Web Security for the Tech-Impaired: Passwords that Pass the Test

In my last post, “The Dangers of Email”, I explored ways that folks who are less than technically savvy can practice good email security hygiene. Today we’ll get into a somewhat controversial subject: passwords. You use them every day to log in to your bank account, credit card, Amazon — the list goes on and on. You probably log in to a few websites every day, but how often do you think about that password you’ve chosen? Password security is a hot-button topic and everyone has their own suggestion about what constitutes a good, strong password. This post will help guide you to a relatively secure password.

Your password is your key to your online accounts. It’s the ID you create to prove that you are who you say you are in a digital world. As humans we tend to make passwords that are easy to remember. If you forget your password you are often walked through a difficult series of steps to recover it, from answering security questions to calling a support line. To skip all that headache we often create passwords that are pretty easy to guess, and we use those passwords for all our accounts. This makes it very easy for an attacker to gain access to all your accounts. If one site where I use that password is compromised and my password is leaked, the attackers now know my password for every single account I’ve created. No matter how quickly I change those passwords I will most likely miss or forget one. This is why it’s a good idea to use a variety of passwords. Very secure folks will create a different password for every account they create. I would recommend that at the very least you create separate passwords for your sensitive accounts (your bank account, credit card, 401k, and so on).

Now the question is, what is considered a good password? It might surprise you to know that modern computers can ‘guess’ passwords quite quickly, often going through millions of potential passwords a day. Passwords that are just words are incredibly weak passwords that can be guessed quite quickly. Short passwords are also out. Most experts agree that passwords should be at least 12 characters long. To make it harder to break, your password should contain a mixture of upper case and lower case characters, numbers, and special characters (such as !, @, #, $, ?). It’s also a good idea to vary where these characters are placed. A friend of mine recently played ‘mind reader’ with some colleagues of mine. He had them think of a password of theirs. He then guessed that the first part of the password was a word of about 8 characters. That word is then followed by two numbers. The last character of the password is a special character. They were dumbfounded. Yes, the human brain works the same for all of us. As we’re asked to do more and more things to our passwords we simply tack them on at the end. This is a pattern that hackers know about and will exploit.

So to sum up, here are some tips to help you practice good password habits:
1) Use a different password for all your important accounts. To win a gold star use a different password on all accounts.
2) Your password should be no fewer than 12 characters.
3) Use a mix of lower case, upper case, numbers and special characters.
4) Don’t use the very common sequence of word-number-special character. Mix up where these are placed in your password.
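The four tips above, turned into a small checker. This is an added example written for this post, not code from the original, and the sample passwords in it are constructed. It generalises tip 4 slightly: it flags any password shaped as letters, then digits, then special characters on the end, not only the 8-letters-2-digits-1-special shape from the ‘mind reader’ story.

```python
import re
from typing import Dict, List

MIN_LENGTH = 12  # tip 2 from the post

# Tip 4, generalised: a word, then a run of digits, then special characters,
# and nothing else. This is the shape people produce by tacking each new
# requirement onto the end of a word.
TACKED_ON = re.compile(r"^[A-Za-z]+[0-9]+[^A-Za-z0-9]+$")


def check_password(password: str) -> List[str]:
    """Return the names of the post's rules that the password fails.

    An empty list means tips 2, 3 and 4 are satisfied. It says nothing
    about whether the password is a famous phrase or has already leaked,
    which is exactly the gap the password-cracking post below describes.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(not c.isalnum() for c in password):  # anything non-alphanumeric
        failures.append("special")
    if TACKED_ON.match(password):
        failures.append("tacked-on")
    return failures


def shared_passwords(accounts: Dict[str, str]) -> List[List[str]]:
    """Tip 1: group account names that share the same password.

    Input maps account name -> password. Returns only the groups with more
    than one member (each sorted), i.e. the accounts a single leak exposes.
    """
    groups: Dict[str, List[str]] = {}
    for name, password in accounts.items():
        groups.setdefault(password, []).append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    # Constructed sample passwords, none of them real.
    for sample in ("password", "Summertime29!", "7tie-Bow%crane2"):
        print(repr(sample), check_password(sample) or "passes tips 2-4")
    print(shared_passwords({"bank": "a1", "mail": "a1", "forum": "b2"}))
```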

Again, I urge our readers to feel free to forward this post on to friends or family that may benefit from these tips. Many in the security industry often forget that most consumers are less technically savvy, and therefore less security aware, than we are. This series is designed to help you, help them.

#HackerKast 22: PCI says SSL is Dead, Delete all photos on Facebook, 10 million passwords leaked, Pinterest bans affiliate links, Jeb Bush Facepalm, 40,000 Vulnerable MongoDB instances, Russia Bans VPN & Tor

Hey everybody! Welcome to this week’s HackerKast – Episode 22! We are Jeremiahless again this week so it is just Robert and myself covering a ton of news!

Some big news came out of PCI land this week where they are announcing that no form of SSL is good enough anymore. TLS or bust apparently to pass PCI compliance. This is pretty huge and will really force a lot of people to shape up or ship out. It also brings up some interesting points about hard breaking a portion of websites for the greater good of the Internet, which has been a contentious debate lately especially with browser vendors. For those interested in the future of SSL/TLS on the web, one of the best talks I saw last year was by Brian Sniffen of Akamai who is part of the team working on implementing TLS 1.3. Highly recommend you watch the talk: Here.


Next, we always like talking about interesting bug bounty disclosures & payouts, and this one from Facebook fit the bill. A researcher was awarded $12,500 for a nice bug whereby he proved he could delete any photo album on Facebook he had access to. By access I mean any public photo album or one of his friends’ albums that he had permission to see. It was a pretty simple DELETE request sent without any authorization checks at all that would just process the deletion of the entire photo directory.


Robert found a story about a juicy list of usernames and passwords that were dumped publicly. The researcher posted a list of 10 million, yes million with an M, username/password combinations. This is a huge list and we aren’t clear where they came from. The person who posted this was clearly concerned for their safety from law enforcement on this.

Moving along, Pinterest dropped a bomb this week that it was banning affiliate links, redirects, and trackers site wide. This seems to be in a war against spam and scams on its site but has some real user repercussions that they will most likely get pushback on. We always love the moves by big websites to make decisions that will hurt users in the short term but make them more secure in the long term.


We couldn’t get away with not laughing about the facepalm of the week brought to us by Jeb Bush. He decided it would be a good idea to post the entirety of his email from the late 90s, early 2000s while he was governor. This was under the guise of being as transparent as possible but had the unintended consequence of publishing TONS of sensitive information about people who wrote to him. Addresses, telephone numbers, etc. of people writing to their Governor but Robert also found tons of politically sensitive stuff that probably shouldn’t be out there. Under 1 TB of emails is out there forever now though.

MongoDB is a hot topic among a lot of technology circles nowadays but has had some limited security rumblings about it. As these types of databases get more popular we are bound to find some serious security issues. This week somebody used the power of Shodan to find 40,000 vulnerable MongoDB instances floating around on the Internet at large. There was no real vulnerability in MongoDB disclosed here, just some serious omissions in a lot of popular documentation which didn’t lead people to put any sort of access control or encrypted communications in place. Robert’s lesson of the day here is to use at least *some* security when installing things.

Lastly we let Robert talk about a few of his favorite things again, Russia and Tor. At least it wasn’t China right? Anyway, it looks like Russia is proposing a ban on all VPN services and the use of Tor country wide. This would be an interesting move for an entire country to say the least. The other notable piece to this puzzle is that these bans would of course be avoidable but it would make it much more inconvenient to use these services. The Internet finds a way though.

Thanks for listening everybody! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Some guy figured out how to delete “every” photo on Facebook
Pinterest Bans Affiliate Links, Redirects and Trackers Across Entire Site
40,000 MongoDB Instances Found Open and Vulnerable
Ten Million Passwords
Jeb Bush Email Dump
PCI considers SSL Dead
Russian Ban on VPNs and Tor

Notable stories this week that didn’t make the cut:
Lawmakers Call for Investigation on Verizon SuperCookies
NSA may be Trolling You

#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story of the GCHQ, which is a British version of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape Twitter feeds of hacker types in order to get some information about who was breached and other valuable tidbits. Jer and Robert were a bit sad they were left off the list and aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and the users’ information they were storing was stolen. We don’t know much about this breach but of course the attribution game is being played and China is being blamed. We really just don’t know much but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime-related hack.

Next, in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new but the size here seems to be staggering. Robert is talking about $4 billion annually in fraudulently filing taxes on behalf of people and taking their refund. We are talking $3k on average per refund, just multiplied by tons of people. The motivation for TurboTax to fix this is a bit weird because they actually get paid to process the refund, fraudulent or not. Since this is making so much news they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money it has been causing them to lose. Since Sony is public they need to file their earnings for the quarter, which is now bringing some of the costs of the breach to light. It looks like $15 million is the magic number it cost them for just investigation and response. Before I read the specifics of what this covered I thought the number was WAY low, but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for Gnu Privacy Guard, a tool that the Internet highly relies upon for secure communications. Koch was one of the early proponents of free software but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause, including Facebook and Stripe pledging $50,000/year each. Score one for the good guys!

Lastly we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps waiting to get prompted for a rating and then giving them a high rating. This helps get the app to the top rated list which will in turn get more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around this will keep happening. Jeremiah made the comparison of CAPTCHA cracking farms but for App ratings which I thought was a good one.

Ended with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds
Anthem and Turbotax Hack
Sony Hack Has Cost Its Business $15M So Far
Data Breach at Health Insurer Anthem Could Impact Millions
Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash
Iphone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:
NSA Using Disclosed Hacker Data
Uber Lost and Found DB left open
Fancybox WordPress Vuln
Meanwhile TrueCrypt is Replaced by VeraCrypt

How to Get Accepted at Blackhat

One of the most common things I get asked as part of my Review Board for the Blackhat security conference is, “How do I get my submission accepted?” It’s a fair question and it’s understandable how it would appear to be a total black box. But there are actually a fairly clear set of criteria that the board uses. We aren’t strict about these rules, which can vary from Review Board member to Review Board member. However, this is a pretty good list of things to think about when you’re submitting a talk:

  1. Make sure your content is original. This might seem obvious but it apparently isn’t to the vast majority of people who submit talks to Blackhat. Most of the submissions we receive are actually just re-hashes of other people’s presentations, either blatantly or inadvertently. Quite often people will try to package it as if they were the first ones to find it, even coming up with their own acronyms. This is a pretty sure-fire way to get rejected.
  2. Make sure your content impacts a lot of people. This is also often called the “marketing” requirement. Blackhat needs to get people to care about your presentation. If your wonderfully researched presentation filled with interesting technical detail impacts you and your friend but no-one else in the world, frankly, we applaud you, but we can’t fill a room with a presentation like that. Ideally your research should impact everyone, but think big. If your parents wouldn’t care if they saw the impact of your research on the news, chances are no one else will either.
  3. Make sure you fill out the CFP completely. If you forget to fill fields out, we will reject you. So don’t leave anything blank.
  4. Make sure you fill out the CFP correctly. Your outline matters. The tags you use matter. When we ask you why this would be a good presentation don’t tell us because you like Blackhat. We appreciate that, but it’s important for you to actually answer the question. We read everything.
  5. Make us understand what you actually want to present. This might actually require some work on your part. We might be too dumb to grok your genius without some pretty pictures. But the short of it is if we don’t understand what you’re trying to say, we might assume you don’t either. Outlines are important for us to understand the flow of your presentation and see what kind of guidance we might want to give you. Make sure your outlines are as detailed as you can get. Don’t be afraid of writing a lot, we’ll read it.
  6. Respond to the board when they ask questions. If you don’t reply to us, we may have to assume you’ve gone radio silent and aren’t interested in talking anymore. If we ask you a question and you do respond, please respond with as much detail as possible. We often have to get clarity on the vulns you’re sending us to make sure there isn’t overlap with existing research or other people who are presenting. Don’t worry, we keep our mouths shut – we’re all under confidentiality agreements.
  7. Demos, tools and 0days are much beloved. If you have a demo, that’s great. If you’re going to actually release (not just show) a tool, that’s even better. But the best is when you give us 0day. That always draws a crowd! Unfortunately the harsh reality is that offensive research always draws more asses-into-seats than defensive research. However, we are going to start having a defense-only track just for people who are interested in it. But if you say you’re giving us an 0day and then tell us that you told the company and it’s now been fixed, that’s not exactly an 0day now is it? Call it what it is, a non-issue for anyone who has patched.
  8. Make sure you speak the language, or get a translator. We definitely want people from all over the world to come and present. But please make sure that you are fluent in the language, and feel confident you can deliver your presentation without reaching for the words. Worst case, we’ll get you a translator, but we need you to tell us that you need one.
  9. Make it technical. Technical presentations are the cornerstone of Blackhat. If you aren’t technical, you’ll have to really step up your game to get past that threshold. Keynotes, for instance, don’t have to be technical, and some legal discussions can miss that too. But you really should try to submit a talk that is technical. Don’t underestimate how technical the audience can be. At the same time, you’ll need to explain yourself to those who aren’t as technical. So make sure you understand it well enough to explain it to your audience when they ask questions.
  10. Don’t submit a sales pitch. If you are selling product, great. If you work for a company, great. If you give a presentation about your product features and your client list and pricing, etc… you’ll never speak at Blackhat again. If we get a whiff of you submitting a talk that is a sales pitch, you’ll get rejected. We really really don’t like that. Really.
  11. Don’t spam the review board. Occasionally someone from some big company gets the crazy idea to submit dozens of presentations that are all the same or almost all the same. You spent countless hours doing the research and writing up all of those submissions and we rejected all of them without reading any of them in 10 seconds. Don’t do it.
  12. Don’t ask for 3 hours when you can do it in 15 minutes. This is a tough one because so many presentations could go on forever with all of the issues related to them, but when in doubt go to the shorter time slot. We have more of the shorter slots so you’re more likely to get approved. If we see something is three hours we will do about three times the scrutiny of a one hour submission. It’s a big commitment to give someone a room for three hours, so if you’re going to ask for it you had better be able to back that up with three solid hours of good research.
  13. Be entertaining. Some people are just awesome. They’re charismatic, funny, well spoken, or just have amazing slides. Be that person. It helps.
  14. Don’t mess up! Just because you got accepted to Blackhat doesn’t mean you are instantly a hero. It’s actually probably the hard-swallow followed up by a “Dear lord, what have I just signed myself up for” moment. You now need to spend between 2-4 months to get your research in order. People who don’t put that much time in almost always come across as under-prepared. People who don’t practice their presentation will naturally score lower. The reason you see researchers coming back to do more than one presentation is because they did good research and presented well. If you mess up you’ll probably never be speaking at Blackhat again, or at least not until you up your game. I am proof that Blackhat forgives — I gave a not-so-hot presentation when I was very young — but my advice would be to not mess up in the first place.

Occasionally when I tell people what they need to do, they say things like, “I don’t really have anything that would get past that gauntlet.” To which I have to tell them the hard truth is that we get many hundreds of submissions and reject most of them. Yes, some people are destined to never speak at Blackhat. But there are many other conferences out there for less-technical content.

I’m on several other review boards as well for other conferences, and for the most part these rules all still apply, with the exception of the types of presentations that we’re most interested in. So this is a fairly good rule of thumb for all up-and-coming presenters. We love new presenters. Some of the best presentations I’ve ever seen were by untested new presenters, so don’t think that you have to be a seasoned old-timer to get into Blackhat or really any conference. Just make sure you’re as awesome as you can be! Also, be sure to check out Jer’s thoughts on the same topic for his take on things you should be thinking about.

That said, please submit!

#HackerKast 20: Internet Explorer Universal XSS and Same Origin Policy Bypass, Browser DDoS via DNS Spoofing, HackerOne Bug Bounty Vulnerability

Hey everybody! Slow news week this week so we sent Jeremiah to Germany…. in the winter. Poor Hawaiian!

Anyway, we started this week off talking about a really cool bug in Internet Explorer. This vuln is a Universal Cross Site Scripting (XSS) bug that also bypasses Same Origin Policy and works in even the latest IE version 11. That is a mouthful and it’s all bad. What this means is that by abusing iFrames, an attacker could execute XSS in any site they want via your browser. Websites could be doing everything completely right, but if they aren’t using the X-Frame-Options header properly then an attacker can effectively do anything they want on those sites. Bad day to be an IE user or an IE developer for sure.

Next I passed it over to Robert to talk about a few of his favorite things, Denial of Service, browser security, DNS, and even China! If Robert was playing a game of Bingo of the things he likes to talk about, this next story would definitely be on the game board. This week a company noticed a massive spike in traffic coming from China and all going to weird URLs. With the information we have, it looks like somebody was poisoning DNS and making requests originally destined for other websites all pointing at a single website. Interesting DDoS vector! The solution applied was to block the IP addresses which, as Robert shares, is a really bad idea. He also discusses the fact that we probably have a bunch of research to do around browser-based DoS in the future.

The last story we ended up talking about was a fun bug disclosure from HackerOne today, which also has a really cool PoC cherry on the cake to check out. For those unfamiliar, HackerOne organizes a bunch of bug bounty efforts for lots of different websites including their own. This particular bug has to do with the abuse of an ineffective escaping method for the “\” character. The timeline is over on the HackerOne website and you can see how the researcher figures out how to make this bug progressively more severe. He started with just editing some HTML, including spoofing a profile picture or style sheet, but he ends up figuring out he can use a tag to immediately redirect a user to a potentially evil site. At that point he can utilize phishing, drive-by malware downloads, all sorts of JavaScript attacks, etc. Even possibly take advantage of a Universal XSS SOP bypass in IE 11 to bring it full circle. Kudos to HackerOne for fixing this in about a day and also publicly disclosing the information and the fact they paid out $5,000 for the bug.

Ended today’s session with some shameless self promotion of my Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year as this is the completely community-driven part of the process!
Blog outlining the Top 10
Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio-only version for your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
IE UXSS Bypass 1
IE UXSS Bypass 2
IE UXSS Bypass3
Browser DDoS via DNS Spoofing Coming from China
Fun bug disclosure from HackerOne today

Notable stories this week that didn’t make the cut:
Possible New Origins of the Word “Hack”
Web-RTC leaks VPN origin IPs
UK National Health Service – Tons of Vulns
Really cool PoC

#HackerKast 19: Pressable Slowloris Attack, GoDaddy CSRF, Decloak Tor Hidden Services via SSH, LizardSquad Hacks Malaysian Airlines, GHOST Vulnerability

Welcome to this week’s HackerKast everybody! This week Jeremiah and I were lucky enough to be shooting this episode beachside while at AppSecCali down in Santa Monica. Poor Robert was stuck at home but I was happy to pull a Jeremiah and have palm trees behind me just like he does while he is in Hawaii.

This week we started with a story near and dear to Robert’s heart about a Slowloris Denial of Service attack on Pressable. Near and dear since Robert is the father of this type of DoS attack. Pressable is a big WordPress provider – I know, I know, we just can’t leave WordPress alone can we Internet? Slowloris is pretty easy to defend against if you are trying to but a lot of default web servers, such as Apache, don’t enable such protections. This DoS attack lasted 4 or 5 days and caused Pressable to lose tons of customers. Robert talked about popular defenses in the video if you are interested in that. We also briefly mentioned a new tool called CapTipper that is a malicious HTTP traffic explorer which could be used to help dig into information if you are undergoing one of these attacks.

Next, I talked about a GoDaddy CSRF vulnerability that was disclosed which was pretty nasty, not to mention scary to think about how long it might have been around. For those unfamiliar, CSRF is when an attacker can force a user’s browser to make requests on their behalf. This is particularly bad news for GoDaddy since an attacker would have been able to force an authenticated user to change their nameservers, auto-renew settings, and edit the DNS zone file. This combination would be deadly in forcing a website to point towards malicious servers, or even turning off auto-renew to snipe domain names away from GoDaddy users. This was disclosed and fixed in 3 days, which is VERY impressive considering the average time to fix for most companies is much longer than that.

We seem to be talking about Lizard Squad (Mafia? Crew?) lately and this time they went after Malaysian Airlines. They attacked the airline’s DNS servers and forced the page to redirect to a page that said “404 Plane Not Found.” We see these DNS server attacks more and more lately as it is seeming to be a bit of an easy target instead of going after the websites themselves.

Another topic this week near to Robert’s heart was a new way to identify Tor hidden services via SSH Fingerprints. What some researchers have done is scan the internet for open SSH services, grab the fingerprint off that and then compare the fingerprint to a Tor Hidden service and decloak the real IP address of the site. This technique could be used for other purposes such as websites behind Akamai or CloudFlare who don’t want their real IP public.

The last story we covered this week is a new vulnerability called GHOST. It seems like it could be serious, and while we haven’t had a lot of time to research it we had to mention it. It has a name and is branded so it must be super serious, right? We’ll most likely do a follow-up post about this, but if you are interested in this vulnerability, it seems to be a glibc buffer overflow in DNS resolvers. More soon!

References:
Pressable Slowloris DoS Outage
Taking over Godaddy Account using CSRF
Malaysian Airlines DNS Redirected (404 Plane Not Found)
Using SSH fingerprints to identify Tor hidden Services
GHOST Vulnerability – glibc buffer overflow in DNS resolver

Notable stories this week that didn’t make the cut:
Flash 0day in the wild
CapTipper – Malicious HTTP traffic explorer tool
Nearly every US Arms Program Found Vulnerable to Cyber Attacks
China Cracks Down on VPN Services After Censorship System ‘Upgrade’
FBI Seeks To Legally Hack You If You’re Connected To TOR Or a VPN
Oracle/Java vulnerabilities
Referrer Changes in W3C
Healthcare.gov or 3rd Party Vendors may run Afoul of new CFAA rules

#HackerKast 18 Bonus Round: Password Cracking

Hey Everybody! Thanks for checking out this week’s bonus footage. We like to do these to not just focus on current events but to also get our hands dirty with some technical demos. This week, we decided to talk about password cracking.

You hear news stories all the time about passwords being stolen and you may have heard of password hashes being cracked. What this means is that somebody got a hashed copy of a lot of passwords out of a database and are running programs against it to get the plain text password out.

For those of you familiar with password cracking this will be super boring but we decided to actually show what this looks like for those who haven’t seen it. I decided to use John the Ripper for this demo but could have used a ton of others like OCL Hashcat. Kali Linux has a few of these installed by default for those who want to play.

Since we are web app guys here at WhiteHat I decided to pick on some password hashes that make sense in our world, WordPress. Most password cracking demos you’ll see are running against local machine password files so instead of that I made a few of my own WordPress password hashes. The giveaway showing that these are WordPress hashed passwords is that they use a PHPass algorithm which results in a hash that always starts with $P$B.

The passwords I chose were pretty easy ones, just to prove to you guys how easy cracking easy passwords is. Anything in the top couple of thousand most-used passwords will be cracked in seconds with the help of a word list, as you’ll see in the video.

The other major point I wanted to make is that seemingly “good” passwords that follow all the rules of a website’s password strength requirements can actually be pretty weak. The example I used was “Jeremiah29:11”, which as a password passes most requirements. It’s over 8-10 characters, it has upper and lower case letters, numbers, and special characters. Seems great, right? Well, since it is a popular bible verse, this took less than 30 min. to crack on my laptop and would take seconds on a computer built for password cracking.
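To show what is behind the `$P$B` hashes in the demo, here is an added Python implementation of the PHPass portable hash that WordPress uses for its passwords. It is example code written for this post, not the video’s, WordPress’s or John the Ripper’s code. The `B` after `$P$` is the work factor: it is index 13 in PHPass’s alphabet, so the hash is 2^13 = 8192 rounds of MD5, which is why a laptop can test a popular phrase like the one above so quickly.

```python
import hashlib
import hmac
import os
from typing import Optional

# PHPass's own base-64 alphabet ('.' and '/' first, unlike standard base64).
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def encode64(data: bytes, count: int) -> str:
    """PHPass encode64: every 3 input bytes become 4 characters, little-endian."""
    out = []
    i = 0
    while i < count:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < count:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= count:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, salt: Optional[str] = None, count_log2: int = 13) -> str:
    """Produce a portable PHPass hash: "$P$" + work factor + 8-char salt + 22-char digest.

    count_log2=13 is what WordPress ends up with (PasswordHash(8, ...) plus 5),
    and ITOA64[13] == 'B', which is where the $P$B prefix comes from.
    """
    if salt is None:
        salt = encode64(os.urandom(6), 6)  # 6 random bytes -> 8 salt characters
    if len(salt) != 8:
        raise ValueError("PHPass salt must be exactly 8 characters")
    setting = "$P$" + ITOA64[count_log2] + salt
    pw = password.encode("utf-8")
    digest = hashlib.md5(salt.encode("ascii") + pw).digest()
    for _ in range(1 << count_log2):  # 8192 rounds for 'B'
        digest = hashlib.md5(digest + pw).digest()
    return setting + encode64(digest, 16)


def md5_rounds(stored: str) -> int:
    """How many MD5 iterations a stored $P$ hash cost to compute (its work factor)."""
    return 1 << ITOA64.index(stored[3])


def phpass_check(password: str, stored: str) -> bool:
    """Verify a password against a stored $P$ hash, the way a WordPress login does."""
    if not stored.startswith("$P$") or len(stored) != 34 or stored[3] not in ITOA64:
        return False
    count_log2 = ITOA64.index(stored[3])
    if count_log2 < 7 or count_log2 > 30:  # same bounds PHPass itself enforces
        return False
    salt = stored[4:12]
    candidate = phpass_hash(password, salt, count_log2)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    # Constructed example using the weak password from the video; salt is random.
    h = phpass_hash("Jeremiah29:11")
    print(h, md5_rounds(h), phpass_check("Jeremiah29:11", h))
```

The verification function does the same work an attacker does per guess, and 8192 MD5 rounds is small; a slow, tunable hash such as bcrypt or Argon2 is the server-side mitigation, and a password that is not a famous phrase is the user-side one.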

Check out the end of the video for some of our tips on secure password selection. Let us know what you think!

#HackerKast #18: Verizon Tracking Cookie, NSA tracking via mobile ads, hackers for hire, AppSec Program Quick Start Guide

Hey Everybody! Can’t believe we’ve done 18 of these. Let’s get right into it.

We started off this week by chatting a bit about Verizon. The headline kind of speaks for itself: “Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused? Yeah, Well, Funny Story…” Turns out Verizon will set a cookie in your browser and can track you across IP address, and all sorts of nastiness. Robert has some recommendations on how to work around this if you are worried about it. News flash, advertisers aren’t working in the user’s best interest.

Another news flash, NSA is tracking people. The newest revelation is that the NSA is using ads in mobile platforms to track users. This avenue is useful for them because the geo location is sent through a lot of these mobile apps ads so not only can they track users’ usage preferences but also physical location! Repeat after me, ads are bad.

Funny little website popped up recently called Hackers List. For those familiar with oDesk, this is the same thing but for hacking. This website is acting as a medium for people to post requests and a dollar amount for hacking services. Some of my favorite entries include “Change my grades – $300” and “Hack Facebook account ASAP – $200”, among others. We got into a bit of discussion of the legality of all of this and some possible loopholes that they are using to keep this website up and kicking. Consensus is that this will most likely be taken down, fast.

Finally, with some shameless self-promotion, we chatted about a new OWASP project started by a few of us WhiteHat folk called the Application Security Program Quick Start Guide. Our goal here was to give some quick rule-of-thumb points on starting an AppSec program from scratch. Nothing like this existed to our knowledge, so we tried to fill what we saw as a void. It is completely open-licensed and free to download, so feel free to use and abuse it! Check out our blog outlining it and let us know what you think!

Notable stories this week that didn’t make the cut:
How to protect yourself against Verizon’s Mobile Tracking
New York Post Twitter Feed Hacked – declares we are at war
Obama sides with Cameron in Encryption Fight
Against DNSSEC
Why Not DANE in Browsers
Someone in China MitM’d Outlook.com Traffic With Fake SSL Certificate
Reflected XSS in PayPal

References:
Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused?
New Snowden documents show that the NSA and its allies are laughing at the rest of the world
Hacker’s List allows you to hire a hacker anonymously and quickly
OWASP Application Security Program Quick Start Guide Project
5 Days to Setting Up an Application Security Program

Web Security For the Tech-Impaired: The Dangers of Email

Editor’s Note: The following post is the first in a series of blasts that we will be sharing for readers who are – or who know people that are – not technically savvy. We will touch on topics that we in the security community are very aware of and attempt to break them down into language that those who are not as internet skilled may understand. If you have suggestions for topics you wish for us to cover in this series, please share in the comments.

You’ve all been there. You open your email and your mom has sent you something. You see the two letters you dread: FW. Oh look, it’s an email with a link to a YouTube video about a cat who just can’t seem to figure out that the sliding glass door is a solid object. You contemplate sending back an email saying ‘Come on Mom, you should know to never ever click on links in emails,’ but you don’t want to ruin her fun — and more than likely she won’t understand WHY clicking on links in emails is a bad thing. You could try to explain it to her, but you’re afraid her brain will explode if you start talking about things like “Cross Site Scripting”. Well folks, I’m going to try and help you out. In this new blog series, I am aiming to provide tips and advice that you can share with your less-than-tech-savvy friends and family – whether it's your mom, grandpa, cousin Vinny or whomever. These are posts that I intend for you to FW: (uh oh, there are those letters again) the links to your mom (or whomever) so that they can get a non-technical explanation of the dangers of the ‘internets.’ Now begins the non-technical explanation, here we go!

Hello there! You’re no doubt reading this as a result of your son/daughter/grandson/granddaughter having sent you here for guidance. Fear not, I will help guide you through the dangers of the internet and help you be more secure with your personal information. No doubt you’ve heard of recent credit card breaches in stores you visit every day. You’ve also probably heard about ‘phishing’ emails that ask for your personal information in an email or ask you to click some link. You may have seen emails that say ‘Your credit card has been stolen, please email your Social Security number, mother’s maiden name and birthdate to this email address.’ The good news is that you can prevent yourself from being a victim of these scams.

The first thing you’ll need to know is that you should be very, VERY paranoid about anything you get in an email. If someone knocks on your front door, you’re always skeptical about what they want; the same principle should be applied to email. Anyone and everyone can email you and not all emails should be trusted, particularly those from contacts that you do not know or that ask you for personal information. Most businesses make it a point to not request such information over email, so if you get such a request, it is quite likely a scam. Secondly, it is very easy to fake the sender of an email. Just because it says ‘admin@bankofamerica.com’ doesn’t mean it is. Never trust that your email is coming from the business that it purports to be coming from.

Furthermore, links and attachments in emails can be bad news. Just as it’s very easy to make it look like an email is coming from someone else, it’s just as easy to make a link in an email look different. I can easily make it look like it’s going to ‘www.youtube.com/someFunnyCatVideo’ but really when you click on the link it will take you to ‘www.ImSoEvil.com/LookAtHowEvilIAm.’ Fake sites are set up under the guise of seemingly legitimate URLs in an effort to get you to click on them which could lead to theft of personal information or worse. Attachments in emails from unknown sources are also bad news. You could be unknowingly downloading malware — software that can interfere with the proper functioning of your computer, damage your privacy or even install the dreaded virus.

All this sounds pretty frightening already. You may think you now need to go make a tin foil hat and build a bunker in your backyard. But with this knowledge you are well-armed to combat identity thieves. Here are a few simple things you can do to help protect yourself:

* Never give your personal information to anyone. No legitimate business will ask you to email them your Social Security number, credit card number, passwords, date of birth, etc. If they’re asking for that information it is 99.9% likely that it’s a scam. Sometimes an attacker will send an email that makes it sound like there’s an emergency — if you don’t do what they’re asking for right away something horrible will happen! Instead of doing what the email says, if it looks like it might be from a legitimate business – like a bank that you do actually have an account with – contact that business directly, using the phone number or website you already know. Don’t use any links from that email. Let them know what email you received and that you want to confirm whether or not it was a legitimate email.

* Never click on a link in an email — it’s just asking for trouble. If you really want to watch that cat video, copy the link address into your browser window so you can be sure you’re sending your browser where you actually want it to go.

* If you receive an email that has an attachment and you were not specifically expecting that person to send you that attachment, contact them directly and confirm that they sent it and it’s a legitimate attachment. More than once a friend of mine has found out that their email account was hacked because I contacted them about a suspicious attachment.

This is but the beginning of your training and you should come back to this blog often to hear more helpful (and hopefully easy to understand) advice on how to better protect yourself on the internet. Go forth and click on!

Blackhat – A Review

Editor’s Note: Dan Lacey is a TRC Training Supervisor at WhiteHat Security and he recently blogged about the new movie ‘Blackhat’, which was released in theaters on Jan. 16, on his own personal blog. We have republished his movie review here as we are sure that many of our readers might be considering this movie as part of their upcoming entertainment plans. Please note, there are some spoilers in the following post. Enjoy!

As a WhiteHat hacker, I knew I needed to see a movie called Blackhat. As a movie buff, I dreaded seeing a movie that looked, frankly, bad. Fortunately, I work for WhiteHat, who rented out a theater so that we could all see Hollywood’s latest portrayal of our profession. Watching it in company made the experience a whole lot more enjoyable!

Some of you know that I write movie reviews. I also know that not all of you joined us for the screening of Blackhat. To save you the wasted time, here is my review. Feel free to share. Link is http://www.whitefoxmoviereviews.com/2015/01/blackhat.html

Movies that are released in January are awful. Hacking movies are awful. Blackhat is a hacking movie released in January. It should be no surprise, therefore, that it is awful. What is a surprise is that the depiction of hacking was not one of the worst parts of the movie. The plot, editing, and cinematography are far worse.

The inciting incident (the nuclear power plant breach, which was shown in the trailer) isn’t actually particularly farfetched. Last year hackers did serious damage to a German steel factory by tampering with the controllers of a blast furnace, which could not be shut down properly. The Stuxnet worm destroyed a whole lot of Iranian centrifuges around 2010 (meta-source). Most of the rest of the hacking shown is phishing or social engineering, most of which is technically reasonable (though if I were designing a bank’s network, I would not connect the machines at the front desk to the financial systems).

Unfortunately, the plot wrapped around the hacking is not nearly as reasonable. The main characters all suffer from Jack Ryan Syndrome, in which an analyst or other technical asset suddenly turns into a competent field agent, including the ability to make long-distance pistol shots while under fire better than trained assassins. Nearly everything about who they are and what they do strains credulity. The villain has no motivation beyond “crazy” – and while that can be done well, this is not. The romance subplot is laughably bad. Wei Tang does a fine job of acting the character which was given to her, but that character exists in the plot for the sole reason of being the romantic interest, which is pretty pathetic. None of the other performances are worth mentioning, mostly because the characters are not interesting in the slightest.

Blackhat is 2 hours and 13 minutes long, and I’m not sure why. I think there might have been about an hour and a half of plot, maybe an hour 45 if I’m generous. Nearly every shot lasts ten seconds or so more than it needs to, though, which makes the movie drag terribly. Some of those shots are completely out of focus for no reason whatsoever. Action movies should not be boring, but this one is.

Worst of all, every single shot is so shaky that the movie is almost unwatchable. Long-time readers will know that I am not a fan of shakycam; this is some of the worst I’ve seen. Even in shots with no movement, the camera waves around nauseatingly. Action scenes are far, far worse.

There is no reason to watch this movie unless you’re a hacker, want to see how bad it is, are seeing it for free, and want a headache.

I take solace in the strong possibility that every movie I see for the remainder of the year will be better than this one.