
#HackerKast 39: MLB Astros Hacked By Cardinals, Duqu 2.0, More Ad Blocking News and RIP Microsoft Ask Toolbar

Hey everybody and welcome to another week in Internet Security. Robert and I were trying our best to stay above water with Tropical Storm Bill hitting Southern Texas while Jeremiah was making us jealous with his palm trees and blue skies in Hawaii. I’ll remember that one Jer…

Back on topic, our first story was some shameless self-promotion, with Jeremiah talking about eSecurityPlanet doing a story on the Top 20 Influencers in the security industry. He happened to make the list himself, but there are a lot of other notable names on there with links to lots of good research going on. Notable for me was our friend Dan Goodin, who is a journalist that we link to a lot in HackerKast and is the first to cover many security news stories. Kudos to all.

Next, some news broke right before we started recording that was super interesting about some MLB teams getting into the hacking space. Turns out a former employee of the Houston Astros who left and now works for the St. Louis Cardinals never had his access turned off and was leveraging his old credentials. The Astros have some high-end scouting data that was put together with some cutting-edge “Moneyball” style metrics that the Cardinals wanted their hands on. The FBI has been brought in to investigate how far this incident went and to prosecute those at fault.

We moved on from the baseball hack to a security company admitting it got hacked, with Kaspersky coming out and talking about Duqu 2.0. Robert touched on this, and what made it interesting was that Duqu is almost certainly developed by a nation state, based on some of the evidence reported about it. The other major interesting tidbit is that Duqu, at some point, stole a valid Foxconn SSL certificate, which allowed the malware to bypass a lot of first lines of defense. By using a valid cert, Duqu wouldn’t trip many of the alarms that normal malware would upon entering a network. Robert also mentioned that in light of this, Foxconn should probably be doing some forensics and incident response to figure out how their certificate was stolen.

Couldn’t make it out of another HackerKast without talking about one of our favorite topics, ad blocking. There was an article this week in Wired which discusses the differences in ad blocking on desktop platforms and mobile devices. Since browser extensions have become so prevalent and are cutting into the wallets of certain advertisers, *cough*Google*cough*, there is a movement towards pushing users to use specific apps for content that they’d like to digest. Robert discusses an example with CNN, where it would push users to use the CNN mobile app, where they control the content fully and there would be no such thing as ad blocking.

Staying on the ad topic, Microsoft put out a research paper about serving web ads locally from your own computer. Think of this as a super cache which would have some implications on bandwidth, load time, ad blocking, and some malware-related consequences. The major motivation here is almost certainly avoiding ad blocking, since the ads are not loading dynamically from the web. Jer joked that he hopes chmod 000 will be a thing for that folder.

Lastly, we finish off with a Dan Goodin story with the witty title of “Ding Dong, the witch is dead”, referring to Microsoft finally bringing the hammer down on the Ask Toolbar. Microsoft’s malware team and suite of software, including Microsoft Security Essentials, will now flag the Ask Toolbar, most notably bundled by default with Oracle products such as Java, as unwanted software. The criterion for this flagging is software that includes “unwanted behavior, delivery of unwanted advertising, and a loss of user’s privacy”. The other speculation we made was that this would save Microsoft millions of dollars in customer service calls from unsavvy users who accidentally installed it and want to know how to remove it from Internet Explorer. We all smell lawsuits on the horizon, and it will be an interesting one to watch.

Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone.

Join the conversation over on Twitter at #HackerKast or write us directly @jeremiahg, @rsnake, @mattjay


20 Top Security Influencers

Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network

The Duqu 2.0 hackers used a Legitimate digital certificate from Foxconn in the Kaspersky attack.

Apple’s Support for Ad Blocking will Upend How the Web Works

A Microsoft Research paper considers serving web-ads from your own computer

Ding dong, the witch is dead: Microsoft AV gets tough on Ask Toolbar

Notable stories this week that didn’t make the cut:

FBI seizes Computers Involved in Massive Celeb Nude Leak

Report: Hack of government employee records discovered by product demo

Catching Up on the OPM Breach

Bing to Start Encrypting Search Traffic

LastPass Hacked – Email Addresses and Password Reminders and More Compromised

Stealing Money from the Internet’s ATMs or Paying for a Bottle of Macallan

Using the Redis Vulnerability to Patch Itself