Author Topic: SECURITY WARNINGS & Notices - Please post them here  (Read 2902439 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4080 on: September 19, 2015, 12:42:46 AM »
Hi bob3160,

Well, it was my pleasure checking and going over the script code there, and a reassuring all green for you is not bad at all.
Congratulations.
Well, I think you did not expect anything else, really  :D

Damian
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline SpeedyPC

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3398
  • Avast shall conquer the whole world
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4082 on: September 20, 2015, 07:19:20 AM »
AVG releases transparent privacy policy: Yes, we will sell your data

http://www.zdnet.com/article/avg-releases-transparent-privacy-policy-yes-we-will-sell-your-data/

Quote
AVG will sell the data of its users to third parties in order to keep basic antivirus software free
« Last Edit: September 20, 2015, 07:21:10 AM by SpeedyPC »
Gigabyte 670 LGA1200 Full ATX MB | Intel Core i9-13900 CPU/LGA 1700 | GeForce Nvidia RTX-4070/12GB | 32GB DDR4 | 2 x 1TB Samsung SSD | W11 Home 64bit | Avast Premium v24.3.6108 | Avast SecureLine VPN | Avast Secure Browser | Avast Driver Updater | Avast BreachGuard | Firefox 64bit | MalwareBytes Premium | Adguard Premium | CCleaner Portable | Macrium Reflect | 7-Zip

Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4083 on: September 20, 2015, 11:42:10 AM »
AVG releases transparent privacy policy: Yes, we will sell your data

http://www.zdnet.com/article/avg-releases-transparent-privacy-policy-yes-we-will-sell-your-data/

Quote
AVG will sell the data of its users to third parties in order to keep basic antivirus software free


It's interesting how AVG thinks of "copies of files or emails" as "non-personal data" just because they were "marked as potential malware".

Quote
We collect non-personal data to improve our products and services, including:
data concerning potential malware threats to your device and the target of those threats, including copies of files or emails marked as potential malware, file names, cryptographic hash, vendor, size, date stamps, associated registry keys, etc.;
...snip...

http://www.avg.com/us-en/privacy-new#what-do-you-collect-that-cannot-identify-me


And,

"We collect non-personal data to make money from our free offerings so we can keep them free, including:
...snip...
Browsing and search history, including meta data;"

even though they also say

"Sometimes browsing history or search history contains terms that might identify you. If we become aware that part of your browsing history might identify you, we will treat that portion of your history as personal data, and will anonymize this information..."

So, AVG users have to trust AVG that AVG can deem what parts of their browsing history or search history contain terms that might identify them! Good luck with that!

Besides, I never like when a privacy policy uses the word "including...". That begs the question: and what else?
« Last Edit: September 20, 2015, 03:02:19 PM by 1234ava »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4084 on: September 21, 2015, 12:45:17 PM »
199 hacked routers SYNful Knock: http://blog.shadowserver.org/2015/09/21/synful-knock/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48586
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4085 on: September 21, 2015, 03:10:23 PM »
Nasty URL bug brings Google Chrome to a screeching halt
Simply add "%%30%30" to the end of any URL in Chrome and watch it crash.
« Last Edit: September 21, 2015, 04:14:47 PM by bob3160 »
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4086 on: September 21, 2015, 03:59:59 PM »
Hi bob3160,

This string abuse works because the browser actually wants this to execute as %25%2530%2530
When I give your string in following directly from "https://ad.nl/" the browser URL bar shows: http://caja.appspot.com/#https://ad.nl/%25%2530%2530
and this can be abused because my connection is no longer private, your bug code can be used as privacy error and for stealing credentials like passwords, messages, credit card details, etc. Did you notice that, bob3160?  :o
What you do with %%30%30 translated into %25%2530%2530 is a certificate hack and the server certificate no longer matches that URL or v.v. and the use of an older Cipher Suite is being flagged. Did you notice that, bob3160?  :o
We stumbled upon something that could lead to indirect abuse on a large scale. Thank you very, very much for reporting this.
Trying this on the nameserver there: -http://ns1-25.akam.net/%25%2530%2530 and then consider this: 10 red out of 10 red Netcraft risk status. This certainly is an issue that goes beyond a mere Google Chrome browser bug, bob3160, you stumbled on something that needs to be analysed further, my good friend. Here the server just opens the main page: http://www.telegraaf.nl//%25%2530%2530

Damian
« Last Edit: September 21, 2015, 04:07:57 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48586
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4087 on: September 21, 2015, 04:07:16 PM »
Not something I stumbled upon, simply something I'm reporting.
Follow the link I supplied for more information. :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4088 on: September 21, 2015, 04:10:31 PM »
That link is empty, I get an about:blank
Can you provide us with a working link?
Was it reported 21 hours ago here?: http://www.pcworld.com/article/2984907/security/nasty-url-bug-brings-google-chrome-to-a-screeching-halt.html
And the one that detected it originally: http://andrisatteka.blogspot.com/2015/09/a-simple-string-to-crash-google-chrome.html
The %25%2530%2530 translation that actually could play havoc on some https servers was my experiment here  ;D

polonus
« Last Edit: September 21, 2015, 04:14:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48586
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4089 on: September 21, 2015, 04:15:13 PM »
OOPS, it's been corrected. :)
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v24H2 64bit, 32 Gig Ram, 1TB SSD, Avast Free 24.4.6112, How to Successfully Install Avast http://goo.gl/VLXdeRepair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4090 on: September 21, 2015, 04:48:35 PM »
Now when I give in this https://www.security.nl/%2525%252530%252530
1.   https://www.security.nl/%2525%252530%252530   Security.NL   57,992 bytes   641 ms
I get here: https://www.security.nl/?welcome
And there are sources and sinks to consider: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.security.nl%2F%252525%25252530%25252530%09
Results from scanning URL: https://www.security.nl/js/dfp.js?1375741199
Number of sources found: 28
Number of sinks found: 11
Results from scanning URL: https://www.security.nl/js/dfp.js?1375741199
Number of sources found: 1
Number of sinks found: 1
Results from scanning URL: https://www.security.nl/js/dfp.js?1375741199
Number of sources found: 122
Number of sinks found: 60
Indeed equalling these results: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.security.nl%2F%3Fwelcome
Interesting and the results on various servers should be established.

This server is further secured against this and I meet a neat 404 error. This is as it should be:
http://www.huffingtonpost.com/%2525%252530%252530
Oh, Noes! A 404! As I approached this locally.
Here the whole page disappears which kicks up a dev/null: http://www.nu.nl/%2525%252530%252530   :o

polonus
« Last Edit: September 21, 2015, 05:00:23 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
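
Added example, not part of any post in this thread: the strings quoted in the replies above (`%%30%30`, `%25%2530%2530`, `%2525%252530%252530`) are successive layers of percent-encoding of one another, and this Python sketch of a server-side canonicalisation check peels them one pass at a time. The function names and the rejection policy are assumptions made for the illustration.

```python
import re

_ESCAPE = re.compile(r"%([0-9A-Fa-f]{2})")       # a well-formed %XX escape
_MALFORMED = re.compile(r"%(?![0-9A-Fa-f]{2})")  # a '%' not followed by two hex digits


def decode_once(s: str) -> str:
    """One pass of percent-decoding; malformed escapes are left untouched."""
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def decode_layers(s: str, max_passes: int = 8) -> list:
    """Return [s, decode(s), decode(decode(s)), ...] until a pass changes nothing."""
    layers = [s]
    for _ in range(max_passes):
        nxt = decode_once(layers[-1])
        if nxt == layers[-1]:
            break
        layers.append(nxt)
    return layers


def check_path(path: str) -> dict:
    """Hypothetical policy: accept at most one layer of well-formed encoding."""
    layers = decode_layers(path)
    passes = len(layers) - 1
    reasons = []
    if _MALFORMED.search(path):
        reasons.append("malformed escape in raw input")
    if passes > 1:
        # Ambiguous input: components that decode a different number of
        # times would disagree about what was requested.
        reasons.append(f"nested encoding ({passes} decoding passes)")
    if any("\x00" in layer for layer in layers):
        reasons.append("decodes to a NUL byte")
    return {"passes": passes, "layers": layers,
            "reject": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Paths built from the strings quoted in the thread, plus two benign ones.
    for p in ["/%%30%30", "/%25%2530%2530", "/%2525%252530%252530",
              "/a%20b", "/50%25off"]:
        r = check_path(p)
        print(f"{p!r}: passes={r['passes']} reject={r['reject']} {r['reasons']}")
```

A path such as `/50%25off` (a literal percent sign, encoded once) passes the check, while every string from the thread is rejected on at least two of the three grounds.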


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37547
  • Not a avast user
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4092 on: September 22, 2015, 06:55:57 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33913
  • malware fighter
Re: SECURITY WARNINGS & Notices - Please post them here
« Reply #4093 on: September 22, 2015, 10:22:07 PM »
Another reason to stick to your Adblocker: https://grahamcluley.com/2015/09/forbes-malvertising/
article author - Graham Cluley
Quote
"Malvertising continues to be an attack vector of choice for criminals making use of exploit kits. By abusing ad platforms – particularly ad platforms that enable Real Time Bidding – attackers can selectively target where the malicious content gets displayed."

"When these ads are served by mainstream websites, the potential for mass infection increases significantly, leaving users and enterprises at risk."

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
