跳到主要內容

資安新聞及事件週報 2018/10/29 ~ 2018/11/02

1.重大弱點漏洞

Your Web Applications Are More Vulnerable Than You Think
https://ibm.co/2EOZYIU

PayPal-Credit Card-Debit Card Payment 1.0 - SQL Injection
https://www.exploit-db.com/exploits/45728/

xorg-x11-server 1.20.3 - Privilege Escalation
https://www.exploit-db.com/exploits/45742/

xorg-x11-server < 1.20.3 - Local Privilege Escalation
https://www.exploit-db.com/exploits/45697/

WebDrive 18.00.5057 - Denial of Service (PoC)
https://www.exploit-db.com/exploits/45761/

蘋果更新眾多平台,修補安全漏洞
https://www.ithome.com.tw/news/126740

存在4年的LibSSH弱點,可讓駭客無須輸入密碼就能控制伺服器
https://www.ithome.com.tw/news/126764

New Privilege Escalation Flaw Affects Most Linux Distributions
https://bit.ly/2SpIo0N

近期數版X.Org Server出現Command Line參數核驗缺陷,易受入侵接管
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5040

威聯通NetBak Replicator無法承受鉅量字串輸入
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5043

Dell EMC Integrated Data Protection Appliance 安全漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11062

Apache Tomcat JK (mod_jk) Connector 路徑遍歷漏洞
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11759

Red Hat 內核多個漏洞
https://www.auscert.org.au/bulletins/71006

Easy-to-exploit privilege escalation bug bites OpenBSD and other big name OSes
https://bit.ly/2Q1A9Xb

多款華擎產品安全漏洞
https://www.exploit-db.com/exploits/45716

X.Org的X Server含有權限擴張漏洞,波及眾多Linux與BSD系統
https://www.ithome.com.tw/news/126726

Hacker Discloses New Windows Zero-Day Exploit On Twitter
https://bit.ly/2qc8t6C

SandboxEscaper expert is back and disclosed a new Windows Zero-Day
https://bit.ly/2z8C7xZ

Windows/x64 - Remote (Bind TCP) Keylogger Shellcode (864 bytes) (Generator)
https://www.exploit-db.com/exploits/45743/

What comes after Windows 10 19H1? Vanadium
https://www.zdnet.com/article/what-comes-after-windows-10-19h1-vanadium/#ftag=RSSbaffb68

Microsoft's latest Windows 10 19H1 test build adds updated sign-in options for Hello, more
https://www.zdnet.com/article/microsofts-latest-windows-10-19h1-test-build-adds-updated-sign-in-options-for-hello-more/#ftag=RSSbaffb68

Microsoft provides a new way for business users to test Windows 10 Enterprise features
https://www.zdnet.com/article/microsoft-provides-a-new-way-for-business-users-to-test-windows-10-enterprise-features/#ftag=RSSbaffb68

Windows 10 Security Checklist Starter Kit
https://myitforum.com/windows-10-security-checklist-starter-kit/

Windows 10 Bug Let UWP Apps Access All Files Without Users' Consent
https://thehackernews.com/2018/10/windows10-uwp-apps.html

Windows 10臭蟲讓UWP程式能直接存取所有檔案
https://www.ithome.com.tw/news/126706?fbclid=IwAR2APqb03h2luJson1SBYPYy_sMFhbdilc-HB3ny9rGmBuqsoIVQMvTP0TU

研究人員再次披露Windows 0-day漏洞
http://www.twoeggz.com/news/11889601.html

Windows 10被曝新零日漏洞涉及3大版本
http://netsecurity.51cto.com/art/201810/585746.htm

Windows 10 19H1 Build 18267 ISO images (3rd Party) now available
https://bit.ly/2Rpv8bx

CVE-2018-14665 privilege escalation flaw affects popular Linux distros
https://securityaffairs.co/wordpress/77402/hacking/cve-2018-14665-linux-distros.html

Vulnerability In Microsoft Word Online Video Feature Allows for Phishing
https://bit.ly/2qeQzAk

離譜!微軟網站嚴重LogMeIn漏洞唔理  讓騙徒輕易呃用家金錢
https://www.winandmac.com/2018/10/tech-support-scam-with-official-microsoft-site/

Windows 10 又搞事情了!UWP API漏洞讓你的磁盤信息徹底走光
https://zhuanlan.kanxue.com/article-5308.htm

關於防範WebLogic高危漏洞的安全預警通知
http://zuits.zju.edu.cn/2018/1029/c7943a887370/pagem.htm

Cisco Patched Privilege Escalation Vulnerability In Webex Meetings Desktop App
https://bit.ly/2yCtf4g

思科修補WebEx Meetings app權限升級漏洞
https://www.ithome.com.tw/news/126660

美國調查:8 成 Wi-Fi 路由器存漏洞 D-Link、華為最不安全
https://www.techritual.com/2018/10/29/173040/

IPython 7.1.0 release, Python command line interaction
https://meterpreter.org/ipython/?fbclid=IwAR2nyjT5KRp34jAdO1KskBZPmDCYPuypI010LUaE0p84LnByX7Fz5Jxk2Es

FreeBSD 12.0-BETA2 release, Unix-like operating system
https://meterpreter.org/freebsd/?fbclid=IwAR1oJIkkYpHE9mc12nataBofbS_uR9JMclckG7pIDgcgUEYJ9KJO3OoySj8

nginx ultimate bad bot blocker v3.2018.10.1231 releases
https://bit.ly/2SsnTAL

Kali Linux 2018.4 releases: Penetration Testing Distro
https://securityonline.info/kali-linux-2018-4/?fbclid=IwAR1iC_3A4gE6dyL9D9d1E33Hmh11zmZE72LTRy68HRrnzgzOhHng-nil2WM

E-Negosyo System 1.0 - SQL Injection
https://www.exploit-db.com/exploits/45730

Linux系統容易受到X.Org服務器中的權限提升和文件覆蓋漏洞攻擊
https://www.linuxidc.com/Linux/2018-10/155067.htm
https://www.linuxidc.com/Linux/2018-10/155067.htm

Squid代理緩存服務器修復遠程拒絕服務漏洞
https://www.linuxidc.com/Linux/2018-10/155075.htm

Linux Kodachi 5.0 releases: Secure open source Linux distribution
https://bit.ly/2P2xfoA

VyOS 1.2.0-rc5 is available for download
http://blog.vyos.net/vyos-1-dot-2-0-rc5-is-available-for-download

MISP v2.4.97 released – Malware Information Sharing Platform & Threat Sharing
https://bit.ly/2DbVAlH

New Privilege Escalation Flaw Affects Most Linux Distributions
https://bit.ly/2P3qqU0

PTP Lab — Privilege Escalation with Services
https://medium.com/@bondo.mike/ptp-lab-privilege-escalation-with-services-5d14a99a28d1

Windows 10 Bug Let UWP Apps Access All Files Without Users' Consent
https://bit.ly/2Q764pd

Microsoft is developing a dark theme for Office on macOS Mojave
https://bit.ly/2DeKnAQ

CVE-2018-18649: Gitlab Wiki API Remote Code Execution Vulnerability Alert
https://bit.ly/2ETFVJw

Cisco zero-day exploited in the wild to crash and reload devices
https://www.zdnet.com/article/cisco-zero-day-exploited-in-the-wild-to-crash-and-reload-devices/#ftag=RSSbaffb68

CVE-2018-15454 Cisco ASA及FTD軟件拒絕服務漏洞
https://www.secrss.com/articles/6097

Nutanix AOS & Prism < 5.5.5 (LTS) / < 5.8.1 (STS) - SFTP Authentication Bypass
https://www.exploit-db.com/exploits/45748/

WebExec - Authenticated User Code Execution (Metasploit)
https://www.exploit-db.com/exploits/45695/

Phrack: Viewer Discretion Advised: (De)coding an iOS Kernel Vulnerability (Adam Donenfeld)
https://www.exploit-db.com/papers/45745/


2.銀行/金融/保險/證券/電子支付/行動支付/支付系統/虛擬貨幣/區塊鍊 新聞及資安

面對汰弱留強的數碼轉型 金融行業如何應對
https://bit.ly/2O4xhXX

比特幣前傳:半世紀前,密碼學都還未成為一門真正的科學
http://news.knowing.asia/news/d31d1f8b-ee95-4ef7-b5e4-5890abc7975c

Bitcoin Core version 0.17.0.1 released
https://bitcoin.org/en/release/v0.17.0.1?fbclid=IwAR04O6DFqIgUnoMUtgrpkFmj4CZkAIKJi5Ypx5LXDS8d8kbU4VT2gPEjUqA

市場將會迎來首個擁有比特幣作為後盾來支撐其價值的ERC 20代幣
https://bit.ly/2ADft2M

警惕:這兩種代幣可能是北韓操控的騙局
http://news.knowing.asia/news/3a0e5492-79ca-4e92-bd71-83e5b32e76ba

怒甩580億陰霾!日虛擬貨幣交易所遭駭280日重啟新帳戶註冊
https://www.ettoday.net/news/20181030/1294014.htm

法國銀行用自己的實際行動,表達了對區塊鏈的偏愛
http://news.knowing.asia/news/14f62801-c3a8-4b6a-ae9e-6711d14dd091

全球首例!遠航推加密幣換機票
https://money.udn.com/money/story/5612/3451900

加密幣交易所遭駭 凸顯三議題
https://udn.com/news/story/7338/3446574

虛擬通貨規範 資誠:不扼殺創新並考量風險
https://money.udn.com/money/story/6710/3449413

日本金融廳:穩定幣不是幣!將要求業者持有銀行執照
https://bit.ly/2yKUauu

加拿大銀行在區塊鏈試驗中成功完成股票清算和結算
https://news.sina.com.tw/article/20181029/28637722.html

Bitcoin's Network - "語言"的變化
https://bit.ly/2Ofh7Ld

衡量成功的方式
https://bit.ly/2Q4ceXi

IOTA宣布Trinity 錢包漏洞賞金計劃
https://xcong.com/lives/1374466

電子錢包扣帳現漏洞 香港金管局急推3招補救
https://bit.ly/2PsntvB

一銀ATM跨國盜領破案揭密 國際資安合作 防駭總動員
https://www.chinatimes.com/newspapers/20181029000606-260102

一銀8,300萬ATM盜領案 退休國安高層揭破案內幕
https://bit.ly/2Sox0lY

洗錢與資安 純網銀兩大考驗
http://ec.ltn.com.tw/article/paper/1242807

警調抽絲剝繭 精準研判破一銀案
https://www.chinatimes.com/newspapers/20181029000611-260102

遙控盜領 吐到鈔盡機亡
https://www.chinatimes.com/newspapers/20181029000610-260106

4大特色 跨國智慧犯罪手法解析
https://www.chinatimes.com/newspapers/20181029000312-260202

4大特色 跨國智慧犯罪手法解析
https://www.chinatimes.com/newspapers/20181029000312-260202

香港行動支付轉數快需加強系統保安及私隱保障
http://www.thinkhk.com/article/2018-10/26/30545.html

轉數快騙案10多宗涉款逾40萬 議員轟香港電子支付落後
https://hk.on.cc/hk/bkn/cnt/news/20181030/bkn-20181030093257981-1030_00822_001.html

香港金管局暫接逾十宗騙案涉近40萬元 受害用戶將獲賠償
https://bit.ly/2P1Zxj9

香港金管局:十多宗轉數快騙案涉40萬 最快本周重開電子錢包增值
http://www.thinkhk.com/article/2018-10/30/30626.html

香港金管局出招防盜 「轉數快」eDDA改雙重認證
https://bit.ly/2OeT4Mu

香港金管局指日後設eDDA程序時需銀行雙重認證
http://www.metroradio.com.hk/news/live.aspx?NewsId=20181030090522

騙徒利用電子直接扣帳授權eDDA漏洞+電子錢包行騙
https://www.mrmiles.hk/fps-fraud/

香港金管局指10多個銀行帳號被盜用涉18萬元 用戶未授權可免責
https://bit.ly/2RmnwXc

香港金管局副總裁承認初設計轉數快時諗漏了令匪徒有機可乘
http://www.metroradio.com.hk/news/live.aspx?NewsId=20181030101325

香港金管局要求 SVF 銀行須採雙重認證 下周全面恢復轉數快
https://bit.ly/2qhrBR0

逾10宗"轉數快"騙案 金管局:與系統本身無關
http://www.hkcna.hk/content/2018/1030/719397.shtml

「轉數快」逾10宗存款未經授權被轉走 金管局指涉及金額40多萬
https://passiontimes.hk/article/10-30-2018/48986

李達志稱市民款項因「轉數快」被盜屬認證問題  或本周恢復功能
https://bit.ly/2JpIx0e

電子錢包變偷錢工具 網絡扒手化身信用卡卡主狂轉賬
https://hk.news.appledaily.com/breaking/realtime/article/20181101/58863066

電子支付的安全性
https://bit.ly/2Q4G121

北富銀行員監守自盜 挪用客戶存款罰400萬
https://bit.ly/2qhkKXq

「開放銀行」有譜 兩方式研議
https://www.ptt.cc/bbs/Bank_Service/M.1540527142.A.070.html

將來網路銀行 劉奕成將接CEO
https://bit.ly/2qhgwz9

ATM頻出包太依賴IBM?金管會要求全面盤點
https://bit.ly/2qbfNQ3

ATM頻當機,顧立雄要求總盤點
https://bit.ly/2Rg3oWC

銀行ATM頻傳當機 金管會大盤點
http://ec.ltn.com.tw/article/paper/1242201

勞退自選平臺 金管會請集保結算所研議實驗計劃
http://dailynews.sina.com/bg/tw/twlocal/bcc/2018-10-25/doc-iuvsyyet5484871.shtml

政大創新園區 國際大咖進駐
https://money.udn.com/money/story/5603/3445070

發展虛擬通貨 資誠:留意法令、資安、稅務三大挑戰
https://money.udn.com/money/story/5613/3449511

金管會明年6月擬納管ICO 會計師:ICO籌資將面臨三大挑戰
https://news.cnyes.com/news/id/4227792

LINE Bank覓新歡 富邦出線機會高
https://www.mirrormedia.mg/story/20181029fin004/

LINE純網銀洗牌!富邦砸70億擠下中信成最大股東
https://bit.ly/2RiMl6i

【熊大銀行QQ】前悠遊卡董座 因3個理由拋棄LINE
https://bit.ly/2RmXHWK

P2P借貸平台倒閉? 顧立雄:未直接監管仍需了解
https://shareba.com/module/news/293450114844379607.html

傳P2P平台倒閉?金管會:盼業者與銀行合作 強化經營健全性
https://news.cnyes.com/news/id/4228290

P2P促進會自清 盼為行業正名
https://money.udn.com/money/story/5613/3451946

P2P洗錢大漏洞?立委要求金管會納管 顧立雄這麼說
https://www.nownews.com/news/20181031/3042120/

金管會要不要管P2P 顧立雄:會全盤了解
https://www.chinatimes.com/realtimenews/20181031001592-260410

民間融資業者變身 偽P2P滿天飛
https://www.chinatimes.com/newspapers/20181031000686-260110

時間就是金錢!申辦投資人集保資料查詢系統 時時掌握投資動態
https://www.ettoday.net/news/20181030/1290371.htm

純網銀申設辦法出爐 獎落誰家明年6月揭曉
https://bit.ly/2Oh7o7j

純網銀配分出爐 營運模式+資安占比70%
https://www.ttv.com.tw/news/view/10710310019300F/579

怡富貸無預警關站 驚嚇投資人
https://www.chinatimes.com/newspapers/20181031000683-260110

金融區塊鏈函證 臺企銀即起試營運
https://www.chinatimes.com/newspapers/20181102000503-260210

Australian Cryptocurrency Theft Highlights Security Mistakes
https://www.bankinfosecurity.com/australian-cryptocurrency-theft-highlights-security-mistakes-a-11643

Zcash's Next Upgrade to Make Private Transactions 100x Lighter and 6x Faster
https://bit.ly/2Job3zy

What’s New in Sapling
https://bit.ly/2D8oP8R

$194 Million was Moved Using Bitcoin With $0.1 Fee, True Potential of Crypto
https://bit.ly/2CMK8vE

Magecart hackers change tactic and target vulnerable Magento extensions
https://securityaffairs.co/wordpress/77365/cyber-crime/magecart-new-tactic.html

New ATM Attack Uses Customer-Built Skimmers to Steal Credit Card Data and PINs
https://ibm.co/2JlbV83

Financial Industry CISOs to get a first look at Thales Data Threat Report at 2018 FinServ Data Security Summit
https://bit.ly/2EMEpsn

We're giving these out on Halloween! Each one has claimable BTC
https://bit.ly/2OgvbUO

Cobalt Gang targets banks and financial service providers by sneaking PDFs past staff
https://bit.ly/2OaKeiY

Largest Cyber Attack in Pakistan! Million Bank Heist from Bank Islami 29 Oct 2018
https://ividbuzz.com/post/2106/largest-cyber-attack-in-pakistan-6-million-bank-heist-from-bank-islami-29-oct-2018

Managing Cyber Risks: A New Tool for Banks
https://www.bankinfosecurity.com/interviews/managing-cyber-risks-new-tool-for-banks-i-4161

Cardtronics combats rising tide of attacks on UK ATMs
https://www.atmmarketplace.com/news/cardtronics-combats-rising-tide-of-attacks-on-uk-atms/

ATM supplier steps up security measures
https://forecourttrader.co.uk/news/fullstory.php/aid/15846/ATM_supplier_steps_up_security_measures.html


3.資安事件新聞

A.病毒木馬 / 殭屍網路 / 勒索軟體

新興殭屍網路DemonBot招兵買馬,鎖定Hadoop伺服器
https://www.ithome.com.tw/news/126669

北部醫院中勒索病毒 健保署:患者資料安全不影響就診
https://udn.com/news/story/7266/3444536

桃園某醫院疑有「勒索型病毒」入侵 資料遭加密中毒
https://udn.com/news/story/7321/3444619

微軟Windows Defender Antivirus成為第一個能在沙盒中運行的防毒產品
https://www.ithome.com.tw/news/126679

微軟 Edge 瀏覽器下載 Chrome?小心抓到病毒
https://www.inside.com.tw/2018/10/29/edge-download-malware

駭客透過曝露在外的Docker Engine API來部署挖礦程式
https://www.ithome.com.tw/news/126690?fbclid=IwAR03Z7RGQmUbyYvrKa-GA0GJchok6ugw_AeEyw9i3jP43kFixXj_CbqsAkc

當心! 插入YouTube影片的Word文件可能讓惡意程式上身
https://www.ithome.com.tw/news/126688

惡名昭彰的殭屍網路病毒Mirai作者之一被判賠償860萬美元
https://www.ithome.com.tw/news/126699

Mac用戶當心,加密貨幣價格追蹤程式CoinTicker暗藏木馬
https://bit.ly/2yFIj14

從5隻病毒到物聯網 張明正:人體可能遭駭
https://bit.ly/2EVCfHd

マルウエアTSCookieの設定情報を正常に読み込めないバグ
https://blogs.jpcert.or.jp/ja/2018/10/tscookie-1.html

Researchers find Stuxnet, Mirai, WannaCry lurking in industrial USB drives
https://www.zdnet.com/article/almost-half-of-usb-drives-in-industrial-settings-pose-severe-security-risk/#ftag=RSSbaffb68

Crypto-Locking Kraken Ransomware Looms Larger
https://www.bankinfosecurity.com/crypto-locking-kraken-ransomware-looms-larger-a-11652

Malware Analysis for Blue Teams
https://www.bankinfosecurity.com/interviews/malware-analysis-for-blue-teams-i-4157

Kraken Cryptor ransomware merges with Fallout exploit kit, fees slashed to gain followers
https://www.zdnet.com/article/kraken-cryptor-ransomware-merges-with-fallout-exploit-kit/#ftag=RSSbaffb68

GandCrab ransomware crew loses $1M after Bitdefender releases free decrypter
https://www.zdnet.com/article/gandcrab-ransomware-crew-loses-1mil-after-bitdefender-releases-free-decrypter/#ftag=RSSbaffb68

Ransomware and the Case for Software-as-a-Service
https://medium.com/@benbob/ransomware-and-the-case-for-software-as-a-service-5268621dac33

Emotet malware gang is mass-harvesting millions of emails in mysterious campaign  
https://www.zdnet.com/article/emotet-malware-gang-is-mass-harvesting-millions-of-emails-in-mysterious-campaign/

GPlayed Trojan's baby brother is after your bank account
https://www.zdnet.com/article/gplayed-trojans-baby-brother-is-after-your-bank-account/#ftag=RSSbaffb68

Windows Built-in Antivirus Gets Secure Sandbox Mode – Turn It ON
https://thehackernews.com/2018/10/windows-defender-antivirus-sandbox.html

Fresh GandCrab Decryptor Frees Data for Free
https://www.bankinfosecurity.com/fresh-gandcrab-decryptor-frees-data-for-free-a-11646

FireEye: Russian Research Lab Aided the Development of TRITON Industrial Malware
https://thehackernews.com/2018/10/russia-triton-ics-malware.html

DDoS-for-Hire Service Powered by Bushido Botnet
https://bit.ly/2OU91gu

Malware Theory - Oligomorphic, Polymorphic and Metamorphic Viruses
https://bit.ly/2Obst34

Windows Defender becomes first antivirus to run inside a sandbox
https://www.zdnet.com/article/windows-defender-becomes-first-antivirus-to-run-inside-a-sandbox/

Stop Using Microsoft Edge To Download Chrome -- Unless You Want Malware
https://bit.ly/2EOQduo

GlobeImposter 2.0 Ransomware extension .docx!Demonstration of attack video review
https://bit.ly/2RklAyn

Windows 10 UWP bug could give malicious devs access to all your files
https://zd.net/2StYiYb

Mirai Co-Author Gets House Arrest, $8.6 Million Fine
https://www.bankinfosecurity.com/mirai-co-author-gets-house-arrest-86-million-fine-a-11648

Android banking malware found on Google Play with over 10,000 installs targets Brazil
https://lukasstefanko.com/2018/10/android-banking-malware-found-on-google-play-with-over-10000-installs-targets-brazil.html

Android/TimpDoor Turns Mobile Devices Into Hidden Proxies | McAfee Blogs
https://paper.li/Seifreed/1536123682#/

Chalubo Bot Family Launches Distributed Denial-of-Service Attacks Against Linux Systems
https://ibm.co/2CMcyWG

Employee Watched Porn at Work via 9000 Web pages Drops Malware on U.S Government Network
https://gbhackers.com/employee-watched-porn/

Satori Botnet's Alleged Developer Rearrested
https://www.bankinfosecurity.com/satori-botnets-alleged-developer-rearrested-a-11651

Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer
https://bit.ly/2CRUx9A

Google Play Store: these 23 Android applications hide a dangerous banking malware
https://grouvytoday.com/google-play-store-these-23-android-applications-hide-a-dangerous-banking-malware/6596/

B.行動安全 / iPhone / Android / App

Google可能強制要求廠商針對熱門機種 1年內提供至少4次安全更新 以改善漏洞問題
https://bit.ly/2D7nkYz

iOS 12 似乎又擋掉了警方用的密碼破解應用
https://www.kocpc.com.tw/archives/225005

蘋果公司封鎖警方破解出來的「後門」,然而沒公佈詳細情況。
https://www.techapple.com/archives/26615

童子賢:建議政府調降5G頻譜競標拍賣的標金
https://www.chinatimes.com/realtimenews/20181029001553-260412

5G投資額龐大 童子賢籲政府調降頻譜標金
https://bit.ly/2yFVChL

兩款AudioCodes IP Phone受中間人攻擊,將洩露Skype for Business帳號隱私
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5042

香港地區 Google Play 商店應用程式保安風險報告 (2018年 10 月)
https://www.hkcert.org/my_url/zh/blog/18103101

Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed
https://thehackernews.com/2018/10/apple-macbook-microphone.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1862.kl0ao0dcsu.156u

Google Makes 2 Years of Android Security Updates Mandatory for Device Makers
https://bit.ly/2Jj4LRy

New iPhone Passcode Bypass Found Hours After Apple Releases iOS 12.1
https://thehackernews.com/2018/10/iphone-ios-passcode-bypass.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+TheHackersNews+%28The+Hackers+News+-+Security+Blog%29&_m=3n.009a.1862.kl0ao0dcsu.1570

Why 5G (and even 6G) could put your business at risk for a cyberattack
https://www.techrepublic.com/article/why-5g-and-even-6g-could-put-your-business-at-risk-for-a-cyberattack/

scrounger: Mobile application testing toolkit
https://securityonline.info/scrounge/?fbclid=IwAR0sGwht2H6PxeEplAkmt6VhQX3fuBxBdorbFphMpVVpW2do_8cAWUC0L7I

ONION3G – SIM Card that Enables You To Connect Your Mobile Data via Tor & Anonymous Browsing
https://gbhackers.com/onion3g-sim-card-anonymously/

Apple Blocks GrayKey Passcode Cracking Tech With The Latest iOS 12 Update
https://bit.ly/2CStieS

Signal Secure Messaging App Now Encrypts Sender's Identity As Well
https://bit.ly/2qm855y



C.事件 / 駭客 / DDOS / APT / 徵才 / 國際資安事件

107年資安技能金盾獎 臺大勇奪金盃
https://money.udn.com/money/story/10860/3444864

玉山資誠論壇10月31日舉行 教戰企業構築資安防線
https://times.hinet.net/news/22051458

資安影響企業營收 周建宏:傳統設備難應付攻擊
https://www.chinatimes.com/realtimenews/20181031003470-260410

「人才就像練肌肉,要用健康的組織結構吸引」:專訪資策會資安所長毛敬豪
https://www.inside.com.tw/2018/10/31/iii_csti_2018

到底在「鬼叫」什麼?盤點駭客搞怪手法
https://blog.trendmicro.com.tw/?p=57828

企業常遇到的四種網頁注入(Web Injection)攻擊
https://blog.trendmicro.com.tw/?p=57572

資誠:提前掌握網路威脅情資 可提高資安治理
https://tw.appledaily.com/new/realtime/20181031/1457919/

牛肉麵店老闆不單純 扮駭客改電郵詐騙貨款300萬
https://www.ettoday.net/news/20181031/1294718.htm

Tomorrowland 票務系統驚傳遭到駭客入侵,影響人數超過6萬人
https://bit.ly/2RoWTkd

給想學習黑客技術朋友們的一封信
https://hk.saowen.com/a/865f8f364337b6f3fe066e7d5fe77a428875cd34b46d986c212e15636435539a

智慧城市成愁城,Alphabet 陷於隱私僵局
https://technews.tw/2018/10/30/alphabet-sidewalk-labs-toronto-smart-city-privacy-nightmare/

REST範式替代品gRPC-Web釋出正式版
https://www.ithome.com.tw/news/126704?fbclid=IwAR2dobBw1YqXgbLoQ0wMxIGEsF8aeLu2alaV3g4f6v-tpU2JKpk29Hrj7es

Google隱形reCAPTCHA技術正式版出爐
https://www.ithome.com.tw/news/126702?fbclid=IwAR2YBKXiaX4HJipuQo7unc7wt0FnJ3aCCQePlc2FB_-0_dMjCHwvO_zWoFU

香港無人機表演遭干擾半數墮海
http://www.epochtimes.com/b5/18/10/29/n10814514.htm

定位系統遭入侵 旅發局取消無人機表演
https://bit.ly/2zaHWuC

GPS遭黑客入侵 美酒佳餚被迫取消無人機表演
http://www.orangenews.hk/news/system/2018/10/27/010102052.shtml

中共駭客攻擊現新證據 中國電信當黑手
http://tw.aboluowang.com/2018/1027/1195211.html

劫持西方重要網絡 中共以入網點截取資訊
http://www.epochtimes.com/b5/18/10/27/n10812177.htm

中國電信長期挾持經過美國與加拿大的流量
https://bit.ly/2zbluSj

9月來第三起! 中國情報官員遭控竊取美民用航空機密
https://money.udn.com/money/story/10511/3452130

中國電信劫持北美網路,挑動美方資安神經
https://technews.tw/2018/10/30/china-telecoms-bgp-hijacking/

不只假新聞!中國網攻密集 年底大選成為「練兵場」
https://www.upmedia.mg/news_info.php?SerialNo=50854

中國10名情報人員與駭客被控偷竊美國飛機引擎的技術
https://www.cmmedia.com.tw/home/articles/12552

兩個月三起!美密集起訴中共情報官員
https://bit.ly/2Q89AQe

竊取飛機引擎機密 美起訴10名中國間諜駭客
https://tw.news.appledaily.com/international/realtime/20181031/1457519/

美國NCSA及Intel合作UpdateMeow專案,提醒系統更新重要性
https://twcert.org.tw/subpages/securityInfo/securitypolicy_details.aspx?id=770

歐洲之星系統遭未授權存取,已重置客戶密碼
https://twcert.org.tw/subpages/securityInfo/hackevent_details.aspx?id=878

新加坡政府建構基礎設施,國民身分數位化加速金融科技發展
http://news.knowing.asia/news/be55b904-d6c6-4510-b651-dd7336b0c051

身懷此絕技 日本給你2千萬年薪
https://www.secretchina.com/news/b5/2018/10/31/875145.html

日本自衛隊擬招聘「白帽駭客」 年薪數千萬日圓
https://www.chinatimes.com/realtimenews/20181026002490-260408

日本政府招募白帽駭客,年薪相當新台幣 550 萬元
http://technews.tw/2018/10/29/japan-government-hiring-hackers-as-internet-defense/

網路攻擊威脅日益增多 日本自衛隊擬對外招聘「白色駭客」
https://hk.aboluowang.com/2018/1029/1196155.html

Cost of cybercrime to double to $6trn by 2021
http://saudigazette.com.sa/article/546335/BUSINESS/Cost-of-cybercrime-to-double-to-$6trn-by-2021?linkId=58961114

Bleedingbit zero-day chip flaws may expose majority of enterprises to remote code execution attacks
https://www.zdnet.com/article/new-bleedingbit-zero-day-vulnerabilities-impact-majority-of-enterprises-at-the-chip-level/#ftag=RSSbaffb68

CIA Vault7 leaker to be charged for leaking more classified data while in prison
https://www.zdnet.com/article/cia-vault7-leaker-to-be-charged-for-leaking-more-classified-data-while-in-prison/#ftag=RSSbaffb68

Cloud hosting is the secure solution you've been seeking
https://www.zdnet.com/article/cloud-hosting-is-the-secure-solution-youve-been-seeking/#ftag=RSSbaffb68

AustCyber to figure out what 'cyber skills' actually are
https://www.zdnet.com/article/austcyber-to-figure-out-what-cyber-skills-actually-are/#ftag=RSSbaffb68

US-CERT issues guide on how to properly dispose of your electronic devices
https://www.zdnet.com/article/us-cert-issues-guide-on-how-to-properly-dispose-of-your-electronic-devices/#ftag=RSSbaffb68

Did Google Bow To China In Refusing To Provide AI Technology For U.S. Defense
https://bit.ly/2DeznUb

US charges two Chinese intelligence officers 'and their team of hackers'
https://www.zdnet.com/article/us-charges-two-chinese-intelligence-officers-and-their-team-of-hackers/#ftag=RSSbaffb68

Computer Hacker Who Launched Attacks On Rutgers University Ordered To Pay $8.6m Restitution;
Sentenced To Six Months Home Incarceration
https://bit.ly/2OZTLhV

Analysis of North Korea's Internet Traffic Shows a Nation Run Like a Criminal Syndicate
https://www.securityweek.com/analysis-north-koreas-internet-traffic-shows-nation-run-criminal-syndicate

Arrest Of Intelligence Officer Sparks Fears Of Chinese Hacking Attack
https://www.cybersecurityintelligence.com/blog/arrest-of-intelligence-officer-sparks-fears-of-chinese-hacking-attack-3843.html

U.S. Maritime Industry Not Prepared for Future Cyber Attacks
https://www.multivu.com/players/English/84339241-jones-walker-2018-maritime-cybersecurity-survey-results/

4 Tips to Prevent Cyber Attacks
http://www.taylordata.com/4-tips-to-prevent-cyber-attacks/

Satellites of Canadian military operations are vulnerable to Cyber Attacks
https://www.cybersecurity-insiders.com/satellites-of-canadian-military-operations-are-vulnerable-to-cyber-attacks/

Cryptocurrency Clipboard Hijacker Discovered in PyPI Repository
https://bit.ly/2OX4eL1

We asked 100 people to name a backdoored router. You said 'EE's 4GEE HH70
https://bit.ly/2SoqKuz

Copyright Office Ruling Issues Sweeping Right to Repair Reforms
https://bit.ly/2Q1Wl3I

Pocket iNET ISP Exposed 73GB of Sensitive Data On Misconfigured S3 Bucket
https://bit.ly/2ObDW2o

Taiwan to share Chinese hacks data with private companies
https://on.ft.com/2Pp76Qh

Hacking Health Care: Silicon Valley’s Solutions To Elderly Care, Diabetes And More
https://bit.ly/2qei8tJ

Hackers Are So Fed Up With Twitter Bots They’re Hunting Them Down Themselves
https://bit.ly/2PshLK7

How you can improve your workflow using the JavaScript console
https://medium.freecodecamp.org/how-you-can-improve-your-workflow-using-the-javascript-console-bdd7823a9472

Army of 01101111: The Making of a Cyber Battalion
https://medium.com/@WIRED/army-of-01101111-the-making-of-a-cyber-battalion-3f1b39eed5d3

Quantum Computers Will Break the Encryption That Protects the Internet
https://medium.com/@the_economist/quantum-computers-will-break-the-encryption-that-protects-the-internet-88f6ff0aa0af

NodeJS Authentication with Password and JWT in Express
https://medium.com/@therealchrisrutherford/nodejs-authentication-with-passport-and-jwt-in-express-3820e256054f

Microsoft team members share the structure of Windows Kernel
https://bit.ly/2SrThPU

A few dollars to bring down sites with new Bushido-based DDoS-for-hire service
https://securityaffairs.co/wordpress/77413/hacking/bushido-ddos-for-hire-service.html

5 tips to keep your data safe and secure
https://bit.ly/2EPSRQE

How To Prevent Your Business Becoming Collateral Damage Of Geopolitical Cyber Conflict
https://bit.ly/2OaCvRT

Important information about the new capability of broadFileSystemAccess in UWP apps
https://bit.ly/2qguWiX

PasteJacker - Add PasteJacking To Web-Delivery Attacks
https://bit.ly/2RnKLQn

Multiple open source communities will discuss moving from mailing lists to forums
https://bit.ly/2zaV2s0

Clickjackings in Google worth 14981.7$
https://bit.ly/2qi9k66

Chrome OS 70 officially launched: Material Design style themes
https://bit.ly/2CNXV5l

Preventing Mimikatz Attacks
https://medium.com/blue-team/preventing-mimikatz-attacks-ed283e7ebdd5

How to Prevent a Cryptocurrency Exchange Hack with Kralanx
https://bit.ly/2SseZ6a

What a crane in the ass: Bug leaves construction machinery vulnerable to evil command injection
https://bit.ly/2qjNVcE

SILENTTRINITY – A Post-Exploitation Agent Powered By Python, IronPython, C#/.NET
https://bit.ly/2CPjaDG

Healthcare Security Summit Speaker on Vendor Risk Management
https://bit.ly/2AAiosR

New Internet Search Resources (OSINT)
https://inteltechniques.com/blog/2018/10/29/new-internet-search-resources-osint/

HOW CRITICAL IS INCIDENT RESPONSE MANAGEMENT TO ANY BUSINESS
https://www.eccu.edu/how-critical-is-incident-response-management-to-any-business/

US bans exports to Chinese DRAM maker citing national security risk
https://zd.net/2PtjGOI

5 Most Important Things to Consider When Selecting a VPN for Streaming
https://gbhackers.com/vpn-for-streaming/

NY Man Arrested for Cutting Wires to Red Light Cameras, Exposing Revenue Scheme
https://bit.ly/2OZUXSG

Google launches reCAPTCHA v3 that detects bad traffic without user interaction
https://www.zdnet.com/article/google-launches-recaptcha-v3-that-detects-bad-traffic-without-user-interaction/#ftag=RSSbaffb68

Password Cracker - Generating Passwords with Recurrent Neural Networks (LSTMs)
https://towardsdatascience.com/password-cracker-generating-passwords-with-recurrent-neural-networks-lstms-9583714a3310

Secure communications basics for journalists
https://medium.com/the-walkley-magazine/secure-comms-for-journalists-cryptoaustralia-3855b9c5791f

Boards have wider cyber security awareness but still struggle to manage risks
https://betanews.com/2018/10/30/board-level-security-awareness/

Introducing AdaNet: Fast and Flexible AutoML with Learning Guarantees
https://bit.ly/2F5ZY7N

THE BIGGEST CYBER HAWK AND PRYING EYE THREATS TO THE WORLD
https://bit.ly/2Ro7aNF

Google won't let you sign in if you disabled JavaScript in your browser
https://www.zdnet.com/article/google-wont-let-you-sign-in-if-you-disabled-javascript-in-your-browser/#ftag=RSSbaffb68

徵才 - 駐點資安維運工程師(外商)
https://www.104.com.tw/job/?jobno=6eofm


D.資料外洩/個資法/GDPR/網路詐騙/網路釣魚/盜刷

提防網上應用程式編程漏洞 洩露個人資料
https://www.hkcert.org/my_url/zh/blog/18103001

《病毒30演變史》歷年駭客/詐騙集團經典語錄
https://blog.trendmicro.com.tw/?p=57207

航空公司爆數據洩漏 企業資訊保安要做足
https://bit.ly/2Q6ZDSY

英國航空承認再有18.5萬客戶資料遭黑客入侵外洩 包括信用卡資料
https://bit.ly/2yCurEM

國泰航空個資外洩!乘客爆信用卡被盜
https://bit.ly/2RrNyrS

國泰航空遇駭洩顧客個資 確認5個月後才認挨轟
https://money.udn.com/money/story/5599/3442625

國泰洩密補救措施 恐未對症下藥
https://bit.ly/2Q3fz90

國泰航空個資外洩!乘客爆信用卡被盜刷 受害者不止一人
https://www.setn.com/News.aspx?NewsID=449699

上月才出事!英航坦承又有18.5萬乘客個資外洩
http://news.ltn.com.tw/news/world/breakingnews/2593134

又有航空公司爆資安漏洞 乘客個資上網就能查到
http://news.ltn.com.tw/news/world/breakingnews/2596084

國泰航空驚爆資安醜聞 系統半年前被駭 940萬筆乘客個資外洩
https://news.cnyes.com/news/id/4225795

國泰私隱外洩事主收「可疑電郵」 促再提供個人資料
https://bit.ly/2CN4hSl

外洩資料永存Dark Web 保安專家︰有機會幾年後被盜用
https://hk.finance.appledaily.com/finance/realtime/article/20181031/58855534

【CX洩私隱】英航國泰先後資料外洩 「寰宇一家」會員連環中招
https://hk.news.appledaily.com/local/realtime/article/20181026/58837941

電子登機證爆漏洞 改幾隻字即睇其他乘客個人資料
https://hk.news.appledaily.com/local/realtime/article/20181030/58851244

稍改網址  私隱盡洩 港航網大漏洞 登機證資料任睇
https://hk.news.appledaily.com/local/daily/article/20181030/20534131

香港航空電子登機證洩私隱 改網址字母任睇其他乘客個人資料 方保僑:恐違 GDPR 遭重罰
https://bit.ly/2SuHmAE

4大陷阱 施小惠誘人誤成詐騙共犯
http://news.ltn.com.tw/news/society/breakingnews/2594515

偽裝成「美女」勾搭騙財 浙江臨海警方抓獲網路詐騙團伙
https://news.sina.com.tw/article/20181026/28611804.html

失業男偷OL信用卡 塗改盜刷買手機變現
https://tw.appledaily.com/new/realtime/20181028/1455552/

機械公司遭夫妻竄改電郵詐騙 差1字損失293萬
http://news.ltn.com.tw/news/society/breakingnews/2597481

遇手機信號4G變2G千萬注意,當心網銀、支付帳戶餘額全部「蒸發」
https://ek21.com/news/1/141119/

「網路購物設定錯誤」 詐騙集團得手上百萬
https://udn.com/news/story/7320/3450791

專騙一般民眾的郵件詐騙手法激增,對方聲稱知道你的密碼,並以恐嚇方式騙取比特幣
https://www.ithome.com.tw/news/126766

ATM當機匯款被吞 女子意外躲過電信詐騙
http://www.epochtimes.com/b5/18/11/1/n10822962.htm

提防網上應用程式編程漏洞 洩露個人資料
https://www.hkcert.org/my_url/zh/blog/18103001

Phishing for knowledge
https://securelist.com/phishing-for-knowledge/88268/

British Airways: additional 185,000 passengers may have been affected
https://bit.ly/2yEnjYu

British Airways Hack Update: 185,000 More Customers Found Affected
https://bit.ly/2JqKg5C

UK Facebook Fine: Just the Beginning
https://www.bankinfosecurity.com/interviews/uk-facebook-fine-just-beginning-i-4155

Cathay Pacific Suffered Data Breach Affecting 9.4 Million Customers
https://bit.ly/2O9UY0R

Cathay Pacific Breach: What Happened
https://www.bankinfosecurity.com/cathay-pacific-breach-what-happened-a-11644

British Airways Finds Hackers Stole More Payment Card Data
https://www.bankinfosecurity.com/british-airways-finds-hackers-stole-more-payment-card-data-a-11645

How to spot a phishing email
https://medium.com/@sreeram.networking/how-to-spot-a-phishing-email-d4673f6f5939

How to Block Robocalls and Spam Calls
https://medium.com/pcmag-access/how-to-block-robocalls-and-spam-calls-32a3429c3cab

Facebook Fined £500,000 for Cambridge Analytica Data Scandal
https://bit.ly/2SoctOj

Girl Scouts Alerted to Possible Data Breach
https://bit.ly/2zcATSd


E.研究報告

新一代 React API — React Hooks
https://bit.ly/2OZDzgT

WebExec漏洞原理與分析淺談
https://www.anquanke.com/post/id/162884

從Scrum到ScrumBan-實例記錄和分析
https://bit.ly/2yEzd4v

打造超省 CentOS 家用伺服器
https://bit.ly/2JpG1Y5

從WebLogic 看反序列化漏洞的利用與防禦
https://paper.seebug.org/728/

CTF編碼全家桶
https://bit.ly/2CL42r9

看!這裡有三種非Web型的XSS注入漏洞
https://xz.aliyun.com/t/3048

Gmail 和Google 的兩個XSS 老漏洞分析
https://toutiao.io/posts/s2p72q/preview

漏洞戰爭-cve-2010-2883
https://bbs.pediy.com/thread-247518.htm

賽門鐵克郵件網關身份驗證繞過漏洞(CVE-2018-12242)分析
https://www.zkaq.org/?t/1431.html

探尋Metasploit Payload模式背後的秘密
https://bit.ly/2ProvrB

OpenSSL-CVE-2015-1793漏洞分析
http://www.mottoin.com/tech/122368.html

Ping死你!| Apple CVE-2018-4407 內核漏洞利用與修復
https://www.anquanke.com/post/id/163080

對某HWP漏洞樣本的分析
https://www.anquanke.com/post/id/163085

網絡安全基礎,緩衝區溢出漏洞解析
https://hk.saowen.com/a/d5bd065eaff4c341e242ec2c49d057f68403f2435ebb7e756ed5b09d724fd946

Build a progressive web app using Vue CLI 3
https://bit.ly/2OYMsHh

JQShell - A Weaponized Version Of CVE-2018-9206
https://bit.ly/2AzTxFz

Out-of-Bounds write in systemd-networkd dhcpv6 option handling
https://bit.ly/2AzT5XT

Brass Horn Comms - Onion3G
https://bit.ly/2zccAnh

Cybersecurity Future Trends: Why More Bots Means More Jobs
https://ibm.co/2qdBCyz

Cloudflare WAF Bypass Vulnerability Discovered
https://bit.ly/2EWxFZo

Lynis 2.7.0 releases: Open source auditing in Linux system
https://bit.ly/2CK6luu

Not Your Ordinary OSCP Review
https://bit.ly/2z8EOiR

vuLnDAP: A vulnerable LDAP based web app written in Golang
https://bit.ly/2zbP4XQ

Top Five Ways the Red Team breached the External Perimeter
https://bit.ly/2RlZc7O

Top Five Ways I gained access to Your Corporate Wireless Network (Lo0tBo0ty KARMA edition)
https://bit.ly/2qecI1F

Top Five Ways I Got Domain Admin on Your Internal Network before Lunch (2018 Edition)
https://bit.ly/2z6tUdz

Questions RE: setting up Lightning Node on Raspberry Pi with Stadicus' guide
https://bit.ly/2CMahuz

Beginner’s Guide to ️⚡Lightning️⚡ on a Raspberry Pi
https://bit.ly/2Pqz0LQ

kemon: Open-Source Pre macOS Kernel Monitoring
https://securityonline.info/kemon/

Top 10 Penetration Testing & Ethical Hacking Linux Distributions – 2018
https://gbhackers.com/top-10-penetration-testing-ethical-hacking-linux-distributions/

maltrail v0.10.500 releases: Malicious traffic detection system
https://bit.ly/2OVGUxq

Ethical-Hacking-Resources
https://bit.ly/2z6HeyG

memtriage: quickly query a Windows machine for RAM artifacts
https://bit.ly/2JibsmO

repo-security-scanner: finds secrets accidentally
https://bit.ly/2z9tOSn

PhishX –Spear Phishing Tool for Capturing Credentials
https://bit.ly/2qfjbcS

admin-panel-finder: A powerful admin login page finder in python
https://bit.ly/2AuK56e

OWASP Mutillidae II 2.6.71 releases
https://bit.ly/2O8osMI

WMImplant: RAT powershell Tool
https://bit.ly/2Jj0cXv

HOW TO BUILD YOUR OWN ROGUE GSM BTS FOR FUN AND PROFIT
https://bit.ly/2SmjhMm

BUILD A LAPTOP WITH RASPBERRY PI
https://bit.ly/2D85ogw

Superando la carencia de talento en ciberseguridad
https://bit.ly/2OaorHW

CrabStick v2.0.0 releases: Automatic LFI/RFI vulnerablity analysis and exploit tool
https://bit.ly/2EKj6I2

Ropper v1.11.8 releases: find gadgets to build rop chains for different architectures
https://bit.ly/2OTF6os

WiFi-Pumpkin v0.8.7 beta released, Framework for Rogue Wi-Fi Access Point Attack
https://bit.ly/2EZewFQ

hate_crack v1.06 released: automating cracking methodologies through Hashcat
https://bit.ly/2zfcsno

hashcat v5.0 releases: advanced password recovery utility
https://bit.ly/2ET8KWn

API reference
https://developer.android.com/reference/

Web Architecture 101
https://bit.ly/2OS3OWi

Nemea: System for network traffic analysis and anomaly detection
https://securityonline.info/nemea/

XSStrike v3.0 beta released: advanced XSS detection and exploitation suite
https://securityonline.info/xsstrike/?fbclid=IwAR1lsVOwWOqnL0l3gpSZF-0boj7rQqembyoIvnIsq5oa6ba6s_pO-DETzWE

Cyberry: 1 Vulnhub Hacking Challenge Walkthrough
https://bit.ly/2zaJDs1

subfinder v1.2 releases: subdomain discovery tool
https://securityonline.info/subfinder/?fbclid=IwAR17WZ5D15Gs0Cem1uH9_Hp2TSXM1rpE_RmFD2SQcWrxEBZh3ymeLV5JiIk

Cyberry: 1 Vulnhub Hacking Challenge Walkthrough
https://bit.ly/2EOZkLB

Leaked: iOS 12.1 will be released on October 30th
https://bit.ly/2qfGJOL

subfinder v1.2 releases: subdomain discovery tool
https://securityonline.info/subfinder/?fbclid=IwAR3sw-DL4SDnVnyhBA24SqZMiYMqGLLEqcXYbya-rQN-1XeomL9MsZNEVl0

DependencyCheck v3.3.4 releases: detects publicly disclosed vulnerabilities in application dependencies
https://bit.ly/2PY8qqq

Hawkeye scanner-cli v1.3.3 releases: security/vulnerability/risk scanning tool
https://securityonline.info/hawkeye/?fbclid=IwAR0aheBUFniY7I8ZZFzMUqv54_kpYwqRKl9oNg2hhJ11CWlj4ZcBVi9XxdM

DOGE: Darknet Osint Graph Explorer
https://bit.ly/2JnFohp

blitz: Incident Response Automation Framework
https://securityonline.info/blitz/

Recon-ng – Open Source Intelligence (OSINT) Reconnaissance Framework
https://bit.ly/2Rn6KXS

Metadata-Attacker : A Tool To Generate Media Files With Malicious Metadata
https://kalilinuxtutorials.com/metadata-attacker/

ADRecon: Active Directory gathering information tool
https://bit.ly/2Q6rZNg

Faraday v3.2 - Collaborative Penetration Test and Vulnerability Management Platform
https://www.kitploit.com/2018/10/faraday-v32-collaborative-penetration.html?utm_source=dlvr.it&utm_medium=facebook

Dirhunt – Search and Analyze Target Domain Directories
https://bit.ly/2zdyDu6

Kotlin 1.3 Released with Coroutines, Kotlin/Native Beta, and more
https://bit.ly/2Q4s6ZH

Kodachi 5.0 The Secure OS
https://www.digi77.com/linux-kodachi/?fbclid=IwAR0bGz2WrufUNfw-lgitj1rYlj1Uc0wsFJRkDjsG5UiQtQn1wo9j_CDqu8c

Benefits of DNS Service Locality
https://ubm.io/2yBZd0k

Modern Microprocessors A 90-Minute Guide
https://bit.ly/2OYwRYo

Xori – Custom disassembly framework
https://securityonline.info/xori-custom-disassembly-framework/

hardentools v2.0-rc1 releases: disables a number of risky Windows features
https://bit.ly/2RoC3By

strace v4.25 releases: diagnostic, debugging and instructional userspace utility
https://bit.ly/2ACiGzx

Android Studio 3.4 Canary 2 Releases
https://bit.ly/2zhqhBE

munin v0.9.1 released: Online hash checker for Virustotal and other services
https://bit.ly/2DbMYvz

pcileech 3.6 releases: Direct Memory Access (DMA) Attack Software
https://bit.ly/2qmLC8M

rsyslog v8.39.0 releases: a Rocket-fast SYStem for LOG processing
https://securityonline.info/rsyslog/?fbclid=IwAR07gQN70aVKjp-ftB_bYkXcSBn5ss_fT8eR8MnGT4LoDPRREV-RPT7y1u8

manticore v0.2.2 releases: Dynamic binary analysis tool
https://bit.ly/2DfjZH8


F.商業
網路資安與雲服務成長帶動 零壹前三季獲利年增逾25% EPS 1.5元
https://news.cnyes.com/news/id/4226494

中華電打造 SDN管控及軟體式雲端資料中心方案
https://money.udn.com/money/story/5612/3444895

330億美元買下Red Hat IBM成立107年來最大手筆併購
https://udn.com/news/story/6811/3448114

遠通電收導入DynaShield 把關個資更全面
https://www.chinatimes.com/newspapers/20181030000396-260210

Mesosphere釋出DC/OS 1.12版,通吃多雲及邊緣運算環境
https://www.ithome.com.tw/news/126689

納入網址過濾與內容安全即時分析,Akamai強化網頁瀏覽防護
https://www.ithome.com.tw/review/126694

讓AMD產品時程準確到位的Infinity Fabric
https://bit.ly/2RsCSte

容器資安新創Aporeto推新產品,提供VMware Kubernetes引擎環境監控、資安服務
https://www.ithome.com.tw/news/126797

IBM Buys "Red Hat" Open-Source Software Company for $34 Billion
https://bit.ly/2Pz3TxJ

G.政府

資料被鎖在銀行公平嗎?金管會研究OpenBanking
https://bit.ly/2Ob7dKJ

亞太洗錢防制10天後來台 受檢名單出爐「跌破金管會眼鏡」
https://bit.ly/2PpFQkF

用FinTech重現台灣科技島榮耀 顧立雄鼓勵大小錢都用行動支付
https://news.cnyes.com/news/id/4228126

比特幣如何課稅 關鍵在明年金管會定義
https://www.ettoday.net/news/20181030/1293520.htm


H.工控系統  SCADA / ICS Security

周末充電課程,進階智能設備漏洞挖掘
https://read01.com/AJdNeeO.html#.W9m1x5MzbIU

智慧製造系統開始連網 流量可視化與資安需求浮現
https://www.digitimes.com.tw/iot/article.asp?cat=130&cat1=50&cat2=25&id=0000545665_9pk7eqpo532sdg6v1x0mq

工業4.0高風險?台積電資安事件後,「每個工廠都很害怕!」
https://www.cw.com.tw/article/article.action?id=5092718

研華改善WebAccess HMI/SCADA遠端監控軟體數項弱點
https://twcert.org.tw/subpages/securityInfo/loophole_details.aspx?id=5041

Advisory (ICSA-18-296-01) Advantech WebAccess
https://bit.ly/2qgKHq8

What you need to know about Cybersecurity when adopting IIoT solutions
https://iiot-world.com/cybersecurity/what-to-know-about-cybersecurity-when-adopting-iiot-solutions/

This is how hackers can take down our critical energy systems through the Internet
https://www.zdnet.com/article/this-is-how-hackers-can-take-down-our-core-water-energy-systems/#ftag=RSSbaffb68

Medical Device Security Best Practices From Mayo Clinic
https://www.bankinfosecurity.com/interviews/medical-device-security-best-practices-from-mayo-clinic-i-4159


I.教育訓練類

Kali學習筆記
https://www.cnblogs.com/xuyiqing/category/1213186.html

Open Source Summit Europe & ELC + OpenIoT Summit Europe 2018
https://bit.ly/2yDYADm

An introduction to Raspberry Pi GPIO
https://bit.ly/2zbxKlz

Xcode and LLDB Advanced Debugging Tutorial: Part 1
https://medium.com/@fadiderias/xcode-and-lldb-advanced-debugging-tutorial-part-1-31919aa149e0

Introduction to LFI/RFI vulnerabilities and their mitigation - Local and Remote File Inclusion hack
https://bit.ly/2yKP2XB

How to create a Bitcoin wallet address from a private key
https://medium.freecodecamp.org/how-to-create-a-bitcoin-wallet-address-from-a-private-key-eca3ddd9c05f

How you can protect Microsoft Exchange from cyber attacks
https://medium.com/iron-bastion/protecting-microsoft-exchange-from-cyber-attacks-a8c38f68a06b

Cyberwar 101
https://medium.com/@gentrylane/cyberwar-101-4fcc98671bdf

The Complete JavaScript Handbook
https://medium.freecodecamp.org/the-complete-javascript-handbook-f26b2c71719c

How can I prevent 'grep' from showing up in ps results?
https://bit.ly/2Dgdkwm

Python to PHP Communication — How to Connect to PHP services using Python
https://medium.com/@rossbulat/python-to-php-communication-how-to-connect-to-php-services-using-python-f48893a2c98e

三十篇資安實例分享及解析DAY 18--三立電視台離職工程師,涉嫌利用「洋蔥網路」,駭入三立的網路影音平台
https://ithelp.ithome.com.tw/articles/10205355

三十篇資安實例分享及解析DAY 19--個資蟑螂集團
https://ithelp.ithome.com.tw/articles/10205547

三十篇資安實例分享及解析DAY 22--內政部舉辦「身分證明文件再設計徵選活動」,遭對案駭客攻擊
https://ithelp.ithome.com.tw/articles/10206573?sc=rss.qu

1.45億條個人資訊被洩露?看看裡面有你嗎?【鐵人挑戰13天】
https://ithelp.ithome.com.tw/articles/10204786

J.玄武實驗室每日安全動態推送

每日安全動態推送(10-29)
https://tw.weibo.com/xuanwulab/4300462834379282

每日安全動態推送(10-30)
https://tw.weibo.com/xuanwulab/4300804028367372

每日安全動態推送(10-31)
https://tw.weibo.com/xuanwulab/4301169909596672

每日安全動態推送(11-01)
https://tw.weibo.com/xuanwulab/4301529848430711

每日安全動態推送(11-02)
https://tw.weibo.com/xuanwulab/4301896077828442


K.物聯網/IOT/人工智慧/車聯網/光聯網/深度學習/機器學習/無人機

為企業物聯網而生,BlackBerry Spark 超安全連接設計,讓隱私保護不再妥協
https://bit.ly/2JrcEVe

虎頭山物聯網基地動土 亞洲矽谷計畫再邁步
https://bit.ly/2P4uxzj

美國會報告:中共將「物聯網漏洞」武器化
http://www.epochtimes.com/b5/18/10/30/n10818464.htm

物聯網時代資安風險遽增 專家:防不勝防
https://bit.ly/2JymOU7

Ceiling Analysis in Deep Learning and Software Development
https://bit.ly/2z5Gbz1

IoT: Solving the problem of connectivity on the move
https://www.zdnet.com/article/iot-solving-the-problem-of-connectivity-on-the-move/#ftag=RSSbaffb68


L.CTF

Lampião: 1 Vulnhub CTF Challenge Walkthrough
https://bit.ly/2yI1SFN

Jarbas: 1 Vulnhub CTF Challenge Walkthrough
https://bit.ly/2yAZ51d

SECCON 2018 – Web Ghostkingdom 題解
https://bit.ly/2P4UJd3

CTFs
https://ctftime.org/ctfs

Google CTF
https://capturetheflag.withgoogle.com/



4.近期資安活動及研討會
 
  ISDA 白帽駭客巡迴入門〈1〉11/03
  https://reg.isda.org.tw/info.php?no=28

  【課程】機器視覺原理與實作,從影像處理到動態分析物體追蹤,用Python+OpenCV打造實際應用 11/3
  https://bit.ly/2ReY6dQ

  Machine Learning Study Group Session#7: Deep Learning with Python  11/3
  https://www.meetup.com/Women-Who-Code-Taipei/events/255844670/

  Building and Investigation with EnCase? (DF210) (原CF2)  11/5 ~ 11/8
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=41

  Imperva 2018 資安趨勢論壇 11/7
  https://seminar.ithome.com.tw/live/20181107Imperva/index.html

  ANSYS CFX進階訓練課程 11/7 ~ 11/8
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3705&from_course_list_url=homepage

  Functional Thursday #69 (時間更動:11/8)
  https://www.meetup.com/Functional-Thursday/events/255503800/

  【課程】Apache Spark 大數據處理平台技術實務,企業主流、超高速運算,結合機器學習套件進行實作 11/9
  https://www.techbang.com/posts/59350-apache-spark-large-data-analysis-combat

  亥客書院 - DDoS原理與實務  11/10
  https://hackercollege.nctu.edu.tw/?p=774

  認證系統安全從業人員SSCP輔導班  11月10日至11月18日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=277

  新型態資安實務示範課程教學教師研習營  11/10 ~ 11/11
  https://docs.google.com/forms/d/e/1FAIpQLScCByNq_aQ6kIXawayMQPq9yMTtlFXkQ6JVTPrtpBh3TVGzoA/viewform

  Magnet原廠授權認證課程Magnet AXIOM Examinations 11/12 ~ 11/15
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=42

  SQL Migration to Azure Data service實作課 11/13
  https://bit.ly/2Nx6tiy

  資安趨勢與企業因應管理(可抵內稽)  11月13日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=280

  Amber MD 軟體訓練課程 11/14 ~ 11/15
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3706&from_course_list_url=homepage

  DRBL與Clonezilla「集中管理環境」進階課程 11/14 ~ 11/15
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3697&from_course_list_url=homepage

  主機系統效能監控 11/15
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3726&from_course_list_url=homepage

  TANet區/縣(市)網路效能量測系統建置實務+雲端量測之介紹與實務 11/16
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3758&from_course_list_url=homepage

  原廠認證Cellebrite Certified Operator (CCO)  11/19 ~ 11/20
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=43

  Fortinet 2018 數位 X 資安 轉型論壇  11/15
  https://seminar.ithome.com.tw/live/2018fortinet/index.html?eDM_V1

  Python 應用教學課程-微分方程求解 1~2 11/16 ~ 11/23
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3749&from_course_list_url=homepage

  【課程】Raspberry Pi 3樹莓派遊戲機實作,GPIO教學、傳感器應用、系統整合,入門到應用一天學會 11/17
  https://bit.ly/2qelKfh

  網站安全與稽核簡介(Ⅰ)(可抵內稽)  11月15日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=281

  系統弱點分析與安全測試實務 11/20
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3764&from_course_list_url=homepage

  網站安全與稽核簡介(Ⅱ)(可抵內稽)  11月23日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=282

  認證資訊系統安全專家 CISSP 輔導班 11月24日至12月8日
  https://twcert.org.tw/subpages/securityInfo/securityactivity_details.aspx?id=278

  Metasploit與滲透測試實務 11/25 ~ 11/26
  https://hackercollege.nctu.edu.tw/?p=641

  【課程】區塊鏈技術實作,學習DApp去中心化應用、動手寫智能合約、發行自己專屬的代幣  11/26   11/28
  https://www.techbang.com/posts/61972-courses-blockchain-dapp-smart-contracts

  平行計算程式設計基礎課程 11/27
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3701&from_course_list_url=homepage

  Taipei.py 十一月月會 (Monthly Meeting) 2018   11/29
  https://www.meetup.com/Taipei-py/events/255543630/

  開源碼WAF實作 11/29
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3765&from_course_list_url=homepage

  網路攻防實務 11/29
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3539&from_course_list_url=homepage

  Python 應用教學課程-平行處理 1~3 11/30 ~ 12/14
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3750&from_course_list_url=homepage

  【課程】Kubernetes(K8S)實戰班,容器編排管理絕佳工具,理論實作並重,有效打造企業級 DevOps 環境 12/1 12/2
  https://bit.ly/2rAkB2q

  ABAQUS基礎訓練課程 12/4 ~ 12/6
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3709&from_course_list_url=homepage

  EnCase EnCE 認證考試 Preparation 課程  12/5 ~ 12/7
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=44

  TANet/TWAREN監控平台與即時流量異常偵測系統介紹 12/6
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3766&from_course_list_url=homepage

  駭客入侵調查暨資安緊急應變實務 12/10 ~ 12/11
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=45

  TANet/TWAREN監控平台與即時流量異常偵測系統介紹 12/11
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3767&from_course_list_url=homepage

  網路封包分析 12/13
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3654&from_course_list_url=homepage

  台灣駭客年會 HITCON Pacific 2018 12/13 ~ 12/14
  https://hitcon.kktix.cc/events/hitcon-pacific-2018

  亥客書院 - 進階網頁滲透測試  12/15
  https://hackercollege.nctu.edu.tw/?p=323

  Python 應用教學課程-雲端服務 1~3 12/21 ~ 1/4
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3753&from_course_list_url=homepage

  專業手機暨硬碟資料救援教育訓練課程 12/26 ~ 12/28
  http://www.iforensics.com.tw/cgi-bin/registform.cgi?pick=46

  系統日誌分析實務  12/27
  https://edu.nchc.org.tw/course/one_course_introduction.asp?lms_auto_course_id=3653&from_course_list_url=homepage

  亥客書院 - 高階網頁滲透測試    2019/1/5
  https://hackercollege.nctu.edu.tw/?p=768

留言

這個網誌中的熱門文章

9月份資安社群及教育訓練活動分享

9月份資安社群及教育訓練活動分享


 HITCON HackDoor 駭入辦公室 7/2 ~ 9/28
 https://www.accupass.com/event/1906050355291064968019

 MLDM Monday|用開放資料玩出政府創新應用 : 當雨神來臨時  9/2
 https://www.meetup.com/Taiwan-R/events/262992081/

 Taipei Rails Meetup  9/3
 https://www.meetup.com/rails-taiwan/events/dlgzljyzmbfb/

 高雄 Rails Meetup 9/4
 https://www.meetup.com/rails-taiwan/events/qxfvjkyzmbgb/

 Android Code Club(Taipei) 9/4
 https://www.meetup.com/Taiwan-Android-Developer-Study-Group/events/bsctnqyzmbgb/

 SyntaxError 9/4
 https://www.meetup.com/pythonhug/events/tnzzgpyzmbgb/

 工業控制系統資安研討會 9/5
 http://bit.ly/2NsMvt5

 HackingThursday 固定聚會 9/5
 https://www.meetup.com/hackingthursday/events/vkhnnqyzmbhb/

 TWJUG 201909 聚會 9/5
 https://www.meetup.com/taiwanjug/events/264123847/



8月份資安社群及教育訓練活動分享

8月份資安社群及教育訓練活動分享

 HITCON HackDoor 駭入辦公室 7/2 ~ 9/28
 https://www.accupass.com/event/1906050355291064968019

 The Virus Bulletin Conference 2019 8/1
 https://www.virusbulletin.com/blog/2019/06/free-vb2019-tickets-students/

【社群】8/1(四) RASPBERRY PI + ROS,實現無人自駕
 https://ctsphub.tw/20190801_robotnight/

 HackingThursday 固定聚會 8/1
 https://www.meetup.com/hackingthursday/events/vkhnnqyzlbcb/

 資安事件調查實務(上)  8/2
 https://tp2rc.tanet.edu.tw/node/306?fbclid=IwAR11YQmw-28fOA6LUrsNiFKd7ccaAiMa5cZsYf22iRfTUR5LPYXwjqZNo2I

 【CIT週末玩程式】- (8月)認識電腦與程式邏輯訓練(I) 8/3
 https://www.meetup.com/Women-Who-Code-Taipei/events/jtcjfryzlbfb/

 Python 基礎工作坊@TMU 8/6
 https://www.meetup.com/Women-Who-Code-Taipei/events/mfnfcryzlbjb/

5月份資安、社群活動分享

5月份資安、社群活動分享

 108年度資安初學者挑戰活動 (MyFirstCTF) 5/1 ~ 5/10 報名
 https://ais3.org/mfctf/

 HackingThursday 固定聚會  5/2
 https://www.meetup.com/hackingthursday/events/vkhnnqyzhbdb/

 Python 商務網站 * 極速學習 (2019春季 - 台北)  5/2
 https://cjltsod.kktix.cc/events/django-2019-spring-taipei

 國票金控「純網銀鯰魚與資安技術漣漪」日本樂天技術結合台灣AI 人工智慧發表會  5/2
 https://www.accupass.com/event/1904111400151860776797

 資安法 X 技術實務論壇  5/2
 https://csa.kktix.cc/events/csa190502

 國立交通大學 亥客書院 - 基礎網站安全建構實務  5/4
 https://hackercollege.nctu.edu.tw/?p=1045

 ISDA 白帽菁英萌芽計劃II 0505 
 https://reg.shield.org.tw/info.php?no=54

 Pwn入門  5/5
 https://hackersir.kktix.cc/events/fcu190505

 Elixir台灣 台北 Meetup # Monday, May 6, 2019
 https://www.meetup.com/elixirtw-taipei/events/njjhvpyzhbjb/

 公部門之AI資安防護新思維研討會 5/7
 http://www.cisanet.org.tw/News/activity_more?id=MTQzOA==

 向資安服務看齊 我們一起讓資安從「有做」到「有效」  5/8 ~ 5/10
 https://www.informationsecurity.com.tw/Seminar/2019_all/

 資安危機 - 進擊的勒索加密軟體 2019-05-09(四) 14:45 ~ 17:00
 https://www.accupass.com/event/19041703435474776…