Job hunting sites that spy on you? Or "just" compromised?

Discussion in 'privacy problems' started by Gullible Jones, Jan 15, 2016.

  1. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    So today I took a look at CyberCoders, on my workstation. (Debian Stable x64, Iceweasel, uBlock Origin configured to block all third-party content by default.)

    About a second after the website rendered, the workstation's webcam turned on for a few seconds. Around the same time, the workstation's outbound firewall blocked a bunch of ICMPv6 pings.

    After unplugging the webcam, I tried to log in, and was met with an invalid cert SSL error. Needless to say, I did not log in.

    ...

    Looking at the logs of my external firewall, I only see stuff going out to CyberCoders domains during that time. Which is as it should be, since uBlock was blocking all the other embedded stuff. But needless to say I'm a bit rattled.

    I see two possibilities.

    1) CyberCoders was compromised, and I got to see some kind of watering hole attack. This makes me quite unhappy, seeing as I'd spent five hours last night cleaning up after another compromise.

    2) More sinister: CyberCoders deliberately takes a snapshot of you when you go to their site, and the SSL error was a coincidence. This seems less likely, but cannot be discounted, and the idea makes me even less happy than the previous one; not in the least because I've already gotten some interviews through CyberCoders.

    ...

    Needless to say, I am quite interested in hearing what people have to say about this. And in the mean time I will stick with other job sites. :eek:

    Oh, pro tip: make sure your firewall is logging the packets it lets through, not just those it blocks. You may be unpleasantly surprised what you see.
     
  2. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    408
    iceweasel 38.5? Were your "peerconnection" and related prefs @default (permissive) values, or were you operating under the belief that "all that webRTC and camera stuff is (cough) disabled, via prefs"?

    So... what did you see? What in the logged content surprised you? And why are you now speculating?
    FWIW, I hit their homepage, skimmed the page viewsource content and inspected the externally loaded js scripts... and found nothing nefarious. Maybe the site is no longer compromised. Maybe you are a person-of-interest and "done been MITMed, by BigBro". Maybe the code triggering the webcam snap is only included for logged in users (makes sense, eh).

    Aren't you chompin' at the bit to determine whether the unexpected webcam activation is repeatable?
    Did you observe in the logged packets, that an outbound transmission of an imagefile or video stream (even if it's solid black, due to lens cover) occurred?
     
  3. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    a) Relax
    b) I get your point
    c) You don't have to be a jerk about it
    d) I find it fascinating that the one reply I get is borderline insulting

    BTW, no it was not reproducible. And no, I'm not in the habit of running a packet sniffer full-time on my network.

    Edit: OTOH I think something's still up, because the last 2-3 days of my firewall logs have just disappeared. And I mean *only* the firewall logs, not any other system logs on the firewall machine; and I don't even have log rotation configured. Sigh.
     
    Last edited: Jan 18, 2016
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,031
    Firewall logs "disappeared"? What sort of firewall? Maybe something's broken. And maybe it's safest to nuke it and reconfigure.

    I thought about checking the site. But nothing that I run even has a webcam. Let alone the VMs that I would have used.
     
  5. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    It's pfSense, and on further searching this turns out to be me being an idiot and not looking at the settings. pfSense uses circular log files defaulting to 500KB size, which is not nearly sufficient... Duh. I've upped the log size. :ouch:

    Re the webcam incident, the ICMPv6 seems to be unrelated - it's some zeroconf rubbish that Avahi does, basically. I had scripted my desktop setup on Debian, and didn't realize the package selection dragged in Avahi.

    I still have no idea what the deal with the webcam was, though.:(

    Edit: seriously, sorry for all the alarms. Like I said, I was already cleaning up after a definite compromise. My laptop had been making connections to really iffy BitTorrent sites last week, and trying to open UPnP holes in the firewall; and I don't even use BitTorrent. I am perhaps still a bit on edge.
     
  6. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    408
    Sincerely, I didn't intend to offend you, Jones.
    Based on our exchanges here across a span of years, I expected we were kindred spirits or something.
    Maybe in my old age Asperger's Syndrome is kicking in. Rereading my earlier post, I suppose "done been MITMed, by BigBro" came across as sarcasm rather than "hot damn! caught 'em in the act! Let's bust this thing wide open!"

    Explaining my frame of reference might help to clarify my interest in this thread. Years back, I was "in that space" (online jobs/recruiting) so am painfully aware of the questionable (slimy) practices among sites operating in that space. An example, not specific to the topic at hand: Accounts of "job providers" at a given site are often handed out without even a perfunctory vetting process. Before registering with a given site as a jobseeker... if you register as a prospective "provider" you'll probably discover that, without supplying 'credentials', your provider account can access hella wealth of seekers' supplied details (schools attended, past employers...).
    You could still examine the embedded scripts to see if any camera oriented (or webrtc) code is present.

    ps:
    When I initially read Jones' description, my immediate thought was this:
    a "jobs site" would serve as a perfect frontend honeypot for a BeEF injection operation
    https://github.com/beefproject/beef
     
    Last edited: Jan 19, 2016
  7. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @inka

    Hey, sorry for the overreaction on my part. Seriously. My bad. :(

    I'm not surprised, re: your experiences at staffing companies. I've seen some pretty dubious stuff myself.

    Govt. MITM stuff didn't really occur to me - sure it's a possibility, but I would expect Uncle Sam not to attract my attention with a bad SSL cert. Might be giving them too much credit though.

    OTOH, it definitely struck me that someone might try to run a malware operation piggybacked on an IT job site. That would be a fantastic way to snag sysadmin credentials.

    ...

    One other thing. I looked at the kernel logs on the workstation, and noticed that the webcam was redetected by udev around the time it went on. And it does light up sometimes when first plugged in. Might just be a rubbish webcam with dubious soldering somewhere, or something. Maybe.

    The invalid SSL cert, on the other hand, seems like a bit much. But I wasn't able to reproduce that, either. And I don't think my DNS should be easily hijacked or anything like that, the way I've set things up...
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
  9. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The TLAs hunt sys admins do they not? And they needn't even MITM if they've got the cert. private key, which would not be a big stretch for some of the smaller sites given their inadequate security.

    A sad reflection of our times.
     
  10. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @deBoetie I didn't know that actually. Sigh. Nice to know I'm a target just by virtue of my career path. :( But yeah, I figured any TLA would have the private key. Especially as the security is awful (see the SSLLabs results).

    In other news, it's been a week and I still haven't seen anything new and nasty going through my firewall...

    (Which reminds me, I need to test the router for the new FreeBSD Ping of Death attack. Grr.)
     
  11. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    The evidence was from the Snowden leaks regarding some internal NSA documents titled "I hunt sys admins" - of course you'll doubtless be reassured to know that “Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of.” Nevertheless, a tasty target because: “Who better to target than the person that already has the ‘keys to the kingdom’?”

    Real life includes GCHQ attacks on Belgacom sys admin staff. They used the Quantum Insert to attack them via LinkedIn pages (which I guess is related to job hunting sites).

    To the extent that it encourages better practices amongst those with the keys to the kingdom - including TFA and airgapped and single-purpose systems, that's good.

    Do you have a link for the new ping of death attack? - I assume it would affect pfsense.
     
  12. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,461
    @deBoetie Thank you. (And also ewww.)

    The stuff on the attack can be found here:
    http://blog.ptsecurity.com/2016/01/severe-vulnerabilities-detected-in.html

    I don't think mine should be vulnerable, because I have IPv6 disabled on all interfaces. Hard to tell though. I've been trying to reproduce it with nmap, and not gotten anywhere.

    I will say though, that the existence of such... basic bugs, does not make me enthusiastic about FreeBSD's kernel code quality.
     