SecWiki Weekly (Issue 47)
2015/01/19-2015/01/25
Security News
[Video]  White-hat hackers roast "Blackhat": a truly awful hacker movie
http://www.aqniu.com/news/6399.html
[Other]  Official releases of the popular games League of Legends and Path of Exile found implanted with a trojan backdoor
http://www.freebuf.com/news/57062.html
[Web Security]  Weakest, common passwords of 2014 revealed
http://www.welivesecurity.com/2015/01/21/weakest-common-passwords-2014-revealed/
[Operations Security]  1800 Minecraft logins leak online
http://www.welivesecurity.com/2015/01/20/1800-minecraft-logins-leak-online/
[Malware Analysis]  Unpatched Vulnerability (0day) in Flash Player is being exploited
http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
[Mobile Security]  Some of my views on mobile phone security
http://www.weibo.com/p/1001603796524613155744
[Other]  Launch event for the second-generation firewall standard to be held in Beijing soon
http://www.nsfocus.com.cn/news/201501/902.html
[Other]  UK and US expand their cyberspace security cooperation agreement
http://www.aqniu.com/news/6383.html
[Web Security]  Summary of the Leifeng Salon ASRC Shanghai white-hat meetup
http://www.weibo.com/p/1001603801026883881684
Security Technology
[Tools]  Introduction to Gitrob, a tool for collecting sensitive information on GitHub
http://www.91ri.org/11928.html
[Web Security]  Google account hijacking via exploitation of XSS flaw | Security Affairs
http://securityaffairs.co/wordpress/32615/hacking/google-account-hijacking-via-xss.html
[Vulnerability Analysis]  An in-depth look at the MS14-068 vulnerability: a backdoor carefully planned by Microsoft?
http://www.freebuf.com/vuls/56081.html
[Malware Analysis]  Analysis of CTB-Locker, the "Bitcoin extortionist" virus, appearing in China for the first time
http://www.freebuf.com/vuls/57033.html
[Mobile Security]  Tongfudun open-sources its first-generation security hardening scheme (whole-dex-file encryption)
https://github.com/SharkTeam
[Operations Security]  A fileless, highly compatible reverse-connect backdoor in a single command
http://zone.wooyun.org/content/18244
[Programming]  Understanding Yii 2.0 in depth
http://www.digpage.com/index.html
[Web Security]  Directory traversal vulnerabilities in Python and Django (arbitrary file read)
http://www.lijiejie.com/python-django-directory-traversal/
[Wireless Security]  Pocket Hacking: a practical guide to NetHunter
http://drops.wooyun.org/tips/4634
[Operations Security]  Duel of experts: the story of a hacked blog server
http://yafeilee.me/blogs/54be6e876c69341430050000
[Malware Analysis]  Analysis and Detection of Heap-based Malwares Using Introspection in a Virtualiz
http://scholarworks.uno.edu/cgi/viewcontent.cgi?article=2947&context=td
[Other]  A new penetration testing system-Parrot Security OS-☜-ACHE-²º¹³
http://r1-r1.com/post/402411_5745698
[Operations Security]  Automated website deployment using GitHub / GitLab Webhooks
http://www.lovelucy.info/auto-deploy-website-by-webhooks-of-github-and-gitlab.html
[Malware Analysis]  ProcDOT: a new way of visual malware analysis
http://www.procdot.com/
[Vulnerability Analysis]  Mathy Vanhoef: Reversing and Exploiting ARM Binaries: rwthCTF Trafman
http://www.mathyvanhoef.com/2013/12/reversing-and-exploiting-arm-binaries.html
[Vulnerability Analysis]  Rsync path spoofing attack vulnerability (CVE-2014-9512)
http://xteam.baidu.com/?p=169
[Tools]  Making a Teensy from a cheap Arduino clone board
http://lcx.cc/?i=4482
[Vulnerability Analysis]  PEDA - Python Exploit Development Assistance for GDB
https://github.com/longld/peda
[Vulnerability Analysis]  Ghost In The Shellcode 2015 CTF Write-up
http://labs.jumpsec.com/2015/01/19/ghost-shellcode-2015-ctf-write-cloudfs-challenge/
[Operations Security]  How to find NTP amplification attack vulnerabilities
http://drops.wooyun.org/tips/4715
[Web Security]  Writing a tool that checks whether webshells are still alive, and some thoughts on it
https://sobug.com/article/detail/5
[Malware Analysis]  PDF deconstructed with an aroma of shellcode (III)
http://www.securityartwork.es/2014/10/21/pdf-deconstruido-al-aroma-de-shellcode-iii/
[Device Security]  A global census report on real-time monitoring devices at gas stations
http://plcscan.org/blog/2015/01/tank-gauges-vulnerability-global-census-report/
[Vulnerability Analysis]  Analysis of the Windows storage device stack
http://blog.jowto.com/?p=97
[Web Security]  Metasploit penetration techniques: post-exploitation Meterpreter proxy
http://www.freebuf.com/tools/56432.html
[Data Mining]  Meituan recommendation algorithms in practice
http://tech.meituan.com/mt-recommend-practice.html
[Vulnerability Analysis]  Exploiting NVMAP to escape the Chrome sandbox - CVE-2014-5332
http://googleprojectzero.blogspot.it/2015/01/exploiting-nvmap-to-escape-chrome.html
[Wireless Security]  Another approach to GSM hacking: RTL-SDR
http://drops.wooyun.org/papers/4716
[Web Security]  Fighting bots: building a WAF (application-layer firewall) that combines front end and back end
http://www.freebuf.com/articles/web/57172.html
[Data Mining]  Chatbots and automatic question-answering technology
http://blog.csdn.net/heiyeshuwu/article/details/42965693
[Programming]  Taobao internal talk: MySQL & MariaDB performance optimization
http://www.tuicool.com/articles/Uz2aqeM
[Programming]  PEP 8 - Style Guide for Python Code
https://www.python.org/dev/peps/pep-0008/
[Forensics]  Memory-analysis-based rootkit detection methods on Linux
http://drops.wooyun.org/tips/4731
[Malware Analysis]  Malware analysis with ... Gephi?
http://www.405labs.com/blog/2015/1/21/malware-analysis-with-gephi
[Forensics]  CapTipper - Malicious HTTP traffic explorer tool
http://www.omriher.com/2015/01/captipper-malicious-http-traffic.html
[Malware Analysis]  Dynamic Malware Analysis with REMnux v5 – Part 1
http://countuponsecurity.com/2015/01/13/dynamic-malware-analysis-with-remnux-v5-part-1/
[Programming]  Examine Shellcode in a Debugger through Control of the Instructio
http://digital-forensics.sans.org/blog/2014/12/30/taking-control-of-the-instruction-pointer#.VLAphMvYpfU.twitter
[Web Security]  Exploiting Un-validated HTML Form Elements
https://www.youtube.com/watch?v=CNRlg8BiJOw
[Operations Security]  Dubbo reference documentation (Chinese)
http://alibaba.github.io/dubbo-doc-static/User+Guide-zh.htm
[Programming]  Using Assembly Language in Linux--(1)
http://blog.chinaunix.net/uid-25909722-id-2881267.html
[Other]  Articles on the security design of Apple phone products
http://www.patentlyapple.com/patently-apple/patents-security/
[Programming]  Introductory resources for libpcap programming
http://blog.csdn.net/cnbird2008/article/details/42883969
[Magazine]  WooYun Monthly, Issue 9
http://pan.baidu.com/s/1ntwXTTR
[Vulnerability Analysis]  Unpatched Vulnerability (0day) in Flash Player is being exploited by Angler EK
http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-flash.html
[Mobile Security]  Security testing Android apps with a debugger
http://www.freebuf.com/articles/terminal/57027.html
[Programming]  Python Tips and Traps
https://www.airpair.com/python/posts/python-tips-and-traps
[Web Security]  SQL Injections in MySQL LIMIT clause
https://rateip.com/blog/sql-injections-in-mysql-limit-clause/
[Malware Analysis]  Glorious Leader's Not-That-Glorious Malwares
https://www.codeandsec.com/Glorious-Leaders-Not-That-Glorious-Malwares-Part-2
[Malware Analysis]  Using Kernel Rootkits to Conceal Infected MBR | MalwareTech
http://www.malwaretech.com/2015/01/using-kernel-rootkits-to-conceal.html
[Programming]  Shellcode in linux, Create your shellcode from asm
https://www.youtube.com/watch?v=mvatIExT-IA
[Programming]  A toolkit to help you write shellcode
https://media.blackhat.com/us-13/Arsenal/us-13-Fratantonio-ShellNoob-Slides.pdf
[Web Security]  ghost-in-the-shellcode-2015 write-ups
https://github.com/ctfs/write-ups-2015/tree/master/ghost-in-the-shellcode-2015
[Vulnerability Analysis]  Rambling on the nature of security vulnerabilities: a vulnerability "skewer platter", part 2
http://www.weibo.com/p/1001643801038518942277
[Web Security]  Looking back at three months of afl-fuzz
http://lcamtuf.blogspot.com/2015/01/looking-back-at-three-months-of-afl-fuzz.html
[Programming]  Linux Assembly
http://asm.sourceforge.net/
[Web Security]  XRay: Transparency for the Web
http://xray.cs.columbia.edu/
[Operations Security]  A comprehensive collection of system administrator resources compiled by programmers abroad
http://blog.jobbole.com/83212/
[Vulnerability Analysis]  Backdoor in a Public RSA Key
http://kukuruku.co/hub/infosec/backdoor-in-a-public-rsa-key
[Operations Security]  SSHGuard: Defend from brute force attacks
http://www.sshguard.net/
[Vulnerability Analysis]  PDF deconstructed with an aroma of shellcode (I)
http://www.securityartwork.es/2014/09/30/pdf-deconstruido-al-aroma-de-shellcode-i/
[Programming]  Shellcode on linux, Create your shellcode from asm 2
https://www.youtube.com/watch?v=k3ZSeYq0txE
[Web Security]  Awesome Penetration Testing
https://github.com/enaqx/awesome-pentest#online-resources
[Programming]  Using Assembly Language in Linux
http://asm.sourceforge.net/articles/linasm.html
[Other]  Chinese Spies Stole Australia’s New F-35 Lightning-II fighter Jet Design
http://thehackernews.com/2015/01/F-35-Lightning-II-fighter-Jet-Design.html
[Programming]  Using Assembly Language in Linux--(2)
http://blog.chinaunix.net/uid-25909722-id-2890374.html
[Malware Analysis]  PDF deconstructed with an aroma of shellcode (II)
http://www.securityartwork.es/2014/10/08/pdf-deconstruido-al-aroma-de-shellcode-ii/
[Programming]  Powershell and Windows RAW SOCKET
http://drops.wooyun.org/tips/4707
[Operations Security]  iftop: display bandwidth usage on an interface
http://www.ex-parrot.com/pdw/iftop/
[Web Security]  zxcvbn: realistic password strength estimation
https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
[Programming]  Sina Weibo platform architecture at the scale of hundreds of millions of users
http://blog.jobbole.com/83459/
[Vulnerability Analysis]  linux symbolic link attack tutorial
http://xteam.baidu.com/?p=175
-----WeChat ID: SecWiki-----
SecWiki: focused on security technology news and analysis for 12 years!
SecWiki: https://www.sec-wiki.com