Author Topic: Tests and other Media topics  (Read 301701 times)

0 Members and 1 Guest are viewing this topic.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44099
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #345 on: March 01, 2016, 05:20:34 PM »
A new serious vulnerability has been found for the SSL protocol, named DROWN - Decrypting RSA using Obsolete and Weakened eNcryption - Read on it here: https://www.drownattack.com/
And test for it here online: https://test.drownattack.com/
So what attacks will await us next, we had POODLE, Heartbeat, HEARTBLEED, and now we have DROWN.
One-third of all HTTPS websites open to DROWN attack!

polonus

Bad news for us: https://test.drownattack.com/?site=forum.avast.com
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #346 on: March 01, 2016, 05:46:21 PM »
I go for bob's results, as they come confirmed here:
https://test.drownattack.com/?site=https%3A%2F%2Fwww.avast.com%2Findex
Quote
Results for com/index
We have not identified any vulnerable servers matching this name. It’s possible that our scans missed something, or that there are vulnerable devices behind your firewall. For such devices, we recommend using our client-side scanning software.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3651
Re: Tests and other Media topics
« Reply #347 on: March 01, 2016, 05:52:16 PM »
I go for bob's results, as they come confirmed here:
https://test.drownattack.com/?site=https%3A%2F%2Fwww.avast.com%2Findex
Quote
Results for com/index
We have not identified any vulnerable servers matching this name. It’s possible that our scans missed something, or that there are vulnerable devices behind your firewall. For such devices, we recommend using our client-side scanning software.

polonus

Theres a patch already released for SUSE and SUSE based systems :)

There are 3 patches released: https://download.suse.com/Download?buildid=urp9l5AblyY~

Just as an example.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #348 on: March 01, 2016, 06:29:21 PM »
Hope server admins will implement these, as I still see a lot of vulnerable server around.
Also strange why a netcraft tool does not flag for DROWn attack.
Mind that the online test may just be an indication, there is false positives on detected servers
and clean servers that may be found vulnerable in the end.
Together with the cookies MONSTER your security, even with encryption - http://www.theregister.co.uk/2015/09/25/cookies_monster_your_security/
we have quite some insecurity of the protocol.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3651
Re: Tests and other Media topics
« Reply #349 on: March 01, 2016, 06:33:31 PM »
Hope server admins will implement these, as I still see a lot of vulnerable server around.
Also strange why a netcraft tool does not flag for DROWn attack.
Mind that the online test may just be an indication, there is false positives on detected servers
and clean servers that may be found vulnerable in the end.
Together with the cookies MONSTER your security, even with encryption - http://www.theregister.co.uk/2015/09/25/cookies_monster_your_security/
we have quite some insecurity of the protocol.

polonus

https://blog.cloudflare.com/the-drown-attack/
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #350 on: March 08, 2016, 06:19:21 PM »
Test a website for SRI hashes as here with a random example: https://sritest.io/#report/5c1788c0-9ac2-4832-9874-9fba8e76c4ca
And then in case of a SRI hash missing generate that SRI Hash: https://www.srihash.org/
Example:  [script] <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js" integrity="sha384-EaUkI/FiMJtEXWAl0dCczvbFvjfzsIF1UNKGJvu9p5JIG71Kih7/kQJvYbBL7HOn" crossorigin="anonymous"></script> [-script]

Enjoy, my good friends, enjoy,

Damian

P.S. on crossorigin re: http://docs.trackjs.com/tracker/tips.html
« Last Edit: March 08, 2016, 06:25:05 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #351 on: March 21, 2016, 01:32:13 PM »
Test your non-existent privacy on apps like WhatsApp just to be aware of it all the time you are online:
https://maikel.pro/blog/en-whatsapp-privacy-options-are-illusions/
AdDetector and AdNetworkDetector apps also give you a less intrusive insight of what you share with their servers and
with facebook that owns WhatsApp with a Saudi Prince as it´s largest stakeholder.
Privacy options do work, but probably not as user intented, so as you are the product. ;)
It is a over a billion dollar business model.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #352 on: March 23, 2016, 06:54:02 PM »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #353 on: March 25, 2016, 07:22:24 PM »
List of Certificate Authorities that Google does not trust: https://www.certificate-transparency.org/known-logs
One easy method is to visit your site in Chrome and then click on the green padlock, "Connection" tab and then look for text indicating whether the site is "publicly auditable".  If you see text showing that the site is, that means that your server is returning SCT responses to Chrome.  On some platforms Chrome will additionally display a link to view "Transparency Information".

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #354 on: March 25, 2016, 08:33:47 PM »
Chrome is predicting where you could go. Go herein the Chrome browser and see for yourself: chrome://predictors/
You see your whole prefetch history. This omnibox functionality could be somewhat of a privacy concern,
read here: http://jordan-wright.com/blog/2014/12/18/chrome-tracks-every-key-typed-into-omnibox/

polonus
« Last Edit: March 26, 2016, 12:56:10 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 44099
  • 60 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Tests and other Media topics
« Reply #355 on: March 26, 2016, 02:15:51 AM »
Chrome is predicting where you could go. Go herein the Chrome browser and see for yourself: chrome://predictors/
You see your whole prefetch history. This omnibox functionality could be somewhat of a privacy concern,
read here: http://jordan-wright.com/blog/2014/12/18/chrome-tracks-every-key-typed-into-omnibox/

polonus
Strange that the article said that this setting was enabled by default ???
Here's my setting and I certainly haven't change a setting I don't even know exists.
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1909 64bit, 24 Gig Ram, 1TB SSD, AvastOmni 20.7.xxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #356 on: March 29, 2016, 12:39:51 AM »
Hi bob3160,

Thanks for checking for us  ;)

Another test: http://mobify.site/results/http%3A%2F%2Fsandbox.onlinephpfunctions.com%2F
An example from a scan to test whether a website is fit for Mobile or should be adopted.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #357 on: April 25, 2016, 05:29:11 PM »
Check whether your email address or username have been compromised: https://haveibeenpwned.com/
Should you change your password? Read here: http://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#25385bbd4e8e
But this checking site itself does not seem secure (PHISHING): htxps://shouldichangemypassword.com/   known cloudfront abuse!
It just comes with a meagre T-Status...
while this seems the proper check site for that: https://breachalarm.com/

And again polonus wants to remark: "What is security on the Interwebs, according to us here that educate towards a better and more secure website security standards, like Pondus, Steven Winderlich, Eddy and several others - we can only say security is relative. Look here: https://securityheaders.io/?q=breachalarm.com  scores a very meagre R-Status and following the redirect to the https page there we will get a D-Status: https://securityheaders.io/?q=https%3A%2F%2Fbreachalarm.com%2F  This all for what that is worth.
And here we do not reach any further than an F-Status: https://sritest.io/#report/b71813c2-9458-4bde-8c40-b564a60de8cf

So whatever you do on the Interwebs be fully aware of the fact  that generally speaking it is a rather insecure place with software that  often has not been implemented/updated and patched right and has been weakened and holed on purpose to suit those parties best that wanna earn from your clicks or store your metadata for general surveillance purposes, not speaking of all the cybercriminals with bad intentions.

To come to a slightly more secure Internet a lot of work still needs to be done and a lot of education towards such goals may be necessary. Good if this posting served this goal to make you all a little bit more aware of the actual (in)security status of where you surf. Be on top of it feeling secure and not in the role of a serf. Keep your visors up and go with Avast's protection.

polonus (volunteer website security analyst and website error-hunter)

« Last Edit: April 25, 2016, 05:59:30 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3651
Re: Tests and other Media topics
« Reply #358 on: April 25, 2016, 05:41:10 PM »
Check whether your email address or username have been compromised: https://haveibeenpwned.com/
Should you change your password? Read here: http://www.forbes.com/sites/adamtanner/2014/04/14/these-sites-tell-which-of-your-accounts-have-been-hacked/#25385bbd4e8e

polonus

Have my GMail account breached by the Avast Forum hack and Malwarebytes hack Forum, even tho on the latter one i didnt even know i have an account there at all.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32688
  • malware fighter
Re: Tests and other Media topics
« Reply #359 on: April 25, 2016, 06:27:21 PM »
This is sort of proof  that what we claim here about insecure or potentially insecure websites is true: http://www.theregister.co.uk/2016/04/19/google_80000_sites_breached/

Often it is that website software is not secured in a proper way or the cocktail of security measures and securing code is hampering overall security or rather will lead to less security if a cocktail of the wrong layered security measures has been implemented. There a lot of webmasters/webadmins that still are not aware how to properly condition website security - (user enumeration enabled, directory listing enabled, no security headers implemented, https security not properly implemented, outdated or even left  (inline) javascript code installed, iFrame insecurity, sql/xss insecurity, servers speaking out too loud, BEAST, POODLE, DROWN, SHA1 vulnerablity, PHP exploits etc. etc.

When are we going to properly train these people that should keep their visitors secure, and/or demand they have been properly trained and then we also have to go against those parties that profit from the general overall insecurity and therefore will not complain nor wanna change that existing situation soon.

polonus
« Last Edit: April 25, 2016, 06:34:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!