URL spoofing - what it is, and what to do about it

Are we live? We are live. The Android app is a bit different. Excellent. Hi everyone, and welcome back to Facebook Live. We are Naked Security by Sophos, and yeah, we are trying out our Facebook Live on an Android. Wow, yeah. If you notice any quality difference, I think you may be blinded by pixels, but let's hope we've got it right. The lens is a bit different on this; I can see myself in the lens, compared to an iPhone, so I'll have to get used to that. Sometimes it's not because Charlotte's shouting at me, it's because I can see myself and I've scared myself. So today's topic is URL spoofing. It sounds a bit technical, Duck.

What is it, and why are we talking about it right now? Well, let's start at the end: why are we talking about it now? The reason is, there was a big story all over the media last week about a URL spoofing bug that apparently was found some time ago in Apple Safari, so it affects Mac users and iPhone users. It also affected Microsoft Edge. Microsoft patched their browser; Apple didn't. The bug got disclosed and the media got all excited. The deal with URL spoofing, and why it's important, is that, basically, what it means is the URL you see in the address bar in your browser doesn't match the website that is in the main window.

So, in other words, it's easy to get confused between where you think you are and where you actually are, because the URL in the address bar has been spoofed, to put it simply. Oh, quickly: hi Teresa, hello Teresa, it's good to have you back. Yeah, so Duck, I'm guessing that, because Apple just did a round of updates which included releasing iOS 12, this bug might have got fixed. Oh, am I that transparent? Why pick it today? Yes, last night, at least UK time, well, this morning I woke up and there was the fix. iOS 12 has been released, and there's a Safari 12 update for macOS, for Mac users, and indeed, even though it's a week since its disclosure, Apple have now fixed it.

Unfortunately, and I wish they wouldn't do this, they have this official corporate policy, which is to keep totally schtum about security updates until they're ready. Now, I get it: the idea is you don't want people guessing and speculating, so when you say, hey, there was this bug in our product, you tell people when it's fixed. Unfortunately, what it meant is that, a week ago, everyone's panicking, going, well, I wonder if Apple's ignored this: does it consider this not to be a bug, or is the bug fix in the works? We speculated on Naked Security last week that Apple was probably very close to a fix, but unfortunately didn't say so. I wish they had.

But, given that the fix is out today, at least for people in the UK, we thought it was worth talking about it. Big story, problematic bug last week, all over the news; if you were worried about it and you get the update, you're sorted. Okay, so why is URL spoofing a hot issue in cybersecurity? The address bar has incorrect text in it. It's just one line of text, though, so why is it such a big deal? It sounds a bit of a triviality, doesn't it? The address bar's got, like you mention, a typo; when you get a document with spelling mistakes, it doesn't completely throw you off, it doesn't stop you making a judgement. But let me show you some pictures.

Let me show you some pictures of why we rely on the address bar. Now, as I mentioned earlier, the deal is that you've got the main content window of your website, which is basically filled up by what comes from outside, untrusted stuff, and then you get the URL, the address bar at the top, which is supposed to be the one true, sacrosanct place where you learn where your browser thinks it is. So here's a very, very simple, contrived example. You can see there's a web server called ns.example, and in the content there's some content; I've put a web form in there. There could be JavaScript, there could be a logo, all sorts of stuff in there, and everything in the window is actually determined by the person who operates the web server.

So if that's a foreign site that's pretending to be ns.example, you're relying on the address bar, the bit at the very top, to actually tell you that you're on the wrong site. So you can imagine, if you can make the bit at the top look like what it shouldn't be, that's very, very beneficial if you're a crook trying to do phishing. The theory is that, although the main window in your browser can have anything, including fraudulent logos, fake logos, fake content, the address bar is not directly under the control of anything remote; the browser looks after it carefully, so it's the one true place that you're supposed to be able to look at to figure out where you are.

It turns out that, using JavaScript inside a web page (this is the example that the researcher who found this problem used), he used a JavaScript function called location.assign, and what that does is it says, after you've rendered one page, oh, by the way, go somewhere else and fetch that page instead. So in that example, we're basically redirecting to a site called, well, other.test, and what you'd expect is what actually happens in every browser you want to try this with: if the site exists, you get something that's very similar to what you had before. I've got different content in there, but the content and the address bar change at the same time. Now, what this researcher found is that he could use a URL that was slightly unusual.

Here's an example of what he did. He took the URL and he added what's called a TCP port on the end. Now, normally web servers use port 80 for HTTP and port 443 for HTTPS, so he said: go to a site that exists, but to a TCP port where nobody's listening. That's like making a phone call to a company that's there, through a phone exchange that's working, but to an extension where nobody's sitting, so nobody answers. So what would you expect to happen when you tell the browser, hey, switch to this new site? What you'd expect is it'll go, well, try to connect to the site, and eventually it will time out. That typically takes one to two minutes, and during that time, what you expect is you'll see the old web page and the old URL, and that's what most browsers did, except Edge, patched a month or so ago, and Safari. And so in Safari...

Unfortunately, what you would see is something that looked more like this: you'd see the old content, which could be a phishing or fake site, and you'd see the new URL, and only after the download timed out and you got an error message displayed would the URL and the content actually line up. Now, I haven't got a picture of this, but on the mobile Safari browser on an iPhone it was even worse, because to save space it didn't actually show the :8000, so you didn't even realise you were going to a weird port on the site. So what this researcher said is, this is a way of having content from one place, which could be a phishing site, and a URL that suggests that you're actually somewhere else.

Even though you're not there yet. Can I just stop you? I had a quick question. Well, first of all, Andy says hello from Mechanicsburg, Pennsylvania. Mechanicsburg, yes, rust belt, I think, from the name; I assume that's why it's called that. In England we have Coalville; guess what they used to mine there. Who knows? Who knows. So Teresa says, so this has been caught and fixed in most browsers, like Microsoft Edge, Internet Explorer, Firefox and Chrome, and Apple is catching up with fixing this in version 12. That's basically it. Now, just quickly, let me just show that, even though this was kind of a bug and everyone got very excited about it, there are some things that you could have looked for in Safari and should look for in every browser.

Anyway, you can see here that, although you've got that new URL, at least in the non-mobile browser you can see the 8000. You don't see a padlock, because it hasn't actually connected to the site, so there's no TLS, there's no security certificate that it's received that it could possibly display, and of course, if you see a website with a web form on it, you shouldn't be putting data in there unless you think you're on a secure site. So that would be warning number one. The weird port, if it's visible, is warning number two, and also you see that blue bar; other browsers use different visual cues.

That means, whatever is happening, something's still loading. So if you're going to put data into the form while a page is still loading, you're kind of putting it into something that's not complete, or that you're not quite sure what it is. Yeah. So there were already warnings, even in Safari, that the page is still loading: there's a hint that the URL is what's coming next, not what's here now. But as Teresa mentions, Apple have fixed that, which means that if you've done the update you will now be okay, and you should still look out for those things that I've mentioned with whatever browser you're using: is there a padlock?

Does it appear still to be loading the content of the page, and to be hung up waiting for a timeout? So still look out for those, even if you think the URL and the content actually line up nicely; they're cues that tell you what the browser's up to and how the website at the other end is behaving, always very useful to know when you're trying to make a security judgement. So Teresa says, is it considered a quick and dirty fix to disable JavaScript in the browser? That would fix this particular URL spoofing, because it relies on using JavaScript to make an already rendered page switch out for another one, and some people do switch off JavaScript, or they use a plugin like NoScript that selectively blocks JavaScript.

That's a good solution for many people. The problem is that there are quite a lot of sites that don't work very well if you turn JavaScript off, because they rely on JavaScript to make things like menus, pop-ups, links, this clicking, that clicking, menus that pop up and so forth; they rely on JavaScript to make that work. So blindly blocking JavaScript gives you a very 1990s style of the web, even though it's 2018, so you might find that if you turn off JavaScript altogether, there are a lot of sites that either don't work at all or just work really clumsily. That's the problem with using that as a fix, and it's why many people don't bother, and why many people don't bother running a script manager, because they can be an awful lot of setting up to make sure you're blocking and allowing the right scripts on the right site and the wrong scripts on the wrong site.

Of course, if you have anti-virus software, not that I'm going to plug Sophos Home, which of course has a free version if you would like to use it, although I have just plugged it: if you've got an anti-virus program that can block both content that comes down and websites that your computer connects to (Sophos Home can do both of those things), what that means is you've also got a fighting chance that if you've got some JavaScript that takes you off somewhere where it shouldn't be, or it tries to load content from a dodgy site and then pretend it's a good site, you won't reach the dodgy site in the first place, or if you get dodgy content back, it won't get rendered in your browser.

So an alternative to blocking JavaScript outright is to say, what I want to do is block content that my anti-virus thinks is suspicious, and prevent any visit, or any content coming at all, from sites that I know are putting me in harm's way. That's a long answer; yes, controlling JavaScript does deal with this particular bug. So Andy's asked a question. He says you may know him from the AVPD and VB conferences while he was with ICS. I was just wondering if it was that Andy, so hi Andy. He says: don't a lot of anti-malware products detect this type of redirection, usually in online banking protection, as MitM attacks?

Well, yes or no, because there's nothing wrong with jumping from one site to another, or loading third-party content into a site, and ironically, at least in the UK, many payment pages, when you go there, actually temporarily jump you off to content that comes from your bank, which might ask you a question like, put in your secret banking code, type in the code that appeared on your phone, or do some verification with location; you see a bank's logo for a bit and then you jump back to the site where you're actually doing the payment. So this thing about shifting, using JavaScript, from one site to another and back is actually used in mainstream sites, so unfortunately you can't just say, well, blindly block any sort of attempt to redirect from one site to another.

The point is, you're supposed to be able to do that. What a browser's not supposed to do is tell you you've already reached your new destination when it's still showing the old content. That was the very simple bug that Safari had: it updated the address bar before it had any content to match it, which meant that things could get out of sync. What other browsers were doing is they were waiting until there'd been an error, and then they would update the address bar and the screen to say there's been an error at the same time, so you're never in any doubt, and that's the change Apple has made to fix this. So, I just want to ask a question of my own: what is an MitM attack? I guess man-in-the-middle, or man-in-the-browser?

What that means is, where you're suddenly on one site where you're putting in secure data, what if you're not actually going to that site? What if there's somebody else that's actually intervening, like a proxy, grabbing your content and looking at it? Now, the good news is, if you're using HTTPS, secure sites, you should get some kind of warning, because the impostor site that you're being redirected to won't be able to come up with the right web certificate compared to, say, your bank or whatever. And you also get what's called a man-in-the-browser attack, which is where you get some kind of JavaScript or plugin inside the browser that actually, instead of trying to snoop on content while it's in transit, in the middle...

If you can actually intercept the traffic at the very end, either at the start or the end, obviously it has to be decrypted there: it has to be decrypted at the server, so the server knows what you're trying to ask for, and it has to be decrypted inside your browser so that it can actually display it. That's a man-in-the-browser attack; same idea. What somebody's doing is, somewhere between your screen, the outside surface of your screen if you like, and the processing on the server, there's somebody who shouldn't be there trying to listen in. They can either do it in the middle, a man-in-the-middle attack, MitM, which is when they're snooping on the network, or they can do it in the browser, where they actually see the stuff after it's been decrypted.

So when you see MitM or MitB, that's what those things mean. Great, so back to URL spoofing. Yes, from Don, hello Don, he says: how would we get John slash Jill Public to learn to realise what to look for so as to protect themselves from issues? Well, one: we actually write about things, whether directly or indirectly, like URL spoofing, email address spoofing, dodgy links in emails, things like that, regularly on Naked Security, for exactly that purpose. We feel that this is not a game that we've lost to the cyber crooks. If we just keep reminding people what to look for, then (a) people who have never given this a thought will improve in security, and (b) because the crooks keep changing their game, every time we up ours, as they try and alter theirs...

It means that people can keep sort of in sync with what the latest attacks are. So we regularly do articles on Naked Security, like the one we did for this particular bug, where we fill them up not just with a description, but we actually put pictures in sequence that show you: this is what will happen when things are going well, and this is how you compare it with what happens when things are going badly. Our idea is to try to alert people where to look in their browser, where to look on the screen, what things to look for, the kind of tricks that the crooks use, what to do with emails, what not to do with emails and so forth. And so, Rob Klein...

That is a shameless plug for Naked Security. I'll stop, because that's what I was hoping for. So Rob Klein is really shocked that no one has commented on your awesome t-shirt yet. Well, it is an awesome t-shirt, and you too can own one just like it by going to shop.sophos.com, or, let me be more formal, http://shop.sophos.com, and you can get t-shirts, cool socks, cool... be nice, you can even buy high-end bicycles, but that's not why most people go there. Those were used by some salespeople in a race that we participated in, an event that we participated in.

We figured you might like them, but the t-shirts, all this and many more other cool slogans, like "Malware is a dish best served never", for example. I think so. Rob's actually asked a question as well. He says: are there times that HTTPS isn't really doing the job, and are there ways to know? Oh, that is a very open question, and usually it's when you're faced with HTTPS web certificate trickery. What usually happens, you may see, for example, if you go into a coffee shop and they've got free Wi-Fi, and what they do is they let you connect to their network and there's no password on the network, but the first time you try and go anywhere...

They basically redirect you to a fake site, and the fake site is their login, their captive portal, and their captive portal says: hey, you can't go to the bing.com search engine yet, you have to fill in this form. And of course, to do that, they have to pretend that they're bing.com for one web page, and they can't put up the right certificate, so you'll get a certificate warning. So they claim to be bing.com, but they don't have the right certificate signed in the right way. So often, when you go to a site that's presenting a bogus web certificate, it's pretty obvious, because no so-called certificate authority that issues web certificates will let just anybody have a certificate for a website that says microsoft.com, sophos.com, bing.com or whatever it is. So one protection is, if you get a warning that says there's something wrong with a web certificate... A couple of years ago...

Loads of people would let their certificates expire, or they'd put the wrong name in, because it was all too hard, and we got in the habit of going, oh, a certificate warning, who cares, it's only a website, and you'd click through, and if you're unlucky your browser would remember that, so next time, when the crooks have got you, you won't get the warning again. So if you get a web certificate, security certificate, warning, do not ignore it. They are there for a purpose. The other trick, obviously, which is much harder to deal with, is what happens if a certificate authority, somebody who signs web certificates, goes rogue and they agree to sign a certificate for the wrong person.

It's very difficult to deal with that, but usually it's reasonably infrequent, and when it happens it's all over the news. So keep your eyes open and watch out for web certificate authorities that can no longer be trusted. Okay, that's great, and then one final, very quick question for you, Duck: what should Mac and iPhone users do now? Well, get the update. Apple have traditionally been very good at getting updates out fast, and people tend to accept them. And since I'm in a hurry, because I know we're over time, I have now botched things up on the phone, and what do they say, more haste, less speed. Well, while you look at that, I'm going to tell you that Andy says his wife stole his Sophos socks.

They are in high demand. That doesn't count as stealing, does it? If you're Mrs and you're wearing your husband's clothes, that's just... you just have to go with that. Yeah. Okay, so what do you do on a Mac? Click on the Apple icon, go to About This Mac, Software Update, and wait to see if there's anything. You probably get them automatically, but it's worth having a check, and if you aren't on the list yet, because they will stagger the updates, you could jump the queue by clicking on Update Now. Same on an iPhone or iPad: you go to, what is it, Settings, General, Software Update, and after the updates you'll see something like that.

So you see there Safari 12; that's got the bug fix for this. And iOS 12 for the iPhone; that update includes a brand new version of Safari with this bug fix, and while you're about it you get loads of other security updates and feature updates too, so you might as well do it, because the crooks now know what bugs existed in iOS 11 and Safari 11 before the update was out. So don't be the low-hanging fruit; get out there and get those updates. That's great. Thank you, Duck, as always, for your wisdom, and thanks everyone for commenting and for your questions. If you have any more questions for Duck or the team, pop them in the comments box; we always check after the video has finished. And until next time...