資安新聞及事件週報 2018/09/24 ~ 2018/09/28



資安新聞及事件週報  2018/09/24  ~  2018/09/28

1.重大弱點漏洞

IBM DB2 多個漏洞
https://www-01.ibm.com/support/docview.wss?uid=ibm10731657

Office噩夢公式遠程代碼執行漏洞
https://blog.csdn.net/qq_39850969/article/details/82806675

Trend Micro Deep Discovery Inspector Reflected Cross-site Scripting 反射式跨網站指令
https://github.com/nixwizard/CVE-2018-15365

FragmentSmack DoS 漏洞影響80多款思科產品
https://www.easyaq.com/news/1589039024.shtml

思科:逾80款路由器、交換器產品受Linux DoS漏洞影響
https://www.ithome.com.tw/news/126120

macOS Mojave正式版問世,馬上傳出有隱私漏洞
https://www.ithome.com.tw/news/126062

Red Hat 內核多個漏洞
https://www.auscert.org.au/bulletins/68846

Red Hat JBoss 多個漏洞
https://securitytracker.com/id/1041707

Apache HTTPD 阻斷服務漏洞
https://httpd.apache.org/security/vulnerabilities_24.html#CVE-2018-11763

New CVE-2018-8373 Exploit Spotted in the Wild
https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted-in-the-wild/

New CVE-2018-8373 Exploit Spotted in the Wild
https://bit.ly/2xQa0CR

Tenda AC9和AC10操作系統命令注入漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16334

整數溢位漏洞Mutagen Astronomy正潛藏多種Linux版本
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5025

WiFi新漏洞可致數據洩露影響所有路由器
http://net.zol.com.cn/698/6987439.html

谷歌公開披露尚未修補的微軟Jet 數據庫引擎RCE 漏洞
https://www.oschina.net/news/100211/google-discloses-microsoft-jet-rce

知道還不補!研究人員踢爆WD低階NAS有身分驗證繞過漏洞,但WD知情一年遲遲未修
https://www.ithome.com.tw/news/125993

推測式執行的旁路攻擊漏洞 L1 Terminal Fault
https://bit.ly/2Nwn2jF

留神4GEE WiFi Mini數據機driver資料夾,恐用以接管Windows
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5024

Flaw in 4GEE WiFi Modem Could Leave Your Computer Vulnerable
https://bit.ly/2znD9HL

Wi-Fi加密協議漏洞(WPA2)
https://bit.ly/2O8rwfI

WiFi新漏洞可致數據泄露 影響所有路由器
https://hk.saowen.com/a/8ffc9edd78d418a9f14210ac437d7f23714c59d2ef1a64c43777bb6fbb972cd6

Cisco 已發布安全更新以解決 Webex Network Recording Player 遠端執行程式碼弱點
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180919-webex

Cisco IOS XE Software Static Credential漏洞(CVE-2018-0150)
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180328-xesc

Researcher Discloses New Zero-Day Affecting All Versions of Windows
https://thehackernews.com/2018/09/windows-zero-day-vulnerability.html?m=1

ASUS GT-AC5300拒絕服務漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17127

資安業者踢爆微軟JET Database Engine含有遠端程式攻擊的零時差漏洞
https://www.ithome.com.tw/news/126068

趁虛而入! 2001年CodRed 開啟漏洞攻擊元年-盤點歷年漏洞攻擊
https://blog.trendmicro.com.tw/?p=57025

New Linux Kernel Bug Affects Red Hat, CentOS, and Debian Distributions
https://bit.ly/2OUPici

Google Chrome 安全漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6055

IBM Sterling B2B Integrator 漏洞
https://www-01.ibm.com/support/docview.wss?uid=ibm10731379

New CVE-2018-8373 Exploit Spotted
https://blog.trendmicro.com/trendlabs-security-intelligence/new-cve-2018-8373-exploit-spotted/

Vulnerability Spotlight: Epee Levin Packet Deserialization Code Execution Vulnerability
https://blog.talosintelligence.com/2018/09/epee-levin-vuln.html

Holes found in Mojave’s privacy protection
https://blog.malwarebytes.com/security-world/privacy-security-world/2018/09/holes-found-in-mojaves-privacy-protection/

Buggy implementation of CVE-2018-8373 vulnerability used to deliver Quasar RAT
https://blog.malwarebytes.com/threat-analysis/2018/09/buggy-implementation-of-cve-2018-8373-used-to-deliver-quasar-rat/

Simple Authentication and Security Layer (SASL) vulnerabilities
https://blog.malwarebytes.com/cybercrime/2018/09/simple-authentication-and-security-layer-sasl-vulnerabilities/

ex-NSA Hacker Discloses macOS Mojave 10.14 Zero-Day Vulnerability
https://bit.ly/2NH58uF

TP-Link EAP Controller に安全でないデシリアライゼーションの問題
https://jvn.jp/vu/JVNVU96340370/

Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)
https://www.exploit-db.com/exploits/45479/


2.銀行/金融/保險/證券/電子支付/行動支付/支付系統/虛擬貨幣/區塊鍊 新聞及資安

門羅幣的錢包軟體暗藏可「燒毀」業者貨幣的重大漏洞
https://www.ithome.com.tw/news/126111

Monero 開發人員已修復“燃燒”加密貨幣的漏洞
http://www.bitcoin86.com/szb/29132.html

區塊鏈革命 打造信任機器
https://money.udn.com/money/story/5648/3385177

RAM漏洞利用引煩惱EOS尋求解決方案
https://bcsec.org/index/detail/tag/2/id/293

漏洞再藏交易所,黑客盯上行情區
http://www.bcpress.com/2018/09/25/66927/

前華爾街分析師:持有但不交易比特幣,會損害其作為電子支付的系統生態
https://bit.ly/2N3r8uu

瑞波支付平台 百家銀行採用
https://money.udn.com/money/story/5599/3387187

以太坊智慧合約 廣受企業歡迎
https://money.udn.com/money/story/5599/3387185

比特幣軟體爆 DoS 漏洞,僅 8 萬美元就能讓整條鏈崩潰
https://www.inside.com.tw/2018/09/20/a-major-bug-in-bitcoin-software-could-have-crashed-the-currency

Bitcoin Core Software Patches a Critical DDoS Attack Vulnerability
https://bit.ly/2QVSupF

開發人員修補可破壞比特幣生態體系的Bitcoin Core漏洞
https://www.ithome.com.tw/news/126006

比特幣發現最新致命漏洞開發人員將其全部細節保密
https://www.tuoniaox.com/56416.html

符合實名交易!全家代收比特幣服務 照常進行
https://www.chinatimes.com/realtimenews/20180922002816-260410

超商買比特幣,10月起也列管
https://bit.ly/2xN4uB8

向政府釋善意 幣託、Maicoin等15家交易所簽下自律準則
https://www.chinatimes.com/realtimenews/20180921003836-260410

比特幣驚現拒絕服務漏洞,Bitcoin Core開發者已發布緊急修復客戶端
https://bit.ly/2I8l5DW

上海資安中心制定區塊鏈安全標準
https://bit.ly/2QRCtBc

黑客正在利用軟件漏洞增發加密貨幣(比特幣、門羅幣)
http://www.jingyubc.com/articles/1872310815676170735

拉攏年輕人用台灣Pay 彰銀行動網銀推高回饋「柴寶幣」
https://n.yam.com/Article/20180921872821

LINE一卡通完全攻略技巧:帳號申請、自動加值、綁定教學
https://mrmad.com.tw/linepay-ipass

行動支付補貼大戰! LINEPay、街口發紅包搶客
http://e6705003.pixnet.net/blog/post/48553281

趙揚清介紹本土行動支付
https://bit.ly/2OcijTX

電支龍頭戰 LINE一卡通挑戰街口
http://ec.ltn.com.tw/article/breakingnews/2560179

LINE Pay一卡通個資全都露 官方:姓名改採遮罩處理
https://www.nownews.com/news/20180921/2976833/

電子支付雙雄爭霸戰 決勝要素在三大關鍵
https://bit.ly/2MWioq4

金管會︰街口無中資持股
http://ec.ltn.com.tw/article/paper/1234442

行動支付補貼大戰! LINEPay、街口發紅包搶客
https://news.tvbs.com.tw/life/997716

WeChat Pay中港雙向支付下月開通
http://hd.stheadline.com/news/realtime/hk/1327054/

悠遊卡可買運彩 台彩卻卡關財政部
https://newtalk.tw/news/view/2018-09-24/143534

中鈔信用卡董事長:目前已暫停信用卡業務,開始佈局區塊鏈數位業務
https://bit.ly/2xBZjoh

美國政府支付網站存漏洞 1400萬用戶信息遭泄露
https://bit.ly/2MUfguN

政府支付平台Click2Gov被駭信用卡資料
https://bit.ly/2QQPKtz

2年期以上保單 14天內可撤約…三天審閱期將解套
https://udn.com/news/story/7239/3383787

虛擬銀行推動金融科技革新!市民未來在家開戶
http://hk.on.cc/hk/bkn/cnt/finance/20180923/bkn-20180923181004392-0923_00842_001.html

國銀大清「洗」 OBU關掉5萬戶
http://ec.ltn.com.tw/article/paper/1234670

個人信用免費凍結 防範盜卡賊
https://money.udn.com/money/story/5599/3381794

信用卡要求「照片調大」! 老爸大頭照變滿版...刷臉不怕盜刷
https://www.ettoday.net/dalemon/post/38613

中國人民銀行舉辦2018國家網路安全宣傳周金融網路安全論壇
https://news.sina.com.tw/article/20180925/28289648.html

2019秋招啟幕金融科技崗搶戲 20家銀行總行招賢納士
https://news.sina.com.tw/article/20180921/28261604.html

電子支付機構業務定型化契約應記載事項修正 控管風險與使用者約定儲值限額
https://bit.ly/2IkgPl3

歐買尬旗下歐付寶定位大轉彎 將協助銀行打造自有品牌電子支付系統
https://news.cnyes.com/news/id/4208786

從支付網路看 美國移動支付的低滲透率
https://iview.sina.com.tw/post/17199740

川普轟伊朗腐敗 「北韓模式」施壓  歐盟擬另設支付系統維持貿易關係
https://bit.ly/2NH9SAA

歐盟稱將建立與伊結算金融機制 規避美制裁
http://www.hkcna.hk/content/2018/0925/710352.shtml

傳外銀不讓立委開戶 顧立雄:不得因身份拒絕
https://money.udn.com/money/story/5641/3386700

歐買尬旗下歐付寶 電子支付定位大轉彎
https://bit.ly/2NJqKqp

Akamai報告:近兩個月全球金融服務業有超過83億次的惡意登入嘗試
https://www.ettoday.net/news/20180926/1267041.htm

外媒:迅雷與新大陸戰略合作探索網絡安全和電子支付領域
https://www.ithome.com/0/385/361.htm

兩男子利用刷卡器漏洞盜竊76萬
http://www.bj148.org/zixun/zxbb/201809/t20180925_1446137.html

ATM小額跨行轉帳提款 金管會擬減免手續費
https://bit.ly/2NFhxzf

中信銀行積極開展2018年國家網路安全周活動
https://iview.sina.com.tw/post/17218702

情侶業務員高峰會上演武打行 遭開除?保險圈議論過重
https://www.ettoday.net/news/20180927/1267598.htm

純網銀24小時服務明年上路 資安是關鍵
https://news.tvbs.com.tw/life/999999

3.資安事件新聞

A.病毒木馬 / 殭屍網路 / 勒索軟體

NSS Labs控告多家防毒業者壟斷
https://www.ithome.com.tw/news/126041

惡意採掘程式今年大增 459%
https://bit.ly/2xssLwX

新惡意軟體即服務Black Rose Lucy現身,中國可能是下一個攻擊目標
https://www.ithome.com.tw/news/126049

經營惡意版VirusTotal服務Scan4You的駭客被判處14年刑期
https://www.ithome.com.tw/news/126046

「警察強迫裝間諜軟體,該怎麼辦?」中國民眾發問求助 全球網友力挺幫他想辦法
https://www.limitlessiq.com/news/post/view/id/6798/

惡意挖礦程式猖獗!降維安全實驗室又有新發現
https://bit.ly/2xGQrh8

新Njrat木馬(Bladabindi)的新功能源碼分析
http://www.freebuf.com/articles/terminal/184930.html

ESET 發現第一個 UEFI rootkit 惡意程式 LoJax,感染後連重灌系統也沒轍
https://bit.ly/2Q9yU8a

QRecorder 通話錄音程式暗藏木馬 盜取金融憑證轉走銀行存款
https://bit.ly/2DCNLXa

自我傳播的Emotet銀行木馬捲土重來
https://news.softpedia.com/news/self-propagating-emotet-banking-trojan-making-a-comeback-522862.shtml

新的Virobot惡意軟體可以用作勒索軟體、鍵盤側錄程式和殭屍網路
https://www.zdnet.com/article/new-virobot-ransomware-will-also-log-keystrokes-add-pc-to-a-spam-botnet/

新型殭屍勒索病毒 Virobot ,透過 Outlook濫發夾毒垃圾信
https://blog.trendmicro.com.tw/?p=57436

虛擬貨幣挖礦病毒針對 Windows 和 Linux 的Kodi多媒體串流使用者
https://blog.trendmicro.com.tw/?p=57367

Urpage 與 Bahamut、Confucius 及 Patchwork 等駭客集團的關聯性
https://blog.trendmicro.com.tw/?p=57158

Operator of VirusTotal Like Malware-Scanning Service Jailed for 14 Years
https://thehackernews.com/2018/09/scan4you-malware-scanner.html?m=1

New Malware Combines Ransomware, Coin Mining and Botnet Features in One
https://bit.ly/2xER2PJ

Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail
https://bit.ly/2DnRMP5

Scotland's Arran Brewery Slammed by Dharma Bip Ransomware
https://www.bankinfosecurity.com/scotlands-arran-brewery-slammed-by-dharma-bip-ransomware-a-11537

HOW RYUK RANSOMWARE TARGETS AV SOLUTIONS, NOT JUST YOUR FILES
https://www.aurigasec.com/blog/how-ryuk-ransomware-targets-av-solutions-not-just-your-files

Viro Botnet Ransomware Breaks Through
https://blog.trendmicro.com/trendlabs-security-intelligence/virobot-ransomware-with-botnet-capability-breaks-through/

VPNFilter III: More Tools for the Swiss Army Knife of Malware
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html

VPNFilter Router Malware Adds 7 New Network Exploitation Modules
https://bit.ly/2NL745u

FBI wants to keep “helpful” Mirai botnet authors around
https://nakedsecurity.sophos.com/2018/09/20/fbi-wants-to-keep-helpful-mirai-botnet-authors-around/

Cybersecurity Researchers Spotted First-Ever UEFI Rootkit in the Wild
https://bit.ly/2DBsCNf

LoJax: First UEFI rootkit found in the wild, courtesy of the Sednit group
https://www.welivesecurity.com/2018/09/27/lojax-first-uefi-rootkit-found-wild-courtesy-sednit-group/

APT28 Uses LoJax, First UEFI Rootkit Seen in the Wild
https://www.bleepingcomputer.com/news/security/apt28-uses-lojax-first-uefi-rootkit-seen-in-the-wild/

ESET has discovered the first UEFI rootkit in the wild
https://www.techspot.com/news/76651-eset-has-discovered-first-uefi-rootkit-wild.html

Malware hits fashion giant SHEIN; 6.42 million online shoppers affected
https://nakedsecurity.sophos.com/2018/09/27/malware-hits-fashion-giant-shein-6-42-million-online-shoppers-affected/

B.行動安全 / iPhone / Android / App

Android 手機 9 成都中招!Linux 內核新漏洞曝光簡易「Root 機」
https://bit.ly/2PUwPgk

最新旗艦級《Android 9 Pie》手機無一倖免
https://lihkg.com/thread/831379/page/1

民間版台鐵訂票App出包 研發者送辦
https://udn.com/news/story/11322/3379232

宏達電這款手機 打開錢包要社交密碼
https://tw.finance.appledaily.com/realtime/20180924/1435110/

宏達電區塊鏈手機 2大安全性關鍵技術
https://bit.ly/2PZKqmm

手機這樣充電,1秒泄露你的銀行帳戶!現在看還不晚
http://ek21.com/news/1/85057/

趕緊檢查自己的應用程序!你是否下載過以下這些假冒銀行APP
https://www.huaglad.com/zh-tw/aunews/20180921/333324.html

Fed前副主席費雪警告︰ 中國若掌握5G 威脅更勝貿易戰
http://news.ltn.com.tw/news/focus/paper/1234638

政府新解密法或強迫手機安間諜軟件 通信公司擔心會損害網絡安全
http://www.epochtimes.com/b5/18/9/25/n10739320.htm

企業行動資安面臨多重威脅與挑戰
https://technews.tw/2018/09/26/corporate-action-security-faces-multiple-threats-and-challenges/

新版iOS 11再出安全漏洞, HomeKit輕鬆破解, 網友: 國內沒人用
https://t.cj.sina.com.cn/articles/view/6534032620/185756cec00100c60k

被孩子們發現漏洞!蘋果iOS 12屏幕限制時間可輕鬆繞過
https://www.ithome.com/html/iphone/385474.htm

Android通話錄音程式QRecorder暗藏木馬,專偷金融憑證盜轉銀行存款
https://www.ithome.com.tw/news/126136

iOS 12新漏洞:App顯示大小與實際不符 明顯偏大
https://hk.saowen.com/a/138d54da9d29d63d564459979cf7cde4a620b4f6d98ce88815eef42e9d90a330

香港地區 Google Play 商店應用程式保安風險報告 (2018年 9 月)
https://www.hkcert.org/my_url/zh/blog/18092801

香港地區 Google Play 商店應用程式保安風險報告 (2018年 8 月)
https://www.hkcert.org/my_url/zh/blog/18090301

Police forcing me to install Jingwang spyware app, how to minimize impact
https://security.stackexchange.com/questions/194353/police-forcing-me-to-install-jingwang-spyware-app-how-to-minimize-impact

iTunes is assigning you a ‘trust score’ based on emails and phone calls
https://nakedsecurity.sophos.com/2018/09/24/itunes-is-assigning-you-a-trust-score-based-on-emails-and-phone-calls/

iOS 12 is here: these are the security features you need to know about
https://nakedsecurity.sophos.com/2018/09/19/ios-12-is-here-these-are-the-security-features-you-need-to-know-about/

Years on, third party apps still exposing Grindr users’ locations
https://nakedsecurity.sophos.com/2018/09/19/years-on-third-party-apps-still-exposing-grindr-users-locations/

Mobile Menace Monday: SMS phishing attacks target the job market
https://blog.malwarebytes.com/cybercrime/2018/09/mobile-menace-monday-sms-phishing-attacks-target-the-job-market/

Pangu Hackers have Jailbroken iOS 12 on Apple's New iPhone XS
https://thehackernews.com/2018/09/ios12-iphone-jailbreak-exploit.html

Cryptojacking – coming to a server-laptop-phone near you (and how to stop it)
https://nakedsecurity.sophos.com/2018/09/27/cryptojacking-coming-to-a-server-laptop-phone-near-you-and-how-to-stop-it/

Phone spampocalypse: fighting back in the age of unwanted calls
https://blog.malwarebytes.com/101/2018/09/phone-spampocalypse-fighting-back-in-the-age-of-unwanted-calls/

C.事件 / 駭客 / DDOS / APT / 徵才 / 國際資安事件

防「假新聞」再影響選舉,臉書動員300人的「作戰室」如何運作
https://www.thenewslens.com/article/104651

美參議員私人電郵遭駭客攻擊 批參院不理
https://udn.com/news/story/6813/3380965

檢測開原始碼安全漏洞,Snyk獲2200萬美元B輪融資
https://read01.com/7DL2gJn.html

Mozilla 新服務 Firefox Monitor 正式上線 , 幫助以 email 排查網路帳號安全
https://www.kocpc.com.tw/archives/219597

網絡安全周圓滿落幕漏洞銀行踐行公眾網絡安全意識普及
http://tech.chinadaily.com.cn/2018-09/27/content_36990587.htm

資安借力學的崛起
https://www.ithome.com.tw/voice/126024

16歲蘋果少年駭客 遭處8個月緩刑
https://news.cnyes.com/news/id/4208971

沃爾瑪:菜農也得用共享加密系統
http://www.epochtimes.com/b5/18/9/26/n10741807.htm

處理資安事件的正確心態
https://www.informationsecurity.com.tw/article/article_detail.aspx?tv=71&aid=8670

[資安小錦囊] 如何防範「資安事件」於未然
https://www.informationsecurity.com.tw/article/article_detail.aspx?tv=71&aid=8666

資科辦推跨行業平台 協作抗黑客
https://news.mingpao.com/pns/%E5%89%B5%E7%A7%91%E7%B7%9A/web_tc/article/20180924/special/1537728572391

手機通訊「定位」外籍嫌 千支電眼查行蹤
https://bit.ly/2Nyd4OC

PTT的社交工程攻擊與資安危機
http://talk.ltn.com.tw/article/paper/1234615

香港政府牽頭「網絡安全資訊共享協作平台」啟動 暫有80間機構參與
https://bit.ly/2O9iz66

政府把關 《香港》全面提升資安防護
https://www.trademag.org.tw/content02.asp?id=733656&type=19&url=%2Findex%2Easp%3Fno%3D19

騰訊員工好奇檢查酒店WiFi漏洞 被新加坡安全局逮捕
http://www.hkcd.com/content/2018-09/25/content_1103680.html

臺灣公益漏洞通報平臺助企業推動獎勵計畫
https://www.ithome.com.tw/news/126022

新加坡提供漏洞賞金計劃,並成立東協網路安全中心
https://www.zdnet.com/article/singapore-to-offer-bug-bounty-set-up-asean-cybersecurity-centre/

英國政府通訊總部和英國國防部將用2.5億英鎊組建“聯合網路力量”
http://www.itpro.co.uk/cyber-warfare/31958/gchq-and-mod-to-form-250m-joint-cyber-force

英砸百億僱2千網軍 打擊俄駭客
https://tw.appledaily.com/international/daily/20180922/38132464/

廣東打黑客集團 刑拘160餘人
https://bit.ly/2zoE0HZ

加強防禦 《英國》擴大資安部署
https://www.trademag.org.tw/content02.asp?id=733226&type=19&url=%2Findex%2Easp%3Fno%3D19

當心中共天網籠罩台灣
http://www.peoplenews.tw/news/ad3e1978-332e-4013-95de-4f434d127278

美聯邦人事管理局遭駭 幕後黑手恐是中共
https://www.ydn.com.tw/News/306253

美2200萬份個資被駭 白宮高官:中國是幕後黑手
https://tw.appledaily.com/new/realtime/20180923/1434921/

美政府2200萬份個資被駭... 白宮顧問:中國發動的!
http://news.ltn.com.tw/news/world/breakingnews/2559507

美陸軍開始接收戰術數位媒體工具包
https://www.ydn.com.tw/News/306340

川普首頒「國家網路戰略」 這4國列敵對國
https://bit.ly/2pxDphF

川普政府:俄羅斯、中國、伊朗、北韓為網路四大對手
https://bit.ly/2zAXwBk

川普指控中國干預選舉 凸顯美國另啟戰線
https://www.nownews.com/news/20180928/2987291/

川普新戰略 授權多部門 主動反擊中共網攻
http://www.epochtimes.com/b5/18/9/23/n10735959.htm

對抗俄「中」網攻 美決主動出擊
https://bit.ly/2pANpqt

防堵中、俄網軍攻擊 美國國安顧問:將與台灣等盟友合作反制
https://bit.ly/2O1lzkV

環時:美國編排「中國間諜劇」產生新受害者
https://www.chinatimes.com/realtimenews/20180927001926-260409

歐盟要求網路平台需有迅速移除恐怖主義內容之機制
https://www.nccst.nat.gov.tw/NewsRSSDetail?lang=zh&RSSType=news&seq=16151

記取俄干預美歐大選教訓 拉脫維亞加強網路戒備
https://www.nownews.com/news/20180923/2980443/

美鞏固網絡領先地位 防駭客轉守為攻
http://www.ntdtv.com/xtr/b5/2018/09/22/a1392491.html

美中衝突!美官員首次公開指控 中國駭客入侵
https://news.ftv.com.tw/news/detail/2018923I01M1

大規模反制中國 美最快數週內行動
http://news.ltn.com.tw/news/world/paper/1234685

川普簽網路戰略 主動打擊駭客
http://beta.orientaldaily.com.my/s/260626

美鞏固網路領先地位 防中俄駭客轉守為攻
https://bit.ly/2Dlq4md

國安官員:台灣資安戰略應與美合作
http://news.ltn.com.tw/news/focus/paper/1233988

黑客來襲 中國「網軍」的目標是台灣大選
https://www.secretchina.com/news/b5/2018/09/21/871550.html

中國招聘網站 滲透台灣搶人才
http://news.ltn.com.tw/news/focus/paper/1234254

情蒐美國防科技人才個資 中國線民在美被捕
https://bit.ly/2xQZEmm

把機密資料帶回家又被俄羅斯駭客偷走的NSA前員工被判5.5年徒刑
https://www.ithome.com.tw/news/126114

攜回內部資料致機密外洩 美國安局前雇員遭判刑
https://udn.com/news/story/6809/3387540

2018網絡安全人才發展白皮書重磅發布
http://www.freebuf.com/articles/paper/185402.html

徵才 - S01:駐點資安助理工程師(新北市板橋區)#W12
https://www.104.com.tw/job/?jobno=6di28

徵才 - 資安規劃與專案管理師
https://www.104.com.tw/job/?jobno=6di0n

徵才 - 急徵!資安工程師(駐場地點:台北市)
https://www.104.com.tw/job/?jobno=5u8ui&jobsource=

Advanced DDoS Detection and Defense
https://www.bankinfosecurity.com/interviews/advanced-ddos-detection-defense-i-4124

The Link Between Volatility and Risk
https://www.bankinfosecurity.com/link-between-volatility-risk-a-11548

How to Spot and Stop Newer Email Threats
https://www.bankinfosecurity.com/how-to-spot-stop-newer-email-threats-a-11547

SIEM & Security Analytics: What's On the Horizon
https://www.bankinfosecurity.com/webinars/siem-security-analytics-whats-on-horizon-w-1730

Cybersecurity , DDoS , DDoS Attacks Defending Against Next-Generation DDoS Attacks
https://www.bankinfosecurity.com/defending-against-next-generation-ddos-attacks-a-11539

Cybercrime Markets Sell Access to Hacked Sites, Databases
https://www.bankinfosecurity.com/cybercrime-markets-sell-access-to-hacked-sites-databases-a-11536

Ex-NSA Developer Gets 5.5 Years in Prison for Taking Top Secret Documents Home
https://bit.ly/2DvTuhG

Incident Report Guessing: Chatbots, the BA Hack and Ticketmaster
https://bit.ly/2R0B6Qq

Domain flub leaves 30 million customers high and dry
https://nakedsecurity.sophos.com/2018/09/26/domain-flub-leaves-30-million-customers-high-and-dry/

Woman hijacked CCTV cameras days before Trump inauguration
https://nakedsecurity.sophos.com/2018/09/25/woman-hijacked-cctv-cameras-days-before-trump-inauguration/

Police accidentally tweet bookmarks that reveal surveilled groups
https://nakedsecurity.sophos.com/2018/09/24/police-accidentally-tweet-bookmarks-that-reveal-surveilled-groups/

All VestaCP installations being attacked
https://forum.vestacp.com/viewtopic.php?f=10&t=17641

16-Year-Old Boy Who Hacked Apple's Private Systems Gets No Jail Time
https://thehackernews.com/2018/09/apple-server-hack.html

Russia’s Elite Hackers Have a Clever New Trick That's Very Hard to Fix
https://www.wired.com/story/fancy-bear-hackers-uefi-rootkit/

Russian hackers are taking their cyber warfare to the next level
https://mashable.com/article/russia-fancy-bear-hackers-lojax-rootkit-malware/#vksU99GDtaqX

D.資料外洩/個資法/GDPR/網路詐騙/網路釣魚/盜刷

查一查你的航空公司哩程!小心別被駭走
https://udn.com/news/story/6809/3381355

FBI警告:釣魚騙局瞄準工資直接存款  
https://bit.ly/2Du9SPJ

修補漏洞加強監管 杜絕財務詐騙空間
http://paper.wenweipo.com/2018/09/22/WW1809220002.htm

外洩1.4億筆用戶資料的Equifax被英國判罰50萬英鎊
https://www.ithome.com.tw/news/126040

UK Regulator Fines Equifax £500,000 Over 2017 Data Breach
https://bit.ly/2DxPIEz

英媒揭TripAdvisor三分一評論疑偽造 「5星好評」索價390港元
https://bit.ly/2QSTTgI

買房遭電郵詐騙個案 美國2年內暴增11倍
https://udn.com/news/story/6813/3383485

twitter介面漏洞 恐洩百萬用戶私訊
http://paper.wenweipo.com/2018/09/23/GJ1809230002.htm

SHEIN-時尚購物網站遭駭,650萬用戶資料外洩
https://twcert.org.tw/subpages/securityInfo/hackevent_details.aspx?id=869

刑事局公布 9/17~9/23 詐騙高風險網站
https://blog.trendmicro.com.tw/?p=57462

火眼:《2018上半年電子郵件威脅報告》
https://www.aqniu.com/industry/39170.html

New FireEye Email Threat Report Underlines the Rise in Malware-less Email Attacks
https://www.fireeye.com/company/press-releases/2018/new-fireeye-email-threat-report-underlines-the-rise-in-malware-l.html

Twitter API Flaw Exposed Users Messages to Wrong Developers For Over a Year
https://bit.ly/2OOHmcy

網查病 小心醫療隱私曝光
https://bit.ly/2Iayc7C

立法保護裸奔年代個資安全
https://opinion.chinatimes.com/20180924001622-262102

優步個資外洩案以1.5億美元在美和解
http://www.chinatimes.com/realtimenews/20180927001051-260408

5700萬筆個資被竊 Uber願支付45億和解金
https://news.cts.com.tw/cts/international/201809/201809271938256.html

數位隱私保護主義抬頭 歐盟個資法來勢洶洶 GDPR法案風暴來襲 業者資安法遵嚴陣以待
https://www.netadmin.com.tw/article_content.aspx?sn=1809130005

交出金融帳戶陷阱多 台灣司法人權進步協會:千萬別隨便交給他人
https://bit.ly/2R2uCjZ

防詐利器「地籍異動即時通」 財產移轉立刻收警報
https://news.housefun.com.tw/news/article/204563208236.html

匯出鉅款才知道上當! BEC 商務電子郵件詐騙一再得逞的六個因素
https://blog.trendmicro.com.tw/?p=57183

Hackers Steal Customers' Credit Cards From Newegg Electronics Retailer
https://bit.ly/2QQFth4

Breach Investigations: The Detective's View
https://www.bankinfosecurity.com/breach-investigations-detectives-view-a-11550

Winning the Battle Against New Account Fraud
https://www.bankinfosecurity.com/winning-battle-against-new-account-fraud-a-11546

Why Was Equifax So Stupid About Passwords
https://www.bankinfosecurity.com/blogs/was-equifax-so-stupid-about-passwords-p-2666

Using Machine Data Analysis to Detect Fraud
https://www.bankinfosecurity.com/using-machine-data-analysis-to-detect-fraud-a-11538

When Will GDPR Show Its Teeth
https://www.bankinfosecurity.com/interviews/when-will-gdpr-show-its-teeth-i-4122

SHEIN-Fashion Shopping Site Suffers Data Breach Affecting 6.5 Million Users
https://bit.ly/2xDy6BC

Warning issued as Netflix subscribers hit by phishing attack
https://nakedsecurity.sophos.com/2018/09/21/warning-issued-as-netflix-subscribers-hit-by-phishing-attack/

Bankrupt NCIX customer data resold on Craigslist
https://nakedsecurity.sophos.com/2018/09/24/bankrupt-ncix-customer-data-resold-on-craigslist/

Here we Mongo again! Millions of records exposed by insecure database
https://nakedsecurity.sophos.com/2018/09/19/here-we-mongo-again-millions-of-records-exposed-by-insecure-database/

6 sure signs someone is phishing you—besides email
https://blog.malwarebytes.com/101/2018/09/6-sure-signs-someone-is-phishing-you-besides-email/

Uber to pay $148m to settle cyber-attack dispute
https://www.malextra.com/tech/uber-pay-148m-settle-cyber-attack-dispute-1165062.html

COI on SingHealth cyber attack: IHiS staff took six days to discover data had been stolen
http://www.singaporelawwatch.sg/Results/coi-on-singhealth-cyber-attack-ihis-staff-took-six-days-to-discover-data-had-been-stolen

E.研究報告

JavaMelody 组件 XXE 漏洞解析
https://paper.seebug.org/705/

Adobe Reader類型混淆導致代碼執行漏洞分析(CVE-2018-12794)
http://www.4hou.com/vulnerable/13735.html

IKEA官網本地文件包含(LFI)漏洞分析
http://www.4hou.com/vulnerable/13759.html

禪道pms-路由及漏洞分析
https://bit.ly/2Oce2zT

2018網絡安全人才發展白皮書
https://book.yunzhan365.com/umta/dwpr/mobile/index.html

ZooPark:Android逆向之靜態分析
http://www.freebuf.com/articles/system/184286.html

多種使用SMB端口遠程連接PC的方法介紹
http://www.freebuf.com/articles/system/183670.html

偽造電子郵件以及製造電子郵件炸彈的攻防探討
http://www.freebuf.com/sectool/184555.html

LAME:通過SSL加密通信進行橫向滲透的新技術
http://www.freebuf.com/articles/system/183666.html

漏洞管理的定義與最佳實踐
https://www.aqniu.com/learn/39198.html

從CVE-2018至1273年學漏洞分析
https://www.secpulse.com/archives/75930.html

Apache Commons Fileupload Dos漏洞分析
https://blog.spoock.com/2018/09/26/cve-2014-0050/

5 Ways to Hack SMB Login Password
http://www.hackingarticles.in/5-ways-to-hack-smb-login-password/

IDA-minsc Wins Second Place in Hex-Rays Plugins Contest
https://blog.talosintelligence.com/2018/09/ida-minsc.html

Three New DDE Obfuscation Methods
https://blog.reversinglabs.com/blog/cvs-dde-exploits-and-obfuscation

Open Sourcing HASSH A profiling method for SSH Clients and Servers
https://engineering.salesforce.com/open-sourcing-hassh-abed3ae5044c

How Microsoft rewrote its C# compiler in C# and made it open source
https://bit.ly/2xUHsIr

F.商業
中華電信導入細胞廣播技術
https://bit.ly/2DqfQB0

微軟產品發布 AI人工智能•IoT 仍是重點
https://bit.ly/2xW5Vxh

微軟拚永續成長 推出產品更新和資安、AI新服務
https://udn.com/news/story/6811/3385458

微軟持續推動人工智慧與開放數據架構 協助企業轉型、加速科技成長
https://bit.ly/2MZFR9K

Cloudflare推出數位簽章時間校準服務Roughtime
https://www.ithome.com.tw/news/126051

全球10月登場!全新Windows Server 2019四大亮點搶先看
https://www.techbang.com/posts/61413-new-windows-server-20194-highlights-first-glance

COMPUTEX 2019新增資訊安全與影像監控展區
http://www.tca.org.tw/tca_news1.php?n=1246

技嘉與大猩猩科技聯手推出AI智慧影像方案
https://www.techbang.com/posts/61454-gigabyte-and-gorilla-technology-launch-ai-intelligent-imaging-program

Microsoft is killing passwords one announcement at a time
https://nakedsecurity.sophos.com/2018/09/26/microsoft-is-killing-passwords-one-announcement-at-a-time/

中華電發展4重點 5G純網銀入列
http://photo.udn.com/money/story/5612/3387551

G.政府

中秋連假 金管會要求保險公司保戶服務不中斷
https://www.ydn.com.tw/News/305955

資安學院29日開課 首波鎖定金融業
https://money.udn.com/money/story/5641/3384211

國安局官員:「五星寺」不除必成國安隱患
http://news.ltn.com.tw/news/politics/breakingnews/2559857

年投10億培養晶片設計人才 科技部「半導體射月計畫」強化跨領域研發
https://www.storm.mg/article/515235

國安會資安業務竟外包 橘委憂成國安漏洞
https://www.mirrormedia.mg/story/20180927inv004

資策會改造再出發,執行長于孝斌自許 Digital Transformation Enabler
https://technews.tw/2018/09/28/iii-digital-transformation-enabler/

H.工控系統  SCADA / ICS Security

Fuji Electric V-Server VPR內存錯誤引用漏洞
http://monitouch.fujielectric.com/site/support-e/download-index-01.html

Rockwell Automation棧溢出高危漏洞(CVE-2018-14829)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14829

Schneider Electric Modicon TM218LDAE40DRPHN存在拒絕服務漏洞
http://www.cnvd.org.cn/flaw/show/CNVD-2018-17389

I.教育訓練類

網頁掛馬常見漏洞分析與檢測
http://www.4hou.com/vulnerable/13732.html

Windows 內核系列一: UAF基礎
https://bbs.pediy.com/thread-247019.htm

ZDResearch Advanced Web Hacking Training 2018 – Learn Online
https://bit.ly/2NG3BVC

Web Security: an introduction to HTTP
https://medium.freecodecamp.org/web-security-an-introduction-to-http-5fa07140f9b3

Unsecure RDP Connections are a Widespread Security Failure
https://www.webroot.com/blog/2018/09/25/unsecure-rdp-connections-widespread-security-failure/


J.玄武實驗室每日安全動態推送

每日安全動態推送(09-25)
https://tw.weibo.com/xuanwulab/4288125134299881

每日安全動態推送(09-26)
https://tw.weibo.com/xuanwulab/4288485726687440

每日安全動態推送(09-27)
https://tw.weibo.com/xuanwulab/4288841823706609

每日安全動態推送(09-28)
https://tw.weibo.com/xuanwulab/4289202704744880


K.物聯網/IOT/人工智慧/車聯網/光聯網/深度學習/機器學習/無人機

Future-Proofing for IoT Risks
https://www.bankinfosecurity.com/future-proofing-for-iot-risks-a-11549

《Blackberry》表示自動駕駛科技難以避免遭駭客入侵
https://www.kingautos.net/224914

勤業:挑選知名智慧連網 避免資安風險
https://udn.com/news/story/7240/3388372

互聯網時代 IP CAM變DDOS武器
https://www.chinatimes.com/realtimenews/20180926002723-260410

縱橫物聯網時代!打造數位資訊安全防護策略 勤業眾信:縱向建立資安框架 橫向管理跨域資訊風險
https://times.hinet.net/news/21983260

勤業:挑選知名智慧連網 避免資安風險
http://news.m.pchome.com.tw/living/cna/20180926/index-15379485912064518009.html

互聯網時代 資安漏洞變經濟危機
https://bit.ly/2DvUq5G

物聯網時代來臨 別忽略資安防護
https://money.udn.com/money/story/5612/3389492

物聯網時代增加資安犯罪 須提高警覺
https://news.wearn.com/c24733.html

互聯網時代 資安漏洞變經濟危機
https://www.wantgoo.com/news/content/index?ID=861077

加州議會通過IoT裝置安全法案
https://www.nccst.nat.gov.tw/NewsRSSDetail?lang=zh&RSSType=news&seq=16152

4.近期資安活動及研討會
  
  Call For Paper | HITCON PACIFIC 2018  9/17 ~ 10/14
  https://blog.hitcon.org/2018/09/call-for-paper-hitcon-pacific-2018.html
 
   【課程】金融大數據分析技術與演算法實戰,用 Python + 機器學習技術,分析房價、股價、匯率數據及預測趨勢  9/29
  https://bit.ly/2PwvT2g

  亥客書院 - 數位鑑識概念與實作  9/29
  https://hackercollege.nctu.edu.tw/?p=594

  ISDA 教育訓練 Burpsuite實戰百分百  9/29
  https://reg.isda.org.tw/info.php?no=36

  TDOH Conf 2018 9/29
  https://tdoh-conf.online/

  TWCERT / CC 2018年台灣資安通報應變年會  10/3
  https://www.informationsecurity.com.tw/edm/IS_EDM_181003/

  亥客書院 -網路流量分析與檢測 10/6
  https://hackercollege.nctu.edu.tw/?p=891

  物聯網資安培訓專班(國立臺灣大學) 10/7 ~ 10/21
  https://w3.iiiedu.org.tw/coursedetail.php?id=ICSA04I&l=40&c=ICSA04I1801

  國家高速網路與計算中心教育訓練 - 惡意程式分析 10/9
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3646&from_course_list_url=homepage

  Windows Server 高峰會  10/9
  https://www.microsoftevents.com/profile/form/index.cfm?PKformID=0x4938443abcd&wt.mc_id=AID738824_EML_5710125

  金融資安培訓專班(國立臺灣大學) 10/10 ~ 10/15
  https://w3.iiiedu.org.tw/coursedetail.php?id=FCSA04I&l=40&c=FCSA04I1801

  中部科學園區管理局 - 跨平台資安防範全面啟動研討會 10/11
  http://www.fstopsoft.com/DynamicContent.aspx?id=3DB42D1290F9C34F

  金融資安專業培訓(中華電信) 10/13 ~ 11/10
  https://w3.iiiedu.org.tw/coursedetail.php?id=FCSA03I&l=30&c=FCSA03I1801

  金融資安培訓課程(中華民國資訊軟體協會) 10/13 ~ 11/10
  https://w3.iiiedu.org.tw/coursedetail.php?id=FCSA01I&l=35&c=FCSA01I1801

  金融資安培訓課程(勤業眾信風險管理諮詢股份有限公司) 10/16 ~ 11/13
  https://w3.iiiedu.org.tw/coursedetail.php?id=FCSA05I&l=30&c=FCSA05I1801

  AWS Transformation Day Taipei 10/16
  https://amzn.to/2NKLQob

   XRY Certification 教育訓練 10/17 ~ 10/18
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=39

  JCCONF 2018  10/19
  https://jcconf.tw/2018/

  2018 健康物聯網黑客松  10/19 ~ 10/21
  http://hack.tmu.edu.tw/2018.php

  物聯網資安培訓課程(崑山科技大學)  10/20 ~ 11/3
  https://w3.iiiedu.org.tw/coursedetail.php?id=ICSA05I&l=30&c=ICSA05I1801 

  物聯網資安專業培訓(中華電信) 10/20 ~ 11/17
  https://w3.iiiedu.org.tw/coursedetail.php?id=ICSA02I&l=30&c=ICSA02I1801

  Foundations in Digital Forensics with EnCase? (DF120) (原CF1)  10/23 ~ 10/26
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=40

  國家高速網路與計算中心教育訓練 - 網路封包分析  10/23
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3650&from_course_list_url=homepage

  107年度各級專業人員持續訓練課程 - 資安治理概論與規劃  10/26
  https://www.tpipas.org.tw/course_view.aspx?no=118&tid=219

  物聯網資安培訓課程(中華民國資訊軟體協會) 10/26 ~ 11/9
  https://w3.iiiedu.org.tw/coursedetail.php?id=ICSA01I&l=35&c=ICSA01I1801

  金融資安培訓課程(台灣雲端安全聯盟) 10/26 ~ 11/3
  https://w3.iiiedu.org.tw/coursedetail.php?id=FCSA02I&l=30&c=FCSA02I1801

  亥客書院 -惡意程式檢測實務 10/27
  https://hackercollege.nctu.edu.tw/?p=885

  ISDA 白帽駭客巡迴入門〈1〉10/27
  https://reg.isda.org.tw/info.php?no=27

  TANET 2018-台灣網際網路研討會 暨資訊工程X智慧計算學門成果發表會 10/21 ~ 10/26
  https://cis.ncu.edu.tw/SeminarSys/activity/TANET2018/home

  Red Hat Forum 2018 TAIPEI  11/2
  https://www.redhat.com/en/events/red-hat-forum-taipei-2018?sc_cid=701f2000001OEJMAA4

  物聯網資安實務課程(台灣雲端安全聯盟) 11/2 ~ 11/10
  https://w3.iiiedu.org.tw/coursedetail.php?id=ICSA03I&l=30&c=ICSA03I1801

  ISDA 白帽駭客巡迴入門〈1〉11/03
  https://reg.isda.org.tw/info.php?no=28

  Building and Investigation with EnCase? (DF210) (原CF2)  11/5 ~ 11/8
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=41

  亥客書院 - DDoS原理與實務  11/10
  https://hackercollege.nctu.edu.tw/?p=774

  Magnet原廠授權認證課程Magnet AXIOM Examinations 11/12 ~ 11/15
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=42

  原廠認證Cellebrite Certified Operator (CCO)  11/19 ~ 11/20
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=43

  Metasploit與滲透測試實務 11/25 ~ 11/26
  https://hackercollege.nctu.edu.tw/?p=641

  EnCase EnCE 認證考試 Preparation 課程  12/5 ~ 12/7
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=44

  駭客入侵調查暨資安緊急應變實務 12/10 ~ 12/11
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=45

  亥客書院 - 進階網頁滲透測試  12/15
  https://hackercollege.nctu.edu.tw/?p=323

  專業手機暨硬碟資料救援教育訓練課程 12/26 ~ 12/28
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=46

  亥客書院 - 高階網頁滲透測試    2019/1/5
  https://hackercollege.nctu.edu.tw/?p=768

沒有留言:

張貼留言

2024年 12 月份資安、社群活動分享

  2024年 12 月份資安、社群活動分享 Self-Taught Coding Tuesdays - Study, Code, Design, Build, Network 2024/12/3 https://www.meetup.com/taiwan-code-camp/e...