
#HackerKast 38: Pulse tests .gov sites, China hacked US government, DuckDuckGo, NSA Quantum Insert attacks and Google finds Ad Blocking annoying

Hey All! Welcome to another HackerKast! I’m back whether you like it or not.

I gave a quick rundown of my Europe trip before jumping into the news, and we started with one of my favorite stories we’ve covered in a while. This one was about a project called Pulse, which grabbed every .gov site it could get its hands on and ran the SSL Labs test against each one (hat tip to the awesome Ivan Ristic). Pulse then takes all the results and puts them in a very nice sortable table that, with one click, reveals pages and pages of government agencies with “F” grades. An “F” means the server is vulnerable to at least one major SSL/TLS flaw, such as POODLE or Heartbleed. Jeremiah tied this in to another story about a government order mandating that all federal websites comply with up-to-date SSL/TLS standards within the next year and a half or risk being taken offline.
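The Pulse pipeline described above (scan results in, worst grade per host out, sorted so the “F” rows float to the top), as an added Python example that is not Pulse’s own code. The scan results are constructed for the example; the field names (`grade`, `details.heartbleed`, `details.poodle`, `details.freak`, `details.logjam`, `details.protocols`) are assumed to follow the shape of SSL Labs API result objects, and every host and value is made up.

```python
# Constructed sample scan results (assumed SSL Labs API-like "details" shape).
SCAN_RESULTS = [
    {"host": "agency-one.example.gov", "endpoints": [
        {"grade": "F", "details": {
            "heartbleed": False, "poodle": True, "freak": False, "logjam": False,
            "protocols": [{"name": "SSL", "version": "3.0"}, {"name": "TLS", "version": "1.0"}]}}]},
    {"host": "agency-two.example.gov", "endpoints": [
        {"grade": "A-", "details": {
            "heartbleed": False, "poodle": False, "freak": False, "logjam": False,
            "protocols": [{"name": "TLS", "version": "1.2"}]}}]},
    # Two endpoints (e.g. two IPs behind one name); the worst one decides the row.
    {"host": "agency-three.example.gov", "endpoints": [
        {"grade": "B", "details": {
            "heartbleed": False, "poodle": False, "freak": False, "logjam": False,
            "protocols": [{"name": "TLS", "version": "1.0"}]}},
        {"grade": "F", "details": {
            "heartbleed": True, "poodle": False, "freak": False, "logjam": False,
            "protocols": [{"name": "TLS", "version": "1.0"}]}}]},
]

# SSL Labs letter grades, best to worst ("T" = certificate not trusted, "M" = name mismatch).
GRADE_ORDER = ["A+", "A", "A-", "B", "C", "D", "E", "F", "T", "M"]


def grade_rank(grade):
    """Higher rank = worse grade; unknown grades sort as worst."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else len(GRADE_ORDER)


def flaws_for(details):
    """Translate the scanner's vulnerability flags into human-readable reasons."""
    reasons = []
    if details.get("heartbleed"):
        reasons.append("Heartbleed")
    if details.get("poodle"):
        reasons.append("POODLE (SSLv3)")
    if details.get("freak"):
        reasons.append("FREAK")
    if details.get("logjam"):
        reasons.append("Logjam")
    for proto in details.get("protocols", []):
        if proto.get("name") == "SSL":  # any SSLv2/SSLv3 support is a finding on its own
            reasons.append("SSLv%s enabled" % proto.get("version"))
    return reasons


def grade_table(results):
    """One row per host: worst grade across its endpoints plus the union of flaws, worst first."""
    rows = []
    for result in results:
        worst, reasons = None, []
        for endpoint in result["endpoints"]:
            if worst is None or grade_rank(endpoint["grade"]) > grade_rank(worst):
                worst = endpoint["grade"]
            reasons.extend(flaws_for(endpoint.get("details", {})))
        rows.append({"host": result["host"], "grade": worst, "reasons": sorted(set(reasons))})
    rows.sort(key=lambda row: (-grade_rank(row["grade"]), row["host"]))
    return rows


def failing_hosts(rows):
    """Hosts graded "F", i.e. vulnerable to at least one major SSL/TLS flaw."""
    return [row["host"] for row in rows if row["grade"] == "F"]


if __name__ == "__main__":
    for row in grade_table(SCAN_RESULTS):
        print("%-3s %-28s %s" % (row["grade"], row["host"], ", ".join(row["reasons"]) or "-"))
```

The only real-world change is where `SCAN_RESULTS` comes from: fetch each host’s analysis from the scanner and feed the parsed JSON into `grade_table`. Taking the worst endpoint per host matters because a name with one clean IP and one SSLv3-enabled IP is still exploitable.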

Next, the story we couldn’t avoid: it is being reported that hackers from China stole over 4 million records from the federal government’s personnel office network. These records detail a great deal of information about current and former government employees. Some of the scariest pieces of stolen information are the results of security clearance background investigations, which dig deep into the personal lives of people applying for secret or higher clearances. The speculation is that this data could be used to blackmail people and flip them into working for foreign entities.

After getting off on a tangent about all that, Robert talked about the next story, some new DuckDuckGo features. It seems they are adding a whole suite of crypto-related search features that are pretty neat, including generating strong passwords, identifying hashing algorithms, hashing things for you, and, last but not least, searching for the known plaintext of hashes. If you have some hashed passwords from a dump you got your hands on, you can type the hash into DuckDuckGo and ask it to search previously cracked hashes to see if it’s on the list. Who needs your own rainbow table anyway?
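The four features above (hash identification, hashing, reversing a hash against already-cracked plaintexts, and strong password generation), as an added Python example that is not DuckDuckGo’s code and does not call their service. The “previously cracked” wordlist is constructed for the example; a real lookup service indexes millions of plaintexts, but the mechanism is the same precomputed digest-to-plaintext table.

```python
import hashlib
import re
import secrets
import string

# Constructed stand-in for a "previously cracked" corpus.
KNOWN_PLAINTEXTS = ["password", "letmein", "123456", "qwerty", "hunter2"]
ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Hex digest length -> candidate algorithms. Length alone cannot tell apart
# algorithms of the same size (MD5 and NTLM are both 32 hex characters),
# so identification is a hint to try, not a certainty.
LENGTH_HINTS = {32: ["md5", "ntlm"], 40: ["sha1", "ripemd160"], 64: ["sha256"], 128: ["sha512"]}


def identify_hash(digest):
    """Return the algorithms a hex digest could belong to (by length; heuristic)."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return []
    return LENGTH_HINTS.get(len(digest), [])


def build_lookup(plaintexts, algorithms=ALGORITHMS):
    """Precompute digest -> (algorithm, plaintext) for every known plaintext and algorithm."""
    table = {}
    for plaintext in plaintexts:
        for algorithm in algorithms:
            table[hashlib.new(algorithm, plaintext.encode()).hexdigest()] = (algorithm, plaintext)
    return table


LOOKUP = build_lookup(KNOWN_PLAINTEXTS)


def lookup_hash(digest, table=LOOKUP):
    """Reverse a digest if its plaintext was already 'cracked'; None otherwise."""
    return table.get(digest.lower())


def hash_text(text, algorithm="sha256"):
    """Hash arbitrary text with a named algorithm (the 'hash this for me' feature)."""
    return hashlib.new(algorithm, text.encode()).hexdigest()


def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Strong random password drawn from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    dumped = "5f4dcc3b5aa765d61d8327deb882cf99"  # md5("password"), the kind of value found in a dump
    print(identify_hash(dumped), lookup_hash(dumped))
    print(generate_password())
```

The lookup only works because these are unsalted, fast hashes: the same input always yields the same digest, so one precomputed table serves every dump. Passwords stored with a per-user salt and a slow KDF (bcrypt, scrypt, PBKDF2) produce a different digest per account, which is exactly why the “search known hashes” trick fails against them.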


Robert continued with a serious deep dive into a story about detecting the NSA’s complex Quantum Insert attacks. This topic has whole blog posts dedicated to it if you’re interested in what it is and how the NSA uses it. The short version: the attacker races a forged response to your machine ahead of the real server’s reply, so the tell-tale anomaly is two TCP segments on the same connection with the same sequence number but different payloads (often with different TTLs, since they travelled different paths). It would be easy enough to write a piece of code that sits on your computer and watches for that anomaly in your packets to detect whether you’re being MiTM’ed this way.
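The detector sketched above, as an added Python example that is neither code from the HackerKast nor from the linked detection research. It implements the widely published heuristic for Quantum Insert (the one Fox-IT’s detection work is built on): flag a segment that reuses a (flow, sequence number) already seen with different payload bytes, and record whether the TTL changed. The segments are constructed for the example; in practice they would be decoded from a live capture or pcap, which this example does not do.

```python
# Constructed server->client TCP segments for one connection (addresses are
# documentation ranges). Fields: src, sport, dst, dport, seq, ttl, payload.
SEGMENTS = [
    # The injected segment wins the race and arrives first: a redirect to a
    # hypothetical attacker-controlled host, with a TTL unlike the real server's.
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000, "seq": 1000, "ttl": 49,
     "payload": b"HTTP/1.1 302 Found\r\nLocation: http://redirect.example/\r\n\r\n"},
    # The real server's response to the same request: same seq, different bytes.
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000, "seq": 1000, "ttl": 54,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    # An ordinary retransmission of the real response: same seq, same bytes -> benign.
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000, "seq": 1000, "ttl": 54,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    # Next segment of the real stream: new seq, nothing to compare against.
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000, "seq": 1050, "ttl": 54,
     "payload": b"<body>hello</body></html>"},
    # A pure ACK carries no data and is never a Quantum Insert candidate.
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51000, "seq": 1075, "ttl": 54,
     "payload": b""},
]


def _same_bytes(a, b):
    """Equal over their overlap, so a shorter retransmission of the same data is not an alert."""
    n = min(len(a), len(b))
    return n > 0 and a[:n] == b[:n]


def find_quantum_inserts(segments):
    """Return one alert per (flow, seq) that carried two or more distinct payloads."""
    seen = {}    # (src, sport, dst, dport, seq) -> list of distinct (payload, ttl) observed
    alerts = []
    for s in segments:
        if not s["payload"]:
            continue
        key = (s["src"], s["sport"], s["dst"], s["dport"], s["seq"])
        prior = seen.setdefault(key, [])
        if any(_same_bytes(p, s["payload"]) for p, _ in prior):
            continue  # retransmission of bytes already seen
        if prior:
            first_payload, first_ttl = prior[0]
            alerts.append({
                "flow": key[:4],
                "seq": s["seq"],
                "first_ttl": first_ttl,
                "second_ttl": s["ttl"],
                "ttl_differs": first_ttl != s["ttl"],
                "first_payload": first_payload[:40],
                "second_payload": s["payload"][:40],
            })
        prior.append((s["payload"], s["ttl"]))
    return alerts


if __name__ == "__main__":
    for alert in find_quantum_inserts(SEGMENTS):
        print("possible Quantum Insert on %s:%d -> %s:%d seq=%d ttl %d vs %d" % (
            alert["flow"] + (alert["seq"], alert["first_ttl"], alert["second_ttl"])))
        print("  first :", alert["first_payload"])
        print("  second:", alert["second_payload"])
```

Keying on the full 4-tuple plus sequence number keeps unrelated connections from colliding, and comparing only the overlapping bytes avoids false positives from segments that were legitimately re-sent in smaller pieces. The TTL difference is recorded as corroboration rather than a trigger: a real server behind a load balancer can legitimately answer from hosts with different hop counts, so the payload mismatch stays the primary signal.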

The last complete tangent we went off on was about ad blocking, a subject near and dear to our hearts. The story in question detailed how popular ad-blocking software is getting and how Google feels about it. A notable quote from Google’s CEO essentially says that people use ad blockers to block “annoying” ads, so the way to make blockers less popular is to make ads less annoying. We all got a laugh about how “annoying” malware, user tracking, loss of privacy, bandwidth usage, power consumption, etc. all are.

Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


SSLLabs per .gov site

Chinese hackers breach federal government’s personnel office

DuckDuckGo Crypto Hacks

How to detect NSAs Complex Quantum Insert Attacks

Google’s Larry Page was asked whether he was worried about the rise of ad blockers — here’s what he said

Adblocking And The End Of Big Advertising

Notable stories this week that didn’t make the cut:

Apple’s Tim Cook Delivers Blistering Speech On Encryption, Privacy

Good luck USA, China and Russia Promise Not To Hack Each-Other

SourceForge Has Now Seized Nmap Project Account

Hijacking Whatsapp Accounts

SEA Hacks

U.S. Army public website compromised

Sony Hack Movie in the Works from Oscar-Nominated Team (Exclusive)

Twitter Shuts Down Political Transparency Tool Politwoops

FBI official: Companies should help us ‘prevent encryption above all else’

Tags: NSA