腾讯玄武实验室安全动态推送(Tencent Xuanwu Lab Security Daily News)

腾讯玄武实验室安全动态推送

Tencent Xuanwu Lab Security Daily News

2016/05/25

Nicolas Krassas @Dinosn

[ Android ] Google to kill passwords on Android, replace 'em with 'trust scores' http://www.theregister.co.uk/2016/05/24/google_smartphone_password_replacement_trust_scores/

" Google 计划用 '可信评分' 机制替换 Android 系统当前的传统密码策略： https://t.co/qlKxEFii5u"
Nicolas Krassas @Dinosn

[ Android ] How to: Testing Android Application Security, Part 1 https://blogs.mcafee.com/mcafee-labs/testing-android-application-security-part-1/

" Android APP 安全性测试 Part 1，来自 McAfee Blog： https://t.co/bxi0OIGn42"
Unit 42 @Unit42_Intel

[ Attack ] #Unit42 discovers new #Wekby attack using DNS requests as C2 mechanism http://bit.ly/1TUGTQN #cybersecurity

" APT 组织 Wekby 利用 DNS 作为 C&C 信道攻击美国的一些机构： https://t.co/Glq9sT6Cst "
J Wolfgang Goerlich @jwgoerlich

[ Crypto ] How to Use the REST API to Encrypt S3 Objects by Using AWS KMS http://blogs.aws.amazon.com/security/post/Tx1XVNEO1G6VT04/How-to-Use-the-REST-API-to-Encrypt-S3-Objects-by-Using-AWS-KMS

" 用 AWS KMS REST API 加密 S3 对象， AWS KMS 指亚马逊云密钥管理服务： https://t.co/tt3lYPyCOZ "
Denis Kolegov @dnkolegov

[ Defend ] Waf.js: How to Protect Web Applications using JavaScript @ ru_raz0r and my slides from our talk at @ phdays: http://www.slideshare.net/DenisKolegov/wafjs-how-to-protect-web-applications-using-javascript

"Waf.js - 用 JavaScript 写的 DOM 级防火墙 : https://t.co/b1Lh6ycJVO"
Nicolas Krassas @Dinosn

[ Detect ] Identifying VM Checking and Detecting in Malware http://www.morphick.com/blog/2014/12/3/vm-checking-and-detecting

" 识别恶意软件对虚拟机的检查行为，来自 Morphick 2014 年的一篇 Blog： https://t.co/LpszrSTRoB "
Casey Smith @subTee

[ Detect ] .NET GUIDs to help hunt for malware https://www.virusbulletin.com/virusbulletin/2015/06/using-net-guids-help-hunt-malware used to determine whether multiple malware samples are from the same VS Project

" 凭借 .NET GUIDs 检测恶意软件，来自 VirusBulletin Blog： https://t.co/qCVwbMIDFI"
Sebas Guerrero ⚡ @0xroot

[ Fuzzing ] mutation-based general purpose fuzzer, written in JavaScript https://github.com/attekett/Surku

" Surku - 基于变异的 Fuzzer，JavaScript 语言编写： https://t.co/jjRF1SYYcG"
Ronald Prins @cryptoron

[ Hardware ] FBI: Wireless Keystroke Logger Disguised as USB Device Charger Targets Wireless Keyboards http://www.americanbar.org/content/dam/aba/administrative/cyberalert/keysweeper.authcheckdam.pdf https://t.co/DYvpOSRptw

" 伪装成 USB 充电器的无线键盘击键记录器： https://t.co/MTNh1UTYOO https://t.co/DYvpOSRptw"
Diogo Mónica ✪ @diogomonica

[ Hardware ] One gate to rule them all. Fabrication-time hardware attack gets best paper award at IEEE S&P (PDF) http://ieee-security.org/TC/SP2016/papers/0824a018.pdf

" IEEE 安全与隐私研讨会最佳论文《生产过程中的硬件攻击》，讲述黑客如何向硬件植入一段模拟电路，通过特殊序列触发干扰芯片的功能： https://t.co/wLqrXPLmen"
Anwar Mohamed @anwarelmakrahy

[ Hardware ] The Secret Life of SIM Cards http://fb.me/7QfXEWESh

"SIM Hacks - 关于 SIM 卡的一些笔记： https://t.co/IIR4Faw9ol"
Dominic White @singe

[ iOS ] This is what a user sees when my captive portal prompts to install a malicious root CA https://www.sensepost.com/blog/2016/too-easy-adding-root-cas-to-ios-devices/ https://t.co/SA9zyrQp2M

" 通过一个诱惑性的弹框引导用户安装 iOS 根 CA 证书，来自 SensePost Blog： https://t.co/6on1htDPsu https://t.co/SA9zyrQp2M"
Binni Shah @binitamshah

[ IoTDevice ] Hacking the Kinect (Guide to Reverse Engineering USB protocols) : https://learn.adafruit.com/hacking-the-kinect/overview

" Hacking 微软 Kinect（USB 协议逆向），来自 AdaFruit︰ https://t.co/EJhInjqczc"
Jóseph Mlodzìanowskì @cedoxX

[ Linux ] Netdata - Real-Time Performance Monitoring -- http://www.kitploit.com/2016/05/netdata-real-time-performance-monitoring.html

"Netdata - Linux 操作系统性能实时监控工具，有着一个酷炫的展示界面： https://t.co/U6vq65s8a8"
Binni Shah @binitamshah

[ Network ] Tor - Building the Next Generation of Onion Services : https://blog.torproject.org/blog/mission-montreal-building-next-generation-onion-services

" 构建下一代洋葱服务，来自 Tor 官方 Blog ︰ https://t.co/2gNN2w2HMg"
Nicolas Krassas @Dinosn

[ Network ] Invisible Hijacking: a case study of hijacking millions of IP address invisibly with BGP - RIPE72 presentation https://ripe72.ripe.net/presentations/45-Invisible_Hijacking.pdf

"看不见的劫持 - 数百万 IP 劫持案例研究： https://t.co/4XpJCpduw4 "
Binni Shah @binitamshah

[ Network ] A Forensic Case Study on AS Hijacking : The Attacker’s Perspective : http://www.sigcomm.org/sites/default/files/ccr/papers/2013/April/2479957-2479959.pdf (pdf)

" 从攻击者的角度来分析一个 BGP AS（自治系统）劫持案例，来自 2013 年的一篇 Paper︰ https://t.co/CCkzdQldcD "
Dennis Yurichev @yurichev

[ Obfuscation ] Breaking simple executable cryptor http://yurichev.com/blog/breaking_simple_exec_crypto/

" 对抗简单的可执行文件加密壳： https://t.co/oD18UkyYBP"
John Lambert @JohnLaTwC

[ Others ] Patterns and anti-patterns in password hygiene by #AzureAD @ RobynHicock from analyzing millions of leaked passwords http://research.microsoft.com/pubs/265143/Microsoft_Password_Guidance.pdf

" 通过对已公开泄漏的密码的分析，微软发了一份《密码管理指南》： https://t.co/k23B53zJwm "
Binni Shah @binitamshah

[ Others ] Pastejacking : Using JavaScript to override your clipboard contents and trick you into running malicious commands : https://github.com/dxa4481/Pastejacking

"Pastejacking - 剪贴板劫持攻击，使用 JavaScript 改写剪贴板中的内容，诱骗你运行恶意指令︰ https://t.co/zXF7YQU9R8"
Chris @xorrior

[ Pentest ] New blog post in the EmPyre series from @ Killswitch_GUI and I that covers persistence with EmPyre. https://www.xorrior.com/the-return-of-the-empyre/

" The Return Of the EmPyre： https://t.co/0d0ipyy2YC"
Larry W. Cashdollar @_larry0

[ Popular Software ] Publishing more of my slide decks http://www.slideshare.net/LarryCashdollar/mining-ruby-gem-vulnerabilities-for-fun-and-no-profit

"挖掘 Ruby Gem 的漏洞， Gem 是 Ruby 的包管理工具，相当于 apt-get： https://t.co/cEFCye2yWa"
Frederic Jacobs @FredericJacobs

[ Popular Software ] Dropbox developed their own .kext to run in your OS X kernel. But end-to-end crypto is too hard? ¯\_(ツ)_/¯ https://blogs.dropbox.com/tech/2016/05/going-deeper-with-project-infinite/

"Dropbox 新公开了一个技术项目，名叫 Project Infinite： https://t.co/ZzB4wR1m7J"
b33f @FuzzySec

[ Popular Software ] PayPal remote code execution using Java deserialization ? - http://artsploit.blogspot.co.uk/2016/01/paypal-rce.html

" PayPal Java 反序列化漏洞 RCE： https://t.co/eCMNgcTuGy"
Mogwai Security @mogwaisec

[ Popular Software ] Mogwai Security Advisory MSA-2016-01: PowerFolder Remote Code Execution Vulnerability http://lab.mogwaisecurity.de/advisories/MSA-2016-01/

"PowerFolder 服务器 10.4.321 远程代码执行漏洞，来自 Mogwai 漏洞公告： https://t.co/rXG3XHOjJi"
Nicolas Krassas @Dinosn

[ Tools ] How to Build a PCI-DSS Dashboard with ELK and Wazuh http://logz.io/blog/how-to-build-a-pci-dss-dashboard-with-elk-and-wazuh/

" 如何用 ELK 和 Wazuh 搭建一个 PCI-DSS（支付卡行业安全标准） Dashboard： https://t.co/AF4KYbyogq "
Jóseph Mlodzìanowskì @cedoxX

[ Tools ] CJExploiter - Drag and Drop ClickJacking Exploit Development Assistance Tool -- http://www.kitploit.com/2016/05/cjexploiter-drag-and-drop-clickjacking.html

"CJExploiter - 拖拽和点击劫持漏洞利用辅助工具： https://t.co/LhxHdOgVA2"
Jóseph Mlodzìanowskì @cedoxX

[ Tools ] Clair - Vulnerability Static Analysis for Containers -- http://www.kitploit.com/2016/05/clair-vulnerability-static-analysis-for.html

" 之前推送过 Clair 这个工具，这是个用于发现 APPC 和 Docker 容器漏洞的静态分析工具： https://t.co/z1zucG9Gqf"
Enno Rey @Enno_Insinuator

[ Windows ] New ERNW Newsletter: "Security Assessment of Microsoft DirectAccess" https://www.ernw.de/download/newsletter/ERNW_Newsletter_53_MS_DA_Security_Assessment_Signed.pdf [PDF] #IPv6 https://t.co/0zdln5ihkg

" 微软 DirectAccess 安全评估报告，凭借 DirectAccess，外网用户可以不依赖 VPN 直接访问企业内网资源，来自 ERNW： https://t.co/aM25R6qdfU https://t.co/0zdln5ihkg"
Jóseph Mlodzìanowskì @cedoxX

[ WirelessSecurity ] WiFi-Pumpkin v0.7.5 - Framework for Rogue Wi-Fi Access Point Attack -- http://www.kitploit.com/2016/05/wifi-pumpkin-v075-framework-for-rogue.html

"WiFi-Pumpkin - 无线 Wi-Fi 接入点攻击框架更新 0.7.5 版本： https://t.co/C8QMu6l1bb FreeBuf 关于该工具的文章： http://www.freebuf.com/sectool/104233.html "

2016/05/25