Author Topic: A complete security overhaul needed; we do not have much time left....  (Read 682 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31856
  • malware fighter
L.S.

Just one the many symptoms, just one example - webserver vulnerable to Poodle over TLS, Goldendoodle, Zombie Poodle, Sleeping Poodle, 0-length OpenSSL, Open SSL padding Oracle flaw, client-initiated insecure renegotiation, ROBOT, Heartbleed, Open SSL CSSflaw, non-compliant with HIPAA guidances, No CAA record, No support for TLSv.3, CloudFlare monopoly on DoH, etc. etc. etc.

12 years of analyzing 3rd party cold reconnaissance website security all-sorts made me come up with the conclusion, that we urgently need a complete security overhaul of  the Interwebz, else I fear we will have it only on the terms of global surveillance corporationalism, and end-users will neither have any privacy left nor solid security.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

P.S. Proof of all this for malware laden applications in Google Play Webshop:
https://developers.google.com/android/play-protect/app-defense-alliance 
ESET, Lookout and Zimperium have to come to the rescue, it's all hands on deck for Google.

Damian
« Last Edit: November 07, 2019, 10:11:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 41879
  • 59 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: A complete security overhaul needed; we do not have much time left....
« Reply #1 on: November 07, 2019, 10:32:40 PM »
It isn't all doom and gloom and the world isn't going to end in a few years as some seem to feel.
Free avast! Security Seminar: https://goo.gl/kh3cqR  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1903 64bit, 8 Gig Ram, AvastFree 19.6.xxxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Online =Snake=

  • ..... minden elfelejtettem.
  • Massive Poster
  • ****
  • Posts: 4197
Re: A complete security overhaul needed; we do not have much time left....
« Reply #2 on: November 07, 2019, 10:33:30 PM »
Hi!

I think everybody here in this Avast forum should do his/her duty and help, that Avast will overcome with the help of all of the forum members!

I don't write this like other posts! This is very serious !!!!!

=Snake=
Main: AMD LE1620, W7ult SP1 | MS-7091, P4, XP pro SP3 || AMD_Athlon 1800+ (W7ult SP1 + XP pro SP3, FFesr 45.9, TB 45.8, CC 5.11)|
Laptops: Acer Aspire V5-591G, W10 Home[x64] v1809 (Build 17763.437) | HPI_2020M, W8.1 pro[x64] | Amilo Xi2428, W8.1 pro | MD95400, W7ult SP1 | MD97400, XP pro SP3|
FFesr 68.2.0[NS,ABP,AOS],TB 68.2.1,MCS,CC 5.63,MBAM,MBAE,ASB 77.1,FW (W7+XP): CIS 3.14[FW,D+],AV (W7+XP): Avast Free 2015.10.4.2233|

Offline Luukjr

  • Full Member
  • ***
  • Posts: 148
Re: A complete security overhaul needed; we do not have much time left....
« Reply #3 on: November 07, 2019, 10:35:12 PM »
L.S.

Just one the many symptoms, just one example - webserver vulnerable to Poodle over TLS, Goldendoodle, Zombie Poodle, Sleeping Poodle, 0-length OpenSSL, Open SSL padding Oracle flaw, client-initiated insecure renegotiation, ROBOT, Heartbleed, Open SSL CSSflaw, non-compliant with HIPAA guidances, No CAA record, No support for TLSv.3, CloudFlare monopoly on DoH, etc. etc. etc.

12 years of analyzing 3rd party cold reconnaissance website security all-sorts made me come up with the conclusion, that we urgently need a complete security overhaul of  the Interwebz, else I fear we will have it only on the terms of global surveillance corporationalism, and end-users will neither have any privacy left nor solid security.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

P.S. Proof of all this for malware laden applications in Google Play Webshop:
https://developers.google.com/android/play-protect/app-defense-alliance 
ESET, Lookout and Zimperium have to come to the rescue, it's all hands on deck for Google.

Damian

Hoi Damian,

I share your concern, but the digital world is too complex for 99.9% of the world's population to arm itself effectively against all the calamities it entails. Even for me it is too complex.
The good news is that many are trying to arm themselves against it.  Forums like Avast's are therefore indispensable.

groet'n uut Grunn  ;)
OS: Windows 7 Home Premium 64-bit SP1
Soft: Avast Premium Security  / Avast Cleanup / Malwarebytes Premium 4.0.4

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31856
  • malware fighter
Re: A complete security overhaul needed; we do not have much time left....
« Reply #4 on: November 07, 2019, 11:38:48 PM »
Hi Luukjr and bob3160,

I am not saying all is doom and gloom. Just see what Brendan Eich did to give his Brave browser extended protection against fingerprinting. Read: https://github.com/brave/browser-laptop/wiki/Fingerprinting-Protection-Mode

Brendan Eich, the man and developer, who gave us JavaScript during the previous century, wrought in just 10 days.
A nice legacy, but also a royal way in for miscreants, and what an abuse came unto us later, and so we needed the unique solution produced by Giorgio Maone with his script blocker, No Script.

Now every power user and those, that know how to toggle it, will use uMatrix for script blocking and uBlock Origin as an adblocker of choice.

With website security and best policy implementation, very much so with PHP-driven CMS like Word Press, Magento etc. we still have a very long way to go to make it basically more secure. We cannot blame amateurs using WYSIWYG software to build their insecure websites (insecure libraries, using even left code that will never be patched or updated, etc. etc.).

Very bad, seen in this light, is the fact that those that have relative knowledge do not count in the game, and those that lack this fundamental security knowledge, like CEO's and manager take all the important decisions. They'd rather go for a "licked looking" website than a secure one.

So security often is a last resort issue, then when bad things are bound to happen (the proverbial manure hitting the propellors),
there is a bill to be paid in the end. The stakeholders are not interested, it is not their world.

So now we come to speak of the grave dangers formed by extended monopolistic global mono-cultures like Google's with browsers (all browser engines are now Google driven). Google will call the shots, also where protocol are made up and will curve the bends to what is good for their core business, and we all know what that is. That is not always good for security and privacy, folks. No. it is not.

But we will have to give this situation we find ourselves in attention and consider solutions, else there will not be much left we can do about the whole situation and it will be out of our hands soon.

polonus
« Last Edit: November 07, 2019, 11:45:01 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2675
  • Volunteer
Re: A complete security overhaul needed; we do not have much time left....
« Reply #5 on: November 07, 2019, 11:53:49 PM »
L.S.

Just one the many symptoms, just one example - webserver vulnerable to Poodle over TLS, Goldendoodle, Zombie Poodle, Sleeping Poodle, 0-length OpenSSL, Open SSL padding Oracle flaw, client-initiated insecure renegotiation, ROBOT, Heartbleed, Open SSL CSSflaw, non-compliant with HIPAA guidances, No CAA record, No support for TLSv.3, CloudFlare monopoly on DoH, etc. etc. etc.

12 years of analyzing 3rd party cold reconnaissance website security all-sorts made me come up with the conclusion, that we urgently need a complete security overhaul of  the Interwebz, else I fear we will have it only on the terms of global surveillance corporationalism, and end-users will neither have any privacy left nor solid security.

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)

P.S. Proof of all this for malware laden applications in Google Play Webshop:
https://developers.google.com/android/play-protect/app-defense-alliance 
ESET, Lookout and Zimperium have to come to the rescue, it's all hands on deck for Google.

Damian

Hoi Damian,

I share your concern, but the digital world is too complex for 99.9% of the world's population to arm itself effectively against all the calamities it entails. Even for me it is too complex.
The good news is that many are trying to arm themselves against it.  Forums like Avast's are therefore indispensable.

groet'n uut Grunn  ;)

It's not that it's too complex to understand, it's that people don't put out the time to understand. Polonus also raises a good point regarding CEOs, especially those of small and medium size businesses. CEOs often see the short term future of their company. "I can't spend a million dollars to outfit my applications, network, website and invest in employee training to latest security standards!" This is becoming more abundantly clear as businesses opt to pay for ransomware insurance. You're treating a symptom, not solving the underlying problem. What they don't realize the the long term pain of losing your trust with clients, data etc is 99% of the time going to cost you more long term then short term. I would suggest that perhaps, rather then paying for data loss insurance, it's better to contract a reputable firm to implement SIEM software like QRadar, LogRhythm, or similar. You boost your cyber security stance (well... ideally), enhance customer trust in your product(s)/service(s), and should no longer require data loss insurance.

Hell, contract a certified pentester to break into a network to point out vulnerabilities (and take action on it)! They might need a kick in the ass to get it done, but it's necessary to do. Don't get me wrong, there are some technologically inclined stakeholders that actively push for enhanced cyber security (I know a few!), but they're too few.

Edit: It's also worth noting that an Internal IT Department should ALWAYS have a DR plan in place. DR plan includes items like onsite backups, and offsite backups in a firesafe (firesafe not being limited to just fires, but also digital attacks, flooding, surges, or any other means of severely tampering with data, other digitally or physically.) If you don't have the resources to do so (S3, Glacier, DeepArchive, Google, Microsoft.. the list goes on), again, contract it.

(Amazon Pricing Information)
« Last Edit: November 08, 2019, 04:22:43 AM by Michael (alan1998) »
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student @ The University of New Brunswick.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31856
  • malware fighter
Re: A complete security overhaul needed; we do not have much time left....
« Reply #6 on: November 08, 2019, 11:53:48 AM »
L.S.

Stakeholders (the factual owners of Big Data IT corporations) don't give a hoot about the individual end-user's interests.
To the contrary as Twitter stops showing politically driven messages this immedeately has an averse effect on the markets,
markets are coming down.

The more we ignore end-user interests and demands, they think, the better it will be for our total investment revenue.

Investors act in a more and more aggressive way to-day, because banks won't give them any money anymore.
So they have to make their money elsewhere. Then they have to put the blame somewhere else.
When you observe all this, you have to conclude this cannot go on forever.

When the crash is gonna come and who will get hit, it's all a question of time.
Gonna be somewhere between some tough stakeholder and the masses, it is gonna being played out,
that is why we need a complete security overhaul, to minimize the aftermath negative results.

They cannot make their narrative go round anymore and say everything will be all right.
Your narrative as a stakeholder is to fail miserably eventually. Wiil the world miss them?

It is just like with the Antartic ice-plateau, it will eventually break and melt away.
We are in muddy waters, folks, we sure are.

You can go into denial, close your eyes to reality, but it won't go away by itself.
It is gonna get worse and worse, both institutional cybercrime and the normal variants will.

I see some hope for the toddlers to-day between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all, that is shown to them from a screen,
without thinking for themselves or analyse what they do or what's it is all about.
Food for AI, that what they will be in the end.

That is why Google already have started to make them young kids part of their plans for the digital future.

polonus a.k.a. Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2675
  • Volunteer
Re: A complete security overhaul needed; we do not have much time left....
« Reply #7 on: November 08, 2019, 08:26:07 PM »
I see some hope for the toddlers to-day between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all, that is shown to them from a screen,
without thinking for themselves or analyse what they do or what's it is all about.
Food for AI, that what they will be in the end.

That is why Google already have started to make them young kids part of their plans for the digital future.

I have to disagree with that, to an extent. It's not that we believe everything shown to us on a screen. On average, young people tend to be more technologically inclined then older generations (and a large part of that is because we grew up with it.) We tend to be more conscious of links we're clicking, what websites we visit etc. I'll make this clear as well - our generation is not perfect. Our generation overshares their personal lives, which can easily lead to Social Engineering attacks (Pet names, place of birth, etc). It would be interesting to know what the age skew is like for Phishing attacks, based on age range. (I have contacts that might actually be able to provide real world representations of that information... My University's IT Architecture Director co-founded a cyber security company specializing in educating students, faculty and staff on cyber threats. Though, they're expanded their business to include other companies as well.)

Consider this >> https://www.theguardian.com/technology/2019/jan/10/older-people-more-likely-to-share-fake-news-on-facebook
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student @ The University of New Brunswick.

Offline digmor crusher

  • Full Member
  • ***
  • Posts: 195
Re: A complete security overhaul needed; we do not have much time left....
« Reply #8 on: November 09, 2019, 03:11:28 AM »
L.S.

Stakeholders (the factual owners of Big Data IT corporations) don't give a hoot about the individual end-user's interests.
To the contrary as Twitter stops showing politically driven messages this immedeately has an averse effect on the markets,
markets are coming down.

The more we ignore end-user interests and demands, they think, the better it will be for our total investment revenue.

Investors act in a more and more aggressive way to-day, because banks won't give them any money anymore.
So they have to make their money elsewhere. Then they have to put the blame somewhere else.
When you observe all this, you have to conclude this cannot go on forever.

When the crash is gonna come and who will get hit, it's all a question of time.
Gonna be somewhere between some tough stakeholder and the masses, it is gonna being played out,
that is why we need a complete security overhaul, to minimize the aftermath negative results.

They cannot make their narrative go round anymore and say everything will be all right.
Your narrative as a stakeholder is to fail miserably eventually. Wiil the world miss them?

It is just like with the Antartic ice-plateau, it will eventually break and melt away.
We are in muddy waters, folks, we sure are.

You can go into denial, close your eyes to reality, but it won't go away by itself.
It is gonna get worse and worse, both institutional cybercrime and the normal variants will.

I see some hope for the toddlers to-day between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all, that is shown to them from a screen,
without thinking for themselves or analyse what they do or what's it is all about.
Food for AI, that what they will be in the end.

That is why Google already have started to make them young kids part of their plans for the digital future.

polonus a.k.a. Damian

Oh its going to crash alright, whether its climate change, the internet going down, Trump starting a nuclear war, food shortages, pollution, whatever, unless man changes its ways very soon the Earth is going to be one miserable little rock to live on. Not going to happen as far as I"m concerned, we got 10-15 years to fix it, mankind is too hooked on money, wars etc, so we are doomed.

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 41879
  • 59 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: A complete security overhaul needed; we do not have much time left....
« Reply #9 on: November 09, 2019, 11:27:39 AM »
Amazing to see all these negative doom and gloom outlooks.
The glass is still half full even if many see it as half empty. :)
Free avast! Security Seminar: https://goo.gl/kh3cqR  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 10 Pro v1903 64bit, 8 Gig Ram, AvastFree 19.6.xxxx, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31856
  • malware fighter
Re: A complete security overhaul needed; we do not have much time left....
« Reply #10 on: November 09, 2019, 01:32:08 PM »
Hi bob3160,

I am not spreading doom and gloom, I hold on to technical facts of websites all over the place,
that do not fit minimal security standards. As webservers do not.
As CloudFlare gives you less security for your money,  but prospers mightily from selling all of your data,
gathered in the mean time, about all do and are set out to do. We call that surveillance economy.
The weight of the pyramid is being felt below, it squeezes some folks.  ;D

Then now read here:  https://www.exploit-db.com/exploits/36942  Then check here: https://webhint.io/
Then study this: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
And finally hope all is being cleansed, themes and plug-ins updated and upgraded, version patches applied.
Settings secure, so any scriptkiddie with some brain cannot shodan and dazzlepod you up to hack ye.

That is the situation we have to change with education, not dumbing down masses of end-users,
so they cannot even find out anymore what's gonna bite them.
Better services at lower costs, better quality settings, additional layers like header security settings.
Google, keeping their app store clean, like the old heroes did in Greece of old.

That is what I am on about, not general Armageddon or whether they will find a red heifer in time for the third temple.

It is just small everyday security thingies, patches, retirement of vulnerable code, left code not to forget,
just simple everyday items. But they rather choose to let it rot. Have a good week, bob3160.
Good we have avast.

Damian aka polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online =Snake=

  • ..... minden elfelejtettem.
  • Massive Poster
  • ****
  • Posts: 4197
Re: A complete security overhaul needed; we do not have much time left....
« Reply #11 on: November 09, 2019, 02:25:45 PM »

It is just like with the Antartic ice-plateau, it will eventually break and melt away.
We are in muddy waters, folks, we sure are.

You can go into denial, close your eyes to reality, but it won't go away by itself.
It is gonna get worse and worse, both institutional cybercrime and the normal variants will.

I see some hope for the toddlers to-day between their bowl of porridge, nappies, and reality.
The present generation is too dumbed down and lost, they just believe all, that is shown to them from a screen, without thinking for themselves or analyse what they do or what's it is all about.

Food for AI, that what they will be in the end.

That is why Google already have started to make them young kids part of their plans for the digital future.

I agree with this, but I'll not be alive, when this will come true and everybody, who doesn't care now, is stupid and will not be able to stop all this nonsense! Then it will be too late!
 >:(  :(
=Snake=
Main: AMD LE1620, W7ult SP1 | MS-7091, P4, XP pro SP3 || AMD_Athlon 1800+ (W7ult SP1 + XP pro SP3, FFesr 45.9, TB 45.8, CC 5.11)|
Laptops: Acer Aspire V5-591G, W10 Home[x64] v1809 (Build 17763.437) | HPI_2020M, W8.1 pro[x64] | Amilo Xi2428, W8.1 pro | MD95400, W7ult SP1 | MD97400, XP pro SP3|
FFesr 68.2.0[NS,ABP,AOS],TB 68.2.1,MCS,CC 5.63,MBAM,MBAE,ASB 77.1,FW (W7+XP): CIS 3.14[FW,D+],AV (W7+XP): Avast Free 2015.10.4.2233|

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2675
  • Volunteer
Re: A complete security overhaul needed; we do not have much time left....
« Reply #12 on: November 09, 2019, 03:40:59 PM »
Hi bob3160,

I am not spreading doom and gloom, I hold on to technical facts of websites all over the place,
that do not fit minimal security standards. As webservers do not.
As CloudFlare gives you less security for your money,  but prospers mightily from selling all of your data,
gathered in the mean time, about all do and are set out to do. We call that surveillance economy.
The weight of the pyramid is being felt below, it squeezes some folks.  ;D

Then now read here:  https://www.exploit-db.com/exploits/36942  Then check here: https://webhint.io/
Then study this: https://www.wordfence.com/docs/how-to-clean-a-hacked-wordpress-site-using-wordfence/
And finally hope all is being cleansed, themes and plug-ins updated and upgraded, version patches applied.
Settings secure, so any scriptkiddie with some brain cannot shodan and dazzlepod you up to hack ye.

That is the situation we have to change with education, not dumbing down masses of end-users,
so they cannot even find out anymore what's gonna bite them.
Better services at lower costs, better quality settings, additional layers like header security settings.
Google, keeping their app store clean, like the old heroes did in Greece of old.

That is what I am on about, not general Armageddon or whether they will find a red heifer in time for the third temple.

It is just small everyday security thingies, patches, retirement of vulnerable code, left code not to forget,
just simple everyday items. But they rather choose to let it rot. Have a good week, bob3160.
Good we have avast.

Damian aka polonus
From the Exploit-DB vuln.

Quote
2. Vulnerability timeline
----------------------------------

- 04/05/2015: Identified in version 1.5.8 and contact the developer company
by twitter.
- 05/05/2015: Send the details by mail to developer.

- 05/05/2015: Response from the developer.
- 06/05/2015: Fixed version in 1.6

Exactly as it should be. I'm assuming this occurred by DD/MM/YYYY. 2 days to find, contact and patch an exploit is pretty decent!
*Volunteer*.
Tier I SOC Analyst; Threat Hunter; Digital Forensics (no cert); HTB Competitor; Pentester (no cert).

4th Year BCS Student @ The University of New Brunswick.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 82189
  • No support PMs thanks
Re: A complete security overhaul needed; we do not have much time left....
« Reply #13 on: November 09, 2019, 07:51:20 PM »
Amazing to see all these negative doom and gloom outlooks.
The glass is still half full even if many see it as half empty. :)

In all honesty as an end user, I just can't get excited about this.  It is essentially it is outside of our control, other than continue to do as I'm doing right now, prepare for the worst and hope for the best :)
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.8.2393 (build 19.8.4793.541) UI-1.0.415/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31856
  • malware fighter
Re: A complete security overhaul needed; we do not have much time left....
« Reply #14 on: November 09, 2019, 10:07:14 PM »
Dear DavidR & bob3160 and others,

There is one thing that all of the end users can do and that is fully update, upgrade and patch their OS, software programmes,
everything installed there with the latest upgrades, updates & patches that comes with all of their devices.

What a gigantic difference toward overall security this simple act could make.
Also all IT staff everywhere should be in for this simple solution with their webserver software,
their website CMS, themes and plug-ins, their jQuery libraries and provider and router software.

Let us do this from Silicon Valley and Silicon Forest to everywhere in Mainland China v.v.

We should do this all over the globe and call it a certain day "Avast Global Update & Patch Day",
and celebrate fresh gained overall security.

It is also a very respectful thing to do towards all the bright minds that are trying to keep us safe and more secure every day.

polonus
« Last Edit: November 09, 2019, 10:09:38 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!