
# HackerKast 37: More router hacking, StegoSploit, XSS Polyglot and Columbia Casualty Insurance refuses to pay Cottage Health

One more lonely week without Matt Johansen, as Jeremiah and I braved another HackerKast on our own. Thankfully we were comforted by some very interesting stories. Most of them were technical, but one was about insurance.

First up was router hacking, one of Jer's and my favorite topics. It turns out someone has been automating intranet hacking, using the victim's browser to attack various SOHO routers and firewalls. This is notable because it is actually in the wild and being used. The kit attempts various passwords and ultimately tries to rewrite the router's DNS settings or route users to another location. Pretty nasty. I had a brief conversation with NoScript's author, Giorgio Maone, who is considering writing Application Boundary Enforcement into a stand-alone plugin.

Then we talked about two stories, StegoSploit and something called XSS Polyglot. They are different takes on the same issue: if you need to host content on another domain for some reason (typically payloads), you can do so inside an image or using Flash. Both are great articles, and both do a pretty good job of breaking CSP in certain implementations.

Lastly we talked about an insurance provider, Columbia Casualty Insurance, which is refusing to pay out a claim to Cottage Health due to lax security. Namely, Cottage Health allegedly failed to do the things their policy required of them. If you don't do what you say you're doing, it's hard to see why the insurer would be obligated to pay out. Either way, it's an interesting case, and probably the first of many to come.

An Exploit Kit Dedicated to CSRF

StegoSploit – Metasploit in an SVG image

Using Ads To Bypass CSP

Insurer Cites Lax Security in Challenge to Cottage Health Claim

Notable stories this week that didn’t make the cut:

Disconnect.Me Files Antitrust Case Against Google In Europe Over Banned Anti-Malware Android App

The Efficacy of Google’s Privacy Extension

AppSec USA: Full List of Accepted Talks

Criminals use IRS website to steal data on 104,000 people

Weaponizing code: America’s quest to control the exploit market

The Security Issue of Blockchaininfos and Android

Thousands of Websites Block Congress in Protest of NSA Surveillance and this Naked campaign

SourceForge Grabs Gimp For Windows And Wraps It With AdWare

I Fooled Millions Into Thinking Chocolate Helps Weight

AdBlock Wins in Court Twice in Weeks

Ross Ulbricht Pleads For Leniency

CareFirst Breached

St. Louis Federal Reserve Had DNS Hijacked

LaZagne – Password Recovery Tool

How Many Million BIOSes Would You Like To Infect

Facebook Supports PGP

Airbus confirms software brought down A400M transport plane