Web Application Security-WhiteHat HackerKast

#HackerKast #18: Verizon Tracking Cookie, NSA tracking via mobile ads, hackers for hire, AppSec Program Quick Start Guide

Hey Everybody! Can’t believe we’ve done 18 of these. Let’s get right into it.

We started off this week by chatting a bit about Verizon. The headline kind of speaks for itself: “Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused? Yeah, Well, Funny Story…” Turns out Verizon will set a cookie in your browser and can track you across IP addresses, among other nastiness. Robert has some recommendations on how to work around this if you are worried about it. News flash: advertisers aren’t working in the user’s best interest.

Another news flash: the NSA is tracking people. The newest revelation is that the NSA is using ads on mobile platforms to track users. This avenue is useful for them because geolocation is sent through a lot of these mobile app ads, so not only can they track users’ usage preferences but also their physical location! Repeat after me: ads are bad.

A funny little website popped up recently called Hacker’s List. For those familiar with oDesk, this is the same thing but for hacking. The website acts as a medium for people to post requests and a dollar amount for hacking services. Some of my favorite entries include “Change my grades – $300” and “Hack Facebook account ASAP – $200”, among others. We got into a bit of discussion about the legality of all of this and some possible loopholes they are using to keep the website up and kicking. Consensus is that it will most likely be taken down, fast.

Finally, with some shameless self-promotion, we chatted about a new OWASP project started by a few of us WhiteHat folk called the Application Security Program Quick Start Guide. Our goal was to provide some quick rule-of-thumb points on starting an AppSec program from scratch. Nothing like this existed to our knowledge, so we tried to fill what we saw as a void. It is completely open-licensed and free to download, so feel free to use and abuse it! Check out our blog post outlining it and let us know what you think!

Notable stories this week that didn’t make the cut:

How to protect yourself against Verizon’s Mobile Tracking

New York Post Twitter Feed Hacked – declares we are at war

Obama sides with Cameron in Encryption Fight

Against DNSSEC

Why Not DANE in Browsers

Someone in China MitM’d Outlook.com Traffic With Fake SSL Certificate

Reflected XSS in PayPal

References:

Remember That Undeletable Super Cookie Verizon Claimed Wouldn’t Be Abused?

New Snowden documents show that the NSA and its allies are laughing at the rest of the world

Hacker’s List allows you to hire a hacker anonymously and quickly

OWASP Application Security Program Quick Start Guide Project

5 Days to Setting Up an Application Security Program