Author Topic: Tests and other Media topics  (Read 301690 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #225 on: May 21, 2015, 11:05:20 PM »
Hi bob3160,

Geeks or no geeks, it seems general security awareness is at an ever low ebb today. As you said it right, bob3160, the common user isn't interested that much. However, some parties could do a much better job. Education is where to start - we let toddlers have a smartphone or tablet very early in life. They can work it before they have even learnt to ride a little bike.

But we also have to educate others: users to better protect themselves, and website owners and hosters and server- and CMS-admins to better implement with security at heart. Our modern society as a whole and our very cybersecurity depend on it.

We should not want to tolerate insecure scripting anymore, not tolerate excessive header version info spreading to the world and hackers and attackers alike. No longer tolerate parties not running the latest updates and patches, not configuring the available header security in the way that is called best practice, and offering encryption from the weak end up, so cybercriminals and government entities can do their self-assigned deals.

Isn't there a better or more noble task for avast support than to educate with security at heart for a safer and more secure internet? I like to be part of such a benevolent mission and have been in the past years, thanks to Avast creating an opportunity to do so and add to user security. Yes, I am a proud Avast user and I have the best deals for Avast and Avast's friends at heart. Let us stand together and on the good side always.

polonus (volunteer website security analyst and website error hunter).
« Last Edit: May 21, 2015, 11:06:58 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44097
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #226 on: May 21, 2015, 11:58:15 PM »
Quote: "Education is where to start"
I'm now in my 5th year of doing exactly that through the Avast sponsored security presentations. :)
Another way Avast is helping keep computer users secure and a bit more educated. :) The service is also totally free.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

Re: Tests and other Media topics
« Reply #227 on: May 22, 2015, 12:51:49 AM »
We all thank you for that, bob3160!
Users should have such pitch days!
These forums brought us a lot.
I am grateful.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #228 on: May 22, 2015, 02:21:37 PM »
Logjam workaround for Firefox:
Until patched, you can:

Disable the insecure ciphers here:

(1) In a new tab, type or paste about:config in the address bar and press Enter. Click the button promising to be careful.

(2) In the search box above the list, type or paste ssl3 and pause while the list is filtered.

(3) Double-click the security.ssl3.dhe_rsa_aes_128_sha preference to switch it from true to false (this usually would be the first item on the list)

(4) Double-click the security.ssl3.dhe_rsa_aes_256_sha preference to switch it from true to false (this usually would be the second item on the list)

That's it, you can test using: https://www.ssllabs.com/ssltest/viewMyClient.html

Credits go to MozillaZine's jscher2000

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #229 on: May 22, 2015, 04:40:42 PM »
Always surf encrypted via: https://encrypted.google.com/
See: http://toolbar.netcraft.com/site_report?url=https://encrypted.google.com
Issues: https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=encrypted.google.com
Good News! This site is safe from the Logjam attack. It supports ECDHE, and does not use DHE.

IP                         Connected   TLS   Insecure DHE_EXPORT   DHE             Chrome
216.58.216.238                               No                    Not Supported   ECDHE
2607:f8b0:4009:809::200e

But vulnerable to Poodle. Scan results:
GOOGLE.COM:443 (216.58.219.206) - VULNERABLE

Startpage SSL xpi can no longer be installed under Firefox (ESR) 38: broken.

pol
« Last Edit: May 22, 2015, 04:46:26 PM by polonus »
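The Insecure DHE_EXPORT / DHE / ECDHE columns in the scan results above can be reproduced against one's own servers. This is an added example, not code from the test site or from anyone in this thread: it classifies the ephemeral key that `openssl s_client` reports (the `Server Temp Key` line, which assumes OpenSSL 1.0.2 or later on PATH). The transcripts below are constructed samples, not captures of the hosts discussed here.

```python
import re
import subprocess

# Constructed samples in the shape of `openssl s_client` output (not real captures).
SAMPLE_WEAK_DHE = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
"""
SAMPLE_EXPORT = """\
New, TLSv1/SSLv3, Cipher is EXP-EDH-RSA-DES-CBC-SHA
Server Temp Key: DH, 512 bits
"""
SAMPLE_ECDHE = """\
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server Temp Key: ECDH, P-256, 256 bits
"""

# "Server Temp Key: DH, 1024 bits" / "Server Temp Key: ECDH, P-256, 256 bits"
TEMP_KEY = re.compile(r"Server Temp Key:\s*(\w+)(?:,\s*[\w-]+)*,\s*(\d+) bits")


def classify_key_exchange(output: str) -> str:
    """Map the negotiated ephemeral key to the verdicts the Logjam test sites use:
    DHE_EXPORT (<= 512-bit), WEAK_DHE (< 2048-bit), DHE, ECDHE, or no forward secrecy."""
    m = TEMP_KEY.search(output)
    if not m:
        return "NO_FORWARD_SECRECY"   # static RSA key exchange (no Temp Key line printed)
    kind, bits = m.group(1).upper(), int(m.group(2))
    if kind == "DH":
        if bits <= 512:
            return "DHE_EXPORT"       # export-grade group: the Logjam downgrade target
        if bits < 2048:
            return "WEAK_DHE"         # 1024-bit group: the "nation-state range" warning
        return "DHE"
    return "ECDHE"                    # ECDH / X25519 key exchange: not affected by Logjam


def probe(host: str, port: int = 443) -> str:
    """Live check (assumes an `openssl` binary, 1.0.2+): force DHE suites so the
    server's DH group size is exposed even when it would normally prefer ECDHE."""
    out = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-cipher", "DHE"],
        input=b"", capture_output=True, timeout=15)
    text = out.stdout.decode(errors="replace")
    if "Cipher is (NONE)" in text:
        return "NO_DHE_OFFERED"       # server refuses every DHE suite: no Logjam exposure
    return classify_key_exchange(text)
```

Run `probe("your.server.example")` once with the forced DHE list and once without `-cipher` to see both the weakest group the server will accept and the exchange it prefers.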

Offline polonus

Re: Tests and other Media topics
« Reply #230 on: May 22, 2015, 07:20:23 PM »
HSTS Preloading: https://scotthelme.co.uk/hsts-preloading/
Link article author = Scott Helme.
https://blog.nvisium.com/2014/04/is-your-site-hsts-enabled.html
It being a double-edged sword: https://www.leviathansecurity.com/blog/the-double-edged-sword-of-hsts-persistence-and-privacy/
Also read here: http://stackoverflow.com/questions/10629397/how-to-disable-http-strict-transport-security
Already included: http://src.chromium.org/viewvc/chrome/trunk/src/net/http/transport_security_state_static.json
Being included there is no guarantee for security: braintreegateway.com -> Warning! This site uses a commonly-shared 1024-bit Diffie-Hellman group, and might be in range of being broken by a nation-state. It might be a good idea to generate a unique, 2048-bit group for the site.

IP                Connected   TLS   Insecure DHE_EXPORT   DHE                      Chrome
204.109.13.100                      No                    Common 1024-bit Prime    ECDHE
The security header configuration for this site also has a lot of issues, see attached.

polonus
« Last Edit: May 22, 2015, 07:30:45 PM by polonus »
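To check a site's own header against the preload requirements that Scott Helme's article walks through, here is an added example, not code from the article or from this thread: it parses a Strict-Transport-Security value per RFC 6797 and lists what would block a preload submission. The one-year minimum max-age is the current hstspreload.org requirement and is an assumption here; the sample headers and host list are constructed. The last function shows the double-edged side: which HTTP-only hosts an includeSubDomains policy would drag along once it is preloaded.

```python
PRELOAD_MIN_MAX_AGE = 31536000  # one year: current hstspreload.org minimum (assumption)


def parse_hsts(header):
    """Parse a Strict-Transport-Security value per RFC 6797: directive names are
    case-insensitive and max-age may be quoted. Returns {name: value}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def preload_problems(header):
    """Reasons the header is not preload-eligible; an empty list means it qualifies."""
    d = parse_hsts(header)
    problems = []
    age = d.get("max-age", "")
    if not age.isdigit():
        problems.append("max-age missing or not a number")
    elif int(age) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {age} is below {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains missing")
    if "preload" not in d:
        problems.append("preload token missing")
    return problems


def hosts_forced_to_https(domain, known_hosts):
    """The double-edged side: once the domain is preloaded with includeSubDomains,
    every host at or below it becomes HTTPS-only in the browser, whether or not it
    actually serves TLS. Returns the hosts that policy would cover, sorted."""
    domain = domain.lower()
    return sorted(h for h in known_hosts
                  if h.lower() == domain or h.lower().endswith("." + domain))


# Constructed samples, not taken from any site named in the thread.
SHORT_HEADER = "max-age=3600"
GOOD_HEADER = 'max-age="31536000"; includeSubDomains; preload'
SAMPLE_HOSTS = ["www.example.com", "intranet.example.com",
                "example.com", "example.org", "notexample.com"]
```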

Offline polonus

Re: Tests and other Media topics
« Reply #231 on: May 23, 2015, 12:29:19 AM »
Another test site and another test to take:
Safe.

We have examined your OS and browser version information and determined that an active vulnerability test was appropriate. Fortunately, your browser correctly aborted loading our test image upon seeing an invalid ServerKeyExchange message.

https://gotofail.com/#
And here: https://www.howsmyssl.com/
Verdict probably OK (not tested here: Logjam Vulnerability (Experimental)):
Your user agent is vulnerable. Upgrade as soon as possible.
But we do not have an update yet, hurry up Google developers,
because criminals on coffee-shop Wi-Fi networks are also abusing Logjam and not only state actors!

polonus
« Last Edit: May 23, 2015, 12:50:11 AM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #232 on: May 23, 2015, 03:25:50 PM »
Logjam mitigating efforts and tests: https://news.ycombinator.com/item?id=9574408
Is avast VPN patched? Update your VPN Server: VPN servers that support IKEv1 protocol for encryption should be updated to disable any keysize less than 1024 bits – or better yet, use elliptical curve keys. Organizations should also consider using SSL VPN technology, which is better supported as its underlying OpenSSL is updated regularly against various encryption protocol vulnerabilities.
Read about affected Cloud Services: https://www.skyhighnetworks.com/cloud-security-blog/logjam-exposed-575-cloud-services-potentially-vulnerable-to-man-in-the-middle-attacks/

polonus
« Last Edit: May 23, 2015, 04:05:56 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #233 on: May 23, 2015, 07:46:26 PM »
In the light of all the recent data breaches it is a good thing to test here:
https://haveibeenpwned.com/
Sometimes one can/could get a "Oh.no catastrophic failure!".

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #234 on: May 25, 2015, 12:55:11 AM »
Still around: the FREAK vulnerability.
However, even if your browser is safe, certain third-party software, including some anti-virus products and adware programs, can expose you to the attack by intercepting TLS connections from the browser. If you are using a safe browser but our client test says you’re vulnerable, this is a likely cause.
Test here: https://freakattack.com/clienttest.html
Read: https://freakattack.com/
You can also test here (freak test included) - all not on IE are vulnerable to logjam: https://www.ssllabs.com/ssltest/viewMyClient.html

pol

Offline polonus

Re: Tests and other Media topics
« Reply #235 on: May 26, 2015, 12:47:18 PM »

Offline bob3160

Re: Tests and other Media topics
« Reply #236 on: May 26, 2015, 01:41:02 PM »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67274
Re: Tests and other Media topics
« Reply #237 on: May 26, 2015, 10:07:00 PM »
Mine passed too. I must have learned from Bob  :D
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 83756
  • No support PMs thanks
Re: Tests and other Media topics
« Reply #238 on: May 26, 2015, 10:18:57 PM »
Check your client against FREAK: https://freakattack.com/clienttest.html
Mozilla config recommendations: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations
Server test: https://www.ssllabs.com/ssltest/

polonus

I haven't changed a thing and mine doesn't fail nor does it pass as the site can't even run the test unless I allow NoScript for the site and allow RequestPolicy (continued) for the three other sites.

Only when I give implicit permission does the test run and complete and record "Good News! Your browser appears to be safe from the FREAK attack. "

This is why I rarely bother with these types of tests: because of my locked-down setup with NoScript and RequestPolicy, it isn't going anywhere to test. The same should be true for a live incident.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.7.2425 (build 20.7.5568.595) UI-1.0.558/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro

Offline polonus

Re: Tests and other Media topics
« Reply #239 on: May 26, 2015, 10:46:25 PM »
Hi DavidR,

Only minus here is that NoScript and RequestPolicy do not protect against Logjam and FREAK.
You cannot be protected by either NoScript or RequestPolicy against RSA vulnerabilities.
You should be glad that you have checked the test that was provided here, seen in the line of SSL-weakening that is brought about by many an AV https-scan; read from someone who is concerned, and where AV https scanning made users vulnerable to the FREAK attack as we test: https://blog.hboeck.de/archives/869-How-Kaspersky-makes-you-vulnerable-to-the-FREAK-attack-and-other-ways-Antivirus-software-lowers-your-HTTPS-security.html  Link article author = Hanno Böck.
Why does AV https scanning not perform certificate pinning? Read here: https://wiki.mozilla.org/SecurityEngineering/Public_Key_Pinning

polonus (trust what you test yourself)

To read Avast's official reaction from Deborah Salmi: https://blog.avast.com/2015/05/25/explaining-avasts-https-scanning-feature/
