a - Cyrillic letter "a"
р - Cyrillic letter "r"
р - Cyrillic letter "r"
1 - digit "one"
е - Cyrillic letter "e"
.
с - Cyrillic letter "s"
о - Cyrillic letter "o"
м - Cyrillic letter "m"
There is an interesting phishing method described here; it is also called a homograph attack. Many English (Latin) domain names can be represented with Russian (Cyrillic) letters that look almost the same but have different character codes (Unicode code points). So you think you are looking at a legitimate domain name like apple.com, but in reality it is a fake name that looks exactly like the original. The only thing I did not fully understand is how they represent the Latin letter "l" (lower case "L"), as there is no similar letter in Cyrillic. I guess they just use "1" (the number "one") instead of "l", but that can still be recognized?
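The check a defender would run on a suspicious link, as an added example that is not part of the original post: it maps each character to its Unicode script, builds a "skeleton" by replacing the Cyrillic look-alikes listed above with the Latin letters they imitate, and shows the ASCII (punycode) form a resolver actually sees. The confusable table, the "1" to "l" mapping (the post's guess) and the watchlist are assumptions made for this example.

```python
import unicodedata

# Constructed sample input (the page's example): "apple.com" spelled with
# Cyrillic look-alike letters plus the digit "1" in place of Latin "l".
GENUINE = "apple.com"
LOOKALIKE = "\u0430\u0440\u0440" + "1" + "\u0435" + "." + "\u0441\u043e\u043c"  # арр1е.сом

# Hypothetical confusable table (a small subset, assumed here): the Cyrillic
# letters the page lists mapped to the Latin letters they resemble, plus the
# digit "1" standing in for "l" as the post guesses.
CONFUSABLES = {
    "\u0430": "a", "\u0440": "p", "\u0435": "e",
    "\u0441": "c", "\u043e": "o", "\u043c": "m",
    "1": "l",
}
WATCHLIST = {"apple.com"}  # brand names to protect (assumed for the example)

def script_of(ch):
    """Script of a character, taken from the first word of its Unicode name."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in {"LATIN", "CYRILLIC", "GREEK"} else "COMMON"

def skeleton(domain):
    """Replace each confusable with the Latin character it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain)

def check_domain(domain):
    """Report why a domain may be a homograph of a watched name."""
    reasons = []
    for label in domain.split("."):
        letter_scripts = {script_of(c) for c in label} - {"COMMON"}
        # A Latin-brand watchlist treats any non-Latin letter as worth a look;
        # genuine IDNs would need an allowlist on top of this rule.
        if letter_scripts - {"LATIN"}:
            reasons.append(f"label {label!r} uses {sorted(letter_scripts)} letters")
        if len(letter_scripts) > 1:
            reasons.append(f"label {label!r} mixes scripts")
    skel = skeleton(domain)
    if skel in WATCHLIST and skel != domain:
        reasons.append(f"looks like watched name {skel!r}")
    return {
        "input": domain,
        "ascii_form": domain.encode("idna").decode("ascii"),  # what DNS sees
        "skeleton": skel,
        "suspicious": bool(reasons),
        "reasons": reasons,
    }

if __name__ == "__main__":
    for d in (GENUINE, LOOKALIKE):
        r = check_domain(d)
        print(r["input"], "->", r["ascii_form"], "suspicious:", r["suspicious"])
        for why in r["reasons"]:
            print("  ", why)
```

The punycode form (xn--...) is the cheapest tell: a browser or mail gateway that displays it instead of the Unicode glyphs gives the look-alike nothing to hide behind.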
We are all aware of, and afraid of, physical and network security vulnerabilities, and we implement all kinds of controls to protect against those attacks, but how can we stop a broadcast signal? I guess only by turning off the TV or switching to Internet TV (which is what I did a long time ago).
A new attack that uses terrestrial radio signals to hack a wide range of Smart TVs raises an unsettling prospect—the ability of hackers to take complete control of a large number of sets at once without having physical access to any of them. The proof-of-concept exploit uses a low-cost transmitter to embed malicious commands into a rogue TV signal. That signal is then broadcast to nearby devices. It worked against two fully updated TV models made by Samsung. By exploiting two known security flaws in the Web browsers running in the background, the attack was able to gain highly privileged root access to the TVs. By revising the attack to target similar browser bugs found in other sets, the technique would likely work on a much wider range of TVs.

If you are not familiar with Tor yet, you should learn about it. In a nutshell, Tor is a system for anonymous Internet browsing. You can install the Tor software and browse the Internet anonymously. If you use Tor along with Bitcoin, you can enjoy Internet freedom and privacy. This is a Kickstarter project that is supposed to create a Tor hardware box. Anonabox should be safer and more convenient than the Tor software, as it routes all the traffic from your Ethernet connection through the Tor network.

My first take on Apple Pay security is in this article published by VentureBeat. Apple Pay looks pretty attractive so far from a security perspective, but its tokens could be a cause for concern...

I'll be doing two one-hour book signings at the Black Hat USA 2014 and DEF CON 22 conferences in Las Vegas:
Black Hat USA 2014: August 6, 2014, 5:30 pm, Mandalay Bay Conference Center, Tripwire booth 141 (I'll be doing a short presentation before the book signing)
DEF CON 22: August 8, 2014, 11:00 am, Rio Hotel & Casino, No Starch Press community table in the Vendor Area

I just found a list of "PCI myths" on some website about PCI compliance.
One of the myths sounds familiar and reasonable, although the explanation (they call it a "fact") sounds polite but unconvincing and incomplete:
Myth: PCI will make us secure.
Fact: Successful completion of a system scan or assessment for PCI is but a snapshot in time. Security exploits are non-stop and get stronger every day, which is why PCI compliance efforts must be a continuous process of assessment and remediation to ensure safety of cardholder data.

One more incident with fake website certificates: Turkish Certificate Authority screwup leads to attempted Google impersonation.
The fake certificate was issued by the Turkish certificate authority TurkTrust: After reporting the incident, TURKTRUST discovered it had accidentally issued two intermediate certificates instead of normal site certificates in August 2011, including the one used to sign the fake Google certificate.

Visa to launch its "Visa Merchant Data Secure with Point-to-Point Encryption" in 2013:
I think this confirms that, despite all the PCI efforts, P2PE (whether PCI-approved or not) is the only technology that can provide real protection for magnetic stripe payment cards. No more technical details are available at this time...

The Black Hat 2012 security conference starts next week in Las Vegas. I am going to both Black Hat and DEF CON. It looks like Black Hat is extremely popular this year: a regular room in the Caesars Palace hotel, where the conference takes place, costs $900 (normally it is around $100)!
This article references a research paper describing attacks on different types of cryptographic devices, including secure tokens such as RSA SecurID. There is one important detail, though: the token (or other secure device) must be physically connected to the computer system for the attack to work (like the RSA SecurID 800, which has a USB connector).
I am significantly less worried about the tokens because it looks like most (important) two-factor authentication keys are just regular devices without physical connectivity, such as the RSA SecurID 700. After all, the second factor in two-factor authentication with tokens means "something you have", so if you lose your device (or leave it connected for a long time without reason), you have already compromised your security anyway. What I am really worried about is the statement about possible attacks on HSM devices, which are permanently connected to server-side systems and could be compromised using malware such as a worm or trojan with a payload crafted to crack the HSM keys and compromise the host software: "Hardware Security Modules are widely used in banking and similar sectors where a large amount of cryptographic processing has to be done securely at high speed (verifying PIN numbers, signing transactions, etc.). A typical HSM retails for around 20 000 Euros hence is unfortunately too expensive for our laboratory budget. HSMs process RSA operations at considerable speed: over 1000 decryptions per second for 1024 bit keys. Even in the case of the FFF oracle, which requires 12 000 000 queries, this would result in a median attack time of 12 000 seconds, or just over three hours. We hope to be able to give details of HSM testing soon."