
#HackerKast 21: GCHQ, Anthem Breach, TurboTax Fraud, Sony Incident Response, GPG Donations, iPhone App Rating Manipulation

Hey Everybody! Welcome to a romantic Valentine’s edition of HackerKast. We’ve got the gang all back together and are ready to talk about some of this week’s AppSec news.

We started out with a story about GCHQ, which is the British equivalent of the Secret Service/CIA/NSA. It came out this week that they wrote a program to scrape the Twitter feeds of hacker types in order to gather information about who was breached and other valuable tidbits. Jer and Robert were a bit sad they were left off the list and aren’t cool enough to monitor.

We couldn’t get out of this week without talking about the Anthem breach that has been making waves throughout the industry. The health insurance provider was breached this week and the user information it was storing was stolen. We don’t know much about this breach, but of course the attribution game is being played and China is being blamed. We really just don’t know much, but it seems like a sizable breach. Jer speculated a bit that this might be part of a bigger cybercrime-related hack.

Next, in a related incident, TurboTax has been having some identity theft problems that have been surfacing lately. We don’t think this is anything new, but the scale here seems staggering. Robert is talking about $4 billion annually lost to fraudulently filing taxes on behalf of people and collecting their refunds. We are talking about $3k on average per refund, just multiplied by tons of people. The incentive for TurboTax to fix this is a bit weird because they actually get paid to process the refund, fraudulent or not. Since this is making so much news, they might be forced to figure something out now though.

The Sony breach made headlines again recently in terms of how much money it has cost them. Since Sony is public, they need to file their earnings for the quarter, which is now bringing some of the costs of the breach to light. It looks like $15 million is the magic number it cost them for investigation and response alone. Before I read the specifics of what this covered I thought the number was WAY low, but I’m thinking this wasn’t including money or revenue lost. This can’t include what they lost at the box office for the movies leaked, or just the downtime from their network being down.

In more uplifting news from our industry this week, it came to everyone’s attention that the man behind GPG was relying on a very small amount of donations to get by. For the past 14 years Werner Koch has been making on average $25,000 per year for GNU Privacy Guard, a tool that the Internet relies on heavily for secure communications. Koch was one of the early proponents of free software, but it was becoming apparent that this was not something he could keep up. The community came together and raised $150,000 to support his cause, including Facebook and Stripe pledging $50,000/year each. Score one for the good guys!

Lastly, we talked about a weird one. We like weird ones. Robert brought up a crazy iPhone rig that seems to be in use in China to manipulate App Store ratings. For a very small wage, they have people sitting in front of a wall of iPhones clicking through apps, waiting to get prompted for a rating and then giving them a high rating. This helps get the app onto the top-rated list, which in turn gets more downloads for the app maker. As long as it makes more money than it costs to have the person clicking around, this will keep happening. Jeremiah made the comparison to CAPTCHA-cracking farms, but for App Store ratings, which I thought was a good one.

We ended with some shameless self-promotion of the Top 10 Web Hacking Techniques of 2014 survey that I’m running. Please go vote for your favorite technique of the year, as this is a completely community-driven part of the process!

Blog outlining the Top 10

Survey: https://www.surveymonkey.com/r/Top10WebHacks2014

Thanks for listening everybody! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

GCHQ Using LOVELY HORSE to Monitor Hackers’ Twitter Feeds

Anthem and TurboTax Hack

Sony Hack Has Cost Its Business $15M So Far

Data Breach at Health Insurer Anthem Could Impact Millions

Internet lobs $$$s at dev of crucial GPG tool after he runs short of cash

iPhone Rig to Manipulate App Store Rankings

Notable stories this week that didn’t make the cut:

NSA Using Disclosed Hacker Data

Uber Lost and Found DB left open

Fancybox WordPress Vuln

Meanwhile TrueCrypt is Replaced by VeraCrypt