L'home dibuixat

«I am the drawn man, the one with neither flesh nor body.
The great take advantage of drawn men like me»


Do not update your computer while connected to an unknown WiFi network

11 May 2012 — Filed under: Malware

If, on connecting to a WiFi network, a message appears saying that an update is available for the operating system or an application… be suspicious. According to an FBI advisory, this appears to be a new channel for distributing malware:

Recently, there have been instances of travelers' laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available.


Exploit-exercises

11 May 2012 — Filed under: Techniques

http://exploit-exercises.com/ collects virtual machines with exercises, documentation and challenges for practising techniques used in attacks against computer systems and programs: privilege escalation, vulnerability analysis, exploit development, debugging, reverse engineering…


Session on the Voynich manuscript

7 May 2012 — Filed under: Cryptography

On the coming 11th, in Monte Porzio Catone (Italy), there is a conference on the Voynich manuscript on the occasion of the centenary of its discovery: «Voynich 100: A Hundred Years from the Re-discovery at Villa Mondragone».



Identifying users by the way they use the mouse

5 May 2012 — Filed under: Techniques

An Israeli research team has discovered a new way of identifying users, by the way they habitually move the mouse: «User identity verification via mouse dynamics»

Identity theft is a crime in which hackers perpetrate fraudulent activity under stolen identities by using credentials, such as passwords and smartcards, unlawfully obtained from legitimate users or by using logged-on computers that are left unattended. User verification methods provide a security layer in addition to the username and password by continuously validating the identity of logged-on users based on their physiological and behavioral characteristics.

We introduce a novel method that continuously verifies users according to characteristics of their interaction with the mouse.

The contribution of this work is threefold: first, user verification is derived based on the classification results of each individual mouse action, in contrast to methods which aggregate mouse actions. Second, we propose a hierarchy of mouse actions from which the features are extracted. Third, we introduce new features to characterize the mouse activity which are used in conjunction with features proposed in previous work.

The proposed algorithm outperforms current state-of-the-art methods by achieving higher verification accuracy while reducing the response time of the system.


Assessing the quality of websites with SSL: only 1 in 10 is really secure

30 April 2012 — Filed under: Security matters, Reports

A new project to assess the quality of websites with SSL, SSL Pulse, does not paint a very encouraging picture: 75% of the sites are vulnerable to the BEAST attack and only 10% of the sites can be described as properly secure.

There is quite a bit of alarming data in what the project has gathered, and one of those pieces of information is that more than 148,000 of the sites surveyed are vulnerable to the BEAST attack, which was developed by researchers Juliano Rizzo and Thai Duong and disclosed last year. Their attack uses what's known as a chosen-plaintext attack against the AES implementation in the TLS 1.0 protocol and enables them to use a custom tool they wrote to steal and decrypt supposedly secure HTTPS cookies. The attacker can then hijack the victim's secure SSL session with a site such as an e-commerce site or online banking site.

The BEAST attack is complex, but it's a serious concern and the fact that three quarters of the top sites that the project surveyed are still vulnerable to the attack is troubling. Sites can protect against the attack by implementing mitigations in their TLS 1.0 deployments, including configuring their servers to only use the RC4 cipher during TLS 1.0 or SSL 3.0 sessions.

On the project's website you can check the quality of the certificate for any URL.



© Copyright 1996-2012 Xavier Caballé.
Unless expressly stated otherwise, the published material is subject to a Creative Commons licence.
The contents and opinions of this blog are exclusively personal and have no relation to my professional activities.