Posts Tagged ‘security’

PayPal Spoof

Tuesday, September 22nd, 2009
PayPal Looks Like Phishing

An email from PayPal: looks like phishing

I had an email from PayPal a while ago. I believe it was sent by some careless PayPal staff.

PayPal always reminds people to be aware of phishing emails. At the bottom of the email it says: How do I know this is not a spoof email? Spoof or ‘phishing’ emails tend to have generic greetings such as “Dear PayPal member”. Email from PayPal will always address you by your first and last name.

However, this particular email addressed me as the literal “Dear First Name Last Name”.

Email images not showing up in IE8

Saturday, July 18th, 2009

I was asked by someone why images in html emails were not displayed on his PC.

He was using the google mail web interface (SSL enabled: “Automatically enforce Secure Socket Layer (SSL) connections when your users access Gmail, Calendar, Docs, and Sites”) and IE8. I was using the same google mail but with Firefox. On my PC the images in html emails showed up, so I thought the problem was some setting in IE8.

Following this thought I found it was a setting in IE8: Internet Options -> Security -> Custom Level -> Miscellaneous -> Display mixed content. If it is disabled, IE8 will not load http content in a page accessed via https. There should be a prompt before IE8 permanently disables it, but I guess few people understand this security warning.

IE8 mixed content security warning

This security setting does not only affect email pages, but email pages are the most likely to be affected, especially marketing emails. Will we see more e-shot programmes embedding img src with https?
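As an added example (not part of the original post), here is a small scanner that reports which resources in an HTML e-mail would count as mixed content when the message is displayed inside an https webmail page, which is exactly what the IE8 setting above suppresses. The sample message and the webmail URL are constructed for the example; protocol-relative (//) references are treated as safe because they inherit the page's scheme, and cid:/data: references because they are embedded in the message rather than fetched.

```javascript
// Added example (not from the original post): find resources in an HTML e-mail
// body that become "mixed content" when the message is rendered inside an
// https:// webmail page. Sample data below is constructed for this example.

const RESOURCE_RE =
  /<(img|script|iframe|link|object|embed)\b[^>]*?\b(src|href|data)\s*=\s*["']?([^"'\s>]+)/gi;

// Classify one URL as it would be fetched from a page at pageUrl.
function classifyUrl(url, pageUrl) {
  const page = new URL(pageUrl);
  let target;
  try {
    target = new URL(url, page); // resolves relative and protocol-relative ("//") URLs
  } catch (e) {
    return 'unparseable';
  }
  if (target.protocol === 'data:' || target.protocol === 'cid:') return 'inline';
  if (page.protocol === 'https:' && target.protocol === 'http:') return 'mixed';
  return 'ok';
}

// Return every resource reference in html that would be mixed content on pageUrl.
function findMixedContent(html, pageUrl) {
  const findings = [];
  for (const m of html.matchAll(RESOURCE_RE)) {
    const [, tag, attr, url] = m;
    if (classifyUrl(url, pageUrl) === 'mixed') {
      findings.push({ tag: tag.toLowerCase(), attr: attr.toLowerCase(), url });
    }
  }
  return findings;
}

// Constructed sample: a marketing e-mail mixing http, https, protocol-relative
// and cid: references. Hostnames are placeholders.
const SAMPLE_EMAIL = `
<html><body>
  <img src="http://img.example.net/banner.jpg" alt="banner">
  <img src="https://img.example.net/logo.png" alt="logo">
  <img src='//img.example.net/footer.png'>
  <img src="cid:part1.tracking@example.net">
  <a href="http://example.net/offer"><img src="http://example.net/cta.gif"></a>
  <link rel="stylesheet" href="http://example.net/mail.css">
</body></html>`;

const WEBMAIL_PAGE = 'https://mail.example.com/inbox';

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findMixedContent(SAMPLE_EMAIL, WEBMAIL_PAGE)) {
    console.log(`${f.tag}[${f.attr}] ${f.url}`);
  }
}
```

Run it against a template before an e-shot goes out: every line it prints is an image or stylesheet that an https webmail reader will block or warn about, and the fix is to serve that resource over https (or protocol-relative) rather than asking recipients to relax their browser settings.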

Bonjour is not a virus

Friday, April 24th, 2009
Bonjour bundled with Safari

I have no idea how Bonjour got onto my computer; I haven't used Safari for many years. I don't like Apple's stuff. I installed Safari only for testing, and after the testing I reinstalled the system and never thought of putting Safari back.

The first time I noticed the Bonjour process it really worried me; I thought it was some virus. Only after Googling did I learn it was something developed by Apple, which put my mind at ease. Today I installed Safari again, and the installer mentioned Bonjour; because I had already run into Bonjour, I noticed it, and took a screenshot to tell people meeting Bonjour for the first time that Bonjour is harmless (though I haven't worked out what good Bonjour does either).

Milan in passing

Saturday, April 11th, 2009

Seeing as many places as possible within a limited number of days: this way of thinking about travel still has many supporters. Our tour group had an optional item, a one-day side trip to Milan, Italy, and 90% of the people chose to go.

We had chosen Milan when we signed up; thinking about it now, I rather regret it. Since we had come to Switzerland, we should have stayed in Switzerland and seen a few more cities; why run out of Switzerland into Italy? The tour itinerary did not include Geneva or Zurich, and we could have used today's free slot to go ourselves. But there is no use overthinking it; the money was already paid, and I had never been to Italy anyway.

Before we even got off the bus, the guide warned that Milan has many pickpockets and told us to watch our money and belongings. We remembered our run-in with female pickpockets on the Paris metro last month (their attempt failed), so we stayed on guard throughout, which more or less dampened the mood. If a city cannot give its visitors a sense of safety, that is a tragedy for the whole city.

In my eyes Milan had nothing remarkable; after a look around, I can say I have been there. The football stadium would have been worth a visit, but I heard a trip there takes quite a while, so I gave up. Luxury brand shops are everywhere, but such prices do not fit my shopping philosophy (I like the frenzy of brand sales on Boxing Day), so I bought nothing.

Solution to chm file error of navigation cancelled or invalid address

Friday, February 13th, 2009

Recently I got interested in plobe again, and the documentation I found was, to my surprise, in chm format. I say “surprise” because plobe is not a Microsoft technology, yet the documentation author used Microsoft HTML Help. Using HTML Help would have been fine, except that after opening the file I could not read it. The message was: Navigation to the webpage was canceled, or invalid address.

I tried many things, none of which hit the mark:

  • Change the region and language to China / Chinese
  • Re-register the file association
  • regsvr32 certain controls
  • Download hhupd.exe from Microsoft's website and install it
  • Lower the IE security level

The result was that my computer was a mess and the problem was still not solved. After a long time Googling (Google was not clever this time and hid the good answers), the method that finally solved it was:

Right-click the CHM file and open Properties -> General. At the bottom, next to Attributes, there is a Security line: This file came from another computer and might be blocked to help protect this computer. To its right is an Unblock button.

Click Unblock -> Apply, and that is it!

BTW, I found this chm file is not worth opening or reading at all. Does it imply that whoever compiles documentation in chm for a non-microsoft technology is silly, and whoever tries to open such a chm is silly as well? I must admit I am silly.

Controversial safe_mode

Wednesday, February 11th, 2009

safe_mode is probably the most controversial configuration setting in php. In my view the name itself is poorly chosen, so controversy is inevitable. safe_mode can be set on / off, but safe_mode = off does not mean insecure. In many ISPs' shared hosting environments safe_mode is off; godaddy deluxe hosting is one example.

safe_mode = on alone cannot guard security; instead it restricts the normal operation of some programs, which is a nuisance. Despite that nuisance, and although I am not on shared hosting, I still prefer to set safe_mode = on wherever I can.

But because I habitually use mod_php, I only recently realised that mod_php with safe_mode = on cannot resolve the “chicken and egg” problem with php uploads, because apache tries to operate on user1's directory. To allow apache to operate on user1's directory, user1's directory must grant write permission to group or other. Likewise, to allow apache to operate on user2's directory, user2's directory must grant write permission to group or other. That makes it hard to isolate user1's and user2's file operations from each other.

suexec has no effect on mod_php, so it seems the only option is to abandon mod_php and switch to FastCGI.

Incidentally, godaddy shared hosting puts user1 and user2 in one group, then removes group read permission and grants other (apache) read permission. Clever as the idea is, it runs against the usual way of thinking; I would normally assume owner permissions >= group permissions >= other permissions. godaddy shared hosting uses FastCGI, so the “chicken and egg” problem does not arise there.

Samba can share files over the internet

Monday, February 9th, 2009

Samba is very powerful; I did not expect it could share files and folders over the public internet just as on a LAN.

If you give a samba server a public ip, you can access its shared files and folders over the internet with just \\ip. That is a bit scary, because I had assumed samba would treat users inside and outside the LAN differently, and that without some special configuration a samba server would not let internet users access shared files and folders via \\ip. That is not the case, at least not with the current samba 3.2.8.

Likewise, if a WD Mybook World is placed in the dmz, its public folder is exposed to every internet user.

So take special care: if you want a samba server to be internet-visible, you must not configure the passwordless guest access that is common on Windows LANs.
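As an added example (not from the original post), here is the LAN-style smb.conf that exposes a share to anyone who can reach the server on TCP 445, next to a hardened version for a host that has a public address. Share paths, the 192.168.1.0/24 subnet and the staff group are placeholders.

```ini
# Added example, not from the original post. smb.conf only accepts comments on
# their own line, so the explanations sit above the settings they refer to.

# --- weak: a typical home/LAN share ---
[global]
   security = user
   # unknown users silently become guest
   map to guest = Bad User

[public]
   path = /srv/public
   # no password needed from anywhere the server is reachable
   guest ok = yes
   writable = yes

# --- hardened for a server with a public ip ---
[global]
   security = user
   # never fall back to guest for unknown users
   map to guest = Never
   # listen on the loopback and LAN interfaces only, not the public one
   interfaces = lo 192.168.1.0/24
   bind interfaces only = yes
   # and still check the client address even if a packet reaches a listener
   hosts allow = 127. 192.168.1.
   hosts deny = ALL

[public]
   path = /srv/public
   guest ok = no
   # authenticated members of the staff group only
   valid users = @staff
   writable = yes
```

Check the result with testparm -s on the server, and from a host outside the allowed range confirm that smbclient -L //server-ip -N (anonymous share listing) is refused rather than answered with the share list.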

Actinic discounts.fil is giving away secrets

Thursday, February 5th, 2009

I have many good reasons to dislike Actinic. One of them is that as one grows into an Actinic expert, one also becomes an Actinic hacker. In other words, Actinic is not nicely secured by the vendor. If an Actinic user wants enhanced security, he / she will have to work ten times harder to close the security holes.

For example, Actinic does not have an online database. Actinic keeps most of its data offline, but it must have some data on the server side, so it stores that data in various files. This is a very doubtful approach. Of course all database software has bugs, but can Actinic's file-based data do better than mysql, etc.?

Another example: I recently found that Actinic stopped recognising coupons after an update. During diagnosis I found that discounts.fil under the acatalog folder serves as the data file for coupon codes and so on. acatalog/discounts.fil can be accessed by the public by default, so all promotion secrets are exposed to competitors / customers who analyse this file. Coupon codes are hashed in discounts.fil, and hashing makes the original coupon codes unrecognisable. The Actinic perl script does not compare the hashed customer-input coupon with the hashed coupon code in discounts.fil. It compares the raw customer input with the hashed coupon code in discounts.fil (of course they will not match). This is a bug in Actinic.

I think closing security holes is beyond most Actinic users' capability. What is the point of an advanced Actinic user working so hard on Actinic?

A security leak in Godaddy DNS

Saturday, January 24th, 2009

It does not affect only my account; I think it is a security hole for all Godaddy nameserver users. Let me explain in detail:

I have more than one Godaddy account. I manage my domains in account A, and a deluxe linux shared hosting plan in account B. The nameservers of mydomain.com are set up in account A using xxx.domaincontrol.com. mydomain.com has a wildcard A record pointing to my dedicated server. However, in account B, I can add a domain like sub.mydomain.com. Then when I ping sub.mydomain.com, it resolves to 68.178.254.179 or 72.167.232.13 (the shared hosting server). That means sub.mydomain.com overrides the wildcard A record in account A. In theory, another Godaddy shared hosting user could also hijack anyname.mydomain.com to point to an ip address of theirs.

It is very scary, isn't it? I assume Godaddy did not set up its DNS infrastructure correctly.

Email encoder to avoid being spidered

Monday, December 15th, 2008

I have used an Email encoder for a long time. Previously I always went to someone else's website to compute the result and used it as-is. Now I feel there are many encoding algorithms, and I should pick through them and make a tool of my own for everyday use.

Because this concerns javascript string encryption and decryption, I first found a piece of code and tried it out; it worked quite well, and it reportedly also supports encrypting Chinese strings and Chinese passwords.

// Keystream cipher: a linear congruential generator (LCG) seeded from the
// password and an 8-hex-digit random salt, XORed byte by byte with the
// escape()d message. The salt is appended to the output so Decrypt can reseed.
// This is obfuscation, not cryptography: the generator is predictable and the
// output carries no integrity check.
function Encrypt(str, pwd) {
    if (str == "") return "";
    str = escape(str);                          // %-escapes non-ASCII, so Chinese text becomes ASCII
    if (!pwd || pwd == "") { pwd = "1234"; }    // default password
    pwd = escape(pwd);
    if (pwd == null || pwd.length <= 0) {
        alert("Please enter a password with which to encrypt the message.");
        return null;
    }
    var prand = "";
    for (var i = 0; i < pwd.length; i++) {
        prand += pwd.charCodeAt(i).toString();  // decimal char codes, concatenated
    }
    var sPos = Math.floor(prand.length / 5);
    // LCG multiplier: five digits sampled from the char-code string
    var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
    var incr = Math.ceil(pwd.length / 2);       // LCG increment
    var modu = Math.pow(2, 31) - 1;             // LCG modulus
    if (mult < 2) {
        alert("Algorithm cannot find a suitable hash. Please choose a different password. \nPossible considerations are to choose a more complex or longer password.");
        return null;
    }
    var salt = Math.round(Math.random() * 1000000000) % 100000000;
    prand += salt;                              // string concatenation: digits of the salt are appended
    while (prand.length > 10) {                 // fold the digit string down to at most 10 digits
        prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString();
    }
    prand = (mult * prand + incr) % modu;       // first LCG state
    var enc_chr = "";
    var enc_str = "";
    for (var i = 0; i < str.length; i++) {
        // XOR each character with a byte derived from the current LCG state
        enc_chr = parseInt(str.charCodeAt(i) ^ Math.floor((prand / modu) * 255));
        if (enc_chr < 16) {
            enc_str += "0" + enc_chr.toString(16);
        } else {
            enc_str += enc_chr.toString(16);
        }
        prand = (mult * prand + incr) % modu;   // advance the generator
    }
    salt = salt.toString(16);
    while (salt.length < 8) salt = "0" + salt;
    enc_str += salt;                            // trailing 8 hex digits: the salt
    return enc_str;
}

function Decrypt(str, pwd) {
    if (str == "") return "";
    if (!pwd || pwd == "") { pwd = "1234"; }    // same default password as Encrypt
    pwd = escape(pwd);
    if (str == null || str.length < 8) {
        alert("A salt value could not be extracted from the encrypted message because its length is too short. The message cannot be decrypted.");
        return;
    }
    if (pwd == null || pwd.length <= 0) {
        alert("Please enter a password with which to decrypt the message.");
        return;
    }
    var prand = "";
    for (var i = 0; i < pwd.length; i++) {
        prand += pwd.charCodeAt(i).toString();
    }
    var sPos = Math.floor(prand.length / 5);
    var mult = parseInt(prand.charAt(sPos) + prand.charAt(sPos * 2) + prand.charAt(sPos * 3) + prand.charAt(sPos * 4) + prand.charAt(sPos * 5));
    var incr = Math.ceil(pwd.length / 2);       // pwd.length / 2 is an integer or x.5, so this equals Encrypt's value
    var modu = Math.pow(2, 31) - 1;
    var salt = parseInt(str.substring(str.length - 8, str.length), 16);   // recover the salt from the tail
    str = str.substring(0, str.length - 8);
    prand += salt;
    while (prand.length > 10) {
        prand = (parseInt(prand.substring(0, 10)) + parseInt(prand.substring(10, prand.length))).toString();
    }
    prand = (mult * prand + incr) % modu;       // same seed as Encrypt, so the same keystream
    var enc_chr = "";
    var enc_str = "";
    for (var i = 0; i < str.length; i += 2) {   // two hex digits per byte
        enc_chr = parseInt(parseInt(str.substring(i, i + 2), 16) ^ Math.floor((prand / modu) * 255));
        enc_str += String.fromCharCode(enc_chr);
        prand = (mult * prand + incr) % modu;
    }
    return unescape(enc_str);                   // undo the escape() applied in Encrypt
}

On second thought, I was making the problem complicated with no benefit to myself. Does my Email encoder need to be this complex? After all, what I want to protect is not a celebrity's Email address. So I switched to my own approach: double url encoding, where the second url-encoding pass encodes every character (letters and digits included).
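As an added example (not the original post's code), here is that double url-encoding approach written out: a first pass with encodeURIComponent() to handle non-ASCII safely, then a second pass that percent-encodes every remaining character, so neither the @ sign nor any letter of the address appears in the page source. The post does not say how the author turns the encoded form back into a visible address, so revealing it with decodeURIComponent() twice at render time is an assumption here; the naive harvester pattern is constructed to show what a simple spider would and would not find.

```javascript
// Added example (not from the original post): double URL encoding with every
// character encoded on the second pass. The render-time reveal and the
// harvester regex are assumptions made for this example.

// Percent-encode every character of an ASCII string, not just the reserved ones.
function percentEncodeAll(ascii) {
  let out = '';
  for (let i = 0; i < ascii.length; i++) {
    const code = ascii.charCodeAt(i);
    if (code > 0x7f) throw new Error('percentEncodeAll expects ASCII input');
    out += '%' + code.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

// Pass 1: encodeURIComponent emits UTF-8 %XX for non-ASCII and leaves ASCII
// letters/digits alone (so the output is always ASCII). Pass 2 hides those.
function obfuscateEmail(address) {
  return percentEncodeAll(encodeURIComponent(address));
}

// Inverse, run in the browser when the address is written into the page.
function revealEmail(encoded) {
  return decodeURIComponent(decodeURIComponent(encoded));
}

// A naive harvester pattern of the kind spiders run over raw HTML.
const NAIVE_EMAIL_RE = /[\w.+-]+@[\w-]+(\.[\w-]+)+/;

function harvesterFinds(text) {
  return NAIVE_EMAIL_RE.test(text);
}

if (typeof require !== 'undefined' && require.main === module) {
  const enc = obfuscateEmail('alice@example.com');   // constructed sample address
  console.log(enc);
  console.log(revealEmail(enc), 'harvester sees it:', harvesterFinds(enc));
}
```

This defeats a spider that pattern-matches the raw HTML; a crawler that executes the page's JavaScript will still see the revealed address, which is the trade-off the post accepts for a non-celebrity mailbox.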