ESET Nod32 Antivirus | Antispyware | Console d administration
Chercher :
Newsletter :  
Revues :
- Presse
- Presse FR
- Vidéos
- Twitter
- Secuobs



Abonnez vous � Nessus Professional Feed !

Sponsors :

Sommaires :
- Tendances
- Failles
- Virus
- Concours
- Reportages
- Acteurs
- Outils
- Breves
- Infrastructures
- Livres
- Tutoriels
- Interviews
- Podcasts
- Communiques
- Commentaires

Revue Presse:
- Tous
- Francophone
- Par mot clé
- Par site
- Le tagwall


Top bi-hebdo:
- Ensemble
- Articles
- Revue
- Videos
- Twitter
- Auteurs

Articles :
- Par mot clé
- Par auteur
- Par organisme
- Le tagwall


Videos :
- Toutes
- Par mot clé
- Par site
- Le tagwall


Twitter :
- Tous
- Par mot clé
- Par compte
- Le tagwall


Commentaires :
- Breves
- Virus
- Failles
- Outils
- Tutoriels
- Tendances
- Acteurs
- Reportages
- Infrastructures
- Interviews
- Concours
- Livres
- Communiques

Secumail :
- Secunia
- Full Disclosure
- Bugtraq
- DailyDave
- Vulnwatch
- Vulndiscuss
- FunSec
- Focus-IDS
- WebAppSec
- Security-Basis

RSS/XML :
- Articles
- Brèves
- Commentaires
- Revue
- Revue FR
- Videos
- Twitter
- Secunia
- Full Disclosure
- Bugtraq
- DailyDave
- Vulnwatch
- Vulndiscuss
- FunSec
- Focus-IDS
- WebAppSec
- Security-Basis

RSS SecuObs :
- sécurité
- exploit
- windows
- microsoft
- réseau
- attaque

RSS Revue :
- security
- microsoft
- windows
- hacker
- attack
- network

RSS Videos :
- vmware
- security
- virus
- biometric
- windows
- lockpicking

RSS Twitter :
- security
- linux
- botnet
- attack
- metasploit
- cisco

RSS Comments :
- Breves
- Virus
- Failles
- Outils
- Tutoriels
- Tendances
- Acteurs
- Reportages
- Infrastructures
- Interviews
- Concours
- Livres
- Communiques

RSS OPML :
- Français
- International

Abonnez vous � Nessus Professional Feed !


Revue de presse francophone :
- Vigilance - gunzip exécution de code via Huffman
- Vigilance - gunzip exécution de code via LZW
- Vigilance - Noyau Linux déni de service via NFS
- Triton de Websense la sécurité unifiée
- L'Internet des objets doit encore apprendre à interpréter
- Alvin et les Chipmunks contre les Majors
- Frédéric Renard, Arkeia Software la virtualisation, un enjeu à ne pas louper
- CERTA-2010-ACT-011 Bulletin d'actualité numéro 011 de l'année 2010 19 mars 2010
- CERTA-2010-AVI-128 Multiples vulnérabilités dans CA ARCserve Backup 19 mars 2010
- CERTA-2010-AVI-129 Vulnérabilité dans IBM DB2 Content Manager 19 mars 2010
- Jouer à prédire, c'est déjà collaborer
- Dans les sondages, indiquer sa progression ne motive pas forcément
- Nouveau firmware pour la gamme UTM de ZyXEL
- SXSW décryptage de notre futur digital
- Gilles Polart-Donat, Alixen la valeur du libre n'est pas que dans sa gratuité

Dernier articles de SecuObs :
- VASTO une extension Metasploit dédiée à l'exploitation des infrastructures virtuelles
- Hogger automatise la création des tables d'attributs Snort à partir des scans Nmap
- Edenwall obtient une subvention de la DGA
- Imposter 0.9 une plateforme de phishing ciblant les navigateurs Web
- Une faille dans l’implémentation RSA de OpenSSL
- Flint un scanner pour simuler, vérifier et nettoyer les règles de filtrage
- SET 0.4.1 - Social Engineering Toolkit - une plateforme de Social Engineering
- 100 000 dollars pour le Pwn2own 2010
- Un botnet qui rapporte gros
- Webraider offre un reverse shell contre une simple injection SQL

Revue de presse internationale :
- Researcher Who Helped Take Down Waledac Talks Crimeware
- Feds Seek 25-Year Sentence for TJX Hacker
- Madoff's Programmers Indicted
- TypeWith.me Live Text Document Collaboration
- Tim The Tool Man Taylor s dream ride
- The Current State of the Crimeware Threat
- Public Figures Protest Digital Economy Bill in Open Letter
- XSSer Automate your XSS Injections
- Validating your validation.
- Tech Thoughts Daily Net News March 20, 2010
- H Security LiMux project management, We were nave
- Washington Post Dismantling of Saudi-CIA Web site illustrates need for clearer cyberwar policies Elite U.S. military computer specialists, over the objections of the CIA, mounted a cyberattack that
- Silicon Exclusive - Next-generation super ID card on the cards for 2012
- Krebs On Security Naming and Shaming Bad ISPs
- The New York Times One on One - Christopher Poole, Founder of 4chan

Annuaire des videos
- IBM Virtual Server Security for VMware
- Avast AntiVirus 4 8 Professional with Life Time Keygen
- Comodo 4 Internet Security Review and Tests Part 1
- Root Kit Hacker Defender aufsp ren
- Remove a Virus Worm Spyware Adware Rootkit or Potentially Unwanted
- Xmas Special Crypto Encryption Protect Your Sensitive Data
- User Rights Management For Databases
- Hacking Websites You think you are secure
- Security12 Introduction Ep 01
- CAPeD Calm Audio controlled Personalized Display
- Business Logic Automatons Friend or Foe Amichai Shulman
- Shmoocon 2010 Cyborg Information Security Defense Against the Dark Arts 2 5
- Shmooncon 2010 Detection of rogue access points using clock skews does it really
- RSA Conference USA 2010 Defeating the Enemy The Road to Confidence 2
- Shmoocon 2010 Infrastructural Weaknesses in Distributed Wireless Communication Services 2 6

Revue Twitter
- experimenting with msfencode some more. How many iterations are enough damnit :-/
- @pmelson Will try to combine several encoders without destroying the payload
- RT @Carlos_Perez: installing XenDesktop, SVMM, vCenter, ESX, Hyper-V and much more in lab to research some ideas for new meterpreter scripts
- Protect Yourself from Phishing Scams. http://bit.ly/9RRtGo
- RT @bonky: metasploit's decloaking engine- shows how to get real IPs despite a user's proxies-http://decloak.net/ #proxies
- RT @SocialMediaSec: Social Media Security Podcast 11 ? Google Buzz, Geostalking, Twitter?s Phishing Filter http://bit.ly/9K4kas
- RT @SecurityBSides: RT @canoetech: Stakes Raised At CanSecWest Vancouver 2010 http://bit.ly/a7WNRW
- IT Audit Checklist: DNS Audit Checklist - http://bit.ly/8ryUny
- RT @atarii: RT @mikkohypponen Yes, that just *might* work... http://i.imgur.com/hxxYn.jpg [license plate SQL injection for speed cameras...]
- RFID Users Don't Care: The reality is that most end users don't know?or care?how an RFID tag or sensor communicate... http://bit.ly/ai8EGX

Mini-Tagwall
Revue de presse : security, microsoft, windows, hacker, attack, network, vulnerability, google, exploit, malware, internet, remote, iphone

+ de mots clés pour la revue de presse
Annuaires des videos : vmware, security, virus, biometric, windows, lockpicking, password, botnet, metasploit, tutorial, attack, crypt, linux

+ de mots clés pour les videos
Revue Twitter : security, linux, botnet, attack, metasploit, cisco, defcon, phish, exploit, google, inject, server, firewall

+ de mots clés pour la revue Twitter



Top bi-hebdo des articles de SecuObs
- Apprendre à parler Skype pour mieux le faire taire !
- Une faille dans l’implémentation RSA de OpenSSL
- Imposter 0.9 une plateforme de phishing ciblant les navigateurs Web
- VASTO une extension Metasploit dédiée à l'exploitation des infrastructures virtuelles
- Keimpx un outil d'audit pour les réseaux Microsoft Windows
- SET 0.4.1 - Social Engineering Toolkit - une plateforme de Social Engineering
- [Metasploit 2.x – Partie 1] Introduction et présentation
- Edenwall obtient une subvention de la DGA
- Comment changer un mot de passe perdu pour un compte WINDOWS
- Webraider offre un reverse shell contre une simple injection SQL

Top bi-hebdo de la revue de presse
- Sun Ray interception de données des DTU
- How to Jailbreak iPhone 3.1.3 IPSW with PwnageTool 3.1.5
- Dev Team Confirms iPhone 3.1.3 IPSW Jailbreak
- Rozlyn Papa sex tape rumours lead to malware
- FREE Kaspersky Internet Security 2010 Activation Code Valid for 6 Months
- installer backtrack 4 [tuto]
- Nouveau dictionnaire WPA Livebox
- IIS 6 may stop responding after you install Microsoft update KB 973917
- La Face cachée de Facebook
- Téléchargements Ados de mal en pis

Top bi-hebdo de l'annuaire des videos
- Comment creer un server botnet!!!!(Réseau de pc zombies)
- vSphere 4 0 update 1 VMware Update Manager and EMC PowerPath VE
- Ettercap Tutorial Man In The Middle Arp Attack
- Shmoocon 2010 Firetalks SHODAN for Penetration Testers 1 2
- install MacOSX Snow Leopard in Windows PC using Vmware Workstation as virtual machine
- Blaze botnet in action www opensc ws
- Windows XP Pro SP3 in VMWare off iSCSI Target using gPXE over 802.11n
- Running Wireshark on Mac OS X 10 6 Snow Leopard
- Avast Internet Security 5 0 396 Final Free Full Download Licensed with Serial Key
- Ch0ry Euro iPhone 3G 3GS 30 Hack WIFI key

Top bi-hebdo de la revue Twitter
- How to secure a Cisco router http://ping.fm/FkG7O
- RT @manicode: Very interesting Java ESAPI-like library coming out of Apache : http://bit.ly/9poefg
- Wirshark + SSH = Wireshark Remote Capturing - http://www.howtoforge.com/wireshark-remote-capturing (via @welias)
- Nessus Scan through a Meterpreter Session (demo) http://vimeo.com/10203481 #PaulDotCom #nessus #meterpreter
- Nux Keylogger 0.0.1 http://packetstormsecurity.org/filedesc/nuxkeylogger0.0.1.c.html
- Collection of security checks for Linux http://bit.ly/a7IH7m
- RT @FrikiFeeds: The newbie's guide to hacking the Linux kernel | TuxRadar Linux http://dlvr.it/6sQp
- Exploit for Apache mod_isapi = 2.2.14 Dangling Pointer (CVE2010-0425) vulnerability ported to Metasploit http://bit.ly/ctDQjk
- Discoverer: Automatic Protocol Reverse Engineering from Network Traces #pdf http://ow.ly/1gHd1
- New Weblog Post -- Finding Malware on your network via cached DNS entries http://bit.ly/ajpcmU

Top des articles les plus commentés
- [Metasploit 2.x – Partie 1] Introduction et présentation
- Microsoft !Exploitable un nouvel outil gratuit pour aider les développeurs à évaluer automatiquement les risques
- Webshag, un outil d'audit de serveur web
- Les navigateurs internet, des mini-systèmes d’exploitation hors de contrôle ?
- CAINE un Live[CD|USB] pour faciliter la recherche légale de preuves numériques de compromission
- [Renforcement des fonctions de sécurité du noyau Linux – Partie 1] Présentation
- Microsoft Gazelle, mini-OS virtuel basé sur MashupOS pour une navigation Web sécurisée par isolation
- Yellowsn0w un utilitaire de déblocage SIM pour le firmware 2.2 des Iphone 3G
- Nessus 4.0 placé sous le signe de la performance, de l'unification et de la personnalisation
- GreenSQL un proxy MySQL pour filtrer les requêtes SQL et contrer les injections

Being first to do something doesnt automatically make it proprietary even if the first is Microsoft
Les derniers commentaires publiés sur SecuObs (1-5):
- ESRT @ChrisJohnRiley @carnal0wnage - Exploiting hard filtered SQL Injections
- Malicious Code Evolution from IE Zero-Day Exploit Code
- Google Releases Skipfish Application Security Scanner
- ESRT @securityninja - Burp Suite Tutorial - Repeater and Comparer Tool
- ESRT @dinodaizovi - New metasploit blog post - analyzes the first public Perm
Si vous voulez bloquer ce service sur vos fils RSS
Si vous voulez nous contacter ou nous proposer un fil RSS

Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]
S'abonner au fil RSS global de la revue de presse


Being first to do something doesnt automatically make it proprietary even if the first is Microsoft

Par Security
Le [2009-06-29] à 14:29:47


Présentation : Somebody has to be first Recently Microsoft came up with a solution, supported natively in IE8, to protect against clickjacking attempts. Apparently some folks have einstein-duh decided that because Microsoft has a history of implementing proprietary solutions that this one, too, must be proprietary. These same folks must also have very little understanding of today?s web application architectures, as they declared the solution pretty much useless based on some pretty poor assumptions regarding the implementation of said solution. As noted in the Register, ?some critics have contended the protection [X-FRAME-OPTIONS custom HTTP header] will be ineffective because it will require millions of websites to update their pages with proprietary code.? Where to start, oh where to start? --------------------------------------------------------------------- JUST WHAT DICTIONARY WERE THEY USING? --------------------------------------------------------------------- Proprietary implies usable only by a certain subset of products: those endorsed by the creator of the ?proprietary? solution. Proprietary implies peculiar to a specific technology. Proprietary implies closed. Proprietary means things like ActiveX, which only work properly on a Windows ie8-logoplatform. Proprietary means keeping the implementation secret so no one else can implement it. Microsoft implemented a solution based on a custom HTTP header. A header, I might add, that anyone using any browser running on any platform is quite capable of seeing. A header that can be easily handled by any other browser developer, if they so choose, to implement similar behavior. A header based on accepted standards. A custom HTTP header can be interpreted by any browser if it so chooses as well as intermediaries capable of intelligently handling HTTP. The speedy support via NoScript for X-FRAME-OPTIONS proves the solution is hardly ?proprietary? and not applicable to just Microsoft?s solution. The term proprietary is often considered synonymous with Microsoft but in this case calling the solution proprietary is simply the result of a bad habit apparently difficult for some to break. Unlike the use of other truly proprietary solutions in the browser ? like XMLHTTPRequest object before it was widely adopted as a ?standard? ? custom HTTP headers are about as innocuous as you can get. Their existence neither hinders nor helps browsers that don?t support it and it does absolutely no harm to applications or the user-experience to carry it along even to clients that will see no benefit from it. And if the developers of those browsers/clients decide to support it, the existence of such headers will immediately provide a benefit. --------------------------------------------------------------------- OH YEAH ? ABOUT THAT OTHER ASSUMPTION YOU MADE? --------------------------------------------------------------------- ??it will require millions of websites to update their pages with proprietary code.? Excuse me while I decide whether to laugh or have a conniption fit at this one. This assumption shows a decided lack of understanding of architecture. While it?s certainly true that one way to support the use of X-FRAME-OPTIONS is to update web applications (let us not fall into the trap of digressing into an argument over the use of the term ?pages? and ?code? to describe an application?) there are are other, less disruptive, solutions. The organizations that are most likely to be the subject of a clickjacking attack are financial institutions, retailers, and perhaps social networking sites. It seems likely that these folks have built out an architecture capable of scaling and assuring availability of their sites. If you think not true, consider how often you?ve attempted to visit one of those sites and not been able to do so. Exactly. They?re smart people; they?ve built out an environment that almost certainly involves intermediaries (load balancers, application firewalls, application switches, application delivery controllers, proxies, etc?) that do other forms of application layer inspection and, perhaps, manipulation. They have other things to worry about, after all, like data leak prevention and content filtering and stopping SQLi and other nasty attacks from destroying their critical applications. So they?ve likely already got an intermediary in place that?s capable of easily adding a custom HTTP header on the way out the door. As I previously noted in Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox folks can use network-side scripting solutions to effortlessly insert the custom header as necessary without modifying code. If an application is comprised of say, an average of ten pages (I?m low-balling the estimate, I know that, but you can do the math on your own applications yourself), then this solution is 10 times more efficient than modifying the associated code. And network-side scripting solutions are likely already in place at most organizations that are likely to be targeted by clickjacking attacks. So all they have to do is write a little script and voila! This ?proprietary, ineffective? solution starts working. Then they encourage customers to upgrade to IE8 or install the proper version of NoScript and, well, the Internet is safe again (at least for about 2.71828182845904523536 or ?e? seconds). --------------------------------------------------------------------- FIRST DOESN?T MAKE IT PROPRIETARY, IT JUST MAKES IT FIRST --------------------------------------------------------------------- Just because an organization comes out with a solution first doesn?t automatically make it proprietary, unless they?ve already patented it and in that case, well it?s a whole different ball game. Microsoft saw a problem, decided on a solution, and implemented it. What should be noted is that they did it in a way that made it possible for other browser vendors to take advantage of the same constructs to implement a similar solution. They used a custom HTTP header that?s portable and browser and operating system agnostic when they could have found any number of other, truly proprietary ways to solve this problem. I?ve been down on Microsoft and its products in the past but in this case the software giant doesn?t deserve the negativity involved with calling this a proprietary solution. This is a far sight better than the framekiller options available today and it certainly doesn?t require the amount of work implied by these ?critics? to leverage the solution. Follow me on Twitter []View Lori's profile on SlideShare[] [] []friendfeedicon_facebook AddThis Feed Button Bookmark and Share Technorati Tags: MacVittie,F5,proprietary,clickjacking,IE8,firefox,noscript,solutions,english,definition,browsers,HTTP,headers,intermediaries,web application,architecture,application delivery,web,internet,blog,web 2.0 Related blogs et articles: * Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox * Hypertext Transfer Protocol ? HTTP/1.1 RFC 2616 * Picard and Dathon at El-Adrel * Jedi Mind Tricks: HTTP Request Smuggling * Why not network-side pre-fetching? * How to brandalize your content with network-side scripting * I am in your HTTP headers, attacking your application []

Les mots clés de la revue de presse pour cet article : microsoft
Les videos sur SecuObs pour les mots clés : microsoft
Les mots clés pour les articles publiés sur SecuObs : microsoft
Les éléments de la revue Twitter pour les mots clé : microsoft



AddThis Social Bookmark Widget



Les derniers articles du site "Security" :

- iPhone will be first mobile device to fall at Pwn2Own 2010
- Malicious Advertising Threatens the Popular Ad-supported Business Model
- There's Privacy Then There's Privacy
- vsftpd HTTP lunacy
- Impressions from the RSA 2010 USA Conference
- Classmates.com settles suit over misleading e-mails
- 0-day exploits for IE flaw another reason to switch to IE 8
- Medicine, Taxation, and Identity in Cyberspace
- etc Another botnet takes a beating as Kazakh ISP Troyak is taken offline, temporarily disabling most of the command-and-control servers for the Zeus network.
- Bad employee 12pourcents knowingly violate company IT policies



S'abonner au fil RSS global de la revue de presse
Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

Si vous voulez bloquer ce service sur vos fils RSS :
 - avec iptables "iptables -A INPUT -s 88.191.75.173 --dport 80 -j DROP"
- avec ipfw et wipfw "ipfw add deny from 88.191.75.173 to any 80"
- Nous contacter par mail





Les derniers commentaires publiés sur SecuObs (6-25):
- ESRT @iagox86 @hdmoore - Using Metasploit to Locate and Exploit the Energizer
- ESRT @innismir - New Weblog Post -- Finding Malware on your network via cache
- Sniffing with Wireshark as a Non-Root User
- Focus on MacNikto v1.1.1
- New Google Chrome v4.1.249.1036 released, fixes multiple security vulnerabili
- ESRT @opexxx @synopsi - Remote stack overflows
- ESRT @postmodern_mod3 @tmm1 - memprof now displays stack frames and threads
- ESRT @_MDL_ @gollmann - Locking botnet agents to specific victim systems in o
- CsFire 0.4.1 autonomously protects against dangerous or malicious cross-domai
- Seccubus v1.4.1 - Nessus 4.2 compatibility release
- ESRT @JGamblin @threatpost - Hackers say they will definitely break into an A
- ESRT @hdmoore @iagox86 - Weaponizing dnscat - first version of dnscat shellco
- iWep PRO 1.1.3 Released
- FireCAT v1.6.2 updated with Framework Detector
- ESRT @opexxx - FireCAT v1.6.2 updated with BackendInfo
- sipwitch 0.7.4
- Oracle XDB FTP service UNLOCK buffer overflow exploit that spawns a reverse s
- XSSploit XSS scanner multiplatfom v0.5 available
- Network forensics in IRB xtractr Ruby gem
- GreenPois0n Possible Jailbreak Software for iPad OS 32


SecuToolBox :

Mini-Tagwall des articles publiés sur SecuObs :

Archives Failles Secunia :
- SA38989 Fedora update for tar
- SA38988 Fedora update for cpio
- SA38921 SUSE update for OpenOffice_org
- SA38971 Multi Auktions Komplett System id_auk SQL Injection Vulnerability
- SA38945 Ubuntu update for audiofile

Archives Mailing Full Disclosure :
- Full-disclosure Claude Mercier/CLSC-CHSLD BVLV/Reg03/SSSS est absent(e).
- Re: Full-disclosure Fingerprinting Paper with Laser
- Full-disclosure Vulnerability Httpdx v1.5.3b
- Full-disclosure CA20100318-01: Security Notice for CA ARCserve Backup
- Re: Full-disclosure Fingerprinting Paper with Laser

Archives Mailing Bugtraq :
- announcing skipfish, an automated web app security scanner
- Vulnerability Httpdx v1.5.3b
- IBM Lotus 6.x HTTP Response Splitting Vulnerability
- There are lost of xss vul in PHPWind v6.0 !
- CA20100318-01: Security Notice for CA ARCserve Backup
- SECURITY DSA-2018-1 New php5 packages fix null pointer dereference

Mini-Tagwall de l'annuaire video :

Mini-Tagwall des articles de la revue de presse :

Mini-Tagwall des Tweets de la revue Twitter :