12月20日安全热点 - Alteryx数据泄露/Wordpress插件后门

 

资讯类

Alteryx遭数据泄露，1.23亿家庭共35亿信息已经不再安全

http://www.zdnet.com/article/alteryx-s3-leak-leaves-120m-american-households-exposed/

 

安装量超过30万的Wordpress插件恐存在后门

https://www.theregister.co.uk/2017/12/20/backdoor_wordpress_captcha/

 

联网打印机存在风险，1000多台Lexmark打印机存在漏洞

http://securityaffairs.co/wordpress/66909/iot/1000-lexmark-printers-vulnerable.html

 

Chrome内置广告拦截功能将在2018年生效

https://www.bleepingcomputer.com/news/google/chromes-built-in-ad-blocker-will-start-blocking-ads-on-february-15-2018/

 

腾讯发现Tensorflow中的漏洞，可被利用攻击人工智能

https://winbuzzer.com/2017/12/18/tencent-warns-google-tensorflow-users-vulnerability-ai-platform-xcxwbn/

 

技术类

移动云计算下的网络攻击检测

https://arxiv.org/pdf/1712.05914.pdf

 

通过33C3 CTF学习浏览器利用

https://bruce30262.github.io/2017/12/15/Learning-browser-exploitation-via-33C3-CTF-feuerfuchs-challenge/

 

安卓Fingerprint API的使用

http://www.s3.eurecom.fr/~yanick/publications/2018_ndss_fingerprint.pdf

 

CVE-2017-5717：Intel Content Protection HECI Service Type Confusion EoP

https://bugs.chromium.org/p/project-zero/issues/detail?id=1358

 

机器学习速查文档

https://ml-cheatsheet.readthedocs.io/en/latest/index.html

 

memMITM：内存检查中的SSL中间人攻击PoC

https://github.com/caseysmithrc/memMITM

 

利用Python打造人工智能相机

https://www.makeartwithpython.com/blog/poor-mans-deep-learning-camera/

 

Merlin工具介绍：命令与控制工具

https://medium.com/@Ne0nd0g/introducing-merlin-645da3c635a

 

Internetexplorer.Application和命令与控制

https://adapt-and-attack.com/2017/12/19/internetexplorer-application-for-c2/

 

写一个自己的游戏引擎（C++）

http://preshing.com/20171218/how-to-write-your-own-cpp-game-engine/

 

揭秘密码黑市——你所不知道的地下交易

https://krebsonsecurity.com/2017/12/the-market-for-stolen-account-credentials/

 

Splashdata发布第七年度密码报告，最常用的100个密码，看看有没有你的

https://motherboard.vice.com/en_us/article/paqd4m/too-many-people-are-still-using-password-as-a-password

https://13639-presscdn-0-80-pagely.netdna-ssl.com/wp-content/uploads/2017/12/Top-100-Worst-Passwords-of-2017a.pdf

 

Kryptoslogic：Wannacry年度回顾

https://blog.kryptoslogic.com/malware/2017/12/20/end-of-year.html?1

 

Yeeight LED灯可能在监视你 Part 1

https://medium.com/@slinafirinne/yeelight-the-bluetooth-led-bedside-lamp-from-xiaomi-that-spies-on-you-part-one-a651207c70bd

 

CVE-2017-17405 NET::FTP 文件名命令注入

https://hackerone.com/reports/294462

 

Trend Micro Smart Protection Server出现多个漏洞

https://www.coresecurity.com/advisories/trend-micro-smart-protection-server-multiple-vulnerabilities

 

针对近期出现的针对数据库服务的攻击分析报告

https://www.guardicore.com/2017/12/beware-the-hex-men/

 

让生成ROP链就像喝水一样容易

https://github.com/orppra/ropa

 

Apache Groovy反序列化漏洞回顾

https://www.zerodayinitiative.com/blog/2017/12/19/apache-groovy-deserialization-a-cunning-exploit-chain-to-bypass-a-patch

 

Linkedin未读通知的滥用

https://randomadversary.com/2017/12/19/Access-to-Linkedin-unread-notifications-count-without-username-and-password/

 

EV证书安全与价值探讨

https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/

 

从*.BAT到银行钓鱼页面

https://www.trustwave.com/Resources/SpiderLabs-Blog/Sneaky–BAT-File-Leads-to-Spoofed-Banking-Page/

 

朝鲜与比特币攻击活动的藕断丝连

https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new

 

Dragonfly行动分析表明它可能和更早的攻击活动有联系

https://securingtomorrow.mcafee.com/mcafee-labs/operation-dragonfly-analysis-suggests-links-to-earlier-attacks/