Hello Hacking8!

一些阅读源码和Fuzzing 的经验,涵盖黑盒与白盒测试..

CVE-2022-0185

Linux kernel exploitation lab.

On the surface Telegram may seem like just another instant messaging app, but when you dig deep, the reality couldn't be more different.
The post Dark Web Threat Intelligence Part 1: Deep Dive into the Criminal Underground Network on Telegram appeared first on Security Boulevard.
从表面上看，Telegram 似乎只是另一个即时通讯应用，但是当你深入挖掘的时候，事实却大不相同。
后黑暗网络威胁情报第一部分: 深入地下犯罪网络的电报首先出现在安全大道。

Dear blog readers,
I've decided to share with everyone an in-depth historical OSINT analysis on some of the primary pay per install rogue fraudulent and malicious affiliate network based rogue and fraudulent revenue sharing scheme operating malicious software gangs that are known to have been active back in 2008 with the idea to assist everyone in their cyber campaign attribution efforts.
Sample portfolio of pay per install rogue fraudulent and malicious affiliate network domains known to have been in operation in 2008 include:
vipsoftcash[.]com
iframevip[.]com
avicash[.]com
softmonsters[.]biz
cashboom[.]biz
loader[.]cc
luxecash[.]com
iframepartners[.]com
installsforyou[.]biz
topsale2[.]ru
cashcodec[.]com
go-go-cash[.]com
oxocash[.]com
3xl-cash2[.]com
3xlpartnership[.]com
installs4sale[.]com
profitclick[.]org
megatraffer[.]com
oemcash[.]com
goldencashworld[.]biz
topsale[.]us
installsmarket[.]com
profit-cash[.]biz
ADWSearch[.]com
ovocash[.]com
loadsprofit[.]com
exerevenue[.]com
adwaredollars[.]com
yabucks[.]co

用于检测gradle项目的第三方依赖组件是否存在安全漏洞。

一项新调查显示，过去三年中，针对世界各地公司的网络攻击数量增加了 15%。

师傅们好，我有个最近见过几次的逻辑漏洞，主要实现方式是将被查询参数留空发送请求，响应包里会返回所有的查询内容（正常业务逻辑是根据被查询参数内容返回一条...

FFmpeg for browser and node, powered by WebAssembly

之前一直都把重点放在如何获取权限，而却忽视了获取权限之后如何维持，本文作为学习笔记记录一下，欢迎探讨。

First, the Guardian makes it clear that a conspiracy is real: …groups involved in banning books are in fact linked, and backed by influential conservative donors. Second, a racist motive is obvious: In Pennsylvania, the Central York school board banned a long list of books, almost entirely titles by, or about, people of color, including … Continue reading Billionaires Fund Campaigns to Ban Books in American School →
The post Billionaires Fund Campaigns to Ban Books in American School appeared first on Security Boulevard.
首先，《卫报》明确指出，一个阴谋是真实存在的: ... ... 参与禁书的团体实际上是有联系的，并得到了有影响力的保守派捐赠者的支持。其次，种族主义动机是显而易见的: 在宾夕法尼亚州，纽约中央学校董事会禁止了一长串的书籍，几乎全是有色人种的书籍，包括... ... 继续阅读亿万富翁基金运动，在美国学校禁止图书→
后亿万富翁基金运动禁止图书在美国学校首先出现在安全大道。

Phoenix TS Is proud to be a trusted and verified partner of CompTIA! CompTIA (The Computing Technology Industry Association) is globally recognized for providing vendor neutral training and certifications that help drive the market of information technology.   Phoenix has collaborated with CompTIA to provide training that allows professionals to pursue the most sought-after certifications […]
The post CompTIA and Continuing Education (CE’s) appeared first on Phoenix TS.
The post CompTIA and Continuing Education (CE’s) appeared first on Security Boulevard.
凤凰 TS 是自豪的是一个可信赖和证实的合作伙伴计划！计算机技术行业协会(comtia)是全球公认的提供供应商中立的培训和认证，有助于推动信息技术市场。菲尼克斯与 CompTIA 合作，提供培训，使专业人士追求最受欢迎的认证[ ... ]
后计划和继续教育(CE’s)首先出现在凤凰 TS。
后计划和继续教育(CE’s)首先出现在安全大道。

Adversary Emulation Framework

An eBPF program debugger

Collection of various WINAPI tricks / features used or abused by Malware

The post What Logistics Leaders Need To Know About APIs in Supply Chain Cyber Security appeared first on Security Boulevard.
关于供应链网络安全中物流领导者需要了解的 api 的帖子首先出现在安全大道上。

via the respected security expertise of Robert M. Lee and the superlative illustration talents of Jeff Haas at Little Bobby Comic
Permalink
The post Robert M. Lee’s & Jeff Haas’ Little Bobby Comic – ‘WEEK 365’ appeared first on Security Boulevard.
通过受人尊敬的安全专家罗伯特 m. 李在小鲍比漫画最高级的插图天赋
Permalink
罗伯特 · m · 李和杰夫 · 哈斯的《小鲍比》漫画《第365周》首次出现在安全大道上。

Our thanks to Security BSides London for publishing their tremendous videos from the Security BSides London 2021 Conference on the organization’s YouTube channel. Enjoy!
Permalink
The post Security BSides London 2021 – Security Queens’ ‘From Paupers To Queens: The Tale Of Two Wannabe Hackers’ appeared first on Security Boulevard.
我们感谢伦敦安全协会在该组织的 YouTube 频道上发布了他们在伦敦安全协会2021年会议上的大量视频。享受吧！
Permalink
后2021年伦敦安全双城-安全皇后’’从乞丐到皇后: 两个想成为黑客的故事’首次出现在安全大道。

By Steve Hanna, Co-chair of TCG’s Industrial Work Group and IoT Work Group Many sectors now utilize Internet of Things (IoT) equipment to drive digital transformation, and ultimately increase automation and efficiency. In particular, the energy sector is seeing wide implementation, from the equipment used in oil and gas extraction, to the tools monitoring an … Continue reading "Protecting the energy sector’s industrial IoT"
The post Protecting the energy sector’s industrial IoT appeared first on Trusted Computing Group.
The post Protecting the energy sector’s industrial IoT appeared first on Security Boulevard.
作者: 史蒂夫 · 汉纳，TCG 工业工作组和物联网工作组的共同主席许多部门现在利用物联网设备来推动数字化转型，并最终提高自动化和效率。特别是，能源部门正在广泛实施，从石油和天然气开采使用的设备，到监测工具... ... 继续阅读”保护能源部门的工业物联网”
保护能源部门的工业物联网最先出现在可信计算集团上。
保护能源部门的工业物联网最早出现在安全大道上。

Topic: UniFi Network Application Unauthenticated Log4Shell Remote Code Execution Risk: High Text:## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-...
主题: UniFi 网络应用程序未经身份验证 Log4Shell 远程代码执行风险: 高文本: # # # 此模块需要 Metasploit:  https://Metasploit.com/download  # 当前来源:  https://github.com/rapid7/Metasploit-  ..。

Topic: LDaRosa Xpath Injection Vulnerability Risk: Medium Text:********************************************************* #Exploit Title: LDaRosa Xpath Injection Vulnerability #Date: 2022-0...

Topic: Online Project Time Management 1.0 SQL Injection Risk: Medium Text:## Title: Online Project Time Management 1.0 Multiple SQL - Injections ## Author: nu11secur1ty ## Date: 01.20.2022 ## Vendor...

Compound Actions align with MITRE ATT&CK TTPs at the procedure level.

Registrations Open for IWCON 2022 — the Online Infosec Conference & Networking Event
Listen to 15+ awesome speakers and meet some of the coolest peeps in Infosec!
Register for IWCON 2022 here.
The editorial team of Infosec Writeups is happy to announce that we are organizing IWCON 2022 — our first-ever virtual conference and networking event on 26–27 February 2022.
Our goal is to dissect not just technical aspects, but highlight the human angle of being in Infosec.
Learn more details here.
Why attend IWCON 2022?
We have speakers from around the world to share their personal stories and unique experiences of how they established themselves in Infosec. Some of the speakers at the conference are Louis Nyffenegger, Tanya Janca, ZSeano, and Aseem Shrey.
A full list of all the speakers and the topics of their presentations will be released super soon. Keep following our page for updates.
We’re expecting 1500+ people to attend the conference live. Our attendees are mostly cybersecurity professionals and Infosec infl

Registrations Open for IWCON 2022 — the Online Infosec Conference & Networking Event
Listen to 15+ awesome speakers and meet some of the coolest peeps in Infosec!
Register for IWCON 2022 here.
The editorial team of Infosec Writeups is happy to announce that we are organizing IWCON 2022 — our first-ever virtual conference and networking event on 26–27 February 2022.
Our goal is to dissect not just technical aspects, but highlight the human angle of being in Infosec.
Learn more details here.
Why attend IWCON 2022?
We have speakers from around the world to share their personal stories and unique experiences of how they established themselves in Infosec. Some of the speakers at the conference are Louis Nyffenegger, Tanya Janca, ZSeano, and Aseem Shrey.
A full list of all the speakers and the topics of their presentations will be released super soon. Keep following our page for updates.
We’re expecting 1500+ people to attend the conference live. Our attendees are mostly cybersecurity professionals and Infosec infl

To usher in the new year, Lightspin is expanding our multi-cloud coverage. Beyond our support of AWS, Azure, and Kubernetes, in 2022, we are proud to announce we support Google Cloud Platform (GCP) as well!
This expansion into GCP means you can easily, quickly, and without any agents onboard your GCP projects to Lightspin. We'll scan your projects to detect misconfigurations, exposed secrets, and of course the attack paths that nefarious actors may use to compromise your environment.
The post In 2022, Lightspin is Further Expanding Our Coverage appeared first on Security Boulevard.
为了迎接新的一年，Lightspin 正在扩大我们的多云覆盖范围。除了我们对 AWS、 Azure 和 Kubernetes 的支持，在2022年，我们很自豪地宣布，我们也支持 Google 云平台(GCP) ！
这种向 GCP 的扩张意味着你可以很容易、快速、无需任何代理商就可以将你的 GCP 项目带到 Lightspin。我们将扫描您的项目，以检测错误的配置，公开的秘密，当然，攻击路径，邪恶的角色可能使用危害您的环境。
2022年，Lightspin 正在进一步扩大我们的覆盖范围首次出现在安全大道上。

As a cybersecurity industry leader, Imperva is working with the National Cybersecurity Alliance (NCA) as a 2022 Data Privacy Week Champion to promote the need for businesses to prioritize data privacy and protection and the importance of individuals and companies to secure their online data. As part of Data Privacy Week, Imperva is committed to […]
The post Imperva Champions Data Privacy Week 2022 appeared first on Blog.
The post Imperva Champions Data Privacy Week 2022 appeared first on Security Boulevard.
作为网络安全行业的领导者，Imperva 正在与国家网络安全联盟(NCA)合作，作为2022年数据隐私周的冠军，宣传企业优先考虑数据隐私和保护的必要性，以及个人和公司保护其在线数据的重要性。作为数据隐私周的一部分，Imperva 致力于[ ... ]
2022年 Imperva 冠军数据隐私周首次出现在博客上。
后 Imperva 冠军数据隐私周2022首次出现在安全大道。

Artificial intelligence (AI) is woven into the fabric of today’s business world.
However, business model integration of AI is in its infancy and smaller companies often lack the resources to leverage AI.
Related: Deploying human security sensors
Even so, AI … (more…)
The post GUEST ESSAY: A primer on why AI could be your company’s cybersecurity secret weapon in 2022 appeared first on Security Boulevard.
人工智能(AI)已经融入了当今的商业世界。
然而，人工智能的商业模型集成还处于初级阶段，较小的公司往往缺乏利用人工智能的资源。
相关: 部署人类安全传感器
即便如此，人工智能... (更多...)
2022年，为什么人工智能可以成为你公司网络安全的秘密武器。

Our thanks to Security BSides London for publishing their tremendous videos from the Security BSides London 2021 Conference on the organization’s YouTube channel. Enjoy!
Permalink
The post Security BSides London 2021 – Klaus Agnoletti’s ‘CrowdSec: A Crowd-Based Approach To Infrastructure Defense’ appeared first on Security Boulevard.
我们感谢伦敦安全协会在该组织的 YouTube 频道上发布了他们在伦敦安全协会2021年会议上的大量视频。享受吧！
Permalink
2021年伦敦奥运会后，克劳斯 · 阿尼奥莱蒂的“众包: 基于人群的基础设施防御方法”首次出现在安全大道上。

Back in the olden times (in 2005) a website was setup called the Million Dollar Homepage. A brainchild of student Alex Tew who wanted to raise some money for university. The concept was simple, get a webpage composed of a million pixels and sell them all for $1 each. They were sold in 10 x … Continue reading The Million Dollar Homepage →
The post The Million Dollar Homepage appeared first on Security Boulevard.
早在古时候(2005年) ，有一个网站被设置为百万美元首页。一个想为大学筹集资金的学生亚历克斯 · 图的创意。这个概念很简单，得到一个由一百万像素组成的网页，然后以每个1美元的价格出售它们。它们以10倍的价格售出... ... 继续阅读百万美元首页→
百万美元首页首先出现在安全大道。

A popular maker of WordPress plugins and themes was hacked—93 of AccessPress’s offerings were modified to give the hackers “full access” to users’ sites.
The post WordPress Supply Chain Attack—93 Add-Ons Infected for Months appeared first on Security Boulevard.
一家广受欢迎的 WordPress 插件和主题制造商遭到黑客攻击ーー AccessPress 提供的93种产品被修改，黑客可以“完全访问”用户的网站。
后 WordPress 供应链攻击ーー93个附加组件感染数月首次出现在安全大道。

漏洞类型:Debug mode enabled, Information disclosure 作者:Abid Ahmad (@RootIntrud3r)

程序:Box 漏洞类型:OTP bypass, MFA bypass 作者:Tal Peleg

程序:VMware 漏洞类型:SSRF, CSRF 作者:Shubham Shah (@infosec_au) & Keiran Sampson (@hpy_downunder)

漏洞类型:Android bug, Insecure Firebase database 赏金:$2,000 作者:Omar Espino (@omespino)

漏洞类型:Broken Access Control, Authorization flaw 赏金:$1,000 作者:Mr Robert | Ahmed M Hassan (@Mr_Robert20)

漏洞类型:XXE 作者:Aditya Singh / rook1337 (@imrook1337)

漏洞类型:SSRF, LFI, Information disclosure, Broken Access Control, Authentication bypass, XSS, SQL injection 作者:Kuldeep Pandya (@kuldeepdotexe) & Sam Paredes (@caffeinevulns)

程序:Google, Adobe 漏洞类型:RCE, Path traversal, Android bug 赏金:$10,000 作者:sunny‏‏‎ (@hulkvision)

程序:Facebook 漏洞类型:Logic flaw 作者:Neilmark Ochea (@nmochea)

漏洞类型:XSS, IDOR 赏金:$800 作者:JM Sanchez / 0xEchidonut (@jmrcsnchz)

程序:Xiaomi 漏洞类型:XSS, HTML injection, Android bug 作者:Neilmark Ochea (@nmochea)

程序:Microsoft 漏洞类型:Insecure deserialization 作者:frycos (@frycos)

漏洞类型:CSTI, Account takeover 作者:M7.Arman (@ArmanSecurity)

漏洞类型:SQL injection, XSS, CSRF 作者:Bitcrack

程序:Acronis 漏洞类型:DoS 赏金:$0 (OOS) 作者:Ugroon (@veletisleri)

程序:Microsoft 漏洞类型:RCE 作者:Gabriel Sztejnworcel (@sztejnworcel)

漏洞类型:CORS misconfiguration 作者:Tarikul Islam (@sa1tama0)

程序:Moodle 漏洞类型:Session hijacking, Session management flaw, Account takeover, RCE 赏金:N/A (VDP) 作者:Johannes Moritz & Robin Peraglie

Written by CISOs, for CISOs This article provides highlights from our ‘CISO Point of View: The ever-changing role of data, and the implications for data protection
The post New Data Protection Methods and the Impact on Securing Storage & Backup appeared first on Continuity™.
The post New Data Protection Methods and the Impact on Securing Storage & Backup appeared first on Security Boulevard.
这篇文章从我们的“ CISO 观点: 数据不断变化的角色，以及对数据保护的影响”中提供了重点
新的数据保护方法及其对存储和备份安全的影响最早出现在 ContinuityTM 上。
后新的数据保护方法和对安全存储和备份的影响首先出现在安全大道。

Dear blog readers,
In this post I've decided to do an in-depth OSINT analysis on the recently busted REvil ransomware gang and decided to elaborate more and emphasize on the key fact in specific how come that a single ransomware group with several publicly accessible and easy to shut down C&C (command and control) server domains including several randomly generated Dark Web Onion URLs could easily result in millions of damage and who really remembers a situation when getting paid for getting hacked including the basic principle that you should never interact with cybercriminals but instead should passively and proactively monitor them could result in today's modern and unspoken ransomware growth epidemic and the rise of wrong buzz words as for instance ransomware-as-a-corporation where you basically have the bad guys obtain initial access to an organization's network and then hold its information encryption leading us to the logical conclusion who on Earth would pay millions of dollars to avoid possible bad r

Zero Trust is a security framework that requires authentication, authorization, and validation from all users, whether inside or outside the organization's network. This is mandatory for security configuration and precedes granting privileged access to the organization's data or applications. The term Zero Trust means that the network doesn't trust anyone connected to a local network, cloud, or hybrid.
The post Zero Trust Security – A Quick Guide appeared first on Security Boulevard.
Zero Trust 是一个安全性框架，它需要来自所有用户的身份验证、授权和验证，无论是在组织的网络内部还是外部。这对于安全配置是必需的，并且在授予对组织的数据或应用程序的特权访问之前必须这样做。零信任这个术语意味着网络不信任任何连接到本地网络、云或混合网络的人。
邮政零信托安全-一个快速指南首次出现在安全大道。

A remote work policy can contain a variety of sections that help guide productivity and promote security. Learn more today!
The post What to Include in a Remote Work Policy appeared first on JumpCloud.
The post What to Include in a Remote Work Policy appeared first on Security Boulevard.
远程工作策略可以包含有助于指导生产力和提高安全性的各种部分！
在远程工作策略中应该包括什么这篇文章最先出现在 JumpCloud 上。
《远程工作政策包括什么》一文最先出现在安全大道上。

The first 2022 IDA training session will take place online from 16-20 and 23-25 May 2022 , from 9am Pacific Standard Time. The session is devised to help professional reverse engineers master IDA Pro, the de-facto industry standard reverse engineering tool and take their reversing skills to the next level. Provided by the experts behind [...]
2022年国际开发协会第一期培训课程将于2022年5月16日至20日和23日至25日太平洋标准时间上午9时在线举行。该课程旨在帮助专业的逆向工程师掌握 IDA Pro，实际上是行业标准的逆向工程工具，并将他们的逆向技能提升到一个新的水平。由[ ... ]背后的专家提供

一个用于给LazyBoard( board.level06.com )采集数据的Chrome扩展

Brace for impact
准备迎接撞击

A deflate compressor that emits compressed data that is in the [A-Za-z0-9] ASCII byte range.

List of Computer Science courses with video lectures.

List of Computer Science courses with video lectures.