Tag Archives: password

各家 Session Replay 服務對個資的處理

Session Replay 指的是重播將使用者的行為錄下來重播,市面上有很多這樣的服務,像是 User Replay 或是 SessionCam。 這篇文章就是在討論這些服務在處理個資時的方式,像是信用卡卡號的內容,或是密碼的內容,這些不應該被記錄下來的資料是怎麼被處理的:「No boundaries: Exfiltration of personal data by session-replay scripts」,主要的重點在這張圖: 後面有提到目前防禦的情況,看起來目前用 adblock 類的軟體可以擋掉一些服務,但不是全部的都在列表裡。而 DNT 則是裝飾品沒人鳥過: Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security, Service, WWW|Tagged , , , , , , , , , , , , |Leave a comment

iOS App 的釣魚

在「iOS Privacy: steal.password - Easily get the user's Apple ID password, just by asking」這邊作者示範了怎麼釣魚:直接模擬 iOS 的系統視窗跟使用者要密碼。 看了只有「操」... 目前想的到的 workaround 只有在看到類似的視窗時跳回主畫面,透過 Settings 裡確認?

Posted in Computer, Murmuring, Network, Security, Telephone|Tagged , , , , , , , , , , , |1 Comment

Yahoo! 的資料外洩數量超過之前公佈的十億筆,上升到三十億筆

Oath (Y! 的新東家,Verizon 持股) 發表了新的通報,外洩數量直接上升到 3 billion 了:「Yahoo provides notice to additional users affected by previously disclosed 2013 data theft」。 也就是當時所有的使用者都受到影響: Subsequent to Yahoo's acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following … Continue reading

Posted in Computer, Murmuring, Network, Privacy, Security|Tagged , , , , , , , , , , |Leave a comment

超過三億筆的密碼 (Hash 過的)

Troy Hunt 放出三億筆 SHA1 hash 過的密碼讓大家研究:「Introducing 306 Million Freely Downloadable Pwned Passwords」。 他引用了 NIST 新的草案中對密碼的建議,阻擋已知外洩的密碼: 檔案可以在「I been pwned? Pwned Passwords」這邊下載。

Posted in Computer, Murmuring, Network, Privacy, Security, Service, Social|Tagged , , , , , , , , , , |Leave a comment

歡樂的 md5crypt 密碼...

作者寫了一篇關於以前在 WHOIS 記錄上看到一串 $1$ 開頭的 md5crypt 密碼 XDDD:「I mean, why not tell everyone our password hashes?」。 Now the fields are filtered but this is a reasonably recent change. Prior to July 2015 the hashed passwords were shown to anyone who … Continue reading

Posted in Computer, Murmuring, Network, Security|Tagged , , , , , , , , , , |Leave a comment

重設密碼 + Social Engineering

在「The password reset MitM attack」這邊看到 PRMitM (Password Reset Man-in-the-Middle) 這樣的攻擊,原始論文在「The Password Reset MitM Attack」這邊可以取得。 用圖說明基本版的攻擊方式: 另外列出了各大站台的狀態: 以及各家簡訊的文字,可以發現不是每一家都有把產品的名稱寫上去: 這方法好有趣啊... XD

Posted in Computer, Murmuring, Network, Security, Service, WWW|Tagged , , , , , , , , , , , |1 Comment

利用手機的 sensor 取得 PIN 碼

把 side-channel information 配合上統計方法就可以達到 74% 的正確率:「Phone Hack Uses Sensors To Steal PINs」。 透過 browser 的 javascript 就可以拉出這些資料,然後利用這些資料去猜你的手機 PIN 碼: Researchers from U.K.-based Newcastle University created a JavaScript app called PINlogger.js that has the ability to access data generated by the … Continue reading

Posted in Browser, Computer, Firefox, GoogleChrome, Hardware, Murmuring, Network, Programming, Safari, Security, Software, WWW|Tagged , , , , , , , , , , , , , , , , , |Leave a comment

用 SessionGopher 拉出機器上各種密碼與 Key

同事在 Slack 上提到 fireeye/SessionGopher 這個工具,可以從機器上拉出各種敏感資訊: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally. 方法是掃 … Continue reading

Posted in Computer, Murmuring, OS, Security, Software, Windows|Tagged , , , , , , , , , , , , , , , , |Leave a comment

透過手機螢幕上的餘熱猜測 PIN 碼

利用手機螢幕上的餘熱分析可能的 PIN 碼:「Heat traces left by fingers can reveal your smartphone PIN」,在輸入完 PIN 碼的 30 秒內的準確度都還是很高 (80%): The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate … Continue reading

Posted in Computer, Hardware, Murmuring, Security, Telephone|Tagged , , , , , , , , , , |Leave a comment