Posts Tagged ‘News’

[Chinese] Urgent! Microsoft releases security bulletin MS08-067 (KB958644)

October 24th, 2008

On October 24, 2008, Microsoft released a patch for a critical vulnerability that affects all Windows versions. In security bulletin MS08-067 ("KB958644"), Microsoft warns that the flaw lies in the Server service and that an attacker can execute arbitrary code with a specially crafted Remote Procedure Call (RPC) request.

Everyone is advised to act quickly: apply emergency measures to the patch management, anti-virus, firewall and IPS systems covering Windows servers and desktops of every version.

[Chinese] Gartner offers 20 recommendations for reducing IT costs

October 20th, 2008

Reading the Gartner analysis report below, a chill quietly spread from my heart outward. Is the IT winter of the financial storm coming? What will happen to IT in China? And what about IT security? Judging by the news, Huawei won the big China Telecom CDMA network contract at a rock-bottom price at home and has just landed a large wireless deal in Canada, while ZTE has also reaped plenty overseas. Lenovo, the vanguard of Chinese companies going global, has had a steady stream of bad news lately: a falling share price, analysts lowering their forecasts, layoffs, and so on. Judging by the numbers, the cold wind of the financial storm is already being felt, but as the CFO also said, this is exactly the opportunity to expand the business, and one should strike when the time is right.

I digress; back to Gartner and IT.

Categories: -Chinese-, Telecom

[Chinese] Gartner publishes its top 10 strategic technology predictions for 2009

October 20th, 2008

On October 16, 2008, Gartner released, as it does every year, its outlook and predictions for the ten most important strategic technologies of 2009. Below is my loose translation, which I hope makes it easier for everyone to read and share.

1 Virtualization. The word "virtualization" has been popular for quite a while now, preceded by the even earlier "on-demand" computing. About five years ago, a month after I joined CA, I made a special trip to CA's headquarters in the US for a workshop and training on managing on-demand computing. Time flies; today server vendors already present virtualization features as an important element of their pre-sales proposals and comparisons.
2 Cloud Computing. According to Gartner's description, cloud computing has the following key characteristics: a) capacity is delivered as a service; b) service delivery is highly scalable and elastic; c) Internet technologies and techniques are used to develop and deliver the services; d) it is designed to deliver services to external customers. Arguably, the elasticity and scalability built in from the design stage are the biggest benefit that "cloud computing" can bring.

Insiders dodge security for productivity, RSA says

October 16th, 2008

A recent survey by RSA found that insiders dodge security for productivity. I agree that it’s very common at companies for workers and employees to share a computer or share some accounts. It might be an acceptable compromise in a non-critical, non-sensitive IT environment in order to save costs. Anyway, in most cases it violates best practice and should be corrected.

Categories: -English-, Security

[Chinese] Clickjacking attacks

October 16th, 2008

SecurityFocus reported a new type of web-based attack: clickjacking. Simply put, it exploits a browser weakness where what the web page displays differs from what the user actually sees, to lead the user into clicking on, or entering, the actions or content the attacker wants. Buttons, images, forms, links and so on can all be used to carry out this attack. With clever design, an attacker can use clickjacking to take control of the victim's webcam and microphone. According to the report, several current mainstream browsers, such as IE, Chrome, Safari and Opera, are all affected. Meanwhile, a Firefox 3.0 add-on, NoScript, can help protect against this attack.

Its discoverers, Hansen and Grossman, gave this attack the name clickjacking, which is quite vivid: a deceptive kind of hijacking. It is stealthier and more deceptive than simple domain-spoofing phishing.

A Google search turned up a good report on the Duba (毒霸) blog. Here are some excerpts:

Simply put, clickjacking is an attack, a new kind of web attack. The "Flash Player vulnerability" mentioned above is in fact only one manifestation of the clickjacking security vulnerability.

To translate clickjacking, it can be split into click-jacking: click means a (mouse) click, and jacking should mean hijacking (an abbreviation of hijacking? who knows). Put together, it translates as "点击劫持" (click hijacking). There is also another way of referring to it: they call clickjacking "UI redress vulnerabilities" (界面伪装漏洞), and this description may explain the nature of the vulnerability more clearly.

From a clickjacking demo program that has already been published, it is not hard to see what clickjacking is about.

Inside a page A that you control there is an iframe whose src points to a page B on another domain. Set the iframe's CSS opacity to 0, and set its CSS z-index higher than the z-index of the other elements on page A. Set the iframe's width and height large enough to guarantee that the user can click on its content (the content of page B). Then place on page A some buttons, links and other elements that can trick the user into clicking; these elements sit under the iframe (as determined by z-index), positioned exactly where the key elements of page B inside the iframe are. So when the user is tricked into clicking these elements on page A, they actually click the key elements in page B. As for what the key elements in page B are, you can imagine: a delete button, an add button, a radio button, a request link, and so on. Combined with some social engineering tricks, this kind of attack can be carried out very cleverly. The attack is based on DHTML technology and uses an iframe, and it does not necessarily require JS.

In fact this kind of deception has existed for a long time; three click-hijacking methods (onMouseUpJacking, FormJacking, SubmitJacking) are likewise listed here.

If a hacker carefully designs a clickjacking attack page, a visitor's ordinary mouse clicks, or accidental ones, may trigger the hidden presence behind it, and that hidden presence may include downloading a trojan or other behaviour (such as turning on the webcam).
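The quoted excerpt describes the overlay precisely enough to check for it: a cross-origin iframe made transparent and stacked above the page's own clickable elements. The following is an added example, not code from the original post or from the Duba article, that audits a list of element descriptors for exactly that pattern; the descriptor format, the sample page and the hostnames decoy.example, victim.example and video.example are constructed for the example.

```javascript
// Added example (not from the original post or the quoted article): a heuristic
// audit for the overlay pattern described above. It flags an iframe that
// (1) loads a page from another origin, (2) is rendered nearly transparent, and
// (3) sits at a higher z-index over the page's own clickable elements, so a
// click on the visible decoy would actually land inside the frame. The element
// descriptors are a constructed stand-in for getComputedStyle()/getBoundingClientRect().

const CLICKABLE_TAGS = new Set(['a', 'button', 'input', 'select']);

// Axis-aligned rectangle intersection on {x, y, w, h} boxes.
function overlaps(a, b) {
  return a.x < b.x + b.w && b.x < a.x + a.w &&
         a.y < b.y + b.h && b.y < a.y + a.h;
}

// Returns one finding per suspicious iframe: its src and the decoys it covers.
function findClickjackOverlays(elements, pageOrigin) {
  const decoys = elements.filter((e) => CLICKABLE_TAGS.has(e.tag));
  const findings = [];
  for (const frame of elements) {
    if (frame.tag !== 'iframe') continue;
    const crossOrigin = new URL(frame.src, pageOrigin).origin !== pageOrigin;
    // opacity 0 is the textbook case; a tiny non-zero value still hides the
    // frame from the eye while it keeps receiving the clicks.
    const invisible = frame.opacity <= 0.1;
    if (!crossOrigin || !invisible) continue;
    const covered = decoys.filter(
      (d) => d.zIndex < frame.zIndex && overlaps(d.rect, frame.rect));
    if (covered.length > 0) {
      findings.push({ src: frame.src, covers: covered.map((d) => d.id) });
    }
  }
  return findings;
}

// Constructed sample: an attacker-controlled page A on https://decoy.example
// framing a page B from another origin, as the excerpt describes.
const SAMPLE_ELEMENTS = [
  { id: 'win-prize', tag: 'button', zIndex: 1, rect: { x: 120, y: 200, w: 160, h: 40 } },
  { id: 'about', tag: 'a', zIndex: 1, rect: { x: 700, y: 900, w: 60, h: 20 } },
  // the hidden frame: transparent, on top, and covering the decoy button
  { id: 'f1', tag: 'iframe', src: 'https://victim.example/account/delete',
    opacity: 0, zIndex: 1000, rect: { x: 0, y: 0, w: 600, h: 600 } },
  // a visible embedded video: cross-origin but fully visible, so not flagged
  { id: 'f2', tag: 'iframe', src: 'https://video.example/embed/42',
    opacity: 1, zIndex: 2, rect: { x: 120, y: 200, w: 400, h: 300 } },
];

console.log(JSON.stringify(findClickjackOverlays(SAMPLE_ELEMENTS, 'https://decoy.example')));
```

Only the transparent cross-origin frame covering the "win-prize" button is reported; the visible video embed and the link outside the frame's box are not.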

ZdStatistics version 2.0 is out

October 15th, 2008

The new version 2.0 of ZdStatistics was released on Oct. 14. I upgraded this plugin this morning and found a lot of fantastic new features!

This is a major release. The following is from its official blog:

  • All charts are now using Google Visualization instead of OpenFlashChart. Why did I decide to do that kind of change? Mainly because of compatibility issues and the “ajaxy” part of the chart that led to “undefined” data. – see these screenshots
  • Better spam detection, using spamhaus.org (or any other provider, as it’s an option). This will prevent the system from recording known spammers as visitors.
  • Blacklist of IPs is now much more human-readable. btw, if you want to be sure it works, empty all textarea fields, then reactivate the plugin; it will reset to default values.
  • Outgoing links! Yes, you’re not misunderstanding, it now records all outgoing links. Track where your readers are going while reading your blog.
  • Geolocalization will now display Google maps with visible points for locations visiting your blog.
  • CSV export of any page

Further, on the Keywords tab, Chinese words are now displayed normally, not as %E4%F5 and the like. It’s a great improvement for Chinese WordPress bloggers.

[Chinese] PCI SSC publishes the latest version, PCI DSS v1.2

October 14th, 2008

During our National Day holiday, on October 1, 2008, the PCI Security Standards Council (PCI SSC) published the latest Data Security Standard, PCI DSS version 1.2, on its official website. The PDF and DOC files of version 1.2 can now be downloaded from the official PCI DSS web page. At present only the English version is available for download; I contacted the organizer, Shawn, who said a Simplified Chinese version is being translated and should be released soon.

Published at the same time is a summary of the changes in version 1.2 relative to version 1.1. According to the official website, version 1.1 will remain valid until the end of this year, that is, December 31, 2008.

Overall, the changes in the new version are not big. Below is a summary of the main changes to the 12 requirements, which I hope is helpful.

Requirement 1: Install and maintain a firewall configuration to protect cardholder data
The main change is that the internal review cycle for firewall and router rule sets is adjusted from every quarter to at least every six months, giving organizations more room to tailor it.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
The main change is the removal of the wording about "disabling SSID broadcast", leaving the decision to organizations themselves. In fact, quite a few organizations use SSID broadcast to provide services such as a guest VLAN.

Categories: -Chinese-, Security

China Internet Security Forum 2008

October 9th, 2008

The debut of the China Internet Security Forum took place in Shanghai on September 20, 2008. It was a two-day workshop hosted by CISRG (China Information Security Research Group) and Antiy Labs. CISRG is an active China-based security organization with a very lovely logo, a little footprint. Antiy Labs is famous for its virus research capability and its anti-virus products.

Unlike most other security conferences and forums, which are organized by the government or its agencies, ISF 2008 was mostly a workshop of security practitioners and advocates, so the atmosphere and topics were very fresh and technical.

It’s a pity that I didn’t find an opportunity to attend this workshop. Fortunately, however, Billy shared with me his vivid and absorbing overview report of the event. Here it is.

This workshop had a wide range of topics, from Vista security, wireless security and antivirus to security operations, penetration testing, etc.

It’s great that CISRG shared the presentations from this forum. The documents are downloadable at this link.

Categories: -English-, Security

First ride of imo.im

September 12th, 2008

It’s very exciting to reach the login page of https://imo.im. It’s amazing: a web-based multi-client instant messenger. At this moment it supports MSN, Yahoo, AIM/ICQ, Google Talk, MySpace, and Skype. Yes, Skype too.

I used my MSN account for the first ride. It has multiple crisp and slim windows embedded in the web page, one small window per session. Login and chatting are very responsive. It supports Chinese (double-byte characters) very well.

Then I began to test Skype. The Skype login is quite fast. It works! I wonder how these guys simulate a Skype client to log in. You know, two years ago it became top news when somebody reverse-engineered the Skype protocol and developed their own Skype-compatible client.

I know imo.im is using SSL. However, before users rush to move to imo.im, it must address their security concerns; it is still far from convincing users of its security. For example, how does it handle user data, including account information, passwords and chat history? Actually, when I recommended imo.im to one of my friends, I was told that he did not want to test it because he didn’t want to expose his account information.

All in all, this is my first ride with imo.im. Its user experience is by far better than previous web IMs. In addition, it supports Skype, which is a great plus. However, there is a long way to go before users are convinced to drop their traditional GUI IM clients.

Categories: -English-

Theme changed to ElegantBox

September 9th, 2008

It’s exciting to find more and more nice and elegant themes being released. I just changed my blog theme to ElegantBox. Just as its name reflects, it’s very elegant. Meanwhile, it supports Postviews and Tags out of the box.

I don’t have time to read the change log of WordPress 2.6.2. It might be a quick-fix update. Anyway, I downloaded and installed it. Hope everything goes well.

Categories: -English-

Worldwide distribution of malcode and DDoS attack by Arbor

June 12th, 2008

[Chart: worldwide distribution of malcode]

The charts below show the worldwide distribution of malcode and DDoS attacks, by Arbor Networks.

The first one is a set of major malcode distribution points for May 2008, by country, while the second shows who is hosting the DDoS attack botnets (these are the controlling servers, NOT the attacking bots): the number of attacks commanded per hour, by server country.

[Chart: worldwide distribution of DDoS attacks]

It seems that too much malcode and too many DDoS attacks originate from China. If this data is true, it shows that Chinese ISPs and the government should do more to clean up the network. Meanwhile, this means great security market potential in China, even though the security market volume is relatively very small at this moment (less than US$2B per year).

[Chinese] A webshell on the website

June 10th, 2008

Today, while checking the files on sbin.cn, I happened to discover that a webshell had been planted on the website; judging by the timestamps, it happened about a week ago. Feeling somewhat depressed, I did some cleanup and changed all the passwords, hoping the intrusion did not go very deep.

As everyone knows, sbin.cn is a virtual host on Bluehost, so I searched for information on Bluehost's security. The results were a mix of good and bad.

One news item said that the blog of Bluehost CEO Matt Heaton (http://mattheaton.com/) was hacked twice in February; the author consolingly added that US Vice President Gore's website had been hacked too. So either Bluehost's security is not ideal, or Bluehost's IT security team neglected the VIPs' websites and gave them no special protection.

Another online post was by a foreign netizen who laid out his security views and how to protect credit card information, and gave some advice; he also pointed out that Bluehost is PCI compliant, in other words Bluehost meets PCI security requirements for protecting credit card information. So perhaps my credit card information is not yet being traded.

[Chinese] NIST releases draft Common Configuration Scoring System (CCSS)

June 9th, 2008

On May 30, NIST (the US National Institute of Standards and Technology) released a draft for scoring security configurations, whose full title is: NIST IR-7502 DRAFT The Common Configuration Scoring System (CCSS).

CCSS is a set of standard measures for the characteristics and impact of software security configuration issues. CCSS can help organizations make the right decisions when addressing security issues, and it can also provide data for quantitatively assessing the security posture of hosts. Structurally, CCSS borrows from CVSS but is specially adapted to software security configuration issues (CVSS focuses on software flaws and vulnerabilities). As we know, the security of a software system depends not only on the security of the software itself but, to a large extent, on installation, configuration and operational management.

Reportedly, NIST also plans to extend CCSS to include environmental metrics. Click to download the original document.

Categories: -Chinese-, Security

China telco re-org scheme announced

May 23rd, 2008

After years of rumors, the final picture of the China telco re-org was announced today. It’s roughly the same as the gossip inside the circle.

China Netcom (CNC) will be merged into China Unicom to form the new China Unicom. Meanwhile, the “C” and “G” networks of China Unicom will be split, and the “C” part will be merged into China Telecom. China Railcom (CRC) will be merged into China Mobile (CMCC).

The executives of the new companies are also mentioned:

  • CMCC – Wang Jianzhou, Zhang Chunjiang(from CNC);
  • CT – Wang Xiaochu, Shangbin(from CUC);
  • CUC – Chang Xiaobing, Zuo Xunsheng(from CNC);

This regrouping is interlocked with the 3G licenses. It’s said that the new CMCC will get TD-SCDMA, the new CUC will get WCDMA, and CT will get CDMA2000.

It’s interesting to look back at my summary of the evolution of China’s telecommunication industry over the past 10 years.

Categories: -English-, Telecom

Lenovo Unbowed By U.S. Slowdown

May 23rd, 2008

This morning the great news was announced: Lenovo has had a great fiscal year. Financial details can be found in the official financial report. The news report below by Melinda Peer is also well worth reading.

Slower consumer spending dampened sales of personal computers in the U.S., but Lenovo barely felt it thanks to higher shipments to emerging markets.

China’s largest personal computer maker said Thursday that fourth-quarter demand grew fastest in its Europe, Middle East and Africa region, where shipments jumped 30.0% in the fourth quarter. The segment offset weak demand in the U.S. where consumers have cut back on spending, which spells trouble for U.S. tech companies that haven’t fostered strong overseas growth.

Lenovo, which bought the personal computer division of IBM in 2005, reported sales of $1.3 billion in its core Chinese market, an increase of 18.0% from 2007’s fourth quarter. The country’s sales accounted for 34.0% of Lenovo’s fourth-quarter sales.

Categories: -English-