
# HackerKast 15: New Year. Same Hacks.

WhiteHat Security Top Security Stories of the Week: December 29, 2014 to January 2, 2015 from WhiteHat Security on Vimeo.

We were able to squeeze a recording in between Christmas and New Year’s Eve and I’m glad we did because we had a lot to chat about. Although we were still in a food coma from Christmas, I think we were able to shake it off and record a good episode for you guys.

First, we hit on a funny story of Instagram getting wise to millions of fake profiles and giving them all the axe at the same time. These sockpuppet accounts were all over; I personally noticed a severe uptick recently and was in contact with Facebook/Instagram security team to chat about it. Some of the hilarity being noted in the post-spamageddon world is that fairly popular-seeming accounts dropped to near zero followers as their numbers were very bloated by robots.

Next, somebody came up with a clever way to bypass the age-old two-factor authentication implementation of a trusty fingerprint. Wait… did I say “trusty”? Scratch that. This research shows that with a high-resolution photo of somebody’s finger, you can recreate their fingerprint well enough to bypass a Touch ID scanner. They proved this by copying the fingerprint of Germany’s Minister of Defense, Ursula von der Leyen, off of a simple photo. Robert points out that your fingerprints are left nearly everywhere you go and are a pretty weak second-factor authentication mechanism due to the many ways to get around it.

Now we get to two of Robert’s favorite topics that just so happen to both be in the same story this week: Google AND China. Turns out, China blocked another site this week, as they tend to do, but this time the site was a little-known email provider called Gmail. This is pretty huge news in itself but, as Robert points out, it could have a major ripple effect of nobody in China being able to receive email from a Gmail address. So not only might this force people in China to a different email provider, it might force people around the world who need to communicate with people/businesses in China to use something else as well.

We couldn’t get out of a HackerKast without talking about Lizard Mafia (Patrol? Squad?). A sentence I never thought I’d say. Anyway, this increasingly infamous hacker crew of lizards – who have been tormenting Brian Krebs and took down Xbox Live/PSN over Christmas – have now set their crosshairs upon Tor. They made a clever attempt to DoS Tor with what is known as a Sybil attack, which spokespeople from Tor have noted would probably cause them some problems if launched by an adversary who had sufficient time/means. This attempt wasn’t successful, but it is interesting to read how they were going about trying.

I touched quickly on a fun business logic flaw (near and dear to my heart and to Jer’s) that had to do with getting cheaper hotel rooms. By the nature of being a logic flaw, this isn’t really a technical “hack” so to speak, but it is clever nonetheless. The “attack” outlined a method of getting a huge discount on your hotel room by booking alongside some local conferences. These conferences that have huge draws (RSA anyone?) usually strike deals with local hotels to get a “conference rate.” Well, it turns out that this rate is sometimes given out with little-to-no verification as to whether you are actually a conference attendee. In some cases this knocked the price down by more than $200 per night, according to the research.
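The conference-rate flaw above is a textbook missing-entitlement check: the discount is keyed on knowing a code, not on being an attendee. As an added illustration (not code from the post or from the researchers), here is the flawed rate lookup beside a hardened one that demands a registrar-signed attendee proof and a stay inside the block dates; the conference name, dates, prices and the shared signing key are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import date
from typing import Optional

# Constructed sample data for a hypothetical conference room block; none of
# these names, dates or prices come from the post.
CONFERENCE_BLOCK = {
    "code": "SECCONF15",
    "start": date(2015, 4, 20),   # first check-in date the block rate covers
    "end": date(2015, 4, 24),     # last checkout date the block rate covers
    "rate": 199.00,
}
RACK_RATE = 429.00
# Hypothetical secret shared between the conference registrar and the hotel,
# used to sign attendee proofs so the hotel can verify them offline.
REGISTRAR_KEY = b"registrar-demo-key"


def issue_attendee_token(email: str, rate_code: str) -> str:
    """Registrar side: HMAC over email|code, handed to the attendee at registration."""
    msg = f"{email}|{rate_code}".encode()
    return hmac.new(REGISTRAR_KEY, msg, hashlib.sha256).hexdigest()


def quote_vulnerable(rate_code: str, checkin: str, checkout: str) -> float:
    """The flaw from the story: whoever types the code gets the block rate,
    with no check of attendance and no check of the conference dates."""
    if rate_code == CONFERENCE_BLOCK["code"]:
        return CONFERENCE_BLOCK["rate"]
    return RACK_RATE


def quote_hardened(rate_code: str, checkin: str, checkout: str,
                   email: Optional[str] = None, token: Optional[str] = None) -> float:
    """Grant the block rate only to a verifiable attendee whose stay falls
    inside the block; every other request pays the normal rate."""
    blk = CONFERENCE_BLOCK
    if rate_code != blk["code"] or not (email and token):
        return RACK_RATE
    expected = issue_attendee_token(email, rate_code)
    # Constant-time compare so a forged token cannot be matched byte by byte
    if not hmac.compare_digest(expected, token):
        return RACK_RATE
    # The stay must sit entirely within the negotiated block dates
    start, end = date.fromisoformat(checkin), date.fromisoformat(checkout)
    if start < blk["start"] or end > blk["end"] or start >= end:
        return RACK_RATE
    return blk["rate"]
```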

Guess what everybody? WordPress caused a site to get hacked! Contain your shock/awe/riots please. In this case, ISC’s website was hacked – allegedly the fault of a WordPress install – and was serving up malware. ISC is popular for its creation of things like BIND DNS, DHCP, etc., and as Robert points out the scary thing about this hack might not be the website itself but the highly technical system-admin-type users who might be compromised. Imagine your IT person – who also has the keys to the corporate kingdom – is the one who gets malware on their machine for a minute. Doesn’t sound good, right? ISC swears this breach was just on their website and no sensitive code was compromised, but we aren’t really sure of any details.

Lastly, Jeremiah showed us a pretty picture. No really! A popular infographic made its way around the tubes this week showing the immense number of records lost in data breaches in the last decade or so. This one was super cool, letting you check out how something like the Target breach last year compared to the TJ Maxx or Heartland breaches of a few years ago. The moral of this story is that information about you is probably stored somewhere that will be compromised, so be diligent about what you put where and prepare for what happens when it gets stolen. Also, a lesson for companies: don’t store what you don’t have to! I know we live in a data-centric world but unless you absolutely must, you probably should “just say no” [insert Smokey the Bear motivational image] to storing sensitive data.

That’s all for us folks. Sorry for the long one today but there was a lot going on while we were all opening gifts, sipping eggnog, and toasting the new year! Hope your 2015 is off to a great start!


Hackers say they can copy your fingerprint from just a photograph

Gmail has been blocked in China

Hackers who shut down PSN and Xbox Live now attacking Tor

How we hacked the hotel industry to save $200+ per night

Someone went from 3.6 million Instagram followers to 8 today. Eight.

website hacked: Scan your PC for malware if you stopped by

The world’s biggest data breaches, in one incredible infographic

Tags: Google, Tor, Vulnerabilities, WordPress