*** The Security News Thread ***

[harrybarracuda]

Researchers at Princeton University have found that over 480 globally popular websites are keylogging data and sending it to third-party servers. Some of the most popular and heavy-trafficked websites in the world were found running third-party scripts called "session replay" scripts, that can track users' every letter typed and every click and more which in turn were sent to third-party servers across the globe.


The researchers' revelations indicate the invasive extent to which users' online activities are tracked. In the first instalment of a series titled "No Boundaries", researchers from Princeton's Center for Information Technology Policy (CITP), said even in instances where users have visited a site to fill an online form, but left it incomplete and abandoned it, every single letter typed is recorded.


The researchers studied seven of the most popular session replay firms - FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar, and the highly popular Russian search engine Yandex. The study's findings revealed that at least one of the firms' scripts is being used by 482 of the world's top 50,000 sites, according to Alexa's ranking.


Click here to check out the list of websites using session replay scripts.


What is session replay?


According to the researchers, "session replay" scripts are commonly used by companies to help them understand how their customers are using the firms' sites. However, instead of recording general statistics about users' behaviour, the scripts record and can also replay entire individual browsing sessions. The researchers say the scripts are often found on pages where users input their sensitive information, including passwords, credit card data and medical condition.


"These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers," the researchers said in a blog.


Motherboard reported that firms like Fullstory that provide such user-tracking software, also design tracking scripts that allow companies to connect a user's real identity with the data collected. This means, by using such software, companies can see a user linked to a specific name and/or email.


"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording," the researchers added. "This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes."


Motherboard reported that the researchers are concerned about companies using session scripts being vulnerable to targeted hacks, especially given how hackers would likely consider them high- value targets. In case of Yandex, Smartlook and Hotjar, which run HTTP instead of the more secure and encrypted HTTPS pages, researchers believe hackers could launch a man-in-the-middle attack to "extract all of the recording data".


Fortunately, users can block session replay scripts using the popular ad-blocking tool AdBlock Plus. As a result of the revelations brought to light by the Princeton University researchers, AdBlock Plus issued an update to block all session replay scripts.

Your every keystroke is recorded by over 480 of the most popular websites in the world

[Dragonfly]

A very useful tech actually, a few tech startup in our investment portfolios are using those things

great tech, fuck the security warnings

[baldrick]

great tech

for exploiting lusers - great idea to allow exfiltration of your personal data to third party companies

your investments skills , like your IT skills , will prove to you and everyone else soon enough that this idea is sh1t that will be circumvented or sites using it will be ostrascised

proxy through archive.is , archive.li archive.eu will not have any of this crap running on your machine - expect plugins to detect and bypass automatically soon

offsite javascript is always a total security hazard

[harrybarracuda]

for exploiting lusers - great idea to allow exfiltration of your personal data to third party companies

your investments skills , like your IT skills , will prove to you and everyone else soon enough that this idea is sh1t that will be circumvented or sites using it will be ostrascised

proxy through archive.is , archive.li archive.eu will not have any of this crap running on your machine - expect plugins to detect and bypass automatically soon

offsite javascript is always a total security hazard

Don't be misled Baldrick.

Buttplug read something on someone's desk while he was emptying the bins.

[Dragonfly]

it's very convenient to see and analyze what users are doing,

that tech is spreading fast, everyone wants to know how UX is effective and that tool delivers

it has been around for a while and it's perfectly legitimate for a website to run it, I don't see AV blocking it, or else they would get sued

[harrybarracuda]

it's very convenient to see and analyze what users are doing,

that tech is spreading fast, everyone wants to know how UX is effective and that tool delivers

it has been around for a while and it's perfectly legitimate for a website to run it, I don't see AV blocking it, or else they would get sued

So fucking sue them then, dickhead.



Fortunately, users can block session replay scripts using the popular ad-blocking tool AdBlock Plus. As a result of the revelations brought to light by the Princeton University researchers, AdBlock Plus issued an update to block all session replay scripts.

[Dragonfly]

no big deal, most people don't use AdBlock Plus, at least the ones you want on your website, not the Indian dickheads like you

as long as it's not the AV firms, we are fine !!!

[harrybarracuda]

no big deal, most people don't use AdBlock Plus, at least the ones you want on your website, not the Indian dickheads like you

as long as it's not the AV firms, we are fine !!!

Yeah, thought so, you're full of shit as usual.

[Dragonfly]

hey you are the filthy Indian, not I

[harrybarracuda]

hey you are the filthy Indian, not I

I don't think you even get that high on the pay grade, you weird stalker.

[Mr Earl]

When Butters met Harry....
go ahead Harry put some butter on your finger!

[harrybarracuda]

When Butters met Harry....
go ahead Harry put some butter on your finger!

Careful Mr. E, you don't want to attract his attention, he might start PM'ing you for a meet.

[Dragonfly]

hey harry, you have a new boyfriend ? he loves Trump as much as I do

[harrybarracuda]

hey harry, you have a new boyfriend ? he loves Trump as much as I do

Good, maybe he'll fuck you up the arse then.

[harrybarracuda]

Either Uber's accounting & auditing is shite or the CEO should be the one taking the fall.

Actually, looking at it, he did.

What about the CFO though?

Uber Chief Security Office Joe Sullivan and the lawyer reporting to him were fired after paying hackers $100,000 to cover up a massive data breach from October 2016, the company’s CEO confirmed on Tuesday, Bloomberg writes. The ride-service provider was hacked after two cyber criminals acquired the login credentials of the Amazon Web Services account that stored Uber’s data.

The data breach affected Uber clients and drivers from around the world, but the victims and regulators were never informed. Hackers stole names and drivers’ license numbers of some 600,000 drivers in the US, and personal information of 57 million account holders, such as names, email addresses and mobile phone numbers. They did not get into the corporate systems or infrastructure, nor did they steal information related to trip location history, credit card numbers, bank account numbers, Social Security numbers or dates of birth, confirmed Uber CEO Dara Khosrowshahi.

“None of this should have happened, and I will not make excuses for it. While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes,” Khosrowshahi said. “We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.”

Former Uber CEO Travis Kalanick was informed of the breach in November 2016, during a separate federal investigation by the Federal Trade Commission for privacy violations.
Uber ensures the stolen information has been destroyed. At the moment of writing, no evidence of fraud or misuse has been detected. Affected accounts are monitored and will receive extra fraud protection.

https://hotforsecurity.bitdefender.com/blog/uber-chief-security-officer-fired-after-massive-data-breach-cover-up-19246.html

[harrybarracuda]

Did Intel leave a huge security hole in your brand new PC?

By Darren Allan4 hours ago

Skylake or later processors are affected by a range of flaws

There’s a huge and extremely worrying range of flaws in newer Intel processors which could allow hackers to take full control over the relevant machines – with millions of PCs potentially affected.

After a severe exploit was uncovered by Mark Ermolov and Maxim Goryachy, Moscow-based security experts who work for Positive Technologies Research, Intel has admitted that some 10 vulnerabilities exist in the Intel Management Engine, Trusted Execution Engine and Server Platform Services.

As mentioned, these flaws can be leveraged to remotely execute commands, take control of machines and pilfer precious data, and they affect all of Intel’s Core series of processors from Skylake (6th-generation) onwards, including the firm’s latest 8th-gen CPUs.

Many Xeon as well as Atom, Pentium and Celeron processors are also hit by these gremlins. Intel lists the full details of chips which are affected here, and also offers a detection tool to check whether your system is subject to these gaping holes (although note that the utility is designed for businesses, not consumer users).

As Ars Technica reports, the majority of the vulnerabilities (six of them) affect the Intel Management Engine, an independent subsystem on the firm’s processors which Intel says is designed for remote admin, but which has long been criticized as a potential backdoor in some quarters.

Minix mayhem

There’s been a lot of controversy about the Management Engine of late, because it was found to run a version of Minix – a ‘mini-Unix’ OS originally created by Andrew Tanenbaum for educational purposes, but apparently adapted by Intel for its processors.

Much of the controversy has bubbled around the fact that the user has no access to this Minix OS, yet it has full access to the host PC, as Network Worldpointed out earlier this month. And this has long been feared as a big security risk – and now proven so with the discovery of these exploits that can be executed via the Management Engine.
This really is quite mind-boggling stuff, topped by the fact that even Tanenbaum, the creator of Minix, didn’t realize that Intel was using his OS inside its chips in such a manner (according to Maxim Goryachy).

Naturally, there’s a big scramble underway to patch the vulnerabilities, and Intel suggests that affected users should check for new firmware from their PC manufacturer.

Lenovo is apparently going to have patched firmware rolling out tomorrow, with Dell working on the problem as well, but there’s no ETA regarding the latter’s patch. Other PC manufacturers are doubtless beavering away, too (you would hope).

Meanwhile, in the broader picture going forward, it’ll be interesting to see how Intel fights the flames which will doubtless be raging around the issue of exactly what is going on inside the firm’s CPUs when it comes to the Management Engine.

Modern operating systems and processors should be built to be increasingly secure, of course, but this is clearly a huge step backwards for Intel on the security front.

Did Intel leave a huge security hole in your brand new PC? | TechRadar

[OhOh]

eah but that's Swahili to a lot of people. I think it's important to keep it really simple so that people like Albert, ENT and OhOh can understand it.

I'm going for the lowest common denominator.

Here's me thinking it was a bondage thread. 'arry I struggle with English. Don't try and confuse me with Swahili, is that a new browser for Windows 10?

Doesn't the government here provide security?

[harrybarracuda]

Here's me thinking it was a bondage thread.

The defence rests its case, m'lud.

[harrybarracuda]

DNS resolver 9.9.9.9 will check requests against IBM threat database

Group Co-founded by City of London Police promises 'no snooping on your requests'

By Richard Chirgwin 20 Nov 2017 at 06:58

The Global Cyber Alliance has given the world a new free Domain Name Service resolver, and advanced it as offering unusually strong security and privacy features.

The Quad9 DNS service, at 9.9.9.9, not only turns URIs into IP addresses, but also checks them against IBM X-Force's threat intelligence database. Those checks protect agains landing on any of the 40 billion evil sites and images X-Force has found to be dangerous.

The Alliance (GCA) was co-founded by the City of London Police, the District Attorney of New York County and the Center for Internet Security and styled itself "an international, cross-sector effort designed to confront, address, and prevent malicious cyber activity."

IBM's helped the project in two ways: back in 1988, Big Blue secured the 9.0.0.0/8 block of 16 million addresses, which let it dedicate 9.9.9.9 to the cause.

The Alliance, which oversees the initiative, said the other partner, Packet Clearing House, gave the system global reach via 70 points of presence in 40 countries.

It claimed users wouldn't suffer a performance penalty for using the service, but added it plans to double the Quad9 PoPs over the next 18 months.

GCA, which did the development work, also coordinated the threat intelligence community to incorporate feeds from 18 other partners, “including Abuse.ch, the Anti-Phishing Working Group, Bambenek Consulting, F-Secure, mnemonic, 360Netlab, Hybrid Analysis GmbH, Proofpoint, RiskIQ, and ThreatSTOP.”

The organisation promised that records of user lookups would not be put out to pasture in data farms: “Information about the websites consumers visit, where they live and what device they use are often captured by some DNS services and used for marketing or other purposes”, it said. Quad9 won't “store, correlate, or otherwise leverage” personal information.

Google makes the same promise for its 8.8.8.8 DNS service, saying: “We don't correlate or combine information from our temporary or permanent logs with any personal information that you have provided Google for other services.” However, most home users accept the default configuration for their ISP, each of which will have its own attitude to monetising user data.

GCA also said it hoped the resolver would attract users on the security-challenged Internet of Things, because TVs, cameras, video recorders, thermostats or home appliances “often do not receive important security updates”.
If you're one of the lucky few whose ISP offers IPv6, there's a Quad9 resolver for you at 2620:fe::fe (the PCH public resolver). ®

https://www.theregister.co.uk/2017/1..._dns_resolver/

[harrybarracuda]

But it's OK because Apple is *really* secure....

If you own a Mac computer and run the latest version of Apple’s operating system, macOS High Sierra, then you need to be extra careful with your computer.

A serious, yet stupid vulnerability has been discovered in macOS High Sierra that allows untrusted users to quickly gain unfettered administrative (or root) control on your Mac without any password or security check, potentially leaving your data at risk.

Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter “root” into the username field, leave the password blank, and hit the Enter a few times—and Voila!

In simple words, the flaw allows an unauthorized user that gets physical access on a target computer to immediately gain the highest level of access to the computer, known as “root,” without actually typing any password.

https://vulners.com/thn/THN:47FC768D...n=browserPopUp

[Dragonfly]

Group Co-founded by City of London Police promises 'no snooping on your requests'

right

Discovered by developer Lemi Orhan Ergin on Tuesday, the vulnerability only requires anyone with physical access to the target macOS machine to enter “root” into the username field, leave the password blank, and hit the Enter a few times—and Voila!

got to try it on a mactard

[harrybarracuda]

Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser
2017-11-29 22:19:00
Reporter Swati Khandelwal
Modified 2017-11-30 0955




Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser.


Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor’s PC to mine Bitcoin or other cryptocurrencies.


After the world’s most popular torrent download website, The Pirate Bay, caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.


However, websites using such crypto-miner services can mine cryptocurrencies as long as you’re on their site. Once you close the browser window, they lost access to your processor and associated resources, which eventually stops mining.


Unfortunately, this is not the case anymore.


Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.


How Does This Browser Technique Work?


According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft’s Windows computer.


From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.


Researchers say this technique is a lot harder to identify and able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted by Amazon Web Servers.


“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself,” Jérôme Segura, Malwarebytes’ Lead Malware Intelligence Analyst, says in the post. “Closing the browser using the “X” is no longer sufficient.”


To keep itself unidentified, the code running in the hidden browser always takes care of the maximum CPU usage and maintains threshold to a medium level.


You can also have a look at the animated GIF image that shows how this clever trick works.


This technique works on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.


How to Block Hidden Cryptocurrency Miners


If you suspect your computer CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find any browser icon there, your computer is running a crypto-miner. Now simply, kill it.


More technical users can run Task Manager on their computer to ensure there is no remnant running browser processes and terminate them.


Since web browsers themselves currently are not blocking cryptocurrency miners neither does the integrated Windows Defender antivirus software, you can use antivirus programs that automatically block cryptocurrency miners on web pages you visit.


For this, you can contact your antivirus provider to check if they do.


Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.


Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.


No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

https://vulners.com/thn/THN:AC3A8FB7...n=browserPopUp

[Dragonfly]

Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser
2017-11-29 22:19:00
Reporter Swati Khandelwal
Modified 2017-11-30 0955




Some websites have found using a simple yet effective technique to keep their cryptocurrency mining javascript secretly running in the background even when you close your web browser.


Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize by levying the CPU power of their visitor’s PC to mine Bitcoin or other cryptocurrencies.


After the world’s most popular torrent download website, The Pirate Bay, caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.


However, websites using such crypto-miner services can mine cryptocurrencies as long as you’re on their site. Once you close the browser window, they lost access to your processor and associated resources, which eventually stops mining.


Unfortunately, this is not the case anymore.


Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.


How Does This Browser Technique Work?


According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft’s Windows computer.


From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.


Researchers say this technique is a lot harder to identify and able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted by Amazon Web Servers.


“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself,” Jérôme Segura, Malwarebytes’ Lead Malware Intelligence Analyst, says in the post. “Closing the browser using the “X” is no longer sufficient.”


To keep itself unidentified, the code running in the hidden browser always takes care of the maximum CPU usage and maintains threshold to a medium level.


You can also have a look at the animated GIF image that shows how this clever trick works.


This technique works on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.


How to Block Hidden Cryptocurrency Miners


If you suspect your computer CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find any browser icon there, your computer is running a crypto-miner. Now simply, kill it.


More technical users can run Task Manager on their computer to ensure there is no remnant running browser processes and terminate them.


Since web browsers themselves currently are not blocking cryptocurrency miners neither does the integrated Windows Defender antivirus software, you can use antivirus programs that automatically block cryptocurrency miners on web pages you visit.


For this, you can contact your antivirus provider to check if they do.


Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.


Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.


No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

https://vulners.com/thn/THN:AC3A8FB7...n=browserPopUp

nice,

[Dragonfly]

According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft’s Windows computer.

actually my favorite porn sites are doing exactly the same thing while I wank

so wanking is now profitable business thanks to porn Cryptos mining,

[harrybarracuda]

actually my favorite porn sites are doing exactly the same thing while I wank

so wanking is now profitable business thanks to porn Cryptos mining,

Why bother commenting Buttplug?

Everyone knows you're a wanker already.