Tuesday, 4 October 2005
[NewsForge] SSL VPNs and OpenVPN: A lot of lies and a shred of truth. Despite what some claim, OpenVPN offers one of the best IPSec implementations for building virtual private networks, compared with other existing alternatives that are nowhere near as secure.
OpenVPN is able to create and maintain tunnels with at least the level of security found in the best IPsec implementations. This is important. There's a reason people have tolerated IPsec for so long, because it provides the gold standard for device-to-device communication over untrusted networks. OpenVPN matches this standard and takes it a step further.
Many of the so-called SSL VPNs emerging lately tout their "clientless" architecture and claim you can get VPN access using a simple Web browser. This has serious security implications that we've already covered, but it also has feature limitations. Many of these products are just doing port forwarding, Web proxying, or "Webalizing" of protocols on a one-at-a-time basis, not true network extension.
21:27 (# Permalink)

Build Security In, a portal with a wealth of information on computer security.
Build Security In is a project of the Strategic Initiatives Branch of the National Cyber Security Division (NCSD) of the Department of Homeland Security (DHS). The Software Engineering Institute (SEI) was engaged by the NCSD to provide support in the Process and Technology focus areas of this initiative. The SEI team will develop and collect software assurance and software security information that will help software developers, architects, and security practitioners to create secure systems.
All it lacks is an RSS feed.
17:18 (# Permalink)

The SpreadFirefox.com website has been attacked through a vulnerability in TWiki. Apparently the attackers did not gain access to sensitive user data, but the Mozilla Foundation recommends changing passwords and, where the previously used password is also used somewhere else, changing it there as well.
SpreadFirefox.com is currently offline.
The Spread Firefox Team became aware this week that the server hosting Spread Firefox, our community marketing site, has been accessed by unknown remote attackers who attempted to exploit a security vulnerability in TWiki software installed on the server. The TWiki software was disabled as soon as we were aware of the attempts to access SpreadFirefox.com. This exploit was limited to SpreadFirefox.com and did not affect mozilla.org web sites or Mozilla software.
We have scanned Spread Firefox servers and at this time do not believe any sensitive data was taken, but as a precautionary measure we have shutdown the site and will be rebuilding the web site from scratch. We also recommend that you change your Spread Firefox password and the password of any accounts where you use the same password as your Spread Firefox account. We will notify you again when the site is back up with instructions on how to change your password. (Note: We do use MD5 hashing on the passwords, but MD5 cannot protect all passwords against off-line dictionary style attacks.)
After Spread Firefox was compromised in July, we instituted procedures to ensure that we apply all security fixes to the software running the site (Drupal and PHP) as soon as they become available. Unfortunately, those procedures overlooked the installation of the TWiki software since it is not used by the main Spread Firefox site. When the system is rebuilt, all the software will be audited to ensure that security updates will be applied in a timely manner. We deeply regret this incident and any inconvenience this may have caused you. Sincerely,
Spread Firefox Team, Mozilla Foundation
By the way, nobody should see in this attack any connection with the current debate over which browser is more secure; the attack exploited a vulnerability in a product unrelated to either browsers or the Mozilla Foundation.
10:52 (# Permalink)

[Netcraft] Banks Shifting Logins to Non-SSL Pages. A trend in online banking: the login page is placed in an environment without SSL.
After years of training customers to trust only SSL-enabled sites, banks are shifting their online banking logins to the unencrypted home pages of their websites. Although the data is encrypted once the user hits the "Sign In" button, the practice runs counter to years of customer conditioning, as well as the goals of the browser makers. Three of the five largest U.S. banks now display login forms on non-SSL home pages, including Bank of America, Wachovia and Chase, as well as financial services giant American Express.
Web sites are generally reluctant to use "https" on busy home pages, since SSL involves a tradeoff: improved security, but slower response time. Consumers, meanwhile, prefer easy-to-remember URLs for their online banking. In placing login screens on non-SSL home pages, banks are trying to have it both ways: fast page loading without the SSL-related performance hit. The login form's "action" URL points to an SSL-enabled https URL.
(...)
This growing practice was criticized by Microsoft in April. "If the login form was delivered via HTTP, there's no guarantee it hasn't been changed between the server and the client," Microsoft's Eric Lawrence wrote on the IE7 blog. "A bad guy sitting on the wire between the two could simply retarget the POST to submit to a HTTPS site that he controls."
08:52 (# Permalink)

At last!!! The new keyboard for the laptop has arrived. A few days ago I called Dell technical support because I was having serious problems with the keyboard: the space bar sometimes worked, sometimes inserted two or three spaces, sometimes did not advance... some keys did not quite work properly, etc.
Dell had me check the connector and, on seeing that the problem persisted, told me they would send me a new keyboard. It took quite a few days, but it has finally arrived. I have already swapped it and it is a whole new world... the feel has improved, too.
It is a pleasure to be able to type completely normally again.
Here, in the middle of the swap:
By the way, on taking the old keyboard apart I see that I have a serious hair-loss problem... Nothing special came out of the keyboard (see the article "Què mengem quan treballem"). No traces of bread, crisps or any other food... but hundreds (thousands) of hairs of all sizes.
08:22 (# Permalink)

[ILoveJackDaniels] mod_rewrite cheat sheet
The mod_rewrite cheat sheet is designed to act as a reminder and reference sheet, listing useful information about mod_rewrite. It includes a list of flags for the RewriteRule and RewriteCond directives, list of server variables, a regular expression guide and several examples of common rules.
Some of the things we find in it are:
- Regular expression syntax
- Redirection codes
- RewriteRule values
- RewriteCond values
- Server variables
- Directives
- Several examples
08:10 (# Permalink)

[ZDNet India] Microsoft confirms next XP service pack. Microsoft has confirmed that it will release Service Pack 3 for Windows XP during the coming year, although it has not confirmed any details about the changes this update may include.
The last Service Pack for Windows XP was released in September of last year... more than a year late.
08:02 (# Permalink)

[CNN] ISS Launches Vulnerability Management Service. ISS has begun offering a managed service for controlling security updates on systems:
ISS’ new Vulnerability Management Service extends the company’s previous threat scanning service by placing "drones" inside customer networks, said John Wheeler, director of deployment and integration at the Atlanta-based vendor. "ISS has been providing remote scanning services, but it has been a view from the outside," he said. "Now we have both internal and external views."
The service also helps customers assess the risk of vulnerabilities found and determine the return on investment of remediation, allowing them to prioritize remediation based on actual risk to the company, Wheeler said.
07:59 (# Permalink)

[Mobile Pipeline] Quick Review: ZyXEL Wi-Fi Finder And Adapter. This new wireless network detector is a complete stand-alone system that can identify the presence of a signal without needing a computer. It shows all the information about the detected networks on its screen, indicating whether a network is open or carries encrypted traffic. It recognizes the 802.11a/b/g protocols. Unlike other models, it includes a battery that charges through the USB port.
07:48 (# Permalink)

© Copyright 2003-2005 Xavier Caballe. Unless expressly stated otherwise, the material published on this weblog is distributed under the Creative Commons licence. The content is solely and exclusively the responsibility of its author and bears no relation to his professional activities.