
#HackerKast 28: Unicode Chrome Crash, Brain Waves, Top 10 Web Hacks, PWN2OWN, Wind Turbine CSRF, TLS certificates

Hey Everybody! Thanks for checking out this week’s HackerKast! We’ve got some fun stories this week that were a good time to chat about.

First we mentioned a story that is a bit concerning but also amusing. A short magic string of Unicode characters would crash Chrome completely when rendered. It came down to some locally installed language libraries that didn't play nicely together. Robert, being the hacker he is, couldn't resist putting the string in a Facebook status and a tweet. He got a lot of hate mail. (Oh, and if Chrome crashes while you are reading this post, you should really install updates ܝܘܚܢܢ ܒܝܬ ܐܦܪܝܡ).

Now, we all love it when security topics escape the echo chamber, but this next story is fairly unique in the field it popped up in. It turns out some researchers ran MRI scans on people while they were browsing the web. We all know users just click through things to get them out of the way, but it turns out there is a biological reason for this: certain parts of the brain show far less activity on the scan when users are looking at security warnings, like the ones for invalid SSL certificates. Now we can all collectively say that security is making people brain dead.

Finally my life is a bit back to normal, as the Top 10 Web Hacks talk is complete and published. For those of you who missed the webinar, you can check it out here: Recording. In the video I went through the rundown of what this talk is and touched on a few of the interesting pieces of research that made the list. I'll also be giving the talk again in person at RSA for all of you who are there! Check it out.

Next, we talked a bit about the PWN2OWN contest at CanSecWest this year. All major browsers fell by the second day. For those unfamiliar, PWN2OWN is basically a 0-day contest: show up and completely own a box by pointing a fully patched browser on a fully patched OS at a website you control. One researcher scored a total of $225K in a single day for his exploits. That is some serious 0-day cash! Jeremiah also mentioned, as he does every now and then, his idea of a PWN2OWN category that rewards bugs in antivirus software: owned by the software you installed to protect yourself.

Another fun one I touched on next was a vulnerability found in an actual wind turbine. The turbine, for whatever reason, has a web admin portal, and the portal was vulnerable to CSRF: a single HTTP GET request changes the admin account's credentials, so an attacker-controlled page that a logged-in operator happens to visit can fire that request from the operator's own browser, cookies and all. Once the credentials are changed, the attacker has complete control of the turbine and can even stop it from generating power.
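To make that mechanism concrete, here is an added example in Go; it is not code from the podcast or from the turbine vendor. The `Portal` type, the `turbine.local` and `evil.example` hosts, the `/admin/password` path and the form field names are all assumed for illustration, and the requests are replayed in-process with `net/http/httptest`, so nothing touches a network. `VulnerableChangePassword` is a GET handler gated only by the session cookie, which is exactly what makes the attack work: the victim's browser attaches that cookie to an `<img src>` the attacker's page points at the portal. `HardenedChangePassword` demands a POST with a same-origin `Origin` header, a per-session CSRF token and the current password, none of which an attacker's page can supply.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Portal is a constructed stand-in for the turbine's admin web interface:
// one admin password plus a map of session cookie -> per-session CSRF token.
type Portal struct {
	adminPassword string
	sessions      map[string]string
}

// Login creates a session and returns its cookie value and CSRF token.
func (p *Portal) Login() (session, csrf string) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	session, csrf = fmt.Sprintf("%x", b[:16]), fmt.Sprintf("%x", b[16:])
	p.sessions[session] = csrf
	return
}

// VulnerableChangePassword reproduces the flaw: a state change on GET, gated only
// by the session cookie, which the browser attaches even to an <img src> request.
func (p *Portal) VulnerableChangePassword(w http.ResponseWriter, r *http.Request) {
	if c, err := r.Cookie("session"); err != nil || p.sessions[c.Value] == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	p.adminPassword = r.URL.Query().Get("password")
	fmt.Fprintln(w, "password changed")
}

// HardenedChangePassword requires POST, a same-origin Origin header, a session-bound
// token and the current password; the attacker's page can make the browser send the
// cookie, but it cannot read the token or the password.
func (p *Portal) HardenedChangePassword(w http.ResponseWriter, r *http.Request) {
	c, err := r.Cookie("session")
	switch {
	case r.Method != http.MethodPost:
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
	case err != nil || p.sessions[c.Value] == "":
		http.Error(w, "unauthorized", http.StatusUnauthorized)
	case !sameOrigin(r) || r.ParseForm() != nil:
		http.Error(w, "cross-site request rejected", http.StatusForbidden)
	case !equal(p.sessions[c.Value], r.PostForm.Get("csrf_token")) ||
		!equal(p.adminPassword, r.PostForm.Get("current_password")):
		http.Error(w, "token or current password rejected", http.StatusForbidden)
	default:
		p.adminPassword = r.PostForm.Get("new_password")
		fmt.Fprintln(w, "password changed")
	}
}

// equal compares secrets in constant time.
func equal(a, b string) bool { return subtle.ConstantTimeCompare([]byte(a), []byte(b)) == 1 }

// sameOrigin fails closed: a missing or foreign Origin means the form is not ours.
func sameOrigin(r *http.Request) bool {
	u, err := url.Parse(r.Header.Get("Origin"))
	return err == nil && u.Host != "" && strings.EqualFold(u.Host, r.Host)
}

// send replays one request in-process (no network) and returns the HTTP status.
func send(h http.HandlerFunc, method, target, origin, sess string, form url.Values) int {
	req := httptest.NewRequest(method, target, strings.NewReader(form.Encode()))
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Origin", origin)
	req.AddCookie(&http.Cookie{Name: "session", Value: sess})
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

// Simulate replays the attack: a forged GET against the vulnerable handler, then a
// forged POST and a legitimate same-origin POST against the hardened handler.
func Simulate() (vulnStatus, forgedStatus, legitStatus int, vulnPwned, hardPwned bool) {
	const target = "http://turbine.local/admin/password" // constructed host and path
	vp := &Portal{"initial-secret", map[string]string{}}
	sess, _ := vp.Login()
	vulnStatus = send(vp.VulnerableChangePassword, "GET", target+"?password=owned", "http://evil.example", sess, nil)
	vulnPwned = vp.adminPassword == "owned"
	hp := &Portal{"initial-secret", map[string]string{}}
	sess, csrf := hp.Login()
	forged := url.Values{"new_password": {"owned"}, "csrf_token": {"guess"}, "current_password": {"guess"}}
	forgedStatus = send(hp.HardenedChangePassword, "POST", target, "http://evil.example", sess, forged)
	hardPwned = hp.adminPassword == "owned"
	legit := url.Values{"new_password": {"correct-horse-battery"}, "csrf_token": {csrf}, "current_password": {"initial-secret"}}
	legitStatus = send(hp.HardenedChangePassword, "POST", target, "http://turbine.local", sess, legit)
	return
}

func main() { fmt.Println(Simulate()) }
```

`Simulate` returns the three status codes and whether the attacker's password took: the forged GET against the vulnerable handler returns 200 and changes the password, the forged POST against the hardened handler returns 403 and changes nothing, and the operator's own same-origin POST returns 200. The Origin check fails closed when the header is absent, so a client that strips it is refused rather than trusted; requiring the current password is what stops a stolen cookie on its own from locking the operator out, which matters more than usual when the thing behind the portal is a turbine.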

The last story we touched on was a complicated one about SSL/TLS certificates: Google warned this week that unauthorized TLS certificates for Google domains had been issued under a certificate authority trusted by almost every operating system. Robert goes into the technical details here, so those interested should listen up! The Cliff's Notes version is that if you are in Egypt you should watch what you say online, especially while using Google via Internet Explorer. Firefox and Chrome ship built-in certificate pinning for Google's sites, which rejects a certificate like this even though the OS trusts its issuer, so their users should be somewhat better off.
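As an added illustration of why pinning helps here (example code written for this post, not the podcast's or Google's), the following Go program builds two self-signed CAs in memory, puts both in a trust store, which is effectively the position the OS stores were in, and pins only the legitimate CA's public key. The hostname `mail.example.test`, the CA names and the `SPKIPin`/`VerifyPinned` helpers are constructed for the example, and it assumes Go 1.18 or later for the generic `must` helper. A leaf for the pinned host issued by the other CA passes ordinary chain validation but fails the pin check, which is the check a pinning browser makes and a browser relying on the OS store alone does not.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var serial int64

// certTemplate builds a short-lived CA or server-leaf skeleton (constructed for this example).
func certTemplate(name string, ca bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

// issue generates a fresh P-256 key and a certificate for tmpl signed by
// parent/parentKey, or self-signed when parent is nil.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// SPKIPin is the HPKP-style pin: base64(SHA-256(DER SubjectPublicKeyInfo)).
// Pinning the key rather than the whole certificate survives routine renewals.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// VerifyPinned does the ordinary chain build against the trust store, then also
// requires some certificate in the chain to carry a pinned key (the browser's extra step).
func VerifyPinned(leaf *x509.Certificate, roots *x509.CertPool, host string, pins map[string]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		for _, c := range chain {
			if pins[SPKIPin(c)] {
				return nil
			}
		}
	}
	return errors.New("chain is trusted by the OS store but matches no pinned key")
}

// Scenario puts two CAs in the trust store, pins only the legitimate one, and presents
// a leaf for the same hostname from each; it reports which checks accept which leaf.
func Scenario() (legitOS, legitPinned, rogueOS, roguePinned bool) {
	const host = "mail.example.test" // constructed hostname
	legitCA, legitKey := issue(certTemplate("Legit Root CA", true), nil, nil)
	rogueCA, rogueKey := issue(certTemplate("Trusted But Unauthorized CA", true), nil, nil)
	legitLeaf, _ := issue(certTemplate(host, false), legitCA, legitKey)
	rogueLeaf, _ := issue(certTemplate(host, false), rogueCA, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(legitCA)
	roots.AddCert(rogueCA)
	pins := map[string]bool{SPKIPin(legitCA): true}
	osOK := func(c *x509.Certificate) bool {
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
		return err == nil
	}
	legitOS, rogueOS = osOK(legitLeaf), osOK(rogueLeaf)
	legitPinned = VerifyPinned(legitLeaf, roots, host, pins) == nil
	roguePinned = VerifyPinned(rogueLeaf, roots, host, pins) == nil
	return
}

func main() { fmt.Println(Scenario()) }
```

Running it prints `true true true false`: both leaves chain to a trusted root, so an OS-only validator accepts the rogue one, while the pinned check accepts only the leaf whose chain contains the pinned key. Pinning the CA's SPKI rather than the leaf's is deliberate; it lets the operator rotate server certificates freely while still refusing anything that a different, merely trusted issuer signed.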

Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay

Resources:

Crashing Chrome Tabs with Unicode

MRIs Shows Brains Shutting Down With Security Prompts

Top 10 Web Hacking Techniques of 2014

All Major Browsers Fall At PWN2OWN Day 2

Wind turbine blown away by control system vulnerability

Google warns of unauthorized TLS certificates trusted by almost all OSes

Notable stories this week that didn’t make the cut:

North Korea Web Outage Was Response To Sony Hack, Congressman Says

China Admits To Having a Hacking Group

Cisco to Ship Boxes to Empty Houses To Evade the NSA

Kaspersky Being Accused Of Ties To Russian Military

No password or PIN, but I have a fake ID. Sure, take the domain

FREAK uses Similar Modulo Attacks

Brute Forcing iOS Screenlock

Need a security expert? Hire a coder