Logo Allmyblog
Logo Allmyblog
Lien de l'article    

DOVENDOSI

Batteries d’ordinateur portable Asus | Replacement batterie pour Asus - batterie-portable-asus.com
Contacter l'auteur de ce blog

5 DERNIERS ARTICLES
- Battery for Dell Studio 1537
- Battery for Apple A1406
- Battery for Apple A1406
- Battery for ASUS A75VD
- Batterie pour Dell Inspiron 1000
Sommaire

CALENDRIER
LunMarMerJeuVenSamDim
0102
03040506070809
10111213141516
17181920212223
24252627282930
31
<< Juillet >>

BLOGS FAVORIS
Ajouter dovendosi à vos favoris
 Battery for Apple 13 inch MacBook Air Alerter l'administrateur Recommander à un ami Lien de l'article 

The attackers uploaded a malware file on Classic Shell page which was downloaded approximately 300 times. We removed the file in several minutes and we changed all passwords for all services we had.They were greedy meaning that they targeted the largest projects listed on FossHub: Audacity and Classic Shell. We reacted promptly for Audacity installer but for Classic Shell, several hundred users were able to download the malware infected version.Several hours later, we noticed the attackers were able to gain access through an FTP account and we decided to shut down the main server immediately to prevent any further infection/damage.We are currently in the process of reinstalling everything, change all access rights, passwords and run up under new security rules. I would like to say that we “apologize” but I would lie not to admit it is the worst day ever for me (personally) and all FossHub team members.Classic Shell developer Ivo Beltchev is advising anyone unsure of their downloads to check for the security certificate: the authentic version will show Beltchev as a verified publisher, while the malicious build will show up in Windows as coming from an unknown publisher.Team Audacity, meanwhile, said: "For about 3 hours on August 2, 2016, our download server was serving a hacked copy of Audacity that contained malware. This was due to hackers obtaining the password of one of our developers and using it to upload the malware.

"We are a community of developers, documentation writers, support and help people, not a commercial outfit with a dedicated security team with strong security protocols."We did not have the right safeguards in place, namely, to monitor external files. We clearly have not been vigilant enough. Over the next few weeks we will be working to become a safer, more secure organization." If we have internet-facing web servers (and other types of server, for that matter) we care about how vulnerable they are to attack. There are loads of services out there that you can use to probe your public-facing systems, and they'll tell you loads of useful stuff about why they might be vulnerable. But of course they're only useful if you understand what on Earth the probe service is telling you.We're going to take a canter through the five flaws that are generally considered the most important in the world of internet-facing servers, courtesy of the most recent list from the Open Web Application Security Project, better known as OWASP, explain what each of them actually means, and point at how you can protect yourself.There are various types of “injection” attack – the one I see most is the SQL injection. These attacks happen when you've been sloppy (or you've failed to realise how defensive you ought to have been) in writing the code that sits behind your website and interprets what's sent to it from forms and the like.

Imagine you run a directory services website; the user enters a surname and your back-end code searched for that name and returned the results using a simple query. Imagine we'd entered the name “Smith”, and it capitalised the string, pulled it into the query and ran it:Perfectly valid query to many databases – multiple queries strung together separated by semicolons will be executed in turn. So as long as there's a table called “users”, this will try to delete it. The intruder won't care about what the SELECTs do – just that the query set is valid and doesn't get thrown out by the parser so that the DELETE gets executed.Injection attacks are easy to mitigate: most Web programming systems have functions that will sanitise input strings (e.g. by converting, a ' into a double '' so it's guaranteed to be treated as a data character instead of being allowed to form part of a command), and if your database allows parameterised queries then use that too. And don't run the database connection under a user ID that has permission to delete stuff it shouldn't. So long as the raw string can't get executed by the database, you're good. (Incidentally, this string conversion is called “escaping” the special characters such as quotation marks. Ask Mr. Google about “escaping SQL strings” and he'll elaborate for you).

If your website has a mechanism for users to log in in order to access some of the content, you'll probably use some kind of “session ID” that gets passed between the browser and the server. When the user logs in the server issues a unique session ID, and the browser passes that in with every subsequent request. Often the ID will be passed in the query itself:That's fine in principle, but you need to be careful at the server end. You'll usually have a table in your site's back-end database recording current session IDs, and will remove a session when the user hits the “Log out” button. But if they just quit the browser instead of logging out, someone else could fire it up later and land right back in their session if the session is still considered current at the server end.There's no hard and fast solution (which is why you often see big notices saying “MAKE SURE YOU LOG OUT IF YOU'RE ON A PUBLIC PC” on sites) but you can at the very least have a function that throws away sessions after a few minutes of disuse. This doesn't help if the illicit user gets in quickly, but it's a start.I'm surprised this wasn't number 1 in the OWASP list as it's the one I see most, but at least it's in the top five. The “cross site” bit is all about the attacker being able to inject something into a particular site that causes innocent users unwittingly to access a different site.

Imagine you host an online forum: people write comments and they're published on the site. But what if the comment has a chunk of JavaScript secreted in it alongside the innocent-looking message:The innocent user's browser will execute the script – and bearing mind that JavaScript can do all kinds of powerful funky stuff the chances are that this will involve connecting to the intruder's server and sending sensitive data that could be used against the genuine user.You've probably spotted that this type of attack is similar to the SQL injection we looked at earlier: so to protect yourself you simply need to ensure that you're escaping any user input so that it doesn't just blindly get whacked into the system and treated as valid code.You wouldn't present a web page that includes back-end information in the query, would you? For example if a user logs in and his internal account ID is 1029345:You do? Hmm, I wouldn't. But if you insist, presumably you do some validation so the user can't just change the account number and see someone else's details:You'd be surprised that this type of daftness exists, but it does. How to avoid it? Use unique, randomised session IDs, never include internal identifiable Ids (account numbers, seqential identifiers, etc) in browser exchanges like this, and verify access permissions with every single page request.

  Aucun commentaire | Ecrire un nouveau commentaire Posté le 04-07-2017 à 04h34

 Battery for ASUS G73S Alerter l'administrateur Recommander à un ami Lien de l'article 

This one covers a vast range of possible system issues, and in the OWASP context it's not actually restricted to configuration in its literal sense because the category also includes problems with out-of-date software (which may have security bugs that are fixed in later releases). The three genuinely configuration-related issues I've seen most over the years are:Leaving diagnostic messages enabled on the server. For instance in an out-of-the box PHP installation you can generally point the browser at http://www.mysite.com/phpinfo.php – which dishes up all the gory information about your server, OS version, database version, PHP version … everything an intruder needs in order to look up your vulnerabilities via Google. Excessive permissions on back-end systems – usually databases. As with the SQL injection example earlier, the connection from your Web server into the back-end system must have the minimum possible privilege so if someone manages to execute (say) a SQL injection that deletes data it's rejected due to a lack of permissions. FireEye has admitted that a snafu involving its email filtering technology meant harmless messages were shuffled off to quarantine for no good reason.

The glitch persisted for around two hours during during Monday morning before the problem was resolved, as a statement by the security vendor supplied to El Reg explains.At approximately 10am BST Monday 1 August, FireEye became aware of an issue with a newly released version of the Security Content in its Email Security products that caused certain non-malicious emails to be temporarily quarantined. A new version of Security Content was released in under two hours, limiting impact and resolving the issue for customers automatically.FireEye deploys rapid updates to Security Content in order to quickly mitigate emerging campaigns, and we will continue to improve our testing and review prior to release.El Reg heard of the “computer says no” issue from a reader – who asked to remain anonymous – and complained that FireEye “crippled email globally for all their customers running email protection”, a comment that doubtless stemmed from understandable personal frustration.

Black Hat video Car hackers Charlie Miller and Chris Valasek have again hacked a 2014 Jeep Cherokee, this time by physically linking a laptop to commandeer its steering and kill the brakes.The duo have captured the hack to be presented at Black Hat Las Vegas this week in video proof-of-concept demonstrations.The compromise requires attackers to be physically present in order to compromise the car.However Miller confirmed this writer's suggestion that the attacks could be carried out using a concealed device which either contains automated and timed commands, or with remote attacks over a wireless link.Such a feat which Miller says were "most definitely" possible could be considered a vector for targeted, albeit over-engineered, assassination.The localised attack is similar to other CAN bus attacks in which researchers have popped locks, compromised steering, and brakes.There are legitimate uses for tapping CAN buses that have spawned companies which manufacture products that tap into the ports in order to display detailed fuel consumption and engine data to drivers, for example.

In one of the proof-of-concept videos Miller sits in the back of the Jeep with a lead connecting his laptop to the CAN bus above the dashboard. Valasek cruises at low speed through a cornfield road until Miller causes the steering wheel of the Jeep to lock 90 degrees to the right sending it off road.The attack affects the same Jeep which was patched after the duo remotely hacked it last year killing the engine during a live demonstration on US highway I-64. The pair attacked the Jeep's electronic control units disabling one by sending it into a maintenance mode and using another to send spoofed commands.Cruise control speed can also be set but drivers can quickly regain control by tapping brakes. The pair say they've penned a paper, to be revealed at Black Hat, in which they recommend vehicle manufacturers should better lock down CAN buses. To help auto-makers along, the pair have built an intrusion detection system that can detect their attacks. Black Hat Neil Wyler and Bart Stump are responsible for managing what is probably the world’s most-attacked wireless network.The two friends, veterans among a team of two dozen, are at the time of writing knee deep in the task of running the network at Black Hat, the security event where the world reveals the latest security messes.

The event kicks off with three days of training, then unleashes tempered anarchy as the conference proper gets under way.Wyler, better known as Grifter (@grifter801), heads the NoC – the network operations centre – at Black Hat, an event he has loved since he was 12 years old. “I literally grew up among the community,” he says.Wyler's day job is working for RSA's incident response team while Stumper is an engineer with Optiv, but their Black Hat and DEF CON experience trumps their professional status. Wyler has worked with Black Hat for 14 years and DEF CON for 17 years, while Stump has chalked up nine years with both hacker meets.Together with an army of capable network engineers and hackers, they have operated two of the few hacker conference networks that delegates and journalists are advised to avoid.Rightly so; over the next week the world’s talented hacker contingent will flood Las Vegas for Black Hat and DEF CON, the biggest infosec party week of the year. The diverse talents – and ethics – of the attending masses render everything from nearby ATMs to medical implants potentially hostile and not-to-be-trusted.

Some 23 network and security types operate the Black Hat NoC and are responsible for policing that particular conference's network, which they helped create. Come August each member loosens the strict defensive mindset they uphold in their day jobs as system administrators and security defenders to let the partying hackers launch all but the nastiest attacks over their network.“We will sit back and monitor attacks as they happen," Wyler tells The Register from his home in the US. "It's not your average security job."The crew operates with the conference din as a background, sometimes to cheers as speakers pull off showy hacks or offer impressive technical demos in rotating shifts. In the Black Hat NoC, some laugh, some sleep, and all work in a darkness broken by the glow of LEDs and computer screens. Their score is a backdrop of crunching cheese Nachos, old hacker movies, and electronic music."Picture it in the movies, and that's what it's like," Stump says, commiserating with your Australia-based scribe's Vegas absence. "It'll be quite a sight, you'll be missing something."

  Aucun commentaire | Ecrire un nouveau commentaire Posté le 04-07-2017 à 04h42


Historique : 04-07-2017
 

SYNDICATION
 
Fil RSS 2.0
Ajouter à NetVibes
Ajouter à Google
Ajouter à Yahoo
Ajouter à Bloglines
Ajouter à Technorati
http://www.wikio.fr
 

Allzic en direct

Liens Commerciaux
L'information à Lyon
Retrouvez toute l'actu lyonnaise 24/24h 7/7j !


L'information à Annecy
Retrouvez toute l'actu d'Annecy 24/24h 7/7j !


L'information à Grenoble
Retrouvez toute l'actu de Grenoble 24/24h 7/7j !


Application Restaurant
Restaurateurs, demandez un devis pour votre application iPhone


Fete des Lumières
Fête des lumières : vente de luminaires, lampes, ampoules, etc.

Votre publicité ici ?
  Blog créé le 11-07-2016 à 05h33 | Mis à jour le 25-07-2017 à 07h49 | Note : Pas de note