Showing posts with label security. Show all posts
Showing posts with label security. Show all posts

Sunday, November 23, 2008

Z-Blog URL Redirect Security Affected Spam Attacks

Z-Blog system contain a security issue that allows spam attack to Wikipedia by using url redirect.

The design of Z-Blog anti-spam encrypts the URL before redirect it. The name of the redirected file is c_urlredirect.asp. With the parameter of this page Z-Blog kann redirect to various pages. Sorrowfully the used encryption is very simple. One just need to put the odd characters together. With this methode blackhat SEO manipulates redirects from other Z-Blog websites to call its own website. Thus even if the original address is listed on the blacklist by Wikipedia, the manipulated redirect would still work and be used as spam.

The solution for this problem is not easy. The most simple way is to delete c_urlredirect.asp. But this method would also prevent the blogger himself make redirects.

Source . thanks for Wing translation

Saturday, September 20, 2008

MSN and Gtalk Local Password Hacking

I have to tell the true that local password of MSN & GTalk can be easily hacked. You can even find the local password directly by using a hack tool named MessenPass. This means it is high risky if you save the password of MSN or GTalk in the local PC.

MessenPass can be used to get the passwords for the current logged-on user on your local computer, and it works if you chose the remember your password in one of the above programs.

Password hashing is a way of encrypting a password before it's stored so that if local computer gets into the wrong hands, the damage is limited. Hashing is nothing new - it's been in use in Unix system password files since long before my time, and quite probably in other systems long before that.

A hash (also called a hash code, digest, or message digest) can be thought of as the digital fingerprint of a piece of data. You can easily generate a fixed length hash for any text string using a one-way mathematical process. It is next to impossible to (efficiently) recover the original text from a hash alone. It is also vastly unlikely that any different text string will give you an identical hash - a 'hash collision'. These properties make hashes ideally suited for storing your application's passwords. Why? Because although an attacker may compromise a part of your system and reveal your list of password hashes, they can't determine from the hashes alone what the real passwords are.

We've established that it's incredibly difficult to recover the original password from a hash, so how will the application know if a user has entered the correct password or not? Quite simply - by generating a hash of the user-supplied password and comparing this 'fingerprint' with the hash stored in your user profile, you'll know whether or not the passwords match.