ADVISORY: The techniques and tools referenced within this blog post may be outdated and may not apply to current situations. However, this entry can still be used as an opportunity to learn, and its ideas can possibly be updated or integrated into modern tools and techniques.
So, LastPass is one of my favorite applications, and it’s making me more nervous every day. I haven’t lost faith yet, though it was a lot more convenient when I had autofill on. LastPass is everywhere this week. We’ve also got some neat stuff from OnionScan, and one of my favorite subjects: “Why you should use an ad blocker.”
LastPass has had a couple of interesting bugs filed about the autofill feature in its browser extensions. The first lets an attacker’s page extract credentials for other domains purely by exploiting the regex LastPass uses to decide whether the current page belongs to a domain it holds credentials for: if the regex can be tricked into reporting the wrong host, autofill will hand the victim’s password to the wrong site. The lesson here is to turn off autofill. It means typing your master password a lot more often, but autofill is just dangerous.
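To make the class of bug concrete, here is an added example (not LastPass’s code, and not their actual regex): a hand-rolled host-matching regex of the kind that is easy to get wrong, next to the hardened version that lets the platform URL parser decide what the host is. The regex, the vault contents and the attacker URL are all constructed assumptions for illustration.

```javascript
// Added example: domain matching for an autofill decision, naive vs hardened.
// The regex, vault entries and URLs below are constructed for illustration and
// are assumptions, NOT LastPass's real code or data.

// Constructed vault: one stored credential, keyed by the site it belongs to.
const vault = {
  "bank.example": { user: "alice", pass: "hunter2" },
};

// Naive: a regex that tries to skip "user:pw@" userinfo before the host.
// The greedy ".*@" happily runs across the path to a later "@", so anything
// after an "@" in the path is taken as the host.
const NAIVE_HOST_RE = /^https?:\/\/(?:.*@)?([^\/:?#]+)/i;

function naiveHost(url) {
  const m = NAIVE_HOST_RE.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Hardened: use the same URL parser the browser uses for the page's origin,
// and refuse to fill on anything that is not TLS.
function parsedHost(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:") return null;
    return u.hostname.toLowerCase();
  } catch (e) {
    return null; // unparseable URL: never fill
  }
}

// Site match: exact host, or a subdomain of the stored site (never a mere
// suffix match, so "notbank.example" does not match "bank.example").
function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// Decide which stored credential (if any) may be filled for this URL,
// given a host-extraction strategy.
function credentialsFor(url, hostFn) {
  const host = hostFn(url);
  if (!host) return null;
  for (const site of Object.keys(vault)) {
    if (hostMatches(host, site)) return vault[site];
  }
  return null;
}

// Constructed attacker page: lives on attacker.example, but its path
// contains "@bank.example" to fool the naive regex.
const attackerUrl = "https://attacker.example/@bank.example/login";

console.log("naive host:", naiveHost(attackerUrl));     // bank.example (wrong)
console.log("parsed host:", parsedHost(attackerUrl));   // attacker.example
console.log("naive fills:", credentialsFor(attackerUrl, naiveHost) !== null);
console.log("parsed fills:", credentialsFor(attackerUrl, parsedHost) !== null);
```

The practical takeaway is that the fill decision should never be made by a regex over the raw URL string; compare the parsed hostname (and scheme) against the stored site, and only ever match exact hosts or true subdomains.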
The second LastPass bug allows hijacking of click events and access to the extension’s RPC interface. This one is even worse than the first: it would have allowed an attacker to run scripts, delete files, change the master password, and so on. Thankfully it appears that both issues have now been resolved.
A few weeks back Sarah Jamie Lewis posted a neat article on the infrastructure of the “dark web,” built using OnionScan and some data visualization tricks. It’s an interesting read on what the infrastructure of a privacy network actually looks like. Of course lots of people would like to start scanning and replicate this effort, or do research of their own, and Justin over at AutomatingOSINT has now helped us out with that. Justin has written a nice, easy step-by-step tutorial on setting up your own OnionScan instance on Digital Ocean, and is promising a part two with details on creating the graphs. If you don’t feel like scanning for yourself, he’s also provided the dataset at the bottom of the first article.
Ad blockers run on all my systems, not just because I hate being advertised to and tracked, but also because ads are bad for my computer. I remember thinking way back in the early internet days that if I were to decide I must be a villain, I’d definitely try to find a way to infect an ad platform and use it as a delivery vector. I don’t think this was exactly sci-fi then, and I was almost certainly not the first person to have this idea, but now it’s just common knowledge. Nowadays I see people scraping ads off the internet to be analyzed, and I love the internal monologue I get to have when my suspicions are confirmed by an article about just how many of those ads are in fact distributing malware.