flat assembler
Message board for the users of flat assembler.
Heap > Why we should always disable JS (and flash)
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

Here we see yet another exploit:

https://github.com/dxa4481/Pastejacking

Quote:
Browsers now allow developers to automatically add content to a user's clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn't want to get run, and gain code execution.

Sigh, as always, none of this works without JS. No website can be trusted. Even your own personal website can be hacked/hijacked/redirected/etc. so you can't trust it. Without a chance to review the code before it is executed you cannot assure yourself you will never get caught by any previous, current, or future attack vectors.
Post 24 May 2016, 15:52
sleepsleep



Joined: 05 Oct 2006
Posts: 6961

new old thing comes after old old thing gone,
Post 25 May 2016, 01:05
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

JS in your email causes you to become a victim of ransomware.

http://www.scmagazine.com/new-raa-ransomware-written-in-javascript-discovered/article/504029/

So just keep those settings enabled that allow your computer to run unaudited and untrustworthy code, what could possibly go wrong?
Post 20 Jun 2016, 07:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

Tracking you with your battery state.

http://randomwalker.info/publications/OpenWPM_1_million_site_tracking_measurement.pdf

Naturally without JS it would never have worked, but, alas, so many sites now require people to enable JS because of course they would. How many more JS wonders await us?
Post 08 Nov 2016, 00:26
Furs



Joined: 04 Mar 2016
Posts: 901

Just always treat the browser as if it's foreign code -- in a sandbox, as a different user, with no access to your personal files (in my case, not even to write to the hard disk, only in tmpfs/RAM).

If you do something that you want to remain "secure" (i.e. your bank account) and are paranoid like me, simply kill the sandbox processes (or the user's processes), all of them, then remove the sandbox/profile and make a new one (from a saved one that's safe, manually inspected, of course). You don't need VM snapshots. For me it's a two-click process (one to kill & clean, one to relaunch the browser), because I made scripts that do this automatically :)

Obviously, the bank's site itself could have malicious JS. But then it still has no access to your files etc, so the only thing it can do is steal your password. But what's the point? You already trust their site to keep your password safe and authenticate it properly, so in this case there's no danger unless the site got hacked. In that case you get phished. But if the site got hacked then clearly he can just always "return true" when authenticating a password so that anything works etc...

Also: https://noscript.net/
Post 08 Nov 2016, 15:58
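As an added illustration of the "kill, clean, relaunch" routine described above (this is not Furs' script, nor anything from the flat assembler project), here is a POSIX sh version. The sandbox user name `browser`, the tmpfs profile path and the template path are assumptions; the browser launch line is left commented because the command depends on your setup.

```shell
#!/bin/sh
# Added example, not from the thread: reset a throwaway browser sandbox by
# killing everything running as the sandbox user, discarding the working
# profile, and restoring it from a manually inspected clean template.
# Assumed names (adjust to your own layout): user "browser", profile under
# a tmpfs mount at /run/browser-sandbox, template at /var/lib/browser-template.

SANDBOX_USER="${SANDBOX_USER:-browser}"
PROFILE_DIR="${PROFILE_DIR:-/run/browser-sandbox/profile}"
TEMPLATE_DIR="${TEMPLATE_DIR:-/var/lib/browser-template}"

# Kill every process owned by the sandbox user, politely first, then hard.
# Done before touching the profile so a still-running browser cannot write
# state (cookies, cache, session) back into the directory we are about to wipe.
kill_sandbox_user() {
    pkill -TERM -u "$1" 2>/dev/null
    sleep 1
    pkill -KILL -u "$1" 2>/dev/null
    return 0
}

# Replace the working profile with a fresh copy of the clean template.
# Refuses to do anything when the template is missing, so a typo in the
# template path cannot wipe the profile and then launch with leftovers.
# Exit status: 0 on success, 1 when the template directory does not exist.
reset_profile() {
    template="$1"
    profile="$2"
    [ -d "$template" ] || return 1
    rm -rf -- "$profile"
    mkdir -p -- "$(dirname "$profile")"
    cp -pR -- "$template" "$profile"
}

# Check whether the working profile still matches the clean template.
# Exit status: 0 = identical, 1 = the profile has drifted (e.g. after use).
profile_is_clean() {
    diff -r -q -- "$1" "$2" >/dev/null 2>&1
}

main() {
    kill_sandbox_user "$SANDBOX_USER"
    reset_profile "$TEMPLATE_DIR" "$PROFILE_DIR" || {
        echo "template $TEMPLATE_DIR missing, refusing to launch" >&2
        exit 1
    }
    # Relaunch as the unprivileged sandbox user (assumed browser command):
    # exec sudo -u "$SANDBOX_USER" firefox --profile "$PROFILE_DIR"
}

# Only run the destructive part when explicitly asked: ./reset-sandbox.sh run
case "${1:-}" in
    run) main ;;
esac
```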
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries


Furs wrote:
Just always treat the browser as if it's foreign code -- in a sandbox, as a different user, with no access to your personal files (in my case, not even to write to the hard disk, only in tmpfs/RAM).

I'm not sure that is enough. It might be necessary but it is not sufficient. Tracking is not just copying your files, it is about watching what you do.

If you search for "bomb making", "how to blow up an aeroplane", and the like, then if you are being tracked you might find someone knocking on your door ready to do you harm. It could be that your research is purely with the intent to help stop such things but when the thugs arrive at your door you won't be able to convince them of that.

It might be your bigoted neighbour that works for the NSA and doesn't like <some_stereotypical_group> that you support and when he notices from your online activity that you support said group he decides to make your life "unhappy".

Without JS enabling people to track you your activity can't be correlated, or at the very least your online activities become more difficult to trace as long as other precautions are followed (like deleting cookies, change the UA string, changing IP address, etc.).


Last edited by revolution on 10 Nov 2016, 13:31; edited 1 time in total
Post 09 Nov 2016, 04:01
jazz



Joined: 16 Jul 2016
Posts: 47


Furs wrote:



I'd suggest uMatrix instead. It allows finer control for the rare cases you want a website to allow one certain script.

_________________
invoke Beer
Post 09 Nov 2016, 19:54
Furs



Joined: 04 Mar 2016
Posts: 901

Interesting, thanks, had no idea of that extension :)
Post 10 Nov 2016, 13:28
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

And still more fun:

https://www.wired.com/2016/11/wickedly-clever-usb-stick-installs-backdoor-locked-pcs/ wrote:
With that interception point established, the malicious USB device waits for any request from the user’s browser for new web content; if you leave your browser open when you walk away from your machine, chances are there’s at least one tab in your browser that’s still periodically loading new bits of HTTP data like ads or news updates.

And without JS running none of this works. Running active content from untrusted remote computers, what could possibly go wrong?
Post 17 Nov 2016, 15:03
rugxulo



Joined: 09 Aug 2005
Posts: 2124
Location: Usono (aka, USA)


revolution wrote:

If you search for "bomb making", "how to blow up an aeroplane", and the like, then if you are being tracked you might find someone knocking on your door ready to do you harm. It could be that your research is purely with the intent to help stop such things but when the thugs arrive at your door you won't be able to convince them of that.



It's highly unlikely that anyone would actually learn enough via the raw Internet to be able to defuse any bombs. Even if they accidentally learned something useful, the low chances of them being in such situation makes it even more unlikely. Besides, they're more likely to search "bomb defusal" than "making".

But most ordinary searches are probably for song lyrics, book titles, movies, video games, or other banal items. So the spies/crooks/whatever are probably savvy enough to avoid false positives, which waste time and money. (The burritos are coming! The burritos are coming!)


Quote:

It might be your bigoted neighbour that works for the NSA and doesn't like <some_stereotypical_group> that you support and when he notices from your online activity that you support said group he decides to make your life "unhappy".



Unless you personally know of someone who has been persecuted (in your town/city), it's probably a waste of time to worry.

Having said that, I do 110% believe that such jerks exist, but there's not much you can do about it. Just don't do anything foolish (and "don't be overwise!").


Quote:

Without JS enabling people to track you your activity can't be correlated, or at the very least your online activities become more difficult to trace as long as other precautions are followed (like deleting cookies, change the UA string, changing IP address, etc.).



It's impossible to have zero footprint. I'm not saying you can't do minimal cleanups, but obsessive worrying is unlikely to help as much as you think it will. "Pray, hope, don't worry!"
Post 20 Nov 2016, 10:44
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries


rugxulo wrote:
It's highly unlikely that anyone would actually learn enough via the raw Internet to be able to defuse any bombs. Even if they accidentally learned something useful, the low chances of them being in such situation makes it even more unlikely. Besides, they're more likely to search "bomb defusal" than "making".

It doesn't matter what one learns or even the exact search terms. Trigger words are enough. Some regimes won't tolerate you insulting the monarch. Others don't like you questioning their authority. Perhaps bombs was a bad example, but no matter, it is the idea that simply finding information can get a person into serious trouble.

rugxulo wrote:
Unless you personally know of someone who has been persecuted (in your town/city), it's probably a waste of time to worry.

Having said that, I do 110% believe that such jerks exist, but there's not much you can do about it. Just don't do anything foolish (and "don't be overwise!").

Actually there is the problem. What you consider reasonable, someone else might consider foolish. Maybe someone is Muslim/Christian/Taoist/Whatever and has to hide it in their community, but their online activity exposes their affiliation.

rugxulo wrote:
It's impossible to have zero footprint. I'm not saying you can't do minimal cleanups, but obsessive worrying is unlikely to help as much as you think it will. "Pray, hope, don't worry!"

I'm not suggesting zero footprint. Just don't make it easy for anyone to follow you around. It is simple to do, so why not? We all do stupid things, sometimes by accident. Perhaps some JS from a rogue site made you participate in a DDoS. Maybe you have some pictures of you as a child in the bath and the MS spying dragnet reports you to the police. Whatever it might be, we can't always guarantee to be 100% squeaky clean at all times. There is no need to encourage companies like MS to just help themselves to our data whenever they feel like it. We can't predict what they will do with it, how well they guard it, who gets to see it, how immune it is to alteration, or even what they have.
Post 20 Nov 2016, 12:55
rugxulo



Joined: 09 Aug 2005
Posts: 2124
Location: Usono (aka, USA)


revolution wrote:
It doesn't matter what one learns or even the exact search terms. Trigger words are enough.



Words alone aren't much grounds for anything. Only someone really stupid would blindly prosecute someone over false trigger words. Real criminals take actions, not mouth off on the Internet, so it's a misuse of limited resources to go after every "offensive" sentence. Patience is a virtue.

If anything, we should totally ignore non-reputable sources, not study them more. (E.g. some YouTubers ignore comments because they are toxic and useless to their profession. What hides behind "constructive criticism" is not a good excuse for anything since it doesn't actively help and is too random and inexperienced to be validated.)


Quote:
Some regimes won't tolerate you insulting the monarch. Others don't like you questioning their authority.



Freedom of speech isn't really absolute. We already get away with too much unjust speech already. (The general media is especially loud and angry these days, not worth paying attention to, IMO.) I'm not in favor of blanket freedom to insult, slander, detract others. Being in the public eye immediately opens you up to more scrutiny, (rash) judgement and punishment, and other dangers, usually unwarranted.

I hate to indirectly defend draconian actions against (harmless) a-holes, but it's really not fair to propagate (or encourage) every angry and dejected emotion and half-truth. Silence is golden, words must be used carefully, not as an excuse to burn down everyone and everything without good reason (especially without proof).


Quote:

Perhaps bombs was a bad example, but no matter it is the idea that simply finding information can get a person into serious trouble.



But if literally no one around you has been (unfairly) punished, the reasonable assumption is that no one is looking or paying attention to you. So you aren't in danger.


Quote:
Actually there is the problem. What you consider reasonable, someone else might consider foolish. Maybe someone is Muslim/Christian/Taoist/Whatever and has to hide it in their community, but their online activity exposes their affiliation.



Yes, there are some communities and countries with horrible governments and sectarian violence and oppression. Yes, sometimes they need to protect themselves in correspondences. But if you don't live in such a place, it's moot.

Foolish in this sense (opposed to being wise) means to go carrying a gun into a police station (or similar insanity). If you're wise, don't hack into the FBI's computers, yelling at them for xyz offense. Don't put yourself in harm's way on purpose. Don't go burning Korans publicly just because you disagree with it.

You know, don't intentionally go to war with anyone (since it can almost always be avoided), don't burn anyone's house down, don't crucify anyone, etc. The opposite of the vice of wrath is the virtue of patience. The opposite of the vice of pride is the virtue of humility.


Quote:
I'm not suggesting zero footprint. Just don't make it easy for anyone to follow you around. It is simple to do, so why not? We all do stupid things, sometimes by accident. Perhaps some JS from a rogue site made you participate in a DDoS. Maybe you have some pictures of you as a child in the bath and the MS spying dragnet reports you to the police. Whatever it might be, we can't always guarantee to be 100% squeaky clean at all times.



Very very low odds of anyone trying to prosecute you accidentally. But anyways, the prosecution will fail. Are you worried that prosecution is more painful than full conviction and punishment? There are courts for this kind of thing, and they do often throw out unjust cases. While it could be a minor (or even major) impediment to your life, usually it won't even come to that point without a good reason.

You're a smart amoeba, but most people aren't as smart and as crafty as you are. Don't let your high intellect feed your anxiety (and ignore the angry, braindead media, who only want to stoke the fires with the public). Most people aren't even smart enough, much less have enough power, to do you any harm, whether you deserve it (unlikely) or not.


Quote:
There is no need to encourage companies like MS to just help themselves to our data whenever they feel like it. We can't predict what they will do with it, how well they guard it, who gets to see it, how immune it is to alteration, or even what they have.



You can't stop them. And they don't even know you're alive, you're just random data to them. They don't care what you and I think. Voicing angry opinions publicly in the hope that they will change is a waste of time. No, you don't have to support it, but it's not your decision anyways, and your actions mean very very little (if literally anything) to the situation. They don't need or want your advice, and they can withstand your disapproval. Even a boycott is pointless because they already have more than enough money.
Post 22 Nov 2016, 00:45
kerr



Joined: 24 Feb 2016
Posts: 124

Yes, you're right.
But without JS and Flash, web pages will not be beautiful.
Post 22 Nov 2016, 06:33
jazz



Joined: 16 Jul 2016
Posts: 47

Styling a website is a CSS task. No one has a problem with CSS here.
Post 22 Nov 2016, 08:09
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

Never lose a cookie again.

http://samy.pl/evercookie/
Post 22 Nov 2016, 15:29
sleepsleep



Joined: 05 Oct 2006
Posts: 6961

there will emerge a new handicapped javascript language soon, globally and universally used by every browser,
Post 22 Nov 2016, 23:09
TmX



Joined: 02 Mar 2006
Posts: 792
Location: Jakarta, Indonesia


Quote:

This is a JavaScript exploit actively used against TorBrowser NOW. It
consists of one HTML and one CSS file, both pasted below and also
de-obscured. The exact functionality is unknown but it's getting access to
"VirtualAlloc" in "kernel32.dll" and goes from there.

https://lists.torproject.org/pipermail/tor-talk/2016-November/042639.html



Post 30 Nov 2016, 04:25
sleepsleep



Joined: 05 Oct 2006
Posts: 6961

javascript could get your pc hostname,

each and every pc hostname is quite unique and remains the same forever until they reformat their pc or manually rename it,
Post 30 Nov 2016, 15:57
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 15324
Location: Bigweld Industries

As expected yet another exploit that relies upon JS to do the dirty work.

https://www.bleepingcomputer.com/news/security/new-stegano-exploit-kit-hides-malvertising-code-in-image-pixels/

Blocking ads and/or images would have also worked here, but only because they chose to use ads to deliver the images. A proper fix is to disable JS (and all active content).
Post 07 Dec 2016, 15:31
sleepsleep



Joined: 05 Oct 2006
Posts: 6961

oh no! with flash exploits, maybe more zero days in their stronghold, xp, 7, 10 and more zero days, run!!!
Post 08 Dec 2016, 08:03
Powered by phpBB © 2001-2005 phpBB Group.

Copyright © 2004-2017, Tomasz Grysztar.