資安新聞及事件週報 2018/11/19 ~ 2018/11/23

1.重大弱點漏洞

微軟發佈11月份安全性公告
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/ff746aa5-06a0-e811-a978-000d3a33c573

Micro Focus NetIQ Access Manager 跨站脚本漏洞
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12480

美國郵政局發布API 漏洞補丁6000 萬用戶安全受影響
http://hackernews.cc/archives/24479

美國郵政服務USPS站點緊急修復用戶信息安全漏洞
http://www.tmtpost.com/nictation/3605826.html

開發人員指Gmail有幽靈郵件臭蟲,可讓寄件人資訊隱形
https://www.ithome.com.tw/news/127189

Dropbox的紅隊演練意外找出macOS的3個零時差漏洞
https://www.ithome.com.tw/news/127212

ZOHO ManageEngine OpManager 跨站脚本漏洞
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19288

DJI 被爆身份認證存安全漏洞 帳戶隨時被騎劫 幸已修補
https://bit.ly/2Q7tJt2

VMware 發布新的安全更新
https://www.vmware.com/security/advisories/VMSA-2018-0027.html

Cisco 多個產品存在安全性弱點
https://www.us-cert.gov/ncas/current-activity/2018/11/07/Cisco-Releases-Security-Updates

Gmail漏洞可以任意修改發件人地址
http://www.4hou.com/vulnerable/14586.html

Gmail app用戶謹防幽靈郵件以假亂真
https://www.twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5052

Adobe 已發布安全更新以解決 Flash Player,Acrobat和Reader,Photoshop CC 中的多個弱點
https://www.us-cert.gov/ncas/current-activity/2018/11/13/Adobe-Releases-Security-Updates

IBM API Connect信息洩露漏洞
http://www-01.ibm.com/support/docview.wss?uid=swg22017136

Google Chrome 遠端執行任意程式碼漏洞
https://www.us-cert.gov/ncas/current-activity/2018/11/19/Google-Releases-Security-Updates-Chrome

BestXsoftware Best Free Keylogger 安全漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-18519

Pivotal Cloud Foundry On Demand Services SDK 安全漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15759

Flash Player類型混淆嚴重漏洞,成功利用可能導致任意代碼執行(CVE-2018-15981)
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15981

phpMyAdmin通過密碼漏洞留後門文件
https://www.jb51.net/article/151095.htm

Spectre變種2的修補程式拖慢效能又讓Linux之父不開心了
https://www.ithome.com.tw/news/127181

Linux 4.20 更新修補 Specter V2 漏洞 將導致 Intel CPU 性能跌 50%
https://bit.ly/2Bu0ubF

電子學習平台Moodle登入介面具嚴重CSRF缺陷,現已修補
https://www.twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5053

Microsoft acquires FSLogix in name of improving Office 365 virtualization
https://www.zdnet.com/article/microsoft-acquires-fslogix-in-name-of-improving-office-365-virtualization/#ftag=RSSbaffb68

Popular AMP Plugin for WordPress Patches Critical Flaw – Update Now
https://bit.ly/2S612tB

For Apple users without latest security updates, the letter 'd' is not always the letter 'd'
https://www.zdnet.com/article/for-apple-users-without-latest-security-updates-the-letter-d-is-not-always-the-letter-d/#ftag=RSSbaffb68

Microsoft Azure, Office 365 users hit by multi-factor authentication issue
https://www.zdnet.com/article/microsoft-azure-office-365-users-hit-by-multi-factor-authentication-issue/#ftag=RSSbaffb68

Hands-on with the new Raspberry Pi 3 Model A+ and new Raspbian Linux release
https://www.zdnet.com/article/hands-on-with-the-new-raspberry-pi-3-model-a-and-new-raspbian-linux-release/#ftag=RSSbaffb68

How Dropbox's red team discovered an Apple zero-day exploit chain by accident
https://www.zdnet.com/article/how-the-dropbox-red-team-found-an-apple-zero-day-exploit-chain-during-pen-tests/#ftag=RSSbaffb68

3 New Code Execution Flaws Discovered in Atlantis Word Processor
https://bit.ly/2znQn6E

JVNVU#91640357 Android アプリ「みずほ銀行 みずほダイレクトアプリ」における SSL サーバ証明書の検証不備の脆弱性
https://jvn.jp/vu/JVNVU91640357/


2.銀行/金融/保險/證券/電子支付/行動支付/支付系統/虛擬貨幣/區塊鍊 新聞及資安


A-Nex展開首次代幣發行,展示網路安全領域無法被駭客侵入的加密貨幣技術
https://times.hinet.net/news/22082964

以太坊又一漏洞被發現,交易轉賬時可能耗費大量Gas
https://www.huoxing24.com/newsdetail/20181122155152153889.html

以太坊GasToken 發現安全漏洞,利用該漏洞可獲得大額gas 費
https://www.chainnews.com/news/841915101965.htm

區塊鏈跨境匯款、支付 面臨的挑戰與機會
https://bit.ly/2Q4ljm9

EOS DApp 充值“假通知”漏洞分析
https://bitkan.com/zh/blog/28363

周小川談數字貨幣和電子支付 鼓勵競爭但要後果可控
https://chinaqna.com/w1/1820/

銀行公會深耕法遵洗防規範 籌組「集體自律機制」深入當地探討問題
https://www.cmoney.tw/notes/note-detail.aspx?nid=147310

FIN & TECH創新聚落 中華電攜金研院 打造金融科技聚落
https://www.chinatimes.com/newspapers/20181117000306-260210

支付寶正式挑機八達通
https://bit.ly/2FpywBQ

顧立雄:打造行動支付生態圈
https://money.udn.com/money/story/5648/3488263

台灣Pay等成果發表 三大財金首長共同出席
https://shareba.com/module/news/296260546631746103.html

財金公司今年五大亮點 跨行業務營運預超過210兆元
https://udn.com/news/story/7239/3488868

防數位人頭戶 電子支付帳戶開戶新增十大禁令
https://tw.appledaily.com/new/realtime/20181118/1468426/

金融座談/財金公司董事長趙揚清:普惠金融 推動台灣Pay
https://money.udn.com/money/story/5648/3488270

顧立雄:發展金融科技 需兼顧資安及消費者保護
http://ec.ltn.com.tw/article/breakingnews/2617125

金融資訊系統 創新科技推手
https://www.chinatimes.com/newspapers/20181120000353-260210

支付平台滿天飛!2個問題考考你,「行動支付」跟「電子支付」有什麼不同
https://bit.ly/2QT59sV

這才叫 真 行動支付!日本開發行動 ATM 車,讓ATM機可以開到你面前給你提錢
https://www.techbang.com/posts/62682-japan-develops-mobile-atm-car-netizen-true-action-payment

明年起發票獎金 超商、基層金融機構1.3萬個據點可領
https://www.ettoday.net/news/20181119/1309847.htm

集保e存摺App2.0版本上線
https://money.udn.com/money/story/5607/3489983

集保e存摺2.0版登場 證券存摺行動化
https://www.chinatimes.com/realtimenews/20181119004045-260410

南山系統又出包!保單遭2度停效保戶氣炸
https://tw.finance.appledaily.com/realtime/20181119/1469164

Group-IB:俄羅斯銀行正遭遇網釣攻擊
https://ithome.com.tw/news/127121

研究人員揭露7個Magecart隊伍的攻擊手法,突顯電子購物網站安全性岌岌可危
https://www.ithome.com.tw/news/127114?fbclid=IwAR3PxWF7Sv5nBdOijsVGdywbhW6fSFRFydA6fahX0340a_um4H9k4RkPnVE

FIDO 身分辨識研討會議程表間接證實,劉奕成將以國家隊網銀 CEO 身分出席
https://bit.ly/2Qb7Hpf

台灣大董事會通過 參與「LINE Bank」純網銀籌備
http://ec.ltn.com.tw/article/breakingnews/2619977

台灣大擬以5%持股 加入LINE Bank純網銀團隊
https://www.chinatimes.com/realtimenews/20181121003763-260410

LINE純網銀合作對象到位!橫跨金融、電信產業
https://tw.news.appledaily.com/new/realtime/20181121/1470563/

LINE 正式發表區塊鏈技術平台「LINK Chain」,並宣布對外開放人工智慧技術
http://technews.tw/2018/11/22/line-developer-day-link-chain/

與中華電互別苗頭,台灣大董事會通過參與「LINE Bank」純網銀籌備
https://bit.ly/2PH0IF7

集點活動恐走入歷史
https://www.chinatimes.com/newspapers/20181123000335-260205

跨行轉帳500以下免手續費 金管會最快11月底拍板
https://bit.ly/2OYGtgK

攻行動支付 LINE小綠機將登台
https://www.chinatimes.com/newspapers/20181122000267-260202

活動通報名平台攜手Bytepay區塊鏈應用
https://www.chinatimes.com/newspapers/20181122000189-260301

跨行專戶餘額新制 1/4上路
https://money.udn.com/money/story/5613/3494517

跨行支付太夯 央行提高跨行專戶抵充存款比率至8%
https://www.ettoday.net/news/20181121/1312252.htm

QR CODE支付平台再進軍港鐵 2021年4間公司一掃入閘
https://bit.ly/2S9tFGj

當虛擬銀行遇上陳德霖(程總裁)
https://hk.finance.appledaily.com/finance/realtime/article/20181121/58936509

Bradesco agrees blockchain deal with Japan's largest bank
https://www.zdnet.com/article/bradesco-agrees-blockchain-deal-with-japans-largest-bank/#ftag=RSSbaffb68

How HSBC Bank used a smartwatch to boost in-branch customer interaction
https://www.atmmarketplace.com/articles/how-hsbc-bank-used-a-smartwatch-to-boost-in-branch-customer-interaction/

Russia welcomes introduction of first cardless ATMs
https://www.atmmarketplace.com/news/russia-welcomes-introduction-of-first-cardless-atms/

Magecart Spies Payment Cards From Retailer Vision Direct
https://www.bankinfosecurity.com/magecart-spies-payment-cards-from-retailer-vision-direct-a-11709

Vision Direct reveals customer credit card leak, fake Google script may be to blame
https://www.zdnet.com/article/vision-direct-reveals-customer-credit-card-leak/#ftag=RSSbaffb68

Here's Why Account Authentication Shouldn't Use SMS
https://www.bankinfosecurity.com/heres-account-authentication-shouldnt-use-sms-a-11708


3.資安事件新聞

A.病毒木馬 / 殭屍網路 / 勒索軟體


挖礦惡意程式攻擊 Linux 系統,並利用 Rootkit 自我隱藏
https://blog.trendmicro.com.tw/?p=57986&fbclid=IwAR1PgSpmHs5af-3PSgyFRegDjj8SVmmddO06y8ADHd_Qv7NdMX64bi-l8_E

銀行木馬Emotet已在全球建立了721個C&C伺服器
https://ithome.com.tw/news/127157

防毒軟體龍頭 360也走向衰落
https://www.chinatimes.com/newspapers/20181122000205-260301

駭客威力強!三招教你化解病毒危機
https://bit.ly/2BqilA4

德州醫院遭勒索軟體Dharma攻陷
https://www.ithome.com.tw/news/127150

垃圾郵件舊瓶裝新酒,專挑冷門檔案格式夾帶惡意附件
https://blog.trendmicro.com.tw/?cat=4091

勒索病毒家族數量減少,但感染為何持續發生
https://blog.trendmicro.com.tw/?p=57953

挖礦病毒隱身術再進化,利用 Windows Installer 躲避偵測
https://blog.trendmicro.com.tw/?p=57942

Microsoft Office線上影片功能,被散播 URSNIF 資料竊取病毒
https://blog.trendmicro.com.tw/?p=57996

挖礦惡意程式攻擊 Linux 系統,並利用 Rootkit 自我隱藏
https://blog.trendmicro.com.tw/?p=57986

Hacking group returns, switches attacks from ransomware to trojan malware
https://www.cybersecurity-review.com/news-november-2018/hacking-group-returns-switches-attacks-from-ransomware-to-trojan-malware/

Threats agents will investigate new techniques of cyber attacks
https://manchikoni.com/threats-agents-will-investigate-new-techniques-of-cyber-attacks/

Malware Moves: Attackers Retool for Cryptocurrency Theft
https://www.bankinfosecurity.com/malware-moves-attackers-retool-for-cryptocurrency-theft-a-11715

City of Valdez, Alaska admits to paying off ransomware infection
https://www.zdnet.com/article/city-of-valdez-alaska-admits-to-paying-off-ransomware-infection/#ftag=RSSbaffb68

Golem Malware - The Malware Hiding in Your Windows Fonts Folder
https://bit.ly/2R048iW

Texas hospital becomes victim of Dharma ransomware
https://www.zdnet.com/article/texas-hospital-becomes-victim-of-ransomware-patient-data-potentially-leaked/#ftag=RSSbaffb68

Russian APT comes back to life with new US spear-phishing campaign
https://www.zdnet.com/article/russian-apt-comes-back-to-life-with-new-us-spear-phishing-campaign/#ftag=RSSbaffb68

Most antivirus programs fail to detect this cryptocurrency-stealing malware
https://www.zdnet.com/article/this-stealthy-malware-circumvents-antivirus-software-to-steal-your-cryptocurrency/#ftag=RSSbaffb68

Malicious code hidden in advert images cost ad networks $1.13bn this year
https://www.zdnet.com/article/malicious-code-hidden-in-advert-images-cost-ad-networks-1-13bn-last-year/#ftag=RSSbaffb68

GandCrab Ransomware: Cat-and-Mouse Game Continues
https://www.bankinfosecurity.com/blogs/gandcrab-ransomware-cat-and-mouse-game-continues-p-2684

India's New PCI SSC Associate Director on Payments Security
https://www.bankinfosecurity.asia/interviews/indias-new-pci-ssc-associate-director-on-payments-security-i-4177


B.行動安全 / iPhone / Android / App


30秒攻破手機漏洞捧走62萬美元獎金
http://news.creaders.net/china/2018/11/17/2018624.html

殭屍帳號掰掰 Instagram機器學習幫你砍讚、取消追蹤
https://www.ettoday.net/news/20181120/1310831.htm

Instagram 驚傳密碼外洩後 用機器學習工具移除按讚機器人 幫你砍讚、取消殭屍帳號
https://www.limitlessiq.com/news/post/view/id/7639/

【IG 密碼外洩】Instagram 出現安全漏洞,可暴露用戶密碼
https://bit.ly/2TDO2gr

因應GDPR推出的使用者資料下載功能出現漏洞!IG驚傳在網址列洩露密碼
https://www.ithome.com.tw/news/127162

里數App攻港有「漏洞」 KOL嘆頭等全因網友「資助」
https://hk.finance.appledaily.com/finance/realtime/article/20181121/58936543

被 800 隻貓 DoS ! Skype for Business 被發現處理 Emoji 出現漏洞
https://bit.ly/2OYtFan

注意Kitten of Doom!鉅量表情符號癱瘓商務型Skype
https://www.twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5054

13款假遊戲登上Google Play,實際上是下載廣告的惡意程式
https://www.ithome.com.tw/news/127153

簡訊驗證碼洩漏千萬人個資 外媒認為還是蘋果安全
https://udn.com/news/story/7098/3494230

駭客鎖定矽谷主管的行動電話門號下手,偷走百萬美元加密貨幣
https://www.ithome.com.tw/news/127210

新犯罪浪潮?駭客透過電話號碼竊取價值百萬美元加密貨幣
https://bit.ly/2AlKGpw

How Just Opening A Site In Safari Could Have Hacked Your Apple macOS
https://bit.ly/2QlekFK

Major SMS security lapse is a reminder to use authenticator apps instead
https://bit.ly/2QcpAnO

0-Days Found in iPhone X, Samsung Galaxy S9, Xiaomi Mi6 Phones
https://bit.ly/2OS9Xgx

Cook a perfect turkey with the help of the Meater wireless thermometer and your smartphone
https://zd.net/2KntBQB

Fake Google Android driving apps claim half a million victims
https://www.zdnet.com/article/fake-google-android-driving-apps-claim-half-a-million-victims/#ftag=RSSbaffb68

Apple vehicles abandoned as employees go on foot to boost Maps data
https://www.zdnet.com/article/apple-vehicles-left-out-in-the-cold-employees-go-on-foot-to-boost-maps-data/#ftag=RSSbaffb68

Mobile Cyber Attacks: How to Stay Protected in an Overly-Connected World
https://www.peerlyst.com/posts/mobile-cyber-attacks-how-to-stay-protected-in-an-overly-connected-world-dflabs

SIM-swapping 21-year-old scores $1 million by hijacking a phone
https://www.zdnet.com/article/sim-swapping-21-year-old-scores-1-million-by-hijacking-a-phone/#ftag=RSSbaffb68


C.事件 / 駭客 / DDOS / APT / 徵才 / 國際資安事件

女王變身天才駭客!克萊兒芙伊挑樑「龍紋身女孩」 揭密莎蘭德最想逃避的過去
https://www.beautimode.com/article/content/85905/

5歲學程式、14歲就揪出IBM漏洞!印度天才少年現正以「驚人智慧」,翻譯人類腦波
https://www.storm.mg/lifestyle/635780

剖析網路時代的治理失能與衝擊後遺
https://bit.ly/2qPcMp0

中華電今網路大當機30分鐘 竟是因人為疏失
https://tw.news.appledaily.com/life/realtime/20181119/1468986/

假消息未經查證便經採用 人工智慧增加點閱率成幫兇 網路新聞造假泛濫成災 治理原則應採多元管治
https://www.netadmin.com.tw/article_content.aspx?sn=1811020006

報告: 網路犯罪改採人工發動目標性攻擊
https://bit.ly/2FAUuSw

以開放資料養綠?歐洲怎麼「駭」出一片綠色家園
https://g0v.news/civictechweekly-1d73924c6a3e

路由器…智慧家庭資安維護關鍵
https://udn.com/news/story/7240/3488209

使用者資安意識倒退嚕!75%會在多個應用系統配置相同密碼
https://www.ithome.com.tw/news/127104

駭客愛用的專案託管平臺Sr.ht釋出公開測試版
https://www.ithome.com.tw/news/127093

資安疑慮 海康威視被當眼中釘
https://money.udn.com/money/story/5612/3490273

資安疑慮? 海康威視傳遭美封殺
http://www.udnbkk.com/article-268325-1.html

Sophos網絡威脅報告揭露 駭客趨向以人手發動總攻擊
https://bit.ly/2Q5b8h3

全校師生Google Drive癱瘓 恒大︰Google表示歉意
https://hk.finance.appledaily.com/finance/realtime/article/20181122/58943580

從反毒反貪到虛擬貨幣 國際洗錢防制不斷更新
http://news.ltn.com.tw/news/weeklybiz/paper/1247863

怎麼阻止中國駭客竊取機密?FBI前局長:只有報復性攻擊,駭回去!
https://www.rti.org.tw/news/view/id/2003001

基進黨選將籲高雄青年返鄉 用民主1票抵抗10萬中國網軍
http://news.ltn.com.tw/news/politics/breakingnews/2620587

21世紀台海戰爭 在網路世界開打
https://www.ettoday.net/news/20181120/1311108.htm

中國加強網攻澳洲企業 澳媒:竊取智慧財產權
https://money.udn.com/money/story/5599/3491341

當帶風向比新聞更深入人心...虛擬菜市場裡的婆婆媽媽:暗黑網軍
https://www.cmmedia.com.tw/home/articles/12952

FBI 探員:中國國安部主導竊密,不擇手段搶奪美企技術
https://technews.tw/2018/11/19/china-unscrupulously-snatched-us-technology/

APEC美中交鋒火熱 隱現中共兩項貿易戰略
http://www.epochtimes.com/b5/18/11/18/n10860310.htm

美國雷根號航母訪問香港 解放軍在台灣投票日沒辦法「助選」了
https://bit.ly/2OTGnHr

【美中貿易戰的關鍵引爆點(下)】美國報復不斷加碼 中國「韜光養晦」為時已晚
https://bit.ly/2AfiSTO

中國外銷社會控制 中興通訊負責承製委內瑞拉智慧身分證
https://www.upmedia.mg/news_info.php?SerialNo=52352

川習會添壓力! 賴海哲批中國「網攻」:變本加厲
https://bit.ly/2BrXI6E

防網軍癱瘓計票 資安應變小組成軍
http://news.ltn.com.tw/news/politics/paper/1248649

FBI前局長:報復性網路攻擊才能阻擋中國攻勢
https://tw.appledaily.com/new/realtime/20181122/1471095/

義大利遭受境外大規模針對認證電子郵件帳戶的網路攻擊
https://www.twcert.org.tw/subpages/securityInfo/hackevent_details.aspx?id=883

韓青瓦台:文金會前後 韓政府未受駭客攻擊
https://bit.ly/2RdQE3i

韓青瓦臺澄清文金會前後未遭朝鮮駭客攻擊
https://cb.yna.co.kr/gate/big5/m-cn.yna.co.kr/view/ACK20181122002400881?section=politics/index

停止敵對行為?北韓9月狂駭南韓政府網站 竊取「文金三會」情報
https://www.ettoday.net/news/20181122/1312607.htm

美媒曝中共駭客瞄準一國際盛事 目的讓人意想不到
http://www.ntdtv.com/xtr/b5/2018/11/22/a1400242.html

紐時報導資安危機 台積電遭病毒感染成案例
https://news.tvbs.com.tw/politics/1033733

新加坡與美國推行聯合資安技術援助計畫,以提升東協防禦網襲能力
https://twbusiness.nat.gov.tw/news.do?id=395247643

只懂出張嘴? 日本資安戰略大臣:我從沒用過電腦
https://wacowla.com/blog/2018/11/15/ad-japans-new-cybersecurity-minister-admits-he-has-never-used-a-computer/

網路安全官員竟沒用過電腦?也不知啥是USB
http://news.m.pchome.com.tw/living/ftv/20181116/index-15423495004103819009.html

日本資安戰略大臣櫻田義孝:我從未用過電腦
https://www.ithome.com.tw/news/127088

史上「最強」資安手段?日本網路安全戰略大臣承認:從未使用過電腦
https://finance.technews.tw/2018/11/16/japan-cybersecurity-minister-admits-he-never-used-a-computer/

日本政府如何加強資安、防範駭客?找一個電腦白癡掌管「網路安全戰略總部」
https://www.storm.mg/article/629467

日本負責網路安全的高官坦承:沒用過電腦
http://www.epochtimes.com/b5/18/11/19/n10860963.htm

無界限!中明目張膽竊取美、澳機密
https://bit.ly/2AfXU7o

資安公司警告 俄駭客假冒美政府進行網攻
https://www.ydn.com.tw/News/313274

醜態百出!臉書公開 13 封 FBI 密函,揭露美政府私下要求 FB、IG 用戶個資現況
https://buzzorange.com/techorange/2018/11/16/facebook-unveil-letter-from-fbi/

攜手防駭 美五角大廈、國土安全部簽備忘錄
https://bit.ly/2Bg88WQ

北約戰情室GIS系統軟體機密 恐遭中國掌握
http://news.ltn.com.tw/news/world/paper/1247671

川普簽署法案設立網路及基礎架構安全署,將網路安全事務拉高到聯邦層級
https://www.ithome.com.tw/news/127115

美憂資安風險 勸盟友避用華為電信設備
https://www.ydn.com.tw/News/314024

恐洩國家機密?傳美德義日為保密防諜齊禁用華為
https://news.ftv.com.tw/news/detail/2018B23I07M1

國家級駭客橫行,研究:中國、伊朗及北韓駭客最活躍
https://www.ithome.com.tw/news/127149?fbclid=IwAR0hilij3dmHn2wRuCXADsU8ekreJdB5zUaUdTghR4EG43L6z8wu0r8VdQo

Israel aims at hardening aviation industry assets from cyberattack
https://csecybsec.com/cse-news/israel-aims-at-hardening-aviation-industry-assets-from-cyberattack/

China has launched more and more cyber attacks against Australia
https://jqknews.com/news/99730-China_has_launched_more_and_more_cyber_attacks_against_Australia.html

Did China Spy on Australian Defense Websites
https://www.bankinfosecurity.asia/did-china-spy-on-australian-defense-websites-a-11714

L0rdix becomes the new Swiss Army knife of Windows hacking
https://www.zdnet.com/article/l0rdix-becomes-the-new-swiss-army-knife-of-hacking/#ftag=RSSbaffb68

Facebook entices researchers with $40,000 reward for account takeover vulnerabilities
https://www.zdnet.com/article/facebook-entices-researchers-with-40000-reward-for-account-takeover-vulnerabilities/#ftag=RSSbaffb68

Two Friends Who Hacked TalkTalk Receive Prison Sentences
https://www.bankinfosecurity.com/two-friends-who-hacked-talktalk-receive-prison-sentences-a-11712

Cybercrime Conference Returns to Dublin
https://www.bankinfosecurity.com/blogs/cybercrime-conference-returns-to-dublin-p-2685

Second WordPress hacking campaign underway, this one targeting AMP for WP plugin
https://www.zdnet.com/article/second-wordpress-hacking-campaign-underway-this-one-targeting-amp-for-wp-plugin/#ftag=RSSbaffb68

Safeguard Your Data And Privacy Online With This Award-Winning VPN
https://bit.ly/2qWHtbG

Big foreign cyber attack targets Italian certified email accounts
https://reut.rs/2RXNIaS

Russian hacker arrested in Bulgaria for ad fraud of over $7 million
https://www.zdnet.com/article/russian-hacker-arrested-in-bulgaria-for-ad-fraud-of-over-7-million/#ftag=RSSbaffb68

Turning shadow IT into a business advantage
https://www.zdnet.com/article/turning-shadow-it-into-a-business-advantage/#ftag=RSSbaffb68

Russia wants DNC hack lawsuit thrown out, citing international conventions
https://www.zdnet.com/article/russia-wants-dnc-hack-lawsuit-thrown-out-citing-international-conventions/#ftag=RSSbaffb68

Popular Dark Web hosting provider got hacked, 6,500 sites down
https://www.zdnet.com/article/popular-dark-web-hosting-provider-got-hacked-6500-sites-down/#ftag=RSSbaffb68

China's Hack Attacks: An Economic Espionage Campaign
https://www.bankinfosecurity.com/interviews/chinas-hack-attacks-economic-espionage-campaign-i-4175

APAC firms look to edge for faster response but worry over data security
https://www.zdnet.com/article/apac-firms-look-to-edge-for-faster-response-but-worry-over-data-security/#ftag=RSSbaffb68

Pure Storage launches cloud data management suite for AWS in hybrid play
https://www.zdnet.com/article/pure-storage-launches-cloud-data-management-suite-for-aws-in-hybrid-play/#ftag=RSSbaffb68

Hackers use Drupalgeddon 2 and Dirty COW exploits to take over web servers
https://www.zdnet.com/article/hackers-use-drupalgeddon-2-and-dirty-cow-exploits-to-take-over-web-servers/#ftag=RSSbaffb68

Best Cyber Monday 2018 deals: Business Bargain Hunter's top picks
https://www.zdnet.com/article/best-cyber-monday-2018-deals-business-bargain-hunters-top-picks/#ftag=RSSbaffb68

Why you need to know about Penetration Testing and Compliance Audits
https://bit.ly/2PGNnww

Secret Charges Against Julian Assange Revealed Due to "Cut-Paste" Error
https://bit.ly/2FzKrwX

Cyber-security firm doxxes hacker who sold MySpace and Dropbox databases in 2016
https://www.zdnet.com/article/cyber-security-firm-doxxes-hacker-who-sold-myspace-and-dropbox-databases-in-2016/#ftag=RSSbaffb68

Digital leaders reboot to hedge against a downturn
https://www.zdnet.com/article/digital-leaders-reboot-to-hedge-against-a-downturn/#ftag=RSSbaffb68

Brazilian government boosts satellite infrastructure
https://www.zdnet.com/article/brazilian-government-boosts-satellite-infrastructure/#ftag=RSSbaffb68

Live Webinar: The Role of Threat Intelligence in Cyber Resilience
https://www.bankinfosecurity.com/webinars/live-webinar-role-threat-intelligence-in-cyber-resilience-w-1843

Is Nigeria Ready For Possible Cyber-Attack On 2019 Presidential Election
https://elombah.com/is-nigeria-ready-for-possible-cyber-attack-on-2019-presidential-election/

Expert says Quebec government servers are highly vulnerable to cyber attack
https://brica.de/alerts/alert/public/1237343/expert-says-quebec-government-servers-are-highly-vulnerable-to-cyber-attack/

Security warning - UK critical infrastructure still at risk from devastating cyber attack
http://ednews.net/en/news/sience/337202-security-warning

UK firms in the dark around the impact of cyber attacks
https://digitalisationworld.com/news/55872/uk-firms-in-the-dark-around-the-impact-of-cyber-attacks

Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader
https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader

Spain approves contested data protection law
https://bit.ly/2A8e5U0

Rowhammer attacks can now bypass ECC memory protections
https://www.zdnet.com/article/rowhammer-attacks-can-now-bypass-ecc-memory-protections/#ftag=RSSbaffb68

徵才 - (中和)網路監控工程師
https://www.104.com.tw/job/?jobno=4sjwz&jobsource=freshman2009

徵才 - 五年內5,000人 中華電最大退休潮 3路因應
https://www.chinatimes.com/newspapers/20181119000356-260204

徵才 - (研發替代役)資安研發工程師
https://www.104.com.tw/job/?jobno=6fmhy


D.資料外洩/個資法/GDPR/網路詐騙/網路釣魚/盜刷

Instagram安全漏洞 用戶密碼疑曝光
https://bit.ly/2DBtobt

黑色星期五折扣季即將到來,民眾須慎防釣魚網頁及金融詐欺
https://www.twcert.org.tw/subpages/securityInfo/securitypolicy_details.aspx?id=774

大數據淘金及個資保護如何兼顧?鐵山帶您認識資安趨勢,提高競爭力
https://www.cw.com.tw/article/article.action?id=5092919

男子提出辭職 須先刪同事微信
https://bit.ly/2zfECiy

減肥名醫涉幫人詐領6200萬保險金 照看診演講檢警無奈
https://www.ettoday.net/news/20181117/1308481.htm

戴智慧手環要當心!? 個人資訊恐露餡
https://fnc.ebc.net.tw/FncNews/life/59697

健身手環搶女性市場 避開突如其來的大姨媽
https://tw.lifestyle.appledaily.com/gadget/realtime/20181119/1468865

Instagram 部分用戶密碼遭外洩 原因在「下載數據副本」產生的安全漏洞
https://www.saydigi.com/2018/11/413747.html

因應GDPR推出的使用者資料下載功能出現漏洞!IG驚傳在網址列洩露密碼
https://www.ithome.com.tw/news/127162?fbclid=IwAR0nNNmqtcjZpuXf1SsKtYJSUkJPRt-MtLLPZcmlxvzbuT7rjHHjjO4wK00

黑幫搞盜刷 電商損失慘重
http://news.ltn.com.tw/news/society/paper/1247516

商人盜用他人資料支付寶開戶網購4.5萬元 判囚1年
https://news.mingpao.com/ins/instantnews/web_tc/article/20181121/s00001/1542803192065

信用卡騙術層出不窮 供應商被騙走20萬元貨
https://bit.ly/2Q8YZrJ

研究人員破解了德國晶片身分證的線上驗證程序
https://ithome.com.tw/news/127202

完全監控? Facebook申請家庭族譜軟體專利
https://tw.appledaily.com/new/realtime/20181120/1469196/

資安危機!傳亞馬遜「技術性錯誤」泄用戶個資
http://tw.aboluowang.com/2018/1123/1207896.html

感恩節前夕亞馬遜爆資安意外 部分客戶隱私外洩
http://www.bldaily.com/international/p-342552.html

亞馬遜資安危機! 網站公開用戶姓名電郵
https://fnc.ebc.net.tw/FncNews/video/60405

美國郵政署網站API漏洞恐使6000萬用戶資料外洩
https://www.ithome.com.tw/news/127222

英國線上眼鏡商城Vision Direct個資外洩,偽造Google Analytics惹的禍
https://www.ithome.com.tw/news/127218

美國大選期間,研究:6%的Twitter帳號散播31%不可靠的訊息
https://www.ithome.com.tw/news/127214

Get paid up to $40,000 for finding ways to hack Facebook or Instagram accounts
https://bit.ly/2r3t1yU

Real Identity of Hacker Who Sold LinkedIn, Dropbox Databases Revealed
https://bit.ly/2zo7gON

US Postal Service Left 60 Million Users Data Exposed For Over a Year
https://bit.ly/2KsO0nI

Vision Direct Cyber-Attack Exposes Valuable Customer Data
https://www.cyberradio.com/2018/11/vision-direct-cyber-attack-exposes-valuable-customer-data/

Instagram Accidentally Exposed Some Users' Passwords In Plaintext
https://bit.ly/2OX1fNY

Two TalkTalk hackers jailed for 2015 data breach that cost it £77 million
https://bit.ly/2S2TZlx

On-site, cloud, or what? Where data should reside in hybrid environments
https://www.zdnet.com/article/on-site-cloud-or-what-where-data-should-reside-in-hybrid-environments/#ftag=RSSbaffb68

IRS failed to apply consumer protections for 11,406 taxpayers
https://www.zdnet.com/article/irs-failed-to-apply-consumer-protections-for-11406-taxpayers/#ftag=RSSbaffb68

OIG: HHS Must Do More to Address Cybersecurity Threats
https://www.bankinfosecurity.com/oig-hhs-must-do-more-to-address-cybersecurity-threats-a-11713

研究人員破解了德國晶片身分證的線上驗證程序
https://www.ithome.com.tw/news/127202?fbclid=IwAR120yEpClN6GcMlkTj5VDVvUZzwA57rWmaDUyqxhpMz3YRHj8K-pxZ-LXs

German eID card system vulnerable to online identity spoofing
https://www.zdnet.com/article/german-eid-card-system-vulnerable-to-online-identity-spoofing/#ftag=RSSbaffb68

Amazon leaks users' email addresses due to 'technical error'
https://www.zdnet.com/article/amazon-leaks-users-email-addresses-due-to-technical-error/#ftag=RSSbaffb68

New data reveals the secret to holiday retail success
https://www.zdnet.com/article/new-data-reveals-the-secret-to-holiday-retail-success/#ftag=RSSbaffb68



E.研究報告

淺析PDF事件導致的安全漏洞
https://zhuanlan.zhihu.com/p/49944840

Gmail也出漏洞,郵件潛在的安全風險不得不防
https://www.freebuf.com/news/189607.html

ColdFusion最新任意文件上傳漏洞的利用活動分析(CVE-2018-15961)
http://www.4hou.com/web/14548.html

漏洞戰爭CVE-2010-2883 小白分析望大佬指點迷津
https://bbs.pediy.com/thread-247855.htm

WebLogic反序列化漏洞(CVE-2017-3248)
https://blog.csdn.net/caiqiiqi/article/details/84246779

挖洞經驗| HackerOne安全團隊內部處理附件導出漏洞($12,500)
https://www.freebuf.com/vuls/189115.html

WP AMP插件漏洞分析
http://www.4hou.com/vulnerable/14605.html

FineCMS 5.0.10 多個漏洞詳細分析過程
https://segmentfault.com/a/1190000017075354

0 day漏洞CVE-2018-8589的新利用
http://www.4hou.com/technology/14616.html

作者如何利用xss漏洞shua盒子rank的
https://www.freebuf.com/column/190194.html

Android系統中通過RSSI廣播洩漏敏感數據的漏洞詳情披露(CVE-2018-9581)
http://www.4hou.com/vulnerable/14657.html

個案分析-校園勒索恐嚇信與勒索病毒攻擊事件分析報告_10711
https://cert.tanet.edu.tw/prog/opendoc.php?id=2018112311113838247549581880227.pdf

學術網路風險威脅評估報告-1
https://cert.tanet.edu.tw/prog/opendoc.php?id=2018112202114040560944506610529.pdf


F.商業

從工業偵防到暗網情蒐,資策會助企業阻斷潛在資安風險
https://bit.ly/2zflHV4

資安業者警告:量子電腦數秒可破解公鑰,企業應做好全面應對
https://www.hksilicon.com/articles/1704484

趨勢科技最新合作:與 Moxa 共組新公司,打造「工業物聯網」最強資安
https://buzzorange.com/techorange/2018/11/16/trend-micro-cooperates-with-moxa/

BlackBerry砸14億美元併購資安公司Cylance
https://www.ithome.com.tw/news/127111

本土跟進搶攻邊緣運算市場,宏碁推出AIoT邊緣運算裝置aiSage
https://www.ithome.com.tw/news/127130

VMware 的虛擬化技術,跨界侵蝕原不大相干的電信市場
https://technews.tw/2018/11/22/vmware-visualization-solution-would-eat-up-not-related-telecom-tech-market/

YubiKey 5: The ultimate security gift
https://www.zdnet.com/article/yubikey-5-the-ultimate-security-gift/#ftag=RSSbaffb68


G.政府

資安鐵三角 國安第一道防線
http://ieknet.iek.org.tw/ieknews/news_more.aspx?actiontype=ieknews&indu_idno=3&nsl_id=405ef8bb488a4dee8751561ca75e87b8

國家通訊暨網際安全中心成立 扛下5大任務
https://udn.com/news/story/7314/3485014

金管會主導成立金融資安中心 銀行、保險、證券都納入
https://www.ettoday.net/news/20181119/1309953.htm

資安為台競爭力特色 政委吳政忠:從高中培育資安人才
http://ec.ltn.com.tw/article/breakingnews/2614611

內政部:移民署資安總體檢無虞 請民眾放心
https://bit.ly/2Q3YRK2

10億8標案遭調查 施明德涉弊還繼續當官
https://bit.ly/2qSb7yL

107年政府組態基準(GCB)實作研習活動教材
https://www.nccst.nat.gov.tw/GCBDownloadDetail?lang=zh&seq=1066

純網銀申設 金管會雙重把關
http://www.merit-times.com/NewsPage.aspx?unid=531208

國軍盃網路安全競賽 強化資安實務
https://bit.ly/2BndX4V

「國防安全研究院」成立半年,究竟做些什麼?國防部今首度報告成果
https://www.storm.mg/article/635038

銀行法修正草案政院拍板 寶佳條款正式入法
http://ec.ltn.com.tw/article/paper/1248930

政院通過《銀行法》修正 納競業禁止條款
https://www.chinatimes.com/realtimenews/20181122002587-260407

政院通過《銀行法》修正 罰鍰上限提高至5千萬
https://www.ydn.com.tw/News/313884

違反內稽內控最高可飆罰5000萬 行政院拍板嚇阻爛銀行
https://www.ettoday.net/news/20181122/1312830.htm

防投票日出包 NCC:中華電信已有備援應戰
https://bit.ly/2FEYnGh

資通安全管理法子法最新公告
https://bit.ly/2AiCgz8

銀行法修正 金金分離入法
https://www.chinatimes.com/newspapers/20181123000245-260202

H.工控系統  SCADA / ICS Security

普萊德首進軍歐洲工業自動化展 主推智慧工控聯網方案
https://news.cnyes.com/news/id/4241122

關於施耐德M221系列PLC設備存在數據真實性驗證不足漏洞的情況通報
https://www.secrss.com/articles/6601


I.教育訓練類

資安補帖─Day35─滲透靶機─果汁機靶機小筆記
https://ithelp.ithome.com.tw/articles/10209923

資安補帖─Day36─OSINT
https://ithelp.ithome.com.tw/articles/10209958

資安補帖─Day37─APP檢測
https://ithelp.ithome.com.tw/articles/10209984

資安補帖─Day38─Crypto分享
https://ithelp.ithome.com.tw/articles/10210003

資安補帖─Day39─分享:CTF從入門到放棄
https://ithelp.ithome.com.tw/articles/10210008

資安補帖─Day40─Web入門分享─hacksplaining
https://ithelp.ithome.com.tw/articles/10210024

資安補帖─Day41─盤點資安基礎起手式
https://ithelp.ithome.com.tw/articles/10210038

資安補帖─Day42─談學習筆記
https://ithelp.ithome.com.tw/articles/10210065

資安補帖─Day43─CTFG Warm Question
https://ithelp.ithome.com.tw/articles/10210078

Web 安全漏洞之XSS 攻擊
https://juejin.im/post/5bf214e151882579cf011c2a

漏洞分析入門(一)
https://bbs.pediy.com/thread-247870.htm

一篇文章帶你深入理解漏洞之XXE 漏洞
https://xz.aliyun.com/t/3357

以太坊智能合約漏洞介紹與規模化審計方法詳解(上)
https://bbs.pediy.com/thread-247896.htm

J.玄武安全推送

每日安全動態推送(11-19)
https://tw.weibo.com/xuanwulab/4308060375525203

每日安全動態推送(11-20)
https://tw.weibo.com/xuanwulab/4308396826365903

每日安全動態推送(11-21)
https://tw.weibo.com/xuanwulab/4308770492239267

每日安全動態推送(11-22)
https://tw.weibo.com/xuanwulab/4309133911689310

每日安全動態推送(11-23)
https://tw.weibo.com/xuanwulab/4309497193068998


K.物聯網/IOT/人工智慧/車聯網/光聯網/深度學習/機器學習/無人機

機器學習犯罪面?假造指紋可通過生物辨識系統測試
https://cnews.com.tw/002181116a06/

Gartner發布十大物聯網策略技術趨勢
https://money.udn.com/money/story/5612/3488864

當機器人「看見」:萬物聯網時代,影像數據將引領產業新革命
https://www.inside.com.tw/2018/11/20/when-the-robot-sees-in-the-era-of-iot

指紋辨識就安全了嗎?研究:AI能產生以假亂真的假指紋
https://www.ithome.com.tw/news/127152

APAC consumers want IoT devices, but fear data leaks
https://www.zdnet.com/article/apac-consumers-want-iot-benefits-but-fear-data-leaks/#ftag=RSSbaffb68

L.CTF

CTF - hack.lu 2018
https://2018.hack.lu/ctf/

Meepwn CTF 2018
https://ctf.meepwn.team/

FAUST CTF 2018
https://2018.faustctf.net/

CODE BLUE CTF 2018
http://ctf.codeblue.jp/

nullcon Goa 2018 - CTF
https://nullcon.net/website/goa-2018/ctf.php

4.近期資安活動及研討會

 
  認證資訊系統安全專家 CISSP 輔導班 11月24日至12月8日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=278

  Metasploit與滲透測試實務 11/25 ~ 11/26
  https://hackercollege.nctu.edu.tw/?p=641

  新興資安產業生態系推動計畫 資訊安全檢測診斷成果發表會 11/26
  http://www.cisanet.org.tw/News/activity_more?id=Mzk2

  【課程】區塊鏈技術實作,學習DApp去中心化應用、動手寫智能合約、發行自己專屬的代幣  11/26   11/28
  https://www.techbang.com/posts/61972-courses-blockchain-dapp-smart-contracts

  平行計算程式設計基礎課程 11/27
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3701&from_course_list_url=homepage

  Taipei.py 十一月月會 (Monthly Meeting) 2018   11/29
  https://www.meetup.com/Taipei-py/events/255543630/

  開源碼WAF實作 11/29
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3765&from_course_list_url=homepage

  網路攻防實務 11/29
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3539&from_course_list_url=homepage

  Python 應用教學課程-平行處理 1~3 11/30 ~ 12/14
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3750&from_course_list_url=homepage

  【課程】Kubernetes(K8S)實戰班,容器編排管理絕佳工具,理論實作並重,有效打造企業級 DevOps 環境 12/1 12/2
  https://bit.ly/2rAkB2q

  ABAQUS基礎訓練課程 12/4 ~ 12/6
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3709&from_course_list_url=homepage

  EnCase EnCE 認證考試 Preparation 課程  12/5 ~ 12/7
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=44

  TANet/TWAREN監控平台與即時流量異常偵測系統介紹 12/6
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3766&from_course_list_url=homepage

  駭客入侵調查暨資安緊急應變實務 12/10 ~ 12/11
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=45

  TANet/TWAREN監控平台與即時流量異常偵測系統介紹 12/11
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3767&from_course_list_url=homepage

  網路封包分析 12/13
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3654&from_course_list_url=homepage

  眺望2019 物聯網安全高峰論壇  12/13
  https://www.2cm.com.tw/files/event/2018IoT_Security_Forum/index.html

  台灣駭客年會 HITCON Pacific 2018 12/13 ~ 12/14
  https://hitcon.kktix.cc/events/hitcon-pacific-2018

  亥客書院 - 進階網頁滲透測試  12/15
  https://hackercollege.nctu.edu.tw/?p=323

  Python 應用教學課程-雲端服務 1~3 12/21 ~ 1/4
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3753&from_course_list_url=homepage

  專業手機暨硬碟資料救援教育訓練課程 12/26 ~ 12/28
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=46

  系統日誌分析實務  12/27
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3653&from_course_list_url=homepage

  亥客書院 - 高階網頁滲透測試    2019/1/5
  https://hackercollege.nctu.edu.tw/?p=768

沒有留言:

張貼留言

2024年 12 月份資安、社群活動分享

  2024年 12 月份資安、社群活動分享 Self-Taught Coding Tuesdays - Study, Code, Design, Build, Network 2024/12/3 https://www.meetup.com/taiwan-code-camp/e...