db – Don's Blog

Author: db

The Sad Case of the ccTLD, the CSP, and the Wildcard

dbPosted on 2020-02-16 Posted in all No Comments

Content-Security-Policy. Make it tight.

Google, allow it to reference your images so they show in the search box.

Wildcards. You can specify the left-side (*.domain) but not the right side (domain.*).

OK, lets look up the list of google domains. I'll let you Bing that. The answer is here.

Huh. That is a lot.

.google.com 
.google.ad 
.google.ae 
.google.com.af 
.google.com.ag 
.google.com.ai 
.google.al
.google.am
.google.co.ao
.google.com.ar
...

Its larger than the probably allowable size of a Content-Security-Policy header. What is one to do? make img-src be *? But then the ad malware wanders in. Pick a few and hope?

Anyone have a suggestion for a best practice?

My content-security-policy has blocked more malicious ads

dbPosted on 2020-02-16 Posted in all 1 Comment

I see a lot of entries for countmake.cool (purposely not linked) in my Content-Security-Policy logs. These are folks who have some malware installed on their desktop, when they surf to my blog, they get redirected and advertising injected. Except that my CSP forbids this (since I don't allow them img-src or script-src permission).

I wrote about this earlier. I'm appalled that such things exist. I'm also saddened that its come to this, a spy-vs-spy one-upmanship games where people like me spend time adding rules to prevent malware writers from taking advantage of folks.

Once again, I'll suggest an action. Head to https://observatory.mozilla.org. Enter a site name that you use. If it doesn't get a great score, write to the owner: get it fixed.

Voice mail security?

dbPosted on 2020-02-09 Posted in all No Comments

Something interesting / disturbing just happened to me. I was trying out my new bluetooth headset to make sure it supported aptX and would pair to two devices. So, while watching a youtube video, i used skype to dial my phone.

Oddly, I got a high-fidelity playback of my voice mail (ironically a bunch of CRA scams). Hmm, but its not from the phone. Its from the PC. Weird.

So I dig in a bit. It turns out that if my caller ID is set to my own phone number, it just assumes its me and starts playing.

Given that caller ID is trivial to spoof, this means there's really no security here.

Anyone else care to try this? I tried on Koodoo if it matters.

I don’t run ads, I don’t serve malware

dbPosted on 2020-01-29 Posted in all 2 Comments

Over on my corporate blog I did a post with more details. But, recently I updated this site's Content-Security-Policy rules. I enabled reporting of errors (expecting none).

To my surprise and chagrin, there were some reports. How? The site that was being blocked rasenalong<dot>com. Huh? Not mine, not my content, I don't use CDN, I don't serve ads.

Turns out that some of you have a malware extension in your browser called LNKR. And, it modifes the page of my site to add a bit of its own JavaScript, which then fetches scuzzy ads and places them on my site.

This was the subject of last night's Chautauqua. I have posted the video (and the slides) if you want to see.

I am appalled. I Can't Even.

I've also posted a shorter lightboard video which talks about this a bit. Go forth and fix your own sites now, please.

Next Waterloo Technology Chautauqua is nigh: who wants to learn about web app/api/site security?

dbPosted on 2020-01-27 Posted in all 1 Comment

Next Waterloo Technology Chautauqua is nigh: who wants to learn about web app/api/site security?

I thought I would share some of the hands-on how-to and learning of hardening some web sites and applications. I posted a bit about this here (and in vid @ bottom).

If you are interested in sharing learning on assessing a web app/api/site for security. How to harden it, showing some of the tools, come on out.

I will then show some of the complex things you can do w/ a Web Application Firewall (WAF) using resty-lua-waf (https://github.com/p0pr0ck5/lua-resty-waf) as an example, if you are stuck with a weak app and no way to fix its code.

Topics:

Content-Security-Policy
XSS-*
Cross Origin Request Sharing
HTTP Strict Transport Security
TLS setup
DNS CAA

Feel free to open https://observatory.mozilla.org/analyze/www.rbcroyalbank.com and be amazed @ the score of 0/100 (F).

Link below for where/when etc.

Waterloo Technology Chautauqua

Kitchener, ON
583 Members

[Chautauqua](https://en.wikipedia.org/wiki/Chautauqua) is a principle of continuous adult education.The seed of this group is a set of people who have worked together on a va...

Next Meetup

Securing a web (site/app/api): hands on!

Tuesday, Jan 28, 2020, 7:00 PM
7 Attending

Check out this Meetup Group →

Alex Leyn on My content-security-policy has blocked more malicious adsRe: spy-vs-spy: ICE and ultimately Black ICE are inevitable (regardless the “electronics” misnomer): https://en.m.wikipedia.org/wiki/Intrusion_Countermeasures_Electronics
Harish Venkatesh Kulkarni on Project lightboard: suggest some topicsAny security solution for IoT devices on the edge of the network as part of IoT router or manager
db on I don’t run ads, I don’t serve malwarehttps://observatory.mozilla.org/analyze/td.com
Moose on I don’t run ads, I don’t serve malwareTd.com B grade as per SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=authentication.td.com&hideResults=on
db on More gadgetry? 0-10V light control for the new officeits bluetooth with no particular antenna. so i would guess line of site no problem @ that distance. i didn't