, , , ,

At AppSec USA in New York City this week, I had a fun time acting as host and moderator for the game show, “Wait, wait… don’t pwn me!” I thought it would be fun for you to see the questions that the panelists, and the audience, had to deal with within the hour. All of the questions came from news within the past week, which shows the sad state of affairs overall when it comes to application security in the wild.

Listen to the full recording of the session (Questions from the show listed below)

Bragging rights and the monogrammed OWASP flask went to Space Rogue. Hopefully, we can continue the contest at the next conference. Until then, try your luck with the actual questions we put to the panelist and audience.

Wait Wait Panel at AppSec USA 2013

Audience Limerick Challenge  (Audience member)

There once was a site that was stupid.
It failed when its system got rooted.
It was love at first byte
On this match making site
When black hats shot arrows through (Cupid)

Online dating service Cupid Media has been compromised exposing more than 42 million accounts including password unencrypted in plain text. Brian Krebs reported that the  data was found on the same servers as records stolen form Adobe and other organizations.

He really didn’t need a fat modem
What he used was seen as a token
With the things that he took
The government shook
And to Russia ran little boy (Snowden)

The system was built to ensnare
But the public was quick to despair
Because it’s a brick
Especially when sick
And you’re in need of (ObamaCare)

Bluff the Listener (Audience member)

Panelist each read a story. Audience member guesses which one is true

True or False

A Boston composer created a dance production based upon Anonymous, the hacker group.

It’s not everyday you see a dancers illustrating the formation of a botnet, or the damage done by a DDoS attack, with a flourish of modern dance movements, the frenetic sounds of electro-acuoustic beats and a classical musical ensemble. Yet that’s precisely what a Boston composer and NY choreographer have done to tell the story of the subversive online community Anonymous, through a unique dance production that premiered last weekend.

Pasted from <http://www.forbes.com/sites/parmyolson/2013/11/18/dance-production-brings-anonymous-to-the-stage/>

True or False

“You can’t have your privacy violated if you don’t know your privacy is violated” — US Congressman Mike Rogers

“You can’t have your privacy violated if you don’t know your privacy is violated, right? Maybe the fact that we haven’t had any complaints come forward with any specificity arguing that their privacy has been violated clearly indicates – in 10 years – clearly indicates that somebody must be doing something exactly right.” — US Congressman Mike Rogers


True or False

The NSA insists that transparency hurts Americans’ privacy because they, the NSA, aren’t looking at it anyway.

Answer: True
Robert Litt, the general counsel for the Office of the Director of National Intelligence, said that it would have a “privacy diminishing effect” if intelligence officials were forced to review every piece of data vacuumed up under its internet and phone surveillance programs. “Attempting to make this determination would require the intelligence community to research and review personally identifying information solely for the purpose of complying with the reporting requirements, even if the information has not been determined to contain foreign intelligence,” they argued. “Such an effort would conflict with our efforts to protect privacy.” Litt, while addressing the panel, added that such a requirement “would perversely” undermine privacy.

Pasted from <http://www.wired.com/threatlevel/2013/11/nsa-transparency-effect/>

This Week’s News

Questions from the week’s news. Panelists earn 2 points for each correct answer.

1- What Bletchley Park code breaker from World War II, died this week at the age of 92

Answer: Mavis Batey

Mavis Batey was a British student of 19, midway through her university course in German Romanticism, when she was recruited for a top-secret assignment during World War II. “This is going to be an interesting job, Mata Hari, seducing Prussian officers,” she recalled thinking years later. “But I don’t think either my legs or my German were good enough because they sent me to the Government Code and Cipher School.” Her code-breaking helped the Allies cripple the Italian navy in 1941 and assisted the 1944 Normandy invasion.


2 – What did Github do this morning in response to a brute force attack that resulted in compromised accounts?
Answer: Banned weak passwords

Popular source code repository service GitHub has recently been hit by a brute-force password-guessing attack that successfully compromised some accounts. GitHub plans to implement additional rate-limiting measures and will no longer allow users to log in with “commonly-used weak passwords” such as password1 and iloveyou2. But they will still allow password2 and iloveyou3.


3 – Google announced yesterday that it had upgraded all of its SSL certificates. What did the upgrade do?
Answer: Increased the RSA key length of 2048 bits

Google said Monday the move from 1024-bit RSA, announced in May, was completed a month ahead of schedule and the company would start issuing the longer keys immediately.  The upgrade was in response to a report by The Washington Post that the NSA had found a way to bypass the company’s security in collecting user data. Google was livid, responding “Not in MY house you don’t” as they changed all the locks on their doors, adding larger throw bolts.


4 – What company did Facebook try to buy for $3 billion dollars, only to get rejected by its 23 year old owner?
Answer: SnapChat

The real question is: what the hell is SnapChat and why would I even pay $3 for it.

5 – E-Sports Entertainment , an online gaming company, settled a complaint this week for $350,000. At issue was the company’s installation of what on subscribers computers?
Answer: Secret bitcoin mining

E-Sports sells a $6.95-a-month subscription service to play online games such as Counter Strike and Team Fortress 2. Co-founder, Eric Thunberg, and a software engineer, Sean Hunczak, were accused of installing bitcoin “mining” software on 14,000 computers in New Jersey and elsewhere in the U.S., creating a botnet.

6 – Google added two major technologies to its Patch Reward program this week. What are those two platforms?
Answer: Android and Apache

Google added Android and Apache to open source security rewards program. The firm announced an overhaul to its security patch policies last month, offering white hats up to $3,133 for fixes.  “The goal is very simple: to recognise and reward proactive security improvements to third-party open-source projects that are vital to the health of the entire internet,” said Michal Zalewski, security engineer for Google.

Tie Breaker – CEO Marissa Mayer announced that Yahoo will be doing what in response to the NSA tapping into their systems?
Answer: Encrypt Traffic Between Data Centers

Yahoo CEO Marissa Mayer says that the company will encrypt traffic between its data centers by March 2014. The announcement follows revelations that the NSA has been tapping in to unencrypted connections between data centers belonging to several large tech companies. Mayer wrote, “Yahoo has never given access to our data centers to the NSA or any other government agency. Ever.” Yahoo also plans to move to apply SSL to all its websites and to use SSL encryption by default on Yahoo Mail.


Bluff the Listener (Audience member)

Panelist each read a story. Audience member guesses which one is true

True or False

There is now an iPhone app called Driplet for your showerhead that beeps when you use too much water. 

Answer: True
Driblet is a new smart water meter. It tracks how much water a person uses in the shower and beeps to warn when they’re approaching a preset limit. There’s also (of course) an iPhone app for seeing the usage and temperature data. The idea is that this will help consumers save water, both for the health of the planet and their pocketbook.  Save water, save the planet, save money, and lots of other happy happy touchy feely stuff.


True or False

The website Assassination Market is a crowdfunding service that lets anyone anonymously contribute Bitcoin towards a bounty on the head of any government official

Answer: True

Kuwabatake Sanjuro has created a kind of Kickstarter for political assasinations. Assassination Market’s rules specify that if someone on its hit list is killed–and yes, Sanjuro hopes that many targets will be–any hitman who can prove he or she was responsible receives the collected funds.<http://www.forbes.com/sites/andygreenberg/2013/11/18/meet-the-assassination-market-creator-whos-crowdfunding-murder-with-bitcoins/>

True or False

Hollywood studios are urging theater operators to crack down on in-theater camcording with the deployment of night-vision goggles?

Answer: TrueNight-vision goggles, low-light binoculars and security cameras.<http://www.wired.com/threatlevel/2013/11/mpaa-theater-security/>

Lightning Fill in the Blank  (first to answer gets 2 points)

Quick, fill in the blank, news headlines

  1. “According to an article at Medium, what company has seen a huge drop-off in demand for its hardware in emerging markets, which the company blames on fears about the NSA using American hardware to spy on the rest of the world. .
    Answer: Cisco
  2.  Recently, Silk Road has been in the news. What is Silk Road?
    Answer: Online black market to purchase illegal drugs
  3.  Who was arrested and charged with managing the Silk Road’s web site while collecting 10s of millions of dollars in BitCoin as payment?
    Answer: Ross Ulbricht
    Ross Ulbricht held 144,000 bitcoins allegedly collected from his Web-based black market for drugs known as the Silk Road–nearly $100 million at today’s exchange rates.
  4. What is Ross Ulbricht’s Silk Road handle/name?
    Answer: Dread Pirate Roberts
  5. Who has pledged over $1m bail for the release of Ross Ulbricht?
    Answer: Family and friends
  6. Which Internet Explorer browser version has a DoS vulnerability – 6, 7 or 8
    Answer: All of them.
  7. Which company received the Best Risk Management Solution award at the Adam Smith Awards 2013
    Answer: Microsoft
    Microsoft Treasury, which manages somewhere in the neighborhood of $80 billion for the software company, received the the Best Risk Management Solution award at the Adam Smith Awards 2013 from TreasuryToday magazine. The award was given for Microsoft’s initiative to implement automated matching of FX option post-trade confirmations with its banks using Misys Confirmation Matching Service (CMS).
  8. Luxembourg’s data protection authority cleared what company of data protection violations related to the U.S. National Security Agency’s Prism spying program.
    Answer: Microsoft
    The data protection authority, CNPD, was investigating Skype and Microsoft’s alleged cooperation with the NSA. Both companies have their European headquarters in Luxembourg..
  9. On November 18, 2013, the US Supreme Court declined to review NSA phone spying case. Why?
    Answer: The Supreme Court declined to review the order without explaining why.
  10. Which parliament is considering not sharing any data with the United States
    Answer: The European Parliament
    The European Parliament will not approve any data sharing deal with the U.S. unless E.U. citizens have judicial redress when their personal data is transferred to the country, a European politician said Tuesday.
  11. Six people were arrested for the theft of $45million from where?
    Answer: ATMs
    Six more alleged participants were arrested Monday in a US$45 million global ATM fraud, including one man who was photographed stuffing $800,000 into a suitcase, federal prosecutors in New York said. The defendants are alleged to be part of a New York cell that used bogus payment cards to withdraw millions of dollars from more than 100 ATMs in a matter of hours, according to the U.S. Attorney’s Office for the Eastern District of New York.
    Pasted from <http://www.networkworld.com/news/2013/111913-six-more-arrested-in-breathtaking-276087.html?source=nww_rss>
  12. In October, who revealed that hackers were able to steal the source code for some of its products and access the records of almost 3 million users after breaking into its systems.
    Answer: Adobe

Not My Job (Audience member)

An audience member is asked three questions. Two correct answers wins the prize.

Where did the word ‘pwn’ come from?

Answer: The letter ‘p’ is next to the letter ‘o’ on the keyboard. ‘pwn’ is a mistyping of ‘own’ as in, “I will own you”.

How do you get things removed from Facebook after you’re dead?

Answer: You will need to provide a birth and death certificate, and prove that you are the lawful representative of the deceased. Hardly a pleasant or high priority task.


A new technology related to credit cards was released last week called “Coin”. What does “Coin” do?
Answer: Stores all of your credit cards on a single card.

Digital payment startup Coin is offering a technology that allows phones to be used to arrange payments. It stores information from users’ credit cards. Users swipe their cards through the Coin device, then take pictures of the front and back of the card. The Coin device locks if it’s away from users’ phones for more than 10 minutes, or if the phone has run out of power.


Lightning Fill in the Blank (first to answer gets two points)

  1. Hackers exploited a flaw in what company’s software to launch a rash of electronic break-ins against government agencies  that began last December, then left “back doors” to return to many of the machines as recently as last month.
    Answer: Adobe Systems
  2. On Monday, Hackers claim they used zero-day vulnerability to breach on what support forum software
    Answer: vBulletin
    A group of hackers claim to have exploited an undocumented vulnerability in the vBulletin Internet forum software in order to break into the MacRumors.com and vBulletin.com forums.
  3. The estimated 860,000 users of what popular web forum have been told to change their passwords immediately after hackers successfully compromised an admin account in order to steal personal and login data.
    Answer: MacRumors
  4. What well known MIT Professor and linguist said “Fight back against NSA spying or be ‘complicit’”.
    Answer: Noam Chomsky
    “The difference with the totalitarian states is the citizens couldn’t do a lot about it,” in contrast to the U.S., he added. “If we do not expose the plea of security and separate the parts that are valid from the parts that are not valid, then we are complicit.”
  5. Mobile botnets are on the rise and cybercriminals are using  what Cloud Messaging service as a conduit for sending data from command-and-control servers to malware.
    Answer: Google
    The latest weapon in criminals’ arsenal is GCM, which enables them to send short messages in the JSON format to instruct malware on Android devices. JSON, or JavaScript Object Notation, is an open standard format that uses human-readable text to transmit data from a server to Web applications.
  6. Google released emergency security updates for Chrome in order to patch critical vulnerabilities demonstrated Thursday by a security researcher at which competition?
    he Mobile Pwn2Own hacking competition.
  7. The creators of a Web-based attack tool called Angler Exploit Kit have added an exploit for a known vulnerability in what Microsoft’s application?
    Answer: Silverlight browser plug-in
    According to an independent malware researcher who uses the pseudonym Kafeine, aside from Java and Flash Player, Angler EK is now also targeting Silverlight, a runtime environment for rich Internet applications developed by Microsoft.
  8. Michael Wilson, a 24 year old Miramar, Fla. man, admitted in a November 2012 guilty plea that while working as a financial services representative for Memorial Hospital’s Urgent Care Center in Pembroke Pines, Fla.  He illegally sold what?
    Answer: He sold tax refund fraudsters 400 patient IDs. He also acknowledged using patient IDs to file multiple fraudulent tax returns himself through Intuit’s TurboTax site.
  9. Anonymous Hacktivist Jeremy Hammond Sentenced to 10 Years in Prison for doing what?
    Answer: The 28-year-old Chicagoan pleaded guilty earlier this year to hacking the servers of Strategic Forecasting, Inc., where he wiped out files and databases and stole 5 million private email messages and 60,000 customer credit card numbers.
    Pasted from <http://www.wired.com/threatlevel/2013/11/hammond-sentence/>
  10. In the Jeremy Hammond case, who was Sabu?
    Informant Hector Xavier Monsegur a.k.a. “Sabu”
    In his statement Hammond claimed FBI informant Hector Xavier Monsegur a.k.a. “Sabu” assisted and encouraged the use of “zero day exploits” against various governments.
    Pasted from <http://news.firedoglake.com/2013/11/15/jeremy-hammond-sentenced-to-10-years-notes-sabu-and-fbi-helped-him-hack-foreign-governments/>
  11. Where is AVAR Conference being held next month (India)
    Answer: India
    The 16th Association of Anti-Virus Asia Researchers International Conference 2013 is in Chennai, Tamilnadu, India, the largest Asia Pacific conference on anti malware. Previously held the AVAR conference in Japan, China, Australia and this year we come back to India for the second time.
  12. The U.S. National Security Agency and the Department of Homeland Security have threatened legal action to block the sale of what, that ridicules these two powerful government agencies.  
    Answer: T-shirts
    The U.S. National Security Agency and the Department of Homeland Security have threatened legal action to block the sale of T-shirts that ridicule these two powerful government agencies.  But the T-shirt designer says NSA and DHS are the ones breaking the law by assaulting free speech, a pillar of democratic society. One T-shirt calls the NSA the “only part of the government that actually listens.”

So… how did you do?