SecWiki周刊（第68期)

SecWiki周刊（第68期）

2015/06/15-2015/06/21

安全资讯

[视频] Deep Web纪录片
http://www.solidot.org/story?sid=44514

[移动安全] Game-over HTTPS defects in dozens of Android apps expose user passwords
http://arstechnica.com/security/2015/06/game-over-https-defects-in-dozens-of-android-apps-expose-user-passwords/

[取证分析] Encrypting Windows Hard Drives
https://www.schneier.com/blog/archives/2015/06/encrypting_wind.html

[Web安全] LastPass Hacked, Change Your Master Password Now
http://lifehacker.com/lastpass-hacked-time-to-change-your-master-password-1711463571

[恶意分析] Watering holes exploiting JSONP hijacking to track users in China
https://www.alienvault.com/open-threat-exchange/blog/watering-holes-exploiting-jsonp-hijacking-to-track-users-in-china

[恶意分析] 2015年第25周安全周报
http://blog.topsec.com.cn/ad_lab/2015%e5%b9%b4%e7%ac%ac25%e5%91%a8%e5%ae%89%e5%85%a8%e5%91%a8%e6%8a%a5/

[运维安全] 不同规模企业下的安全管理
http://www.ayazero.com/?p=38

[运维安全] 安全建设需求：生态级公司vs平台级公司
http://www.ayazero.com/?p=42

安全技术

[Web安全] 使用sqlmapapi.py批量化扫描实践
http://drops.wooyun.org/tips/6653

[数据挖掘] WePay机器学习反欺诈实践：Python+scikit-learn+随机森林
http://www.csdn.net/article/2015-05-18/2824689

[Web安全] Understanding and Monitoring Embedded Web Scripts
http://blog.ourren.com/2015/06/18/understanding-and-monitoring-embedded-web-scripts/

[Web安全] 海莲花深度分析报告（35P）
http://www.nsfocus.com.cn/content/details_141_1949.html

[漏洞分析] 远程安全漏洞扫描
http://pan.baidu.com/s/1o65jmRK

[移动安全] XARA Attack Demos
https://sites.google.com/site/xaraflaws/home

[Web安全] 分享一个jsonp劫持造成的新浪某社区CSRF蠕虫
https://www.leavesongs.com/HTML/sina-jsonp-hijacking-csrf-worm.html

[Web安全] 渗透JDM.LA
http://mp.weixin.qq.com/s?__biz=MjM5MDkwNjA2Nw==&mid=207127230&idx=4&sn=31cf9f24128063aceb22b29386a1414f&key=af154fdc40fed00344bc7138106964ec89f110774db68ac2c5471d4ed41c57cd6921677a45e312dc708a1bd532128d6f&ascene=0&uin=NjY5NjY5MDgw

[Web安全] undetected-meterpreter-stagers:Custom stagers with python encrypting proxy
https://github.com/DiabloHorn/undetected-meterpreter-stagers

[运维安全] 聊一聊chkrookit的误信和误用
http://xteam.baidu.com/?p=237

[杂志] 《安全参考》HACKCTO-201506-30
http://pan.baidu.com/s/1kT6AZpP

[漏洞分析] Analysis of CVE-2015-2360 – Duqu 2.0 Zero Day Vulnerability
http://blog.trendmicro.com/trendlabs-security-intelligence/analysis-of-cve-2015-2360-duqu-2-0-zero-day-vulnerability/

[Web安全] JSONP挖掘与高级利用
http://drops.wooyun.org/papers/6630

[Web安全] Shodan Developer API document
https://developer.shodan.io/

[取证分析] VolDiff: Malware Memory Footprint Analysis based on Volatility
https://github.com/aim4r/VolDiff

[漏洞分析] Dude, where’s my heap
http://googleprojectzero.blogspot.com/2015/06/dude-wheres-my-heap.html

[漏洞分析] Understanding type confusion vulnerabilities: CVE-2015-0336
http://blogs.technet.com/b/mmpc/archive/2015/06/18/understanding-type-confusion-vulnerabilities-cve-2015-0336.aspx

[编程技术] How to Create A Simple Chat System in PHP
http://taha-sh.com/blog/how-to-create-a-simple-chat-system-in-php

[设备安全] How to Unlock a Door: 11 Steps (with Pictures)
http://www.wikihow.com/Unlock-a-Door

[移动安全] Femtocell安全漏洞分析
http://jaq.alibaba.com/blog.htm?spm=0.0.0.0.3zwaJ3&id=73

[Web安全] 利用PDO::FETCH_FUNC特性留后门
http://www.secoff.net/archives/436.html

[编程技术] the-art-of-command-line
https://github.com/jlevy/the-art-of-command-line

[Web安全] 利用JSONP进行水坑攻击
http://drops.wooyun.org/papers/6612

[数据挖掘] 基于大数据分析的安全管理平台技术研究及应用
http://www.valleytalk.org/2015/06/14/%e3%80%90%e6%8a%a5%e5%91%8a%e3%80%91%e5%9f%ba%e4%ba%8e%e5%a4%a7%e6%95%b0%e6%8d%ae%e5%88%86%e6%9e%90%e7%9a%84%e5%ae%89%e5%85%a8%e7%ae%a1%e7%90%86%e5%b9%b3%e5%8f%b0%e6%8a%80%e6%9c%af%e7%a0%94%e7%a9%b6/

[Web安全] 2015 360初赛 writeup
http://blog.sycsec.com/?p=716

-----微信ID：SecWiki-----
SecWiki，12年来一直专注安全技术资讯分析！
SecWiki：https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第68期)