Cybersecurity information flow

A clean information-feed tool focused on the day-to-day of the security community, surfacing quality content for security researchers every day.


Recent updates
Time	Node
2024-05-09 09:52 Butian Community
If you have several targets in an attack-and-defense exercise or a penetration test, testing them one by one by hand is not realistic. You can first use a security scanner to automatically scan the target sites for weak spots, which gives your later in-depth testing a head start.
2024-05-09 09:52 GitHub watch
2024-05-09 09:12 GitHub watch
PHP in Browser, powered by WebAssembly.
2024-05-09 09:12 GitHub watch
2024-05-09 09:12 freebuf
Researchers have recently disclosed an attack technique named TunnelVision that can intercept the traffic of almost any VPN application.
2024-05-09 08:52 GitHub watch
Run WordPress in the browser via WebAssembly PHP
2024-05-09 08:32 GitHub watch
A CFML Parser written in CFML
2024-05-09 08:12 freebuf
By analyzing how enterprises use AI and ML tools today, the report reveals the key AI challenges and opportunities across business units and regions, helping enterprises understand how to adapt to the changing AI landscape and protect their AI tools...
2024-05-09 05:48 Data Breach – Security Affairs
The LockBit ransomware group has added the City of Wichita to its Tor leak site and threatened to publish stolen data. Last week, the City of Wichita, Kansas, was the victim of a ransomware attack and shut down its network to contain the threat. Wichita is the most populous city in the U.S. state of […]
2024-05-09 05:44 blackhat
Published: 2024-05-07  Talk time: 0000-00-00 12:00am  Duration: 40 minutes
Tags: Policy, Defense. No attachment.
As governments seek to confront today's complex and evolving threat landscape, they are experimenting with distinct approaches to safeguarding their national cybersecurity. This project compares a dozen key countries' national cybersecurity strategies in order to determine the most effective and innovative policy approaches that should inform global standards. The countries assessed include the US, China, the UK, Germany, South Korea, Singapore, the UAE, and Australia, among others. Having closely analyzed each strategy document and interviewed more than 20 officials and non-government experts representing all countries included in the study, we employ a two-dimensional framework to evaluate the strategies alongside one another against a 67-point rubric with an eye toward identifying leaders, innovators, and under-performers in each category.  We also consider external factors that make each strategy unique, such as a given 
2024-05-09 05:44 blackhat
Published: 2024-05-07  Talk time: 0000-00-00 12:00am  Duration: 40 minutes
Tags: Policy. No attachment.
Computer security professionals have been working weekends and through vacations for over 50 years yet haven't changed that too many advantages still heavily favor attackers and not defenders. Sure, defenders have made countless gains but not relative to those made by attackers.

Until last year, with the publication of the US National Cybersecurity Strategy, it was never even an actual goal to improve defense at the largest scale and least cost, to shift those advantages. This is great progress but means little if we can't measure if defense is indeed gaining relative advantages over attack. Far too few metrics measure the overall balance of offense and defense and those that do are buried or not applied to this most-important issue.

This talk introduces several such indicators to determine if we're winning. Many of these indicators – such as changes to Mean Time to Detect – are already collected by the community. Others 
2024-05-09 05:44 blackhat
Published: 2024-05-08  Talk time: 0000-00-00 12:00am  Duration: 40 minutes
Tags: Exploit Development & Vulnerability Discovery, Network Security. No attachment.
In the real-world C/S communication architecture, the server is often considered more vital than the client from a security perspective. Many privileged services in Windows also play the role of remote servers whose security is highly prioritized by Microsoft. Many of them have been reviewed and audited by the best security researchers worldwide. So we looked at these services and asked ourselves: what else has been overlooked?

Five months ago, after discovering an RCE vulnerability in the Distributed File System Replication service, a Peer-to-Peer file-sharing component, we realized that there are engaging scenarios where the client is as important (or even more critical) as the server. Nonetheless, we were impressed by how often these client components were used and how fragile they were to potential attacks. In the subsequent months, we conducted extensive research a
2024-05-09 05:44 blackhat
Published: 2024-05-08  Talk time: 0000-00-00 12:00am  Duration: 40 minutes
Tags: Policy; AI, ML, & Data Science. No attachment.
Prompt Injection is one of the most popular attack vectors on Large Language Models (LLMs), and notably at the top of OWASP Top 10 for LLMs. It is also relatively easy to carry out and can have insidious consequences including exfiltrating private data. But from a legal and policy perspective is prompt injection considered hacking? This talk presents the first ever legal analysis of this novel attack against LLMs marrying adversarial ML research with cybersecurity law.

Companies are already beginning to take this question to court: recently, OpenAI made a claim in their lawsuit against NYTimes that the newspaper hacked ChatGPT using "deceptive prompts". More urgently, equating prompt injection to hacking also has the ability to stifle and chill AI security research.

We use the Computer Fraud and Abuse Act (CFAA), the most significant anti-hacking law in the United States, to examine two popular kinds o
2024-05-09 05:03 GitHub watch
A C# Solution Source Obfuscator for avoiding AV signatures with minimal user interaction. Powered by the Roslyn C# library.
2024-05-09 04:43 GitHub watch
Standalone Metasploit-like XOR encoder for shellcode
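The entry above describes a standalone XOR shellcode encoder. As an added illustration (not the repository's code), the C below shows the two jobs such an encoder has to do: pick a one-byte key whose output contains none of the bytes the delivery channel cannot carry, and XOR the buffer with it. The bad-byte list (0x00 and 0x0a) and the five-byte sample payload are assumptions constructed for the example; the sample is not real shellcode.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* XOR every byte of buf with a single-byte key, in place.
 * XOR is its own inverse, so the same call decodes an encoded buffer. */
void xor_encode(uint8_t *buf, size_t len, uint8_t key) {
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key;
}

/* Return 1 if buf contains the byte value b, else 0. */
int contains_byte(const uint8_t *buf, size_t len, uint8_t b) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == b)
            return 1;
    return 0;
}

/* Choose the smallest key in 1..255 whose encoded output contains none of
 * the bad bytes (e.g. 0x00 ends a C string, 0x0a ends a line).
 * A plaintext byte x encodes to bad[j] exactly when x == bad[j] ^ key, so
 * it is enough to scan the plaintext for those pre-images.
 * Returns 0 if no key works (key 0 is never usable: it leaves input unchanged). */
uint8_t pick_key(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad) {
    for (int key = 1; key < 256; key++) {
        int ok = 1;
        for (size_t j = 0; j < nbad && ok; j++)
            if (contains_byte(buf, len, (uint8_t)(bad[j] ^ key)))
                ok = 0;
        if (ok)
            return (uint8_t)key;
    }
    return 0;
}

/* Constructed sample payload (assumption, not real shellcode): it deliberately
 * contains 0x00 and 0x0a so that key selection has to route around them,
 * and 0x01/0x0b so that key 1 is rejected and key 2 is the first usable one. */
static const uint8_t SAMPLE[] = { 0x00, 0x0a, 0x01, 0x0b, 0x41 };
static const uint8_t BAD[]    = { 0x00, 0x0a };

/* Encode the sample, check that no bad byte survives, decode and check the
 * round trip. Returns the chosen key on success, 0 on any failure. */
uint8_t encode_roundtrip(void) {
    uint8_t work[sizeof SAMPLE];
    for (size_t i = 0; i < sizeof SAMPLE; i++)
        work[i] = SAMPLE[i];

    uint8_t key = pick_key(work, sizeof work, BAD, sizeof BAD);
    if (key == 0)
        return 0;

    xor_encode(work, sizeof work, key);
    for (size_t j = 0; j < sizeof BAD; j++)
        if (contains_byte(work, sizeof work, BAD[j]))
            return 0;

    xor_encode(work, sizeof work, key);   /* decode */
    for (size_t i = 0; i < sizeof work; i++)
        if (work[i] != SAMPLE[i])
            return 0;
    return key;
}

int main(void) {
    uint8_t work[sizeof SAMPLE];
    for (size_t i = 0; i < sizeof SAMPLE; i++)
        work[i] = SAMPLE[i];
    uint8_t key = pick_key(work, sizeof work, BAD, sizeof BAD);
    xor_encode(work, sizeof work, key);
    printf("key = 0x%02x\nencoded =", key);
    for (size_t i = 0; i < sizeof work; i++)
        printf(" %02x", work[i]);
    printf("\n");
    return key ? 0 : 1;
}
```

Single-byte XOR is obfuscation, not encryption: it changes the static bytes so a naive signature no longer matches, but anyone holding the payload can recover the key from a known plaintext byte. The architecture-specific decoder stub that the real tool prepends to run the XOR at load time is not shown here.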
2024-05-09 04:13 Github_POC
A locally authenticated attacker with low privileges can bypass authentication due to insecure inter-process communication.
[GitHub]Exploit for Ivanti Automation Manager CVE-2022-44569
2024-05-09 03:46 Hacking Dream
Need a Power-Up in Solo Leveling: Arise? Unlock Free Rewards with These Codes Want to level up your characters faster? Get the inside scoop on working Solo Leveling Arise redeem codes and how to use them in this regularly updated blog post.

Solo Leveling Arise Redeem Codes

Play on Mobile and PC!
This is where things get awesome – Solo Leveling: Arise is available for both mobile and PC. Plus, you can use the same account on both platforms! Progress at home, continue your adventure on the go!

Multiplayer Raids on the Horizon?
Rumors are swirling that a co-op multiplayer mode for challenging raids might be on the way. Imagine taking down epic bosses alongside your friends - the hype is real!

How to Redeem Solo Leveling Codes for Free
Open Solo Leveling Arise Game
Login to Solo Leveling Arise game
Click on Options, then go to Settings (Gear Icon)
Click on Account, then click on "Redeem Codes"
Pop up box appears, enter the below codes in it.
Exclusive Solo Leveling Arise Redeem Codes – Limited Time!
To ce
2024-05-09 02:43 exploit-db
iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)
2024-05-09 02:43 exploit-db
Clinic Queuing System 1.0 - RCE
2024-05-09 02:23 GitHub watch
Standalone Metasploit-like XOR encoder for shellcode
2024-05-09 01:43 hackone
Vendor: Mattermost  Bounty:  Severity: medium
"A member role without the permission to post messages can still send messages by executing channel commands."
2024-05-09 01:43 hackone
Vendor: Teleport  Bounty: 900.0 USD  Severity: medium
"A member with the 'editor' permission can create an access list that cannot be modified, viewed or deleted."
2024-05-09 01:43 hackone
Vendor: Teleport (https://hackerone.com/teleport)
"A member with editor permission can create an access list that cannot be modified, viewed or deleted."
2024-05-09 01:43 hackone
Vendor: Mattermost (https://hackerone.com/mattermost)
"A member role without the permission to post messages can still send messages by executing channel commands."
2024-05-09 01:13 Sylvain Kerkour
Supply chain attacks have been well studied on my blog because they combine the best of both social engineering attacks and highly technical exploits: they can be used to target any organization with relative ease, like social engineering attacks, and there is no limit to how technically advanced you can
2024-05-09 00:43 GitHub watch
Packer files for building CentOS 7, 8, Rocky Linux 8, 9 and Ubuntu 20.04 and 22.04 images for Proxmox
2024-05-09 00:43 GitHub watch
A network technique that decloaks a VPN user's traffic on a local network without disconnecting them from the VPN.
2024-05-09 00:03 SecWiki Weekly
2024-05-08 23:53 WordPress › Error
To stay on top of relevant and emerging threats, CISOs must adjust and refine their cybersecurity strategies to address the rising challenge of attack surface expansion. As a result, organizations increasingly use service-level agreements (SLAs) to ensure their security providers meet their needs and expectations. SLAs are contracts that outline the services, metrics, and responsibilities […]
The post Service-level agreements in cybersecurity: Everything you need to know appeared first on Intigriti.
2024-05-08 23:43 GitHub watch
RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine based on deep document understanding.