Tejeddine Mouelhi
  • Home
  • My blog
  • My publications
  • About my research
  • Java programs
  • Pictures
  • pagex

Google under attack from China

1/14/2010

0 Comments

 
A sophisticated attack against Google coming from china. It is  interesting to see how this was done.
It was based on phishing and on installing malware on victim computer to access to their gmail attack. The victims are chinese human right activists. And they were able to access two gmail accounts.

Update.
A demo of the attack using Metasploit tool can be watched here.



0 Comments

Is it possible to trust the compiler ?!

9/2/2009

0 Comments

 
An interesting post from veracode blog about trusting compilers.
To sum up the issue is that kaspersky and F-Secure labs published a sample of a new kind of viruses that target compilers in order to modify them to make them inject malicious code when compiling sources.
The overall approach is interesting. However, as I have posted in response to the post.
It is clear that compilers cannot be trusted anymore. However, I don't think that it is hard to detect that the compiler is malicious.
An easy and simple way would be to take a simple program, say the HelloWorld program and a compiled version, a trusted one. For this, the binary code should be reviewed (this is possible, even manually because the code is simple).
Then we compare the compiled version we get using the compiler (to be tested) with the other 'trusted one'.
No need to go with complex binary analyses, as suggested by Chris's paper.

0 Comments

CWE/SANS Top 25 Most Dangerous Programming Errors

2/16/2009

0 Comments

 

CWE/SANS published a recent report on the most dangerous programming errors, that developers should be aware of. This report is very interesting, and worth reading.
Developers really lack knowledge about security.
In addition, I think that pointing out the most dangerous errors is a good step forward toward  informing the SE community about security issues.

About this subject, i put a comment on veracode security blog.
I argued about the methods security companies are using, which include only two diffrent solution; which are: automated tools for detecting flaws AND security expert manual code audit. Well, that will work to a certain degree but i thing that is not good enough.
I will not go further because my comment is available in their blog entry.

0 Comments

    Author

    Dr. Tejeddine Mouelhi
    Expert in IT security & security/software testing

    View my profile on LinkedIn

    Archives

    April 2020
    August 2018
    June 2016
    July 2015
    July 2013
    October 2012
    March 2012
    November 2011
    May 2011
    April 2011
    July 2010
    April 2010
    January 2010
    November 2009
    September 2009
    August 2009
    May 2009
    March 2009
    February 2009

    Categories

    All
    All
    Application Security
    Funny
    Research
    Security Blog
    Worth Reading

    RSS Feed

Powered by Create your own unique website with customizable templates.
  • Home
  • My blog
  • My publications
  • About my research
  • Java programs
  • Pictures
  • pagex