AWS Lightsail makes it (too) easy to fire up a new server, install an application, and let it loose on the Internet.  You have to learn somewhere, and that's as good a place as any, but let's do a little housecleaning on the default apache2.conf file.

If we scan our stock Apache server, we get some findings:

+ Server leaks inodes via ETags, header found with file /, fields: 0xb3
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The site uses SSL and the Strict-Transport-Security HTTP header is not defined.
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type

Read more: Nikto Apache Findings

“We’ve updated our Terms of Service and our Privacy Policy”

I’m sure we’ve all seen at least a dozen or so of these types of messages over the last month.  The majority of the changes were brought on by the General Data Protection Regulation (GDPR) which is essentially a framework for the collection and usage of personal information gathered within the European Union.

Couple that with the recent revelations of Facebook’s massive data collection and subsequent breach, and more people are starting to think about their privacy.

Read more: Privacy and the Tor Browser Bundle

In my last post, I talked about a mail tracking service which uses essentially the same technique that an anti-phishing service would use.  You embed a hosted object in the message, and when the message is opened, the object will render.  When the object is rendered, some function on the server side is watching for that callback.

The setup --

We need a single white pixel hosted on a webserver with a valid SSL certificate.  With Let’s Encrypt, we can add a free SSL certificate to any server.  You could try it without the SSL certificate, but I think the call out to plain HTTP would cause a problem.  I haven’t gone through the steps of testing this without HTTP; it was more of an exercise in how quickly and easily something functional could be set up.

Read more: Anatomy of a Mail Tracker

This is For Educational Purposes Only.  

WordPress controls approximately 60% of the Content Management System (CMS) market.  The majority of the websites we develop and manage are running WordPress.  With 60% of the market running a single product, it makes a lot of sense to focus attacks on WordPress.  Odds are pretty good you'll be able to recycle work, which is why I started thinking about how I would steal WordPress credentials.

Read more: WordPress Credential Stealing

I have a vendor that uses a service, mailtrack.io, which embeds a single white pixel into email messages for tracking purposes.  When the message is opened, unbeknownst to you, your mail client will render the white pixel, and then I assume mailtrack.io informs the sender that the message was read.  Pretty simple actually, and clever.  But I’m watching outbound traffic, and I saw the outbound connection to mailtrack.io.  When I opened the source of the email, I noticed the line calling the hosted pixel, which clued me in to what was happening.

Read more: Blocking Email Trackers

I'm not sure which Windows Update causes this issue, but it changes the associations for a number of extensions, causing quite the problem.  A system restore failed and I was left to hunt for a solution.  Searching around, I found a number of options, but nothing solved the problem until I came across the following PowerShell one-liner:

Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

Read more: TwinUI Default App Association