Entries Tagged as '安全,Security'

Many “Hacker Safe” Certified Sites Are Not Safe

“Hacker Safe” is a security certification that ScanAlert (since acquired by McAfee) sells to e-commerce sites, claiming that “sites certified Hacker Safe can prevent over 99% of hacker crime.” The reality does not look nearly so rosy.

XSSed.com, a site dedicated to tracking cross-site scripting vulnerabilities, has published a list of 62 sites that are vulnerable to cross-site scripting, every one of which holds Hacker Safe certification.

Cross-site scripting is a website vulnerability that poses a serious threat to customers: an attacker inserts HTML or client-side script into certain pages of the site, and when a customer views those pages the injected code runs automatically and sends the customer's cookies for that site to the attacker. For an e-commerce site this is a major threat, because it can be used to steal customers' bank account numbers, credit card passwords and other sensitive information.
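As an added example (not code from the original post or from any of the sites it names), the Python sketch below shows the defect just described, a search term reflected into a page unescaped, beside the two server-side controls that address it: escaping the reflected input, and marking the session cookie HttpOnly so that script running in the page cannot read it. The function names and the sample term are constructed for this illustration.

```python
import html


def render_search_vulnerable(term: str) -> str:
    """Reflect the user's search term into the page verbatim.

    This is the kind of defect behind the reflected-XSS findings described
    above: whatever markup the term contains is parsed by the browser.
    """
    return f"<p>Results for: {term}</p>"


def render_search_hardened(term: str) -> str:
    """Escape the term before reflecting it, so it is displayed as text
    rather than interpreted as HTML or script."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


def session_cookie_header(session_id: str, secure: bool = True) -> str:
    """Build a Set-Cookie header for the session cookie.

    HttpOnly keeps the cookie out of document.cookie, so even if script does
    get injected it cannot read the session cookie and send it elsewhere.
    Secure and SameSite are added as defence in depth.
    """
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"]
    if secure:
        attrs.insert(1, "Secure")
    return f"session={session_id}; " + "; ".join(attrs)


def contains_script_element(page: str) -> bool:
    """Crude check: does the rendered page contain a live <script> tag?"""
    return "<script" in page.lower()


# Constructed sample input (a harmless marker, not a real payload).
CONSTRUCTED_TERM = "<script>/* constructed marker */</script>"

if __name__ == "__main__":
    print(render_search_vulnerable(CONSTRUCTED_TERM))   # script tag survives
    print(render_search_hardened(CONSTRUCTED_TERM))     # shown as &lt;script&gt;...
    print(session_cookie_header("CONSTRUCTED-SESSION-ID"))
```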

Several blogs have also reported cross-site scripting problems on Hacker Safe certified sites; see here and here (both links need a proxy from within China).

ScanAlert has not responded directly to these reports. It has only stressed that cross-site scripting falls outside the scope of the Hacker Safe certification, and that such attacks pose no threat to the e-commerce site's server; the threat is mainly to customers.

Many ‘Hacker Safe’ Web Sites Found Vulnerable

(via InformationWeek) More than 60 Web sites certified to be “Hacker Safe” by McAfee’s ScanAlert service have been vulnerable to cross-site scripting (XSS) attacks over the past year, including the ScanAlert Web site itself. While the XSS hole in the ScanAlert site and others have been addressed, some apparently have not been, leaving visitors potentially vulnerable to client-side attacks.

Joseph Pierini, director of enterprise services for the ScanAlert “Hacker Safe” program, maintains that XSS vulnerabilities can’t be used to hack a server. Read more.

One of the main malware targets of 2008: Facebook and Myspace

InfoWorld reports that security gateway vendor Fortinet has found a piece of malware spreading on the Facebook platform, Secret Crush, produced by the long-standing adware maker Zango (this link needs a proxy from within China). Secret Crush poses as a Facebook application recommended by a friend; once downloaded it silently installs Zango's adware, and it then tricks the user into recommending it to other contacts. Fortinet estimates that 3% of Facebook users have already installed it, which is more than 1.8 million users.

The malware was first noticed by Facebook users, who found that after installation it did not provide the social features it claimed to. Facebook has not yet commented officially.

Fortinet's experts call this kind of malware that spreads across social networking sites a “malicious widget”, and believe it is only the start of a large-scale wave of attacks: the user base and user habits of social networks are ideal for rapid propagation, because users on these sites tend to trust recommendations from their contacts. Facebook currently has more than 60 million users, and Myspace more than 250 million.

An expert from Secure Computing, another security gateway vendor, says that Internet security and acceptable use policies should cover emerging Web 2.0 sites such as social networks, blogs, and music and video sharing sites. The biggest problem right now is that most companies are still struggling with traditional security issues.

Facebook hack fuels Web 2.0 concerns

(via InfoWorld) Researchers at security gateway vendor Fortinet have uncovered an adware-distribution scheme being carried out on the Facebook social networking site considered to be the first attack propagated on the wildly popular online portal.

Disguised as a legitimate “Secret Crush” request on the site designed to inform Facebook users about other members who find them attractive, the application instead attempts to secretly install an adware program made by Zango after it has been successfully downloaded. Read more.

See at a glance what is running on your PC, malware included

Runscanner shows you every program, service and autostart entry running on your computer, including malware, and highlights the problem items in red; you can then choose to delete or repair them (carefully!). The interface is shown in the screenshot below; click for a larger version.

Runscanner does, however, strongly advise that before you decide to do anything you take the scan report to the relevant forums and let the experts look it over, because deleting the wrong thing can cause serious problems. For the same reason Runscanner offers three levels: beginner, typical and expert mode. In beginner mode you can only scan and download the report; you cannot take any action.

Runscanner is freeware and runs without installation. Use it with care!

Runscanner: know what’s going on on your PC

RunScanner is a freeware Windows system utility which scans your system for all running programs, autostart locations, drivers, services and hijack points.
You can use Runscanner to detect changes and misconfigurations in your system caused by spyware, viruses or human error.

Be cautious when you want to delete something, as it may cause big problems. The best approach is to go to an expert in a forum, give him or her the scan report and listen to his or her advice.

Spam eats up 512TB of Internet space every day

According to estimates by Pingdom, a Swedish server maintenance and website monitoring company, 1.2 trillion spam emails are sent on the Internet every day; at an average size of 4.27KB per message, that means 512TB of Internet space is eaten by spam every day.

CyberNet takes this further: at a price of $250 per terabyte per year, a single day's spam, if left on the servers and never deleted, would eat up $128,000! And over a whole year? This is also why Google periodically deletes spam.

Spam mail eats up 512TB every day!

Pingdom, the Sweden-based website maintenance and monitoring company, has estimated that every single day there are 120 million spam emails on the Internet; with an average spam email size of 4.27 KB, the spam emails eat up 512TB of space every day!

CyberNet takes the calculation a little further: “…the cost of a one terabyte drive is about $250. If you had enough of these to cover the 512 terabytes that are eaten every day, it comes out to $128,000 worth of hard drive space each day!”

(pic via CyberNet, by Glasbergen)