Do you consider bitcoin mining on your cycles worse than ads?

Some have it blocked by a good ad-blocker, some with anti-mining extensions.

What are the privacy implications of such a miner?

Flagged as malcode here: https://urlquery.net/report/6c776095-c1f1-4442-afc3-4d297841c802
3 to flag: https://www.virustotal.com/nl/url/b0827282045e14fe7538f204e94e13fe2491f653ed59369e5d8414feeb50e3e7/analysis/1509548406/

Some warnings here, but no tracking: https://privacyscore.org/site/33952/ (No HSTS, server is vuln. to Lucky13 and BEAST & DROWN attacks, no secure client renegotiation set, no security headers set).

F-status and recommendations: https://observatory.mozilla.org/analyze.html?host=coinhive.com

No issues on the mining script itself, but overflow to: Results from scanning URL: -https://static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js
Number of sources found: 92
Number of sinks found: 24 → -static.xx.fbcdn.net/rsrc.php/v3/y2/r/184G4bWm-rw.js benign

polonus (volunteer website security analyst and website error-hunter)

P.S. And when there are blockchains, there could be malware round the corner:
https://securelist.com/tales-from-the-blockchain/82971/

Damian

What are the privacy implications of this webproxy?

Are webproxies that privacy friendly? I think not necessarily.

http://toolbar.netcraft.com/site_report?url=https://whoer.net
Comes with the Cloudflare related insecurities…ssl380088.cloudflaressl.com
Cert. installed correctly: Chain installation:
2 certificates found: RSA and ECC.
No HSTS enabled. SSL/TLS compression: Not Enabled
Heartbeat (extension): Not Enabled

F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=whoer.net

3 vulnerable libraries detected: http://retire.insecurity.today/#!/scan/3ccbbb2afaa1871f0fb292e8931723efc456d0f2132388d83efc464a1ff152ef

No third party cookies - 6 third party requests: http://www.cookiechecker.nl/check-cookies.php?url=https://whoer.net/webproxy

Issues with sources and sinks: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwhoer.net%2Fwebproxy

Tracker tracker and bug issue report: see attached

Finally the beta privacy score: https://privacyscore.org/site/33961/

polonus (volunteer website security analyst and website error-hunter)

Next to tor, tails and whonix there are different ways to help end-users to protect their last little bits of Internet privacy with a bit of added anonymity.

Also one looks for new ways like the block chain technology that keeps Bitcoin secure, a decentralised solution against the overpowering intrusion of Big Brother Surveillance State’s oversight forces.

A new scheme when the going gets narrow is https://mysterium.network/:

Open Sourced Network allowing anyone to rent their unused Network traffic, while providing a secure connection for those in need.

Hopefully network tld has been properly set to recognize that site’s software.
Connection fail here: https://gcm.tlsfun.de/check.php?host=mysterium.network
Connection failed. Host has either no HTTPS or does not support GCM.

See how successful they are: https://privacyscore.org/site/34025/json/
and https://privacyscore.org/site/34025/ PHP/5.5.9-1ubuntu4.21 with twelve vulnerabilities.

Retirable: http://retire.insecurity.today/#!/scan/c989f46450eddf925f09fc10ca4880608fd09dca1b83216db50cbf3b5373b3ac

Externally Linked Host        Hosting Provider            Country
-news.bitcoin.com             CloudFlare                  United States
-bitconnect.co                CloudFlare                  United States
-www.cryptocoinsnews.com      CloudFlare                  United States
-github.com                   GitHub                      United States
-techannouncer.com            GoDaddy.com, LLC            United States
-www.linkedin.com             LinkedIn Corporation        United States
-mvp.mysterium.network        DigitalOcean                Netherlands
-goo.gl                       Google                      United States
-www.sarunas-savickas.com     OOO NPO Relcom              Lithuania
-www.subscribepage.com        CloudFlare                  United States
-twitter.com                                              United States
-www.the-blockchain.com       CJ2 Hosting&Development     Netherlands
-www.digitaljournal.com       Digital Journal, Inc.       United States
-lt.linkedin.com              LinkedIn Corporation        United States
-medium.com                   CloudFlare                  United States
-cointelegraph.com            CloudFlare                  United States

Please, do not fence us in further!

polonus

Just stumbled upon this news:
https://gwillem.gitlab.io/2017/11/07/cryptojacking-found-on-2496-stores/

Coinhive cryptominer activity going on on over 2500 hacked Magento webshop websites.
Re: https://twitter.com/gwillem/status/928033303466266626

I hope users stop this by using a decent adblocking or scriptblocking extension or a miner blocker extension.

Willem de Groot added this to his software here: https://github.com/gwillem/magento-malware-scanner/pull/157

One could scan a Magento CMS webshop site also here: https://www.magereport.com/

It would be better when browser developers brought a general broader solution to this problem inside the browser,
so users could be alerted to this abuse and eventually block mining through a site they visit.

As long as this has not been realised, we have to fence for ourselves,

polonus

An attack scenario we could distill from the Coin Hive cryptojacking signatures developed by Willem de Groot comes for Magento webshop sites with amasty.biz vulnerable code. Read: https://support.hypernode.com/knowledgebase/how-to-protect-magento-from-amasty-product-feed-local-file-disclosure/

Rule:

@@ -648,6 +673,8 @@ ZXZhbChiYXNlNjRfZGVjb2RlK
aHR0cDovL3Bhc3RlYmluLmNvbS9yYXcv
account-mage.su/
air-frog33.pw/
+aleinvest.xyz/
+alemoney.xyz/
amasty.biz/
analiticoscdn.com/
animalzz921.pw/
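Review bot: the two added entries `aleinvest.xyz/` and `alemoney.xyz/` keep the list's alphabetical order between `air-frog33.pw/` and `amasty.biz/`, but, like the neighbouring entries, they are bare host strings with no note on where they were observed; a one-line source reference in the commit message or a comment beside the entries would let later maintainers verify or retire them once the domains go dark.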

Example https://www.magereport.com/scan/?s=+UNDERARMOUR.COM

polonus

Working the Cipscis - Fallout - Scriptvalidator for errors that do not always come up with other methods:

Example code taken from

line 39 towards line 45 here: https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.paperkrane.com&ref_sel=GSP2&ua_sel=ff&fs=1

Working out this standard with function tooltips

< / script >
40: < !-- /all in one seo pack -->
41: < link rel='stylesheet' id='contact-form-7-css' href='-http://www.paperkrane.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=4.0.3' type='text/css' media='all' />
42: < link rel='stylesheet' id='cpsh-shortcodes-css' href='-http://www.paperkrane.com/wp-content/plugins/column-shortcodes/assets/css/shortcodes.css?ver=0.6.6' type='text/css' media='all' />
43: < link rel='stylesheet' id='blahlab-theme-grid-css' href='-http://www.paperkrane.com/wp-content/themes/paperkrane/assets/stylesheets/standalone/grid.css?ver=4.1.20' type='text/css' media='all' />
44: < link rel='stylesheet' id='blahlab-external-googlefonts-css' href='-http://fonts.googleapis.com/css?family=Droid+Serif%3A400%2C400italic|Droid+Sans&ver=4.1.20' type='text/css' media='all' />
45: < link rel='stylesheet' id='blahlab-theme-style-css' href='-http://www.paperkrane.com/wp-content/themes/paperkrane/assets/stylesheets/standalone/style.css?ver=4.1.20' type='text/css' media='all' />
All links inside the validation are broken, because of:
https://urlquery.net/report/6380f772-ee76-42f8-99ff-34728fc03f6f (suspicious code detected).

Always into this because of the (in)security aspects of code, because of polonus's interest in voluntary website security analysis and website error-hunting, and always looking for new angles to come up with,

Damian

P.S.

A parser-blocking, cross site (i.e. different eTLD+1) script, htxp://www.google-analytics.com/ga.js, is invoked via document.write. The network request for this script MAY be blocked by the browser in this or a future page load due to poor network connectivity. If blocked in this page load, it will be confirmed in a subsequent console message. See https://wXw.chromestatus.com/feature/5718547946799104 for more details.
Courtesy Google Chrome’s developer console.
on my Greasemonkey json script - reported
Uncaught SyntaxError: Unexpected end of JSON input
at JSON.parse ()
at XMLHttpRequest.xhr.onreadystatechange

pol

You could check here whether your browser is vulnerable: https://mineblock.org/
I get:

If the miner doesn't start, your browser is safe! Can't start miner. Your browser is safe!
The baddies are listed here: http://www.badbitcoin.org/thebadlist/

Bad Bitcoin i.m.o. is a big Ponzi-like blockchain scam scheme, like the Black Tulip hype in the days of our Dutch painter Rembrandt; moreover, the bitcoin value now halves every three years and over a few decades all present bitcoins will be mined.

When you wanna block mal-ads, you certainly wanna block bad-bitcoin-mining as well;
a good adblocker and scriptblocker combination will keep you safe from bitcoin mining scripts:
uBlockOrigin together with uMatrix.

polonus

Check how privacy (un)friendly a webproxy is:

Beta-testing: https://privacyscore.org/site/34967/

Here we see issues: https://threatintelligenceplatform.com/report/proxy-de1.toolur.com/sCpTixZZn6

Here we found 3 problems: https://mxtoolbox.com/domain/proxy-de1.toolur.com/

F-grade status and recommendations: https://observatory.mozilla.org/analyze.html?host=proxy-de1.toolur.com

polonus (volunteer website security analyst and website error-hunter)

P.S. What strikes us in the results of this proxy website example as insecure is that the webproxy site does offer https, but does not automatically default to it from http!
Secondly it serves up sub-secure ciphers and furthermore the server is vulnerable to Poodle, while also the nameserver has version info proliferation: 9.9.4-RedHat-9.9.4-51.el7 (so one could check for vuln. and exploits, which attackers could do).
Also a warning goes for undesired redirects!

Damian

Interesting resources on BGP Security and Routing: http://moo.cmcl.cs.cmu.edu/~dwendlan/routing/

Check site example: https://ip.rst.im/dig/internal.akamaistream.net.

Later we found via another check: as21342/moas
Rate - 4.0 ; 2 Router Leaks ; 54 MOAS ; 532 DDoS amplifiers

Now that sitevet dot com, also an AS bad-history resource, has disappeared, we have to look out that servers do not overreach and quotes and sources thus disappear for researchers. :wink:

Linkrot is the worst enemy of a volunteer website security analyst and website error-hunter like little old me,

polonus

Because of recent and present threats to BGP security and the cold cyber-war,
Russia is planning to eventually set up its own Internet only in BRICS countries.

Read here: https://www.theregister.co.uk/2017/12/01/russia_own_internet/

Here a map of the Root Server Technical Operations Assn: http://www.root-servers.org/

Then the root files: https://www.iana.org/domains/root/files

But there are also new innovative solutions like blockstack coming: https://github.com/blockstack/atlas

polonus (volunteer website security analyst and website error-hunter)

New Panopticlick scan launched:

https://www.eff.org/deeplinks/2017/11/panopticlick-30

See: https://panopticlick.eff.org/

Is your browser blocking tracking ads? ✓ yes
Is your browser blocking invisible trackers? ✓ yes
Does your blocker stop trackers that are included in the so-called “acceptable ads” whitelist? ✓ yes
I just changed my profile using the canvas fingerprint extension.

Current canvas noise hash
#14afxxxxxxxxxxxxxxx3244bxx0271
Last changed: December 4 00:01

polonus

Is your browser blocking tracking ads? Partial protection. Considering my ad blocker is Adblock Plus, it might be true.
Is your browser blocking invisible trackers? Partial protection. So Firefox's built-in tracking protection is not enough.
Firefox uses the disconnect.me tracking list, @_@ I really need a plugin/addon for this huh.
Does your browser stop trackers…acceptable ads? No. Same answer as my previous one.
Does your browser unblock third parties…Do Not Track? No. I set my browser to always block third party trackers.
Does your browser protect you from fingerprinting? Your browser has a unique fingerprint.

Full result of browser fingerprinting:
Screen size is wrong.
No timezone, undefined plugin details.
System fonts are wrong, there are fonts missing from the list.
User agent: Firefox 52; no, I'm using Firefox 57.

Nice new scanner outlay for Cymon - Search Threats.

Example of a random IP search result:
https://app.cymon.io/search/ip/209.202.252.95

Enjoy my good friends, enjoy

P.S. Missed completely here: https://www.virustotal.com/#/url/4f5f0accd4fc42fcd4c51851d77c980eaa6f0016aea08de65e3cf3cbb0da9853/detection

Can be combined with these results: https://ransomwaretracker.abuse.ch/ip/209.202.252.95/
and these: https://www.scumware.org/report/209.202.252.95.html

polonus (volunteer website security analyst and website error-hunter)

Some signs of computer compromise:

Your AV is disabled and you did not do this yourself.

You get a ransom message and it does not go away after restarting your computer.

You get frequent pop-ups at a time.

Your online passwords do not work anymore and you did not change them.

Unapproved software starts to download suddenly, and you did not allow it to do so.

Your websearches in your browser are redirected.

Your browser suddenly has a new toolbar added.

You are sending spam to friends on social media, for instance, and you did not do that yourself.

Your mouse suddenly starts to move all by itself.

Conclusion: all could be signs of an infested computer or someone hacking into it.

polonus

Is your server secure against a 19 year old revived crypto attack threat, called by the name of ROBOT?
Background read (facebook has been patched): https://www.theregister.co.uk/2017/12/13/robot_tls_rsa_flaw/

Read: https://robotattack.org/

Check: https://robotattack.org/check/?h= (for h, give the domain name with www and without).

Test also added here now: https://testssl.sh/

Here: https://github.com/RUB-NDS/TLS-Attacker

Here: https://github.com/tomato42/tlsfuzzer

and here: https://dev.ssllabs.com/

Vulnerable server admins are advised to install available updates or whenever possible disable TLS RSA encryption functionality.

How this could have been kept under the detection radar for that long (19 years) is so far unknown,
but again makes the infrastructure an even more insecure theater.

polonus (volunteer website security analyst and website error-hunter)
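How the advice above to disable TLS RSA key exchange translates into a cipher list, as an added example that is not from this thread or from any of the linked tools: a small Python helper that classifies IANA and OpenSSL cipher-suite names by key exchange, the part ROBOT (a Bleichenbacher padding oracle) depends on, and splits a legacy list into suites to keep and suites to drop. The suite names are real; `SAMPLE_SUITES`, the function names and the audit of the local OpenSSL defaults are the example's own assumptions.

```python
"""Flag cipher suites whose key exchange is plain RSA encryption (ROBOT surface)."""
import ssl

# OpenSSL suite-name prefixes whose key exchange does NOT encrypt the premaster
# secret under the server's RSA key (DHE-RSA / ECDHE-RSA use RSA only to sign).
_NON_RSA_KX_PREFIXES = {"ECDHE", "ECDH", "DHE", "EDH", "DH", "ADH", "AECDH",
                        "PSK", "SRP"}


def uses_static_rsa_kx(name: str) -> bool:
    """True when the suite transports the premaster secret with RSA encryption."""
    if name.startswith("TLS_"):
        # IANA naming: TLS_<kx>_WITH_...; TLS 1.3 names (TLS_AES_...) have no RSA kx.
        return name.startswith(("TLS_RSA_WITH_", "TLS_RSA_PSK_WITH_"))
    # OpenSSL naming: no key-exchange prefix means static RSA (AES128-GCM-SHA256);
    # RSA-PSK-* also wraps the premaster secret under RSA.
    kx = name.split("-")[0]
    return kx == "RSA" or kx not in _NON_RSA_KX_PREFIXES


def split_suites(names):
    """Return (keep, drop): suites safe against ROBOT and suites to remove."""
    keep = [n for n in names if not uses_static_rsa_kx(n)]
    drop = [n for n in names if uses_static_rsa_kx(n)]
    return keep, drop


def openssl_cipher_string(names) -> str:
    """Join kept OpenSSL names into an ssl_ciphers / SSLCipherSuite value."""
    return ":".join(names)


# Constructed legacy list (OpenSSL naming) as a ROBOT-vulnerable server might use.
SAMPLE_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA", "AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA",
]


def audit_local_openssl():
    """Audit the suites the local OpenSSL build enables by default."""
    names = [c["name"] for c in ssl.create_default_context().get_ciphers()]
    return split_suites(names)


if __name__ == "__main__":
    keep, drop = split_suites(SAMPLE_SUITES)
    print("drop (static RSA key exchange):", drop)
    print("ssl_ciphers " + openssl_cipher_string(keep) + ";")
    print("local defaults still offering static RSA:", audit_local_openssl()[1])
```

Feeding the resulting cipher string back to the server and re-running testssl.sh or the robotattack.org check confirms the RSA key-exchange suites are gone.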

Checked here: https://www.detectadblock.com/

It said that I am allowing ads, good for me.

I have an anti-adblock-solution of sorts running under my Tampermonkey user-script extension,
called Anti-Adblock Killer | Reek and it does a great job for me.

When I meet an adblocker blocker I can choose to block their ads and visit the site via a webproxy anyway.

Else the risk of getting any (3rd party) mal-ad-code is too great a risk in my opinion to even consider lifting my adblocker.

polonus (volunteer website security analyst and website error-hunter)

Test your browser against password manager leak:
https://senglehardt.com/demo/no_boundaries/loginmanager/
This is because web trackers follow internet users via password managers.

polonus

Tested IP here: https://www.perfect-privacy.com/check-ip/

Results OK for

HTTP metadata does not contain any suspicious information
HTTP_VIA - empty -
HTTP_CLIENT_IP - empty -
HTTP_CLIENT_IP (DNS) - empty -
HTTP_FROM - empty -
HTTP_X_REAL_IP - empty -
HTTP_X_FORWARDED - empty -
HTTP_X_FORWARDED_FOR - empty -
Java disabled
Flash disabled
:wink:

polonus

Check your Spectre CPU vulnerability here

http://xlab.tencent.com/special/spectre/spectre_check.html

Enjoy, my friends, enjoy,

polonus

I had thought this would actually be a CPU check for vulnerability, as per the ‘bold text.’

However, this would be browser check and not a CPU check.