UPDATE: $10,000 Tesla Hacking Challenge Accepted…and Defeated

Continuing in the Security State of Mind here at the uTest Blog today, some of you may remember that we reported last week that the 2014 SyScan conference was offering a $10,000 bounty for any tester who was able to remotely access a Tesla Model S’ automobile operating system.

That open challenge didn’t last too long, apparently.

According to The Register, students from Zhejiang University late last week were able to take control of the automobile remotely while it was driving, gaining access to its doors and sunroof by opening them, switching on the headlights, and, for some giggles, sounding the horn, too.

If you’ll remember, Tesla didn’t play any part in this open challenge to hackers at the Chinese conference, but it did issue a statement supporting “the idea of providing an environment in which responsible security researchers can help identify potential vulnerabilities,” hoping “security researchers will act responsibly and in good faith.” Opening the doors while the car is driving doesn’t sound too responsible to me, but that just underscores the fact that this is something definitely worth looking into on the part of Tesla.

I know a little company that could help.


Learn Security Testing Basics at uTest University

Data breaches, hacking, and other security leaks have been in the news for months now. Earlier this year, the Heartbleed bug affected the data security at big names like Google, Yahoo, Instagram, Pinterest, and Netflix. Organizations of all sizes from coast to coast are constantly dealing with security threats and breaches. New York suffered 900 data breaches last year, according to a report from the State Attorney General. In California, an insurance company inadvertently exposed the social security numbers of 18,000 doctors on a public web site.

It seems that the trend of big data breaches making the news is not stopping. This PC World article points out the 5 biggest data breaches of 2014 so far and the list includes recognizable names like eBay, Michaels Stores, and the Montana Department of Public Health. All of this media attention puts the security industry – and security testing – in the spotlight.

You can get up to speed on security testing using our course track, which includes:

Continue Reading

Tesla $10,000 Hacking Challenge: The Beginning of a New Era for Security Testers?

Bug bounties are a dime a dozen these days with companies from Facebook to Microsoft paying out hefty ransoms of up to $100,000 for testers that find critical vulnerabilities. But this latest bug bounty may have just taken security testing into the future…and to a whole other level of awesomeness.

According to the International Business Times, the 2014 SyScan conference will be offering a $10,000 bounty for any tester who is able to remotely access a Tesla Model S’ automobile operating system. The luxury electric car manufacturer isn’t behind the stunt, but one of the sleek models will still be on hand for conference attendees. Anyone who registers for the security show, beginning this week in Beijing and one of the most well-known in Asia, is eligible to take the challenge.

The bounty seeks to highlight the most vulnerable of areas that black hat testers could seek to exploit: the link between a driver’s mobile phone and the car’s onboard computer system.

Personally, I’d want the sweet ride that I had just hacked into versus the cash bounty, but that’s just me.

What do you think? Is the Tesla hackathon the beginning of a new dawn for security testers? Would you have what it takes to hack into an automobile operating system that is widely thought to be pretty iron-clad? Sound off in the comments below.

Testing the Limits with Dave Ferguson, Application Security Expert: Part II

In the second part of this two-part interview, application security expert Dave Ferguson talks about the security testing landscape, top security tools and the job market for AppSec professionals. Be sure to follow Dave on Twitter @dferguson_usa or his blog, and get to know him along with the first part of our interview.

uTest: You tend to hear about breaches and security the most when they hit consumers’ wallets (i.e. Target). Is retail, for instance, more vulnerable than another industry right now?

DF: Higher education has a constant stream of data breaches as well, but retailers are definitely a huge target (no pun intended). Retailers process payments and handle personally identifiable information, but they don’t often have a culture of security like a financial services company, government, or defense contractor. They also don’t have big security budgets or vast resources like those other types of organizations. I have a feeling retailers are starting to devote more attention to security now, though.

uTest: Do you think that something as huge as Heartbleed awakened some organizations that may have otherwise been lax in certain areas of their security strategies?

DF: Absolutely. The Target data breach and the Heartbleed flaw in the OpenSSL library have spurred action within many organizations. Company executives and boards of directors want some assurance that they are not vulnerable. Increased security testing of applications, especially Internet-facing apps, is going to be a major component of that.

uTest: What’s changed the most in the security testing landscape just in the past couple of years?

DF: The most dramatic change is that formal bug bounty programs are now being rolled out by many organizations. This would have been a very radical idea just a few years ago. A bug bounty program defines rules of engagement and offers cash rewards to security researchers who find vulnerabilities and disclose them in a responsible manner. Bug bounties are a welcome change. I wish the streaming media company I had contacted had such a program back in 2006!

Two other changes I’ve seen are a dramatic increase in the need for security testing of mobile applications, and a realization that the security of third-party software components needs to be verified.

Continue Reading

Testing the Limits with Dave Ferguson, Application Security Expert: Part I

Our guest in this installment of Testing the Limits is Dave Ferguson, a former software developer and specialist in Application Security since 2006. As a consultant, he tested for security holes in countless web applications. Dave also taught developers about security in a formal classroom setting to help them understand how to write secure code. For three years, he held QSA and PA-QSA qualifications from the Payment Card Industry Security Standards Council (PCI-SSC).

Dave currently serves as the Application Security Lead at a multibillion dollar travel technology company in the USA. You can find him on Twitter or over at his blog.

In the first part of this two-part interview, Dave talks about where organizations’ apps are most vulnerable today, and how he contacted a top-tier streaming media company about a major hole in their security.

uTest: You’re a web application security professional. How and why did you break into this subset of security?

DF: I was an application developer and manager for over a decade, and didn’t give much thought to security at all. In fact, I’m sure I coded my share of vulnerabilities over the years. Eventually I discovered this knack for finding unexpected bugs in our software, such as URL manipulation to view another person’s data. It wasn’t my job to test for security bugs. It just came from being a curious fellow and wanting to understand how the application would behave if I tried to do “X” as an end user. The QA teams were certainly not finding these types of bugs. In 2004, I decided to pursue a career in the field of Application Security and by 2006, had a full-time job doing penetration testing of web applications.

Continue Reading

Don’t Read This Post in Internet Explorer

In fact, don’t do anything in Internet Explorer. At least that’s the advice of both the US and UK governments, along with nearly every major tech publication. Why? Because a recently discovered exploit in the popular web browser could – maybe, possibly – be used to hijack your computer.

Here are the details of this new bug, courtesy of CNN:

If you’re using Internet Explorer and click on the wrong link, a hacker could hijack your computer. Microsoft is racing to address a weakness in its popular Web browser that security experts at FireEye revealed over the weekend. The researchers discovered that hackers have exploited the bug and created a new type of attack.

This is how it works: Hackers set up a website that installs malware when you visit it. If you’re duped into visiting the website while using the Internet Explorer program, malware seeps into your computer and gives a stranger total control. You might not even notice.

Not to downplay the issue – as Microsoft has admitted the existence of the flaw, and is working around the clock on a fix – but one has to wonder whether this exploit would have been as sensationalized if it had not been for the Heartbleed bug from a few weeks back. I suppose we can only speculate.

In any event, what we know for certain is that this exploit is fundamentally similar to almost every other serious exploit, in that it could lead to compromised personal data. Once said hacker has control of your PC, he or she would also have access to your email, your passwords – basically, everything you wouldn’t want them to have. But as CNN notes, because this is a Windows-specific bug, it comes with a few caveats and complications. First and foremost, the coming security patch will not be applied to anything older than Windows 7:

It’s worse for those using Windows XP, because Microsoft no longer supports that operating system with security patches. To them, Microsoft says: Go upgrade to Windows 7 or 8.1.

And then, of course, is the fact that the world essentially runs on Windows:

But this bug is more omnipresent than it seems. Lots of machines use Windows — bank ATMs, point of sale systems, restaurant seating tools — and Internet Explorer is their default browser. If hackers manage to send them to a bad website, that machine is now under their control. It won’t be easy, but it’s possible.

“You don’t think of them as Windows PCs running software,” said Paco Hope, a consultant with software security firm Cigital. He advises that businesses talk to equipment vendors to determine how vulnerable they are.

Continue Reading

5 New Developments Related to the Heartbleed Bug

With vulnerabilities on giant servers like Google, Amazon, Twitter and Facebook, the Heartbleed Bug is one of the largest security mishaps to ever hit the Internet.

But as the story unfolds, there are a few details that may come as a surprise. Here is a list of Heartbleed’s most recent developments.

1. One arrest has been made.

Canadian police arrested 19-year-old Solis-Reyes in London, Ontario last week. He is accused of exploiting the Heartbleed Bug vulnerability to steal social security numbers from servers of Canada’s tax collection agency and is charged with one count of mischief in relation to the data.

The accusation comes two days after the Canada Revenue Agency announced that the sensitive information of 900 Canadians had been compromised. But law enforcement has not made any direct connection.

The teenager’s lawyer tells a story of when Solis was only 14 and proved that his high school’s computer system was vulnerable to hacking when administration didn’t believe him. It’s very possible that when the Heartbleed Bug news hit mainstream media, he became curious and tested it out for himself. On Tuesday, Solis-Reyes turned himself in.

2. The company responsible for the OpenSSL software has just 1 full-time employee.

The breach was the result of a flaw in OpenSSL, a platform designed to provide users with a free set of encryption tools that prevent hackers from obtaining user data.

The irony is that although two-thirds of all websites use this software, the foundation’s revenue stream is so insignificant that it can’t afford a full security audit or to pay a full staff. Therefore, the foundation is comprised of 1 full time employee and 10 volunteers.

Steve Marquess, founder of OpenSSL Software Foundation, released an open statement explaining:

“These guys don’t work on OpenSSL for money. They don’t do it for fame (who outside of geek circles ever heard of them or OpenSSL until “heartbleed” hit the news?). They do it out of pride in craftsmanship and the responsibility for something they believe in.”

Continue Reading

Protecting Yourself Against the Heartbleed Bug

By now, you’ve probably heard about the massive security flaw known as the Heartbleed bug. If you haven’t, then here’s a quick summary:

Heartbleed is a flaw in OpenSSL. Occasionally, one computer may want to check that its secure connection to another computer is still alive. To do so, it sends out a small packet of data that asks for a response – like a heartbeat.

However, researchers discovered that it was possible to send a well-disguised packet of data that looked like one of these heartbeats and trick the computer at the other end into sending back data stored in its memory. To make matters worse, it has recently been realized that the flaw has been present in OpenSSL for the past two years and that exploiting it doesn’t leave much of a trace.
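The missing check that the paragraph above describes, as an added C example that is not code from the original post or from OpenSSL: a toy heartbeat handler that trusts the length field in the header, beside one that, in the shape of the OpenSSL 1.0.1g fix, verifies the claim against the number of bytes actually received. The "peer memory" and the SECRET-KEY-MATERIAL bytes are constructed for the demo, and the buffers are sized so that the unchecked copy stays inside the constructed array.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  0x01
#define HB_RESPONSE 0x02
#define HB_PADDING  16u  /* heartbeat messages carry at least 16 bytes of padding */
#define RECORD_LEN  24u  /* 3-byte header + 5-byte payload + padding, as received */

/* Constructed stand-in for the responder's memory: the 24-byte record
 * followed by unrelated bytes that merely sit next to it. The honest and
 * forged copies differ only in the length field of the header. */
static const uint8_t HONEST_MEMORY[43] = {
    HB_REQUEST, 0x00, 0x05, 'h','e','l','l','o',          /* claims 5 bytes, 5 present */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    'S','E','C','R','E','T','-','K','E','Y','-','M','A','T','E','R','I','A','L' };
static const uint8_t FORGED_MEMORY[43] = {
    HB_REQUEST, 0x00, 0x28, 'h','e','l','l','o',          /* claims 40 bytes, 5 present */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    'S','E','C','R','E','T','-','K','E','Y','-','M','A','T','E','R','I','A','L' };
static uint8_t scratch[128];   /* reply buffer shared by main() and the tests */

static size_t claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];   /* big-endian 16-bit length field */
}

/* Pre-fix shape: echoes as many bytes as the header claims; rec_len, the
 * number of bytes that actually arrived, is never consulted. */
size_t heartbeat_reply_vulnerable(const uint8_t *rec, size_t rec_len,
                                  uint8_t *out, size_t out_cap) {
    size_t n = claimed_len(rec);
    (void)rec_len;                               /* the missing check */
    if (3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);                 /* runs past the record when n > 21 */
    return 3 + n;
}

/* Post-fix shape (what the 1.0.1g fix added): header, claimed payload and
 * padding must all fit inside the record received, else the message is dropped. */
size_t heartbeat_reply_checked(const uint8_t *rec, size_t rec_len,
                               uint8_t *out, size_t out_cap) {
    if (rec_len < 3) return 0;
    size_t n = claimed_len(rec);
    if (1 + 2 + n + HB_PADDING > rec_len) return 0;   /* forged length: drop silently */
    if (3 + n > out_cap) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, n);
    return 3 + n;
}

/* 1 if the unchecked handler copies the adjacent "secret" bytes into its reply. */
int unchecked_handler_leaks(void) {
    size_t n = heartbeat_reply_vulnerable(FORGED_MEMORY, RECORD_LEN, scratch, sizeof scratch);
    return n == 43 && memcmp(scratch + RECORD_LEN, "SECRET-KEY-MATERIAL", 19) == 0;
}

int main(void) {
    printf("leaks: %d, checked reply bytes for forged record: %zu\n", unchecked_handler_leaks(),
           heartbeat_reply_checked(FORGED_MEMORY, RECORD_LEN, scratch, sizeof scratch));
    return 0;
}
```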

This raises several important questions, not only for testers and developers, but also for the average web user. Let’s take a look at a few in particular:

1. Are You Affected?
Probably. Since hundreds of thousands of sites were affected, chances are that you have used at least one of them on a fairly regular basis. While there is no way to tell with 100% certainty, many experts are urging people to take the necessary precautions, which leads us to our next key question…

2. How Can You Protect Yourself?
According to Business Insider, the best way to tackle this problem is to assume that the worst has already happened. Most major service providers are already updating their sites and taking proactive security measures, but you should also go through and change your passwords as well and assume that your accounts have already been compromised (as awful as that sounds).


CNET advises that you should check your financial statements over these next few days in order to ensure that your privacy is still intact and that your financial accounts have not been compromised. A hacker that has accessed a bank server, for instance, has likely snagged information regarding recent credit card activity.

3. What Passwords Should I Change?
Mashable has recently launched a list of the sites that you should strongly consider changing your passwords on, including:

  • Facebook
  • Tumblr
  • Google & Gmail
  • Yahoo & Yahoo Mail
  • Amazon Web Services
  • GoDaddy
  • Intuit (TurboTax)
  • Dropbox
  • LastPass
  • OKCupid
  • SoundCloud
  • Wunderlist

Continue Reading

Major Security Loophole in an Estimated Two-Thirds of Web Servers

If you haven’t already heard, today brought a huge piece of security news to the tech world.

Researchers reported that an estimated 66% of the world’s servers have been affected by a real-world crypto bug that could expose all types of sensitive data. This hits everything from online retailers to banks that offer online banking – you name it.

According to Dan Goodin of Ars Technica, the defect is in the cryptographic software library an estimated two-thirds of Web servers use to identify themselves to end users and prevent the eavesdropping of passwords, banking credentials, and other data:

The warning about the bug in OpenSSL coincided with the release of version 1.0.1g of the open-source program, which is the default cryptographic library used in the Apache and nginx Web server applications, as well as a wide variety of operating systems and e-mail and instant-messaging clients. The bug, which has resided in production versions of OpenSSL for more than two years, could make it possible for people to recover the private encryption key at the heart of the digital certificates used to authenticate Internet servers and to encrypt data traveling between them and end users. Attacks leave no traces in server logs, so there’s no way of knowing if the bug has been actively exploited. Still, the risk is extraordinary, given the ability to disclose keys, passwords, and other credentials that could be used in future compromises.

‘Bugs in single software or library come and go and are fixed by new versions,’ the researchers who discovered the vulnerability wrote in a blog post published Monday. ‘However this bug has left a large amount of private keys and other secrets exposed to the Internet. Considering the long exposure, ease of exploitations and attacks leaving no trace this exposure should be taken seriously.’

Continue Reading

4 Security Lessons From the Great Bitcoin Bug

Think twice before trusting us with your personal information…said no 21st century business ever. Whether it’s the swipe of a card at a local convenience store, or that social media app you always find yourself on, using software that could potentially compromise your information is the norm, not the exception.

We’d go insane if we worried about every single transaction that could lead to identity theft or a depleted bank account. So instead, we put our trust in the technical leadership of brands to avoid these disasters on our behalf. Most of the time, there’s nothing to worry about. Most of the time.

Mt. Gox, the world’s largest Bitcoin (digital currency) exchange, recently lost track of 740,000 Bitcoins, resulting in a projected $350 million loss after hackers allegedly planted a bug into the system. Here’s the scoop:

“In its announcement on Monday, Mt. Gox said that a bug in the Bitcoin software made it possible for someone to use the Bitcoin network to alter transaction details to make it appear that a Bitcoin transfer had not taken place when, in fact, it had.”

Mt. Gox reportedly handled about 80% of the world’s digital currency trading! Trading and withdrawals were halted, users returned to a blank page on their website, and the “cryptocurrency” industry is now dealing with a major blow to its validity. There are lessons to be learned from this heist on the Bitcoin network, both for software developers and for consumers alike. Here are four, in no particular order:

Lesson 1: If a system can be hacked, it will be hacked. Someone will always try to get their hands on valuable information. Whether it’s the stealing of credit card numbers directly, or the selling of emails and passwords on the internet, criminal hacking is a business – a very big business in fact. So stealing Bitcoins (a currency stored in virtual wallets and not backed by any country’s currency) and exchanging them for another currency? An internet thief’s dream come true. The same is true for any company really: If there is sensitive data to be had, it’s only a matter of time before someone goes looking for it.

Continue Reading