Vulnerabilities-Web Application Security-WhiteHat HackerKast

#HackerKast 43: Ashley Madison Hacked, Firefox Tracking Services and Cookies, HTML5 Malware Evasion Techniques, Miami Cops Use Waze

Hey Everybody! Welcome to another HackerKast. Lets get right to it!

We had to start off with the big story of the week which was that Ashley Madison got hacked. For those of you fortunate enough to not know what Ashley Madison is, it is a dating website dedicated to members who are in relationships and looking to have affairs. This breach was a twist from most other breaches as the hacker is threatening to release all of the stolen data unless the website shuts its doors for good. Ashley Madison’s upcoming IPO could also be messed up now that the 7 million user’s data are lost and no longer private. Our friend Troy Hunt also posted a business logic flaw that allowed you to harvest registered email addresses from the forgot password functionality that didn’t rely on the leaking of the breach.

Next, in browser news, Robert was looking at an about:config setting in Mozilla Firefox that can turn off tracking services and cookies. Some studies that looked into this measured that, with this flag turned off, load time went down by 44% and bandwidth usage was down 30%. This flag is a small win for privacy but still leaks user info to Google but not to a lot of other sites. Not a perfect option since you can use a lot of browser add-ons that do a better job but this one is baked into Firefox. This is a huge usage statistic that people’s bandwidth and load time improved so drastically.

In related news, an Apple iAd executive left Apple and made some noise on his way out. He seemed to be frustrated that Apple has tons of user’s data and since they respect some level of privacy they are not living up to their full potential. This is good news for you and I who care about privacy. Where it gets worse is that he left to go to a company called Drawbridge which is focused on deanonymizing users based on lots of data of shared wifi networks, unique machine IDs, etc.

I liked this next story since it is a creative business logic issue which are always my favorite. This issue was involved with the mobile GPS directions app called Waze. What Waze does is uses crowd sourcing in order to provide real time traffic data to help reroute users around jams with a more accurate and speedier result. The other major use of Waze is reporting cops and speed traps on the road. Turns out that cops have caught wind of this and I’m assuming it’s hit their fine-based economy bottom line because hundreds of cops in Miami downloaded the app and start submitting fake cop reports. By doing this the information becomes a lot less reliable for users and cops can probably catch more people. We discussed the ethics here and whether Google (who owns Waze) would want to go toe-to-toe on this issue.

Next up, we touched on this year’s State of Application Security Report that is put out by SANS Institute every year. We didn’t go through the whole thing due to time constraints but it is full of interesting data as usual. They broke up this report into 2 major sections that they studied, Builders & Defenders. Some of the major pain points were Asset Management, such as finding every Internet facing web application which is always a challenge. Another was modifying production code and potentially breaking the app in lieu of trying to fix a security issue. The builders on the other hand were basically the inverse which was focused on delivering features and time to market. Builders also feel they are lacking knowledge in security which has been a known issue for a long time.

Last up was some straight up web app research which is always a lot of fun. Some research recently came out and was expanded on that proved that drive by download malware could avoid detection by using some common HTML5 APIs. One popular technique to download malware to a user’s machine is to chunk up the malware upon download and then reassemble it all locally later. A lot of malware detection has caught up to this and it gets detected. The same malware that would be detected using traditional methods was undetected using some combination of HTML5 techniques such as localStorage, Web Workers, etc. Great research! Looking forward to more follow ups on this.

Thanks for listening! Check us out on iTunes if you want an audio only version to your phone. Subscribe Here

Join the conversation over on Twitter at #HackerKast

or write us directly @jeremiahg, @rsnake, @mattjay


Ashely Madison Hacked

Your affairs were never discreet – Ashley Madison always disclosed customer identities

Firefox’s tracking cookie blacklist reduces website load time by 44%

Former iAd exec leaves Apple, suggests company platform is held back by user data privacy policy

Miami Cops Actively Working to Sabotage Waze with Fake Submissions

2015 State of Application Security: Closing the Gap

Researchers prove HTML5 can be used to hide malware

Notable stories this week that didn’t make the cut:

Self Driving Cars Could Destroy Fine Based Economy

Hackers Remotely Kill a Jeep on the Highway—With Me in It

Redstar OS Watermarking

The Death of the SIM card is Nigh

How I got XSS’d by my ad network

FTC Takes Action Against LifeLock for Alleged Violations of 2010 Order

OpenSSH Keyboard Interactive Authentication Brute Force Vuln

NSA releases new security tool

Tags: Google