Tag Archives: security

Progress on Git supporting other hash algorithms

Git uses SHA-1, and with SHA-1 now broken, Git has started planning for other hash algorithms (see "Google and CWI Amsterdam collaborate to find the first SHA-1 collision"). Some of the groundwork is visible in ""uchar [40]" to "struct object_id" conversion continues.": the bare uchar[40] arrays are first being replaced with a generic struct object_id, so that the hash width is no longer baked into every function signature. There is also some discussion on Hacker News in "The beginning of Git supporting other hash algorithms".
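To show why the object_id abstraction matters, here is an added illustration (not Git's own code) of a hash-agnostic object id: the algorithm table, the two sizes, and all function names are assumptions for this example. The point is that parsing, formatting and comparison consult the algorithm descriptor instead of hard-coding 20 bytes, so adding a second algorithm is a table entry rather than a change to every caller.

```c
/*
 * Added illustration, not Git's own code: a hash-agnostic object id in the spirit
 * of struct object_id. Algorithm table, sizes and function names are assumptions.
 */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define OID_MAX_RAWSZ 32            /* wide enough for a 256-bit hash */

enum oid_algo { OID_SHA1 = 0, OID_SHA256 = 1 };

static const struct { const char *name; size_t rawsz; } oid_algos[] = {
    { "sha1",   20 },
    { "sha256", 32 },
};

struct object_id {
    unsigned char hash[OID_MAX_RAWSZ];  /* only the first rawsz bytes are meaningful */
    enum oid_algo algo;
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;                          /* includes '\0', so short input fails cleanly */
}

/* Parse exactly 2*rawsz hex digits for algo (no trailing junk). 0 on success, -1 on error. */
int get_oid_hex(const char *hex, struct object_id *oid, enum oid_algo algo)
{
    size_t rawsz = oid_algos[algo].rawsz, i;
    for (i = 0; i < rawsz; i++) {
        int hi = hexval(hex[2 * i]);
        int lo = hi < 0 ? -1 : hexval(hex[2 * i + 1]);   /* never read past a NUL */
        if (hi < 0 || lo < 0) return -1;
        oid->hash[i] = (unsigned char)((hi << 4) | lo);
    }
    if (hex[2 * rawsz] != '\0') return -1;  /* longer than this algorithm's width */
    memset(oid->hash + rawsz, 0, OID_MAX_RAWSZ - rawsz);
    oid->algo = algo;
    return 0;
}

/* Format into buf (at least 2*OID_MAX_RAWSZ + 1 bytes); returns buf. */
char *oid_to_hex(const struct object_id *oid, char *buf)
{
    static const char digits[] = "0123456789abcdef";
    size_t rawsz = oid_algos[oid->algo].rawsz, i;
    for (i = 0; i < rawsz; i++) {
        buf[2 * i]     = digits[oid->hash[i] >> 4];
        buf[2 * i + 1] = digits[oid->hash[i] & 0x0f];
    }
    buf[2 * rawsz] = '\0';
    return buf;
}

/* Equal only if same algorithm and same bytes; never compare across algorithms. */
int oideq(const struct object_id *a, const struct object_id *b)
{
    return a->algo == b->algo &&
           memcmp(a->hash, b->hash, oid_algos[a->algo].rawsz) == 0;
}

/* Checkable helpers: parse, re-format and compare hex ids. */
int oid_roundtrip_ok(const char *hex, enum oid_algo algo)
{
    struct object_id oid;
    char buf[2 * OID_MAX_RAWSZ + 1];
    if (get_oid_hex(hex, &oid, algo) != 0) return 0;
    return strcmp(oid_to_hex(&oid, buf), hex) == 0;
}

int hex_oids_equal(const char *h1, enum oid_algo a1, const char *h2, enum oid_algo a2)
{
    struct object_id x, y;
    if (get_oid_hex(h1, &x, a1) != 0 || get_oid_hex(h2, &y, a2) != 0) return 0;
    return oideq(&x, &y);
}

int main(void)
{
    const char *sha1_empty = "da39a3ee5e6b4b0d3255bfef95601890afd80709";       /* SHA-1("") */
    const char *sha256_empty =
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855";  /* SHA-256("") */
    printf("sha1 roundtrip: %d\n", oid_roundtrip_ok(sha1_empty, OID_SHA1));
    printf("sha1 string parsed as sha256: %d\n", oid_roundtrip_ok(sha1_empty, OID_SHA256));
    printf("sha256 roundtrip: %d\n", oid_roundtrip_ok(sha256_empty, OID_SHA256));
    return 0;
}
```

The length check is the security-relevant part: a 40-digit string must be rejected when the caller asks for the 256-bit algorithm, and vice versa, or a truncated or padded id could silently compare equal to something else.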


Checking whether your browser blocks insecure SSL connections

Saw here that you can test your browser's SSL connections; the site is at https://badssl.com/dashboard/: "OOO, Chrome just added a dashboard to quickly test out whether your network connection's being ruined by inspection: https://t.co/1iVkGnat7A" — Eric Mill (@konklone), March 17, 2017. Google Chrome passes all of them, but Firefox and IE11 can still connect to dh1024... …


EdgeCast finally remembers to roll out HTTP/2...

Every time I see EdgeCast's sales people I complain about this; now it is finally official... EdgeCast's HTTP/2 is scheduled to go fully live on 2017/03/31: "HTTP/2 Coming Soon to Our Customers with SSL Certificates!". Since the rollout is gradual, some sites will get it before 3/31 (EdgeCast's own site, for instance): "The rollout of HTTP/2 will be gradual, and you may start to see some of your content …"


Continued maintenance for Ubuntu 12.04 after April 2017

Although Ubuntu 12.04 (Precise Pangolin, usually just called Precise) reaches the end of its five years of maintenance on 2017/04/28, and the official advice is to upgrade to 14.04 (Trusty Tahr) or 16.04 (Xenial Xerus), there will always be systems that cannot be upgraded for one reason or another... For users still on 12.04 because upgrading is hard, Ubuntu offers a commercial maintenance contract, Ubuntu Advantage: "Introducing Ubuntu 12.04 ESM (Extended Security Maintenance)". The Desktop edition is $125/year (minimum 50 seats), VM is $250/year (minimum 10), Server …


So Netflix is trying out Google Cloud Platform too...

Saw "Netflix Security Monkey on Google Cloud Platform"; it looks like Netflix is trying out Google Cloud Platform as well. Security Monkey originally analysed AWS; it now supports GCP too (still in beta): "Security Monkey monitors policy changes and alerts on insecure configurations in an AWS account. While Security Monkey's main …"


Pulling the saved passwords and keys off a machine with SessionGopher

A colleague mentioned fireeye/SessionGopher on Slack, a tool that pulls all sorts of sensitive information off a machine: "SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally." The method is to scan …
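To see concretely what such a tool harvests, here is an added PowerShell example (not SessionGopher's code) that walks the same per-user stores locally: the PuTTY, WinSCP and Remote Desktop registry keys and FileZilla's sitemanager.xml. The paths are the well-known defaults for those tools and are assumptions for this example; run it as the user whose profile you want to audit.

```powershell
# Added example, not part of SessionGopher: inventory the saved-session stores on the
# local host so a defender can see what a harvesting tool would find. Registry paths
# and the FileZilla file location are the tools' defaults (assumptions for this example).
function Get-SavedRemoteSessions {
    [CmdletBinding()]
    param()

    $results = @()

    # PuTTY: one subkey per saved session; ProxyPassword is stored in clear text.
    $puttyRoot = 'HKCU:\Software\SimonTatham\PuTTY\Sessions'
    if (Test-Path $puttyRoot) {
        foreach ($key in Get-ChildItem $puttyRoot) {
            $s = Get-ItemProperty $key.PSPath
            $secret = ''
            if ($s.ProxyPassword) { $secret = 'ProxyPassword present' }
            elseif ($s.PublicKeyFile) { $secret = "key file: $($s.PublicKeyFile)" }
            $results += [pscustomobject]@{
                Tool    = 'PuTTY'
                Session = [uri]::UnescapeDataString($key.PSChildName)  # names are URL-encoded
                Host    = $s.HostName
                User    = $s.UserName
                Secret  = $secret
            }
        }
    }

    # WinSCP: sessions live in the registry unless an INI file is configured;
    # the Password value is obfuscated, not encrypted.
    $winscpRoot = 'HKCU:\Software\Martin Prikryl\WinSCP 2\Sessions'
    if (Test-Path $winscpRoot) {
        foreach ($key in Get-ChildItem $winscpRoot) {
            $s = Get-ItemProperty $key.PSPath
            $secret = ''
            if ($s.Password) { $secret = 'Password present (obfuscated)' }
            $results += [pscustomobject]@{
                Tool    = 'WinSCP'
                Session = [uri]::UnescapeDataString($key.PSChildName)
                Host    = $s.HostName
                User    = $s.UserName
                Secret  = $secret
            }
        }
    }

    # Microsoft Remote Desktop client: remembers the last username per host.
    $rdpRoot = 'HKCU:\Software\Microsoft\Terminal Server Client\Servers'
    if (Test-Path $rdpRoot) {
        foreach ($key in Get-ChildItem $rdpRoot) {
            $s = Get-ItemProperty $key.PSPath
            $results += [pscustomobject]@{
                Tool    = 'RDP'
                Session = $key.PSChildName
                Host    = $key.PSChildName
                User    = $s.UsernameHint
                Secret  = ''
            }
        }
    }

    # FileZilla: site manager entries are XML under %APPDATA%; Pass is base64 at best.
    $fzFile = Join-Path $env:APPDATA 'FileZilla\sitemanager.xml'
    if (Test-Path $fzFile) {
        [xml]$xml = Get-Content -Raw $fzFile
        foreach ($srv in $xml.SelectNodes('//Server')) {
            # SelectSingleNode avoids the clash between the <Name> child and XmlNode.Name.
            $secret = ''
            if ($srv.SelectSingleNode('Pass')) { $secret = 'Pass present' }
            $results += [pscustomobject]@{
                Tool    = 'FileZilla'
                Session = $srv.SelectSingleNode('Name').InnerText
                Host    = $srv.SelectSingleNode('Host').InnerText
                User    = $srv.SelectSingleNode('User').InnerText
                Secret  = $secret
            }
        }
    }

    return $results
}

Get-SavedRemoteSessions | Format-Table -AutoSize
```

The script deliberately reports only that a stored secret exists rather than decoding it; the lesson for defenders is that every row is a credential or a target hostname an attacker gets for free once they have a session as that user, so saved sessions with embedded passwords should be treated as plaintext secrets on disk.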


Analysing how many insecure JavaScript libraries are still in use

Saw this research on JavaScript libraries in "Thou shalt not depend on me: analysing the use of outdated JavaScript libraries on the web". jQuery is, unsurprisingly, still the biggest share; looking it up, the issue is probably CVE-2011-4969, which affects the three versions jQuery 1.6, 1.6.1 and 1.6.2. The paper also covers hosting, where Google Hosted Libraries still has the highest share.
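As an added example (not code from the paper or from jQuery), here is the kind of check such an audit runs: pull the jQuery version out of a script URL as served from a CDN such as Google Hosted Libraries or a self-hosted file, match it against the CVE-2011-4969 range the post names (1.6 up to but not including 1.6.3), and, since the bug was reached by handing location.hash to $(), a hardened selector guard that removes the exposure regardless of which version is loaded. The function names and URL layouts are assumptions for this example.

```javascript
// Added example, not from the paper or from jQuery: version extraction, a range check
// for the CVE-2011-4969 range named on the page, and a hardened location.hash guard.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)(?:\.(\d+))?/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3] || 0)] : null;
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Affected ranges as [min inclusive, max exclusive]. Only the advisory discussed on
// the page is listed; a real audit would load these from a vulnerability database.
const KNOWN_BAD = [
  { id: 'CVE-2011-4969', lib: 'jquery', min: [1, 6, 0], max: [1, 6, 3] },
];

function findAdvisories(lib, version) {
  const v = parseVersion(version);
  if (!v) return [];
  return KNOWN_BAD
    .filter(r => r.lib === lib && cmpVersion(v, r.min) >= 0 && cmpVersion(v, r.max) < 0)
    .map(r => r.id);
}

// Version from a script src, for the two layouts an audit sees most:
// ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js and jquery-1.6.2.min.js.
function versionFromScriptUrl(url) {
  const m = /\/jquery\/(\d+\.\d+(?:\.\d+)?)\/jquery(?:\.min)?\.js/.exec(url)
         || /jquery-(\d+\.\d+(?:\.\d+)?)(?:\.min)?\.js/.exec(url);
  return m ? m[1] : null;
}

// CVE-2011-4969 was reachable through code like $(location.hash): an affected jQuery
// treated a hash containing '<' as HTML to create rather than an id to look up.
// Whatever version is loaded, only pass $() a hash that is provably a bare id selector.
const SAFE_ID_HASH = /^#[A-Za-z][\w-]*$/;
function safeHashSelector(hash) {
  return SAFE_ID_HASH.test(hash) ? hash : null;
}

// Audit a page's script srcs (an array of strings) and report version and advisories.
function auditScripts(srcs) {
  return srcs
    .map(src => ({ src, version: versionFromScriptUrl(src) }))
    .filter(e => e.version !== null)
    .map(e => ({ src: e.src, version: e.version, advisories: findAdvisories('jquery', e.version) }));
}

// Constructed sample: one CDN-hosted vulnerable copy and one unrelated script.
console.log(auditScripts([
  'https://ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js',
  '/js/app.js',
]));
```

Version sniffing from URLs is exactly as reliable as the URL: a renamed or bundled copy needs a content fingerprint instead, which is why the guard on untrusted selector input is the part worth keeping even after upgrading.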


Guessing the PIN from residual heat on a phone screen

Analysing the residual heat on a phone screen to infer the likely PIN: "Heat traces left by fingers can reveal your smartphone PIN". Accuracy is still high (80%) within 30 seconds of the PIN being entered: "The report further revealed that if the thermal image is collected within 15 seconds of a PIN being entered, the technique is accurate …"


Malware that receives its commands over DNS TXT records

Saw "New Fileless Malware Uses DNS Queries To Receive PowerShell Commands", so someone has started pulling this trick... "Distributed through an email phishing campaign, the DNSMessenger attack is completely Fileless, as it does not involve writing files to the targeted system; instead, it uses DNS TXT messaging capabilities …"
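A command channel over TXT records leaves a recognisable shape in the resolver's query log: one client, one domain, repeated TXT queries, and a fresh random-looking label each time so the answer is never served from cache. As an added example (not code from the article and not derived from the DNSMessenger samples), here is a small detector over BIND-style query log lines; the log lines are constructed and the thresholds are assumptions to tune against your own traffic.

```python
"""
Added example, not from the article or the DNSMessenger samples: flag the TXT query
pattern a DNS command channel leaves in a BIND-style query log. Log lines below are
constructed; thresholds are assumptions.
"""
import math
import re
from collections import Counter, defaultdict

# BIND querylog shape: "... client 10.0.0.5#53123 (name): query: name IN TXT + (192.0.2.1)"
LINE_RE = re.compile(
    r"client (?P<ip>[\d.]+)#\d+.*?: query: (?P<name>\S+) IN (?P<qtype>[A-Z]+)"
)

# Constructed sample: routine mail-related TXT lookups for example.com, one A query,
# and a client issuing TXT queries for ever-changing labels under c2-update.example.
SAMPLE_LOG = """\
17-Mar-2017 10:00:01.101 client 10.0.0.9#51000 (example.com): query: example.com IN TXT + (192.0.2.1)
17-Mar-2017 10:00:01.205 client 10.0.0.9#51001 (_dmarc.example.com): query: _dmarc.example.com IN TXT + (192.0.2.1)
17-Mar-2017 10:00:01.310 client 10.0.0.9#51002 (selector1._domainkey.example.com): query: selector1._domainkey.example.com IN TXT + (192.0.2.1)
17-Mar-2017 10:00:02.000 client 10.0.0.5#53123 (www.c2-update.example): query: www.c2-update.example IN A + (192.0.2.1)
17-Mar-2017 10:00:05.011 client 10.0.0.5#53124 (k3x9qw2ljd8vm4rt.msg.c2-update.example): query: k3x9qw2ljd8vm4rt.msg.c2-update.example IN TXT + (192.0.2.1)
17-Mar-2017 10:00:35.014 client 10.0.0.5#53125 (b7n1zp5hg0ys6fcu.msg.c2-update.example): query: b7n1zp5hg0ys6fcu.msg.c2-update.example IN TXT + (192.0.2.1)
17-Mar-2017 10:01:05.020 client 10.0.0.5#53126 (r2d9mk4xq1wz8lpe.msg.c2-update.example): query: r2d9mk4xq1wz8lpe.msg.c2-update.example IN TXT + (192.0.2.1)
17-Mar-2017 10:01:35.023 client 10.0.0.5#53127 (v5t3jh7nc2ba6gqs.msg.c2-update.example): query: v5t3jh7nc2ba6gqs.msg.c2-update.example IN TXT + (192.0.2.1)
"""


def parse_queries(log):
    """Yield (client_ip, qname, qtype) for each parsable line."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").rstrip(".").lower(), m.group("qtype")


def registered_domain(name):
    """Crude 'last two labels' grouping; use a public-suffix list in production."""
    labels = name.split(".")
    return ".".join(labels[-2:])


def shannon_entropy(s):
    """Bits per character; random labels score high, dictionary words low."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_txt_beacons(log, min_queries=3, min_entropy=3.0):
    """
    Return [(client_ip, domain, count)] for client/domain pairs where the client sent
    at least min_queries TXT queries, every qname was different (fresh labels defeat
    caching, which a command channel needs), and the subdomain part looks random.
    """
    per_pair = defaultdict(list)
    for ip, name, qtype in parse_queries(log):
        if qtype == "TXT":
            per_pair[(ip, registered_domain(name))].append(name)

    findings = []
    for (ip, domain), names in sorted(per_pair.items()):
        if len(names) < min_queries or len(set(names)) != len(names):
            continue
        subs = [n[: -len(domain) - 1] if n != domain else "" for n in names]
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if mean_entropy >= min_entropy:
            findings.append((ip, domain, len(names)))
    return findings


if __name__ == "__main__":
    for ip, domain, count in find_txt_beacons(SAMPLE_LOG):
        print(f"{ip} -> {domain}: {count} distinct TXT queries with random-looking labels")
```

The uniqueness requirement is what keeps legitimate SPF, DMARC and DKIM lookups out of the findings: those repeat the same few names, while a channel that must evade the resolver cache cannot. Entropy alone is a weak signal (DKIM selector names score high too), so it is only applied after the count and uniqueness gates.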


GitHub to turn off insecure HTTPS/SSH algorithms on 2018/02/01

In "Discontinue support for weak cryptographic standards" the date is set: on 2018/02/01 the following will be switched off: for HTTPS, TLSv1 and TLSv1.1; for SSH, diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1. The hardest hit look to be Android 4.3 and earlier, which by the current official numbers (Dashboards) still account for 13%+; the built-in browser in those versions does not support TLSv1.2, though installing a separate browser still gets through...
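The practical question for an SSH client is whether anything acceptable is left once those two key-exchange methods are gone. As an added example (not GitHub's own tooling), this POSIX shell snippet checks a client's key-exchange list against the two retired algorithms; the sample lists are constructed, and on a real host you would feed it the output of `ssh -Q kex`.

```sh
#!/bin/sh
# Added example, not GitHub's tooling: does this client's KEX list survive the removal of
# diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1? Sample lists are constructed.

RETIRED_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1"

# kex_still_ok LIST: exit 0 if LIST (whitespace-separated) contains at least one
# algorithm that is not retired; exit 1 if every entry is retired.
kex_still_ok() {
    for alg in $1; do
        retired=0
        for r in $RETIRED_KEX; do
            [ "$alg" = "$r" ] && retired=1
        done
        [ "$retired" -eq 0 ] && return 0
    done
    return 1
}

# retired_kex_in LIST: print each retired algorithm LIST still advertises, one per line.
retired_kex_in() {
    for alg in $1; do
        for r in $RETIRED_KEX; do
            [ "$alg" = "$r" ] && printf '%s\n' "$alg"
        done
    done
}

# Constructed sample: an old client that only knows the two retired groups.
OLD_CLIENT_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1"
# Constructed sample: a current client that still lists group14-sha1 as a fallback.
NEW_CLIENT_KEX="curve25519-sha256 ecdh-sha2-nistp256 diffie-hellman-group-exchange-sha256 diffie-hellman-group14-sha1"

if kex_still_ok "$NEW_CLIENT_KEX"; then
    echo "modern client: still fine after the cutoff"
fi
kex_still_ok "$OLD_CLIENT_KEX" || echo "old client: no acceptable KEX left"
echo "retired algorithms the modern client still offers:"
retired_kex_in "$NEW_CLIENT_KEX"

# Live checks (need network, so commented out):
# ssh -Q kex                                                          # this client's list
# ssh -o KexAlgorithms=diffie-hellman-group1-sha1 -T git@github.com   # should fail after the cutoff
# openssl s_client -connect github.com:443 -tls1 </dev/null           # should fail after the cutoff
```

A client that still lists a retired method is not broken by the change, since the server simply never selects it; only a client whose entire list is retired loses access, which is the case the first function detects.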
