Author Topic: Tests and other Media topics  (Read 586970 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33903
  • malware fighter
Re: Tests and other Media topics
« Reply #765 on: March 07, 2020, 03:43:56 PM »
Hi bob3160,

Indeed, bob3160. It is not so much that they track and collect (y)our data; they apparently are sitting on loads and loads of data.
More interesting is the answer to "To do what?". Sell it to the highest bidder, and that can be both commerce and your government.
Hopefully it does not land in some form on the wrong competitor's or the wrong state agent's desk.

It is not so much that they do it; it is more about end-users being aware that this is going on inside their browsers "at the other side of their screens", 24/7, all year round, when and where they are mostly unaware of it. It is OK when they asked you to participate so they could come up with interesting ads at your doorstep, as the flyer-boy did in the past.

And then you always have adblockers and script-blockers to stem the worst of it.  ;)  :)

Thing for us here is that ads sometimes come malware-laden and then you like to cling to that ad-blocker of choice,
no matter how many times you are begged to take these ad-blocking-visors down.
Or with a pay wall you stop visiting such a nagging page altogether.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Tests and other Media topics
« Reply #766 on: March 08, 2020, 12:27:01 AM »
Do not fall for a PHISH. Normally Avast, Avast Secure Browser and the Avast browser extension will keep you from visiting existing PHISHING websites, but we can also scan or be alerted ourselves.
Over 5,000 PHISHING sites are reported every day here: https://openphish.com/
And recent submissions here: https://www.phishtank.com/
Cert Transparency, to find a PHISH before it finds you: https://certstream.calidog.io/ https://phishfinder.io/

polonus

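As an added example (not from polonus's post, and not code from the certstream or phishfinder projects linked above): the scoring step that "find a PHISH before it finds you" tools apply to hostnames as they appear in Certificate Transparency, run offline over a constructed list of hostnames. The brand and lure keyword lists, the weights, and the threshold are this example's own assumptions, not a vetted feed.

```python
"""Heuristic scoring of hostnames seen in a Certificate Transparency feed.

Added example, not from the original post: the linked services (certstream,
phishfinder) do the live streaming; this reproduces only the scoring step,
offline, over a constructed list of hostnames. The keyword lists, weights and
threshold are illustrative assumptions, not a vetted production feed.
"""
import math
from collections import Counter
from typing import List, Tuple

# Brand tokens that phishers put in hostnames, and lure words that go with them.
BRANDS = ("paypal", "apple", "microsoft", "office365", "amazon", "netflix")
LURES = ("login", "secure", "verify", "account", "update", "signin", "support")
# TLDs that show up disproportionately in abuse reports (assumption for the example).
SUSPICIOUS_TLDS = (".xyz", ".top", ".tk", ".ml", ".ga", ".cf", ".gq", ".icu")


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score higher than words."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_hostname(host: str) -> Tuple[int, List[str]]:
    """Return (score, reasons); higher means more phishing-like."""
    host = host.lower().strip(".")
    if host.startswith("*."):               # wildcard cert: score the base name
        host = host[2:]
    labels = host.split(".")
    registrable = ".".join(labels[-2:])     # crude; ignores multi-part public suffixes
    score, reasons = 0, []

    for brand in BRANDS:                    # brand name used anywhere but its own domain
        if brand in host and not registrable.startswith(brand + "."):
            score += 40
            reasons.append(f"brand '{brand}' outside its registrable domain")
    for lure in LURES:
        if lure in host:
            score += 10
            reasons.append(f"lure word '{lure}'")
    if any(host.endswith(tld) for tld in SUSPICIOUS_TLDS):
        score += 15
        reasons.append("abuse-prone TLD")
    if host.count("-") >= 3:
        score += 10
        reasons.append("many hyphens")
    if len(labels) >= 4:
        score += 10
        reasons.append("deep subdomain nesting")
    if any(label.startswith("xn--") for label in labels):
        score += 30
        reasons.append("punycode label (possible homograph)")
    longest = max(labels, key=len)
    if len(longest) >= 12 and "-" not in longest and shannon_entropy(longest) > 3.5:
        score += 10
        reasons.append("random-looking label")
    return score, reasons


def triage(hosts: List[str], threshold: int = 40) -> List[Tuple[str, int]]:
    """Hosts scoring at or above the threshold, highest first."""
    scored = [(h, score_hostname(h)[0]) for h in hosts]
    return sorted([hs for hs in scored if hs[1] >= threshold], key=lambda hs: -hs[1])


# Constructed sample: the kind of SAN names a CT stream emits, not real observations.
SAMPLE_CT_HOSTS = [
    "www.example.com",
    "paypal.com",
    "paypal-secure-login.verify-account.xyz",
    "xn--pypal-4ve.com",
    "mail.corp.example.org",
    "appleid-apple.com.support-update.tk",
    "a7f3k9q2x8m4z1.secure-login.top",
]

if __name__ == "__main__":
    for host, s in triage(SAMPLE_CT_HOSTS):
        print(f"{s:3d}  {host:45s}  {', '.join(score_hostname(host)[1])}")
```

The registrable-domain split is deliberately crude (it treats "co.uk" as a domain); a real deployment should use a public-suffix list, and the weights need tuning against your own false-positive rate before anyone is paged on them.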

Offline polonus

Re: Tests and other Media topics
« Reply #767 on: March 08, 2020, 02:06:09 PM »
Brave New World scenario: biohackers encoded computer malware inside DNA.
Read: https://www.wired.com/story/malware-dna-hack/

Time to explore some common ways of obfuscation malcreants use from day to day:
Read: https://medium.com/@bromiley/malware-monday-obfuscation-f65239146db0

The tools: https://turgensec.com/Obscurity/Obscurity.html

Forewarned is forearmed,

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #768 on: March 14, 2020, 02:33:17 PM »
Many of us, sitting at home now, have ample time on our hands to test, lint and fuzz JavaScript code:
Explore online tools at: https://webtoolkitonline.com/

Very interesting for those into JavaScript security and all others that take an interest in the subject.

Just an example from the Vulners Webscanner extension's loaded content.js script,
opened via Ctrl+Shift+I (inside the browser console).

Let's go. Following the yellow alert triangle we see:
We can use either
JavaScript Tester online: https://webtoolkitonline.com/javascript-tester.html
Also: https://codebeautify.org/jsvalidate
via the latter tool ->

Validation of a simple vulners script against regexp->
Quote
1   1   1   'console' was used before it was defined.
console.log('[VULNERS] Init');
2   3   1   'v_browser' was used before it was defined.
v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {
3   3   57   'rules' was used before it was defined.
v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {
4   3   56   Unexpected '('.
v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {
5   3   65   Missing space between '=' and '>'.
v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {
6   3   65   Unexpected '>'.
v_browser.runtime.sendMessage({ action: 'get_regexp'}, (rules) => {


Quite some task, but very instructive. Pay attention to certain patterns and learn to recognize those patterns.
You learn to hear the JavaScript grass grow with your ear stuck (stack?) firmly to the ground. ( } >;).

Regards to everyone here. A good week and most of all stay in good health ye all,
Info credits go to luntrus

polonus (volunteer 3rd party cold recon (JavaScript)-security website analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #769 on: March 15, 2020, 04:29:05 PM »
Seen in the light of COVID-19 precaution measures, we remind you that all scans can be safely run online without any human contact or paperwork. ;) Keep your devices, keyboards and screens clean and away from others.

Scan website security headers. Often malicious websites have low scores in this respect;
the following one has a D-score: https://securityheaders.com/?q=https%3A%2F%2Fonedrive.live.com&followRedirects=on

This site is spreading malware, see: https://urlhaus.abuse.ch/url/325253/   

Also consider a bewildering A score here: https://www.immuniweb.com/websec/?id=N1Mnj70i
Compare to: https://webcookies.org/ssl/report/onedrive.live.com/193599

Missing headers:
Quote
Missing Headers
Content-Security-Policy   Content Security Policy is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets.

X-Frame-Options   X-Frame-Options tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking. Recommended value "X-Frame-Options: SAMEORIGIN".

Referrer-Policy   Referrer Policy is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

Feature-Policy   Feature Policy is a new header that allows a site to control which features and APIs can be used in the browser.

polonus
« Last Edit: March 15, 2020, 04:31:24 PM by polonus »
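Added example, not from the post and not securityheaders.com's own code or scoring: a checker for the headers the quoted report lists as missing (plus HSTS and X-Content-Type-Options, which the same kind of scanner also grades), run over constructed response headers rather than anything captured from onedrive.live.com. The grade ladder and the value checks are this example's simplification.

```python
"""Grade a set of HTTP response headers the way a header scanner does:
presence of the protective headers plus a sanity check on their values.

Added example, not from the original post and not securityheaders.com's own
code or scoring; the grade ladder and value checks are this example's
simplification. The sample responses are constructed, not captures.
"""
from typing import Dict, List, Tuple

# The four headers the quoted report lists as missing, plus the two others
# such scanners score. Keys are lower-case because header names are case-insensitive.
CHECKS = {
    "content-security-policy": "Content-Security-Policy missing: no allowlist of script/asset sources (XSS)",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "referrer-policy": "Referrer-Policy missing: full URL leaks in Referer on navigation",
    "feature-policy": "Feature-Policy/Permissions-Policy missing: no browser-feature restrictions",
    "strict-transport-security": "Strict-Transport-Security missing: first request can be downgraded to HTTP",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
}
GRADES = ["A", "B", "C", "D", "E", "F"]
HSTS_MIN_AGE = 15552000  # 180 days, a common minimum for a good grade


def weak_values(h: Dict[str, str]) -> List[str]:
    """Values that are present but undo most of the header's protection."""
    issues = []
    csp = h.get("content-security-policy", "")
    if csp:
        if "'unsafe-inline'" in csp and "nonce-" not in csp and "sha256-" not in csp:
            issues.append("CSP allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in csp:
            issues.append("CSP allows 'unsafe-eval'")
        if "default-src" not in csp and "script-src" not in csp:
            issues.append("CSP restricts neither default-src nor script-src")
    hsts = h.get("strict-transport-security", "")
    if hsts:
        max_age = 0
        for directive in hsts.split(";"):
            directive = directive.strip().lower()
            if directive.startswith("max-age="):
                try:
                    max_age = int(directive.split("=", 1)[1])
                except ValueError:
                    pass
        if max_age < HSTS_MIN_AGE:
            issues.append(f"HSTS max-age {max_age} is shorter than 180 days")
    xfo = h.get("x-frame-options", "").upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        issues.append(f"X-Frame-Options '{xfo}' is neither DENY nor SAMEORIGIN")
    return issues


def grade(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Start at A; drop one grade per missing header and one more if any value is weak."""
    h = {k.lower(): v for k, v in headers.items()}
    missing = []
    for name, message in CHECKS.items():
        if name in h:
            continue
        if name == "feature-policy" and "permissions-policy" in h:
            continue  # Permissions-Policy is the successor header
        missing.append(message)
    weak = weak_values(h)
    steps = len(missing) + (1 if weak else 0)
    return GRADES[min(steps, len(GRADES) - 1)], missing + weak


# Constructed sample responses (not real captures).
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Set-Cookie": "session=abc; Path=/",
    "Server": "nginx",
}
PARTIAL_RESPONSE = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "SAMEORIGIN",
}
HARDENED_RESPONSE = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("partial", PARTIAL_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        g, findings = grade(resp)
        print(f"{label}: grade {g}")
        for f in findings:
            print("  -", f)
```

The value checks matter more than the presence checks: a CSP of `default-src * 'unsafe-inline' 'unsafe-eval'` passes a presence-only scanner and stops nothing, which is also why an "A" from one tool and a "D" from another on the same host (as in the post) is not a contradiction.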

Offline polonus

Re: Tests and other Media topics
« Reply #770 on: March 30, 2020, 02:38:09 PM »
Mozilla will bring https-only-mode to Firefox 76.
Read: https://bugzilla.mozilla.org/show_bug.cgi?id=1613063
So test here: https://www.cdn77.com/tls-test
or using tools found here: https://geekflare.com/ssl-test-certificate/

See https-everywhere atlas: https://atlas.eff.org
The static site generator for https-everywhere to be found here: https://github.com/EFForg/https-everywhere-atlas

And accompanying browser cookie dilemmas:
https://nakedsecurity.sophos.com/2015/02/02/anatomy-of-a-browser-dilemma-how-hsts-supercookies-make-you-choose-between-privacy-or-security/

Scan: https://webcookies.org/  &  https://securityheaders.com/?q=

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

« Last Edit: March 30, 2020, 02:52:38 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #771 on: April 13, 2020, 02:23:23 PM »
The privacy implications of visiting some social media site?
Are we aware of what data we will share with Big Surveillance Data Grab Corporations?

Random example: https://webcookies.org/cookies/www.reddit.com/2247338
1st party cookies 7, css 1 for *reddit.com and 1 script;
*reddit.media.com  with 1 image;
*redditstatic.com css 5, 23 scripts and 1 other.
Consider: http://ssl-checker.online-domain-tools.com/
Quote
The results for host reddit.com (IP address 151.101.193.140) on port 443:

Problems Summary
BEAST vulnerability (CVE-2011-3389) is NOT mitigated on server.
Certificate Chain
Main Server Certificate
Subject Name:   *.reddit.com
Subject Data:   O=Reddit Inc., L=San Francisco, S=California, C=US
Alternative Names:   *.reddit.com, reddit.com
Prefix Handling:   Yes (with and without www)
Valid From:   2020-04-06 00:00:00 UTC
Valid To:   2020-10-03 12:00:00 UTC (expires in 6 months)
Key:   RSA 2048 bits (e 65537)
Signature Algorithm:   SHA256withRSA
Fingerprint:   4f476c62b996aaddf5d37b746f9953fc0e9db2d9
Issuer Name:   DigiCert SHA2 Secure Server CA
Issuer Data:   O=DigiCert Inc, C=US
Extended Validation:   No
Certificate Transparency:   Yes
Revocation Information:   OCSP, CRL
Revocation Status:   Not revoked
Weak Debian Key:   No
Self-signed:   No
Trusted:   Yes (Apple, Java, Microsoft, Mozilla)
Chain Certificate #2
Subject Name:   DigiCert SHA2 Secure Server CA
Subject Data:   O=DigiCert Inc, C=US
Valid To:   2023-03-08 12:00:00 UTC (expires in 2 years)
Key:   RSA 2048 bits (e 65537)
Signature Algorithm:   SHA256withRSA
Fingerprint:   1fb86b1168ec743154062e8c9cc5b171a4b7ccb4
Issuer Name:   DigiCert Global Root CA
Issuer Data:   O=DigiCert Inc, OU=www.digicert.com, C=US
Revocation Status:   Not revoked
Weak Debian Key:   No
Self-signed:   No
Certificate Paths
Path #1 (TRUSTED)
1   Sent by server
*.reddit.com
4f476c62b996aaddf5d37b746f9953fc0e9db2d9
RSA 2048 bits / SHA256withRSA
2   Sent by server
DigiCert SHA2 Secure Server CA
1fb86b1168ec743154062e8c9cc5b171a4b7ccb4
RSA 2048 bits / SHA256withRSA
3   In trust store
DigiCert Global Root CA (self-signed)
a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c5436
RSA 2048 bits / SHA1withRSA
Protocol Details
Details
Secure Renegotiation   Unknown
Secure Client-Initiated Renegotiation   Unknown
Insecure Client-Initiated Renegotiation   Unknown
OCSP Stapling   Yes
Strict Transport Security (HSTS)   Yes
Session Resumption (Session IDs)   Yes
Session Resumption (Session Tickets)   Yes
Deflate Compression   No
Downgrade Attack Prevention (TLS_FALLBACK_SCSV)   Yes
Supports Insecure Ciphers   No
Supports Weak Ciphers   No
Common DH Prime   No
Forward Secrecy   Yes
BREACH Vulnerability   No
CRIME Vulnerability   No
OpenSSL CCS Injection   No
Heartbleed Vulnerability   No
POODLE Vulnerability   No
BEAST Vulnerability   Yes
FREAK Vulnerability   No
LOGJAM Vulnerability   No
Supported Protocols and Cipher Suites
TLS 1.2
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   Secure   256   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   No
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   Secure   128   Yes   No   No   No
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   Secure   128   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.1
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.0
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
SSL 3
Supported   No
SSL 2
Supported   No

Then see: https://urlscan.io/result/7604b6e3-3cb7-4ea1-a6e4-47f28d78fb76
Hosting with reCAPTCHA: https://www.shodan.io/host/151.101.117.140/raw

100% of the trackers on this site could be protecting you from NSA snooping for *redditstatic.com,
not secure against snoopers: https://webcookies.org/cookies/www.redditstatic.com/18587196

Security capped at F-status: https://observatory.mozilla.org/analyze/www.reddit.com

Not an ideal situation, friends, during lock-down Big Brother surveillance out-time; just come and realize these facts.

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)



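Added example, not from the post or from the online-domain-tools scanner it quotes: a parser for the "Supported Protocols and Cipher Suites" section of that report format, deriving the findings a reviewer would pull out of it (deprecated protocol versions, CBC suites on TLS 1.0 behind the BEAST flag, 3DES, suites without forward secrecy). The embedded report is a trimmed copy of the one quoted above; the findings logic is this example's own.

```python
"""Parse the 'Supported Protocols and Cipher Suites' section of an
ssl-checker style report and turn it into findings.

Added example, not from the original post or the online-domain-tools scanner
it quotes. SAMPLE_REPORT is a trimmed copy of the report format shown in the
post; the findings logic and thresholds are this example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SUITE_RE = re.compile(
    r"^(?P<name>TLS_[A-Z0-9_]+)\s+\((?P<id>0x[0-9a-f]+)\)\s+(?P<grade>\w+)\s+(?P<bits>\d+)"
    r"\s+(?P<fs>Yes|No)\s+(?P<export>Yes|No)\s+(?P<anon>Yes|No)\s+(?P<pref>Yes|No)\s*$"
)
PROTO_RE = re.compile(r"^(TLS 1\.[0-3]|SSL [23])$")


@dataclass
class Suite:
    name: str
    bits: int              # scanner's effective key size
    forward_secrecy: bool  # FS column: ephemeral (EC)DHE key exchange
    preferred: bool        # the suite the server picks first for this protocol


def parse_report(text: str) -> Dict[str, List[Suite]]:
    """Protocol version -> suites, only for versions marked 'Supported   Yes'."""
    suites: Dict[str, List[Suite]] = {}
    proto: Optional[str] = None
    enabled = False
    for raw in text.splitlines():
        line = raw.strip()
        if PROTO_RE.match(line):
            proto, enabled = line, False
            continue
        if proto and line.startswith("Supported"):
            enabled = line.endswith("Yes")
            if enabled:
                suites[proto] = []
            continue
        m = SUITE_RE.match(line)
        if m and proto and enabled:
            suites[proto].append(Suite(m["name"], int(m["bits"]),
                                       m["fs"] == "Yes", m["pref"] == "Yes"))
    return suites


def preferred_suites(suites: Dict[str, List[Suite]]) -> Dict[str, Optional[str]]:
    """The server-preferred suite per protocol version (None if the report marks none)."""
    return {p: next((s.name for s in lst if s.preferred), None) for p, lst in suites.items()}


def findings(suites: Dict[str, List[Suite]]) -> List[str]:
    out = []
    for proto in ("SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1"):
        if proto in suites:
            out.append(f"{proto} enabled: deprecated protocol, disable it")
    # BEAST is a TLS 1.0 CBC issue; a server that still offers CBC suites on
    # TLS 1.0 relies entirely on client-side mitigation (1/n-1 record splitting).
    if "TLS 1.0" in suites and any("_CBC_" in s.name for s in suites["TLS 1.0"]):
        out.append("BEAST exposure: CBC suites offered on TLS 1.0")
    seen = set()
    for lst in suites.values():
        for s in lst:
            if s.name in seen:
                continue
            seen.add(s.name)
            if "3DES" in s.name:
                out.append(f"{s.name}: 64-bit block cipher (Sweet32), {s.bits}-bit strength")
            if not s.forward_secrecy:
                out.append(f"{s.name}: static RSA key exchange, no forward secrecy")
    return out


# Trimmed copy of the report format quoted in the post (same column layout).
SAMPLE_REPORT = """
Supported Protocols and Cipher Suites
TLS 1.2
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   Secure   128   Yes   No   No   Yes
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   Secure   256   Yes   No   No   No
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   Secure   256   No   No   No   No
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.1
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x0a)   Secure   112   No   No   No   No
TLS 1.0
Supported   Yes
Cipher Suite   Grade   KeySize   FS   Export   Anon   Preferred
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   Secure   128   Yes   No   No   Yes
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   Secure   128   No   No   No   No
SSL 3
Supported   No
SSL 2
Supported   No
"""

if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    print("preferred:", preferred_suites(parsed))
    for f in findings(parsed):
        print("-", f)
```

Note that the scanner labels every suite above "Secure", including static-RSA and 3DES ones; the grade column describes the cipher in isolation, so the findings come from the FS column, the cipher name and the protocol version, not from that label.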

Offline polonus

Re: Tests and other Media topics
« Reply #772 on: April 18, 2020, 09:33:55 PM »
Test Border Gateway Protocol for safety here: https://isbgpsafeyet.com/
Why important?
A BGP hijack occurs when a malicious node deceives another node, lying about what the routes are for its neighbors. Without any security protocols, this misinformation can propagate from node to node, until a large number of nodes now know about, and attempt to use these incorrect, nonexistent, or malicious routes.

For BGP to be safe, all of the major ISPs will need to embrace RPKI. Sharing this page will increase awareness of the problem which can ultimately pressure ISPs into implementing RPKI for the good of themselves and the general public. You can also reach out to your service provider or hosting company directly and ask them to deploy RPKI and join MANRS. When the Internet is safe, everybody wins.

Implementing: https://blog.cloudflare.com/cloudflares-rpki-toolkit/

polonus
« Last Edit: April 18, 2020, 09:43:05 PM by polonus »
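Added example, not from the post and not code from Cloudflare's RPKI toolkit: the route-origin validation rule (RFC 6811) whose enforcement the "Is BGP safe yet" test checks at your ISP, applied to a constructed set of ROAs and announcements using documentation prefixes and private-range ASNs.

```python
"""RPKI route-origin validation (RFC 6811) over constructed ROAs and announcements.

Added example, not part of the original post or of the Cloudflare RPKI toolkit
it links. Prefixes are documentation ranges; ASNs are from the private range.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ROA:
    prefix: str       # address block the resource holder signed for
    max_length: int   # longest more-specific prefix the holder allows
    asn: int          # AS allowed to originate it; AS0 means "no one"


VALID, INVALID, NOT_FOUND = "Valid", "Invalid", "NotFound"


def validate(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """RFC 6811: a ROA *covers* the route if the route lies inside the ROA prefix;
    it *matches* if additionally the origin AS equals the ROA AS and the route is
    no longer than maxLength. Any match -> Valid; covered but no match -> Invalid;
    nothing covers it -> NotFound."""
    route = ipaddress.ip_network(announced_prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != route.version or not route.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn != 0 and roa.asn == origin_asn and route.prefixlen <= roa.max_length:
            return VALID
    return INVALID if covered else NOT_FOUND


def accept(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> bool:
    """The policy isbgpsafeyet.com tests for: drop Invalid, keep Valid and NotFound
    (NotFound is still accepted because most of the table has no ROA yet)."""
    return validate(announced_prefix, origin_asn, roas) != INVALID


# Constructed ROA set (documentation prefixes, private ASNs).
ROAS = [
    ROA("192.0.2.0/24", 24, 64496),      # exact prefix only, no more-specifics
    ROA("198.51.100.0/24", 26, 64497),   # holder may announce down to /26
    ROA("203.0.113.0/24", 24, 0),        # AS0: prefix must never appear in BGP
    ROA("2001:db8::/32", 48, 64496),
]

if __name__ == "__main__":
    for prefix, asn in [("192.0.2.0/24", 64496), ("192.0.2.0/25", 64496),
                        ("192.0.2.0/24", 64500), ("198.51.100.128/25", 64497),
                        ("203.0.113.0/24", 64496), ("10.0.0.0/8", 64496),
                        ("2001:db8:1::/48", 64496), ("2001:db8::/64", 64496)]:
        print(f"{prefix:20s} AS{asn:<6d} {validate(prefix, asn, ROAS)}  accept={accept(prefix, asn, ROAS)}")
```

The `192.0.2.0/25` case is the one to notice: a more-specific hijack of a covered prefix is Invalid even when it claims the legitimate origin AS, because maxLength is 24. That is exactly the class of hijack a network that only filters on origin AS, without maxLength, would still accept.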

Offline polonus

Re: Tests and other Media topics
« Reply #773 on: April 19, 2020, 03:28:40 PM »
To monitor my connections I run Nir Sofer's SmartSniff tool.
Example:
3676   TCP   192.168.U.UU   172.217.17.131   49430   443      -gstaticadssl.l.google.com   https   75  {75 ; 0}   44.304 Bytes  {44.304 ; 0}   47.861 Bytes  {47.304 ; 557}   26.4 KB/Sec   19-4-2020 15:09:34:PPP   19-4-2020 15:09:35:PPP   00:00:01.6VV   XX-xx-xx-xx-xx-xx   zz-zz-zz-zz-zz-zz   (blurred with UPVx&z by me, pol)

Checked here:    https://ipinfolookup.com/172.217.17.36   &  here:  https://www.shodan.io/host/172.217.17.36
& https://www.shodan.io/host/172.217.17.36/raw 
Consider also: https://www.lookip.net/ip/172.217.17.36   &   https://ipinfo.io/172.217.17.36
Discussion here (TTL value related): https://github.com/googlehosts/hosts/issues/321
and https://www.site24x7.com/public/t/results-1577438856577.html    and   https://db-ip.com/all/172.217.17 (Spain,
but actually I connected here: https://db-ip.com/172.217.17.36 = ams16s29-in-f4.1e100.net).

polonus

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48566
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #774 on: April 19, 2020, 03:40:58 PM »
My connections are monitored by Avast Omni. :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

Re: Tests and other Media topics
« Reply #775 on: April 19, 2020, 07:40:26 PM »
Not arguing with that, bob3160, but that is an all-purpose tool, and I am just talking about checking IP connections here.
Re: https://www.projecthoneypot.org/list_of_ips.php
This IP is not detected there: 69.30.232.50, but it is flagged here as a spammer: https://maltiverse.com/ip/69.30.232.50
Another one: https://www.fortypoundhead.com/tools_ipcheck.asp
Also good to detect mail policy rule breakers: https://www.abusix.ai/search?q=104.31.75.87
Compare with: https://www.projecthoneypot.org/ip_104.31.75.87

polonus



« Last Edit: April 20, 2020, 02:35:12 PM by polonus »


Offline polonus

Re: Tests and other Media topics
« Reply #777 on: April 23, 2020, 03:40:18 PM »
YARA -> read: https://yara.readthedocs.io/en/stable/index.html
and https://virustotal.github.io/yara/  (page is temp. down for maintenance)...
Resources with YARA rules: https://capesandbox.com/analysis/1118/
and
https://malpedia.caad.fkie.fraunhofer.de/

Non-public part: https://github.com/malpedia/feedback/issues
Also, please be aware that not all content on Malpedia is publicly available.
More specifically, you will need an account to access all data (malware samples, non-public YARA rules, ...).
In this regard, Malpedia is operated as an invite-only trust group.

And: https://valhalla.nextron-systems.com/  ->  support.knowbe4.com  & cythereal/threat-intelligence

YARA on VirusTotal: https://support.virustotal.com/hc/en-us/articles/115002178945-YARA
Read: https://securityintelligence.com/signature-based-detection-with-yara/

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
« Last Edit: April 26, 2020, 02:02:20 PM by polonus »
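Added example, not from the post and not YARA or yara-python: a small reimplementation of how a YARA rule's strings and condition are evaluated (text strings, hex strings with `??` wildcards, the `at` and `N of them` operators), with the equivalent YARA rule in a comment. The rules, strings and sample buffers are constructed for illustration; use the real tool for anything beyond understanding the evaluation.

```python
"""Minimal reimplementation of a subset of YARA matching semantics: text
strings, hex strings with ?? wildcards, and the 'at' / 'N of them' operators.

Added example, not from the original post and not YARA or yara-python; it
exists to show how a rule's strings and condition are evaluated. Use the real
tool for anything beyond that. The sample buffers are constructed, not malware.
"""
import re
from typing import Callable, Dict, List


def hex_string(pattern: str) -> bytes:
    """YARA hex string '4D 5A ?? ?? 50 45' -> bytes regex with '.' for each ??."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return b"".join(parts)


def text_string(literal: bytes) -> bytes:
    """YARA text string -> escaped bytes regex."""
    return re.escape(literal)


class Matches:
    """Offsets per string identifier, with helpers mirroring YARA condition syntax."""
    def __init__(self, found: Dict[str, List[int]]):
        self.found = found

    def __getitem__(self, ident: str) -> bool:       # $a        -> present anywhere
        return bool(self.found[ident])

    def count(self, ident: str) -> int:               # #a        -> number of hits
        return len(self.found[ident])

    def at(self, ident: str, offset: int) -> bool:    # $a at 0   -> hit at offset
        return offset in self.found[ident]

    def n_of_them(self, n: int) -> bool:              # 2 of them -> n distinct strings hit
        return sum(1 for hits in self.found.values() if hits) >= n


class Rule:
    def __init__(self, name: str, strings: Dict[str, bytes], condition: Callable[[Matches], bool]):
        self.name = name
        self.patterns = {ident: re.compile(rx, re.DOTALL) for ident, rx in strings.items()}
        self.condition = condition

    def scan(self, data: bytes) -> Matches:
        return Matches({ident: [m.start() for m in rx.finditer(data)]
                        for ident, rx in self.patterns.items()})

    def matches(self, data: bytes) -> bool:
        return self.condition(self.scan(data))


# Equivalent YARA for the first rule:
#   rule dropper_example {
#     strings:
#       $mz   = { 4D 5A }                 // DOS header magic
#       $pe   = { 50 45 00 00 }           // PE signature
#       $stub = { E8 ?? ?? ?? ?? 5B }     // call rel32; pop ebx (get-PC trick)
#       $cmd  = "cmd.exe /c" ascii
#     condition:
#       $mz at 0 and $pe and ($stub or $cmd)
#   }
RULES = [
    Rule("dropper_example",
         {"$mz": hex_string("4D 5A"), "$pe": hex_string("50 45 00 00"),
          "$stub": hex_string("E8 ?? ?? ?? ?? 5B"), "$cmd": text_string(b"cmd.exe /c")},
         lambda m: m.at("$mz", 0) and m["$pe"] and (m["$stub"] or m["$cmd"])),
    Rule("suspicious_strings",
         {"$cmd": text_string(b"cmd.exe /c"), "$ps": text_string(b"powershell -enc"),
          "$stub": hex_string("E8 ?? ?? ?? ?? 5B")},
         lambda m: m.n_of_them(2)),                    # "2 of them"
]


def scan_all(data: bytes, rules: List[Rule] = RULES) -> List[str]:
    """Names of the rules whose condition holds for the buffer."""
    return [r.name for r in rules if r.matches(data)]


# Constructed buffers laid out like a tiny PE: 'MZ' at 0, 'PE\0\0' at 64.
SAMPLE_DROPPER = (b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 16
                  + b"\xe8\x00\x00\x00\x00\x5b" + b"\x00" * 8 + b"cmd.exe /c start x" + b"\x00" * 8)
SAMPLE_BENIGN = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"hello world " * 4

if __name__ == "__main__":
    for label, buf in (("dropper", SAMPLE_DROPPER), ("benign", SAMPLE_BENIGN)):
        print(label, scan_all(buf))
```

The point of the `$mz at 0` clause is the one rules on shared repositories most often get wrong: a string that is merely present somewhere in the file (`$mz`) fires on every buffer that embeds an executable, while the offset-anchored form only fires on the executable itself. The second rule shows the other side: `2 of them` with short, common strings is how a rule from a public feed ends up matching half your software inventory.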

Offline polonus

Re: Tests and other Media topics
« Reply #778 on: April 23, 2020, 10:02:11 PM »
Just starting from an abuse IP and further accompanying info,
we could analyze, for instance, the global intrusion campaign by APT41 state actors below.

Re: https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
blog info on a particular abuse of CITRIX server flaw.
Found in this database: https://www.abuseipdb.com/check/66.42.98.220
and analyzed here: https://www.joesandbox.com/analysis/214068/0/html  (impressive)....
Consider also what was being abused: https://exploits.shodan.io/?q=Citrix

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
