Tricolor Cat (トリコロールな猫) / Security

Writing down things that come to mind, bit by bit.

20140417 Security News Roundup

LaCie

LaCie (now owned by Seagate) had been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software. In response, Seagate said it had engaged third-party security firms and that its investigation was ongoing, but that it had found no indication that any customer data was compromised.

Smartphone Anti-Theft Voluntary Commitment

The tool will enable the user to remotely wipe data from the phone and render it inoperable in case the phone is stolen or lost. Furthermore, the tool will prevent reactivation without user's permission (including factory reset attempts), but it will allow the authorized user to reverse the inoperability and restore data in case the phone is recovered.

Vulnerability and Update Information

Standalone Articles

Hackers attempt to BLACKMAIL plastic surgeons • The Register

A spokesman for the clinic told El Reg that the "perpetrator" compromised its systems after exploiting flaws in its website inquiry form. All sorts of personal information including potential clients’ names, addresses, dates of birth, contact details as well as detailed information about the type of cosmetic procedure they were inquiring about was exposed as a result of the breach.

BBC News - Galaxy S5 fingerprint scanner hacked with glue mould

SRL created its hack by lifting a real fingerprint from a smartphone screen and then carrying out a fairly elaborate process to create a mould out of glue and graphite spray. This was then swiped across the sensor that sits in the phone's home button.

The plot to kill the password | The Verge

Last Friday, Samsung's new Galaxy S5 arrived with an unexpected and underhyped feature. Like the iPhone 5S, it came with a fingerprint reader, but this reader plugs directly into PayPal, which in turn connects you to dozens of different payment systems. It’s a clever trick: instead of a password, all you need is a fingerprint, carrying you through the entire web. If it catches on, soon you won’t need a password at all.

A story about dropping passwords and moving to fingerprint authentication.

WhatsApp Flaw leaves User Location Vulnerable to Hackers and Spy Agencies - The Hacker News

WhatsApp fetches the location and thumbnail (an image) from the Google Map service to share it as the message icon, but unfortunately WhatsApp downloads this image through an unencrypted channel from Google that could be sniffed during a Man-in-the-middle attack, as shown in the video demo.

Google Admits that It Reads your Emails - The Hacker News

Last year, Google was accused of its illegal interception of all electronic communications sent to Gmail account holders and using the gathered data to sell and place advertisements in order to serve related ads to its users. Practically, the more information you let Google collect about you, the more accurate its adverts become.

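What is "Tails", the ultra-anonymous OS that Edward Snowden also uses? : Gizmodo Japan

Tails anonymizes the connection route with Tor, encrypts email and documents with PGP, and uses the password manager KeePassX and the chat-encryption plugin Off-the-Record (OTR).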