Reposting an article by industry heavyweight SuperHei; the original is at http://hi.baidu.com/hi_heige/blog/item/7144a8a0746b1680471064af.html
It seems wherever there is competition there is mudslinging, in China and abroad alike....
Lately keywords like "china google aurora" are all the rage, and foreigners are just as good at going the gossip route: any event at all can be spun and hyped together. Leaving aside how effective this 'aurora' 0day really is, and whether it is really that powerful, let's first look at a blog post on HP's security channel: http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx The matter actually has nothing to do with HP at all, but HP made successful use of the incident....
China
We have known for a long time that China is engaged in actively sponsoring espionage. However, the focused targeting of private business is a newer, more sophisticated and lucrative threat. These spear phishing attacks are intensely researched and aimed at top level executives, and will become more common as time passes.
In a directly related point, consider the curious appearance of a new website called iiScan. This service (based in China) offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software to your website, and they will, ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email you a PDF based report to your email account.
Wow. This service sounds like an overwhelmingly bad idea. It doesn’t take much to imagine all the things that could go wrong in this scenario, even if the Chinese government didn’t directly fund targeted attacks, IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released. Can you say ‘Beijing Cocktail’?
It might very well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) may be legitimate, or at least may have started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers, or for the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.
Because of the keyword CHINA, they tie in iiScan, since iiScan is a NOSEC product and NOSEC is a Chinese company. The gist of their blog is that iiScan might be a government-backed 'phishing' site used to collect the vulnerabilities of its many users, that it could then attack them by sending PDF reports carrying malicious code, and that on top of that it could harvest email addresses for spam and phishing.....
At first glance this seems baffling, but once you see the blog's title it all makes sense: HP has WebInspect in its portfolio, so everything is clear. This is like 360 launching its free antivirus service; HP is panicking!!!!!!????
From the speculation above you can see that HP is pretty sharp, because they seized on a weak spot of online services: customer data security. With an online scanner like iiScan, users will worry that the scan results get exposed (since vulnerability remediation takes some time). I once had an idea for a similar product, but gave it up for this very reason.... I hope NOSEC, while refuting the rumor, also gives this problem some thought... 🙂