June 29, 2012
eBay. What Did Your Neighbor Buy?
You enter the page, rate the seller according to a number of criteria... and that's pretty much it. But! By doing so, you leave an entry on the seller's page, which contains your username, the name of the item you bought, its price, and the purchase date. Visit a page of any seller, and you'll see all information about their customers: names, purchases, prices, and dates of the purchases.
June 27, 2012
Web vulnerabilities. Unbelievable becomes obvious
In the course of penetration testing, security audits and other services rendered by Positive Technologies in 2010 and 2011, the company's experts collected security statistics on more than a hundred corporate web applications. The sites under consideration were full-fledged applications, not business card sites: e-government websites, Internet banking systems, mobile operators' self-service portals, and other systems were the objects of the research.
Having analyzed the results, we could finally answer the perennial questions of information security:
• How many websites are infected with malware?
• Which CMS is more secure: commercial, open-source or self-developed?
• Which is the most secure among Java, PHP and ASP.NET?
• Is compliance with the PCI DSS requirements a myth or reality?
Some of the answers to these questions surprised us, we must say. See details under the cut.
June 26, 2012
Customizing Blue Screen of Death
It's Turned Blue! Is It OK?
BSOD is a response of the kernel to a non-recoverable exceptional situation. If you see it, something really unpleasant has happened.
The kernel environment places numerous restrictions on a programmer's freedom of action: mind the IRQL, synchronize access to shared variables, don't spend much time in an ISR, and verify any data from "userland"... If any of the rules is broken, you'll get a real reproof filled with template phrases in a standard VGA mode with lousy coloring.
June 21, 2012
Peculiarities of a New Windows TCP/IP Stack

Any self-respecting network scanner should be able to detect the operating system used on the host being scanned. The more parameters it uses for this purpose, the more accurate the result is. For example, Nmap employs a wide range of metrics: various TCP metrics (the behavior of timestamp values, the ordering of TCP options), IP metrics (the algorithm for calculating a packet's order number, the processing of IP packet flags) and other metrics.
June 20, 2012
SCADA Security: How To Stay Alive
Hardly anyone could have imagined a couple of years ago that viruses would jump to the real world, gaining the power to attack whole production systems and break down machines and industrial plants, not just steal data and interrupt software operations. It might seem inconceivable: plant networks are usually separated from public and internal networks, their software and hardware are distinct from those used in common networks; moreover, all processes are strictly regulated and closely controlled...
And still, when it comes not to a single hacker but to a group of SCADA professionals, skilled hackers and engineers, most probably endorsed by a state, everything becomes possible.
June 9, 2012
June 8, 2012
Vulnerability in Nginx Eliminated

Vladimir Kochetkov, a Positive Research expert, has detected a severe vulnerability in nginx for Windows.
On Windows platforms there are many ways of gaining access to the same file, some of which were not considered by the nginx developers. Nginx versions for Windows (from 0.7.52 to 1.2.0 and 1.3.0 included) proved vulnerable to bypassing security restrictions. The vulnerability enabled an attacker to redirect HTTP requests to certain URLs, bypassing the rules set in the location directives of the web server configuration.