Welcome to the Episode in which we describe the answer to the Ultimate Question of Life, the Universe, and Everything. Maybe we’ll just stick to security but we’ve now done 42 of these things.
Kicking off this week with a gigantic combined story about Hacking Team, the story that keeps on giving. We touched on this breach last week but as people have been plowing through the 400GB of data that was leaked more and more 0-days are being discovered. Seems no operating system of browser is safe and Flash/Java felt the love in full force. At least 3 Flash 0-days have made their way into popular exploit kits so this is fully weaponized and being used in the wild. This, along with Facebook CISO Alex Stamos public statement against Flash, have proved to be a catalyst to both Firefox and Chrome blocking Flash BY DEFAULT. This is amazing. Huge step in the right direction and we are very interested to see where it goes.
Some other crazy revelation from combing through the breach data is, the guys over at Hacking Team were joking around about assassinating ACLU Technologist Chris Soghoian. Chris does a lot of work and public speaking against foreign governments weaponizing exploits which was apparently causing Hacking Team pain. It is a crazy world we live in when we have to accept that the industry we live in is costing enough people enough money that this kind of conversation about assassinations is bound to happen.
Next, some pure awesome web app hacking technique beauty. This week we saw an attack against LastPass password management browser plugin which utilized Clickjacking to steal stored passwords. We love clickjacking and browser security so this story had us all drooling. Before we dove in, props to LastPass security team for being super responsive anytime a security issue is brought to their attention. The PoC used in this case involved Tumblr in an iFrame. The attackers can then fool the user into clicking through the different LastPass prompts which caused the user’s password to be auto-filled into a textbox, which would then be sent to the attacker. Video of the PoC below:
Now if I had a dime for every time I downloaded a Cowboy Adventure game and it caused me problems… Well at least a million Android users would have 10 cents. This super popular game distributed via the Google Play store decided to become malicious and start installing malware onto it’s user’s phones. These mobile apps and devices have tons of permissions which makes these types of malware particularly dangerous as behind the firewall launching points for bigger attacks. Usually we are seeing this type of thing just used to generate ad fraud money for the attacker.
Next, we touched on a new CMS scanning tool that came out called Droopescan which is geared toward Drupal sites. Think, WPScan or CMS Map type tools but for Drupal. This is wildly important tool to exist as, if you’re a regular listener to HackerKast, you’ll know that CMS plugins and old versions are full of holes and have a huge target on their backs. These things are also very easy to find by scanning the entire Internet.
Lastly, we did some shameless self promotion of a project I’ve been working on under my rock for the past few months, WhiteHat Acceleration Services. When we look at our stats report year after year, and the time to fix vulnerabilities is astronomical and isn’t getting much better. This year our customers averaged 193 days to fix any given vulnerability that we identified. We’ve now set out to help that problem out. WhiteHat has been finding vulnerabilities in websites for over 10 years. Today we start helping you FIX them also.
This is the first of 6 new “Acceleration Services” offerings I’ve been tasked with launching this year. Check it out.
Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay
Adobe Flash Zero Day CVE 2015
Third Hacking Team Zero Day Found
Pawn Storm uses Exploit for Unpached Java Flaw
Mozilla Blocks All Versions of Adobe Flash Until Publicly Known Security Vulns are Fixed
Google and Mozilla Pull Adobe Flash
Hacking Team Employee Jokes about Assassinating ACLU Technologist Chris Soghoian
Stealing Lastpass Passwords With Clickjacking
Cowboy Adventure Game Malware Affecting 1MM Android Users
WhiteHat Acceleration Services
Notable stories this week that didn’t make the cut:
Google accidentally reveals data on ‘right to be forgotten’ requests
Michael DeKort’s Jumbawumba
University Rolls Out Adblock Plus, Saves 40 Percent Network Bandwidth
XSSYA 2.0 Released
OPM Hack of Fingerprints breaks Biometrics
Federal Judge overturns Arizona’s Nude Photo Law
Top Five Takeaways Todays Hearings Encryption
XKeyscore Exposé Reaffirms the Need to Rid the Web of Tracking Cookies
Land Rover recalls 65,000 cars because of software bug that could lead to theft