Web Application Security-WhiteHat HackerKast

#HackerKast 23: Lenovo, Venmo Sex, Drugs, and Guns, Casino Hacked, WordPress, Remotely Hacking Cars

Hey everybody! Welcome to this week’s HackerKast. We’ve got Jer back! We put this one out late this week just to get him back in the mix.

First, we absolutely HAD to talk about Lenovo and Superfish. For those living under a rock, Superfish comes installed by default on Lenovo laptops and does all sorts of nasty MiTM things by breaking SSL locally to inspect traffic. They did this under the guise of advertising (of course), but it was awful once we all found out. Robert Graham over at Errata Security did a great writeup of the technical deep dive he did into what was going on with these certificates.
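The reason a Superfish-style local MITM works is that the client trusts a root the adware dropped into the OS store, so the handshake succeeds but every site's certificate is issued by that injected root instead of a public CA. Here is an added example (not code from the podcast or from WhiteHat) that inspects the issuer of the certificate a client actually receives; the sample certificate dicts and the "Example Public CA" names are constructed for the demonstration.

```python
import socket
import ssl

# Issuer name fragments that identify TLS-interception software. Superfish and Komodia
# are the ones in the story; extend with any local proxies you legitimately run.
KNOWN_INTERCEPTORS = ("superfish", "komodia")


def rdn_value(name, attr):
    """Pull one attribute (e.g. 'commonName') out of the nested RDN tuples ssl.getpeercert() returns."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def assess_peer_cert(cert, expected_issuer_org=None):
    """Return a list of findings for a getpeercert()-style dict; an empty list means nothing odd."""
    findings = []
    issuer, subject = cert.get("issuer", ()), cert.get("subject", ())
    issuer_cn, issuer_org = rdn_value(issuer, "commonName"), rdn_value(issuer, "organizationName")
    subject_cn, subject_org = rdn_value(subject, "commonName"), rdn_value(subject, "organizationName")
    for marker in KNOWN_INTERCEPTORS:
        if marker in issuer_cn.lower() or marker in issuer_org.lower():
            findings.append(f"issuer matches known interception product: {issuer_cn or issuer_org}")
    if issuer_cn == subject_cn and issuer_org == subject_org:
        findings.append("leaf certificate is self-signed")
    if expected_issuer_org and issuer_org != expected_issuer_org:
        findings.append(f"issuer organization {issuer_org!r} differs from expected {expected_issuer_org!r}")
    return findings


def fetch_peer_cert(host, port=443, timeout=5):
    """Fetch the leaf certificate a normal client sees. The default context trusts the OS store,
    which is exactly why an injected root passes validation and only the issuer name gives it away."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples: what an affected client would see versus a normal public-CA chain.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Superfish, Inc."),), (("commonName", "Superfish, Inc."),)),
}
SAMPLE_CLEAN = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA Issuer"),)),
}
```

Pass `expected_issuer_org` for a site you control to catch interception even by a product that is not on the marker list.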

Tied to that same story, Lizard Squad reared their head again with their specialty, a DNS hack! Their target this time was Lenovo, due to recent events, and they were able to take over Lenovo's domain registrar through command injection. Brian Krebs did some digging and found it was all due to the WebNIC registrar being vulnerable to an attack.

Moving along to a fun clickbait story with an actual privacy twist, Venmo made the news this week in a bad way. The headline we couldn’t ignore was “New Site Tells You Who’s Paying For Sex, Drugs, and Alcohol Using Venmo.” Sounds interesting, right? Well, it turns out Venmo has turned itself into a bit of a social network on who is giving money to whom and for what. The kicker here is that all that information goes to a public timeline unless it is specifically turned private. Nobody bothers to change anything to private, so a site called Vicemo popped up to gather all the illicit payments and put them in its own feed. Check out all the amusing things people are sharing money for.

Next, Jer talked about a few more details of a story we covered back in 2014 about a Las Vegas casino getting hacked via a publicly facing development site. The hack is being attributed to the Iranians, who ran amok once they got into the casino's network. They got in this way only after spending a lot of time brute-forcing the casino's VPN to no avail. Just goes to show how important it is to know which of your websites are public facing!

We had to talk about this next one even though it’s a bit embarrassing. We’ve all got vulns! Even WhiteHat! We eat our own dog food and run our scanner on our website constantly, and we found a bug on our blog caused by the WordPress plugin we use to publish our podcast on iTunes. Imagine that… A WordPress plugin causing a vulnerability… Who woulda thunk? Anyway, we emailed them and in the meantime coded up a hotfix after immediately removing the plugin from production. Before we even got a chance to hot patch with our own code, though, the developer of the plugin in South Africa woke up and rolled out his own fix in less than a day. Good news all around!

Lastly, we talked about a fun and scary news story about remotely bricking cars. Some car dealerships install little black boxes in the cars they sell. These boxes are used to remotely disable the car if people get behind on their payments, making the cars easier to repossess. What were all of these black boxes controlled by? A web app! Some IT guy who had left the company “hacked” back in (I’m guessing he used access that hadn’t been turned off yet) and started remotely shutting down cars in Texas left and right. This brings up a bit of a conversation about the Internet of Things, where Robert does what he does best and scares everybody off the Internet.

Sorry for the late one this week, hope you all enjoyed!

Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

Lenovo shipping with pre-installed Adware and SSL certificate “Komodia”

Extracting the Superfish Certificate

Lenovo’s DNS Gets Hijacked by Lizard Squad using Command Injection in Registrar

Webnic Registrar Blamed for Hijack of Lenovo, Google Domains

Site Discloses Who is Paying for Sex, Drugs and Guns

Las Vegas Casino Hacked by Iranians in 2014

The time a hacker remotely bricked cars in Texas

Notable stories this week that didn’t make the cut:

AT&T Extorts Users For Privacy

Cybersecurity Czar Claims Selfies Are Good Biometrics

HTTP/2.0 “Finalized”

Google’s new Hacker Classifier Misclassifies Websites As Hacked

GCHQ & NSA’s Great SIM Heist

Turbotax’s Anti-Fraud Efforts Under Scrutiny

Origins of Russian Astroturfing

Google Making Adult Blogs Private – Effectively Shutting Them Down

Infinity Million Bug Bounty for Pwnium

Net Neutrality Passed!

Tags: web application security, whitehat security