
#HackerKast 36: Moose Router Worm, Adult Friend Finder male users hacked, Firefox and advertising, WHS Stats Report, and IRS Data Breach

It was just Jeremiah and me again today, as Matt is shamelessly gallivanting around Europe at various security conferences (it’s safe to hate him for it, isn’t it?). But we had a ton of interesting stories to cover this week and not much time to do it.

First up was the Moose Router Worm. Much like the Internet Census Project, it got in by logging into remote routers with default usernames and passwords. We don’t know exactly how many routers were compromised, but I’m sure it was a lot. Jer’s view is that routers shouldn’t have remote logins with default credentials in the first place, and I’m inclined to agree.

It was a bad week for Adult Friend Finder, and an even worse week for their users, whose account data was stolen and published on the Internet. The data dump was incomplete, only about 300 MB. Interestingly, it seemed to contain only data on male users, which suggests the dump was selected for who is most easily blackmailed rather than reflecting everything the adversaries actually hold.

Next up we discussed Mozilla’s rather strange move to build an advertising platform into Firefox. Their reasoning is complicated, but it seems to come down to a mix of making money and doing right by their users, except that I don’t recall a user ever asking for this. Meanwhile, one of Mozilla’s own employees wrote a great paper showing that users with ad blocking and tracking protection can save up to 40% in bandwidth and page load time on the top Alexa-ranked sites. Shortly afterwards, that same employee left the company under somewhat mysterious circumstances.

Then we covered the WhiteHat Website Security Statistics Report. You’ll have to download it to see for yourself, but there are a great number of interesting findings in there. For instance, it appears to refute the idea of a single best practice: there just doesn’t seem to be any one security factor that keeps a site from being hackable. Maybe they work in some combination, but not in a vacuum. Check it out.

Lastly, we briefly touched on the IRS data breach (if you can call it that), in which the tax records of more than 100,000 people were stolen. This is almost certainly the result of personal data harvested through something like Zeus, or gathered from public sources, being combined to pass the identity checks and log in as the user. Jer’s point couldn’t be clearer: Social Security Numbers aren’t a good password, so stop using them. If you are, your site is hackable.

That’s it for the week, I hope you enjoyed it! We’ll be back next week. Rate, subscribe, and give us feedback on things you’d like us to cover.


Moose Router Worm

Adult Friend Finder Compromised

Firefox Will Soon Get Sponsored Suggested Tiles Based On Your Browsing History

Tracking Protection for Firefox at Web 2.0 Security and Privacy 2015

Website Security Statistics Report 2015

100k+ Tax Records Breached from the IRS

Notable stories this week that didn’t make the cut:

Android Chrome ARC Welder

Chrome Extension Transmits Information Via Sound

Phuctor – RSA Super Collider

Two Diablo III players stole virtual armor and gold — and got prosecuted IRL

New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 1

New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 2

New Cyber Security Legislation On Export of Cyber Weapons (Wassenaar) article 3

FCC Warns Internet Providers That They’re On the Hook For User Privacy

Adblock Browser for Android

Hacking Starbucks for unlimited coffee

Logjam Attack against the TLS Protocol article 1

Logjam Attack against the TLS Protocol article 2

Specially Crafted Message Crashes iPhones article 1

Specially Crafted Message Crashes iPhones article 2

40% of Docker Images Are Vulnerable to High Severity CVEs

Tags: WhiteHat Security Statistics Report