Search the Community

Showing results for tags 'google'.

  1. Flesh

    Iframe traffic

    Can traffic be brought in through an iframe with a Google referrer?
  2. I need a free Romanian number, so that when I am called on that number the calls are redirected to another number regardless of country or region. I searched on Google but didn't find anything free, maybe you can help me, thanks.
  3. Firefox-maker Mozilla has joined Google in refusing to recognize SSL certificates issued by the China Internet Network Information Centre (CNNIC). This comes after a security biz in Egypt used a CNNIC-issued intermediate certificate to create unauthorized SSL certs that could be used to trick people into connecting to bogus, password-stealing Gmail.com or Google.com websites. Google, and now Moz, are outraged by CNNIC's sloppiness in the case.

CNNIC is run by the Middle Kingdom's government, and handles the .cn domain name registry, IP address allocation and other things as well as issuing SSL certificates for encrypted websites via intermediaries.

"After reviewing the circumstances and a robust discussion on our public mailing list, we have concluded that CNNIC's behaviour in issuing an unconstrained intermediate certificate to a company with no documented PKI practices and with no oversight of how the private key was stored or controlled was an 'egregious practice' as per Mozilla's CA Certificate Enforcement Policy," the Mozilla security team wrote in a Thursday blog post.

As a consequence of the incident, all Mozilla products – including the Firefox web browser and the Thunderbird email client, among others – will be updated so that all CNNIC-based certificates issued on or after April 1, 2015 are considered untrusted. Mozilla said it also plans to ask CNNIC for a comprehensive list of all of its current valid certificates. Any certificates issued before April 1 that are not included on this whitelist will also be subject to potential "further action."

The move comes following a similar action by Google, which said on Wednesday that it would stop recognizing the CNNIC certificate authority in a future update to its Chrome browser. As a result of these actions, Chrome and Firefox users who try to connect via encrypted HTTPS to websites that use CNNIC-issued SSL certificates will see alert messages warning them that their connections may not be secure – even for online banks, e-commerce shops, and other sites that manage sensitive information.

CNNIC, which manages both China's .cn country code top-level domain and the system of internationalized domain names that contain Chinese characters, issued a declaration on Thursday condemning Google's ban:

1. The decision that Google has made is unacceptable and unintelligible to CNNIC, and meanwhile CNNIC sincerely urges that Google would take users' rights and interests into full consideration.
2. For the users that CNNIC has already issued the certificates to, we guarantee that your lawful rights and interests will not be affected.

Mozilla added, though, that CNNIC could regain its standing but only after proving that it could be trusted with the responsibility of managing a root certificate authority. "CNNIC may, if they wish, re-apply for full inclusion in the Mozilla root store and the removal of this restriction, by going through Mozilla's inclusion process after completing additional steps that the Mozilla community may require as a result of this incident," the nonprofit's security team said. Source
  4. Last year at the Google I/O developer event, Google launched a limited beta "App Runtime for Chrome" (ARC) project, which has now expanded to run millions of Android apps within the Chrome browser. Google has released a new developer tool called App Runtime for Chrome (ARC) Welder that allows Android apps to run on Chrome for Linux, Windows, and OS X systems. App Runtime for Chrome (ARC) was an early experiment specifically designed for app developers, but now anyone can download it. Google Chrome's ARC Welder app can now run any of your favorite Android apps like WhatsApp, Candy Crush, Angry Birds, all from your Chrome web browser.

The ARC Welder tool operates via a special runtime implemented using Native Client (NaCl) in-browser binary execution tech. Native Client is a Chrome sandboxing technology that allows Chrome plugins and apps to run at near-native speeds, taking full advantage of the system's CPU and GPU. Google ported the complete Android stack to Native Client, allowing Android apps to run on most major operating systems.

The Google ARC Welder tool is based on Android 4.4, but there are some limitations:
• you can load only one app at a time
• you have to select portrait or landscape layout
• you need to choose whether you want the app to run in phone- or tablet-style

LEARN HOW TO RUN ANDROID APPS IN CHROME:
1. Install the latest Google Chrome browser.
2. Download and run the ARC Welder app from the Chrome Store.
3. Add a third-party APK file host.
4. After downloading the APK app file to your PC, click Open.
5. Select the mode -> "Tablet" or "Phone" -> in which you want to run your app.
6. Finally, click the "Launch App" button.

I have personally tried this tool before writing, and some of my favorite Android apps work pretty well. SOURCE
  5. Google said Thursday that malware infections on Android devices have been cut in half in the past year following security upgrades for the mobile platform. In a security review for 2014, Google said it made significant strides for the platform long seen as weak on security. Android security engineer Adrian Ludwig said in a blog post that the overall worldwide rate of potentially harmful applications installed dropped by nearly 50 percent between the first quarter and the fourth quarter of the year. Ludwig noted over one billion Android devices in use worldwide have security through Google Play "which conducts 200 million security scans of devices per day" and that fewer than one percent of the devices had potentially harmful apps installed in 2014. For those devices which only use Google Play apps, the rate of potentially malicious apps was less than 0.15 percent, Google said. The report noted that Android got several security upgrades in 2014, including improved encryption and better detection tools for malware. Android has long been seen as vulnerable to malware because it is an open platform and many devices run older versions of the mobile operating system. But Google's report said its review "does not show any evidence of widespread exploitation of Android devices." "We want to ensure that Android is a safe place, and this report has helped us take a look at how we did in the past year, and what we can still improve on," Ludwig said. "In 2015, we have already announced that we are being even more proactive in reviewing applications for all types of policy violations within Google Play. Outside of Google Play, we have also increased our efforts to enhance protections for specific higher-risk devices and regions." Android is used on around 80 percent of the smartphones globally, but its popularity has also made it a magnet for malware. Source: Google Says Android Malware Cut in Half | SecurityWeek.Com
  6. Google's Chrome browser will stop trusting all digital certificates issued by the China Internet Network Information Center following a major trust breach last week that led to the issuance of unauthorized credentials for Gmail and several other Google domains. The move could have major consequences for huge numbers of Internet users as Chrome, the world's second most widely used browser, stops recognizing all website certificates issued by CNNIC. That could leave huge numbers of users suddenly unable to connect to banks and e-commerce sites. To give affected website operators time to obtain new credentials from a different certificate authority, Google will wait an unspecified period of time before implementing the change. Once that grace period ends, Google engineers will blacklist both CNNIC's root and extended-validation certificates in Chrome and all other Google software.

The unauthorized certificates were issued by Egypt-based MCS Holdings, an intermediate certificate authority that operated under the authority of CNNIC. MCS used the certificates in a man-in-the-middle proxy, a device that intercepts secure connections by masquerading as the intended destination. Such devices are sometimes used by companies to monitor employees' encrypted traffic for legal or human resources reasons. It's one of the first times a certificate authority has faced such a banishment since the downfall of Netherlands-based DigiNotar in 2011. Other CAs, including US-based Trustwave, have also done what CNNIC did without getting the boot. While worldwide Chrome is the No. 2 most used browser, it had a commanding 52-percent share in China last year, compared to 23 percent for IE.

The move was announced on Wednesday evening in an update to last week's blog post disclosing the misissued certificates. The update left open the possibility that CNNIC may be reinstated at an undetermined future date if the group gives a detailed accounting of all currently valid certificates. The update read:

As this post was being prepared, it wasn't clear if Mozilla or Microsoft planned to update Firefox and Internet Explorer to also stop trusting CNNIC. Firefox 37, released this week, stopped trusting all certificates issued by MCS Holdings, and Microsoft has announced similar plans for Windows. Revoking trust in the root CNNIC certificate would be a much more disruptive course of action, since many more website certificates would be affected.

Update 1: In an e-mailed statement, Mozilla Cryptographic Engineering Manager Richard Barnes said: "We believe it is very important to include the Mozilla community in these discussions, so we are taking a bit longer to announce our official plan. We expect to wrap up our discussion in mozilla.dev.security.policy soon, and in the meantime you can see the plan we are currently discussing here." The plan under consideration would:
• Reject certificates chaining to CNNIC with a notBefore date after a threshold date
• Request that CNNIC provide a list of currently valid certificates and publish that list so that the community can recognize any back-dated certs
• Allow CNNIC to re-apply for full inclusion, with some additional requirements (to be discussed on this list)
• If CNNIC's re-application is unsuccessful, then their root certificates will be removed

Update 2: Officials with CNNIC have issued a statement that's sharply critical of Google's move. It reads: Source
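The distrust rules that this post and the Mozilla post earlier in the list describe (reject anything chaining to CNNIC whose notBefore is on or after the threshold date; treat earlier certificates as trusted only if they appear on the list of valid certificates CNNIC was asked to supply, since a back-dated certificate would otherwise pass) worked through as an added example. This is not code from either post, from Mozilla or from Google: certificates are plain records rather than parsed X.509, the chain check is name linkage only with no signature verification, and the root DN, serials, names and dates are constructed for the example.

```python
"""Added example; not code from the posts, Mozilla or Google. It models the
distrust rules the posts describe (reject certificates chaining to CNNIC with a
notBefore on or after 1 April 2015; treat earlier ones as trusted only if they
appear on the list of valid certificates CNNIC was asked to supply) and applies
them to a chain. Certificates are plain records rather than parsed X.509 and the
chain check is name linkage only (no signature verification), so it runs offline.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

# Threshold date from the Mozilla announcement quoted in the posts.
CNNIC_THRESHOLD = datetime(2015, 4, 1, tzinfo=timezone.utc)

# Subject DN treated as the distrusted root. The string is a placeholder for this
# example; a real check would match the root's fingerprint, not a display name.
DISTRUSTED_ROOTS = {"CN=Distrusted Root CA (stand-in for CNNIC)"}


@dataclass(frozen=True)
class Cert:
    """Minimal view of a certificate: only the fields the policy consults."""
    subject: str
    issuer: str
    serial: str
    not_before: datetime


def linked(chain: list[Cert]) -> bool:
    """Leaf-first chain: each issuer name must equal the next certificate's subject."""
    return all(child.issuer == parent.subject for child, parent in zip(chain, chain[1:]))


def evaluate_chain(chain: list[Cert], cnnic_whitelist: set[str]) -> str:
    """Return the verdict a client applying the announced policy would reach.

    `cnnic_whitelist` is the set of serial numbers CNNIC reports as currently
    valid; it is empty until such a list has been published.
    """
    if not chain or not linked(chain):
        return "invalid-chain"
    # The distrusted root may sit anywhere in the path (it could also appear as a
    # cross-signed intermediate), so inspect the whole chain rather than the end.
    if not any(c.subject in DISTRUSTED_ROOTS for c in chain):
        return "trusted"
    leaf = chain[0]
    if leaf.not_before >= CNNIC_THRESHOLD:
        return "untrusted-after-threshold"
    if leaf.serial in cnnic_whitelist:
        return "trusted-whitelisted"
    # Pre-threshold notBefore but absent from CNNIC's list: exactly the case the
    # list was requested for, because a back-dated certificate looks like this.
    return "pending-whitelist"


# Constructed sample chains: names, serials and dates are made up for the example.
def _d(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


ROOT_DN = "CN=Distrusted Root CA (stand-in for CNNIC)"
ROOT = Cert(ROOT_DN, ROOT_DN, "01", _d(2007, 4, 16))
INTERMEDIATE = Cert("CN=Example Intermediate CA", ROOT_DN, "1001", _d(2015, 3, 10))
OTHER_ROOT = Cert("CN=Other Root CA", "CN=Other Root CA", "02", _d(2010, 1, 1))

CHAIN_AFTER = [Cert("CN=www.example.com", INTERMEDIATE.subject, "2002", _d(2015, 4, 2)), INTERMEDIATE, ROOT]
CHAIN_BEFORE = [Cert("CN=www.example.com", INTERMEDIATE.subject, "2001", _d(2015, 3, 20)), INTERMEDIATE, ROOT]
CHAIN_OTHER = [Cert("CN=www.example.com", OTHER_ROOT.subject, "3001", _d(2015, 4, 2)), OTHER_ROOT]
CHAIN_BROKEN = [CHAIN_AFTER[0], ROOT]  # leaf names an issuer that is not the next cert


if __name__ == "__main__":
    for name, chain in [("after", CHAIN_AFTER), ("before", CHAIN_BEFORE),
                        ("other", CHAIN_OTHER), ("broken", CHAIN_BROKEN)]:
        print(name, evaluate_chain(chain, cnnic_whitelist=set()))
```

The "pending-whitelist" verdict is the practical point: a notBefore date is asserted by the issuer, so the date check alone cannot tell a genuinely old certificate from a back-dated one, which is why the announcement pairs the threshold with a published list of valid certificates.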
  7. For example, Google tries to find out: IP, browser, OS, etc.
  8. Imagine — reaching into your pocket — and pulling out a computer! Google has made it possible to put your whole computer into your pocket by introducing a whole new kind of Chrome device — a tiny stick that plugs into the HDMI port of any display. Dubbed Chromebit, it is a fully featured computer-on-a-stick from Asus that Google promises will retail for less than $100 when it comes out this summer. You just need to plug a Chromebit right into your TV or any monitor in order to turn it into a full-fledged Chrome OS-based computer. Google Chromebit is portable with an impressive look and will be available in three attractive colors — silver, blue and orange. It has a smarter clinch on the business end so that a user can easily plug it into practically any HDMI port without the need of any extension cable.

SPECIFICATIONS
This tiny little Google Chromebit stick is packaged with:
• Rockchip RK3288 (with quad-core Mali 760 graphics)
• 2GB of RAM
• 16GB of solid state storage memory
• a single full-size USB 2.0 port
• Bluetooth 4.0 Smart Ready controller
• WiFi 802.11ac support
• ARM Mali 760 quad-core GPU

Although Google Chromebit will not be the most powerful computer you could plug into your TV, it should not be too bad for the browser-based operating system. Google believes that Chromebit will be of great use in schools and small businesses due to its price and easy manageability.

$149 CHROMEBOOK
In addition to Chromebit, Google also announced several cheap Chrome devices, including the Haier Chromebook 11 (available online at Amazon) and the Hisense Chromebook (available at Walmart). Both are 11.6-inch Chromebooks and will be available at $149, making them cheaper and more affordable than most smartphones. The basic specifications for the Haier and Hisense Chromebooks are essentially the same: 2GB of RAM, two USB ports, 16GB solid flash storage, SD card reader and HDMI output, as well as a 720p webcam and WiFi and Bluetooth antennas.

$249 CHROMEBOOK FLIP
The technology giant also announced that ASUS plans to launch a new "Chromebook Flip" convertible with the same internals later this spring for $249. Chromebook Flip will come with a 10.1-inch touchscreen display that flips all the way around so the device can be used in tablet mode. Source
  9. Google is preparing to release new research on the prevalence of ad injectors, the often-unwanted browser extensions that inject ads onto Web pages, and the numbers will show just how widespread and problematic the software is. Ad injectors belong to that great, amorphous pile of applications that aren’t necessarily classed as malware but exhibit behavior that is unwanted by users. They’re designed to push ads onto the pages that users visit and they typically come in the form of browser extensions. Users sometimes install them purposely, but often ad injectors come bundled with other applications and can be difficult to remove.

Google has been adjusting the way that it handles deceptive and unwanted software and its Chrome browser will display a warning when a user is going to download an ad injector from the Chrome Web Store. The company doesn’t ban all ad injectors across the board, but will remove deceptive apps from the Web Store. Google said that it has received more than 100,000 complaints from Chrome users about ad injectors in just the past three months. In a few weeks, Google plans to release some joint research on ad injectors it did with the University of California at Berkeley. Some of the findings that came out of the research make it clear that ad injectors represent a fairly large-scale problem for users:
• Ad injectors were detected on all operating systems (Mac and Windows), and web browsers (Chrome, Firefox, IE) that were included in our test.
• More than 5% of people visiting Google sites have at least one ad injector installed. Within that group, half have at least two injectors installed and nearly one-third have at least four installed.
• Thirty-four percent of Chrome extensions injecting ads were classified as outright malware.

Google’s Nav Jagpal said in a blog post that the research found nearly 200 deceptive extensions in the Chrome Web Store, which have been disabled. Jagpal said Google plans to release the full results of the research on May 1. Source
  10. Google is continuing to refine its Safe Browsing API and now is giving users warnings about not just malicious software on sites they’re attempting to visit, but also about unwanted software. Google’s Safe Browsing API is designed to help protect users from a variety of threats on pages across the Internet. The functionality is built into Chrome, as well as Firefox and other browsers, and when a user tries to visit a page that Google’s crawlers or other users have reported to be hosting malware, phishing links or other types of threats it will throw up a warning dialog. Depending upon the type of threat found on the target page, the browser will give the user various types of information and options.

Google started showing Chrome users warnings about deceptive or unwanted software last month, but now that information will be fed into the Safe Browsing API so that other browser vendors, as well as app developers, can pull it into their offerings. “In addition to our constantly-updated malware and phishing data, our unwanted software data is now publicly available for developers to integrate into their own security measures. For example, any app that wants to save its users from winding up on sites that lead to deceptive software could use our API to do precisely that,” Emily Schechter, safe browsing program manager at Google, said in a blog post. “We continue to integrate Safe Browsing technology across Google—in Chrome, Google Analytics, and more—to protect users.”

Deceptive, or unwanted, software is a fairly broad category of applications that includes things such as browser extensions that change your home page or modify the settings in your browser. These applications sometimes are bundled with other software or downloaded in the background, sometimes without a user’s knowledge. They can also include spyware or adware that collect users’ data and pretend to be something other than what they really are. Google defines deceptive software broadly as “programs disguised as a helpful download that actually make unexpected changes to your computer”. Source
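What the post says developers can now do, asking the Safe Browsing API about a URL with unwanted software included alongside malware and phishing, as an added example that is not code from the post or from Google. It targets the v4 Lookup endpoint (threatMatches:find), the current generation of the API rather than the one available when the post was written; the API key, client name and the sample reply are constructed for the example.

```python
"""Added example; not code from the post or from Google. It shows what the post
describes developers doing: asking the Safe Browsing Lookup API about URLs with
unwanted software included as a threat type, then turning the reply into a
per-URL verdict. It targets the v4 Lookup endpoint (threatMatches:find), the
current generation rather than the one available in 2015. The API key, client
name and sample response below are constructed for the example.
"""
import json
import urllib.request

LOOKUP_URL = "https://safebrowsing.googleapis.com/v4/threatMatches:find"

# Malware and phishing plus the unwanted-software category the post is about.
THREAT_TYPES = ["MALWARE", "SOCIAL_ENGINEERING", "UNWANTED_SOFTWARE"]


def build_request(urls, client_id="example-client", client_version="1.0"):
    """Request body for threatMatches:find covering every URL in `urls`."""
    return {
        "client": {"clientId": client_id, "clientVersion": client_version},
        "threatInfo": {
            "threatTypes": THREAT_TYPES,
            "platformTypes": ["ANY_PLATFORM"],
            "threatEntryTypes": ["URL"],
            "threatEntries": [{"url": u} for u in urls],
        },
    }


def parse_matches(response):
    """Map each flagged URL to the set of threat types reported for it.

    The API returns an empty JSON object when nothing matched, so a URL absent
    from the result is clean as far as the current lists go.
    """
    verdicts = {}
    for match in response.get("matches", []):
        verdicts.setdefault(match["threat"]["url"], set()).add(match["threatType"])
    return verdicts


def cache_seconds(match):
    """cacheDuration is a string such as "300s"; the verdict may be reused that long."""
    return float(match["cacheDuration"].rstrip("s"))


def warning_for(url, verdicts):
    """Pick the most severe warning a client should show for `url`, or None."""
    kinds = verdicts.get(url, set())
    for threat, text in (
        ("MALWARE", "site may install malware"),
        ("SOCIAL_ENGINEERING", "site may be a phishing page"),
        ("UNWANTED_SOFTWARE", "site leads to deceptive or unwanted software"),
    ):
        if threat in kinds:
            return text
    return None


def lookup(urls, api_key, opener=urllib.request.urlopen):
    """Perform the network call. Not exercised offline; `opener` is injectable."""
    body = json.dumps(build_request(urls)).encode("utf-8")
    req = urllib.request.Request(
        f"{LOOKUP_URL}?key={api_key}",
        data=body,
        headers={"Content-Type": "application/json"},
    )
    with opener(req) as resp:
        return parse_matches(json.load(resp))


# Constructed reply, in the documented shape, so the rest runs offline.
SAMPLE_RESPONSE = {
    "matches": [
        {
            "threatType": "UNWANTED_SOFTWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "http://unwanted.example/download"},
            "cacheDuration": "300s",
        },
        {
            "threatType": "MALWARE",
            "platformType": "ANY_PLATFORM",
            "threatEntryType": "URL",
            "threat": {"url": "http://bad.example/"},
            "cacheDuration": "300s",
        },
    ]
}

if __name__ == "__main__":
    print(json.dumps(build_request(["http://unwanted.example/download"]), indent=2))
    verdicts = parse_matches(SAMPLE_RESPONSE)
    for url in ("http://unwanted.example/download", "http://clean.example/"):
        print(url, warning_for(url, verdicts))
```

The Lookup API sends the full URLs being checked to Google, so it suits a server-side check of user-submitted links; browsers themselves use the Update API, which compares locally cached hash prefixes, precisely to avoid disclosing every visited URL.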
  11. Yoast has released a new version of its popular Google Analytics plugin for WordPress to address a persistent cross-site scripting (XSS) vulnerability that could have been exploited to execute arbitrary code. Google Analytics by Yoast has been downloaded nearly 7 million times. The application allows WordPress administrators to monitor website traffic by connecting the plugin to their Google Analytics account. The vulnerability was identified by Jouko Pynnonen, the CEO of Finland-based IT company Klikki Oy. Earlier this month, the expert reported identifying several vulnerabilities in the WPML premium WordPress plugin.

According to the researcher, an attacker can leverage a flaw in Google Analytics by Yoast to store arbitrary code in a targeted administrator’s WordPress dashboard. The code is executed as soon as the administrator opens the plugin’s settings panel. The attack involves two security bugs. First, there is an access control flaw that allows an unauthenticated attacker to connect the plugin installed on the targeted website to his own Google Analytics account by overwriting existing OAuth2 credentials. The second stage of the attack relies on the fact that the plugin renders an HTML dropdown menu based on data from Google Analytics. Because this data is not sanitized, an attacker can enter malicious code in the Google Analytics account and it gets executed when the targeted administrator views the plugin’s settings panel. “Under default WordPress configuration, a malicious user can exploit this flaw to execute arbitrary server-side PHP code via the plugin or theme editors,” Pynnonen said in an advisory. “Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target site.”

The security issues have been addressed with the release of Google Analytics by Yoast version 5.3.3. The update also fixes a flaw that allowed administrators to launch XSS attacks against other administrators. This vulnerability was publicly disclosed back in February by Kaustubh G. Padwad and Rohit Kumar. This isn’t the first time someone has found a vulnerability in a plugin from Yoast. Last week, UK-based researcher Ryan Dewhurst uncovered a blind SQL injection vulnerability in WordPress SEO by Yoast. Source: securityweek.com
  12. Google is prepping a fix for Android users that addresses a meddlesome memory leakage issue that’s plagued some device users since the end of last year. The issue, present in versions 5.0.1 and 5.1 of the mobile operating system code-named Lollipop, has been causing irregular application activity on several Nexus devices for weeks. In some instances, users have apparently experienced issues launching apps and seen apps randomly restarting, often without opening or changing any application. The most prevalent issue users have witnessed has been a massive surge in memory usage. On an issue tracker for the bug on the Android Open Source Project (AOSP) late last week some users reported seeing their RAM bloat to over 1 gigabyte and leave as little as 150 megabytes free, before their phones ultimately crashed. Users claim they’ve seen their phone’s system memory swell, usually after opening a game, then dismissing it. Even if apps are closed however, the phone will go on to gobble up memory until there’s no more space and the device stops responding. The issue – mostly seen in Nexus 5 devices – has lingered since December 2014, when Google pushed 5.0.1 to Nexus devices, but resurfaced in 5.1, which was rolled out last week. “Memory leak not fixed,” one user wrote on AOSP last week, “I’ve had system RAM bloated over 1GB, processes restarting and launcher redraws.” The issue was closed at Android’s Issue Tracker on Friday when a Google project member acknowledged the issue had been “fixed internally,” but added that the company did not have a timetable for public release. The bug’s status was also changed from “New” to “FutureRelease” on Friday, suggesting a fix is forthcoming, perhaps in 5.1.1, but emails to Google inquiring exactly when that fix would come were not immediately replied to on Monday.

Android’s security team has been busy over the past several months addressing issues that have popped up in Lollipop. In November it fixed a vulnerability that could have allowed an attacker to bypass ASLR and run arbitrary code on a target device under certain circumstances. In January the company took some heat for not fixing a bug in the WebView component of the OS on Jelly Bean 4.3 or older. Security engineers for Android later clarified that the issue would really be best fixed by OEMs and that it’s not practical for Google to push patches for older vulnerabilities. Source
  13. Full materials and proof of concept code have been released for the Security Explorations discovery of various Google App Engine Java security sandbox bypasses. Download pack: Google App Engine Java Security Sandbox Bypasses ≈ Packet Storm
  14. Google leaked the complete hidden whois data attached to more than 282,000 domains registered through the company's Google Apps for Work service, a breach that could bite good and bad guys alike. The 282,867 domains counted by Cisco Systems' researchers account for 94 percent of the addresses Google Apps has registered through a partnership with registrar eNom. Among the services is one that charges an additional $6 per year to shield from public view all personal information included in domain name whois records. Rather than being published publicly, the information is promised to remain in the hands of eNom except when it receives a court order to turn it over. Starting in mid 2013, a software defect in Google Apps started leaking the data, including names, phone numbers, physical addresses, e-mail addresses, and more. The bug caused the data to become public once a domain registration was renewed. Cisco's Talos Security Intelligence and Research Group discovered it on February 19, and five days later the leak was plugged, slightly shy of two years after it first sprung.

Whois data is notoriously unreliable, as is clear from all the obviously fake names, addresses, and other data that's contained in public whois records. Still, it's reasonable to assume that some people might be more forthcoming when using a supposedly privacy-enhancing service Google claimed hid such data. Even in cases where people falsified records, the records still might provide important clues about the identities of the people who made them. Often when data isn't pseudo-randomized, it follows patterns that can link the creator to a particular group or other Internet record. As Cisco researchers Nick Biasini, Alex Chiu, Jaeson Schultz, Craig Williams, and William McVey wrote:

Google began warning Google Apps customers of the breach on Thursday night. An official e-mail reads:

It's not particularly easy for the uninitiated to get bulk access to the 282,000 exposed whois records, especially now that two weeks have passed since the data has once again been hidden. Registrars make it difficult to download mass numbers of records, but as the Cisco researchers point out, the falsified data is now a permanent part of the Internet record that won't be hard for determined people to find. It wouldn't be surprising if now-hidden records begin selling in the black market soon. Google's breathtaking failure is a potent reminder why in most cases people do well to provide false information when registering for anything online. In some cases, accurate information is required. More often than not, things work fine with fields left blank or filled in with random characters. It's hard to know just how many people will be bitten by this epic blunder, but even if it's only 10 percent of those affected, that's a hell of a price.

Update: A Google spokesman said the bug resided in the way Google Apps integrated with eNom's domain registration programming interface. It was reported through Google's Vulnerability Rewards Program. The spokesman said the root cause has been identified and fixed. Source
  15. It was about time. They made an automatic migration tool to GitHub, which is cool. Google Open Source Blog: Bidding farewell to Google Code
  16. Google Earth Pro is a 3D interactive globe that can be used to aid planning, analysis and decision making. Businesses, governments and professional users from around the world use Google Earth Pro's data visualization, site planning and information sharing tools. Google Earth Pro includes the same easy-to-use features and imagery as Google Earth, but with additional professional tools designed specifically for people who need it for more than entertainment purposes. Link: Free Google Earth Pro (100% discount)
  17. Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin

Overview
Title: Stored XSS Vulnerability in Google Analytics by Yoast Wordpress Plugin
Author: Kaustubh G. Padwad, Rohit Kumar.
Plugin Homepage: https://yoast.com/wordpress/plugins/google-analytics/
Severity: Medium
Version Affected: Version 5.3.2 and mostly prior to it
Version Tested: Version 5.3.2
Version patched:

Description

Vulnerable Parameters
• Current UA-Profile
• Manually enter your UA code
• Label for those links
• Set path for internal links to track as outbound links:
• Subdomain tracking:
• Extensions of files to track as downloads:

About Vulnerability
This plugin is vulnerable to a stored cross-site scripting vulnerability. The issue is exploitable by administrator users with access to the "Google Analytics by Yoast" settings in WordPress: each of the parameters listed above is vulnerable to stored XSS. A malicious administrator can hijack other users' sessions, take control of another administrator's browser or install malware on their computer.

Vulnerability Class
Cross Site Scripting (https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS))

Steps to Reproduce (POC)
1. After installing the plugin, go to Settings --> Google Analytics by Yoast
2. Input this payload in "Manually enter your UA code":
   v style="position:absolute;top:0;left:0;width:100%;height:100%" onmouseover="prompt(1)" onclick="alert(1)">x
3. Click on the Save Changes button and move your cursor over the input box; you will see the XSS in action
4. Reload the page or navigate to the page again to make sure it is stored

Mitigation
https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Change Log
https://github.com/Yoast/google-analytics-for-wordpress/pull/322/commits

Disclosure
22-February-2015 Reported to developer
25-February-2015 Fixed by developer
05-March-2015 Issue closed with team.
06-March-2015 Public disclosure

Credits
Kaustubh Padwad & Rohit Kumar
Information Security Researchers
kingkaustubh@me.com & kumarrohit2255@gmail.com
@s3curityb3ast, @rkumars3c
http://breakthesec.com
https://www.linkedin.com/in/kaustubhpadwad
Source
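The two injection points described in this advisory and in the SecurityWeek item earlier in the list (the manually entered UA code, stored and echoed into a settings input, and the profile dropdown built from Google Analytics account data) worked as an added example. This is not the plugin's code or the advisory's: it is a Python stand-in for the PHP rendering, with a constructed payload modelled on the PoC above, rendered unescaped and then with context-appropriate escaping, and the result checked with an HTML parser rather than by eye.

```python
"""Added example; not code from the advisory, the news item or the Yoast plugin.
Python stand-in for the plugin's PHP settings page: the UA code is echoed into
an input's value attribute and the profile names into a select, first without
escaping (the bug the posts describe) and then with html.escape. An HTML parser
then reports what a browser would actually see. The payload and profile names
are constructed, modelled on the advisory's PoC.
"""
import html
from html.parser import HTMLParser

# Constructed inputs. The first closes the value attribute and adds event
# handlers; the second closes the <option> and opens a script element.
UA_PAYLOAD = (
    '" style="position:absolute;top:0;left:0;width:100%;height:100%" '
    'onmouseover="prompt(1)" onclick="alert(1)">x'
)
PROFILES = [
    ("UA-000000-1", "Main site"),
    ("UA-000000-2", "</option><script>alert(1)</script>"),
]


def render_settings_unsafe(ua_code, profiles):
    """Stored values dropped straight into markup: attribute and element breakout."""
    options = "".join(f'<option value="{pid}">{name}</option>' for pid, name in profiles)
    return (
        f'<input type="text" name="ua-code" value="{ua_code}">'
        f'<select name="profile">{options}</select>'
    )


def render_settings_safe(ua_code, profiles):
    """Same markup with html.escape(quote=True), which neutralises & < > " and '
    in both quoted attribute values and element text."""
    esc = lambda s: html.escape(s, quote=True)
    options = "".join(
        f'<option value="{esc(pid)}">{esc(name)}</option>' for pid, name in profiles
    )
    return (
        f'<input type="text" name="ua-code" value="{esc(ua_code)}">'
        f'<select name="profile">{options}</select>'
    )


class FragmentAudit(HTMLParser):
    """Collects the tags, on* handlers and input values a browser would parse out."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []
        self.input_values = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name))
            if tag == "input" and name == "value":
                self.input_values.append(value)


def audit(fragment):
    """Parse a rendered fragment and summarise what the browser would execute."""
    parser = FragmentAudit()
    parser.feed(fragment)
    parser.close()
    return {
        "tags": parser.tags,
        "handlers": parser.handlers,
        "input_values": parser.input_values,
    }


if __name__ == "__main__":
    for label, render in (("unsafe", render_settings_unsafe), ("safe", render_settings_safe)):
        print(label, audit(render(UA_PAYLOAD, PROFILES)))
```

The parser-based check is the useful part: in the escaped rendering the input's value round-trips to exactly the stored string, with no extra attributes and no script element, whereas the unescaped rendering hands the browser two event handlers on the input and a script element inside the select.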
  18. blech

    unindexed

    I haven't seen this posted on the forum before and it looks interesting to me: A website that irrevocably deletes itself once indexed by Google. The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself. https://github.com/mroth/unindexed
  19. Hi guys, I recently got my hands on a Yezz Andy A5EL (4.4.2); everything works great, with one small problem: when I want to go into Google Play it asks me to "redeem the code". Do you have any idea how I could fix this? Plus it doesn't do its syncs; I deleted, added, made a new account, nothing. I get the message "Sync is currently experiencing problems. It will be back shortly." Thanks for your time, have a nice day.
  20. unindexed

A website that irrevocably deletes itself once indexed by Google. The site is constantly searching for itself in Google, over and over and over, 24 hours a day. The instant it finds itself in Google search results, the site will instantaneously and irrevocably securely delete itself. Visitors can contribute to the public content of the site, these contributions will also be destroyed when the site deletes itself.

Why would you do such a thing? The full explanation is in the content of the site (which is not linked anywhere here).

UPDATE: The experiment lasted 22 days before it was indexed by Google on 24 February 2015 at 21:01:14 and instantaneously destroyed. It was primarily shared via physical means in the real world, word of mouth, etc. If you didn't find it before it went away. If you want to conduct your own similar experiment, the source code is here.

info
Nothing has been done to prevent the site from being indexed, however the NOARCHIVE meta tag is specified which prevents the Googles from caching their own copy of the content. The content for this site is stored in memory only (via Redis) and is loaded in via a file from an encrypted partition on my personal laptop. This partition is then destroyed immediately after launching the site. Redis backups are disabled. The content is flushed from memory once the site detects that it has been indexed. The URL of the site can be algorithmically generated and is configured via environment variable, so this source code can be made public without disclosing the location of the site to bots. Visitors can leave comments on the site while it is active. These comments are similarly flushed along with the rest of the content upon index event, making them equally ephemeral.

other
Sample configuration notes for running on Heroku:
$ heroku create `pwgen -AnB 6 1` # generates a random hostname
$ heroku addons:add rediscloud # default free tier disables backups
$ heroku config:set REDIS_URL=`heroku config:get REDISCLOUD_URL`
$ heroku config:set SITE_URL=`heroku domains | sed -ne "2,2p;2q"`
$ git push heroku master
$ heroku run npm run reset
$ heroku addons:add scheduler:standard
$ heroku addons:open scheduler
Schedule a task every N minutes for npm run-script query (unfortunately it seems this can only be done via the web interface). Use scripts/load_content.js to load the content piped from STDIN. You can configure monitoring to check the /status endpoint for "OK" if you trust an external service with your URL. Link: https://github.com/mroth/unindexed
21. The information security news today is all about Lenovo's default installation of a piece of adware called "Superfish" on a number of laptops shipped before February 2015. The Superfish system is essentially a tiny TLS/SSL "man in the middle" proxy that attacks secure connections by making them insecure, so that the proxy can insert ads in order to, oh, I don't know, let's just let Lenovo tell it:

"To be clear, Superfish comes with Lenovo consumer products only and is a technology that helps users find and discover products visually," the representative continued. "The technology instantly analyses images on the web and presents identical and similar product offers that may have lower prices, helping users search for images without knowing exactly what an item is called or how to describe it in a typical text-based search engine."

Whatever. The problem here is not just that this is a lousy idea. It's that Lenovo used the same certificate on every single laptop it shipped with Superfish. And since the proxy software also requires the corresponding private key to decrypt and modify your web sessions, that private key was also shipped on every laptop. It took all of a day for a number of researchers to find that key and turn themselves into Lenovo-eating interception proxies.

This sucks for Lenovo users. If you're a Lenovo owner in the affected time period, go to this site to find out if you're vulnerable and (hopefully) what to do about it.

But this isn't what I want to talk about in this post. Instead, what I'd like to discuss is some of the options for large-scale automated fixes to this kind of vulnerability. It's quite possible that Lenovo will do this by themselves, pushing an automated patch to all of their customers to remove the product, but I'm not holding my breath. If Lenovo does not do this, there are roughly three options:

1. Lenovo users live with this and/or manually patch. If the patch requires manual effort, I'd estimate it'll be applied to about 30% of Lenovo laptops. Beware: the current uninstall package does not remove the certificate from the root store!

2. Microsoft drops the bomb. Microsoft has a nuclear option themselves in terms of cleaning up nasty software: they can use the Windows Update mechanism or (less universally) the Windows Defender tool to remove spyware/adware. Unfortunately not everyone uses Defender, and Microsoft is probably loath to push out updates like this without massive testing and a lot of advice from the lawyers.

3. Google and Mozilla fix internally. This seems like a more promising option. Google Chrome in particular is well known for quickly pushing out security updates that revoke keys, add public key pins, and generally make your browsing experience more secure.

It seems unlikely that #1 and #2 will happen anytime soon, so the final option looks initially like the most promising. Unfortunately it's not that easy. To understand why, I'm going to sum up some reasoning given to me (on Twitter) by a couple of members of the Chrome security team.

The obvious solution to fixing things at the browser level is to have Chrome and/or Mozilla push out an update to their browsers that simply revokes the Superfish certificate. There's plenty of precedent for that, and since the private key is now out in the world, anyone can use it to build their own interception proxy. Sadly, this won't work! If Google does this, they'll instantly break every Lenovo laptop with Superfish still installed and running. That's not nice, or smart business for Google.

A more promising option is to have Chrome at least throw up a warning whenever a vulnerable Lenovo user visits a page that's obviously been compromised by a Superfish certificate. This would include most (secure) sites any Superfish-enabled Lenovo user visits (which would be annoying) and just a few pages for those users who have uninstalled Superfish but still have the certificate in their list of trusted roots. This seems much nicer, but runs into two problems. First, someone has to write this code, and in a hurry, because attacks may begin happening immediately. Second, what action item are these warnings going to give people? Manually uninstalling certificates is hard, and until a very nice tool becomes available a warning will just be an irritation for most users.

One option for Google is to find a way to deal with these issues systemically, that is, provide an option for their browser to tunnel traffic through some alternative (secure) protocol to a proxy, where it can then go securely to its location without being molested by Superfish attackers of any flavor. This would obviously require consent by the user; nobody wants their traffic being routed through Google otherwise. But it's at least technically feasible. Google even has an extension for Android/iOS that works something like this: it's a compressing proxy extension that you can install in Chrome. It will shrink your traffic down and send it to a proxy (presumably at Google). Unfortunately this proxy won't work even if it was available for Windows machines, because Superfish will likely just intercept its connections too. So that's out too, and with it the last obvious idea I have for dealing with this in a clean, automated way. Hopefully the Google team will keep going until they find a better solution.

The moral of this story, if you choose to take one, is that you should never compromise security for the sake of a few bucks, because security is so terribly, awfully difficult to get back.

Source: A Few Thoughts on Cryptographic Engineering: How to paint yourself into a corner (Lenovo edition)
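The post warns that the Superfish uninstaller leaves the root certificate in the Windows trust store, which is the part an attacker with the leaked key actually needs. The script below is an added example, not code from the post, from Lenovo or from Superfish: it walks the root stores that Chrome and Internet Explorer consult and reports (and, with the script's own hypothetical -Remove switch, deletes) any certificate whose Subject contains "Superfish". It assumes the shipped root's Subject carries that string (the certificate was issued to "Superfish, Inc."); run it from an elevated PowerShell prompt, since the LocalMachine stores cannot be modified otherwise.

```powershell
# Added example: find a leftover Superfish root certificate in the Windows
# trust stores and optionally remove it. Assumption: the Subject of the
# shipped root contains "Superfish". -Remove is this script's own switch.
param([switch]$Remove)

# Stores checked by Chrome/IE when building a trust chain. Firefox keeps
# its own certificate database, which this script does not inspect.
$stores = @(
    'Cert:\LocalMachine\Root',
    'Cert:\CurrentUser\Root',
    'Cert:\LocalMachine\AuthRoot',
    'Cert:\CurrentUser\AuthRoot'
)

$hits = @(foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -match 'Superfish' }
})

if ($hits.Count -eq 0) {
    Write-Output 'No Superfish certificate found in the trusted root stores.'
    return
}

foreach ($cert in $hits) {
    # PSParentPath tells you which store the match came from.
    Write-Output ('FOUND {0}  thumbprint={1}  notAfter={2}  store={3}' -f `
        $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $cert.PSParentPath)
    if ($Remove) {
        # Removal from a LocalMachine store fails without elevation.
        Remove-Item -Path $cert.PSPath -Confirm:$false
        Write-Output ('removed ' + $cert.Thumbprint)
    }
}
```

Run it once without -Remove to see what is present and where; the thumbprint printed for a hit is what you would pin in an EDR or GPO rule to confirm the cleanup across a fleet. Removing the certificate while the Superfish proxy is still running will break HTTPS on that machine, so uninstall the software first, exactly as the post describes.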
22.

```python
#!/usr/bin/env python3
# goog-mail.py: extracts e-mail addresses for a domain from Google Groups and
# Google Web search results. Ported from the original Python 2 script; the
# unused imports (httplib, string, duplicate re) were dropped.
import re
import sys
import urllib.request

USER_AGENT = 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)'
GROUPS_URL = ('http://groups.google.com/groups?q=%s'
              '&hl=en&lr=&ie=UTF-8&start=%d&sa=N')
WEB_URL = ('http://www.google.com/search?q=%%40%s'
           '&hl=en&lr=&ie=UTF-8&start=%d&sa=N')
MAX_START = 50  # five result pages of ten hits each


def strip_tags(text):
    """Remove every <...> tag so the regex only sees visible text."""
    finished = False
    while not finished:
        finished = True
        start = text.find("<")
        if start >= 0:
            stop = text[start:].find(">")
            if stop >= 0:
                text = text[:start] + text[start + stop + 1:]
                finished = False
    return text


def fetch(url):
    """Download one results page with the spoofed User-Agent."""
    request = urllib.request.Request(url, headers={'User-Agent': USER_AGENT})
    with urllib.request.urlopen(request) as response:
        return response.read().decode('utf-8', errors='replace')


def harvest(domain_name, url_template, found):
    """Walk the result pages and collect every <user>@<domain> address."""
    # re.escape keeps the dots in the domain from matching any character
    pattern = re.compile(r'([\w.\-]+@' + re.escape(domain_name) + r')')
    page_counter = 0
    while page_counter < MAX_START:
        text = strip_tags(fetch(url_template % (domain_name, page_counter)))
        found.update(pattern.findall(text))
        page_counter += 10


if len(sys.argv) != 2:
    print("\nExtracts emails from google results.\n")
    print("\nUsage : ./goog-mail.py <domain-name>\n")
    sys.exit(1)

domain_name = sys.argv[1]
found = set()

try:
    harvest(domain_name, GROUPS_URL, found)
except OSError:  # URLError and HTTPError are both OSError subclasses
    print("Can't connect to Google Groups!")

print("\n\n+++++++++++++++++++++++++++++++++++++++++++++++++++++")
print("+ Google Web & Group Results:")
print("+++++++++++++++++++++++++++++++++++++++++++++++++++++\n\n")

try:
    harvest(domain_name, WEB_URL, found)
except OSError:
    print("Can't connect to Google Web!")

for email in sorted(found):
    print(email)
```

Source

Test!

anci-ste@alice.it fcrovace@alice.it antorake@alice.it lauradilu@alice.it salvo_brusca67@alice.it pagescaos_calmo@alice.it claudio.maccherani@alice.it pagesaicelombarda@alice.it monicagasbarri@alice.it S.Camillo-Forlaninilportalone@alice.it materli1@alice.it lsantini@alice.it pincopallino@alice.it gratours@alice.it aicelombarda@alice.it Castrofilippofilippafarruggio@alice.it pagesfcrovace@alice.it luci.ba@alice.it

Can someone make it work better? It catches at most 10-20 e-mails and then stops. Please send it to me or post it!
23. Ever felt let down by someone who made you a promise, and then broke it? That's what millions of Android users must be feeling right now when it comes to Google and Android. Last September, Google announced that mobile devices running the new version of Android (5.0, also known as Lollipop) would have full-disk encryption enabled by default. Here is how Google announced the news to the media in a statement: And each and every one of us who cares about security and privacy said, "This is a good thing. Well done Google." The news of the "encryption-by-default" was reaffirmed in a blog post from Google's Android team in October last year: It all sounds good, right? Wrong. Because we were a little hasty in breaking open the champagne last year, as Ars Technica has discovered that Google has quietly gone back on its promise and not all new Lollipop devices are going to have encryption by default. It turns out that while Google's own Nexus 6 and Nexus 9 devices do indeed have encryption enabled by default, other older devices upgraded to Lollipop are not so lucky. Furthermore, brand new third-party Android devices (such as the second-generation Moto E and Galaxy S6 demonstrated at Mobile World Congress in Barcelona) are also not encrypted by default. The discrepancy between what Google said last year and what is now being seen on third-party Android Lollipop devices is explained by the OEM guidelines that manufacturers must follow to have their Lollipop devices approved by Google: In other words, the manufacturer still has a choice whether they currently enable full-disk encryption or not. And performance issues may mean that some third-party Lollipop devices will not yet have encryption by default. Ultimately there was a battle between security and performance. The full-disk encryption may have had too much of a hit on some devices, and so Google, fearing resistance from both customers and manufacturers, made the requirement optional. For now at least.
So, if you want your Android to be fully encrypted you will still have to enable the option for yourself. Let's hope not too many people have been lulled into a false sense of security by Google's statements of last year. -> Source: Google does a U-turn over Android Lollipop full disk encryption | HOTforSecurity
24. Google yesterday announced that it would expand its browser security efforts with a new warning in Chrome about unwanted software to caution users about accessing sites that are known to encourage unsafe downloads. The Mountain View, Calif., search and browsing giant has invested serious resources into its safe browsing features over the past several years. The company revamped its malware and bad SSL certificate warnings last year following a pair of studies seeking to determine how browser-based warnings could effectively stop users from clicking through to potentially dangerous content. To this point, a user would trigger Google's unwanted software warning in Chrome just as he attempted to download sketchy content. Now the warnings kick in as the user attempts to browse directly to a site, or in Google search results leading to the site. "If you're a site owner, we recommend that you register your site with Google Webmaster Tools," wrote Google software engineer Lucas Ballard. "This will help you stay informed when we find something on your site that leads people to download unwanted software, and will provide you with helpful tips to resolve such issues." Early last year, Google ruffled some feathers by announcing it would block malicious file downloads by default in its Chrome browser. While some expressed concern about Google acting as a gatekeeper for acceptable content, the company ultimately went forward with the move. Yesterday's announcement takes Google's year-old decision one step further, allowing the company to encourage users not to visit certain sites as opposed to encouraging them not to download certain files. Later in 2014, the company expanded its definition of unwanted software to include programs that purport to be something they are not or make unwanted changes to the user's browser. Source
  25. Google is opting to make its annual Pwnium competition a year-round global opportunity with an endless bounty of reward money. In previous years, Pwnium was held once a year during a security conference, and security researchers would need to have a bug chain in March, pre-register for the event and be present at the competition's location, Google wrote on its blog. Now, researchers can submit bugs throughout the year through the Chrome Vulnerability Reward Program. “By allowing security researchers to submit bugs all year-round, collisions are significantly less likely and security researchers aren't duplicating their efforts on the same bugs,” Google wrote. The top available reward is $50,000, but the company's lawyers also noted in the post that, “this is an experimental and discretionary rewards program and Google may cancel or modify the program at any time.” Source