Author Topic: Tests and other Media topics  (Read 577138 times)

0 Members and 2 Guests are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #375 on: September 06, 2016, 12:22:02 PM »
OCSP stapling decreases the load on a PKI infrastructure's OCSP server by attaching a signed OCSP response to the target in a TLS connection. In addition it creates a more secure/private session since the CA doesn't know that your browser is accessing a given site. Some people have compared this behavior to Kerberos. The Chrome team has decided that they plan to remove CRL and regular OCSP checks, but they haven't disabled OCSP stapling. Other than the client side check: check website here: https://observatory.mozilla.org/analyze.html?host=

Test OCSP stapling in your browser here: http://www.vpnhosting.cz/ocsp/

Most windows type browsers support in. I have it therefore enabled.
Info credits go to Jaromir Kuba.

Have a nice day,

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: September 06, 2016, 12:25:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #376 on: September 07, 2016, 11:45:43 PM »
A comma-test,

The circumvention of DNS and the host file by Microsoft by hard-coding some three dozen IPs in the OS, since XP SP2 and their out of industry standards, is a bad idea for quite a couple of reasons. It is ill or not documented.  So we definitely need the Avast Firewall to mitigate this peaking nose of the camel.

With their kerberos-like authentication validation this makes they can deny whatever user access to their platform and services whenever MS or an restrictive government choose to do so.

Ultimately this could lead to a development of a device platform that offers a user experience of a mix of something between a web TV and an XBox.

Alas Google does likewise. Do the comma test here: http://www.benedelman.org/hardcoding/commatool.html
and read about their hard-coded algorithms: http://www.benedelman.org/hardcoding/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #377 on: September 08, 2016, 12:42:17 AM »
Technical reasons why hard-coding IPs is a bad idea:
IP addresses should not be hardcoded
squid : S1313
Hardcoding an IP address into source code is a bad idea for several reasons:
a recompile is required if the address changes
it forces the same address to be used in every environment (dev, sys, qa, prod)
it places the responsibility of setting the value to use in production on the shoulders of the developer
Noncompliant Code Example
String ip = "127.0.0.1";
Socket socket = new Socket(ip, 6667);
Compliant Solution
String ip = System.getProperty("myapplication.ip");
Socket socket = new Socket(ip, 6667);  info credits SonarQube.

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #378 on: September 09, 2016, 01:39:01 PM »
In the light of all data-breaches recently and the once AOL privacy debacle we show that privacy may not actually exist:
http://www.aolstalker.com see search results and sponsored lisings.
An eye-opener to how little privacy u have,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48512
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #379 on: September 09, 2016, 02:57:45 PM »
In the light of all data-breaches recently and the once AOL privacy debacle we show that privacy may not actually exist:
http://www.aolstalker.com see search results and sponsored lisings.
An eye-opener to how little privacy u have,

polonus
And how long have I been stressing that same point ???
May may think you're hiding but, someone will always find you.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #380 on: September 09, 2016, 11:09:07 PM »
Hi bob3160,

You are right, as the use of the browser or client, as some call it actually, is free only because it is one big tracking and ad-launching machine for big data-vendors (your very private data included). So they want insight into and sell all that you do online, all that you have posted online, you all gave it away when you agreed to that in order to use their free service(s). You have paid with your data.

Do not put/do something online that may one day come to bite you back. And keep at the back of your mind always what I sketched out in the previous alinea. The Internet never forgets and you will never know who may have access to what you have posted.

Forewarned is forearmed.

your avast forum friend,

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #381 on: September 21, 2016, 05:16:32 PM »
To see it in perspective.
What google knows about you
:
What you think according to google- profile: http://www.google.com/settings/ads/
Where you have been according to google - location:  https://maps.google.com/locationhistory
What you searched for: https://www.google.com/history/
All the vids on Utube: https://www.youtube.com/feed/history/search_history
Apps and your google data: https://security.google.com/settings/security/permissions
All your googled meta-data: https://www.google.com/takeout

Hope you stay aware of what they do...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48512
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #382 on: September 21, 2016, 09:49:42 PM »
Very interesting and revealing.
Emphasizes the point: Hiding is futile
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #383 on: September 23, 2016, 11:52:15 AM »
Has someone hacked in on my private Wifi Network?

Checking the devices shown on your wifi connection, use the small tool from the remarkable Israeli developer, Sofer, Nir:
Wireless Network Watcher, then check the found MAC-addresses here: http://www.coffer.com/mac_find/

Enjoy,

polonus

P.S. Read here why I posted here what I posted: https://forum.avast.com/index.php?topic=191140.msg1339902#msg1339902

Nice proggie to detect rogue DHCP servers on your network: http://www.symantec.com/connect/downloads/detect-rogue-dhcp-servers-network

Damian
« Last Edit: September 23, 2016, 11:17:44 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #384 on: September 29, 2016, 12:19:02 AM »
CSP Evaluator
Google has come up with a great tool to check on CSP -
Google uses the CSP evaluator for assets including its Cloud Console, Photos, History, and Maps Timeline among others,
and will expand the list.

It resides here: https://csp-evaluator.withgoogle.com/

So I could not refrain from trying it out, as polonus is into volunteer website security on an almost daily basis.

Enjoy, my friends, enjoy!

Checking on this site: http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fwww.axiscorner.com%2F&useragent=Fetch+useragent&accept_encoding= e.g. -https://plus.google.com/u/1/b/108271385407869247047/+Axiscorner-Architecture-Rendering-Service/about” rel=”publisher

We get two high severity findings: clearcheck
Directive "check" is not a known CSP directive.
expand_more
errorscript-src [missing]
script-src directive is missing.
expand_more
errorobject-src [missing]
Missing object-src allows the injection of plugins which can execute JavaScript. Can you set it to 'none'?
expand_more

Legend

X errorHigh severity finding
errorMedium severity finding
help_outlinePossible high severity finding
removeDirective/value is ignored in this version of CSP
help_outlinePossible medium severity finding
clearSyntax error
info_outlineInformation
checkAll good

Blocked by Netcraft as an XSS attack: Blocked URL: -http://www.domxssscanner.com/scan?url=https%3A%2F%2Fplus.google.com%2Fu%2F1%2Fb%2F108271385407869247047%2F%2BAxiscorner-Architecture-Rendering-Service%2Fabout%22%3EAxis+Corner+Reviews%3C%2Fa%3E+Here%21%3Cscript+type%3D%22application%2Fld%2Bjson%22%3E+%7B++%22%40context%22%3A+%22http%3A%2F%2Fschema.org%2F%22%2C++%22%40type%22%3A+%22Br

Google also released the CSP Mitigator to help administrators apply custom CSP policy to applications and to better understand the impact of enabling CSP including highlighting parts that may break. -> https://chrome.google.com/webstore/detail/csp-mitigator/gijlobangojajlbodabkpjpheeeokhfa

I certainly hope security researchers will benefit from this addition to their toolchest,

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: September 29, 2016, 12:31:36 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #385 on: September 29, 2016, 05:58:55 PM »
And of course this cannot be established by just one scan.
Read: https://content-security-policy.com/
Also test whether your browser can handle it: https://content-security-policy.com/browser-test/

The observatory project scan may also help you: https://observatory.mozilla.org/

And then we see that even security scan sites may be not be quite secure in these respects, example here:
https://observatory.mozilla.org/analyze.html?host=www.scumware.org

Already presented this, also handy in this repect:  http://cyh.herokuapp.com/cyh

Also nice to have this extension to check a site: https://chrome.google.com/webstore/detail/recx-security-analyser/ljafjhbjenhgcgnikniijchkngljgjda

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #386 on: October 01, 2016, 01:31:30 PM »
Generate your Content Security Policy header with this online generator.
Do it here: http://cspisawesome.com/

And another one for domain: https://report-uri.io/home/generate

polonus

P.S. If you would create some CSP like this
Quote
content="default-src * 'unsafe-inline' 'unsafe-eval'"
,
that would really make your website really very insecure. I trust you would not do a thing like that defining,
so an attacker would have an easy job injecting malcode into your site. (info credits go to StackOverflow's Schlaus)
and this would even be worse allowing everything everywhere:
Quote
default-src *; style-src * 'unsafe-inline'; script-src * 'unsafe-inline' 'unsafe-eval'; img-src * data: 'unsafe-inline'; connect-src * 'unsafe-inline'; frame-src *;
(info credits go to StackOverflow's Amold Roa).

Damian (volunteer website security analyst and website error-hunter)
« Last Edit: October 01, 2016, 02:37:14 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #387 on: October 03, 2016, 05:34:17 PM »
Website are capable of tracking you onlne even after you have cleansed your browser.

Reasearch two unpatched flaws that can be exploited to track Millions of Internet users, allowing malicious website owners:
List Building: To compile a list of visited domains by users, even if they have cleared their browsing history
Tracking Cookies: To tag users with a tracking cookie that will persist even after they have deleted all cookies
These two Browser Fingerprinting techniques abuse HTTP Strict Transport Security (HSTS) and Content Security Policy – new security features already built into Mozilla Firefox and Google Chrome, and expected to make their ways to other mainstream browsers in near future.
(info credits the Hacker News)  Read example: https://github.com/MicrosoftEdge/static-code-scan/issues/100

Check for yourself: https://zyan.scripts.mit.edu/sniffly/

Polonus found out that the HTTPS Everywhere extension and uMatrix can intervene with Sniffly, but not fully protect against such threats.

Compare scanning here: https://panopticlick.eff.org/

pol
« Last Edit: October 03, 2016, 06:28:18 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #388 on: October 03, 2016, 11:40:00 PM »
Above we presented CSP, but remember CSP is an security overlayer . We should depend always on other mechanisms like employing frameworks with strict contextual escaping for generating markup, we use the X-frame-options header to protect against clickjacking are asure that resources on secure pages are fetched over HTTPS.

As mentiond one of the three CSP vulnerabilities is clickjacking. Let us check for clickjacking vulnerability here: https://www.lookout.net/test/clickjack.html  and here: http://online.attacker-site.com/html5/ClickjackingTester/

Server request can become blocked by an extension.  Mind that many Chinese ASP websites have clickjacking warnings.
Check also with: https://asafaweb.com/

A warning gives:
Quote
Overview
Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An "X-Frame-Options" header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn't look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus
« Last Edit: October 04, 2016, 12:17:15 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33885
  • malware fighter
Re: Tests and other Media topics
« Reply #389 on: October 06, 2016, 12:19:36 AM »
While testing some code inside DOM XSS Scanner evaluated it with jsunpack and got an error
Results from scanning URL: -https://static.xx.fbcdn.net/rsrc.php/v3/y7/r/FEr7rZpxSFw.js

due to undefined is not valid JSON, so the function is working properly. Info Credits: StackOverflow's  Djechlin
(This because JSON does not have a value = NULL).

Kicked up error:
Quote
script
     info: [script] 127.0.0.1/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable JSON
     error: undefined function JSON.stringify
  When you bug-check code, you are bound to find bugs.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!