Avast WEBforum

Other => General Topics => Topic started by: polonus on November 07, 2019, 10:03:52 PM

Title: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 07, 2019, 10:03:52 PM
L.S.

Just one of the many symptoms, just one example - webserver vulnerable to POODLE over TLS, GOLDENDOODLE, Zombie POODLE, Sleeping POODLE, 0-length OpenSSL, OpenSSL padding oracle flaw, client-initiated insecure renegotiation, ROBOT, Heartbleed, OpenSSL CCS flaw, non-compliant with HIPAA guidance, no CAA record, no support for TLSv1.3, CloudFlare monopoly on DoH, etc. etc. etc.

12 years of analyzing 3rd party cold reconnaissance website security all-sorts have brought me to the conclusion that we urgently need a complete security overhaul of the Interwebz, else I fear we will have it only on the terms of global surveillance corporationalism, and end-users will have neither any privacy left nor solid security.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

P.S. Proof of all this for malware-laden applications in the Google Play webshop:
https://developers.google.com/android/play-protect/app-defense-alliance
ESET, Lookout and Zimperium have to come to the rescue; it's all hands on deck for Google.

Damian
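The opening post lists suite-level TLS weaknesses (ROBOT, the POODLE family) alongside protocol and renegotiation issues. As an added example, not code from the post or from Avast, the Python below audits a server-side SSLContext offline for the two suite classes behind those names and shows the weak setting next to the hardened one. It only uses what the local OpenSSL reports through ssl.SSLContext.get_ciphers(); the cipher string and option set are this example's own choices, not a standard.

```python
"""Added example, not from the forum post: an offline audit of a server-side
TLS configuration for the suite-level weaknesses the post lists.

ssl.SSLContext.get_ciphers() reports, for every suite the local OpenSSL would
offer, the key exchange ('kea'), the bulk cipher and whether it is AEAD.
That is enough to flag two families from the list:
  - static RSA key exchange -> Bleichenbacher-oracle class (ROBOT)
  - non-AEAD CBC suites     -> padding-oracle class (POODLE over TLS,
                               Zombie POODLE, GOLDENDOODLE, Sleeping POODLE)
Protocol floor, compression and renegotiation are fixed on the context.
The cipher string and option set below are this example's own choices.
"""
from __future__ import annotations

import ssl


def cipher_weaknesses(cipher: dict) -> set[str]:
    """Classify one entry of SSLContext.get_ciphers().

    Returns short tags; an empty set means forward-secret key exchange with
    an AEAD bulk cipher, so none of the listed attacks apply at suite level.
    """
    tags: set[str] = set()
    # Static RSA key exchange: a padding oracle on the encrypted premaster
    # secret lets an attacker decrypt recorded sessions (ROBOT).
    if cipher.get("kea") == "kx-rsa":
        tags.add("rsa-kex")
    # MAC-then-encrypt CBC suites are the root of the whole POODLE family.
    if not cipher.get("aead") and "cbc" in (cipher.get("symmetric") or ""):
        tags.add("cbc")
    return tags


def audit(ctx: ssl.SSLContext) -> list[tuple[str, set[str]]]:
    """Every suite the context would negotiate that carries a weakness tag."""
    return [(c["name"], cipher_weaknesses(c))
            for c in ctx.get_ciphers() if cipher_weaknesses(c)]


def legacy_server_context() -> ssl.SSLContext:
    """The 'accept everything' server setup the post complains about."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers("ALL")  # pulls in RSA-kex and CBC suites
    return ctx


def hardened_server_context() -> ssl.SSLContext:
    """Same server with the weak classes removed at configuration level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no SSLv3, TLS 1.0, TLS 1.1
    # Forward-secret key exchange with AEAD bulk ciphers only; TLS 1.3 suites
    # are always present and are all AEAD.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION  # CRIME-class plaintext leaks
    # Refuse client-initiated renegotiation; the flag is missing on very old
    # OpenSSL builds, so fall back to 0 (no-op) there.
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_server_context()),
                       ("hardened", hardened_server_context())):
        weak = audit(ctx)
        print(f"{label}: {len(weak)} suite(s) with a known weakness class")
        for name, tags in weak[:5]:
            print("   ", name, sorted(tags))
```

Run it as a script and the legacy context lists suites such as AES128-SHA tagged rsa-kex and cbc, while the hardened context lists none. The check is deliberately local: it tells you what your own server would offer before you point an external scanner at it, and the same classification can be applied to a scanner's cipher dump.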
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: bob3160 on November 07, 2019, 10:32:40 PM
It isn't all doom and gloom and the world isn't going to end in a few years as some seem to feel.
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: =Snake= on November 07, 2019, 10:33:30 PM
Hi!

I think everybody here in this Avast forum should do his/her duty and help, so that Avast will overcome with the help of all of the forum members!

I don't write this like other posts! This is very serious !!!!!

=Snake=
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: Luukjr on November 07, 2019, 10:35:12 PM
Quote from: polonus (opening post, quoted in full)
<snip>

Hi Damian,

I share your concern, but the digital world is too complex for 99.9% of the world's population to arm itself effectively against all the calamities it entails. Even for me it is too complex.
The good news is that many are trying to arm themselves against it. Forums like Avast's are therefore indispensable.

Greetings from Groningen ;)
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 07, 2019, 11:38:48 PM
Hi Luukjr and bob3160,

I am not saying all is doom and gloom. Just see what Brendan Eich did to give his Brave browser extended protection against fingerprinting. Read: https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode

Brendan Eich, the man and developer who gave us JavaScript during the previous century, wrought in just 10 days.
A nice legacy, but also a royal way in for miscreants, and what an abuse came unto us later, and so we needed the unique solution produced by Giorgio Maone with his script blocker, NoScript.

Now every power user and those, that know how to toggle it, will use uMatrix for script blocking and uBlock Origin as an adblocker of choice.

With website security and best policy implementation, very much so with PHP-driven CMSes like WordPress, Magento etc., we still have a very long way to go to make it basically more secure. We cannot blame amateurs using WYSIWYG software for building their insecure websites (insecure libraries, even using left code that will never be patched or updated, etc. etc.).

Very bad, seen in this light, is the fact that those that have relative knowledge do not count in the game, and those that lack this fundamental security knowledge, like CEOs and managers, take all the important decisions. They'd rather go for a "licked looking" website than a secure one.

So security often is a last-resort issue; then, when bad things are bound to happen (the proverbial manure hitting the propellers),
there is a bill to be paid in the end. The stakeholders are not interested, it is not their world.

So now we come to speak of the grave dangers formed by extended monopolistic global mono-cultures like Google's with browsers (all browser engines are now Google driven). Google will call the shots, also where protocols are made up, and will curve the bends to what is good for their core business, and we all know what that is. That is not always good for security and privacy, folks. No, it is not.

But we will have to give this situation we find ourselves in attention and consider solutions, else there will not be much left we can do about the whole situation and it will be out of our hands soon.

polonus
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: Michael (alan1998) on November 07, 2019, 11:53:49 PM
Quote from: polonus (opening post, quoted in full)
<snip>

Quote from: Luukjr
I share your concern, but the digital world is too complex for 99.9% of the world's population to arm itself effectively against all the calamities it entails. Even for me it is too complex.
<snip>

It's not that it's too complex to understand, it's that people don't put in the time to understand. Polonus also raises a good point regarding CEOs, especially those of small and medium size businesses. CEOs often see the short term future of their company. "I can't spend a million dollars to outfit my applications, network, website and invest in employee training to latest security standards!" This is becoming more abundantly clear as businesses opt to pay for ransomware insurance (https://www.zdnet.com/article/ransomware-cyber-insurance-payouts-are-adding-to-the-problem-warn-security-experts/). You're treating a symptom, not solving the underlying problem. What they don't realize is that the long term pain of losing your trust with clients, data etc. is 99% of the time going to cost you more long term than short term. I would suggest that perhaps, rather than paying for data loss insurance, it's better to contract a reputable firm to implement SIEM software like QRadar, LogRhythm, or similar. You boost your cyber security stance (well... ideally), enhance customer trust in your product(s)/service(s), and should no longer require data loss insurance.

Hell, contract a certified pentester to break into a network to point out vulnerabilities (and take action on it)! They might need a kick in the ass to get it done, but it's necessary to do. Don't get me wrong, there are some technologically inclined stakeholders that actively push for enhanced cyber security (I know a few!), but they're too few.

Edit: It's also worth noting that an internal IT department should ALWAYS have a DR plan in place. A DR plan includes items like onsite backups, and offsite backups in a firesafe (firesafe not being limited to just fires, but also digital attacks, flooding, surges, or any other means of severely tampering with data, either digitally or physically). If you don't have the resources to do so (S3 (https://aws.amazon.com/s3/), Glacier (https://aws.amazon.com/glacier/), Deep Archive, Google (https://cloud.google.com/storage/archival/), Microsoft (https://azure.microsoft.com/en-ca/product-categories/storage/)... the list goes on), again, contract it.

(Amazon Pricing Information (https://aws.amazon.com/s3/storage-classes/#____))
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 08, 2019, 11:53:48 AM
L.S.

Stakeholders (the factual owners of Big Data IT corporations) don't give a hoot about the individual end-user's interests.
On the contrary: as Twitter stops showing politically driven messages, this immediately has an adverse effect on the markets,
markets are coming down.

The more we ignore end-user interests and demands, they think, the better it will be for our total investment revenue.

Investors act in a more and more aggressive way today, because banks won't give them any money anymore.
So they have to make their money elsewhere. Then they have to put the blame somewhere else.
When you observe all this, you have to conclude this cannot go on forever.

When the crash is gonna come and who will get hit, it's all a question of time.
Gonna be somewhere between some tough stakeholder and the masses, it is gonna be played out,
that is why we need a complete security overhaul, to minimize the negative results of the aftermath.

They cannot make their narrative go round anymore and say everything will be all right.
Your narrative as a stakeholder is to fail miserably eventually. Will the world miss them?

It is just like with the Antarctic ice plateau, it will eventually break and melt away.
We are in muddy waters, folks, we sure are.

You can go into denial, close your eyes to reality, but it won't go away by itself.
It is gonna get worse and worse, both institutional cybercrime and the normal variants will.

I see some hope for the toddlers of today between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all that is shown to them from a screen,
without thinking for themselves or analysing what they do or what it is all about.
Food for AI, that is what they will be in the end.

That is why Google has already started to make young kids part of their plans for the digital future.

polonus a.k.a. Damian
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: Michael (alan1998) on November 08, 2019, 08:26:07 PM
Quote from: polonus
I see some hope for the toddlers of today between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all that is shown to them from a screen,
without thinking for themselves or analysing what they do or what it is all about.
Food for AI, that is what they will be in the end.

That is why Google has already started to make young kids part of their plans for the digital future.

I have to disagree with that, to an extent. It's not that we believe everything shown to us on a screen. On average, young people tend to be more technologically inclined than older generations (and a large part of that is because we grew up with it). We tend to be more conscious of links we're clicking, what websites we visit etc. I'll make this clear as well - our generation is not perfect. Our generation overshares their personal lives, which can easily lead to social engineering attacks (pet names, place of birth, etc.). It would be interesting to know what the age skew is like for phishing attacks. (I have contacts that might actually be able to provide real world representations of that information... My university's IT Architecture Director co-founded a cyber security company specializing in educating students, faculty and staff on cyber threats. Though, they've expanded their business to include other companies as well.)

Consider this >> https://www.theguardian.com/technology/2019/jan/10/older-people-more-likely-to-share-fake-news-on-facebook
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: digmor crusher on November 09, 2019, 03:11:28 AM
Quote from: polonus (previous post, quoted in full)
<snip>

Oh it's going to crash alright, whether it's climate change, the internet going down, Trump starting a nuclear war, food shortages, pollution, whatever; unless man changes its ways very soon the Earth is going to be one miserable little rock to live on. Not going to happen as far as I'm concerned, we've got 10-15 years to fix it, mankind is too hooked on money, wars etc., so we are doomed.
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: bob3160 on November 09, 2019, 11:27:39 AM
Amazing to see all these negative doom and gloom outlooks.
The glass is still half full even if many see it as half empty. :)
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 09, 2019, 01:32:08 PM
Hi bob3160,

I am not spreading doom and gloom, I hold on to technical facts of websites all over the place
that do not meet minimal security standards. As webservers do not.
As CloudFlare gives you less security for your money, but prospers mightily from selling all of your data,
gathered in the meantime, about all you do and are set out to do. We call that surveillance economy.
The weight of the pyramid is being felt below, it squeezes some folks. ;D

Then now read here:  https://www.exploit-db.com/exploits/36942  Then check here: https://webhint.io/
Then study this: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
And finally hope all is being cleansed, themes and plug-ins updated and upgraded, version patches applied.
Settings secure, so any scriptkiddie with some brain cannot shodan and dazzlepod you up to hack ye.

That is the situation we have to change with education, not dumbing down masses of end-users,
so they cannot even find out anymore what's gonna bite them.
Better services at lower costs, better quality settings, additional layers like header security settings.
Google, keeping their app store clean, like the old heroes did in Greece of old.

That is what I am on about, not general Armageddon or whether they will find a red heifer in time for the third temple.

It is just small everyday security thingies, patches, retirement of vulnerable code, left code not to forget,
just simple everyday items. But they would rather let it rot. Have a good week, bob3160.
Good we have avast.

Damian aka polonus
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: =Snake= on November 09, 2019, 02:25:45 PM

Quote from: polonus
It is just like with the Antarctic ice plateau, it will eventually break and melt away.
We are in muddy waters, folks, we sure are.

You can go into denial, close your eyes to reality, but it won't go away by itself.
It is gonna get worse and worse, both institutional cybercrime and the normal variants will.

I see some hope for the toddlers of today between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all that is shown to them from a screen, without thinking for themselves or analysing what they do or what it is all about.

Food for AI, that is what they will be in the end.

That is why Google has already started to make young kids part of their plans for the digital future.

I agree with this, but I'll not be alive, when this will come true and everybody, who doesn't care now, is stupid and will not be able to stop all this nonsense! Then it will be too late!
 >:(  :(
=Snake=
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: Michael (alan1998) on November 09, 2019, 03:40:59 PM
Quote from: polonus (previous post, quoted in full)
<snip>

From the Exploit-DB vuln.

Quote
2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.

- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6

Exactly as it should be. I'm assuming the dates are DD/MM/YYYY. 2 days to find, contact and patch an exploit is pretty decent!
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: DavidR on November 09, 2019, 07:51:20 PM
Quote from: bob3160
Amazing to see all these negative doom and gloom outlooks.
The glass is still half full even if many see it as half empty. :)

In all honesty, as an end user, I just can't get excited about this. It is essentially outside of our control, other than to continue to do as I'm doing right now: prepare for the worst and hope for the best :)
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 09, 2019, 10:07:14 PM
Dear DavidR & bob3160 and others,

There is one thing that all of the end users can do and that is fully update, upgrade and patch their OS, software programmes,
everything installed there, with the latest upgrades, updates & patches that come with all of their devices.

What a gigantic difference toward overall security this simple act could make.
Also all IT staff everywhere should be in for this simple solution with their webserver software,
their website CMS, themes and plug-ins, their jQuery libraries and provider and router software.

Let us do this from Silicon Valley and Silicon Forest to everywhere in Mainland China v.v.

We should do this all over the globe and call it a certain day "Avast Global Update & Patch Day",
and celebrate fresh gained overall security.

It is also a very respectful thing to do towards all the bright minds that are trying to keep us safe and more secure every day.

polonus
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: DavidR on November 09, 2019, 10:40:01 PM
Quote from: polonus
Dear DavidR & bob3160 and others,

There is one thing that all of the end users can do and that is fully update, upgrade and patch their OS, software programmes, everything installed there with the latest upgrades, updates & patches that comes with all of their devices.

What a gigantic difference toward overall security this simple act could make.
<snip>

Yes, but that isn't what your original post (and/or some of the replies) are saying.

It borders on we're all doomed.
Title: Re: A complete security overhaul needed; we do not have much time left....
Post by: polonus on November 10, 2019, 12:58:54 AM
I have said, that is what end-users should do and if all end-users globally would do so, this would have a definite impact.

Then what I have said initially is a conclusion I slowly and surely developed over the twelve years of diving into 3rd party cold recon website security here, mainly in the V&W section. It dawned slowly upon me by seeing thousands and thousands of websites that were, where website security is concerned, so-to-say effectively "under par".

Most of these websites did not reach a mere F-grade status, an occasional C-grade, some A and A+. All the PHP-based CMS-driven websites with user enumeration and directory listing enabled, making it easy enough for average hackers to compromise such sites.

Then there are developers under enormous time pressure to deliver, and security is a last-resort issue. Then the devastating influence of certain almost global mono-cultures, like the one Google has created over time almost globally.

Summa summarum, it created just that feeling of gloom and a bit of despair with me, simply because I see things go in a worse direction, I see little overall improvement. All such postings in the Viruses and Worms section, and what did they bring us in the form of retired vulnerable libraries, left code to be retired, improved and extended security header layers? Did it stop developers cutting and pasting code from GitHub, weaknesses and flaws included? It educated a few, but it all comes too little and too late and too far in between.

OK, we now have more websites with better secured connections, thanks to Google Safe Browsing, but more has gone out of sight into the cloud. CloudFlare has become an important global data player.

But as a conclusion, when you close your eyes to it, the problems behind all this, won't go away. The pink elephant, that no-one wants to mention is there, and is not going to leave the room.

A small example of everyday analysis: I hate to see such vulnerabilities for an Apache Guacamole webserver in Kassel in Germany, for instance, when an OP laments that his website has been injected by malcreants:
ils.com/vulnerability-list/vendor_id-4 -> https://www.shodan.io/host/5.9.88.114

I see this never-ending circus every day. That is why I am waiting for a tiny bit of positive news: better security education for website developers and pentesters. Fewer managers deciding, most of them without any relative knowledge, how to dodge additional security expenses. Can you imagine why I feel like this, and still have not given up on those that will come here for recommendations, advice and help.

Damian aka polonus
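Two of the everyday findings in this thread are concrete enough to check mechanically: the "additional layers like header security settings" from the reply to bob3160, and the CMS sites "with user-enumeration and directory listing enabled" from the post above. The Python below is an added example, not code from any forum participant, that runs these checks offline against constructed HTTP responses (no real host is contacted; the hostname example.invalid, the header set and the probed paths are this example's own choices). It shows the neglected site next to the same site after the fixes the thread asks for.

```python
"""Added example, not part of the forum thread: an offline check for the
everyday findings described above - missing security response headers (the
'additional layers' of the earlier post), directory listing left enabled,
and WordPress user enumeration via /?author=N redirects and the REST users
endpoint. All responses here are constructed sample data, not a real site;
the header set and the probed paths are this example's own choices.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Header -> why its absence matters. Matched case-insensitively.
SECURITY_HEADERS = {
    "strict-transport-security": "no HSTS, first request can be downgraded to HTTP",
    "content-security-policy": "no CSP, injected scripts run unrestricted",
    "x-content-type-options": "no nosniff, uploads can be sniffed into scripts",
    "x-frame-options": "no frame policy, page can be framed for clickjacking",
    "referrer-policy": "no referrer policy, URLs leak to third parties",
}


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed, never fetched)."""
    status: int
    headers: dict[str, str] = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str | None:
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def missing_security_headers(resp: Response) -> list[str]:
    return [h for h in SECURITY_HEADERS if resp.header(h) is None]


def directory_listing(resp: Response) -> bool:
    """Apache and nginx autoindex pages carry an 'Index of /...' title."""
    return resp.status == 200 and re.search(r"<title>\s*Index of /", resp.body, re.I) is not None


def enumerated_users(author_resp: Response, rest_resp: Response) -> set[str]:
    """Usernames exposed by the /?author=N redirect and /wp-json/wp/v2/users."""
    users: set[str] = set()
    # WordPress redirects /?author=1 to /author/<login>/ unless blocked.
    match = re.search(r"/author/([^/?#]+)/?", author_resp.header("Location") or "")
    if author_resp.status in (301, 302) and match:
        users.add(match.group(1))
    # The public REST users endpoint lists every author's slug.
    if rest_resp.status == 200:
        users.update(re.findall(r'"slug"\s*:\s*"([^"]+)"', rest_resp.body))
    return users


def audit(site: dict[str, Response]) -> list[str]:
    """site maps request path -> Response. Returns human-readable findings."""
    findings = []
    for name in missing_security_headers(site["/"]):
        findings.append(f"header: {SECURITY_HEADERS[name]}")
    for path, resp in site.items():
        if directory_listing(resp):
            findings.append(f"listing: directory listing enabled at {path}")
    users = enumerated_users(site.get("/?author=1", Response(404)),
                             site.get("/wp-json/wp/v2/users", Response(404)))
    if users:
        findings.append("enum: usernames exposed: " + ", ".join(sorted(users)))
    return findings


# Constructed sample of a neglected WordPress install (not a real host).
SAMPLE_SITE = {
    "/": Response(200, {"Content-Type": "text/html", "X-Powered-By": "PHP/5.6.40"},
                  "<html><body>Welcome</body></html>"),
    "/wp-content/uploads/": Response(200, {"Content-Type": "text/html"},
                                     "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
    "/?author=1": Response(301, {"Location": "https://example.invalid/author/admin/"}),
    "/wp-json/wp/v2/users": Response(200, {"Content-Type": "application/json"},
                                     '[{"id":1,"slug":"admin"},{"id":2,"slug":"editor"}]'),
}

# The same site after the fixes the thread asks for: headers set, autoindex
# off, author redirects disabled and the users endpoint closed to anonymous.
HARDENED_SITE = {
    "/": Response(200, {"Content-Type": "text/html",
                        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                        "Content-Security-Policy": "default-src 'self'",
                        "X-Content-Type-Options": "nosniff",
                        "X-Frame-Options": "DENY",
                        "Referrer-Policy": "strict-origin-when-cross-origin"},
                  "<html><body>Welcome</body></html>"),
    "/wp-content/uploads/": Response(403),
    "/?author=1": Response(404),
    "/wp-json/wp/v2/users": Response(401, {"Content-Type": "application/json"},
                                     '{"code":"rest_forbidden"}'),
}

if __name__ == "__main__":
    for label, site in (("sample", SAMPLE_SITE), ("hardened", HARDENED_SITE)):
        print(f"{label}: {audit(site) or 'no findings'}")
```

The sample site yields five header findings, one listing finding and one enumeration finding; the hardened site yields none. Swapping the constructed Response objects for real ones fetched with urllib turns this into the kind of cold-recon check the thread describes, and the same three functions apply unchanged.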