EP042 – Bloaty and the Superfish
Music provided by: Denis Kreynin https://soundcloud.com/denis-kreynin

Greetings & Banter
MR ROBOOOOOOTTTTT!!!! Season 2 starts very soon. It’s so good. Forgot to mention this during the podcast, so you, dear shownotes reader, get an exclusive: At Least Two Dead After Inmates Released Early From Washington Prison Due To Computer Glitch – CrimeFeed. A computer glitch releases prisoners! Just like Mr Robot, but without the hacking… Maybe.

Last episode we assigned homework: installing the purposely vulnerable Mutillidae suite and manually doing SQL injection against it. We produced a video showing our attempts at getting this to work, which you can view on YouTube here. There are many more ways to do SQL injection, so if you come up with some other interesting ones, let us know!

Projects & Homework
This week’s homework is to take the purposely vulnerable Mutillidae web server you set up last week and do Cross Site Scripting (XSS) attacks against it. Try your hand at both persistent (stored) and reflected XSS.

Topic for this week: Bloatware
Bloatware, shovelware, crapware… Whatever you want to call it, it’s the applications that piggyback on other applications or systems and bog down your computing device. It ranges from annoying to super uncool.

Introduction: How Computer Manufacturers Are Paid to Make Your Laptop Worse. This is an old but interesting article on the concessions computer manufacturers make. It also has interesting stats on the performance improvements of Microsoft Signature machines, which simply ship without the shovelware.

IE toolbars ahoy!

Not just computers: a less nefarious example is how Google Paid Apple $1 Billion to Keep Search Bar on iPhone – Bloomberg.
And when it gets bad you get something like this: Trojan adware hits budget Androids – and some well-known apps.

And the $4 cell phone is apparently sketchy as heck: http://www.androidauthority.com/4-dollar-freedom-251-smartphone-sketchy-674506/ Also: Tracking down India’s $4 smartphone | The Verge

Bloatware Banished: Windows 10 Eliminates the Need to Ever Reinstall Windows on New PCs. Microsoft has a quick fix for crapware-laden Windows 10 systems.

Just an example showing this is mainstream: here’s an article on the attempted extortion of the Ottawa Hospital, how pervasive the attack was, and their response compared to another hospital that was hit.

Superfish: a very nasty advertising “friend” that watches everything you do and sells ads to you.

XPS 27 All-in-One Details | Dell. Check the privacy section. I think thou doth protest too much.

Dude, You Got Dell’d: Publishing Your Privates – Blog – Duo Security. Duo Security publishes details on Dell’s certificate fiasco.

Sloppy Security Software Exposes Dell Laptops to Hackers. Some scary attack scenarios.

Response to Concerns Regarding eDellroot Certificate. Dell’s response.
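
If you want to check your own Windows box for the kind of self-signed root certificate at the heart of the Superfish and eDellRoot stories, here is a PowerShell check added for these shownotes (it is not from the podcast, Duo Security or Dell). The subject-name pattern is an assumption for illustration; the thing to look at is a trusted root whose private key is present on the machine, since anyone holding that key can mint certificates the browser will trust.

```powershell
# Added example: look for trusted root CA certificates matching names linked to
# the Superfish / eDellRoot incidents, in both the machine and user root stores.
# The name pattern is an assumption used for illustration only.
$suspectPattern = 'eDellRoot|Superfish'

function Find-SuspectRootCert {
    param([string]$Pattern = $suspectPattern)

    foreach ($store in @('Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root')) {
        Get-ChildItem -Path $store |
            Where-Object { $_.Subject -match $Pattern } |
            ForEach-Object {
                [PSCustomObject]@{
                    Store         = $store
                    Subject       = $_.Subject
                    Thumbprint    = $_.Thumbprint
                    NotAfter      = $_.NotAfter
                    # True here is the red flag: a root CA whose private key
                    # ships on the endpoint lets anyone with that key issue
                    # certificates every TLS client on the box will trust.
                    HasPrivateKey = $_.HasPrivateKey
                }
            }
    }
}

# Usage: print any hits; an empty result means nothing matched the pattern.
Find-SuspectRootCert | Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store is fully readable; a hit is a lead to investigate against the vendor's advisory, not proof of compromise on its own.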

Samsung Windows Laptop Owners Urged To Download Fix To MitM Vulnerability | Threatpost | The First Stop For Security News. More of the same… a Samsung laptop can be completely compromised thanks to its crapware.