Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability
A vulnerability in the web-based authentication functionality of Cisco Elastic Services Controller software could allow an unauthenticated, remote attacker to bypass authentication and perform arbitrary actions with administrative privileges on an affected system.
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc
Serious security vulnerability in the uTorrent client
https://threatpost.com/utorrent-users-warned-of-remote-code-execution-vulnerability/130030/
Russian Sofacy APT group shifts its attack focus from NATO member states to the Middle East
http://securityaffairs.co/wordpress/69365/apt/sofacy-apt-east.html
The overlooked North Korean hacking group: APT37
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
Hackers can hijack more than 52,000 baby monitor video feeds
New ransomware based on a horror movie: Annabelle
https://www.bleepingcomputer.com/news/security/the-annabelle-ransomware-is-a-horrific-mess/
Technical
Multiple vulnerabilities in Trend Micro Email Encryption Gateway
OWASP Automated Threat Handbook for Web Applications
https://www.owasp.org/images/3/33/Automated-threat-handbook.pdf
Disappearing bytes: reverse engineering the MS Office RTF parser
https://securelist.com/disappearing-bytes/84017/
When baby monitors are no longer smart
Hacking Tinder accounts using Facebook accounts
https://medium.com/@appsecure/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1
A discussion of password security
https://blog.cloudflare.com/how-developers-got-password-security-so-wrong/
Some tricks for attacking LNMP-stack web applications
https://www.leavesongs.com/PENETRATION/some-tricks-of-attacking-lnmp-web-application.html
XXE zero-day vulnerability hidden in HP PPM
https://rhinosecuritylabs.com/application-security/xxe-zeroday-vulnerability-in-hp-project/
Userland API monitoring and code injection detection
https://0x00sec.org/t/userland-api-monitoring-and-code-injection-detection/5565
Validating leaked passwords with k-anonymity
https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/
Code audit of QCMS 3.0
Phishing on Twitter
https://github.com/omergunal/PoT
IDA double-click RCE
CSS keylogging using a Chrome extension and an Express server
https://github.com/maxchehab/CSS-Keylogging