Planet Zuda podcast 6: Some Open Source Code is like Poisoned Food & Rise Of Mac Malware

Posted on March 14, 2018March 14, 2018Categories cyber security, information security, podcast, podcasts, technologyTags , , , , , , , , , , , , ,

Some open source code is like food poisoning by getting food off the road from a random person. It will make you puke your brains out is a good analogy to explain how insecure the majority of the code written by individuals is and how you can lose everything. Other open source code from companies is more along the lines of getting food from a food truck, which is a company and the majority of companies try to deliver a safe product and not one that is the equivalent of food poisioning.

Macintosh Malware is on the rise. In 2017 Macintosh malware rose 270 percent in one year. If anyone tries to tell you Macintosh is bullet proof, they are wrong.

Podcast Cyber security & Technology news: Binance phishing scam & Oculus Rift Fixed

Posted on March 8, 2018April 9, 2018Categories cyber security, information security, oculus rift, podcast, technologyTags , , , , , , , , ,

Binance, a cryptocurrency exchange has responded to claims that they were hacked and show that it was in fact a clever phishing scam, not a hack. Oculus rift, which we discussed yesterday has fixed their issue making oculus rift headsets work again.

United Nations & Lack Of Cyber Security

Posted on March 7, 2018March 8, 2018Categories cyber security, information securityTags , , , , , ,

Today we will be covering the United Nations hacks that haven’t gotten the level of publicity that they deserve both in this article and on our podcast. In recent years we reported a compromise in the United Nations site and we can say per our experience that calling the United Nations to report their site has been hacked is no pleasant task. Per our experience their initial response was a polite way of saying you may be arrested, but once they realized we didn’t hack them, we just spotted that the site had been hacked we were transferred to the IT guy who seemed to be in a panic. Like any organization, the United Nations should implement  proper cyber security vetting for the code they use. This includes having the code that they currently have in use go through a third party audit and have the security updated. They should also have all their programmers learn secure development practices, and audit all third party code that they use on their website.

So is the United Nations using proper cyber security measures? It doesn’t seem to be the case, since the United Nations hasn’t been hacked just once this year, the most recent known United Nations hack was Feburary 4th, 2018. The United Nations was also hacked several times in January, 2018 as as shown here on January 28th, January 16th, January 15th, January 14th and six times in 2017 just on Open Bug Bounty alone.

These aren’t the only times the United Nations has been hacked and was publicly documented. Zone-h, a site for archiving defaced websites has two archived instances of the United Nations being hacked in 2008 and in 2006.

While the United Nations has been hacked more than anyone would want, it is important to take into consideration the gigantic size of the United Nations site with multiple sub domains. It certainly does not appear that there has been a review of all their code in years. The best solution would be for them to have a full security audit, get rid of old sub-domains they no longer need, and make their code easier to maintain through multiple tools that are available.

Unfortunately, our conclusion based on the public information about the United Nations site right now, is that they are not a safe website per our companies policies of what are acceptable risks. Being hacked for the last 12 years with no significant appearance that we can see of improved cyber security certainly does not seem like a safe website to us, but it is ultimately up to the user to decide the risk level they want to take when using a website.

IOTA Security is flawed — IOTA security hole disclosure

Posted on February 9, 2018April 17, 2018Categories information security, iota

Updated with the dates reported and more clarity.

Updated to reflect timeline of events.

Updated to explain different ways to disclose security holes and which method we followed.

Since we are dedicated to security, let’s dive into IOTA. IOTA is an alternative crypto currency to bitcoin. There are over 1500 alternative crypto currencies, but IOTA stood out among many of them. Before we go further we want to disclose that Planet Zuda is an advisor to on the security of their crypto currency coin. We also discovered what could be critical flaws in the IOTA wallet if properly exploited.

What is IOTA?

IOTA is a public ledger of internet of things devices, developed for companies to easily track the data their internet of things devices generate. Unlike most coins it does not use the blockchain, instead they developed something similar called tangled. Tangled was designed to solve many issues wrong with crypto currencies, like bitcoin charging up to $26 per transaction. IOTA has no transaction fees among other improvements. The duetsche bank said that IOTA solves the failures in current blockchain technology.

IOTA has multiple large corporations now called participants using IOTA, including Microsoft . These participants used to be called partnerships, at least by the press and a misleading Microsoft partnership image that was on the IOTA site. The press started reporting everyone working with IOTA as partnerships. Unfortunately, per our knowledge IOTA did not try to say they weren’t partnerships until the media did some digging and discovered that none of the companies had a partnership, they are simply participants testing the IOTA technology.

An MIT related research team discovered security vulnerabilities in their cryptography and published them. While the founders wanted their cryptography improved they didn’t seem to understand who’s who in the world of cryptography. They seemed to put everyone in cryptography, even those who are very well known as amateurs if they spoke up about the MIT vulnerability research on IOTA cryptography. To their credit months later IOTA hired a cryptography company to help them out. Unfortunately, cryptography is not the only part of security.

This author publicly criticized IOTA and their lack of security on Twitter, causing one of their co founders to almost instantly pull me into private chat where I said everything in private chat would be made public. I wanted to help them improve their software, but in my opinion their team didn’t seem serious about security at the time, so I moved on.

Per our knowledge around October 20th IOTA was hacked and millions of dollars were stolen from their users, which to their credit they’ve recently started to pay back. I held on to my IOTA after the hack because the price crashed. We offered to help them after they suffered a ddos disruption.

They wanted to know what security holes we had discovered for free, so On November 25th we freely shared a flaw in their wallet with a function that works almost exactly like the php function called htmlspecialchars that they call escapeHTML. Unfortunately, they use this in an area of their code called .format. This means any input that is malicious and doesn’t contain “<>”&’ will succeed. At the time we published this, everything we can see shows that this issue has not been fixed.

One example of code that may bypass their security function is the JavaScript: tag. So, javascript:alert(document.String.Charfromcode(88,87)) could potentially work and would be an exploit if it was written properly and put in the correct vulnerable areas, which are the transactionhash and transactionbundle per our analysis. If you wrote the right code it could potentially end up on all the wallets and steal the users crypto currency. One professional view of a member of my team slightly conflicted with these findings, because they only did a code audit and didn’t notice one area that was used with user supplied input. All professional views were shared with IOTA.

Here is a snippet of the escapeHTML function in question from github, unfortunately this is throughout a lot of the program, this is just one section.

String.prototype.escapeHTML = function() {return String(this).replace(/[&<>"'\/]/g, function(s) {return __entityMap[s];”
UI.format = function(text) {return String(text).escapeHTML();}

The most recent demonstration of an IOTA security issue is when IOTA did not automate seed generation into their wallet. This lead people to use online websites to generate a seed. What is a seed and why is this important, you ask? A seed in layman terms in this case is your fingerprint protecting all of your crypto currency, in this case all of your iota. One website asked for users wallet address and generated their seed giving the attackers everything they needed due to the way IOTA had designed the wallet that many people use.

It can not be emphasized enough that people losing their money due to using online websites is because IOTA didn’t offer a service to automatically generate the seed within the app. The only other option was for people to write the computer code to generate their own seed offline, which the majority of people aren’t able to do.

We review a lot of programs for free and inform the companies of the issues. This gives the company time to fix the issues we reported and lets the researcher disclose them instead of just disclosing them and then informing the company. Both are acceptable ways to disclose security holes.

To conclude when we did our independent review of their code and informed IOTA of the issues we found for free that it needs a lot of improvements.

How To Tell If Your Site Might Be Hacked

Posted on January 3, 2018Categories information security

You don’t have to be an expert to be able to tell if your site has been hacked, so listed below are possible ways to see if you have a hacked site.

  • Your site traffic suddenly plummets for no known reason. If your site is hacked, this is due to services, like Google flagging your site as dangerous.
  • Your site has pages you didn’t put there and have information you wouldn’t want on your site. If you are the only person who is supposed to have access to your site, then you were most likely hacked.
  • Your search results in Google have words you didn’t put there that have nothing to do with your site. You most likely were hacked.

Those are just a few ways to see if your site has been hacked without any expertise in reviewing code, but by this point it is too late, since you’ve already been hacked. Preventing hacks from happening is the best solution and that is by hiring professional security companies, like ourselves.