Archive

‘General Discuss’ 分類過的Archive

Flash zero-day(CVE-2010-1297) used in mass injections

2010年6月13日 Mars 1 則評論

In recent days, the vulnerability of flash(CVE-2010-1297) has been used for drive-by download. Therefore, many websites are injected by malicious links such as  (hxxp://2677.in/yahoo.js), and those comprised webistes are intruded by automatic mass injection tools.   

Mass Injections   

TOMTOM WebSite is injected by Malicious link

In most cases, hackers are faster than vendors, so it gives them a great opportunity to build a strong BotNet and be able to control more victims. :(    

The following flow chart shows the attacking path of Zero-Day.     

閱讀全文…

Categories: Exploits, General Discuss, Malware Research Tags:

Chip and PIN is Broken

2010年2月15日 Mars 1 則評論
Pin and Chip bypass the pin code
Pin and Chip bypass the pin code

EMV is the dominant protocol used for smart card
payments worldwide, with over 730 million cards in circulation.
Known to bank customers as “Chip and PIN”, it is used in
Europe; it is being introduced in Canada; and there is pressure
from banks to introduce it in the USA too. EMV secures
credit and debit card transactions by authenticating both the
card and the customer presenting it through a combination of
cryptographic authentication codes, digital signatures, and the
entry of a PIN. In the following paper  that describe and demonstrate a
protocol flaw which allows criminals to use a genuine card
to make a payment without knowing the card’s PIN, and
to remain undetected even when the merchant has an online
connection to the banking network. The fraudster performs a
man-in-the-middle attack to trick the terminal into believing
the PIN verified correctly, while telling the issuing bank that
no PIN was entered at all.

Research Paper from Cambridge .UK
Categories: General Discuss Tags:

網路就像是一部沒有煞車系統的汽車

2009年12月28日 Mars 尚無評論

隨著科技不斷進步,網路提高了人們通訊的效率與社會的便利,但也直接改變了民眾的日常生活,例如:手機無線上網、全民瘋Facebook開心農場、Plurk、Twitter微型網誌的出現等;現今的網路發展就像是一個沒有煞車系統的汽車,本身安全性的欠缺,如又遇到不良駕駛,當然會衍生許多資訊安全與犯罪問題,例如:個資外洩、網路詐騙、網路洗錢,駭客入侵等資安事件。

Categories: General Discuss Tags:

保護資料你我有責

2009年12月28日 Mars 尚無評論

近年最夯的資安話題之一「資料外洩問題」,到了此時仍無法獲得有效控制,至今不管是國內或國外、政府或民間單位,幾乎每個月仍有不少資料外洩之新聞報導;另由於駭客攻擊手法之轉型,例如:由本機(Client)入侵轉變為攻佔網站(Web)、由病毒感染(Virus)轉變為間諜程式植入(Spyware)、由執行檔(EXE)改以各種文件(DOC、PDF、SWF)夾帶惡意程式等手法進入使用者電腦,如果人們使用電腦之安全習慣沒有改變(業務家辦、開啟來路不明信件、連結等),而在現有掃描與偵測技術無法有效的阻擋此類攻擊下,許多公司企業資料外洩的情況還是會陸續上演,雖目前電腦處裡個人資料保護法未規範八大行業以外之機關,然如因未妥善保管民眾之個人資料而外洩,除造成客戶觀感不佳外,所流出的資料亦是難以收回。

Categories: General Discuss Tags: