Author Topic: Tests and other Media topics (Read 497758 times)

polonus · « **Reply #420 on:** December 22, 2016, 05:45:55 PM »

Thanks, bob3160, for reacting.

Have a Great Christmas ye all and stay cyber-secure!
-> https://www.youtube.com/watch?v=LNvejfhF958

Damian

polonus · « **Reply #421 on:** December 29, 2016, 12:32:10 AM »

When you run your own flaw of dhcp daemon on your windows home network, you certainly wanna know it is no sniff,
so test it here: http://files.thecybershadow.net/dhcptest/ (allowed for private and personal networks only).
Re: https://github.com/CyberShadow/dhcptest
I used Vladimir Pantileev's windows version: http://blog.thecybershadow.net/2013/01/10/dhcp-test-client/
v0.5 with a Win64 build: http://files.thecybershadow.net/dhcptest/dhcptest-0.5-win64.exe

enjoy,

polonus

polonus · « **Reply #422 on:** January 01, 2017, 01:55:47 AM »

Firefox will get protection against font fingerprinting.

When you do not have java and silverlight plug-ins installed, you should not be too overtly afraid about uniquely being followed
via font fingerprinting.

Userts of Linux could use fluxfont: https://github.com/da2x/fluxfonts

Font fingerprinting seems obsolete, read: https://browserleaks.com/fonts
When testing I get all question marks for my browser

JS Fonts (unicode)
Fingerprint   ?
Report   ?
JS Fonts (classic)
Fingerprint   ?
Report   ?
Flash Fonts
Fingerprint   ?
Report   ?

Canvas fingerprinting I blocked via a specific extension for that.

But there are some other issues to worry about: https://amiunique.org/faq

Do not use a browser when you do not want to be traced. To-day the formula is as simple as that.

Privacy = no Internet....period.

Do you not believe us, test it out here: https://amiunique.org/fp

Another issue to get worried about in 2017 when you live inside the EU.
Read it as I am probably still allowed to use a link: https://juliareda.eu/2016/12/10-illegal-things/
Just ponder about the implecations of this not for big corporations but just for you and me,
the average user of the Interwebs. (see attached image)

polonus

polonus · « **Reply #423 on:** January 10, 2017, 03:55:54 PM »

NoScript alerts for javascript in tor browser and why third party tracking blocking makes browsing faster.

Here we have an alert cause by script from this tag link's javascript: -http://tags.bkrtx.com/js/bk-coretag.js
helped here: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fd1z2jf7jlzjs58.cloudfront.net%2Fp.js
for this vid link: -http://www.infoworld.com/article/2612716/hacking/video--how-to-hack-php-sites-with-sql-injection.html
opened with tor browser.

Consider: SRI rapport: https://sritest.io/#report/5f5cd7c1-40fb-4fe3-be12-735ab291c089
Insecure tracking from:
-www.googletagmanager.com
-p.typekit.net
- comScore
-jsonip.com
-shaaaaaaaaaaaaa.com
-www.infoworld.com
-fonts.staticworld.net
-a.postrelease.com
- t.zqtk.net
-i-dge.staticworld.net
-core0.staticworld.net
-tags.bkrtx.com BlueKai
- core3.staticworld.net
-trends.revcontent.com
- Parse.ly
- ak.sail-horizon.com
- pixel.staticworld.net

See: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fd1z2jf7jlzjs58.cloudfront.net%2Fp.js
and producing errors here: http://www.domxssscanner.com/scan?url=http%3A%2F%2Ftags.bkrtx.com%2Fjs%2Fbk-coretag.js hosted via -a104-95-76-57.deploy.static.akamaitechnologies.com

This is due to BlueKai tracking, which produced an issue with ABP as it was very hard to block for ad-blockers.

These scripts come best blocked by https://github.com/mozilla/blok
tor development should give this software a look....

The results of the tracking reprort:
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   (stags|tags)\.bluekai\.com   -http://tags.bluekai.com   BlueKai
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   bkrtx\.com\/js\/   -http://tags.bkrtx.com/js/bk-coretag.js   BlueKai
-http://tags.bkrtx.com/js/bk-coretag.js   -http   tags.bkrtx.com   /js/bk-coretag.js   tracker      116   31   2017-01-10 15:47:48   bluekai\.com   -http://tags.bluekai.com   BlueKai

The reach of trackers to over 21 million pages of 350,000 unique sites, so if you turn up security slider in tor-browser for this code that you'd block anyway, your browsing gets faster and you won't miss anything out.
Such tracking code could also lead to unwanted pop-ups and browser hijacker objects you'd rather like to be without.

For background reading: http://www2016.net/proceedings/proceedings/p121.pdf (source: cliqz)

And where tracking protection created problems for firefox, especially with facebook tracking (yes facebook is a mass media tracking device) : https://bugzilla.mozilla.org/showdependencytree.cgi?id=1101005&hide_resolved=1

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #424 on:** January 10, 2017, 06:54:02 PM »

But be aware, my good friends, insecurity lures everywhere and could be around every corner: http://retire.insecurity.today/#!/scan/e5f3453ae57ebde51a9a0be770075324c12ec4c4820a87f55f8a1207da9c529d
and universal XSS threat for https://www.htbridge.com/websec/?id=c0eb5653d7c5b0277ef5a899beee70c79186df4e90c91de738ac9ca4e77e11e2
Not safe internal CRM website -https://gillii.torproject.org/ ( imagine with authstealer.js?).
Re: http://toolbar.netcraft.com/site_report?url=https://gillii.torproject.org

pol

polonus · « **Reply #425 on:** January 23, 2017, 02:55:07 PM »

Did you check your Content Security Policy? at https://csp-evaluator.withgoogle.com/
Even the most secure sites may have some weaknesses.
Let us look at the settings for https://observatory.mozilla.org/
Like here:

Quote

default-src 'none';
connect-src https://api.ssllabs.com https://hstspreload.org https://http-observatory.security.mozilla.org https://securityheaders.io https://tls.imirhil.fr https://tls-observatory.services.mozilla.com https://www.htbridge.com;
font-src 'self' https://fonts.gstatic.com;
frame-ancestors 'none';
img-src 'self';
script-src 'self';
style-src 'self' https://fonts.googleapis.com

Quote

content-security-policy

default-src 'none'; connect-src https://api.ssllabs.com https://hstspreload.org https://http-observatory.security.mozilla.org https://securityheaders.io https://tls.imirhil.fr https://tls-observatory.services.mozilla.com https://www.htbridge.com; font-src 'self' https://fonts.gstatic.com; frame-ancestors 'none'; img-src 'self'; script-src 'self'; style-src 'self' https://fonts.googleapis.com, upgrade-insecure-requests; block-all-mixed-content

Possible medium security issue:

Quote

checkimg-src
expand_more
help_outlinescript-src
expand_more
help_outline'self'
'self' can be problematic if you host JSONP, Angular or user uploaded files.

checkstyle-src

Help Icon
Click the icons in the tables below for a more detailed explanation.

HTTP security headers

Name

Value

Setting secure

content-security-policy

Cache-control header not returend..
Page meta security headers not set securely. Form autocomplete-settings: scantron-form HTML form not secure.

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #426 on:** January 27, 2017, 03:36:04 PM »

Some more sites to check (blocked) IP: https://www.threatminer.org/host.php?q=
And see SSL Server Security Tests at work in real time: https://www.htbridge.com/ssl/

polonus

polonus · « **Reply #427 on:** February 02, 2017, 09:58:38 PM »

It could be interesting to establish what kind of security layers have been implemented for a specific website.

This apart from how the confidentiality of a site has been guaranteed, HTTPS has been implemeted correctly.
Apart from this we always have to harden and protect servers from known server exploits, wrong security settings and
against targeted phishing and malware attacks (but we have avast there, haven't we

).

We should be particularly aware of mail servers, that banners aren't speaking too loud about versions used, but pinging certain mailservers without version info will produce them anyway. So test non-invasively via banners and functional tests
for what ESMTP functions are being supported (when we find no transport encryption support this means that all will be transported in clear txt over the Internet). Some Firewalls and Outdated Security Policies will only support pure SMTP,
meaning less attack but lack of transport encryption of sorts.

Also read here: https://blog.qualys.com/ssllabs/2016/09/06/is-http-public-key-pinning-dead

What was being tested?

- Qualys SSL labs score?
- High Tech Bridge HTTPS score?
- High Tech Bridge web security score?
- HTTPS implemented?
- DNSSEC implemented?
- HTTP Strict Transport Security Policy implemented?
- Weak cyphers support?
- CSP implemented?
- Unknown jQuery security updates?
- HTTPOnly Security not being set for cookie?
- live-Twitter Javascript code?
- Google Analytics active?
- Live Google advertising?
- Live Google Javascript Code?
- Type HTTP redirect?
- Wildcard Certificate or many domain names in certificate?
- Extended Validation Certificate?
- Certificate Transparency Certificate?
- Perfect Forward Security supported?
- HSTS Preloading vulnerability?
- X-Frame Options implemented
- X-Powered by Header?
- Autocomplete set at password field (now obsolete)?
- Same Site Protection not set for cookie?
- Publication of Technical Info?
- Client-Initiated-Secure-Renegotiation supported?
- Subresource Integrety (SRI) implemented?
- TLS 1.0 supported?
- Vulnerable to BEAST attack?
- Vulnerable to DROWn attack?
- OCSP Alert Sample configured?
- Public-Key-pinning implemented? (see link, seems dead now)
- X-XSS-Protection implemented?
- X-Content-Type-Options implemented?

Scan proposal info - info credits go out to security researcher, Sijmen Ruwhof.

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #428 on:** February 24, 2017, 04:46:10 PM »

Were you vulnerable to Cloudbleed?

Check with this extension: https://chrome.google.com/webstore/detail/cloudbleed-bookmark-check/egoobjhmbpflgogbgbihhdeibdfnedii/related

Does a website have CloudFlare: http://www.doesitusecloudflare.com/
Then check that website's SRI hash security status here: https://sritest.io/

polonus (volunteer website security analyst and website error-hunter)

polonus · « **Reply #429 on:** February 24, 2017, 06:59:07 PM »

In my particular case checking for cloudbleed-bookmark I found:

Quote

The following bookmarked sites may have been affected by Cloudbleed:

sritest.io
securityheaders.io
codefromthe70s.org
hetrixtools.com
yehg.net
cyberwarzone.com
adguard.com
downuptime.net

polonus

polonus · « **Reply #430 on:** February 25, 2017, 04:41:40 PM »

With the above list results in mind, we can then check here: http://cloudflarelistcheck.abal.moe/
So for instance adguard.com was affected. Then also check here: https://cloudbleedcheck.com/?domain=
Constant updates of list: https://github.com/pirate/sites-using-cloudflare/blob/master/README.md

pol

polonus · « **Reply #431 on:** March 16, 2017, 12:44:11 PM »

Word Press security checks we (Eddy, others and little old me) often perform here:
https://hackertarget.com/wordpress-security-scan/

Check for retirable jQuery libraries can be performed here: retire.insecurity.today/#
Same origin sri-hash issues: https://sritest.io/#
Additionally perform a scan here: https://sitecheck.sucuri.net/
and here: http://www.domxssscanner.com/scan?url=
Also test here for DNS issues and whether (hosting) name server versions are being exposed:
http://www.dnsinspect.com/
Get the test status results here: https://observatory.mozilla.org/
and here for cert issues: cryptoreport.websecurity.symantec.com

When we have all these third party combined test results we can start to secure the website built with Word Press as a CMS. First we start to mitigate the threats detected and then harden the system.

Mind you most important are your data. This should be cared for like good ripening wine.

An application can be easily be rebuilt any time, so consider application restore to the freshness of fish,
fish should always be red at the gills.

Update and patch, folks, always and continuously!

Even WordPress security suggestion sites could be suspicious like: -https://yoast.com/wordpress-security/

In a following posting I will suggest some steps you can take to better secure your Word Press website
and to harden it against abuse.

polonus (volunteer website security analyst and website error-hunter)

bob3160 · « **Reply #432 on:** March 16, 2017, 02:19:39 PM »

https://bob3160.wordpress.com/

polonus · « **Reply #433 on:** March 16, 2017, 10:51:37 PM »

German government officials warn against 20.000 vulnerable cloud environments

Check your cloud environment with that vulnerable software here:

https://scan.owncloud.com/

and here:

https://scan.nextcloud.com/

See this would be followed up and you could end such problems for the future:
https://en.wikipedia.org/wiki/General_Data_Protection_Regulation#Sanctions

Those that endanger the data of users, should be presented with a bill for the inconveniece
and not put up the social community with their costs and losses,
and keep all the profits to themselves.

polonus

polonus · « **Reply #434 on:** March 17, 2017, 01:17:08 PM »

WordPress hardening - About username & password.

A nice tool for creating safer passwords for your WordPress CMS re: https://tools.arantius.com/password
and this one: https://strongpasswordgenerator.com/
and additionally this generator: https://www.random.org/strings/

A bad username/password combination is insecure. Do not use admin (make a new account named administrator) and passwords that can be revealed through brute forcing. Use a random name for your user base.
Never use the name of the website, use capitals, small characters, numbers and special characters.
Remember you could use spaces in between with password, so create a password sentence, like
"1 c@n M8K3 ^ l33t pa$$w0Rd".

Installatron is a good tool to create a random username and password. Change your password often, make it good, secure and random. Your users should do like wise, use Norton Password Generator or Strong Password Generator: https://identitysafe.norton.com/password-generator/

User Enumeration is not available
It was not possible to easily enumerate usernames from the user ID's. This is a good thing, as it can add difficulty to brute force password attacks if the username is not able to be determined.

It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring. As this will reduce the chance of automated password attackers gaining access. However it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Only the first two user ID's were tested with this scan, use the Nmap NSE enumeration scripts (use your own Nmap installation or try the adanced membership option ) to discover additional user ID's.

polonus (volunteer website security analyst and website error-hunter)