During the last two years, you could often see Edward Snowden's name in information security news. Thanks to the disclosures made by this former contractor of the US Intelligence Agency, all of us now know that the National Security Agency (NSA) possesses the necessary means for the total mobile surveillance of citizens. But we don't really know much about the way this surveillance is organized. We are going to take a look at some details of the technologies the NSA uses.
I have recently read an interesting article about a team of researchers that downloaded and parsed the Android Playmarket. Then they analyzed hundreds of thousands of applications for the presence of secret tokens and passwords. Since the result of their work concerned the analysis of decompiled code under Android only, I decided to write about research I did a year ago. I performed it not for Android only, but also for iOS applications.
What is a DDoS attack? As per Wikipedia, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users. In this small post I would like to show a few useful commands to use if someone is experiencing a DDoS attack. In my case, nginx is the front-end server. The access log format looks like this:
A month and a half ago chr13 discovered how to DDoS someone with the help of Google Spreadsheet, and now he has applied the same method to Facebook Notes. And it worked! The procedure is exactly the same as with Google Spreadsheet: Create a list with «unique» «photos»: ... Write a note with the help of m.facebook.com. The service will cut the note after some fixed length.
Participants of the OpenBSD project, who have developed the system of the same name as well as tools such as OpenSSH, OpenBGPD, OpenNTPD and OpenSMTPD, have begun the LibreSSL project. It is a simpler version of OpenSSL, cleared of odd code. Theo de Raadt, the founder and manager of the OpenBSD and OpenSSH projects, said that they have managed to get rid of approximately 90 000 lines of C code and 150 000 lines of content overall.
What an attacker can steal: the private key of the TLS server, the private key of the TLS client (if the client is vulnerable), cookies, logins, passwords and any other data shared between the server and its clients. The attacker does not need to monitor the communication path; it is enough to send a specially crafted packet, and this cannot be detected in the server's logs. The vulnerability is bidirectional: if a vulnerable client connects to the attacker's server, the attacker can read the client's process memory.