
#HackerKast 30: Verizon Supercookie, Tesla Stock April Fools, Bugs in Tor, YouTube Bounty Hack, ‘Do Not Track’ and Microsoft

Hey All! We made it to 30 Episodes! Thanks for coming along for the ride, and hope you’re enjoying HackerKast. Now… the news!

First we talked about the follow-up to a story we covered a few weeks back about Verizon tracking its customers. They were doing this by implementing a sort of “supercookie” which was injected into HTTP requests on their end. This isn’t something that would go away if you cleared your cache, cookies, browser files, etc. This was basically the glitter of user tracking: it never went away. News this week was that Verizon spokespeople made some hand-wavy announcement about how this isn’t a problem since users can opt out of this tracking if they wish. The problem we discuss here is that nobody is going to do that or even take the time to figure out how to do it via some random Verizon web interface. Bad form on Verizon’s part, and it just shows that the users’ interests are not truly at heart here. The age-old adage of “if you aren’t paying for it, you’re the product” doesn’t even apply here since you ARE paying for Verizon. They are just squeezing your data for more money.

Privacy tangent aside, in lighter news, the stock market is being automated! Lighter news? I guess so, given the context here of an April Fools joke by Tesla. They announced the brand new ‘Model W’, which caused a bit of a commotion amongst the robots on the Internet. Turns out the Model W wasn’t a new line of Tesla cars but a joke about them making a watch which could do phenomenal things such as telling time. At the time of this announcement a bunch of excited robots made Tesla stock jump by nearly 1% and there were over 400,000 trades in 60 seconds, which was the largest surge for Tesla since their IPO. This may be a funny instance, but it is a scary thought that a practical joke could have cost people hundreds of thousands of dollars because of some trigger-happy robots.

Next, we talked about some new issues discovered and written about with Tor. In this case, we are talking about a denial-of-service technique that is unique to Tor hidden services. By sending a ton of requests that open up “circuits” to a hidden service, which kind of act like sockets, an attacker can flood the server and take it down. With a lot of these circuits built up, the hidden service needs to use a ton of CPU and memory to handle them all. This is being called a bug, but Robert doesn’t like that terminology because it is kind of by design how hidden services work, just being used maliciously.

Now we are talking about something we all really like the sound of: deleting Justin Bieber videos off the Internet. Well, that was the clickbait for this one. The real topic is that a researcher found a way to delete any video off of YouTube immediately. Turns out that Google paid this researcher $5,000 for this bug, which we all agreed seemed a bit low for such a serious bug, but we might not have all the information. The funny part here is the researcher discussed how hard it was to fight the urge to delete Bieber fan channels. Good bug.

Lastly, Microsoft announced that it will not be supporting ‘Do Not Track’ by default in the next version of their browsers, whatever they are calling it these days. This is coming right after ‘Do Not Track’ was finally supported by default only in their latest version of Internet Explorer. This sounds like a loss for privacy of the users but, in reality, DNT doesn’t really work. Nobody really pays attention to this and it costs more bandwidth anyway so there really is no point at this stage in the game.

Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone.

Join the conversation over on Twitter at #HackerKast or write us directly @jeremiahg, @rsnake, @mattjay


Verizon Customers Can Now Opt Out of Supercookie Due to Government Pressure

Tesla Stockholders Can’t take a Joke

Bugs in Tor Network Used In Attacks Against Underground Markets

YouTube hack ‘threatened’ Justin Bieber videos

‘Do Not Track’ no longer default setting for Microsoft browsers

Notable stories this week that didn’t make the cut:

Turkey Blocks Social Media Again – People Resort to Posters to Educate
