In what is becoming a regular occurrence, black and white hat hackers hit the headlines for their work, with two extremely high-profile examples of what they can achieve. Both of the hacks received major media coverage, and while one may be more serious than the other, the plain truth is that we are living in a connected world where nobody is safe.
If folks in the United States were worried about the Edward Snowden revelation about the PRISM telecommunications surveillance program, the latest potential threat to the security and privacy of users takes this to a whole other level — and this time on a far bigger scale.
According to NowSecure’s Ryan Welton at the Blackhat Summit in London, a whopping 600 million Samsung Galaxy users may be at risk with a security flaw in the devices’ keyboard software.
According to an Ars Technica report, “the Samsung exploit works through a weakness in the software, which occasionally scans for updates. Hackers can interfere with this process, installing malware that could allow them to remotely control a wide range of the phone’s functions…[including] monitoring the camera and microphone, reading incoming and outgoing text messages, and installing malicious apps.”
June 2, 2015 by Sanjay Zalavadia
The Internet of Things (IoT) places a great deal of pressure on security testers to ensure that applications on these appliances will be protected from threats.
IoT has become the new buzzword across industries, with many organizations scrambling to accommodate the trend. IoT implies that there will be a lot more connected devices than laptops, smartphones and tablets. Employees are likely to add wearables, coffeemakers and other objects to the new network in order to reap all the benefits IoT has to offer.
However, this year, they’ve totally upped the ante — to the infinite degree. In fact, according to Entrepreneur, “Google has changed the nature of the prize money at stake…It now goes all the way up to $∞ million.”
Prizes in the hackathon range from $500 up to a new high of $50,000, and there’s no limit on the reward pool, but that could always be scrapped at the drop of a hat. Google says that the changes “are meant to lower the barrier of entry, and remove the incentive for hackers to sit on discovered bugs until the annual competition.”
Dave is a former application developer and security consultant, and now a Gold-rated security tester in the uTest Community. Over the years he’s found too many vulnerabilities to count, including a particularly scary one at a top-tier streaming media company.
Dave is a member and contributor to the Open Web Application Security Project (OWASP) and resides in Texas, USA. He holds CISSP and CSSLP security certifications.
Peter Kim has been in the information security industry for the last 10 years and has been a penetration tester for the last seven. He is the author of the best-selling computer hacking book, ‘The Hacker Playbook: Practical Guide to Penetration Testing.’ He was the lead penetration tester for the U.S. Treasury and Financial Management Systems.
In addition, he was a penetration tester for multiple utility companies, Fortune 1000 entertainment companies, government agencies, and the Federal Reserve. He also gives back to the security community by teaching penetration testing courses at a community college, and creating and maintaining one of the largest security communities in the Santa Monica, CA area. He has also spoken at multiple security conferences. You can find him at his blog Secure Planet.
In this Q&A, uTest spoke with Peter about some of the more memorable vulnerabilities he has come across while hacking web apps, what he thinks of Apple Pay, and why his book is used in college coursework. Stay tuned at the end of the interview for a chapter excerpt from ‘The Hacker Playbook,’ currently the number one-selling software testing book on Amazon.
uTest: You’ve been in security and pen testing for a while now. Without giving out too many specifics, what was one of the more surprising or memorable lapses in judgment you have come across while ethically hacking web applications?
Peter Kim: I could write a book just on this question. I mean, I’ve seen it all, from a single company having 20+ different SQLi vulnerable public web applications, default credentials into their whole camera system, PII data leaks from major e-commerce sites, all the way to having access into equipment that controlled certain types of SCADA utility networks.
The funniest one I came across was about five years ago. A major AV vendor had all their clients talking back to their central web application over HTTP APIs. Sniffing the traffic, I was able to gain the administrative credentials in clear text from a client. Once I logged into the web application, I was able to modify the update agents within the web interface to force the end user to download a malicious file and execute it on the host systems.
We all had a good laugh, because what was meant to protect the network allowed us to compromise the network, and, ironically, the companies that advocated security had one of the worst IT security practices.
Continuing in the Security State of Mind here at the uTest Blog today, some of you may remember that we reported last week that the 2014 SyScan conference was offering a $10,000 bounty for any tester who was able to remotely access a Tesla Model S’ automobile operating system.
That open challenge didn’t last too long, apparently.
According to The Register, students from Zhejiang University late last week were able to take control of the automobile remotely while it was driving, gaining access to its doors and sunroof by opening them, switching on the headlights, and, for some giggles, sounding the horn, too.
If you’ll remember, Tesla didn’t play any part in this open challenge to hackers at the Chinese conference, but it did issue a statement supporting “the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” hoping “security researchers will act responsibly and in good faith.” Opening the doors while the car is driving doesn’t sound too responsible to me, but that just underscores the fact that this is something definitely worth looking into on the part of Tesla.
I know a little company that could help.
Data breaches, hacking, and other security leaks have been in the news for months now. Earlier this year, the Heartbleed bug affected the data security at big names like Google, Yahoo, Instagram, Pinterest, and Netflix. Organizations of all sizes from coast to coast are constantly dealing with security threats and breaches. New York suffered 900 data breaches last year, according to a report from the State Attorney General. In California, an insurance company inadvertently exposed the social security numbers of 18,000 doctors on a public web site.
It seems that the trend of big data breaches making the news is not stopping. This PC World article points out the 5 biggest data breaches of 2014 so far and the list includes recognizable names like eBay, Michaels Stores, and the Montana Department of Public Health. All of this media attention puts the security industry – and security testing – in the spotlight.
You can get up to speed on security testing using our course track, which includes:
Bug bounties are a dime a dozen these days with companies from Facebook to Microsoft paying out hefty ransoms of up to $100,000 for testers that find critical vulnerabilities. But this latest bug bounty may have just taken security testing into the future…and to a whole other level of awesomeness.
According to the International Business Times, the 2014 SyScan conference will be offering a $10,000 bounty for any tester who is able to remotely access a Tesla Model S’ automobile operating system. The luxury electric car manufacturer isn’t behind the stunt, but one of the sleek models will still be on hand for conference attendees. Anyone who registers for the security show, beginning this week in Beijing and one of the most well-known in Asia, is eligible to take the challenge.
The bounty seeks to highlight the most vulnerable of areas that black hat testers could seek to exploit: the link between a driver’s mobile phone and the car’s onboard computer system.
Personally, I’d want the sweet ride that I had just hacked into versus the cash bounty, but that’s just me.
What do you think? Is the Tesla hackathon the beginning of a new dawn for security testers? Would you have what it takes to hack into an automobile operating system that is widely thought to be pretty iron-clad? Sound off in the comments below.
In the second part of this two-part interview, application security expert Dave Ferguson talks about the security testing landscape, top security tools and the job market for AppSec professionals. Be sure to follow Dave on Twitter @dferguson_usa or his blog, and get to know him along with the first part of our interview.
uTest: You tend to hear about breaches and security the most when they hit consumers’ wallets (i.e. Target). Is retail, for instance, more vulnerable than another industry right now?
DF: Higher education has a constant stream of data breaches as well, but retailers are definitely a huge target (no pun intended). Retailers process payments and handle personally identifiable information, but they don’t often have a culture of security like a financial services company, government, or defense contractor. They also don’t have big security budgets or vast resources like those other types of organizations. I have a feeling retailers are starting to devote more attention to security now, though.
uTest: Do you think that something as huge as Heartbleed awakened some organizations that may have otherwise been lax in certain areas of their security strategies?
DF: Absolutely. The Target data breach and the Heartbleed flaw in the OpenSSL library have spurred action within many organizations. Company executives and boards of directors want some assurance that they are not vulnerable. Increased security testing of applications, especially Internet-facing apps, is going to be a major component of that.
uTest: What’s changed the most in the security testing landscape just in the past couple of years?
DF: The most dramatic change is that formal bug bounty programs are now being rolled out by many organizations. This would have been a very radical idea just a few years ago. A bug bounty program defines rules of engagement and offers cash rewards to security researchers who find vulnerabilities and disclose them in a responsible manner. Bug bounties are a welcome change. I wish the streaming media company I had contacted had such a program back in 2006!
Two other changes I’ve seen are a dramatic increase in the need for security testing of mobile applications, and a realization that the security of third-party software components needs to be verified.
Our guest in this installment of Testing the Limits is Dave Ferguson, a former software developer and specialist in Application Security since 2006. As a consultant, he tested for security holes in countless web applications. Dave also taught developers about security in a formal classroom setting to help them understand how to write secure code. For three years, he held QSA and PA-QSA qualifications from the Payment Card Industry Security Standards Council (PCI-SSC).
In the first part of this two-part interview, Dave talks about where organizations’ apps are most vulnerable today, and how he contacted a top-tier streaming media company about a major hole in their security.
uTest: You’re a web application security professional. How and why did you break into this subset of security?
DF: I was an application developer and manager for over a decade, and didn’t give much thought to security at all. In fact, I’m sure I coded my share of vulnerabilities over the years. Eventually I discovered this knack for finding unexpected bugs in our software, such as URL manipulation to view another person’s data. It wasn’t my job to test for security bugs. It just came from being a curious fellow and wanting to understand how the application would behave if I tried to do “X” as an end user. The QA teams were certainly not finding these types of bugs. In 2004, I decided to pursue a career in the field of Application Security and by 2006, had a full-time job doing penetration testing of web applications.
In fact, don’t do anything in Internet Explorer. At least that’s the advice of both the US and UK governments, along with nearly every major tech publication. Why? Because a recently discovered exploit in the popular web browser could – maybe, possibly – be used to hijack your computer.
Here are the details of this new bug, courtesy of CNN:
If you’re using Internet Explorer and click on the wrong link, a hacker could hijack your computer. Microsoft is racing to address a weakness in its popular Web browser that security experts at FireEye revealed over the weekend. The researchers discovered that hackers have exploited the bug and created a new type of attack.
This is how it works: Hackers set up a website that installs malware when you visit it. If you’re duped into visiting the website while using the Internet Explorer program, malware seeps into your computer and gives a stranger total control. You might not even notice.
Not to downplay the issue – as Microsoft has admitted the existence of the flaw, and is working around the clock on a fix – but one has to wonder whether this exploit would have been as sensationalized if it had not been for the Heartbleed bug from a few weeks back. I suppose we can only speculate.
In any event, what we know for certain is that this exploit is fundamentally similar to almost every other serious exploit, in that it could lead to compromised personal data. Once said hacker has control of your PC, he or she would also have access to your email, your passwords – basically, everything you wouldn’t want them to have. But as CNN notes, because this is a Windows-specific bug, it comes with a few caveats and complications. First and foremost, the coming security patch will not be applied to anything older than Windows 7:
It’s worse for those using Windows XP, because Microsoft no longer supports that operating system with security patches. To them, Microsoft says: Go upgrade to Windows 7 or 8.1.
And then, of course, is the fact that the world essentially runs on Windows:
But this bug is more omnipresent than it seems. Lots of machines use Windows — bank ATMs, point of sale systems, restaurant seating tools — and Internet Explorer is their default browser. If hackers manage to send them to a bad website, that machine is now under their control. It won’t be easy, but it’s possible.
“You don’t think of them as Windows PCs running software,” said Paco Hope, a consultant with software security firm Cigital. He advises that businesses talk to equipment vendors to determine how vulnerable they are.