Vulnerabilities

Don’t really know where to put this but the journalist Barton Gellman’s new book on Ed Snowden is being excerpted in various places and it makes for fascinating and frightening reading. The takeaway being that if you are a state target you’re pretty much screwed no matter how much you think you’re reducing your attack surface. Well, we knew that anyway but the scale of this surveillance apparatus is overwhelming.

2 Likes

The script performs these scans using WebSockets to connect to 127.0.0.1, which is the local computer, on the specified port.

Hm. That’s scanning from inside the router firewall, to ports otherwise not visible to the outside.
That’s. Not. Good.

6 Likes

That is worrying. Using the tactics of malware developers to probe your defences. I notice on Pale Moon and Firefox that uBlock Origin blocks the connection to src dot ebay-us dot com by default so I’m not seeing those port scans in the browser’s network inspector.

2 Likes

FYI: There are thousands of Chrome extensions with so, so many fake installations to trick you into using them

1 Like

It’s not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously

The NSA has raised the alarm over what it says is Russia’s active exploitation of a remote-code execution flaw in Exim for which a patch exists.

The American surveillance super-agency said [PDF] on Thursday the Kremlin’s military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.

1 Like

Anybody know what the deal is with this:

[image]

Is this a misconfiguration on my end? I’m using a fairly recent build of Opera, I’ve never seen this before on BB.

I’d guess there are resources or embeds leading to HTTP rather than HTTPS links, and that would be what the browser is complaining about.

1 Like

So that would be a matter for @orenwolf, not me?

PM me the error details and your browser version

OK, I did some housecleaning on my browser and it seems to have fixed the problem, so it must have been at my end. That does raise the question of why something on my machine would make Opera think it was serving me insecure material, but for the time being I’m going to chalk it up as one of those things.

Browsers shouldn’t really be allowing arbitrary JavaScript to open ports against the local machine, or other computers inside the router. That completely fucks up so many security assumptions.

This is a lot bigger than port scanning.

For example, I have SQL Server running on this machine. It has a listening server port to allow access from the Pis on my LAN. I’ve never really worried about locking that down tight, because the router doesn’t allow access to that port from outside. It would require a sneaky trojan running inside the firewall.

But then along comes some clever dick who thinks that’s a neat feature to add to the browser…

Someone could write a low-level SQL Server driver in JS, then when I surf to their site and it loads the script into the browser, it opens a socket to SQL Server, connects to a command/control socket out on the Internet, and has complete access with all the local permissions. (The router doesn’t block outgoing connections.) eta: They might have problems with authentication, but they could always fish for defaults, or find some other way around that. They shouldn’t even be allowed to try.

And that’s just one port. I haven’t bothered to check what other server ports Windows has listening in a long time because it’s kind of a lost cause: block all access from the Internet and move on.

Browsers need JavaScript, and JavaScript needs to open sockets to make all the nice modern stuff like WebSockets work, but allowing arbitrary cross-domain sockets, especially to the local machine, is a big “HACK ME!” sign on the browser.

eta: Oh good, with Firefox, the teachers are wearing condoms.

(A very old page, but top of the search results. Hopefully there’s something newer.)

4 Likes

Looking at what they’re saying about uBlock, it’s tackling the problem from the wrong end: blocking certain sites from doing this, when the fix needs to block all sites from doing this. (Because there will always be a bad actor that you don’t know about.)

4 Likes

Before seeing this mentioned the other day, I would have lost a bar bet by insisting that it just wasn’t possible from any sane browser. And that if it ever had been, it was likely an ActiveX issue that was fixed so many moons ago.

2 Likes

I know, right?

It’s been a hole for ages, but I assumed that they’d actually fixed it by now. Instead, it looks like they only patched it to block access to known ports as they were abused. (e.g. hijacking someone’s browser to connect to an SMTP email server to send spam.)

This reminds me of when people were moving from dial-up to always-online ADSL connections, and I had to emergency contact a friend.

“You have to lock down your computer right away, and close a few ports to the Internet.”
“Why is that?”
“Because I’ve just mounted your C drive over the Internet.”

Ugh, I don’t really want to jump into this rabbit hole, but I guess I have to.

6 Likes

Phucking with phirewall configs was NOT on my itinerary today.

2 Likes

IoT devices and UPnP are security risks! Shock!

3 Likes

Researchers unmask Indian ‘infosec’ firm to reveal hacker-for-hire op that targeted pretty much anyone clients wanted

Canada’s Citizen Lab laboratory has uncovered a hacks-for-hire phishing operation targeting anyone from political activists and oligarchs to lawyers and CEOs that hit more than 10,000 email inboxes over seven years.

They need to raid them and crack open their clients list.

The report said a large cluster of targeted individuals and organizations were involved in environmental issues and had campaigned against ExxonMobil, the US oil producer. They included the Rockefeller Family Fund, the Climate Investigations Center, Greenpeace, the Conservation Law Foundation, and the Union of Concerned Scientists. Exxon declined to comment before “reviewing the full report.”

I’m sure that Exxon will be getting back to them Real Soon Now.

3 Likes

It’s going to be like a whole bunch of mini Y2K bombs going off, especially hitting devices that never get updates.

5 Likes

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download.

Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records.