Author Topic: Tests and other Media topics  (Read 577135 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #360 on: May 01, 2016, 02:40:23 PM »
Interesting link on "bad ISPs": https://wiki.vuze.com/w/Bad_ISPs
So ISPs that seem to frustrate various P2P-ing users.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #361 on: May 01, 2016, 04:39:44 PM »
MS gonna alert against weak SHA-1 cryptographic algorithms in IE and Edge: https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/
Check on sha-1: https://shaaaaaaaaaaaaa.com/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #362 on: June 04, 2016, 10:34:00 PM »
Folks, two DNS tests, Wildcard domains DNSSEC resolver test, to test whether you can connect to all websites: http://0skar.cz/dns/en/
and a check whether your ISP resolves all the domain names you request, so they know all you do on the Interwebs: https://www.dnsleaktest.com/
click on extended test and wait for the results. Whenever you find your ISP DNS in that list it means you are in their dragnet.  ::)

polonus

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5556
  • Spartan Warrior
Re: Tests and other Media topics
« Reply #363 on: June 06, 2016, 09:35:24 PM »
Quote
Folks, two DNS tests, Wildcard domains DNSSEC resolver test, to test whether you can connect to all websites: http://0skar.cz/dns/en/
and a check whether your ISP resolves all the domain names you request, so they know all you do on the Interwebs: https://www.dnsleaktest.com/
click on extended test and wait for the results. Whenever you find your ISP DNS in that list it means you are in their dragnet.  ::)

polonus
I would think attached below would show such dragnet behavior:
Windows 10 Home 64-bit 22H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762)  UI version 1.0.797
 UI version 1.0.788.  Windows 11 Home 23H2 - Windows 11 Pro 23H2 Avast Premier Security version 24.1.6099 (build 24.1.88821.762) UI version 1.0.797

Offline polonus

Re: Tests and other Media topics
« Reply #364 on: July 08, 2016, 07:17:31 PM »
Found some issues here: https://forum.avast.com/index.php?topic=188252.0
and then thought to myself how this could work out for the client (e.g. in the browser)
and stumbled upon this test site: https://tlsfun.de/  source: Hanno Böck
like this one for example: https://sslelement.hboeck.de/
and various other test scans.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #365 on: August 23, 2016, 04:00:52 PM »
All browser extensions that exist are not capable of masking the uniqueness of your identifiable browser, not even via a webproxy of sorts.
Going under in the herd is your best option. Good Adobe Flash will be left, because it uniquely identifies your browser and your native client, Widevine content decryption module and Widevine adapter, Time Zone, User Agent are known.
Your browser has a unique fingerprint and that could be linked to your browsing.
JS-accessible browser objects like navigation and screen make your browser detectable in every detail.

Test here: https://panopticlick.eff.org  and then here for canvas fingerprint: https://www.browserleaks.com/canvas
When I have javascript disabled, e.g. via a webproxy I get:
JavaScript Disabled — Canvas element is part of HTML5 and is accessible via JavaScript API
Canvas Support in Your Browser
Canvas (basic support)   ?
Text API for Canvas   ?
Canvas toDataURL   ?
Database Summary
Unique User-Agents   109000
Unique Fingerprints   4875
Your Fingerprint
Signature   N/A
Found in DB   N/A

But then probably the webproxy logs have these details.

Now folks let us generate our own online UUID (universally unique identifier)  with this generator: https://www.uuidgenerator.net/
and https://www.guidgenerator.com/online-guid-generator.aspx

What is a Version 1 UUID?
A Version 1 UUID is a universally unique identifier that is generated using a timestamp and the MAC address of the computer on which it was generated.

Also use: https://www.uuidgenerator.net/version4

What is a version 4 UUID?
A Version 4 UUID is a universally unique identifier that is generated using random numbers. The Version 4 UUIDs produced by this site were generated using a secure random number generator.

0186afb4-e911-47de-89da-ea0c4e0a72ee
a48c5abb-b750-4591-a9d6-40dab0338aa4
34a94f63-5653-409a-bf22-0fb758f2c794

enjoy,

polonus

P.S. Do go down in the noise produced by this extension to mask your canvas fingerprinting,
 use Canvas Defender extension for firefox and chrome:
https://chrome.google.com/webstore/detail/canvas-defender/obdbgnebcljmgkoljcdddaopadkifnpm/related

D
« Last Edit: August 23, 2016, 09:04:39 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
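
Added example, not part of the post above: what the two UUID versions described there carry inside them. This Python sketch reads the version of each UUID listed in the post and, for a version 1 UUID, recovers the embedded creation time and node (MAC) field; the version 1 sample is constructed from a made-up MAC address and the function name is chosen for this example.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID v1 timestamps count 100-nanosecond intervals since the Gregorian epoch.
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

# The three UUIDs quoted in the post.
POSTED = [
    "0186afb4-e911-47de-89da-ea0c4e0a72ee",
    "a48c5abb-b750-4591-a9d6-40dab0338aa4",
    "34a94f63-5653-409a-bf22-0fb758f2c794",
]

# Constructed sample: a v1 UUID built from a made-up MAC and clock sequence.
CONSTRUCTED_MAC = 0x001A2B3C4D5E
CONSTRUCTED_V1 = str(uuid.uuid1(node=CONSTRUCTED_MAC, clock_seq=0x1234))


def inspect_uuid(text):
    """Return the fields an observer can read straight out of a UUID."""
    u = uuid.UUID(text)
    info = {"uuid": str(u), "version": u.version, "leaks": []}
    if u.version == 1:
        # 60-bit timestamp -> wall-clock time of generation.
        created = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
        # 48-bit node field, printed as a MAC address.
        mac = ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -8, -8))
        # Multicast bit set in the first octet marks a random node, not a NIC.
        random_node = bool((u.node >> 40) & 0x01)
        info.update(created=created, node=mac, node_is_random=random_node)
        info["leaks"] = ["creation time"] + ([] if random_node else ["MAC address"])
    return info


if __name__ == "__main__":
    for candidate in POSTED + [CONSTRUCTED_V1]:
        print(inspect_uuid(candidate))
```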

Offline polonus

Re: Tests and other Media topics
« Reply #366 on: August 23, 2016, 10:42:15 PM »
Misconfiguration and mistakes in configuring and managing DNSSEC servers may help exploitation via DNS reflection attacks, responding to a feature DNS "ANY" query providing all sorts of info on the domain.

Such poorly configured DNSSEC servers could amplify attacker's traffic by 28.9 times.

"ANY" requests should be filtered out and an abuse-detection mechanism put in place. Source: Richard Chirgwin on The Register.

Hence we test: http://dnssec-debugger.verisignlabs.com/server78.bertina.us
and re-test: http://dnsviz.net/d/

Re example: http://dnsviz.net/d/server78.bertina.us/dnssec/
error: bertina.us zone: The server(s) were not responsive to queries over TCP. (185.88.153.173)

enjoy,

polonus (volunteer website security analyst and website error-hunter)

P.S. Nice system to check: https://bintray.com/rafaeljusto/deb/shelter
Online check semver: http://jubianchi.github.io/semver-check/
Given the version you entered:

The next major release will be 2.0.0
The next minor release will be 1.1.0
The next patch release will be 1.0.1

Damian
« Last Edit: August 24, 2016, 02:24:00 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #368 on: August 26, 2016, 01:49:18 PM »
But to truly discern about insecure versus secure setting,
one has to know how to configure according to best practices,
and what third party choices one should make.

For instance for __cfduid cookie from Cloudflare,

not with proper settings like here:

Cookie security options (2 cookies)

Quote
Secure cookies: Warning

Requested URL: https://www.security.nl/ | Response URL: https://www.security.nl/ | Page title: Security.NL | HTTP status code: 200 (OK) | Response size: 58,066 bytes (gzip'd) | Duration: 645 ms
Overview
Cookies served over HTTPS but not flagged as "secure" may be sent over an insecure connection by the browser. Often this may be a simple request for an asset such as a bitmap file but if it's on the same domain as the cookie is valid for then it will be sent in an insecure fashion. This poses a risk of interception via a man in the middle attack.

Result
It looks like a cookie is being served over HTTPS without the "secure" flag being set (name : value):

__cfduid : d35d12748d6////////////6e3c478281472209606

Unless the cookie needs to be sent over an insecure connection, the "secure" flag should always be set to ensure it can only be sent with an HTTPS request.

Then it seems it cannot be disabled as it is a tracking cookie for CloudFlare to decide who is trusted/non-trusted.

Read: http://webmasters.stackexchange.com/questions/59226/disable-cfduid-cookie-from-cloudflare

Verdict: Host-only attribute insecure.

polonus (volunteer website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #369 on: August 27, 2016, 01:54:43 PM »
For a lot of sites that should, like for instance banking sites, we often find that the content security policy (CSP) header is not being set. This makes the website vulnerable to scripting injections (often reflected XSS via swf objects).

"CSSStyleSheet insertRule()" not permitted. Why? - stylesheet originates from other (sub)domain and cannot run from script (as sandbox blocks). CSP does not permit 'unsafe-inline' for 'style-src' (and no nonce and/or hash set to be validated) so the whole style-tag is not permitted.

CSP prevents that non-trusted sources be trusted (developer-set).

CSP also blocks marketing-pixels and tag-manager will not function properly and directly for new pixel domains
(good actually in a sys-admin position/view against aggressive marketing overlords,
so they cannot overrule good-sensed security *).

* But not all cloudhosting parties support CSP headers. Bad example here is Cloudfront.

Just some musings of mine to point out the importance of decent best policy security header implementation.

polonus (volunteer website security analyst and website error-hunter)
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
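
Added example, not part of the post above: a small Python model of how a policy decides whether an inline `<style>` block is allowed, covering the 'unsafe-inline', nonce and hash cases the post mentions. It follows the CSP Level 2/3 rule that a listed nonce or hash makes 'unsafe-inline' ignored; the function names are chosen for this example and any policies or CSS fed to it are the caller's own.

```python
import base64
import hashlib

HASH_ALGOS = ("sha256", "sha384", "sha512")


def digest_b64(css_text, algo="sha256"):
    """Base64 digest of the exact text between <style> and </style>."""
    return base64.b64encode(hashlib.new(algo, css_text.encode("utf-8")).digest()).decode()


def parse_csp(policy):
    """Split a policy into {directive: [sources]}; a repeated directive is ignored."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def inline_style_allowed(policy, css_text, nonce=None):
    """Return (allowed, reason) for an inline <style> block under the policy."""
    directives = parse_csp(policy)
    for name in ("style-src-elem", "style-src", "default-src"):
        if name in directives:
            sources = directives[name]
            break
    else:
        return True, "no style directive and no default-src"
    strict = False  # becomes True once a nonce or hash source is listed
    for src in sources:
        if not (src.startswith("'") and src.endswith("'")):
            continue  # host and scheme sources never cover inline content
        kind, _, value = src[1:-1].partition("-")
        kind = kind.lower()
        if kind == "nonce":
            strict = True
            if nonce is not None and value == nonce:
                return True, "nonce matches"
        elif kind in HASH_ALGOS:
            strict = True
            if digest_b64(css_text, kind) == value:
                return True, "hash matches"
    if not strict and any(s.lower() == "'unsafe-inline'" for s in sources):
        return True, "'unsafe-inline' is in effect"
    return False, "blocked: no usable 'unsafe-inline', nonce or hash"
```

Because the hash is taken over the exact element text, any edit to the stylesheet, even added whitespace, needs a new hash in the header.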

Offline polonus

Re: Tests and other Media topics
« Reply #371 on: August 27, 2016, 11:44:33 PM »
Here for a random example, I check observatory results against Recx Security Analyzer extension results: https://observatory.mozilla.org/analyze.html?host=frontpage.fok.nl

HTTP Security Header returned cache-control no-cache with a warning, not according to best policies.
Only access-control.allow.origin OK
allowallcookies, sessid and -cfduid Host-only attribute not returned, screen cookie HTTP only attribute not returned.

Quote
HTTP/1.1 200 OK
Date: Sat, 27 Aug 2016 20:53:27 GMT
Content-Type: text/html; charset=iso-8859-15
Connection: keep-alive
Set-Cookie: __cfduid=d5f6938f885ca343e19e68ad17de5c9fe1472331207; expires=Sun, 27-Aug-17 20:53:27 GMT; path=/; domain=.fok.nl; HttpOnly
Set-Cookie: token=83aec9f5940a64e2d1ad98c16e8a2234; path=/; domain=.fok.nl
Cache-Control: no-cache, must-revalidate
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Set-Cookie: vc=1; expires=Sat, 27-Aug-2016 20:56:27 GMT; path=/; domain=.fok.nl; httponly
Vary: Accept-Encoding
Server: cloudflare-nginx
CF-RAY: 2d9269c06bb621c8-EWR

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
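
Added example, not part of the thread: the Secure, HttpOnly and host-only checks discussed in Reply #368 and Reply #371, run in Python over the response headers quoted in the post above. The function names are made up for this example; a cookie counts as host-only when no Domain attribute is sent.

```python
# Headers copied from the response quoted in the post above.
RESPONSE_HEADERS = """\
Content-Type: text/html; charset=iso-8859-15
Set-Cookie: __cfduid=d5f6938f885ca343e19e68ad17de5c9fe1472331207; expires=Sun, 27-Aug-17 20:53:27 GMT; path=/; domain=.fok.nl; HttpOnly
Set-Cookie: token=83aec9f5940a64e2d1ad98c16e8a2234; path=/; domain=.fok.nl
Cache-Control: no-cache, must-revalidate
Set-Cookie: vc=1; expires=Sat, 27-Aug-2016 20:56:27 GMT; path=/; domain=.fok.nl; httponly
Server: cloudflare-nginx
"""


def parse_set_cookie(value):
    """Split one Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_cookies(raw_headers):
    """Map each cookie name to the list of attribute problems found."""
    findings = {}
    for line in raw_headers.splitlines():
        header, _, value = line.partition(":")  # first colon only
        if header.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        issues = []
        if "secure" not in attrs:
            issues.append("no Secure flag: may be sent over plain HTTP")
        if "httponly" not in attrs:
            issues.append("no HttpOnly flag: readable via document.cookie")
        if "domain" in attrs:
            issues.append(f"not host-only: Domain={attrs['domain']} is sent to every subdomain")
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for cookie, problems in audit_cookies(RESPONSE_HEADERS).items():
        print(cookie, "->", problems or "ok")
```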

Offline polonus

Re: Tests and other Media topics
« Reply #372 on: September 04, 2016, 07:38:11 PM »
An intelligent scan to perform for -www.modxcloud.com tested at
Quote
Domain Name: =www.modxcloud.com
URL Tested: -https://www.modxcloud.com
Number of items downloaded on page: 92

   Valid Certificate found.
   Certificate valid through: Sep 8 22:26:55 2017 GMT
Certificate Issuer: StartCom Ltd.
SSL Protocols Supported: TLSv1 TLSv1.1 TLSv1.2
   Total number of items: 92
Number of insecure items: 1
Insecure URL: -http://fonts.googleapis.com/css?family=Oxygen:700,400
Found in: -https://cdn3.modxcloud.com/assets/components/markdowneditor/css/cards.css

   Secure calls made to other websites:
-cdn5.modxcloud.com is valid and secure.

-cdn1.modxcloud.com is valid and secure.

-cdn2.modxcloud.com is valid and secure.

-cdn3.modxcloud.com is valid and secure.

-cdn4.modxcloud.com is valid and secure.

-use.typekit.net is valid and secure.

-ajax.googleapis.com is valid and secure.

Check at https://www.whynopadlock.com/check.php

Confirmed here: -https://www.modxcloud.com
Detected libraries:
jquery - 1.7.2 : (active1) -https://ajax.googleapis.com/ajax/libs/jquery/1.7.2/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
1 vulnerable library detected

Blocked by scriptblocker = -https://assets.customer.io/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #373 on: September 04, 2016, 08:50:28 PM »
Also insecure tracking there:
100% of the trackers on this site could be protecting you from NSA snooping.
Tell modxcloud.com to fix it.

 All trackers
At least 10 third parties know you are on this webpage.

 -cdn1.modxcloud.com
 -use.typekit.net
 -Google
 -cdn5.modxcloud.com
 -cdn2.modxcloud.com
 -cdn3.modxcloud.com
 -cdn4.modxcloud.com
 -Segment.io
 -modxcloud.com
-cdn.embedly.com  -cdn.embedly.com
Legend
 Tracker could be tracking safely if this site was secure.
 Tracker does not support secure transmission.

pol

Offline polonus

Re: Tests and other Media topics
« Reply #374 on: September 05, 2016, 09:42:07 PM »
Just went over this session hijacking description info: http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/

Then stumbled upon these bug patterns list: http://resources.infosecinstitute.com/session-hijacking-cheat-sheet/

Time for a web cookies scan: https://webcookies.org/

Testing and extensions: https://www.owasp.org/index.php/Testing_for_cookies_attributes_(OTG-SESS-002)

Bookmarklet: javascript:alert('Cookies stored by this host or domain:\n\n' + document.cookie.replace(/; /g,'\n'));

Oh, but you wanted the results for this forum site, OK? -> https://webcookies.org/cookies/forum.avast.com/2999337

Server vulnerable to OpenSSL CCS attack  :o
Dubious as
Quote
SSL-encrypted websites and servers are still secure. The vulnerabilities that were discovered are in the software itself and not in the Certificate Authorities or SSL/TLS protocols. Once the patches are applied, your systems are secured against the vulnerabilities revealed by the OpenSSL Development team today.
Quote info: DigiCert.

polonus
« Last Edit: September 06, 2016, 11:26:37 AM by polonus »