SecWiki周刊(第154期)
2017/02/06-2017/02/12
安全资讯
日本车联网信息安全发展现状与分析
http://mp.weixin.qq.com/s?__biz=MzA5MzE5MDAzOA==&mid=2664108338&idx=1&sn=aeb39e4c32d9b1181e68f40574a21012&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MzA5MzE5MDAzOA==&mid=2664108338&idx=1&sn=aeb39e4c32d9b1181e68f40574a21012&scene=0#wechat_redirect
CISSP 知识体系权重和常见问题
http://mp.weixin.qq.com/s/i-9p2KD15yXCxhfB8E6T0A
http://mp.weixin.qq.com/s/i-9p2KD15yXCxhfB8E6T0A
76款流行iOS应用易受中间人攻击,1800万用户受影响
http://www.4hou.com/info/3291.html
http://www.4hou.com/info/3291.html
冰点调查 | 揭秘微信里的暴力色流,日流水400万
http://mp.weixin.qq.com/s/0i6VlEJjAXcYAsLrMF0JJA
http://mp.weixin.qq.com/s/0i6VlEJjAXcYAsLrMF0JJA
Tony Lee:从微软安全专家到京东安全的勇士之路
https://mp.weixin.qq.com/s?__biz=MzIzMTAzNzUxMQ==&mid=2652877778&idx=1&sn=ac823e022888aaeced5fa1f42472e6bf&chksm=f3415cfac436d5ecde6e7d1e9c578453ac8f5db9b1f2da86898933ee26727f93700d90fb6c54&scene=0
https://mp.weixin.qq.com/s?__biz=MzIzMTAzNzUxMQ==&mid=2652877778&idx=1&sn=ac823e022888aaeced5fa1f42472e6bf&chksm=f3415cfac436d5ecde6e7d1e9c578453ac8f5db9b1f2da86898933ee26727f93700d90fb6c54&scene=0
美国电视公司Vizio搜集用户数据,知道你看的每一部剧
http://www.4hou.com/info/3278.html
http://www.4hou.com/info/3278.html
一个隐秘却又疯狂的地下市场诞生:支付牌照买卖
http://m.cebnet.com.cn/20170210/102363588.html?from=timeline
http://m.cebnet.com.cn/20170210/102363588.html?from=timeline
以流量分析为基因的安全公司——科来
http://mp.weixin.qq.com/s?__biz=MjM5Njc3NjM4MA==&mid=2651070423&idx=1&sn=c1dd8802cbc6d572452c8c9c059cb5cc&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MjM5Njc3NjM4MA==&mid=2651070423&idx=1&sn=c1dd8802cbc6d572452c8c9c059cb5cc&scene=0#wechat_redirect
专访:黑客段子手“呆子不开口”
http://www.leiphone.com/news/201701/BUCpAjTHrX8PK5Ej.html
http://www.leiphone.com/news/201701/BUCpAjTHrX8PK5Ej.html
A Hacker Just Pwned Over 150,000 Printers Left Exposed Online
https://www.bleepingcomputer.com/news/security/a-hacker-just-pwned-over-150-000-printers-left-exposed-online/
https://www.bleepingcomputer.com/news/security/a-hacker-just-pwned-over-150-000-printers-left-exposed-online/
从创新沙盒看"效率"将成为评估安全产品的首要标准
http://mp.weixin.qq.com/s?__biz=MzAwNjA3MzEwNg==&mid=2651329418&idx=1&sn=3dbcba973a9d7339aa7d5368c8d3a6f2&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MzAwNjA3MzEwNg==&mid=2651329418&idx=1&sn=3dbcba973a9d7339aa7d5368c8d3a6f2&scene=0#wechat_redirect
RSA创新沙盒优胜者11年融资并购回顾
http://www.aqniu.com/industry/22800.html
http://www.aqniu.com/industry/22800.html
安全技术
Unpatched (0day) jQuery Mobile XSS
http://sirdarckcat.blogspot.jp/2017/02/unpatched-0day-jquery-mobile-xss.html
http://sirdarckcat.blogspot.jp/2017/02/unpatched-0day-jquery-mobile-xss.html
基于机器学习的web异常检测
http://www.4hou.com/info/news/3293.html
http://www.4hou.com/info/news/3293.html
直播攻击学校网站,厉害了我的哥
http://www.4hou.com/info/attitude/3300.html
http://www.4hou.com/info/attitude/3300.html
自然语言处理导论-课程网页
http://ccl.pku.edu.cn/alcourse/nlp/
http://ccl.pku.edu.cn/alcourse/nlp/
环境搭建:Docker给你不一样的渗透体验
http://mp.weixin.qq.com/s/Sv9l--OK7ADihDG9kUsarA
http://mp.weixin.qq.com/s/Sv9l--OK7ADihDG9kUsarA
Attack and Defend: Linux Privilege Escalation Techniques of 2016
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
攻击JavaScript引擎:一个JavaScriptCore的学习案例(CVE-2016-4622 (2016-10-27))
http://www.mottoin.com/95838.html
http://www.mottoin.com/95838.html
MS14-068域权限提升漏洞总结
http://www.mottoin.com/95877.html
http://www.mottoin.com/95877.html
Bot Traffic Report 2016
https://www.incapsula.com/blog/bot-traffic-report-2016.html
https://www.incapsula.com/blog/bot-traffic-report-2016.html
如何在Android上发送加密邮件?推荐这四大神器
http://www.4hou.com/info/news/3318.html
http://www.4hou.com/info/news/3318.html
逆向修改手机内核,绕过反调试
http://mp.weixin.qq.com/s/c6maBlFu0DLK9qDooMm8fA
http://mp.weixin.qq.com/s/c6maBlFu0DLK9qDooMm8fA
fWaf – Machine learning driven Web Application Firewall
http://fsecurify.com/fwaf-machine-learning-driven-web-application-firewall/?from=timeline
http://fsecurify.com/fwaf-machine-learning-driven-web-application-firewall/?from=timeline
Learn&Fuzz: Machine Learning for Input Fuzzing
https://arxiv.org/pdf/1701.07232.pdf
https://arxiv.org/pdf/1701.07232.pdf
APT黑客利用.chm文件攻击俄罗斯重要机构
http://mp.weixin.qq.com/s/gjIEgqqQq_5czufuuiqM-Q
http://mp.weixin.qq.com/s/gjIEgqqQq_5czufuuiqM-Q
web-proxy: 基于 Tornado 实现的 Web 站点反向代理
https://github.com/restran/web-proxy
https://github.com/restran/web-proxy
Windows恶意软件API调用特征分析
http://www.4hou.com/technology/3267.html
http://www.4hou.com/technology/3267.html
Python爬虫——DNS解析缓存
http://blog.csdn.net/bone_ace/article/details/55000101
http://blog.csdn.net/bone_ace/article/details/55000101
阿里巴巴Java开发手册(正式版)
http://techforum-img.cn-hangzhou.oss-pub.aliyun-inc.com/%E9%98%BF%E9%87%8C%E5%B7%B4%E5%B7%B4Java%E5%BC%80%E5%8F%91%E6%89%8B%E5%86%
http://techforum-img.cn-hangzhou.oss-pub.aliyun-inc.com/%E9%98%BF%E9%87%8C%E5%B7%B4%E5%B7%B4Java%E5%BC%80%E5%8F%91%E6%89%8B%E5%86%
Analyzing BotNets with Suricata & Machine Learning
http://blogs.splunk.com/2017/01/30/analyzing-botnets-with-suricata-machine-learning/
http://blogs.splunk.com/2017/01/30/analyzing-botnets-with-suricata-machine-learning/
DbDat: Db Database Assessment Tool 数据库审计工具
https://github.com/foospidy/DbDat
https://github.com/foospidy/DbDat
Android免Root环境下Hook框架Legend原理分析
https://zhuanlan.zhihu.com/p/25200724
https://zhuanlan.zhihu.com/p/25200724
From RTF to Cobalt Strike passing via Flash
https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flash/
https://zairon.wordpress.com/2017/02/05/from-rtf-to-cobalt-strike-passing-via-flash/
渗透测试阿里巴巴的思路与收获
https://zhuanlan.zhihu.com/p/25100915
https://zhuanlan.zhihu.com/p/25100915
python-icap-yara: An ICAP Server with yara scanner for URL or content.
https://github.com/RamadhanAmizudin/python-icap-yara
https://github.com/RamadhanAmizudin/python-icap-yara
RSA USA 2017 PPT 抢先下
https://pan.baidu.com/s/1eSh13kY#list/path=%2F
https://pan.baidu.com/s/1eSh13kY#list/path=%2F
Threat Hunting with Splunk
http://mp.weixin.qq.com/s?__biz=MzI4NzU2NjU4NQ==&mid=2247483960&idx=1&sn=31ec650a5aaeb9be46ab7a11b10ddcd4&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MzI4NzU2NjU4NQ==&mid=2247483960&idx=1&sn=31ec650a5aaeb9be46ab7a11b10ddcd4&scene=0#wechat_redirect
基于WAVSEP的靶场搭建指南
http://www.freebuf.com/sectool/125940.html
http://www.freebuf.com/sectool/125940.html
GrepBugs: A regex based source code scanner 基于正则的源码审计工具
https://github.com/foospidy/GrepBugs
https://github.com/foospidy/GrepBugs
互联网企业安全高级指南读书笔记之二
http://www.mottoin.com/95828.html
http://www.mottoin.com/95828.html
BurpSuite和Fiddler串联使用解决App测试漏包和速度慢的问题
http://www.mottoin.com/95865.html
http://www.mottoin.com/95865.html
How to Exploit XSS with an Image
http://resources.infosecinstitute.com/exploit-xss-image/
http://resources.infosecinstitute.com/exploit-xss-image/
基于R语言的文本-向量算法实现Twitter文章的情感分析
http://analyzecore.com/2017/02/08/twitter-sentiment-analysis-doc2vec/
http://analyzecore.com/2017/02/08/twitter-sentiment-analysis-doc2vec/
IDA Pro使用(静态分析+动态调试)
http://skysider.com/?p=458
http://skysider.com/?p=458
Sci-Hub: 英文文献下载利器
http://sci-hub.cc/
http://sci-hub.cc/
Predicting Domain Generation Algorithms using LSTMs DGA恶意域名自动发现
https://github.com/endgameinc/dga_predict
https://github.com/endgameinc/dga_predict
安全应急响应的一些经验总结
http://www.4hou.com/special/2572.html
http://www.4hou.com/special/2572.html
使用ZoomEye批量快速攻击目标
http://www.92ez.com/?action=show&id=23436
http://www.92ez.com/?action=show&id=23436
PowerShell安全专题之攻击工具篇
http://www.4hou.com/technology/3134.html
http://www.4hou.com/technology/3134.html
有了漏洞扫描器,如何用好?一点不成熟的小总结
http://www.freebuf.com/articles/neopoints/126205.html
http://www.freebuf.com/articles/neopoints/126205.html
2017SANS网络威胁情报峰会
http://mp.weixin.qq.com/s?__biz=MzA3MTUwMzI5Nw==&mid=2654431137&idx=1&sn=41a139286d511ba474a694b7f4ae4006&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MzA3MTUwMzI5Nw==&mid=2654431137&idx=1&sn=41a139286d511ba474a694b7f4ae4006&scene=0#wechat_redirect
当EFBFBD和它的朋友相遇:研究字符数组转换字符串
http://www.mottoin.com/95897.html
http://www.mottoin.com/95897.html
利用 scapy 造一个 Passive DNS Collector 工具:Pdns_sniff
http://www.mottoin.com/95822.html
http://www.mottoin.com/95822.html
SecWiki周刊(第153期)
https://www.sec-wiki.com/weekly/153
https://www.sec-wiki.com/weekly/153
Harbor中的用户密码加密机制探究
http://phantom0301.cc/2017/02/08/harborpass/
http://phantom0301.cc/2017/02/08/harborpass/
Car Hacking: The definitive source
http://illmatics.com/carhacking.html
http://illmatics.com/carhacking.html
SOP bypass / UXSS on IE11 htmlFile
http://www.brokenbrowser.com/uxss-ie-htmlfile/
http://www.brokenbrowser.com/uxss-ie-htmlfile/
MySQL Out-of-Band Hacking
chrome-extension://ikhdkkncnoglghljlkmcimlnlhkeamad/pdf-viewer/web/viewer.html?file=https%3A%2F%2Fwww.exploit-db.com%2Fdocs%2F41273.pdf
chrome-extension://ikhdkkncnoglghljlkmcimlnlhkeamad/pdf-viewer/web/viewer.html?file=https%3A%2F%2Fwww.exploit-db.com%2Fdocs%2F41273.pdf
2016年中国网站安全漏洞分析报告 #密码: 2viy
https://pan.baidu.com/s/1cH1gGA
https://pan.baidu.com/s/1cH1gGA
CRYPTKEEPER 发现通用密码事件分析报告
http://www.antiy.com/response/cryptkeeper/cryptkeeper.pdf
http://www.antiy.com/response/cryptkeeper/cryptkeeper.pdf
利用 Node.js 反序列化来进行远程命令执行
http://www.mottoin.com/95916.html
http://www.mottoin.com/95916.html
构建风控系统之排坑扫雷(二)
http://www.4hou.com/info/industry/3251.html
http://www.4hou.com/info/industry/3251.html
PowerShell安全专题之 PS5 安全增强功能
http://www.4hou.com/technology/3144.html
http://www.4hou.com/technology/3144.html
全解Google(谷歌)基础设施架构安全设计
http://www.freebuf.com/special/126159.html
http://www.freebuf.com/special/126159.html
The technology and implementation of PHP automated white box audit
http://www.aijiaonang.com/function/100439.html
http://www.aijiaonang.com/function/100439.html
WordPress REST API 内容注入
http://139.129.31.35/index.php/archives/444/
http://139.129.31.35/index.php/archives/444/
The Week in Ransomware - CryptoShield, Spora, and Exploit Kits
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-3rd-2017-cryptoshield-spora-and-exploit-kits/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-3rd-2017-cryptoshield-spora-and-exploit-kits/
Fileless attacks against enterprise networks
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
如何用区块链技术提升网络安全?
http://www.4hou.com/info/observation/3277.html
http://www.4hou.com/info/observation/3277.html
9-Feb-2017: Symbolic execution 符号执行
https://yurichev.com/blog/symbolic/#XOR swap
https://yurichev.com/blog/symbolic/#XOR swap
10 Most Common Web Security Vulnerabilities
http://www.thesecurityblogger.com/10-most-common-web-security-vulnerabilities/
http://www.thesecurityblogger.com/10-most-common-web-security-vulnerabilities/
利用 Node.js 反序列化远程执行代码
http://paper.seebug.org/213/
http://paper.seebug.org/213/
匿名者自述是如何黑掉一万多个暗网网站的?
http://www.4hou.com/info/3259.html
http://www.4hou.com/info/3259.html
Web path scanner
https://github.com/maurosoria/dirsearch
https://github.com/maurosoria/dirsearch
浅入浅出 Android 安全
http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458281912&idx=1&sn=f7f30e1a7f2d24d97d2acecbd5cb2497&scene=0#wechat_redirect
http://mp.weixin.qq.com/s?__biz=MjM5NTc2MDYxMw==&mid=2458281912&idx=1&sn=f7f30e1a7f2d24d97d2acecbd5cb2497&scene=0#wechat_redirect
Network reconnaissance and vulnerability assessment tools.
https://github.com/RoliSoft/ReconScan
https://github.com/RoliSoft/ReconScan
Web, Database and OS scripting cmd line reference
https://ss64.com/
https://ss64.com/
Alternative for Information_Schema.Tablesin MySQL
https://www.exploit-db.com/docs/41274.pdf
https://www.exploit-db.com/docs/41274.pdf
浅谈区块链(下):应用展望
http://www.arkteam.net/?p=1538
http://www.arkteam.net/?p=1538
-----微信ID:SecWiki-----
SecWiki,13年来一直专注安全技术资讯分析!
SecWiki:https://www.sec-wiki.com本期原文地址: SecWiki周刊(第154期)
