#HackerKast 29: China DDoS Github, IAB endorses SSL use in ads, Cisco praising Adblock, SEA hacks Bluehost and more, Goo

2015-04-04 04:10

Hey Everybody! Welcome to this week's HackerKast!

The first story we talked about this week was the latest DDoS attack on GitHub, which was coming from China this time. The fact that it was a DDoS wasn't the interesting bit; it was the method of DDoS we were focusing on. It turns out the avenue of attack here looked an awful lot like Jeremiah's and my BlackHat research on "Million Browser Botnet". The attackers were utilizing Baidu analytics JavaScript to force unknowing browsers to constantly reload two specific GitHub pages. Of course, this is slightly different from ad network delivery, but the concept is pretty much the same. The other scary part is that the attacking browsers were only about 1% of the Baidu analytics traffic; if this were ramped up significantly, who knows what it would have looked like.

Next, in a related ad network story, we talked about the IAB writing a blog post announcing they would encourage all their members and partners to utilize SSL properly. This got a chuckle from us because the advertising industry is advocating security. If this happens, SSL everywhere would be one step closer to being feasible without breaking ad networks. It would also have stopped China from Man-in-the-Middling these ads and injecting anything into them.

Also related, Jeremiah touched on a post put out by Cisco praising ad blocking to combat drive-by malware downloads. We all got a laugh out of this as we've been saying it for years, so for somebody like Cisco to say it is funny. None of us are against the idea of advertising completely, but it is dangerous on the Internet.

Back to the hacking, Robert talked about the Syrian Electronic Army hacking the umbrella company that owns BlueHost, Justhost, Hostgator, and more. Due to a few VPN hacks, the SEA is claiming they got access to the administrator panels on all of these shared hosting providers, and in turn their customers. This was a hacktivism-motivated event, since these shared hosting providers host Islamic State websites, which the SEA is against. We wrapped up this topic with some thoughts on overall shared hosting security; it seems to us like a big single point of failure on the web.

In other hacking news, a creative bounty hunter found some fun XSS recently and displayed it in a fun way. This researcher found an XSS bug in Google that not only worked on the .com domains but actually worked on *every* Google TLD around the world. This led them to create a YouTube video called “Google XSS World Tour” with some fun classical music and an ever redirecting browser demonstrating the XSS working on many international Google domains. One bug to rule them all… or something like that…

Last, we talked about a PHP file upload vulnerability that was found this week. It seems there is a core PHP function called move_uploaded_file which is vulnerable to a clever bug that avoids file type validation. With just the addition of a null byte at the end of your file name, you can upload any file type you'd like and execute malicious code on the PHP web server. With a quick search on GitHub for move_uploaded_file, we get 245,006 results of code using this vulnerable function.
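As an added example (not code from the HackerKast post or from PHP itself), here is an upload handler that never builds the destination path from the client-supplied file name, so a null byte in that name has nothing to truncate regardless of how the runtime handles it; the form field name "upload" and the storage directory are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a form field named
// "upload" and a storage directory outside the web root (both assumptions).

// Whitelist of permitted extensions and the MIME type the bytes must match.
const ALLOWED_TYPES = [
    'png' => 'image/png',
    'jpg' => 'image/jpeg',
    'pdf' => 'application/pdf',
];

function storeUpload(array $file, string $storeDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // The client name is attacker-controlled. Reject embedded NUL bytes and
    // path separators outright; strpos is binary-safe, so "\0" is found.
    $clientName = (string) ($file['name'] ?? '');
    if ($clientName === '' || strpos($clientName, "\0") !== false
        || strpbrk($clientName, "/\\") !== false) {
        throw new RuntimeException('invalid file name');
    }
    // Only the extension is taken from the client name, and it must be a
    // whitelist key, so "php", "phtml" or anything unexpected is refused.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        throw new RuntimeException('extension not allowed');
    }
    // Sniff the real content type from the bytes; $file['type'] is also
    // client-supplied and must not be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED_TYPES[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Destination built entirely server-side: random name, whitelisted
    // extension, fixed directory. Nothing from the request reaches the path
    // passed to move_uploaded_file.
    $dest = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640); // never executable; readable only by the app user/group
    return $dest;
}

// Usage: $path = storeUpload($_FILES['upload'], '/var/app/uploads');
```

The directory should also be served (if at all) with script execution disabled, so that even a mis-stored file is returned as data rather than run.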


Thanks for listening! Check us out on iTunes if you want an audio-only version on your phone. Subscribe Here
Join the conversation over on Twitter at #HackerKast
or write us directly @jeremiahg, @rsnake, @mattjay

Resources:
Syrian Electronic Army Hacks BlueHost, Justhost, Hostgator, Fastdomain, Hostmonster to go after Islamic State
Cisco recommends Adblock & Ghostery to combat malvertising
Google XSS World Tour
China’s Man-on-the-Side Attack on GitHub
Adopting Encryption: The Need for HTTPS
Exploiting PHP Upload Forms

Notable stories this week that didn’t make the cut:
Google to drop China’s CNNIC Root Certificate Authority after trust breach
Obama Declares War on Foreign Hackers
AllCrypt Hacked Using Brute Force and Password Reset
The old is new, again. CVE-2011-2461 is back!
Instagram API Bug Could Allow Malicious File Downloads
DEA Charged with Being Mole for Silkroad


Source: blog.whitehatsec.com/hackerkast-29-china-ddos-github-iab-endorses-ssl-use-in-ads-cisco-prais
