Перейти к содержанию
View in the app

A better way to browse. Learn more.

IT2B - Технологии разведки для бизнеса

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Защита конфиденциальных данных и анонимность в инт

Featured Replies

Опубликовано

еще информация - если баян (датирована июлем 2007 года), прошу простить

 

Коротко -ФБР-овцы, выслеживая e-mail-"террориста", установили подозреваемому своего специального трояна CIPAV.

На основании собранных им доказательств, человек получил срок... :smile2: Программа собирала разные данные - IP, посещаемые URL ит.д.

Так как человек пользовался в качестве прокси взломанным сервером в Италии, его не могли вычислить другими способами.

Собранные трояном данные посылались через Интернет на сервер ФБР (вторая ссылка)

С помощью социальной инженерии его заставили открыть сообщение с программой якобы от знакомого в социальной сети Myspace :smile14:

В будущем году в ФБР на такие программы выделено 220000 USD...

 

_ttp://blog.wired.com/defense/2007/07/fbi-spyware-rev.html

 

FBI agents trying to track the source of e-mailed bomb threats against a Washington high school last month sent the suspect a secret surveillance program designed to surreptitiously monitor him and report back to a government server, according to an FBI affidavit obtained by Wired News.

 

The court filing offers the first public glimpse into the bureau's long-suspected spyware capability, in which the FBI adopts techniques more common to online criminals.

 

The software was sent to the owner of an anonymous MySpace profile linked to bomb threats against Timberline High School near Seattle. The code led the FBI to 15-year-old Josh Glazebrook, a student at the school, who on Monday pleaded guilty to making bomb threats, identity theft and felony harassment.

 

In an affidavit seeking a search warrant to use the software, filed last month in U.S. District Court in the Western District of Washington, FBI agent Norman Sanders describes the software as a "computer and internet protocol address verifier," or CIPAV.

 

Sanders wrote that the spyware program gathers a wide range of information, including the computer's IP address; MAC address; open ports; a list of running programs; the operating system type, version and serial number; preferred internet browser and version; the computer's registered owner and registered company name; the current logged-in user name and the last-visited URL.

 

The CIPAV then settles into a silent "pen register" mode, in which it lurks on the target computer and monitors its internet use, logging the IP address of every computer to which the machine connects for up to 60 days.

 

Under a ruling this month by the 9th U.S. Circuit Court of Appeals, such surveillance -- which does not capture the content of the communications -- can be conducted without a wiretap warrant, because internet users have no "reasonable expectation of privacy" in the data when using the internet.

 

_ttp://www.wired.com/politics/law/news/2007/07/fbi_spyware

The Washington case unfolded May 30, when a handwritten bomb threat prompted the evacuation of Timberline High School in Lacey, Washington. No bomb was found.

 

On June 4, a second bomb threat was e-mailed to the school from a Gmail account that had been newly created under the name of an innocent student. "I will be blowing up your school Monday, June 4, 2007," the message read. "There are 4 bombs planted throughout Timberline high school. One in the math hall, library hall, main office and one portable. The bombs will go off in 5 minute intervals at 9:15 AM."

 

In addition, the message promised, "The e-mail server of your district will be offline starting at 8:45 am."

 

The author made good on the latter threat, and a denial-of-service attack smacked the North Thurston Public Schools computer network, generating a relatively modest 1 million packets an hour. Responding to the bomb threat, school administrators ordered an evacuation of the high school, but, once again, no explosives were found.

 

That began a bizarre cat-and-mouse game between law enforcement and school officials and the ersatz cyberterrorist, who e-mailed a new hoax bomb threat every day for several days, each triggering a new evacuation. Each threat used the same pseudonym, but was sent from a different, newly created Gmail account to complicate tracing efforts.

 

On June 7, the hoaxer started issuing threats through other online mediums. In his most brazen move, he set up a MySpace profile called Timberlinebombinfo and sent friend requests to 33 classmates.

 

The whole time he was daring law enforcement officials to trace him. "The e-mail was sent over a newly made Gmail account, from overseas in a foreign country," he wrote in one message. "Seeing as you're too stupid to trace the e-mail back lets (sic) get serious," he taunted in another. "Maybe you should hire Bill Gates to tell you that it is coming from Italy. HAHAHA. Oh wait. I already told you that it's coming from Italy."

 

As promised, attempts to trace the hoaxer dead-ended at a hacked server in Grumello del Monte, Italy. The FBI's Seattle Division contacted the FBI legal attaché in Rome, who provided an official request to the Italian national police for assistance. But on June 12, perhaps fed up with the mocking, the FBI applied for and obtained a search warrant authorizing the bureau to send the CIPAV to the Timberlinebombinfo MySpace profile.

 

Court documents reveal the search warrant was "executed" June 13 at 5:49 p.m. Though the CIPAV provided a wealth of information, Glazebrook's IP address would have been enough to guide the FBI to the teen's front door.

 

John Sinclair, Glazebrook's attorney, says his client never intended to blow anything up -- "it was a prank from the get-go" -- but admits he hacked into computers in Italy to launder his activities, and that he launched the denial-of-service attack against the school district's network.

 

Glazebrook was sentenced Monday to 90 days in custody, and given credit for 32 days he's spent behind bars since his arrest. When he's released he'll be on two years' probation with internet and computer restrictions, and he's been expelled from high school. The teen is being held at the Thurston County Juvenile Detention Center, where he will serve out his sentence, says Sinclair.

Изменено пользователем Vinni

  • Ответов 55
  • Просмотры 25,1т
  • Создана
  • Последний ответ

Топ авторов темы

Опубликовано

более свежая информация о вреде социальных сетей для анонимности :smile3:

 

_ttp://www.securitylab.ru/news/310425.php

_ttp://fuzzing.ru/blog/2007/12/25/xss-uyazvimosti-v-livejournalcom/

 

iveJournal или Живой Журнал - один из самых популярных интернет-ресурсов в мире, оказался уязвимым к межсатовому выполнению сценариев.

 

На сайте fuzzing.ru сообщается о наличии нескольких уязвимостей в ЖЖ, которые позволяют злоумышленнику выполнить произвольный HTML код и код сценария в браузере жертвы в контексте безопасности сайта LiveJournal.com.

 

* На LiveJournal.com используется уязвимая версия Web сервера Apache. Злоумышленник может с помощью специально сформированного HTTP запроса произвести XSS нападение.

* Также сообщается об ошибке проверки входных данных в параметре usejournal в сценарии update.bml. Злоумышленник может, с помощью специально сформированной ссылки, выполнить произвольный код сценария в браузере жертвы в контексте безопасности уязвимого сайта. Примеры использования:

 

http://www.livejournal.com:80/update.bml?u...urnal=>”> <script%20%0a%0d>alert(document.cookie)%3B</script>

 

http://www.livejournal.com:80/update.bml?u...urnal=>’> <script%20%0a%0d>alert(document.cookie)%3B</script>

 

http://www.livejournal.com/update.bml?usejournal=–> <script%20%0a%0d>alert(document.cookie)%3B</script>

 

SecurityLab рекомендует всем пользователям Живого Журнала с осторожностью посещать ссылки, ведущие на сайт LiveJournal.com.

 

  • 3 недели спустя...
Опубликовано

еще пример из жизни - двое колумбийцев устанавливали в течение трех лет кейлоггеры на компьютеры в отелях и крали пароли и номера кредитных карт...

 

--Man Pleads Guilty to Data Theft from Hotel Computers

(January 9, 2008)

Colombian engineer Mario Alberto Simbaqueba Bonilla has pleaded guilty

to charges of conspiracy, fraud, and identity theft for placing

keystroke logging software on hotel business center computers and

stealing personally identifiable information. Simbaqueba Bonilla stole

more than US $400,000 in a three-year period by installing the software

on computers at hotels in the US and in other countries. Simbaqueba

Bonilla is believed to have an accomplice, Nelya Alexandra Valero, who

is still at large. He could face between seven and 10 years in prison

when he is sentenced in March.

http://www.miamiherald.com/news/breaking_n...ory/372940.html

[Editor's Note (Pescatore): Three problems here: (1) the computers put

in business centers for public use *should* be completely locked down

so no software can be used but (2) business should *not* assume that is

being done, because it obviously isn't, so (3) if you are *still*

allowing reusable passwords to be used for remote access, your business

*is* going to be hit by password stealing, whether from business center

computers, employee home PCs or employee's checking email from their

personal iPhones and the like.

(Skoudis): We really need to educate our employees about the risks of

public kiosks and computers. They are completely unsafe. Tell

employees to assume that anything they type into a public computer is

accessible to everyone. Passwords for access to an enterprise or its

applications should _never_ be entered into such systems.

(Northcutt): Keep in mind the another way they collect information on

you in hotels is the hotel Internet Service Provider:

http://www.sans.edu/resources/securitylab/...ick_privacy.php ]

Опубликовано

а вот еще "веселая" статистика (из того же SANS NewsBytes) - оказывается многие компании передают своим разработчикам живые данные своих клиентов для тестирования их программ. :smile13: Интересно, а как с этим обстоят дела в России? :smile10:

 

--Companies Use Customer Data in Development and Testing

(January 10, 2008)

A study commissioned by Compuware and conducted by the Ponemon Institute

found that more than 75 percent of German companies use customer data

in software development or application testing. In the US, 69 percent

of companies use customer data in testing, followed by the UK (58

percent) and France (43 percent). Companies presume that because the

data are not being used in a live scenario, there is no risk of

exposure. Customer data used in the testing process can include names,

credit card numbers, Social Security numbers (SSNs) and other sensitive

information. Sixty percent of companies that outsource application

testing share sensitive data with those contractors. A large number of

companies do not have clearly established policies about who is

responsible for test data security. The statistics are based on

responses from 2.368 IT professionals in Germany, the US, the UK, and

France.

http://www.heise.de/english/newsticker/news/101593

[Editor's Note (Pescatore): There are plenty of data obfuscation

products out there to create safe test databases out of live customer

databases. The data safety side of secure development life cycles

definitely needs to be emphasized. This is one area where the federal

government and FISMA have pushed requirements out to government

contractors to protect such data.

(Skoudis): I'm surprised the number is so low. When we perform

assessments, the vast majority of the companies we work with tell us

that they use customer data in test environments, even greater than the

75% of this survey.

(Schultz): Using customer data in development and testing shows blatant

disregard for the welfare of customers. The fact that security

considerations appear to be largely overlooked only compounds the

problem.

(Honan): The high percentage of European companies using information in

this way is disconcerting as these companies could be in breach of the

European Data Protection legislation as personal data belonging to

customers can only be used for the purposes the customer agreed to when

submitting their details.

(Shpantzer): This problem also extends to researchers who use live

medical and social welfare data. Here's one recent example we reported

on in Newsbites, there are many, many more.

http://www.marinecorpstimes.com/news/2007/...exposed_070726/]

 

 

 

Опубликовано

а вот эссе от Брюса Шнейера (_ttp://www.schneier.com/crypto-gram-0801.html) о том, как легко установить личность человека по частичным данным о нем. Например, по ZIP-коду, полу и дате рождения можно установить 216 миллионов американцев, а половина американцев может быть установлена по полу, дате рождения и городу, в котором живет человек. :smile3:

 

Using public anonymous data

from the 1990 census, Latanya Sweeney found that 87 percent of the

population in the United States, 216 million of 248 million, could

likely be uniquely identified by their five-digit ZIP code, combined

with their gender and date of birth. About half of the U.S. population

is likely identifiable by gender, date of birth and the city, town or

municipality in which the person resides. Expanding the geographic scope

to an entire county reduces that to a still-significant 18 percent. "In

general," the researchers wrote, "few characteristics are needed to

uniquely identify a person."

 

Stanford University researchers reported similar results using 2000

census data. It turns out that date of birth, which (unlike birthday

month and day alone) sorts people into thousands of different buckets,

is incredibly valuable in disambiguating people.

 

This has profound implications for releasing anonymous data. On one

hand, anonymous data is an enormous boon for researchers -- AOL did a

good thing when it released its anonymous dataset for research purposes,

and it's sad that the CTO resigned and an entire research team was fired

after the public outcry. Large anonymous databases of medical data are

enormously valuable to society: for large-scale pharmacology studies,

long-term follow-up studies and so on. Even anonymous telephone data

makes for fascinating research.

 

On the other hand, in the age of wholesale surveillance, where everyone

collects data on us all the time, anonymization is very fragile and

riskier than it initially seems.

 

Like everything else in security, anonymity systems shouldn't be fielded

before being subjected to adversarial attacks. We all know that it's

folly to implement a cryptographic system before it's rigorously

attacked; why should we expect anonymity systems to be any different?

And, like everything else in security, anonymity is a trade-off. There

are benefits, and there are corresponding risks.

Для публикации сообщений создайте учётную запись или авторизуйтесь

Account

Navigation

Поиск

Поиск

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.