Archive for Security
08.06.05
Posted in Computer, Murmuring, Network, Search Engine, Security at 2:43 pm by gslin
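Given just an ID or an IP address, we can find many small puzzle pieces on the Internet through a search engine, then put those pieces together to learn that person's background.
The News.COM article Google balances privacy, reach uses Google's search engine to dig up private information about Google's CEO, Eric Schmidt. Using this example, News.COM's Elinor Mills goes on to explain that Google's search engine alone can find this much data; what would happen if Google merged and analyzed all the data it holds (Search History, Gmail, Orkut)?
After Elinor Mills wrote that article, today's piece about Google's recent search for chefs (this is a prank), Wanted at Google: A few good chefs, ends like this: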
Google could not be immediately reached for comment. (Google representatives have instituted a policy of not talking with CNET News.com reporters until July 2006 in response to privacy issues raised by a previous story.)
So a story in support showed up on Slashdot: Google Blacklists CNet Reporters…
08.03.05
Posted in Computer, Murmuring, Network, Security, Software at 4:03 pm by gslin
Download Squad reports that Microsoft has patched MGA again so that users can no longer turn off the check with a single line of JavaScript code: Windows Genuine Advantage back in business.
The DLL hack still works, though :p
Posted in Computer, Murmuring, Security at 9:56 am by gslin
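A super-tough fireproof hard drive spotted on Engadget; it can withstand a 1000°C fire, but the capacity is only 80GB ~ 100GB XD CMC Solutions’ IEYAS fireproof hard drive safe.
The product can be seen at 「耐火ハードディスク装置」 (fire-resistant hard disk unit) XD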
07.31.05
Posted in Computer, Murmuring, Political, Security at 6:58 pm by gslin
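Slashdot, in Govermental Servers Wiped? Never!, reports that the Australian government resold its decommissioned computers without wiping the data on them…
The original author's page, Data Security 101, has a large number of images showing what was on these computers - even source code :p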
Posted in Browser, Computer, Murmuring, Network, Security, Software at 6:03 pm by gslin
The pie chart below the Mozillazine article More Security Flaws in Firefox Than IE This Year, based on Secunia's data, shows that from the start of this year until now IE has had 9 security-related issues, while Firefox has had 17:


With severity added in:


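As for the "Unfair comparison" part below it, there is no need to read it; nobody is going to sympathize with Firefox 1.x just because it is in its first year… except the Firefox loyalists.
More complete data can be found in Vulnerability Report - Microsoft Internet Explorer 6.x and Vulnerability Report - Mozilla Firefox 1.x.
Of Firefox's 17 security advisories, 15 have been fixed (Vendor Patched), one is partially fixed (Partial Patched), and one is not yet fixed (Unpatched):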
- Firefox Property Manipulation Cross-Site Scripting Vulnerability (Secunia Research has discovered a vulnerability in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.)
- Firefox Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, and compromise a user’s system.)
- Mozilla / Firefox / Camino Dialog Origin Spoofing Vulnerability (Secunia Research has discovered a vulnerability in Mozilla, Firefox, and Camino, which can be exploited by malicious web sites to spoof dialog boxes.)
- Mozilla / Mozilla Firefox Frame Injection Vulnerability (A seven year old vulnerability has been re-introduced in Mozilla and Firefox, which can be exploited by malicious people to spoof the contents of web sites.)
- Mozilla Firefox Download Dialog Spoofing Vulnerabilities (Secunia Research has discovered two vulnerabilities in Mozilla Firefox, which can be exploited by malicious people to spoof file types in the file download dialog.) Partial Fix.
- Mozilla Firefox Two Vulnerabilities (Two vulnerabilities have been discovered in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks and compromise a user’s system.)
- Mozilla Firefox Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks, bypass certain security restrictions, and compromise a user’s system.)
- Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability (A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of potentially sensitive information.)
- Mozilla Firefox Three Vulnerabilities (Three vulnerabilities have been reported in Firefox, which can be exploited by malicious people to bypass certain security restrictions and compromise a user’s system.)
- Firefox “Save Link As…” Status Bar Spoofing Weakness (bitlance winter has discovered a weakness in Firefox, which can be exploited by malicious people to trick users into saving malicious files by obfuscating URLs.)
- Mozilla Firefox Image Javascript URI Dragging Cross-Site Scripting (Paul has reported a vulnerability in Mozilla Firefox, which can be exploited by malicious people to conduct cross-site scripting attacks.) Unpatched.
- Mozilla / Firefox “Save Link As” Download Dialog Spoofing (Secunia Research has discovered a vulnerability in Mozilla and Mozilla Firefox, which can be exploited by malicious people to trick users into downloading malicious files.)
- Mozilla / Firefox / Thunderbird Multiple Vulnerabilities (Details have been released about several vulnerabilities in Firefox, Mozilla and Thunderbird. These can be exploited by malicious, local users to perform certain actions on a vulnerable system with escalated privileges and by malicious people to conduct spoofing attacks, disclose and manipulate sensitive information, and potentially compromise a user’s system.)
- Mozilla / Firefox Three Vulnerabilities (mikx has discovered three vulnerabilities in Mozilla and Firefox, which can be exploited by malicious people to plant malware on a user’s system, conduct cross-site scripting attacks, disclose sensitive information, bypass certain security restrictions and compromise a user’s system.)
- Mozilla Products IDN Spoofing Security Issue (Eric Johanson has reported a security issue in Mozilla / Firefox / Camino / Thunderbird, which can be exploited by a malicious web site to spoof the URL displayed in the address bar, SSL certificate, and status bar.)
- Mozilla / Mozilla Firefox Dialog Overlapping Weakness (mikx has discovered a weakness in Mozilla and Mozilla Firefox, which potentially can be exploited by malicious people to trick users into performing unintended actions.)
- Mozilla / Mozilla Firefox Download Dialog Source Spoofing (Secunia Research has discovered a vulnerability in Mozilla / Mozilla Firefox, which can be exploited by malicious people to spoof the source displayed in the Download Dialog box.)
Of IE6's 9 security issues, only three have been fixed and one is partially fixed, while the remaining five are all still unpatched:
- Internet Explorer “javaprxy.dll” Memory Corruption Vulnerability (SEC Consult has discovered a vulnerability in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.)
- Microsoft Internet Explorer Dialog Origin Spoofing Vulnerability (Secunia Research has discovered a vulnerability in Internet Explorer, which can be exploited by malicious web sites to spoof dialog boxes.) Unpatched.
- Microsoft Internet Explorer “window()” Denial of Service Weakness (Benjamin Tobias Franz has discovered a weakness in Internet Explorer, which can be exploited by malicious people to cause a DoS (Denial of Service).) Unpatched.
- Microsoft Internet Explorer Multiple Vulnerabilities (Some vulnerabilities have been reported in Microsoft Internet Explorer, which can be exploited by malicious people to compromise a user’s system.)
- Microsoft Internet Explorer Popup Title Bar Spoofing Weakness (bitlance winter has discovered a weakness in Internet Explorer, which can be exploited by malicious people to conduct phishing attacks.) Unpatched.
- Internet Explorer/Outlook Express Status Bar Spoofing (bitlance winter has discovered a weakness in Internet Explorer/Outlook Express, which can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs.) Unpatched.
- Microsoft Internet Explorer Multiple Vulnerabilities (Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to conduct cross-site scripting and phishing attacks, disclose sensitive information, bypass certain security restrictions, and compromise a user’s system.)
- Internet Explorer Global Variables Local File Detection Weakness (Berend-Jan Wever has discovered a weakness in Internet Explorer, which can be exploited by malicious people to detect the presence of local files.) Unpatched.
- Internet Explorer FTP Download Directory Traversal (A vulnerability has been discovered in Internet Explorer, which can be exploited by malicious people to compromise a user’s system.) Partial Patched.
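For either browser, the vulnerabilities that allow a direct compromise of the system have all been fixed, while IE6 does not seem very interested in fixing the other kinds of security issues (mainly DoS and spoofing).
In summary, Firefox is not the more secure software; it is just the software that is more willing to ship a patch when a security issue occurs.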
07.29.05
Posted in Browser, Computer, Murmuring, Network, Search Engine, Security, Software at 2:59 pm by gslin
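shakalaca has already played guinea pig and installed IE7 to try it out: IE7 試用心得 (IE7 hands-on impressions).
Seeing the screenshot he provided, I immediately understood why some people call IE7 “Firefox Lite”…
However, The Register broke the story: IE7 nukes Google, Yahoo! search. Someone found that Google Toolbar and the older version of Yahoo! Toolbar do not work, while the toolbars from everyone else do.
The evil Microsoft empire continues to spread…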
Posted in Computer, Murmuring, Network, Security, Software at 8:00 am by gslin
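The Slashdot story Running Windows With No Services mentions the article Running Windows with No Services. (zmx mentioned it a few days ago.)
I just tested it; after turning off everything that could be turned off, it looks pretty satisfying. Besides the ones that cannot be turned off, I also kept Themes (because I want to use it) and Windows Time Service (I need time sync).
If you don't like the look of a service, just give it a couple of jabs :p
Update: now anything that involves I/O is extremely slow, and I don't know which service I turned off to cause it… After a good sleep I plan to reinstall as Windows 2000 XD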
Posted in Computer, Murmuring, Network, Programming, Security, Software at 5:28 am by gslin
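Okay, sure enough I saw the report on Slashdot: Microsoft Genuine Advantage Cracked in 24 Hours, which is relayed from a Boing Boing article. The method is simple: before choosing “Express” or “Custom”, enter this in the address bar: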
javascript:void(window.g_sDisableWGACheck='all')
And that's it XD
PS: I only just noticed that I hadn't subscribed to Boing Boing; no wonder it felt like something was missing XD