteHat Security.

View the official press release here.

The Perils of Privacy Personas

Privacy is a complex beast, and depending on who you talk to, you get very different opinions of what is required to be private online. Some people really don’t care, and others really do. It just depends on the reasons why they care and the lengths they are both willing and able to go through to protect that privacy. This is a brief run-down on some various persona types. I’m sure people can come up with others, but this is a sampling of the kinds of people I have run across.

Alice (The Willfully Ignorant Consumer)

  • How Alice talks about online privacy: “I don’t have anything to hide.”
  • Alice’s perspective: Alice doesn’t see the issues with online advertising, governmental spying and doesn’t care who reads her email, what people do with her information, etc. She may, in the back of her mind, know that there are things she has to hide but she refuses to acknowledge it. She is not upset by invasive marketing, and feels the world will treat her the same way she treats it. She’s unwilling to do anything to protect herself, or learn anything beyond what she already knows. She’s much more interested in other things and doesn’t think it’s worth the time to protect herself. She will give people her password, because she denies the possibility of danger. She is a danger to all around her who would entrust her with any secrets.
  • Advice for Alice: Alice should do nothing. All of the terrible things that could happen to her don’t seem to matter to her, even when she is advised of the risks. This type of user can actually be embodied by Microsoft’s research paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users, which is to say that spending time on security has a negative financial tradeoff for most of the population when taken in a vacuum where one person’s security does not impact another’s.

Bob (The Risk Taker)

  • How Bob talks about online privacy: “I know I shouldn’t do X but it’s so convenient.”
  • Bob’s perspective: Bob knows that bad things do happen, and is even somewhat concerned about them. However, he knows he doesn’t know enough to protect himself and is more concerned about usability and convenience. He feels that the more he does to protect himself, the more inconvenient life is. He can be summed up with the term “Carpe Diem.” Every one of his passwords is the same. He choses weak security questions. He uses password managers. He clicks through any warning he sees. He downloads all of the programs he finds regardless of origin. He interacts on every social media site with a laissez-faire attitude.
  • Advice for Bob: He should pick email/hosting providers and vendors that naturally take his privacy and security seriously. Beyond that, there’s not much else he would be willing to change.

Cathy (The Average Consumer)

  • How Cathy talks about online privacy: “This whole Internet thing is terrifying, but really, what can I do? Tax preparation software, my utilities and email are essential. I can’t just leave the Internet.”
  • Cathy’s perspective: Cathy knows that the Internet is a scary place. Perhaps she or one of her friends has already been hacked. She would pick more secure and private options, but simply has no idea where to start. Everyone says she should take her security and privacy seriously, but how and who should she trust to give her the best advice? Advertisers are untrustworthy, security companies seem to get hacked all the time – nothing seems secure. It’s almost paralyzing. She follows whatever best practices she can find, but doesn’t even know where to begin unless it shows up in whatever publications she reads and happens to trust.
  • Advice for Cathy: Cathy should try to find options that have gone through rigorous third party testing by asking for certificates of attestation, or attempt to self-host where possible (E.g. local copies of tax software versus Internet-based versions), and follow all best practices for two-factor authentication. She should use ad-blocking software, VPNs and logs out of anything sensitive when finished. Ideally she should use a second browser for banking versus Internet activities. She shouldn’t click on links out of emails, shouldn’t install any unknown applications and even shouldn’t download trustworthy applications from untrustworthy websites. If a site is unknown, has a bad or nonexistent BBB rating or seems to not look “right”, she should avoid it. It may have been hacked or taken over. She should also do reputation checking on the site using Web of Trust or similar tools. She should look for the lock in her browser to make sure she is using SSL/TLS. She shouldn’t use public wifi connections. She should install all updates for every software that is already on her computer, uninstall anything she doesn’t need and make sure all services are disabled that aren’t necessary. If anything looks suspicious, she should ask a more technical person for help, and make sure she has backups of everything in the case of compromise.

Dave (The Paranoid Reporter)

  • How Dave thinks about online privacy: “I know the government is capable of just about anything. So I’ll do what I can to protect my sources, insomuch as that it enables me to do my job.”
  • Dave’s perspective: Dave is vaguely aware of some of the programs the various government agencies have in place. He may or may not be aware that other governments are just as interested in his information as the US government. Therefore, he places trust in poor places, mistakenly thinking he is somehow protected by geography or rule of law. He will go out of his way to install encryption software, and possibly some browser security and privacy plugins/add-ons, like ad-blocking software like Disconnect or maybe even something more draconian like NoScript. He’s downloaded Tor once to check it out, and has a PGP/GPG key that no one has ever used posted on his website. He relies heavily on his IT department to secure his computer. But he uses all social media, chats with friends, has an unsecured phone and still uses third party webmail for most things.
  • Advice for Dave: For the most part, Dave is woefully unequipped to handle sensitive information online. His phone(s) are easily tapped, his email is easily subpoenaed and his social media is easily crawled/monitored. Also, his whereabouts are always monitored in several different ways through his phone and social media. He is at risk of putting people’s lives in danger due to how he operates. He needs to have complete isolation and compartmentalization of his two lives. Meaning, his work computer and personal email/social presence should not intertwine. All sensitive stuff should be done through anonymous networks, and using heavily encrypted data that ideally becomes useless after a certain period of time. He should be using burner phones and he should be avoiding any easily discernible patterns when meeting with sources in person or talking to sources over the Internet.

Eve (The Political Dissident)

  • How Eve thinks about online privacy: “What I’m doing is life or death. Everyone wants to know who I am. It’s not paranoia if you’re right.”
  • Eve’s perspective: Eve knows the full breadth of government surveillance from all angles. She’s incredibly tuned in to how the Internet is effectively always spying on her traffic. Her life and the lives of her friends and family around her are at risk because of what she is working on. She cannot rely on anyone she knows to help her because it will put them and ultimately, herself, in the process. She is well read on all topics of Internet security and privacy and she takes absolutely every last precaution to protect her identity.
  • Advice for Eve: Eve needs to got to incredible lengths to use false identities to build up personas so that nothing is ever in her name. There should always be a fall-back secondary persona (also known as a backstop) that will take the fall if her primary persona is ever de-anonymized instead of her actual identity. She should never connect to the Internet from her own house, but rather travel to random destinations and connect into wifi at distances that won’t make it visually obvious. Everything she does should be encrypted. Her operating system should be using plausible deniability (E.g. VeraCrypt) and she should actually have a plausibly deniable reason for it to be enabled. She should use a VPN or hacked machines before surfing through a stripped down version of Tails, running various plugins that ensure that her browser is incapable of doing her harm. That includes plugins like NoScript, Request Policy, HTTPS Everywhere, etc. She should never go to the same wifi connection twice, and should use different modes of transportation whenever possible. She should never use her own credit card, but instead trade in various forms of online crypto-currencies, pre-paid credit cards, physical cash and barter/trade. She should use anonymous remailers and avoid using the same email address more than once. She should regularly destroy all evidence of her actions before returning to any place where she might be recognized. She should avoid wearing recognizable outfits, and cover her face as much as possible without drawing attention. She should never carry a phone, but if she must, it should have the battery removed. Her voice should never be transmitted due to voice-prints and phone-line/background noise forensics. All of her IDs should be put into a Faraday wallet. She should never create any social media accounts under her own name, never upload a picture of herself or surroundings, and never talk to anyone she knows personally while surfing online. She should avoid using any jargon, slang or words that are unique to her location. She should never talk about where she is, where she’s from or where she’s going. She should never tell anyone in real life what she’s doing and she should always have a cover story for every action she takes.

I think one of the biggest problems in our industry is the fact that we tend to give generic one-size-fits-all privacy advice. As you can see above, this sampling of various types of people isn’t perfect but it never could be. People’s backgrounds are so diverse and varied, that it would be impossible to precisely fit any one person into any bucket. Therefore privacy advice must be tailored to people’s ability to understand their interest in protecting themselves and the actual threat they’re facing.

Also, we often are talking at odds with regards to privacy vs security. Even if we didn’t have to worry about the intentions of those giving advice, as discussed in that video, we still can’t rely on the advice itself necessarily. Nor can we rely on the advice being well taken by the person we are giving it to. One party might fully believe that they’re doing all they need to be doing, while they are in fact making it extremely dangerous for those around them who have higher security requirements.

Anything could be a factor in people’s needs/interest/abilities with regards to privacy – age, sex, race, religion, cultural differences, philosophies, their location, which government they agree with, who they’re related to, how much money they have, etc. Who knows how any of those things might impact their privacy concerns and needs? If we give people one-size-fits-all privacy advice it is guaranteed to be a bad fit for most people.

#HackerKast 30: Verizon Supercookie, Tesla Stock April Fools, Bugs in Tor, YouTube Bounty Hack, ‘Do Not Track’ and Microsoft

Hey All! We made it to 30 Episodes! Thanks for coming along for the ride, and hope you’re enjoying HackerKast. Now… the news!

First we talked about the follow up to a story we spoke about a few weeks back that had to do with Verizon tracking its customers. They were doing this by implementing a sort of “supercookie” which was injected into HTTP requests on their end. This isn’t something that would go away if you cleared your cache, cookies, browser files, etc. This was basically the glitter of user tracking, it never went away. News this week was that Verizon spokespeople made some hand wavy announcement of how this isn’t a problem since users can opt-out of this tracking if they wish. The problem we discuss here is that nobody is going to do that or even take the time to figure out how to do it via some random Verizon web interface. Bad form on Verizon’s part and just shows that the users’ interests are not truly at the heart here. The age old adage of “if you aren’t paying for it, you’re the product” doesn’t even apply here since you ARE paying for Verizon. They are just squeezing your data for more money.

Privacy tangent aside, in lighter news, the stock market is being automated! Lighter news? I guess so, due to the context here of an April Fools joke by Tesla. They announced the brand new ‘Model W’ which caused a bit of a commotion amongst the robots on the Internet. Turns out the Model W wasn’t a new line of Tesla cars but a joke about them making a watch which could do phenomenal things such as telling time. At the time of this announcement a bunch of excited robots made Tesla stock jump by nearly 1% and there were over 400,000 trades in 60 seconds, which was the largest surge for Tesla since their IPO. This may be a funny instance of this but it is a scary thought that a practical joke could have cost people hundreds of thousands of dollars because of some trigger happy robots.

Next, we talked about some new issues discovered and written about with Tor. In this case, we are talking about Denial of Service technique that is unique to a Tor Hidden Service. By using a ton of requests that open up “circuits” to hidden services, which kind of act like sockets, an attacker can flood the server and take it down. By building up a lot of these circuits, a hidden service will need to utilize a ton of CPU and memory to handle all of this. This is being called a bug but Robert doesn’t like that terminology because it is kind of by design how hidden services work, just being used maliciously.

Now we are talking about something we all really like the sound of, deleting Justin Bieber videos off the Internet. Well, that was the click bait for this one. The real topic is that a researcher found a way to delete any video off of YouTube immediately. Turns out that Google paid this researcher $5,000 for this bug which we all agreed seemed a bit low for such a serious bug, but we might not have all the information. The funny part here is the researcher discussed how hard it was to fight the urge to not deleting Bieber fan channels. Good bug.

Lastly, Microsoft announced that it will not be supporting ‘Do Not Track’ by default in the next version of their browsers, whatever they are calling it these days. This is coming right after ‘Do Not Track’ was finally supported by default only in their latest version of Internet Explorer. This sounds like a loss for privacy of the users but, in reality, DNT doesn’t really work. Nobody really pays attention to this and it costs more bandwidth anyway so there really is no point at this stage in the game.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Verizon Customers Can Now Opt Out of Supercookie Due to Government Pressure
Tesla Stockholders Can’t take a Joke
Bugs in Tor Network Used In Attacks Against Underground Markets
YouTube hack ‘threatened’ Justin Bieber videos
‘Do Not Track’ no longer default setting for Microsoft browsers

Notable stories this week that didn’t make the cut:
Turkey Blocks Social Media Again – People Resort to Posters to Educate

#HackerKast 29: China DDoS Github, IAB endorses SSL use in ads, Cisco praising Adblock, SEA hacks Bluehost and more, Google XSS around the world, PHP file upload vuln

Hey Everybody! Welcome to this weeks HackerKast!

First story we talked about this week was the latest DDoS attack on GitHub which was coming from China this time. The fact that it was a DDoS wasn’t the interesting bit, it was the method of DDoS we were focusing on. Turns out, the avenue of attack here seemed an awful lot like Jeremiah and my BlackHat research on “Million Browser Botnet”. The attackers were utilizing Baidu analytics JavaScript to force unknowing browsers to constantly reload two specific GitHub pages. Of course, this is slightly different than ad network delivery but the concept is pretty much the same. The other scary part is that the attacking browsers were only about 1% of the Baidu analytics traffic, if this was ramped up a significant amount then who knows what it would’ve looked like.

Next, in a related ad network story, we talked about the IAB writing a blog post announcing they would encourage all their members and partners to utilize SSL properly. This got a chuckle from us because the advertising industry is advocating security. If this would happen, SSL everywhere would be one step closer to being feasible without breaking ad networks. This would’ve stopped China from Man-in-the-Middling these ads and injecting anything into them.

Also related, Jeremiah touched on a post put out by Cisco praising ad blocking to combat drive by malware downloads. We all got a laugh out of this as we’ve been saying it for years so for somebody like Cisco to say it is funny. None of us are against the idea of advertising completely, but it is dangerous on the Internet.

Back to the hacking, Robert talked about the Syrian Electronic Army hacking the umbrella company that owns BlueHost, Justhost, Hostgator, and more. Due to a few VPN hacks, the SEA is claiming they got access to the administrator panels on all of these shared hosting providers, and in turn their customers. This was a hacktivism motivated event due to these shared hosting providers hosting the Islamic State websites which the SEA is against. We wrapped up this topic with some thoughts on overall shared hosting security, seems to us like a big single point of failure on the web.

In other hacking news, a creative bounty hunter found some fun XSS recently and displayed it in a fun way. This researcher found an XSS bug in Google that not only worked on the .com domains but actually worked on *every* Google TLD around the world. This led them to create a YouTube video called “Google XSS World Tour” with some fun classical music and an ever redirecting browser demonstrating the XSS working on many international Google domains. One bug to rule them all… or something like that…

Last, we talked about a PHP file upload vulnerability that was found this week. Seems there is a core PHP function called move_uploaded_file which is vulnerable to a clever bug which avoids file type validation. With just the addition of a null byte at the end of your file name, you can upload any file type you’d like and execute malicious code on the PHP web server. With a quick search on GitHub for move_uploaded_file, we get 245,006 results of code using this vulnerable function.


Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Syrian Electronic Army Hacks BlueHost, Justhost, Hostgator, Fastdomain, Hostmonster to go after Islamic State
Cisco recommends Adblock & Ghostery to combat malvertising
Google XSS World Tour
China’s Man-on-the-Side Attack on GitHub
Adopting Encryption: The Need for HTTPS
Exploiting PHP Upload Forms

Notable stories this week that didn’t make the cut:
Google to drop China’s CNNIC Root Certificate Authority after trust breach
Obama Declares War on Foreign Hackers
AllCrypt Hacked Using Brute Force and Password Reset
The old is new, again. CVE-2011-2461 is back!
Instagram API Bug Could Allow Malicious File Downloads
DEA Charged with Being Mole for Silkroad

#HackerKast 29 Bonus Round: Formaction Scriptless Attack

Today on HackerKast, Matt and I discussed something called a Formaction Scriptless Attack. Content Security Policy (CSP) has put a big theoretical dent in cross site scripting. I say theoretical because relatively few sites are taking advantage of it yet; but even if it is implemented to prevent JavaScript from loading on the page, that doesn’t necessarily remove the possibility of attack from HTML injection.

For example, let’s say you have a site that has CSP set up to prevent inline and remote JavaScript from loading using the nonce feature, which requires all script tags to include the nonce before they will load. The nonce is probably based on some locally known secret XOR’d with the user’s credential or something similar. Whatever the case the CSP nonce is not known. But what they really want to do is submit some form. Now the form itself might protect itself in a different way, using a server-generated nonce (a second one) to prevent cross site request forgeries. Barring any side channel attacks, MitM attacks or attacks against the server itself, it seems like this might stop you in your tracks.

HTML5 to the rescue! Let’s say the form has an id set of id=”form1″. HTML5 has a feature where any input field anywhere on the page (yes, even outside of the form block) can say that it belongs to any form using the “form” parameter (e.g. form=”form1”). That might be somewhat bad, because perhaps I can include an extra form field and make the user do something they didn’t mean to do. But worse yet, HTML5 also has a feature called formaction. Formaction allows me to change the location where the form is being submitted.

So if the attacker submits an input field that associates itself with the form that contains the secret nonce and also with the formaction directive which points the form to the attacker’s website, it’s pretty much game over if the user clicks on that button. So now the trick is to get the attacker to click on the button. Oh, if only there was a way to get people to click on arbitrary places on a page from another domain… oh wait! Clickjacking!

So if the site is using CSP but not using X-Frame-Options or similar techniques to prevent the site from being framed, the attacker can frame the page and force the user to click on the evil button that has set a formaction which points the form back to the attacker’s site. The attacker then takes that nonce, creates a page that automatically uses the nonces and forces a CSRF request with the secret nonce. So much for CSRF protection! Here is the original vulnerable page and here is the clickjacked version of it with semi-opacity enabled to make it easier to see (tested in Firefox only).

Scriptless attacks aren’t new, Mario Heiderich for example has been working on them for years, but they are deadly. It’s not quite the same thing as a cross domain read in this case, but it has the same effect – allowing the attacker to read information from the target domain for use in an attack. I highly recommend using X-Frame-Options on all your pages. But that only stops one form of the attack. It’s still possible to social engineer people and so on. Why devs need to associate input fields with forms outside of the form block is still a bit of a mystery to me and why they need to change the form action after the fact — even overriding the original location — is also a puzzle. But with every new feature comes a new way to abuse it. HTML5 is an interesting beast, that’s for sure!

Update: As mentioned on Twitter, you can use CSP to block formaction, but you have to do that or the attack will still work with other CSP rules. Also you can do the equivalent of X-Frame-Options in CSP as well. So a properly configured CSP might actually save you – very cool!

Security and the SDLC: Integrating application security in developer environments

As we wind down the end of the year, I thought it would be good to talk about some big thinking in regard to vuln classification and prioritization. There are two common overlooked issues when enterprises attempt to secure themselves:

1. Once a company finds out about a vulnerability, how do they track it? A company can end up with tens of thousands of vulnerabilities or more if their environment is large and complex enough. And we’re not talking about false positives – I mean real, remotely exploitable vulns.
2. How do you ensure the vulnerabilities actually get fixed? Just because you find a vulnerability doesn’t mean your developers know about it, or know to prioritize it, etc. And what if they just claim that it’s fixed…?

The problem is scale. Any off the shelf scanner will work fine when you’re talking about one app, or a few apps. But where they fall down is when they have to scan hundreds or thousands of apps. Not only do companies not have the manpower to manage all of those scans, and the associated credentials, but even if they did, they’re left with a huge homework assignment – transcribing thousands of vulns into some system that the developers know to look at.

Integration with some sort of case management system, therefore, is a critical component of SDLC (software/security development life cycle) integration. It’s not just a nice-to-have checklist item – if you aren’t doing it, vulns are getting lost, and that’s just a fact. Worse yet, if you don’t have bi-directional communication, vulns can get closed and then you’ll end up opening a new ticket every time you scan. Knowing which vuln corresponds to scanner findings allows you to see when a developer just wants to close a few tickets before 5PM on Friday. When the vulns all re-open on the next scan-run you’ll know who is just trying to game the system and therefore which developer/QA engineers are leaving you unnecessarily vulnerable.

Then you have the whole issue of vuln priority. Without knowing something about the systems in question you could inadvertently prioritize a vuln on an internal device ahead of something that is in production. Scanners are ultimately dumb (yes, it’s true, no matter how much we like to pretend they’re not) and they need to be told how to think about the environment. If your scanner can’t take in information from systems like Archer or similar GRC (Governance Risk Compliance) tools, to know how important a site is, it’s entirely possible that you’re fixing the wrong issues in the wrong order. It’s putting your company unnecessarily at risk and wasting resources in the process.

There is a real art to making sure you are looking at the correct vulns. The more you think about it, the more you’ll probably agree this is the right path forward – adding in all sorts of additional/useful criteria. For instance, knowing how much a site is getting attacked is useful. Knowing which sites take and store PII (personally identifiable information) is useful. Knowing which sites live in the DMZ (de-militarized zone) together is useful. All of those things can help you prioritize and stop wasting time on vulns that either don’t matter because they’re nearly impossible to exploit or are less critical because they are protected by other controls.

There’s obviously a lot more to it, but this should be a good primer on how to start thinking about vulns. If you want more information, we have several webinars that go into this in more gory detail. Either way, if you aren’t spending time identifying your assets and prioritizing them, you’re wasting time and money – and who’s got that?

#HackerKast 28: Unicode Chrome Crash, Brain Waves, Top 10 Web Hacks, PWN2OWN, Wind Turbine CSRF, TLS certificates

Hey Everybody! Thanks for checking out this week’s HackerKast! We’ve got some fun stories this week that were a good time to chat about.

First we mentioned a bit of a concerning story but also an amusing one. There was a little magic string of Unicode characters that would crash Chrome completely when viewed. This had to do with some language libraries that were installed locally that didn’t play nicely together. Robert, being the hacker he is, couldn’t resist but putting this string of characters in a Facebook status and tweet. He got a lot of hate mail. (Oh and if Chrome crashes while reading this post, you should really install updates ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ).

Now we all love when security topics get themselves out of the echo chamber, but I think this next story is fairly unique as to what industry it popped up in. Turns out some biology research went on when some scientists decided to perform an MRI of people while they were browsing the web. We all know users just click things to get them out of the way but it turns out there is a biological reason for this! Certain parts of the brain actually turn off and become inactive on the MRI when the users were viewing security warnings, like the ones for invalid SSL certificates. Now we can all collectively say that security is making people brain dead.

Finally my life is a bit back to normal as the Top 10 Web Hacks talk is complete and published. For those of you who missed the webinar you can check it out here: Recording. I went through the run down of what this talk is and touched on a few of the interesting pieces of research that made the list in the video. I’ll also be giving the talk again in person at RSA for all of you there! Check it out.

Next, we talked a bit about PWN2OWN contest up at CanSecWest this year. All major browsers fell by the 2nd day of trying. For those unfamiliar, PWN2OWN is basically an 0-Day contest. Show up and own a box completely by navigating an up to date browser/OS to a website. One researcher scored a total of $225K in a single day for his exploits. That is some serious 0-day cash! Jeremiah also mentioned, as he does every now and then, his idea of a PWN2OWN category that rewards bugs found via AntiVirus software. Owned by the software you installed to protect yourself.

Another fun one I touched on next was a vulnerability that was found in an actual wind turbine. This turbine, for whatever reason, has a web admin portal. The portal was vulnerable to CSRF via an HTTP GET request to force a credential change for the admin account. Once credentials are changed, the attacker can completely control the turbine and even stop it from generating power.

The last story we touched on was a complicated story about SSL/TLS certificates where Google was warning this week that some unauthorized TLS certs were trusted by almost any Operating System. Robert goes into the technical details here for those interested listen up! The cliff notes is that if you are in Egypt, you should watch what you say online, especially while using Google via Internet Explorer. FireFox and Chrome’s certificate pinning helps a bit here if in use so those should be slightly better off.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Crashing Chrome Tabs with Unicode
MRIs Shows Brains Shutting Down With Security Prompts
Top 10 Web Hacking Techniques of 2014
All Major Browsers Fall At PWN2OWN Day 2
Wind turbine blown away by control system vulnerability
Google warns of unauthorized TLS certificates trusted by almost all OSes

Notable stories this week that didn’t make the cut:
North Korea Web Outage Was Response To Sony Hack, Congressman Says
China Admits To Having a Hacking Group
Cisco to Ship Boxes to Empty Houses To Evade the NSA
Kapersky Being Accused Of Ties To Russian Military
No password or PIN, but I have a fake ID. Sure, take the domain
FREAK uses Similar Modulo Attacks
Brute Forcing IOS Screenlock
Need a security expert? Hire a coder

Top 10 Web Hacking Techniques of 2014

UPDATE – 3/19, 11:00 a.m PT We have our Top 10 list folks! After weeks of coordination, research, voting by the community and judging by our esteemed panelists, we are pleased to announce our Top 10 List of Web Hacking Techniques for 2014:

  1. Heartbleed
  2. ShellShock
  3. Poodle
  4. Rosetta Flash
  5. Residential Gateway “Misfortune Cookie”
  6. Hacking PayPal Accounts with 1 Click
  7. Google Two-Factor Authentication Bypass
  8. Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
  9. Facebook hosted DDOS with notes app
  10. Covert Timing Channels based on HTTP Cache Headers

Congratulations to all those that made the list! Your research contributions are admired and should be respected. And a special thanks to everyone that voted or shared feedback. Also, for anyone that would be interested in learning more about this list, Johnathan Kuskos and I will be presenting the list at RSA in San Francisco next month. Come check it out!

Agree with the list? Disagree? Share your comments below.

Every year the security community produces a stunning number of new Web hacking techniques that are published in various white papers, blog posts, magazine articles, mailing list emails, conference presentations, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and their mobile platform equivalents. Beyond individual vulnerabilities with CVE numbers or system compromises, we are solely focused on new and creative methods of Web-based attack. Now in its ninth year, the Top 10 Web Hacking Techniques list encourages information sharing, provides a centralized knowledge base, and recognizes researchers who contribute excellent work. Past Top 10s and the number of new attack techniques discovered in each year:

2006 (65), 2007 (83), 2008 (70), 2009 (82), 2010 (69), 2011 (51), 2012 (56) and 2013 (31).

Phase 1: Open community submissions [Jan 7-Jan 30]
Comment this post with your submissions from now until Jan 30. The submissions will be reviewed and verified.

Phase 2: Open community voting for the final 15 [Feb 2-Feb 20]
Each verified attack technique will be added to a survey which will be linked below on Feb 2. The survey will remain open until Feb 20. Each attack technique (listed alphabetically) receives points depending on how high the entry is ranked in each ballot. For example, an entry in position #1 will be given 15 points, position #2 will get 14 points, position #3 gets 13 points, and so on down to 1 point. At the end all points from all ballots will be tabulated to ascertain the top 15 overall.

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Phase 3: Panel of Security Experts Voting [Feb 23-Mar 19]

From the result of the open community voting, the final 15 Web Hacking Techniques will be ranked based on votes by a panel of security experts. (Panel to be announced soon!) Using the exact same voting process as Phase 2, the judges will rank the final 15 based on novelty, impact, and overall pervasiveness. Once tabulation is completed, we’ll have the Top 10 Web Hacking Techniques of 2014!

Prizes [to be announced]

The winner of this year’s top 10 will receive a prize!

Ongoing List of 2014 Hacks (in no particular order)
TweetDeck XSS
OpenSSL CVE-2014-0224
Rosetta Flash
Unauthenticated Backup and Password Disclosure In HandsomeWeb SOS Webpages cve-2014-3445
CTA: The weaknesses in client side xss filtering targeting Chrome’s XSS Auditor
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Facebook hosted DDOS with notes app
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
Remote File Upload Vulnerability in WordPress MailPoet Plugin (wysija-newsletters)
The PayPal 2FA Bypass
AIR Flash RCE from PWN2OWN
PXSS on long length videos to DOS
MSIE Flash 0day targeting french aerospace
Linskys E420 Authentication Bypass Disclosure
Paypal Manager Account Hijack
Covert Redirect Vulnerability Related to OAuth 2.0 and OpenID
How I hacked Instagram to see your private photos
How I hacked GitHub again
Residential Gateway “Misfortune Cookie”
Recursive DNS Resolver (DOS)
Belkin Buffer Overflow via Web
Google User De-Anonymization
Soaksoak WordPress Malware
Hacking PayPal Accounts with 1 Click
Same Origin Bypass in Adobe Reader CVE-2014-8453
HikaShop Object Injection
Covert Timing Channels based on HTTP Cache Headers
Bypassing NoCAPTHCA
Delta Boarding Pass Spoofing
Cryptophp Backdoor
Microsoft SChannel Vulnerability
Google Two-Factor Authentication Bypass
Drupal 7 Core SQLi
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Reflected File Download
Misfortune Cookie – TR-069 ACS Vulnerabilities in residential gateway routers
Hostile Subdomain Takeover using Heroku/Github/Desk + more: Example 1 and Example 2
File Name Enumeration in Rails
Canadian Beacon
setTimeout Clickjacking

Click here to vote for your favorite web hacks of the year! ***CLOSED***

Final 15 (in no particular order):
AIR Flash RCE from PWN2OWN
Belkin Buffer Overflow via Web
Apache Struts ClassLoader Manipulation Remote Code Execution and Blog Post
Advanced Exploitation of Mozilla Firefox Use-After-Free Vulnerability (Pwn2Own 2014) CVE-2014-1512
Covert Timing Channels based on HTTP Cache Headers
Canadian Beacon
Cryptophp Backdoor
Hacking PayPal Accounts with 1 Click
Google Two-Factor Authentication Bypass
Facebook hosted DDOS with notes app
Rosetta Flash
Residential Gateway “Misfortune Cookie”

#HackerKast 27: SXSW, Copy Magic Paste, Tinder AI, GTA V, Mystery SSL Fix

Hey everybody! Quick recap this week as we are gearing up for the Top 10 Web Hacks Webinar (Which you can register to watch here)

Robert and I just got back from SXSW this weekend and that was a very interesting experience. My first big trade show floor that wasn’t security related. Tons of interesting stuff floating around Austin this week!

First story we covered was about a Copy Magic Paste trick that Robert found from the SEO crowd. This idea started as a way for websites to force citation for people stealing content but Robert was talking about the possibility of utilizing this to sneak javascript in places.

Next, I touched on a fun Tinder story from SXSW where a movie about AI used a robot Tinder profile to match with people at the conference and after a short conversation the bot would point the person they tricked towards an Instagram promoting the movie. This brought up a lot of topics related to AI that were floating around the conference which Robert has a ton to say about.

A quick fun logic flaw in GTA V wound up with some real $ consequences. Jer and I love logic flaws, they feel like hacking without hacking. This was a pretty simple, make an in game car for a few thousand in game dollars and sell it for about 10x that. The writers of this article did the conversion on how much money real world this would turn into and it seemed people could make about $5 every 20 minutes. If this could be automated it would’ve been some nice passive income.

Jer talked about a new exciting story that we are all very hopeful about, Yahoo Mail end to end encryption. Alex Stamos, CISO over at Yahoo, announced a new program to use end to end encryption in their webmail client. The big question here is how usable this will be. If it is as usable as PGP, we probably won’t see a huge uptick in adoption. We’ll be watching this closely as it has huge potential.

Lastly we touched on a “mystery” SSL fix from the OpenSSL community. A mailing list announcement mentioned some new version patches coming out that fix a high severity vulnerability. We don’t have much detail here but once we do know, it will be pretty interesting. In the wake of Heartbleed, we are all a bit nervous when OpenSSL is mentioned in the context of vulnerabilities.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Copy Magic Paste Modifies Copy Event on your Website
Tinder Users at SXSW Are Falling For a Robot
Grand Theft Auto Logic Flaw Leads To Real Money
User-Focused Security: End-to-End Encryption Extension for Yahoo Mail
New Mystery SSL Fix To Be Released Thursday

Notable stories this week that didn’t make the cut:
Strange snafu hijacks UK nuke maker’s traffic, routes it through Ukraine
Microsoft Is Killing off the Internet Explorer Brand (now called Spartan)
Chromium to Block RFC1918 (Probably)

#HackerKast 26: Rowhammer, uTorrent bitcoin trojan, Chrome Same Origin Policy Bypass

Hey Everybody! Hard to believe we’ve done 26 of these already. Hope you’re having as much fun watching/listening to these as we are having while making them!

First and most importantly this week we HAD to cover Rowhammer. For those of you who haven’t heard, the latest research to come from some smart folks over at Google is pretty scary. This creative attack has to do with circuits in memory being lined up in specific rows (hence “Rowhammer”). By sending different signals to these circuits, these researchers were able to predictably flip certain adjacent bits which would allow for privilege escalation. Robert goes into way more detail so listen up if you’re interested!

Next, I touched a bit on the recent uTorrent debacle. For those of you who use the popular torrent software, beware of the latest update! It comes with a bit of a surprise piece of software. Where I come from, we call that a trojan. Anyway, this time they included a Bitcoin miner called Epic Scale. This of course would cause your performance on your machine to suffer, along with your electric bill. All the while making uTorrent some cash. Not trivial to uninstall this whole mess either, so needless to say, people are pissed.

Finally we finished up with some more great research, this time having to do with a new Chrome Same Origin Policy bypass. This one was super creative and had similar lines of thought from the Pixel Perfect Timing research from last summer because it utilizes some SVG tricks. The researcher will set up a malicious page, source in an image from an external page, and then via javascript can read the image data by jumping through a few hoops. This could be utilized for login detection, private photo snooping, etc.

We didn’t feel like squeezing FREAK into a HackerKast with other stories, so we’ll give it the time it deserves soon. (I know there is some AppSec junkie somewhere out there wondering why we left it out!)

Thanks for listening! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Beware, μTorrent is installing a Bitcoin miner software
Chrome SOP Bypass with SVG (CVE-2014-3160

Notable stories this week that didn’t make the cut:
To protect itself from attack, Estonia is finding ways to back up its data
Stop the presses: HTTPS-crippling “FREAK” bug affects Windows after all
Where there’s a will, there’s a way – The Ambassador who worked from a Nairobi bathroom to avoid State Dept. IT
The CIA Campaign To Steal Apple’s Secrets