Industry Observations-Web Application Security-WhiteHat HackerKast

#HackerKast 9: .NET Goes Open Source, “SChannel” Vulnerability and Browserstack’s Breach Report

“Oh. My. God. Becky, look at that .NET code”

Leading story of this week’s HackerKast was about Microsoft choosing to open source .NET on GitHub. This is a pretty huge deal and a bold move from the big wigs up in Seattle. The issue here? Everybody has access to the source code, good and bad people alike. Robert is a bit pessimistic, understandably so. The thing we all agree on is that right out of the gate starting today there will be new vulnerabilities found. The real question comes down to which side puts in more diligence in flushing out the low-hanging fruit first. After that, things will be mostly unchanged from the current state except with the added benefit of the community getting to find and even help fix vulnerabilities via pull requests.

Next, Jeremiah dug into a new breach report from the team over at Browserstack. Really cool service that if you’re not familiar with you should go check out. Turns out they were hacked by Shellshock, cleaned it up, did a post mortem, and (most importantly to us) published their lessons learned! Super interesting incident response writeup so go check it out. Side note: The other company I was referring to in the video was CodeSpaces going out of business due to their AWS getting hacked in a similar fashion.

Robert followed that up with an overview of some of the recent TOR news about the Silk Road clones getting taken down by law enforcement. The interesting point here is that none of us know for sure how the feds found the actual location of the TOR Hidden Services. TOR did a great job by putting out a response blog of possibilities of how these things got decloaked. The most AppSec related avenue of attack TOR mentioned was SQL Injection which could possibly be a cause of deanonymizing the server.

I rounded this week’s HackerKast out by getting the word out about the latest major Microsoft 0-Day. This time the culprit is the Secure Channel or “SChannel” package that is used to turn on SSL/TLS implementations on all sorts of Windows Server boxes going back to 2003. The bug found was a remote code execution and can lead to some seriously nasty compromise. Now that this has been announced and the severity is well understood, the attackers will be all over this in a matter of days so please go patch!

Resources:

Microsoft Security Bulletin MS14-066 – Critical

BrowserStack Explains The Hacking Attack With Honesty And Maturity

Both Of The Men Accused Of Running The Silk Road Made The Exact Same Mistake

Tags: shellshock, vulnerability