Author Topic: Tests and other Media topics  (Read 583683 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Tests and other Media topics
« Reply #511 on: October 11, 2017, 12:45:53 PM »
In Firefox we have the beautiful Calomel extension.
But how do we check beyond the green padlock inside Google Chrome?
We find the source via Control+Shift+I.

How to check certificates under Google Chrome:

1. Go to the website you want to check the certificate for
2. Push the F12 button
3. Within the window that has opened up, go to the small tab "Security"
4. Click then the button to View Certificate   (info credits go to Vixen).

Later you can additionally check:
https://cryptoreport.websecurity.symantec.com/checker/
and/or https://www.ssllabs.com/ssltest/
and https://www.digicert.com/help/
or here https://threatintelligenceplatform.com/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #512 on: October 13, 2017, 11:01:41 AM »
Where is your Internet connected out?

Where does the cloud take your packets?

See: https://www.peeringdb.com/asn/63949  (example for FOSCAM etc.)

Interesting background read from Chris Baker: https://dyn.com/blog/who-controls-the-internet/

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #513 on: October 17, 2017, 12:45:45 PM »
Actual security-related info.

Nonces that eventually aren't real "numbers used once". Such nonces seem to be a risk.
So it is time to implement additional security-header security and to check https sites for "nonces".

An example of secure nonces we see here for example: https://gcm.tlsfun.de/check.php?host=www.terracotta.org
Quote
Collected 3 GCM nonces from www.terracotta.org

aa0015c9df6c8a46
aa0015c9df6c8a47
aa0015c9df6c8a48

NOT VULNERABLE

This host uses a counter starting with a random value (probably OpenSSL). This is secure.

For a detailed background read our paper: Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. More supplemental information is in our Github repository.

Enjoy, my good friends, enjoy,

polonus (volunteer website security analyst and website error-hunter)
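The check quoted above looks at the 8-byte explicit nonce that a TLS 1.2 AES-GCM server sends in the clear with every record and asks how it is generated. The script below is an added example (mine, not the gcm.tlsfun.de checker's code) that applies the same three-way reasoning to a report in the checker's text format: a repeated nonce is the fatal case, a counter is safe, and anything else is treated as random. The report text is copied from the post; the verdict wording is my own summary, and the "random" category is an assumption for any sequence that is neither repeating nor counting.

```python
import re

# Report text copied from the gcm.tlsfun.de output quoted in the post above.
REPORT = """Collected 3 GCM nonces from www.terracotta.org

aa0015c9df6c8a46
aa0015c9df6c8a47
aa0015c9df6c8a48

NOT VULNERABLE
"""

# A TLS 1.2 AES-GCM record carries an 8-byte explicit nonce in the clear;
# the checker prints each one as 16 hex characters.
NONCE_RE = re.compile(r"^[0-9a-fA-F]{16}$")


def parse_nonce_report(text: str) -> list[str]:
    """Pull the explicit nonces out of the checker's plain-text report."""
    return [line.strip() for line in text.splitlines() if NONCE_RE.match(line.strip())]


def classify_gcm_nonces(nonces: list[str]) -> str:
    """Classify how a server generates its explicit GCM nonces.

    'duplicate' -- a nonce repeated under one key: the authentication key H
                   can be recovered and records forged (the paper's attack).
    'counter'   -- each nonce is the previous one plus one (mod 2^64), as
                   OpenSSL does: no repeat is possible within the sequence.
    'random'    -- anything else (assumed random): not broken by itself, but
                   64-bit random values collide with birthday probability.
    """
    values = []
    for nonce in nonces:
        if not NONCE_RE.match(nonce):
            raise ValueError(f"not an 8-byte hex nonce: {nonce!r}")
        values.append(int(nonce, 16))
    if len(values) < 2:
        raise ValueError("need at least two nonces to judge the generator")
    if len(set(values)) != len(values):
        return "duplicate"
    # The counter test tolerates the wrap from 0xffffffffffffffff back to 0.
    if all((b - a) % (1 << 64) == 1 for a, b in zip(values, values[1:])):
        return "counter"
    return "random"


# My own wording for the three outcomes, not the checker's text.
VERDICTS = {
    "duplicate": "VULNERABLE: nonce reuse lets an attacker recover the GCM key H and forge records",
    "counter": "NOT VULNERABLE: counter-based nonces (probably OpenSSL); no repeats possible",
    "random": "NOT VULNERABLE for now: random nonces; collision risk grows with records sent under one key",
}


def verdict(report_text: str) -> str:
    """Full pipeline: report text -> nonces -> generator class -> verdict line."""
    return VERDICTS[classify_gcm_nonces(parse_nonce_report(report_text))]


if __name__ == "__main__":
    print(verdict(REPORT))
```

The checker collects nonces from several connections, which is why three consecutive values are enough to recognise a counter; a single connection would only tell you whether the first record's nonce looks random.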

Offline polonus

Re: Tests and other Media topics
« Reply #514 on: October 18, 2017, 08:03:28 PM »
Certificate transparency for avast webforum according to the netcraft report:

Quote
Certificate transparency
Signed Certificate Timestamps (SCTs)

Source       Log             Log ID (base64, SHA-256 of the log key)       Timestamp            Signature Verification
Certificate  Google Pilot    pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=  2015-03-10 16:54:10  Success
Certificate  Google Aviator  aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q=  2015-03-10 16:54:10  Success
Certificate  DigiCert 1      VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0=  2015-03-10 16:54:10  Success


Verify here: https://www.chromium.org/Home/chromium-security/certificate-transparency

polonus (volunteer website security analyst and website error-hunter)
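The rows in that report are decoded SCTs: each one names the log by the SHA-256 of its public key and carries a timestamp and a signature by the log. As an added example (my code, not Netcraft's or Chromium's), the script below encodes and parses the RFC 6962 SignedCertificateTimestampList structure that carries SCTs inside a certificate or a TLS extension, using the three log IDs from the quoted report. The timestamp is assumed to be UTC, the signature bytes are placeholders (the log signatures are not on the page), and the code does not verify them; it only shows the wire layout and how a log ID is matched against a list of logs you trust.

```python
import base64
import struct
from datetime import datetime, timezone

# Log IDs copied from the Netcraft report quoted above. Per RFC 6962 a log ID
# is the SHA-256 of the log's public key, so each decodes to exactly 32 bytes.
LOG_IDS = {
    "Google Pilot": "pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA=",
    "Google Aviator": "aPaY+B9kgr46jO65KB1M/HFRXWeT1ETRCmesu09P+8Q=",
    "DigiCert 1": "VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0=",
}
# The report's timestamp, assumed to be UTC (the report does not say).
REPORT_TS_MS = int(datetime(2015, 3, 10, 16, 54, 10, tzinfo=timezone.utc).timestamp()) * 1000
# Placeholder bytes standing in for the log's ECDSA signature (constructed).
DUMMY_SIG = bytes.fromhex("3006020101020102")


def serialize_sct(log_id: bytes, timestamp_ms: int, signature: bytes, extensions: bytes = b"") -> bytes:
    """Encode one v1 SignedCertificateTimestamp (RFC 6962 s3.2, TLS presentation syntax)."""
    if len(log_id) != 32:
        raise ValueError("log_id must be 32 bytes (SHA-256 of the log key)")
    return (
        b"\x00"                                   # sct_version = v1
        + log_id
        + struct.pack(">Q", timestamp_ms)         # uint64 milliseconds since the epoch
        + struct.pack(">H", len(extensions)) + extensions
        + b"\x04\x03"                             # SignatureAndHashAlgorithm: sha256, ecdsa
        + struct.pack(">H", len(signature)) + signature
    )


def serialize_sct_list(scts: list[bytes]) -> bytes:
    """SignedCertificateTimestampList: 2-byte total length, then length-prefixed SCTs."""
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body


def parse_sct(raw: bytes) -> dict:
    """Decode one SCT into the fields a report like Netcraft's shows."""
    if len(raw) < 47:                             # 1 + 32 + 8 + 2 + 2 + 2 minimum
        raise ValueError("SCT too short")
    if raw[0] != 0:
        raise ValueError("unsupported SCT version")
    log_id = raw[1:33]
    (ts_ms,) = struct.unpack(">Q", raw[33:41])
    (ext_len,) = struct.unpack(">H", raw[41:43])
    pos = 43 + ext_len
    if pos + 4 > len(raw):
        raise ValueError("truncated before signature header")
    hash_alg, sig_alg = raw[pos], raw[pos + 1]
    (sig_len,) = struct.unpack(">H", raw[pos + 2:pos + 4])
    sig = raw[pos + 4:pos + 4 + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature")
    return {
        "log_id": base64.b64encode(log_id).decode(),
        "timestamp": datetime.fromtimestamp(ts_ms // 1000, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "hash_alg": hash_alg,
        "sig_alg": sig_alg,
        "signature": sig,
    }


def parse_sct_list(data: bytes) -> list[dict]:
    """Walk a SignedCertificateTimestampList; length fields must add up exactly."""
    (total,) = struct.unpack(">H", data[:2])
    if total != len(data) - 2:
        raise ValueError("list length does not match data")
    pos, scts = 2, []
    while pos < len(data):
        (n,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        scts.append(parse_sct(data[pos:pos + n]))
        pos += n
    return scts


def log_name(log_id_b64: str) -> str:
    """Map a log ID back to a known log; 'unknown' means an SCT from a log you do not trust."""
    for name, lid in LOG_IDS.items():
        if lid == log_id_b64:
            return name
    return "unknown"


def build_example_list() -> bytes:
    """An SCT list carrying the three log IDs from the report, with placeholder signatures."""
    return serialize_sct_list(
        [serialize_sct(base64.b64decode(lid), REPORT_TS_MS, DUMMY_SIG) for lid in LOG_IDS.values()]
    )


if __name__ == "__main__":
    for sct in parse_sct_list(build_example_list()):
        print(log_name(sct["log_id"]), sct["timestamp"])
```

In a certificate the list sits inside an OCTET STRING in the 1.3.6.1.4.1.11129.2.4.2 extension; that DER wrapper is stripped before this parser sees the bytes.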

Offline polonus

Re: Tests and other Media topics
« Reply #515 on: October 22, 2017, 02:18:20 PM »
In part experimental and results should be taken cum grano salis (with a grain of salt):
Mozilla ssh_scan API results in a dockerized way (all other forms are too abuse-prone, so you risk being blocked).

Scan a site's privacy score (beta) here: https://privacyscore.org/site/33642/  (as an example we took the Avast forum site scan).
source code -> https://github.com/mozilla/ssh_scan_api
Avast forum site results as json: https://privacyscore.org/site/33642/json/

3rd party embeds, 3rd party trackers,
4 issues on unreliable encryption - HSTS and HSTS pre-loading not installed, not using Public Key pinning.
No check on mixed content and no check for CSS attempts and ticketbleed (experimental).
No protection found against LOGJAM attacks. More unreliable checks issues...

Another lesson to be learned about optimal website security,

polonus (volunteer website security analyst and website error-hunter)

Offline polonus

Re: Tests and other Media topics
« Reply #516 on: October 24, 2017, 11:03:20 PM »
Recent research has established that working with a feature-rich browser will set you out uniquely,
and this means an enhanced privacy risk.

Read: https://today.uic.edu/bloated-browser-functionality-presents-unnecessary-security-privacy-risks 
Info source: Peter Snyder.

You can check the uniqueness of your browser here: https://amiunique.org and https://amiunique.org/fp

If we break up the identifying factors, just a tiny bit of profiling is given off by my browser user agent.
Over 30% comes because of the browser header, that I send to the server.
Another 14% leaks through the way my browser processes decoded content.
A tiny bit of what I give away is through the language(s) I use (Dutch and Polish).
0.22% comes from the used plug-ins and that is contradictory to the above findings,
but the details of the individual plug-ins speak loudly, with over 75%, to set me out uniquely against all other browsers.
And do not forget the 33% by the adblocker I use.

Therefore the much liked uBlock Origin adblocker by our forum users
is still "in its teens" and needs further development. It will break a lot of sites.

By far the best plug-in that works to the contrary and makes you less unique by heaps is good old "Request Policy",
and here our good forum member, DavidR, was right all the way. You need not convince us any further, DavidR!

Well, the use of NoScript or uMatrix is also advisable, although the unsavvy do not always know what and how to toggle properly.

In these days of dwindling privacy, or as Americans say: "Privacy that no longer exists", you have less unique browsers;
one is the Brave browser, developed by the inventor of JavaScript, without plug-ins and all in the browser
with one profile for all (except for canvas and other fingerprinting). Brave as browser app is a must on Android!

On the other side of the scope we have the nonsensical gimmick Browzar browser, which I would not recommend.

Finally, to be less outstanding within the big browser monoculture of Big Blue, Firefox and Google's Chrome,
I would go for a Japanese browser like Sleipnir, as with this browser one has a smaller attack surface in the Western Hemisphere.

polonus (volunteer website security analyst and website error-hunter)



Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89025
  • No support PMs thanks
Re: Tests and other Media topics
« Reply #517 on: October 24, 2017, 11:43:19 PM »
Well it was able to tell what virtually every browser gives, which browser and version you are using, your OS and version, plus your language, but that isn't going to get them very far in identifying the user.

EDIT: Whilst this is all well and good, you do have to selectively allow certain sites or you won't see all content.
« Last Edit: October 24, 2017, 11:45:42 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Tests and other Media topics
« Reply #518 on: October 25, 2017, 01:24:11 AM »
Reported by Lukasz Olejnik this privacy threat: https://blog.lukaszolejnik.com/privacy-of-web-request-api/
Source:  https://www.theregister.co.uk/2017/10/06/another_w3c_api_exposing_users_to_browser_snitching/

Info credits for reporting go to Bitwiper.

A range of browser privacy scanners: http://www.malwarehelp.org/online_browser_security_and_privacy_scanners.html
like for instance: https://www.leader.ru/secure/who.html  and extended: https://do-know.com/privacy-proxy-test.html?

It even explains that I am in a FVEY country - the Netherlands; private internal IPs are also given. 2 CPU cores detected.

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #519 on: October 30, 2017, 05:42:29 PM »
L.S.

All hope's not gone - the answer to a total loss of privacy
and against centralised snooping on all of your Interwebs interactions =
Decentralised VPN powered by blockchain,
an innovative development, read here: https://mysterium.network/

The clock is slowly ticking the last remnants of your Internet data integrity away;
with Google now also phasing out their public key pinning policy,
who will be making up the logs to check cert transparency against?

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #520 on: November 01, 2017, 04:21:48 PM »
Do you consider bitcoin mining on your cycles worse than ads?

Some have it blocked by a good ad-blocker, some with anti-mining extensions.

What are the privacy implications of such a miner?

Flagged as malcode here: https://urlquery.net/report/6c776095-c1f1-4442-afc3-4d297841c802
3 to flag: https://www.virustotal.com/nl/url/b0827282045e14fe7538f204e94e13fe2491f653ed59369e5d8414feeb50e3e7/analysis/1509548406/

Some warnings here, but no tracking: https://privacyscore.org/site/33952/  (No HSTS,
server is vuln. to Lucky13 and BEAST & DROWN attacks, no secure client renegotiation set, no security headers set).

F-status and recommendations: https://observatory.mozilla.org/analyze.html?host=coinhive.com

No issues on the mining script itself, but overflow to: Results from scanning URL: -https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js
Number of sources found: 92
Number of sinks found: 24 -> -static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js benign

polonus (volunteer website security analyst and website error-hunter)

P.S. And when there are blockchains, there could be malware round the corner:
https://securelist.com/tales-from-the-blockchain/82971/

Damian
« Last Edit: November 01, 2017, 04:43:41 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #521 on: November 02, 2017, 02:50:15 PM »
What are the privacy implications of this webproxy?

Are web proxies that privacy-friendly? I think not necessarily.

http://toolbar.netcraft.com/site_report?url=https://whoer.net
Comes with the Cloudflare related insecurities...ssl380088.cloudflaressl.com
Cert. installed correctly: Chain installation:
2 certificates found: RSA and ECC.
No HSTS enabled. SSL/TLS compression: Not Enabled
Heartbeat (extension):  Not Enabled

F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=whoer.net

3 vulnerable libraries detected: http://retire.insecurity.today/#!/scan/3ccbbb2afaa1871f0fb292e8931723efc456d0f2132388d83efc464a1ff152ef

No third party cookies -  6 third party requests: http://www.cookiechecker.nl/check-cookies.php?url=https://whoer.net/webproxy

Issues with sources and sinks: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwhoer.net%2Fwebproxy

Tracker tracker and bug issue report: see attached

Finally the beta privacy score: https://privacyscore.org/site/33961/


polonus (volunteer website security analyst and website error-hunter)
« Last Edit: November 02, 2017, 02:58:01 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #522 on: November 07, 2017, 11:52:58 AM »
Next to Tor, Tails and Whonix there are different ways to help end-users protect their last little bits of Internet privacy
with a bit of added anonymity.

Also one looks for new ways like the blockchain technology that keeps Bitcoin secure, a decentralised solution against the overpowering intrusion of Big Brother Surveillance State's oversight forces.

A new scheme when the going gets narrow is https://mysterium.network/:

Open Sourced Network allowing anyone to rent their unused Network traffic, while providing a secure connection for those in need.

Hopefully network tld has been properly set to recognize that site's software.
Connection fail here: https://gcm.tlsfun.de/check.php?host=mysterium.network
Connection failed. Host has either no HTTPS or does not support GCM.

See how successful they are: https://privacyscore.org/site/34025/json/
and https://privacyscore.org/site/34025/  PHP/5.5.9-1ubuntu4.21 with twelve vulnerabilities.

Retirable: http://retire.insecurity.today/#!/scan/c989f46450eddf925f09fc10ca4880608fd09dca1b83216db50cbf3b5373b3ac

Externally Linked Host       Hosting Provider              Country
-news.bitcoin.com            CloudFlare                    United States
-bitconnect.co               CloudFlare                    United States
-www.cryptocoinsnews.com     CloudFlare                    United States
-github.com                  GitHub                        United States
-techannouncer.com           GoDaddy.com, LLC              United States
-www.linkedin.com            LinkedIn Corporation          United States
-mvp.mysterium.network       DigitalOcean                  Netherlands
-goo.gl                      Google                        United States
-www.sarunas-savickas.com    OOO NPO Relcom                Lithuania
-www.subscribepage.com       CloudFlare                    United States
-twitter.com                                               United States
-www.the-blockchain.com      CJ2 Hosting&Development       Netherlands
-www.digitaljournal.com      Digital Journal, Inc.         United States
-lt.linkedin.com             LinkedIn Corporation          United States
-medium.com                  CloudFlare                    United States
-cointelegraph.com           CloudFlare                    United States

Please, do not fence us in further!

polonus
« Last Edit: November 07, 2017, 12:13:00 PM by polonus »

Offline polonus

Re: Tests and other Media topics
« Reply #523 on: November 10, 2017, 05:49:07 PM »
Just stumbled upon this news:
-> https://gwillem.gitlab.io/2017/11/07/cryptojacking-found-on-2496-stores/

Coinhive cryptominer activity going on on over 2500 hacked Magento webshop websites.
Re: https://twitter.com/gwillem/status/928033303466266626

I hope users stop this by using a decent adblocking or scriptblocking extension or a miner blocker extension.

Willem de Groot added this to his software here: https://github.com/gwillem/magento-malware-scanner/pull/157

One could scan a Magento CMS webshop site also here: https://www.magereport.com/

It would be better when browser developers brought a general broader solution to this problem inside the browser,
so users could be alerted to this abuse and eventually block mining through a site they visit.

As long as this has not been realised, we have to fend for ourselves,

polonus

Offline polonus

Re: Tests and other Media topics
« Reply #524 on: November 10, 2017, 06:26:57 PM »
An attack scenario we could distill from the Coinhive cryptojacking signatures developed by Willem de Groot comes for Magento webshop sites with amasty.biz vulnerable code. Read: https://support.hypernode.com/knowledgebase/how-to-protect-magento-from-amasty-product-feed-local-file-disclosure/

Rule:
Quote
@@ -648,6 +673,8 @@ ZXZhbChiYXNlNjRfZGVjb2RlK
 aHR0cDovL3Bhc3RlYmluLmNvbS9yYXcv
 account\-mage\.su\/
 air\-frog33\.pw\/
+aleinvest\.xyz\/
+alemoney\.xyz\/
 amasty\.biz\/
 analiticoscdn\.com\/
 animalzz921\.pw\/
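Review bot: the two added entries `aleinvest\.xyz\/` and `alemoney\.xyz\/` are unanchored hostname fragments, like every neighbouring line, so they also fire on any longer hostname that ends in these labels; that is acceptable for an indicator list, but nothing in the hunk records where the domains were seen or exercises them, so if the scanner keeps sample fixtures, add one line hitting each new pattern and reference the Coinhive campaign report in the commit so a later reader knows why they entered the list. The entries keep the list's alphabetical order and the `\.`/`\/` escaping of the surrounding lines, so there is no style issue; note that the first context line `ZXZhbChiYXNlNjRfZGVjb2RlK` is the base64 form of `eval(base64_decode(`, so this file mixes encoded-payload prefixes with hostnames and any added entry must be valid as a regex fragment, which these two are.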

Example https://www.magereport.com/scan/?s=+UNDERARMOUR.COM

polonus
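The rule quoted above is one regex fragment per line, mixing base64 prefixes of obfuscated PHP with escaped hostnames, and the scanner applies them to files of a Magento install. As an added example (my code, not the magento-malware-scanner's, and serving both the cryptojacking post before this one and the rule above), the script below loads a signature list in that shape and runs it over a few constructed file contents. The assumption that blank lines and `#` lines are ignored is mine; the hostnames come from the quoted rule, the file paths and contents are made up.

```python
import base64
import re

# Signature lines in the shape of the rule quoted above (the context and
# added lines of the hunk, without the diff markers). The two base64 entries
# are the encodings of "eval(base64_decode(" and "http://pastebin.com/raw/".
SIGNATURES = r"""
# one regex fragment per line; '#' lines and blanks are ignored (my assumption)
ZXZhbChiYXNlNjRfZGVjb2RlK
aHR0cDovL3Bhc3RlYmluLmNvbS9yYXcv
account\-mage\.su\/
air\-frog33\.pw\/
aleinvest\.xyz\/
alemoney\.xyz\/
amasty\.biz\/
analiticoscdn\.com\/
animalzz921\.pw\/
"""


def load_signatures(text: str) -> list[re.Pattern]:
    """Compile each non-empty, non-comment line as its own regex."""
    patterns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        patterns.append(re.compile(line, re.IGNORECASE))
    return patterns


def scan(content: str, patterns: list[re.Pattern]) -> list[str]:
    """Return the signature text of every pattern that hits in one file."""
    return [p.pattern for p in patterns if p.search(content)]


def scan_tree(files: dict, patterns: list[re.Pattern]) -> dict:
    """Map path -> hits for every file with at least one hit (clean files are omitted)."""
    findings = {}
    for path, content in files.items():
        hits = scan(content, patterns)
        if hits:
            findings[path] = hits
    return findings


def _b64(s: bytes) -> str:
    return base64.b64encode(s).decode()


# Constructed file contents standing in for a Magento tree; hostnames are the
# ones in the quoted rule, paths and payloads are made up for the example.
SAMPLE_FILES = {
    "skin/frontend/default/footer.phtml":
        '<script src="https://alemoney.xyz/lib/miner.js" async></script>',
    "app/etc/local.xml.bak":
        'payload="' + _b64(b"eval(base64_decode('cGhwaW5mbygpOw=='));") + '"',
    "cron.php.bak":
        'u="' + _b64(b"http://pastebin.com/raw/x") + '"',
    "js/mage/translate.js":
        "var Translate = Class.create(); // ordinary Magento file",
    "var/log/system.log":
        "fetching http://pastebin.com/raw/x  (plain text, not base64)",
}

if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLE_FILES, load_signatures(SIGNATURES)).items():
        print(f"{path}: {', '.join(hits)}")
```

Note the last sample: the base64 entries only catch payloads that were base64-encoded starting exactly at `eval(` or `http://`, so a plaintext pastebin URL passes untouched. That is the trade-off of signature lists of this kind; they are precise about what they have seen and silent about everything else, which is why the post's advice to also block script execution on the client still stands.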