I see a lot of entries for countmake.cool (purposely not linked) in my Content-Security-Policy logs. These are folks who have some malware installed on their desktop: when they surf to my blog, they get redirected and advertising gets injected. Except that my CSP forbids this (since I don't grant that host img-src or script-src permission).
I wrote about this earlier. I'm appalled that such things exist. I'm also saddened that it's come to this, a spy-vs-spy one-upmanship game where people like me spend time adding rules to prevent malware writers from taking advantage of folks.
Once again, I'll suggest an action. Head to https://observatory.mozilla.org. Enter a site name that you use. If it doesn't get a great score, write to the owner: get it fixed.
Something interesting / disturbing just happened to me. I was trying out my new Bluetooth headset to make sure it supported aptX and would pair to two devices. So, while watching a YouTube video, I used Skype to dial my phone.
Oddly, I got a high-fidelity playback of my voice mail (ironically a bunch of CRA scams). Hmm, but it's not from the phone. It's from the PC. Weird.
So I dig in a bit. It turns out that if my caller ID is set to my own phone number, the voice mail system just assumes it's me and starts playing.
Given that caller ID is trivial to spoof, this means there's really no security here.
Anyone else care to try this? I tried on Koodoo if it matters.
Over on my corporate blog I did a post with more details. But, recently I updated this site's Content-Security-Policy rules. I enabled reporting of violations (expecting none).
To my surprise and chagrin, there were some reports. How? The site being blocked was rasenalong<dot>com. Huh? Not mine, not my content, I don't use a CDN, I don't serve ads.
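The reports that produced that surprise are the JSON bodies a browser POSTs to the CSP report-uri. Here is an added example (not code from this blog) that parses a batch of such reports, tolerates malformed lines, and counts blocked hosts per directive, so that injected third-party hosts stand out from the site's own. The report bodies, the blog.example host and the SELF_HOSTS allow-list are constructed for the example; the two blocked domains are the ones mentioned above.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample CSP violation reports, shaped like what a browser
# POSTs to report-uri. The bodies are made up for this example.
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/1",
        "violated-directive": "script-src",
        "effective-directive": "script-src",
        "blocked-uri": "https://countmake.cool/inject.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/post/2",
        "violated-directive": "img-src",
        "effective-directive": "img-src",
        "blocked-uri": "https://countmake.cool/pixel.gif"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/",
        "violated-directive": "script-src 'self'",
        "blocked-uri": "https://rasenalong.com/ads.js"}}),
    json.dumps({"csp-report": {
        "document-uri": "https://blog.example/",
        "violated-directive": "script-src",
        "blocked-uri": "inline"}}),
    "not json at all",  # a garbage line, to show the parser skips it
]

# Assumed allow-list: hosts the site legitimately loads from (matches the CSP).
SELF_HOSTS = {"blog.example"}

def blocked_host(report_line):
    """Return (directive, host) for one report, or None if it is malformed.
    Keyword values such as 'inline' or 'eval' are returned as-is."""
    try:
        body = json.loads(report_line)["csp-report"]
        directive = body.get("effective-directive") or body["violated-directive"]
        blocked = body["blocked-uri"]
    except (ValueError, KeyError, TypeError):
        return None
    host = urlsplit(blocked).hostname if "://" in blocked else blocked
    return directive.split()[0], host or blocked

def summarize(lines):
    """Count (directive, host) pairs that were blocked and are not the site itself."""
    counts = Counter()
    for line in lines:
        parsed = blocked_host(line)
        if parsed and parsed[1] not in SELF_HOSTS:
            counts[parsed] += 1
    return counts

if __name__ == "__main__":
    for (directive, host), n in summarize(SAMPLE_REPORTS).most_common():
        print(f"{n:4d}  {directive:<12} {host}")
```

A host that shows up under several directives from many different document-uri values, as countmake.cool does here, is the signature of something injected on the visitor's side rather than a missing rule in your own policy.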
This was the subject of last night's Chautauqua. I have posted the video (and the slides) if you want to see.
I am appalled. I Can't Even.
I've also posted a shorter lightboard video which talks about this a bit. Go forth and fix your own sites now, please.
I thought I would share some of the hands-on how-to and learning of hardening some web sites and applications. I posted a bit about this here (and in the video at the bottom).
If you are interested in sharing what you've learned about assessing a web app/API/site for security, how to harden it, and some of the tools involved, come on out.
I will then show some of the complex things you can do with a Web Application Firewall (WAF), using lua-resty-waf (https://github.com/p0pr0ck5/lua-resty-waf) as an example, if you are stuck with a weak app and no way to fix its code.