Author Topic: Musings about my volunteer website security scan experiences....  (Read 36044 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33374
  • malware fighter
Re: Musings about my volunteer website security scan experiences....
« Reply #15 on: March 03, 2015, 06:24:19 PM »
What the tracker tracker gave here: http://szybki.fakt.pl
url   scheme   host   path   type   query   aid   cid   date   patterns   objects   name   affilition
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   google-analytics\.com\/(analytics\.js|urchin\.js|ga_exp\.js|ga\.js|u\/ga_debug\.js|u\/ga_beta\.js|u\/ga\.js|cx\/api\.js|collect)   http://www.google-analytics.com/ga.js   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   \/?__utm\.   http://www.google-analytics.com/r/__utm.gif?utmwv=5.6.3&utms=1&utmn=360433009&utmhn=www.fakt.pl&utme=8(4!variant)9(4!Fakt%20reactivation)&utmcs=UTF-8&utmsr=1024x768&utmvp=400x300&utmsc=32-bit&utmul=en-us&utmje=0&utmfl=-&utmdt=Gwiazdy%2C%20Wydarzenia%2C%20Filmy%2C%20Sport%20-%20Fakt.pl&utmhid=1904198816&utmr=-&utmp=%2F&utmht=1425403101138&utmac=UA-4033697-1&utmcc=__utma%3D158728749.1147822484.1425403101.1425403101.1425403101.1%3B%2B__utmz%3D158728749.1425403101.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmjid=1416442177&utmredir=1&utmu=qSAAAAAAAAAAAAAAAAAAAAAE~   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      37   443   2015-03-03 18:19:47   (\.googlesyndication\.com\/simgad\/|\.googlesyndication\.com\/pagead\/|partner\.googleadservices\.com\/gampad\/)   http://pagead2.googlesyndication.com/pagead/show_ads.js   Google Adsense   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      41   257   2015-03-03 18:19:47   (\.doubleclick\.net|g\.doubleclick\.net)   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   DoubleClick   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      93   66   2015-03-03 18:19:47   (facebook\.com\/connect|facebook\.com\/v2\.0\/connect)   http://static.ak.facebook.com/connect/xd_arbiter/rFG58m7xAig.js?version=41#channel=f273b4f26c&origin=http%3A%2F%2Fwww.fakt.pl   Facebook Connect   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      93   66   2015-03-03 18:19:47   connect\.facebook\.net   http://connect.facebook.net/pl_PL/sdk.js   Facebook Connect   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \.hit\.gemius\.pl   http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \/?xgemius\.js   http://ocdn.eu/static/mastt/xgemius.js   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      464   2806   2015-03-03 18:19:47   facebook\.com\/(v2\.0\/)?(plugins|widgets)\/.*\.php   http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fwww.facebook.com%2Ffaktpl&locale=pl_PL&send=false&layout=button_count&width=130&show_faces=false&action=like&colorscheme=light&font=arial&height=21&appId=260859193942272   Facebook Social Plugins   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      605   174   2015-03-03 18:19:47   platform\.twitter\.com\/widgets   http://platform.twitter.com/widgets.js   Twitter Button   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      609   457   2015-03-03 18:19:47   (\.adform\.net|\.adformdsp\.net)   http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=%5Btimestamp%5D   Adform   
http://szybki.fakt.pl   http   szybki.fakt.pl      widget      615   2382   2015-03-03 18:19:47   (\.google\.com\/buzz\/api\/button\.js|apis\.google\.com\/js\/plusone\.js|apis\.google\.com\/js\/platform\.js)   https://apis.google.com/js/platform.js   Google+ Platform   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      642   677   2015-03-03 18:19:47   atemda\.com   http://p73.atemda.com/impressionlink.ashx?cipl=l9LafwOETCTkFe0sbgrKMsxZaQ%2fj0%2bVg%2b2lbgaAE5jYcaVav6E5Jxymu520mDjJtdkPOh4lAcfCSxDhPv34RdH5RiT4mXw58D02AMfd%2fXTI%3d&etp=RASP_FAKT-top&cb=403178055   AdMeta   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      2160   355   2015-03-03 18:19:47   googleads\.g\.doubleclick\.net\/pagead\/viewthroughconversion   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   Google Dynamic Remarketing   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      13   81   2015-03-03 18:19:47   google-analytics\.com   http://www.google-analytics.com/ga.js   Google Analytics   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      37   443   2015-03-03 18:19:47   (googlesyndication\.com|googleadservices\.com|2mdn\.net)   http://pagead2.googlesyndication.com/pagead/show_ads.js   Google Adsense   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      41   257   2015-03-03 18:19:47   doubleclick\.net   http://googleads.g.doubleclick.net/pagead/viewthroughconversion/972452827/?value=0&label=AT7fCI3luQIQ2-fZzwM&guid=ON&script=0   DoubleClick   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      609   457   2015-03-03 18:19:47   adform\.net   http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=%5Btimestamp%5D   Adform   
http://szybki.fakt.pl   http   szybki.fakt.pl      analytics      313   381   2015-03-03 18:19:47   \.gemius\.pl   http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl   Gemius   
http://szybki.fakt.pl   http   szybki.fakt.pl      ad      642   677   2015-03-03 18:19:47   \.atemda\.com

Interesting tracking facts.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
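
Added example, not part of the original posts: a minimal re-creation of how a pattern-based tracker scan like the report in Reply #15 classifies page objects. The patterns and most object URLs are copied from that report; the function names and the first-party URL are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# (pattern, type, name) rows copied from the tracker report in Reply #15
PATTERNS = [
    (r"google-analytics\.com", "analytics", "Google Analytics"),
    (r"\/?__utm\.", "analytics", "Google Analytics"),
    (r"(googlesyndication\.com|googleadservices\.com|2mdn\.net)", "ad", "Google Adsense"),
    (r"doubleclick\.net", "ad", "DoubleClick"),
    (r"connect\.facebook\.net", "widget", "Facebook Connect"),
    (r"\.hit\.gemius\.pl", "analytics", "Gemius"),
    (r"\/?xgemius\.js", "analytics", "Gemius"),
    (r"platform\.twitter\.com\/widgets", "widget", "Twitter Button"),
    (r"adform\.net", "ad", "Adform"),
]
COMPILED = [(re.compile(p), t, n) for p, t, n in PATTERNS]

# Object URLs from the report, plus one constructed first-party URL
OBJECTS = [
    "http://www.google-analytics.com/ga.js",
    "http://pagead2.googlesyndication.com/pagead/show_ads.js",
    "http://connect.facebook.net/pl_PL/sdk.js",
    "http://onet.hit.gemius.pl/fpdata.js?href=www.fakt.pl",
    "http://ocdn.eu/static/mastt/xgemius.js",
    "http://platform.twitter.com/widgets.js",
    "http://track.adform.net/adfserve/?bn=5643036;srctype=4;ord=%5Btimestamp%5D",
    "http://www.fakt.pl/static/main.css",  # constructed, should match nothing
]

def classify(urls):
    """Return {tracker name: {"type", "hosts"}}, one entry per tracker.

    Several patterns can hit the same tracker (the report lists both a
    specific and a broad pattern per vendor), so results are keyed by name.
    """
    found = {}
    for url in urls:
        host = urlsplit(url).hostname
        for rx, ttype, name in COMPILED:
            if rx.search(url):
                entry = found.setdefault(name, {"type": ttype, "hosts": set()})
                entry["hosts"].add(host)
    return found

def by_type(found):
    """Group tracker names by category (ad / analytics / widget)."""
    groups = defaultdict(list)
    for name, info in sorted(found.items()):
        groups[info["type"]].append(name)
    return dict(groups)

if __name__ == "__main__":
    result = classify(OBJECTS)
    print(by_type(result))
    print({name: sorted(info["hosts"]) for name, info in result.items()})
```

Note that Gemius is matched on two hosts, one of them a CDN (ocdn.eu) that a purely host-based blocklist for gemius.pl would not cover; the path pattern is what catches it.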

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #16 on: March 04, 2015, 01:23:13 PM »
Para-Noid says users have to learn to look before they leap - always, and he is right. I wondered why certain https-everywhere re-writes will create undreamt of possibilities for devious user tracking.
Read through this posting first: https://forum.avast.com/index.php?topic=167274.0 and see the added attached report of what tracking goes on on that Dutch zimbra webmail website.
Para-Noid asked me to post a heads-up on this insecurity here. And so I did.
I had to combine some of my insights and do some research to be aware of such threats. I remember our forum member, DavidR, always warning about the risks involved with the https-only scheme. I then stumbled on the re-writes from HTTPS Everywhere's Atlas to make http pages fit https-only and combined the URIs I found in the re-writes with the results of the tracking the trackers tool. And then it dawned upon me. There are additional risk factors with all the recent weaknesses found in the SSL protocol and encryption - POODLE and FREAK and so on.
Let us proceed with an example here. Combine the info from: https://www.eff.org/https-everywhere/atlas/domains/  with results here: https://tools.digitalmethods.net/beta/trackerTracker/
See the attached results. So be aware of trackers where you least expect them.

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #17 on: March 04, 2015, 06:20:26 PM »
What added tracking the trackers scan results brought on various script versions and according vulnerabilities (version info) and other CMS weaknesses and eventual abuse: https://forum.avast.com/index.php?topic=167317.msg1190378#msg1190378

polonus

Offline Para-Noid

  • Avast Evangelist
  • Starting Graphoman
  • ***
  • Posts: 6711
  • Trust only what you test yourself!
Re: Musings about my volunteer website security scan experiences....
« Reply #18 on: March 04, 2015, 06:51:39 PM »
There is definitely a need for anti-tracking add-ons like Ghostery and ad blockers such as AdBlock Edge in Firefox or uBlock in Chrome.
Many people use NoScript in Firefox or ScriptNo in Chrome. Using link scanners such as "Scan URL with" (Firefox) before clicking is also wise. Check then click.

It's all about security.
Dell Inspiron, Win10x64--HP Envy Win10x64--Both systems Avast Free v17.9.2322, Comodo Firewall v8.2 w/D+, MalwareBytes v3.0, OpenDNS, Super Anti-Spyware, Spyware Blaster, MCShield, Unchecky, Vivaldi Browser and, various browser security tools.

"Look before you leap!" Use online scanners before you click on any link.

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #19 on: March 04, 2015, 06:54:06 PM »
Do not forget Avast Online Security!

pol

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 46295
  • 61 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: Musings about my volunteer website security scan experiences....
« Reply #20 on: March 05, 2015, 11:16:36 PM »
Do not forget Avast Online Security!

pol
;) ;D ;)
Free avast! Security Seminar: http://bit.ly/2N1eaR2  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v21H2 64bit, 16 Gig Ram, 1TB SSD, AvastOmni 21.6, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #21 on: March 06, 2015, 03:34:21 PM »
Read about your browser fingerprinting: http://akademie.dw.de/digitalsafety/your-browsers-fingerprints-and-how-to-reduce-them/
You might have seen my tracker tracker scan reports recently. I also have some extensions in Google Chrome to warn me there: HTTP Switchboard, SPOF-O-Matic, Ghostery, Disconnect, canvasFingerPrintBlock, StopFingerprinting, uBlock, and naturally AVAST! Online Security. It is always handy to have script blocking like NoScript and RequestPolicy in Firefox, and ScriptSafe and HTTP Switchboard in Google Chrome.
For instance a script like script type="text/javascript" src="//tags.bkrtx.com/js/bk-coretag.js" could be a possible Frontend SPOF - and moreover it is a pop-up virus - you do not want to connect to it with your browser.
Read: http://blog.qisupport.com/tags-bkrtx-com-bk-coretag-js-pop-virus-removal-steps/

As I said before on these forums, a decent adblocker like uBlock for instance (or for conventionalists ABP) is a must, also to keep all sorts of website malcode at bay. What you aren't able to click, cannot infest you, right?

polonus
« Last Edit: March 06, 2015, 03:35:56 PM by polonus »

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #22 on: March 08, 2015, 01:26:05 AM »
For this Dutch news site no known trackers were identified by Netcraft: http://toolbar.netcraft.com/site_report/?url=Nu.nl
But it does do tracking on ads, analytics and also checks on opt-outs for web beacons.
Possible frontend SPOF 95% -> htxp://cts.snmmd.nl/service/js/nunl/home/
Script blocker blocks - service.nu.nl
The web beacons are to be avoided: https://www.mywot.com/en/scorecard/beacon.krxd.net

See my track tracker report results - do not open links given there inside a browser -
data just for security and track blocking research purposes

pol


Offline bob3160

Re: Musings about my volunteer website security scan experiences....
« Reply #24 on: March 09, 2015, 07:53:24 PM »
I'll let Avast do the scanning for me. :)

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #25 on: March 09, 2015, 11:00:52 PM »
Hi bob3160,

I also let avast do the resident av scanning and also use Avast protection inside the browser with Avast Online Security. ;D
But the additional SSL scanners are just to check for specific issues when you do "third party cold reconnaissance scanning" of (potential) suspicious or malicious websites like I do. That is not a "hobby" for everyone, but there are some connoisseurs here on the forums who are into this as well, like my good forum friends Pondus, mchain, Eddy and many many more. All with one aim only: to enhance and improve avast detection. And that is why and for whom I give these links. Just like to mention the efforts of our forum friend Oliver in the "virus and worms" to find detection for examples of an evolving threat just lately performed through rogue windows uninstall executables, executables that were malware re-engineered by highly dangerous malcreants or should I say savvy cybercriminals.
We must be glad we have such security research students amidst us that give their best for the protection of all of our userbase and beyond.

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #26 on: March 09, 2015, 11:16:23 PM »
I hope the following site is being blocked by an extension for you: htxps://banner.easyspace.com/
No valid host name: Valid Host Names      Not matched   *-.iomart.com
-iomart.com - Extended Validation (EV) Not Installed
SSL certficate is using SHA-1 algorithm that expires after 2015. You should re-issue your SSL certificate as SHA-2 to avoid padlock warning in Chrome - ERROR: The secure URL you submitted was redirected to:
htxp://banner.easyspace.com/ - website: banner.easyspace.com is not listed in the certificate.
Done. Total pages crawled: 1
No issues found

Pages failed to crawl (error returned from the server):
htxps://banner.easyspace.com/
htxps://banner.easyspace.com/

Update your certificate chain.
Your certificate chain is valid, but some older browsers may not recognize it. To support older browsers, download and install the missing intermediate certificate.

Transaction Protection
CNAME IS MISMATCH
SSL Issuer: RapidSSL CA
SSL Expires: 2016-12-30 21:03:34 UTC 

I get ERR_BLOCKED_BY_CLIENT

Funny that Avast Online Security gives this site as a safe website.
There are other issues reported here about their sneaky adware springboard ways: http://www.sitepoint.com/forums/showthread.php?53374-Easyspace-com-Scandalous

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #27 on: March 10, 2015, 12:08:38 AM »
Here you have them all these malicious IPs and neatly sorted every 15 minutes:
http://www.e-fensive.net/malware.pests

polonus

Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #28 on: March 15, 2015, 06:32:18 PM »
Just established that WOT does canvas fingerprinting from their website: Prevented a script on htxps://www.mywot.com from capturing the following 32px × 32px canvas:
What tracking WOT does? Mainly ad tracking, see attached file.
Possible Frontend-SPOF from fonts.googleapis.com twice.
Facebook Connect = Facebook Tracker and Google Analytics tracking is being blocked in the browser for me as is the canvas fingerprinting (fonts.googleapis.com).

pol


Offline polonus

Re: Musings about my volunteer website security scan experiences....
« Reply #29 on: March 15, 2015, 07:18:06 PM »
See also http://www.cookiechecker.nl/check-cookies.php?url=https%3A%2F%2Fwww.mywot.com&cache=false
What you normally block via ScriptSafe, view: https://www.uploady.com/download/Bw68Kvl86Wc/XYwYZnUPZq52Gn76
See also on the wot.api -> http://xss.cx/2011/09/15/ghdb/dork-xss-reflected-cross-site-scripting-cwe79-capec86-javascript-injection-example-poc-report-apimywotcom.html
Cool cookiepedia: http://cookiepedia.co.uk/cookie/679473
Cookiesearch has: mywot.com
Jan 25, 2015
Name
SESSf6ce7e3db235723091e59a653e7d96f2
Domain
.mywot.com
Expires
Jan 25, 2016 at 12:23 PM
Value
sfe05b4tkpbf7sp2kp94h95765

polonus
« Last Edit: March 15, 2015, 07:23:49 PM by polonus »