
List:       qubes-users
Subject:    Re: [qubes-users] Re: How to mitigate against copying of CSS-hidden text then pasting it into a term
From:       haaber <haaber () web ! de>
Date:       2018-09-30 6:48:09
Message-ID: 68227ec7-89fa-5782-63eb-9513bd60dd7f () web ! de


> > On this page[1] there's the text "ls -lat" which if you copy then paste in your
> > terminal, you're actually pasting this whole thing instead:
> > ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne \
> > 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo \
> > -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep \
> > 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking \
> > ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### \
> > (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo \
> > -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to \
> > track my IP' ls -lat
> > 
> > I guess one mitigation would be setting a sudo password, even in VMs?
> > Qubes has no password for sudo by default.
> > 
> > What else can be done? Thoughts?
> > 
> > If using uMatrix, uBlock Origin and NoScript, all with blocking all by default,
> > the page only requires allowing (2 pieces of) CSS from www.blogger.com for this
> > to be completely hidden: i.e. you think you copied "ls -lat", but assuming you
> > don't Ctrl+Shift+C it too AND look at the size of the copied text in the
> > notification (575 bytes instead of 7), you won't notice anything abnormal, until
> > pasted in the terminal.
> > If not allowing even the CSS, then there's something visible on the left when
> > "ls -lat" is selected (actually when the space in-between is selected) which gives
> > it away. I attached the 3 pictures for this case.
> > (Not attaching screenshot for when allowing (only) CSS from www.blogger.com
> > because it's obvious that it looks normal and you can't see the hidden text.)
> > [1] https://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
> > 
> Well, one mitigation (albeit a rather annoying one) would be to type the visible
> command manually instead of copying and pasting it into the terminal
If you use the "qubes hardening" ideas developed by Chris (here on the
list), you should still be reasonably protected, even when you are
"caught" like this. See
https://github.com/tasket/Qubes-VM-hardening/issues/2 Additionally, from
my point of view, you should use a "browser-VM" that is used for nothing
else than (unsafe) browsing, separated from an online-banking-vm with
limited internet access (via firewall rules), etc.

Bernhard
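
Added example, not part of the thread: a POSIX shell check for the size mismatch the first post points out (575 bytes copied instead of 7), comparing the visible command with what the clipboard really holds before anything is pasted. The function names and the sample clipboard string are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and sample strings
# are constructed for illustration.

# True when the text contains characters that chain or substitute commands.
has_chain() { printf '%s\n' "$1" | grep -q -e '[;&|`]' -e '\$('; }

# paste_findings VISIBLE ACTUAL
# Prints one finding per line; prints nothing when ACTUAL matches VISIBLE
# and holds nothing a shell would treat as an extra command.
paste_findings() {
    visible=$1
    actual=$2
    vis_len=$(printf '%s' "$visible" | wc -c | tr -d ' ')
    act_len=$(printf '%s' "$actual" | wc -c | tr -d ' ')
    if [ "$visible" != "$actual" ]; then
        echo "mismatch: expected $vis_len bytes, clipboard holds $act_len"
    fi
    # Non-printable bytes: a newline runs the line as soon as it is pasted,
    # and carriage returns or escape sequences can hide text on screen.
    odd=$(printf '%s' "$actual" | LC_ALL=C tr -d '[:print:]' | wc -c | tr -d ' ')
    if [ "$odd" -gt 0 ]; then
        echo "control: $odd non-printable byte(s)"
    fi
    if has_chain "$actual" && ! has_chain "$visible"; then
        echo "chain: command separators absent from the visible text"
    fi
}

# check_paste VISIBLE ACTUAL: returns 0 when there are no findings, else 1
# after printing them and an escaped rendering of the clipboard (sed "l").
check_paste() {
    findings=$(paste_findings "$1" "$2")
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings" >&2
    printf '%s\n' "$2" | sed -n l >&2
    return 1
}

# Constructed sample in the shape the first post describes: the page shows
# "ls -lat" but the selection also carries hidden text in between.
VISIBLE='ls -lat'
SAMPLE_CLIPBOARD="ls ; clear; echo 'constructed hidden text'; ls -lat"
check_paste "$VISIBLE" "$SAMPLE_CLIPBOARD" || echo "do not paste"
```

To check the real clipboard, pass its contents as the second argument, for example from `xclip -o -selection clipboard` (assuming xclip is installed in the VM). Capturing it with `$(...)` drops trailing newlines, so a clipboard that ends in a newline is better piped through `sed -n l` directly.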


