【文章摘要】不过我们只需要记住一个原则就行了，永远不要相信外界输入的数据。现在扫描SQL注入的工具也有很多，上线前，多用安全工具扫一扫，防范有疏漏。

【相关推荐】

给产品经理讲技术｜年入千万就指望它了，视频直播背后的技术

给产品经理讲技术｜H5基础知识：表单

给产品经理讲技术｜撩妹技术三部曲之“设计模式”

给产品经理讲技术丨没线，并不可怕？

给产品经理讲技术丨提需求的正确姿势是什么

不少朋友都会写SQL语句，如果你还不会写，可以看看果果以前写的文章「学学写点SQL语句，好吗？」，可是你造吗，SQL注入攻击是Web开发中最常见的一种安全问题，恶意攻击者可以利用它来获取数据库中的敏感信息、篡改数据，甚至可以获得系统的控制权限。产生SQL注入漏洞的原因也很简单，就是开发者没有对用户提交的内容进行过滤，导致了恶意SQL语句的执行。

我们来看个简单的栗子，假设有一个登录系统，用户在登录时提交用户名和密码，如果通过用户名和密码能从后台数据库中找到某个用户，那么就算登录成功了。可以写出这样的代码：

sql = “SELECT * FROM user_table WHERE username='” + username + “‘ AND password='” + password + “‘”

可以看出，这个SQL语句是将查询语句和用户提交的数据拼接起来的，如果我提交的用户名是guoguo，密码是passwd123，那么这个SQL语句就是：

SELECT * FROM user_table WHERE username=’guoguo’ AND password=’passwd123′

这样看上去很正常对吧？可是，如果我是个坏人，提交的数据是这样的，用户名填的是guoguo’ ― ，密码是123，那么在后台得到的SQL语句就变成这样的了：

SELECT * FROM user_table WHERE username=’guoguo’ ‘ AND password=’123′

这里就有点蹊跷了哦，我们先看前面那个SQL语句，必须是账号密码两个条件匹配上了，才会返回guoguo这个用户的信息，否则查询不到任何结果。再看第二个SQL语句， 在SQL语句中是注释符号，它后面的语句都将被无视，那么这个语句翻译成白话就是“把用户名是guoguo的用户给我找出来”，看见没？这样完全不需要知道密码，就能拿到guoguo的用户信息，继而登录guoguo的账户。

这种通过在提交数据里面写入SQL代码，巧妙改变后台SQL执行逻辑的攻击方式，就是SQL注入攻击。

如何防范SQL注入攻击呢？其实也很简单，在这个栗子中，我们将用户输入的数据进行过滤，只允许使用字母和数字，那么这个攻击就起不到任何作用了。

当然了，你也可以写更复杂的过滤规则，不过我们只需要记住一个原则就行了，永远不要相信外界输入的数据。现在扫描SQL注入的工具也有很多，上线前，多用安全工具扫一扫，防范有疏漏喔～

欢迎添加微信公众号：给产品经理讲技术

本文由产品壹佰为你推荐并呈现

文章来源：微信公众号：给产品经理讲技术（ID：pm_teacher）

文章作者：果果

友情提示：

若出处标注错误，请联系QQ：2977686517及时更正，感谢理解和支持！

少年关注我们的官方微博@产品100和微信订阅号：chanpin100ghsd，有惊喜哦！

2016年6月24日-25日，由51CTO举办的 WOT2016企业安全技术峰会 将在北京JW万豪酒店召开。会前，51CTO记者采访了峰会特邀讲师、华为安全业务TMG主任钱晓斌，就企业安全风险管理，企业安全威胁中常见的DDoS攻击防护两方面的内容进行了深入交流。

与安全圈的很多人一样，钱老师也是非计算机专业出身，大学时主修经济学。在机关工作了几年后，转学计算机。随后一直从事安全工作，至今已有15年。工作初期主要从事国内第一代自主知识产权的防火墙与UTM产品开发，逐步从BSD做到linux，从配置管理做到内核协议栈，从黑白名单做到引擎特征库，从产品架构做到技术规划。目前在华为负责安全产品线的安全能力构建、技术规划与生态建设工作。

目前，传统企业正在加速信息化进程，加速网络架构与应用的云化，加强业务逻辑中的数据驱动能力。企业所面临的安全威胁随之变得更加复杂多变。而且，因为每个企业发展阶段与业务性质的不同，对各个层面安全性的敏感度与耐受度呈现出极大的差异。

而互联网企业的业务先天就构建在网络与数据之上，安全是其立身之本，稍有不慎，就会造成重大的业务损失。

钱老师表示，总体上说，企业应充分重视以下五大方面的安全挑战：

1、企业安全威胁感知能力的挑战。

2、新兴的攻击手段和安全漏洞给安全产品安全技术带来新的挑战。

3、企业所处的安全环境、生态、安全协作机制方面存在的挑战。

4、企业安全体系生命周期管理能力的挑战。

5、人员安全意识和安全能力的挑战。

对此，钱老师建议，企业需在真正理解自身安全和风险的情况下，进行安全方面的规划和投资。同时避免安全体系的碎片化、片段化，逐步实现真正的安全。站在企业整体安全视角来看，企业需不断提升安全体系生命周期的管理能力，从而建立起完善的安全管理流程与制度，实现安全保障目标。而且，面对新兴攻击和新式攻击手段，企业要在加强自身安全体系建设时，也需要向专业安全厂商进行咨询，根据实际情况进行安全检测，部署合适的产品，例如部署类似APT沙箱、大数据安全分析平台等下一代安全产品。回顾很多安全事件，我们会发现有很多来自于企业内部人员造成的泄露事件，所以提升企业员工安全意识，是每个企业要重视且必须要做的事情。

此外，他认为，安全问题的存在与解决都不是一个局部的问题，我们也无法让一个企业独自面对所有的安全问题。国家在网络安全方面的立法趋于严格，行业对于企业的监督也在加强。企业在提升安全风险管控能力的同时，也迫切需要我们这个社会改善企业所处的安全环境、安全生态与安全协作机制。

在企业所面临的众多的安全威胁中，DDoS攻击可谓经久不衰。这么多年DDoS攻击发生了哪些变化?下面我们一起来听听钱老师怎么说。他表示，从DDoS出现到发展的这几十年来看，僵尸网络呈现出大规模、全球化的特点。尤其是近几年来，随着互联网和物联网的发展，DDoS单次攻击高达500Gbps以上，僵尸网络不再仅仅存在于用户的终端，而大量存在于数据中心的虚拟机上。我们现在看到的物联终端也可能成为僵尸网络的宿主载体，虽然运营商和企业用户在本地大多已经在本地部署了清洗设备，但上行链路遭受攻击时已经拥堵了网络出口。这也是为什么90%以上的运营商在寻找云端的流量清洁方案。

谈到DDoS攻击的防御，钱老师认为：“针对DDoS攻击全球化规模化的特点，要有效地防御DDOS攻击，必须建立一个全球性的立体防御体系，必须要联合业界众合作伙伴的智慧和力量。”

那么，企业该如何加强DDoS攻击防护?钱老师建议，有条件的企业将业务托管到具有较强抗DDoS能力的云服务上。对于企业自行部署的系统，应该在前端安装DDoS防护能力较强的安全过滤产品。对于需要大容量AntiDDoS服务的云厂商与具备AntiDDoS能力的安全厂商，可以通过加入“云清联盟”的方式，加强协作，提升自己，服务客户。

华为首倡“云清联盟”的概念，并努力付诸实践。“云清”的含义是基于云端的流量清洗方案，联盟的含义是旨在将全球MSSP服务提供商和IDC服务提供商的资源进行整合，共建攻击流量的 “泄洪池”，构成一个云端的“DDoS防御生态系统”，“一方有难，八方支援”，在上游更加彻底解决大流量DDoS攻击问题。这个联盟设计的初衷，就是通过近源云清洗实现全球大流量DDoS防御，具体而言包括：云端防护、IGW层防护、Backbone层防护和DC边界防护。

除了面向全球的“云清联盟”DDoS防御体系，华为安全业务覆盖网络安全、终端安全、云安全、应用安全、安全管理和安全服务等多个领域。产品包括高中低端下一代防火墙、入侵防御系统、DDoS攻击防御系统、虚拟综合业务网关、沙箱、大数据安全分析系统等产品，以及相应的针对传统威胁及未知威胁的解决方案。

钱老师表示，未来华为将继续发挥其在云管端的深厚积累与综合优势，在云安全、高级威胁检测、大数据安全分析等技术领域取得快速发展，并努力与同道一起，构建威胁情报共享平台，优化安全产业生态环境，为用户提供可信赖的安全服务。

最后，钱老师表示，近期他一直在围绕“安全以人为本”思考安全的多个层面。因此，在本届WOT企业安全技术峰会上，他准备与大家分享对安全系统中“人”的位置与作用的思考。

几天前因为一些很蠢的原因，我的域名被微信加入了黑名单，分享我的博客链接到朋友圈只有我自己能看见。还好我在大概两周前开始考虑博客搬迁的事情。我在万网买了 lutaonan.com 的域名，以后只要访问这个域名就能直接访问我的博客，RSS 地址为 http://lutaonan.com/rss 。 http://djyde.github.io 将不再更新，一个月后会强制定向到 lutaonan.com。 服务器迁移到了阿里云青岛的机房。博客引擎从 Hexo 换成 Ghost. 更换引擎的目的单纯，仅仅是想试试 Ghost 而已，并非觉得哪个比哪个好。

事实上很早以前我就想搬离 Github Pages, 因为国内访问很慢很不稳定，加上不能上 https, 但是一直考虑到我的博客几乎都是写给程序员的，就无所谓了。

然而最近有了一些变化，我喜欢写起非技术文章了。技术文章的沉淀周期很长，更新频率都是以『月』作单位的。而我又喜欢写东西，也喜欢分享生活。所以事实上从 2015 年 9 月的 《我是 Randy, 这是我的利器》 开始，我写的文章都是关于生活方式和 LifeHacker 类的，还有我以前最讨厌写的游记。所以博客的 subtitle 变成了『代码、科技和艺术』，我希望分享这些我所爱的、有价值的东西，这些东西都围绕『创造』。 创造对于我而言是一种与生俱来的生理冲动 。

从我刚开始能勉强读懂语文课文开始，我就有提笔写点东西的冲动。这种冲动很单纯，因为我连要写什么也不知道，只是看到空白的单行本

So, it's now 2016. GPU password-cracking is pretty well-known and accessible, yet companies and developers are still using little more than md5 to hash customers' passwords! Notice I simply said "hash", because I hesitate to call this "protection". Every time I see someone still using md5 it makes my question their entire security model.

I was just discussing with my friend @jmgosney the benefits of patching your own systems when vendors won't. Especially with these php systems (MyBB and vBulletin both come to mind here), it's often easy to swap out their cryptographic functions with much better industry standard functions. We happen to like bcrypt a great deal for this, and have both made adjustments to production systems to replace md5 with bcrypt. Since Jeremi already made one of these patches just recently for his own MyBB deployment, we've decided to share the patch with everyone in hopes to try and make the Internet a little safer if we can.

The following patch has been updated and tested to work with the latest MyBB 1.8.6.You will need to make a few slight modifications to your db for this patch to work.

Download the latest MyBB 1.8.6, unzip it, and change into that directory:

Next, copy his patch (listed below) into a file epixoip.patch in that directory.

Finally, use the patch utility to apply the patch:

And that's it! It makes you wonder why the vendors don't do this themselves, doesn't it?

(Now, we just need enough people to write in to the vendors/developers of these products and urge them to use better/modern security practices for said products.)

Adobe公司近日发布了最新的Flash Player 22.0.0.192版本，目的是修复已发现的一个严重安全漏洞。

据悉，Adobe在几天前发现了一个名为CVE-2016-4171的安全漏洞，该安全漏洞对windows、Macintosh、linux操作系统具有影响，也就是说所有桌面电脑用户都被该漏洞威胁。

为此，Adobe抓紧发布了Flash Player 22.0.0.192以修复这个高危安全漏洞，并建议用户能够尽快安装，以免受到安全威胁。

Adobe Flash本身的安全问题已经成为很多互联网公司担心的工具，它就像一颗随时会爆炸的地雷。所以越来越多的网站选择不再支持Adobe Flash以确保稳定和安全。

最近，苹果又计划在Safari 10中默认禁用Adobe Flash播放插件，鼓励网站和用户更多地使用使用html5技术。

Google's Android mascot.

Google paid 82 people a total of $550,000 in the last year for finding security vulnerabilities that could let hackers compromise phones, tablets, cars and other gadgets powered by the company's Android software.

The company launched the Android Security Rewards program in June 2015 in an attempt to harden the software. Google offered up to $30,000 for vulnerabilities. Although nobody received that amount, one researcher called heisecode was paid $75,750 for 26 vulnerability reports, Google said in a blog post Thursday.

Security holes can be used obtain personal data and gain access to other computing systems. Even bug bounties from Google and other software makers aren't the only way to make money from vulnerabilities. The FBI reportedly paid less than $1 million for a hack that let it access an iPhone used by Syed Farook, a shooter in December's San Bernardino terror attack.

For theAndroid security bounty program's second year, Google raised reward levels in several cases. For the most complete type of Android takeover method, Google now will pay $50,000, up from $30,000.

Increase workforce agility and mobility by going BYOD.

If you're considering implementing a BYOD (bring your own device) policy in your workplace, there are a few things you should consider before diving in and giving employees' personal devices access to sensitive information. Do you have the right security in place? Are there any restrictions on device usage during work hours? Are you and your employees using the right apps?

We've got a few tips that could keep your safe and on the right track when setting up a BYOD environment in your workplace.

Some employers may think that by creating a BYOD strategy, they'll save thousands on computers and other network devices that would otherwise be owned by the company.

This isn't really the case, since security measures and support for employee-owned devices will likely just replace those costs. Implementing a BYOD policy is about employee efficiency and mobility, and should not be considered a cost-saving measure, since the savings may be minimal or nonexistent. Let's just get that out of the way off the bat.

Before even mentioning BYOD to your employees, you need to set up a BYOD framework. The framework address issues like: who gets to use their devices while on the job and for what purposes; which types of devices may be used; and, how support for these devices will be carried out.

Your framework should also include your roll-out strategy. It should be careful and calculated, so as not to become vulnerable to security risks.

Prior to development, it's a good idea to perform a cost-benefit analysis, to make sure it's worth it to set up support for all the devices that will be added to your network.

You framework should include the input of your IT and HR staff, legal and financial advisors, and anyone else who should be involved in the decision-making process.

The BYOD framework is a top-down view of how BYOD will be implemented. Your policies fill in the details. These will explicitly define what your employees may and may not do when using their personal devices for work.

This is where you can talk about any specific apps that have to be on employee devices and any apps that cannot be on employee devices, for security reasons.

This is also where you'll outline how IT will support employee devices. If devices are malfunctioning, will it be up to IT to fix them or, in the case of smartphones, the wireless carrier in question? These are questions that are to be addressed and their answers outlined.

An endpoint security management system is pretty much a necessity at this point, if you're considering a BYOD environment. Endpoint protection is like anti-virus on steroids. It involves an integrated system of anti-malware, data input/output management, user management, and more.

This is where you can add log-in restrictions, block unsafe websites, monitor network traffic, and much more. Endpoint security is imperative if you want to protect your data and make your network safe for both you and your employees.

You may want an endpoint security system that involves MDM or Mobile Device Management software. This will allow you to control employee devices if they become lost or stolen. Any device employing the MDM software can be remotely accessed and erased.

An endpoint security management system should be factored into your cost-benefit analysis.

If you're requiring your employees to use specific apps on their own devices, then make sure the apps you're using are safe and do not contain harmful code. This could be damaging to both your network and your employees' devices, which could entail costly replacements for them and potential data loss or worse for you.

A good endpoint security management system can assume app control and prevent harmful apps from executing on your and employee devices.

A lot of people know the risks of computer viruses and spyware, but believe that smartphones are all but invincible. This is absolutely not the case and employees should know the possible security risks associated with bringing their own devices to work.

They should be walked through your framework and policies and educated in the use of any MDM software you implement. They should also be made aware of any NAC (Network Access Control) tools are in place, like website blockers.

Before rolling out a company-wide BYOD policy, test it in very small doses. Have your IT department monitor usage and strains on the network and have HR monitor its effect on employee relations, efficiency, and satisfaction.

Is your workplace a BYOD environment? What is your experience?

Sound off in the comments below!

It has been a while, but some security news leads our day. First, The Next Web reports on 45M passwords being stolen from over 1100 VerticalScope forums. This has the potential to bleed into another password reuse hack like we have seen lately. Sentry has an excellent post about a security incident that they had recently. As far as they know, no data has been taken, but their response and documentation of the process is fantastic. At Codelitt, we get a great post about securing ubuntu. This builds on another blogger’s “my first 5 minutes on a server” post, so make sure you read the linked posts as well.

As always, enjoy today’s items, and please participate in the discussions on these sites.

Twitter accounts associated with ISIS got gay pride graphics.

A hacker associated with the Anonymous activist group has given several Twitter accounts a pro-gay look after a Sunday attack that killed 49 people in a gay bar in Orlando.

"You had all those innocent lives lost. I just felt there's something I could do against the Islamic State to defend those people," a hacker calling himself WauchulaGhost said in an interview with CNNMoney . He and other Anonymous members found a vulnerability that let them take over the accounts, he said, letting him replace ISIS flags with gay-pride rainbow flags and posting Orlando memorial imagery.

ISIS uses social media to spread its messages, but Twitter is trying to stop the practice on its service. In February Twitter said it suspended 125,000 ISIS-related accounts . Some but not all of the accounts WauchulaGhost showed as hacked have been suspended.

The same concept has been successfully used in IT security for years and it should be no different when planning for DDoS attacks. But despite their relatively predictable nature and deployment, too many IT execs seem to be caught by surprise when a DDoS attack hits home. Can we stop DDoS attacks from happening? Unlikely. Can we mitigate the impact or head it off in the pass? Absolutely.

The most expedient way to prepare for and quickly respond to an attack is to increase visibility into Internet assets, so DDoS attacks can be spotted as they’re gaining traction and mitigated in short order. Knowing what your network’s normal behaviour looks like via an internet performance management system means you will be able to more readily tell when an attack is underway so you can spring into action.

Of course there are times when your network is going to experience legitimately higher volumes of traffic. Whether or not it’s to mitigate DDoS attacks, businesses must provision for enough server capacity, tuned for best performance under high load. Build the biggest network you can with effective elements for advanced mitigation. Yes, this is adding expense, but given the well documented consequences of a DDoS attack or indeed any downtime it’s one that’s easily justifiable if you’re facing a battle with the procurement department.

The theory is great, but it’s probably useful to examine a real life instance of what best practice when a DDoS attack is underway looks like. The following example demonstrates best practice in taking steps once internet performance monitoring systems have warned that a DDoS attack is underway.

Szcü is a popular Turkish daily newspaper. Like so many print publications around the world, it is increasingly reliant on its online offering to drive revenue into the business. It serves its web content from a large number of endpoints behind different providers around the world. Regularly the target of DDoS attacks, Szcü uses traffic management tools to manage its endpoints and ensure visitors only connect to healthy endpoints.

Unbeknown to site visitors, this happens all the time, without their service being interrupted. Recently though, the newspaper suffered an attack that was much larger than usual at 40Gbps, lasting several hours. During this period, the attackers targeted all of Szcü’s endpoints at some point. As usual, their traffic management system’s load balancing capabilities had reacted by actively removing unhealthy endpoints from being served up to site visitors. But critically, it was then re-adding them as the attackers moved on to other endpoints.

In effect, the attackers were playing a game of whack-a-mole with Szcü’s infrastructure. But despite the service being unavailable for some users site visitors dropped from a ‘normal’ level of 37,000 down to 25,000 during the attack, Szcü was able to hobble through the attack and stay online for the majority of people. Critically, they stayed out of the headlines.

Improvements to the distribution of traffic across all of an organisation’s data centres and content delivery networks, as well as the visibility to plan for and monitor internet performance, is critical to an organisation’s ability to effectively respond to any DDoS attack. But it’s also being used to optimise performance when the network isn’t under attack, and enable migration and critical infrastructure planning to provide the best user experience possible.

Planning for DDoS attacks should be a major consideration of any effective internet performance management strategy, rather than a problem tackled in isolation.

Over the last month there have been numerous TeamViewer users reporting unauthorized access into their computers that resulted in financial loss and stolen credentials. TeamViewer is a software package used by both personal and enterprise users for remote control, desktop sharing, file transfers and more. TeamViewer also uses end-to-end encryption to prevent a number of different potential attack vectors such as Man in The Middle (MITM) and brute-force attacks.

These reports of drained PayPal accounts and stolen credentials have mainly been found on Reddit, but have also been seen on a number of other sites dating back to May 1, 2016. Most of the attention drawn to TeamViewer came on June 1st at around 1pm EST when TeamViewer sustained a 3-hour long denial of service attack aimed at their DNS infrastructure. It should also be noted that earlier in the day an unknown user had posted TeamViewer’s DNS information on pastebin .

Shortly after the outage, TeamViewer issued a statement about the attack and unauthorized connections:

“TeamViewer experienced a service outage on Wednesday, June 1, 2016. The outage was caused by a denial-of-service attack (DoS) aimed at the TeamViewer DNS-Server infrastructure. TeamViewer immediately responded to fix the issue to bring all services back up.”

At the time of the outage, users began going to Reddit to see if there were any updates or information about the cause. Most users ended up here , where several TeamViewer users shared their stories of compromise and event logs proving their devices were compromised.

June 1st 2016 Reddit I then checked my logs at C:\Program Files (x86)\TeamViewer\TeamViewer11_Logfile.log and sure enough, it shows someone connected to my computer at 2:58 am, right before the paypal purchases/transfers

May 24th 2016 Tim Oliver’s Blog Someone had actually logged into my TeamViewer from Russia, and FOR THE BRIEFEST OF MOMENTS had direct control of my NUC!

May 1st 2016 TeamViewer Forums on May 1st 2016 (at 13:04 GMT+3, Bucharest, Romania) someone hack intro my PC from TeamViewer and stole all my passwords from browsers (IE, Firefox, Chrome, Opera) with a little software fromhttp://www.nirsoft.net/utils/web_browser_password.html called WebBrowserPassView.

After further research, it was discovered that this has been a persistent problem for the last month. TeamViewer even issued a press release on May 23rd stating that:

TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side. Therefore, TeamViewer underscores the following aspects:

1. Neither was TeamViewer hacked nor is there a security hole

2. TeamViewer is safe to use and has proper security measures in place

3. Our evidence points to careless use as the cause of the reported issue

4. A few easy steps will help prevent potential abuse

Many people have been quick to fault TeamViewer, but are they really at fault? If TeamViewer had been breached, we would be seeing a different set of data points and accounts breached on a much larger scale. This clearly indicated that the issue is client-side, and there are a number of theories to support this idea. The first surrounds the recent database leaks on The Real Deal, a darknet market. Vendor, Peace of Mind has been selling a number of leaked databases with a total of over 100 million credentials. Sites like LinkedIn, Tumblr and Myspace have all been implicated. One of the popular ideas is that the attackers are using leaked credentials to gain access to other digital platforms due to password and username reuse. While this is possible, we have seen other evidence to suggest this is all a result of a malware campaign targeting the client-side application of TeamViewer.

Recently, it was reported by Dr. Web that BackDoor.TeamViewer.49 was:

“A Trojan for Microsoft windows that is spread by Trojan.MulDrop6.39120. The Trojan’s main payload is incorporated into the avicap32.dll library. Trojan.MulDrop6.39120 runs TeamViewer that automatically loads the library to the computer’s memory. All lines, imports, and functions of TeamViewer’s process are actively implemented by this malicious library. The most critical parts of the Trojan’s code are encrypted with base64 and RC4.”

TeamViewer also issued a statement about BackDoor.TeamViewer.49, saying:

“The real issue seems to be the installation of a malware program via the installation over a manipulated Adobe Flash player update. With the installation of the malware program, TeamViewer will be installed on the remote side. Resuming, the current situation unfolds as follows: The aforementioned malware is spread via another malware named Trojan.MulDrop6.39120 which is a forged update of Adobe Flash Player.”

“The executable file of Trojan.MulDrop6.39120 installs the player on Windows. Meanwhile, it covertly saves TeamViewer, BackDoor.TeamViewer.49, and a necessary configuration file on the disc. During the installation, a legitimate installer window of Flash Player is displayed. When users install this malicious Flash Player update, they get a legitimate Flash version, but also the Trojan.MulDrop6 Trojan, which secretly installs TeamViewer on the victim’s computer.”

BackDoor.TeamViewer.49 runs parallel with the current attacks, but some things just don’t match up. What has most likely happened is we are currently seeing the introduction of a new exploit kit that is leveraging a vulnerability to gain access to devices with TeamViewer installed on them. Once the attacker gains access to the device, they run a program that retrieves and recovers passwords that are stored in browsers with tools like ChromePass and WebBroswerPassView. Once the attacker has the list of stored passwords, they quickly exfiltrate the file and begin accessing PayPal and Ebay accounts in an attempt to purchase gift cards and other turn-and-burn items that they can quickly resell.

One common thread seen with these attacks is that the attackers are motivated by profit at your expense. They are using very basic attack methods to target low-hanging fruit. TeamViewer has provided these recommendations inside of their press release:

TeamViewer strongly recommends:

Users should avoid all affiliate or adware bundles: While users may think they are just downloading a harmless program, the software could in fact install something else.

Users ought to download TeamViewer only through the official TeamViewer channels such as the TeamViewer website https://www.teamviewer.com

Users should protect any user account whether it is with TeamViewer or any another supplier by using unique and secure passwords that are frequently changed.

Users should ensure they have reliable anti-malware and security solutions in place at all times.

It’s also suggested that every user, no matter what the service you use, create a different password for each account. In addition to this you should also use a strong, complex password and change them often. Never store your passwords in your browser. Users should also use 2-factor authentication when possible. To check to see if your service offers two-factor authentication visit https://twofactorauth.org/

Follow us on Twitter or via RSS feeds with complete announcement texts or excerpts

Back to index

Building a BitTorrent client from scratch in C#

BitTorrent is a protocol for peer-to-peer file sharing. It allows users to directly share files with each other across the internet without any central server acting as a middleman.

In order to do this, the files are divided up into small regular-sized pieces. Each client or peer in the network can then either request a piece (if it is missing it) or send a piece (if another peer requests it). Peers can send and receive pieces simultaneously from multiple other peers until all peers have the complete file. A peer is called a seeder if it has pieces available to send out and a leecher if they are still requesting pieces.

The lack of a central server means that there is bandwidth costs of sharing content is reduced for the originator. Initially there will be a single seeder, however once other peers obtain the files they become seeders too. The protocol tends to favour more popular content. The more peers that want a file, the more peers there will be that have the file to share. Supply scales with demand. In this regard, it is also a more resilient method as the network becomes resistant to a system failure and does not have any single point of failure once there are multiple seeders.

Unpopular content can be difficult or slow to download if there are only a handful of seeders. Small files can be slower to download than from a traditional server as there is an certain amount of time overhead finding peers. The lack of a central server can also lead to a situation where all of the peers in the network are almost complete but all missing the same piece (although this should be rare due to the algorithms used to select pieces to request).

Peer-to-peer networks became mainstream with the creation of Napster in 1999 by Shawn Fanning. Napster maintained a centralised index of selected files on each user's computer and then allowed users to search for and download files directly from each other.

The BitTorrent protocol was created by Bram Cohen in 2001 and made various improvements on Napster system. It removed the single centralised index of files and replaced them with indexes that could be hosted by anyone (called trackers ). It also broke the files into pieces that could each be downloaded from different clients rather than downloading the entire file from a single peer (the combined pieces are verified using hashes). Later improvements in the protocol have removed the need for trackers completely.

Like Napster before it, BitTorrent was heavily used for illegal file sharing. Both have negative legal connotations. Unlike Napster however, the lack of a centralized authority has made it much more resilient to being shut down.

Today, the protocol is still used for file sharing amoung regular users but also for content delivery (various open source software projects as well as games), internal distribution of new code to servers (Facebook and Twitter). Other popular systems that make use of peer-to-peer networks are various cryptocurrencies (Bitcoin, Ethereum) and decentralized marketplaces (OpenBazaar).

The original specification outlined a number of components:

Recent additions to the protocol mean that neither torrent files or trackers are necessary anymore resulting in a complete removal of any centralization.

You get the full code from this project on my github .

The aim of this projects was to gain a better understanding of the technical details of the BitTorrent protocol. In terms of the depth of the research, I like to get to the point where I have a good idea of what I don't know. BitTorrent is actually a great topic as it covers a lot of different areas: HTTP, TCP, custom encodings, cryptographic hashing, file IO and (optionally) multi-threading. I used C# because it's the language I'm most familiar with. I essentially built version 1.0 of the protocol, however further additions are necessary before it would be able to be tested in the real world (seeFurther Research).

You can get the official specification but there are also some other references with more detail.

I used the following:

Before we go digging around, let's do a test run with the existing software to make sure everything is working correctly. First let's create a new torrent file using our BitTorrent client. To use as a test file, I grabbed a few paragraphs of ipsum lorem and threw them into a text file. Make sure you use the IP address of the machine you're going to be running the tracker on when adding a tracker to your torrent. The default port for trackers is 6969.

My testing set up is shown below. I have a Terminal open ready to run the tracker on OS X and I have two VirtualBox machines running with Transmission open in both. Only one of the boxes has the actual underlying file we want to share. One other thing to note is that I had to set both network adapters on the virtual machines to Bridged mode (VirtualBox VM -> Machine -> Settings... -> Network -> Attached To).

Next, add the torrent to each of the clients in our two virtual machines. You should be able to see that one is trying to seed the file and the other is trying to download the file.

Finally, pause both of the clients and then start the tracker in the Terminal:

The program doesn't require any arguments and starts running at http://localhost:6969/ by default. You can open http://localhost:6969/stats?mode=everything in your browser to double check it's running if you need to (it'll just spit out some xml output after a few seconds).

You'll probably need to pause and restart each of the clients after starting the tracker. After a few seconds the file should have been successfully copied to the second virtual machine.

Great! So now we know everything is working so we can go back to start and try to recreate some of this.

Let's open up the torrent file we created earlier in a text editor:

It's pretty ugly in there. It's clearly encoded in some unusual format. If we take a look at the spec we can see it uses a custom encoding system called BEncoding . Fortunately, it's pretty straight forward. There are only four types that can be encoded.

The DAO , a digital Decentralised Autonomous Organisation that has been set up to support projects related to Ethereum, a public blockchain platform that allows programmable transactions, has been hit by unknown attackers that are draining its ether (cryptocurrency) reserves.

Users who have invested their ether in DAO get a token that allows them to vote on which projects will get funded by the organization and, hopefully, get dividends once the project is successful. According to the organization’s website, they have amassed some 9.23 million ether. At the moment, the attackers transferred a little over a third of it to an ether wallet they control .

The attack was made possible not because there is a vulnerability in Ethereum, but because there is one in DAO.

“The attack is a recursive calling vulnerability, where an attacker called the ‘split’ function, and then calls the split function recursively inside of the split, thereby collecting ether many times over in a single transaction,” Vitalik Buterin, Ethereum creator and one of the DAO curators, explained on the blog of Switzerland-based Ethereum Foundation.

He says that the leaked ether is in a child DAO, and can’t be withdrawn by the attackers for at least another 27 days.

In the meantime, the developers proposed a solution to getting the ether back to DAO token holders.

“The development community is proposing a soft fork, (with NO ROLLBACK; no transactions or blocks will be ‘reversed’) which will make any transactions that make any calls/callcodes/delegatecalls that execute code with code hash 0x7278d050619a624f84f51987149ddb439cdaadfba5966f7cfaea7ad44340a4ba (ie. the DAO and children) lead to the transaction (not just the call, the transaction) being invalid, starting from block 1760000 (precise block number subject to change up until the point the code is released), preventing the ether from being withdrawn by the attacker past the 27-day window. This will later be followed up by a hard fork which will give token holders the ability to recover their ether,” Buterin explained.

This time window will then be used by the community to debate and decide on a definitive fix for the situation.

“Miners and mining pools should resume allowing transactions as normal, wait for the soft fork code and stand ready to download and run it if they agree with this path forward for the Ethereum ecosystem. DAO token holders and ethereum users should sit tight and remain calm. Exchanges should feel safe in resuming trading ETH,” he added.

As the news of the attack spread, many users panicked and began selling their ether, and at the same time ether’s value has taken a sharp dive. But, things seem to have started improving once news of the proposed solution got around (click on the screenshot to enlarge it):

The situation seems stable right now, but it the hard fork is implemented, the stolen funds will be retrieved, but it will be the end for DAO.

“The DAO will be winded down completely and transformed into a simple contract where you can only withdraw. It’s shutting down but as no ether was stolen and no ether was spent, nothing was lost,” stated Stephan Tual, founder and COO of Slock.it, a company that created a system for building smart locks with Ethereum, and hoped to receive funding via the DAO.

One of the major up-and-coming MFA methods is U2F, which relies on an initial key exchange and challenge-response mechanism.

It's a relatively new protocol, and is only starting to see more widespread adoption, notably among big web entities like Google, but it's not the first easy-to-use, key-exhchanging, challenge-responding mechanism out there; in fact, two come to mind quite easily:

SSH, which has been around since 1995 and is available on essentially every linux and BSD box set up since 2000, with growing adoption on windows via add-on software in older versions and built-in software in newer versions; and

PGP, which has been around since 1991, and is actually included on some of the newer Yubikeys (albeit, controversially, with a closed-source implementation in the latest generation), as well as on millions of PCs worldwide, with plenty of high-quality, actively-maintained implementations and libraries for a slew of OSes.

It seems like it would make perfect sense to use either of these widely-available protocols/standards (respectively) as an MFA mechanism for more than just SSHing into a remote machine or encrypting email; so why haven't either gained any traction where U2F is booming?

As mobile applications still gain in popularity and more and more transactions are carried out via mobile devices, security is topic of growing importance. In his talk "Modern iOS Application Security" at QCon New York 2016 , Dan Guido takes a closer look at iOS security.

Guido starts by explaining the security mechanisms in place for iOS applications. The security model consists of various levels from securing communication channels down to hardware based device specific encryption:

While these mechanisms provide very secure environments for apps, Guido continuous showing the threads that still have to be kept in mind.

Transport Layer Security is not mandatory for all network connections but without proper data encryption and certificate checking, information is vulnerable to man in the middle attacks. All necessary mechanisms can be activated while configuring network connections or even easier by embedding libraries like TrustKit that will handle security in the background.

Data Protection is a very powerful mechanism which also lead to the recentdispute between Apple and the FBI. If data is encrypted using the internal hardware key, it cannot be encrypted outside the device. Thus, sensitive data should always be encrypted with passcode and device id. Though, developers still would have to avoid data leakage. There are apps and tools which try to find data in places where it is not highly secure like the pasteboard or preferences and cookies. Furthermore, sensitive data should be minimized - developers should avoid to backup or sync that data, background screen shots and logging should exclude sensitive data and keyboard caches need to be deactivated.

According to Guido, following those guidelines provides a high level of application security but there is one more thing that developers need to take care of: Jailbreaks. As soon as a device is jailbroken, all of the above security mechanisms might get rendered useless - no matter if the jailbreak was installed voluntarily or maliciously. If a developer needs to provide high security she or he has to ensure that no jailbreak is active:

Guido concludes with hinting at the fact that LLVM only produces bitcode instead of machine code. Apple uses this to actually change or optimize the code for different platforms and developers can use the same concept add automatic security hardening already in the IDE. There are also toolkits like MAST that can be used in this context.

Please not that most QCon presentations will be made available for free on InfoQ in the weeks after the conference.

The official uninstallers that Adobe supplied for those wishing to remove the plugin from their windows installation have for some time been supplying hackers with a ‘privilege escalation’ attack vector.

It’s an ironic revelation, since anyone using an uninstaller is likely to be running itfor security reasons.

The vulnerability was discovered by security researcher Stefan Kanthak and its progress with Adobe reported via Seclists . According to Kanthak the executable uninstallers prior to versions 22.0.0.192 and 18.0.0.360, which were both released on the 15th of June, were vulnerable to DLL hijacking, since they load and run Windows system DLLs from the Flash application directory instead of the more heavily protected Windows system directory.

Kanthak describes the coding goof as a ‘well-documented beginner’s error’, and even points to the documentation that outlines the problem: which is that the process which loads a DLL first looks for it in the folder where it is itself residing, instead of defaulting to a system directory, meaning that a hacker able to exploit the process can run their own DLLs without a search for the valid versions which are in the correct place. This assumes, of course, that the attacker has been able to save DLLs locally, but this is a common procedure in many valid install routines.

The Adobe Flash uninstallers (which have now been patched) are executed with the requirement for administrator privileges, and once granted, the escalation is accomplished. The vulnerability was present in both the 32-bit and 64-bit versions of the Adobe uninstaller.

Kanthak first reported the vulnerability to Adobe in March, and the company’s first patch for the exploit was issued the following month. However the patched version contained the same vulnerability, but simply loaded different DLLs.

Finally Adobe released another revised patch on Wednesday, and this has resolved the issue, according to the report.

Verizon has begun pushing out a new update to its Samsung Galaxy Note 5 andGalaxy S6 edge+ handsets in the past 24 hours. There aren’t any major new features packed in here, but the updates do include the latest Android security patches from Google.

ADVERTISEMENT

The update brings the two device’s security up to the latest Android June patch. The update addresses a number of important potential exploits, including driver elevation privilege vulnerabilities with Qualcomm processors, issues with the Mediaserver, and SD card emulation. In total there are 6 critical fixes, 11 high severity patches, and 4 problems fixed that were of moderate concern. Most of the fixes attempt to deal with privilege elevation exploits, as Google tries to eliminate potential vulnerabilities similar to Stagefright before Android N hits devices.

If you’d like a full breakdown of the June security patch, you can read Google’s full detailed bulletin here .

As usual, Verizon will be rolling the patches out across the country in the coming days, but you might have some luck hammering that update button in the settings menu if you haven’t seen the OTA notification appear quite yet. Have you spotted the updating rolling out for your handset already?

Equinix is making F5 Networks' Silverline protection available in a handful of its International Business Exchange data centers. Silverline can detect the launch of an attack as it makes use of the network, and take steps to mitigate it in real time.

7 Ways Cloud Computing Propels IT Security

(Click image for larger view and slideshow.)

Distributed Denial of Service (DDoS) attacks are among of the oldest Internet threats to business operations, but they haven't diminished over the years. In fact, DDoS attacks are getting stepped up to a more significant level , flooding a site's Web servers, communication channels, and ability to process application requests. To make matters worse, such attacks are costing more than ever to remediate.

According to Lockheed-Martin spinoff Neustar , a firm offering DDoS protection, 73% of global brands suffered a significant DDOS attack in 2015.

In one example, a group calling itself New World Hacking claimed to have launched a 602-gigabit-per-second DDOS attack against the BBC on New Year's Eve 2015. The claim proved exaggerated when Internet traffic monitors reported they could not detect the surge in traffic, which should have been evident on network segments being used for the attack. Nevertheless, attacks as large of 300 Gbps have been recorded, and such attacks would overwhelm many enterprise defenses.

Tools and parties with knowledge to launch such attacks are available at commodity pricing on the Internet. It's the era of DDOS-as-a-Service, according to a blog post by FlowTraq CEO Vincent Berk .

This map will even show you where the worst attacks are currently underway.

There are many remedies available, and one of the latest -- from Equinix -- claims to be able to detect DDoS attacks as they are launched and cut them off before they can do any damage. And the protection isn't installed in the data center. It exists as a service in a handful of the Equinix data center hubs that provide connections to a wide variety of telecommunications carriers.

Equinix is making F5 Networks' Silverline protection available in a handful of its International Business Exchange data centers. Silverline can detect the launch of an attack as it makes use of the network, and it applies "leading attack mitigation methods and bandwidth to stop even the largest of volumetric DDoS attacks," according to a May 25 Equinix announcement.

According to Equinix, the service can scrub "hundreds of gigabits per second" of malicious data out of a company's traffic stream after the data has been launched as a DDoS attack. It then isolates the attacker's traffic.

The new service will be availble in Equinix's US data centers in Silicon Valley and Washington, D.C., and also in Singapore and Frankfurt. All of those locations offer the Equinix Cloud Exchange, which lets a business customer access a hub and connect to the cloud provider of choice over a high speed, private line. Silverline inside the Cloud Exchange can build defenses faster and to a higher scale than similar services being supplied over the Internet or via Level 2 VPN, according to Equinix spokesmen.

In addition to attack detection and mitigation, the automated service is backed up by continuously available experts in mitigation and recovery in the F5 Security Operations Center.

Equinix operates approximately 100 IBX data centers around the world in major markets. There is an Equinix data center in Ashburn, Va., for example, where Amazon Web Services decided to locate its major operations for the eastern region of the US. Equinix is a provider of Amazon's Direct Connect high speed private line service. There are several Equinix centers in the New York metropolitan area, as well as in Los Angeles, Chicago, Seattle, and Silicon Valley, along with locations around the world. The company didn't say how of its many IBX centers may someday host Silverline DDoS protection services.

Charles Babcock is an editor-at-large for InformationWeek and author of Management Strategies for the Cloud Revolution, a McGraw-Hill book. He is the former editor-in-chief of Digital News, former software editor of Computerworld and former technology editor of Interactive ...View Full Bio

某安全媒体上放了投稿人答案，其中诸多疏漏。中午我们pkav都做了一遍并且激烈的争论后得出的我们的答案，大家看一下是不是还有错的？本身我都标注了颜色什么的，但是发上来估计都没了。

说实在的这些题很多题目就有问题。。。可以争论的地方很多。

0×02 不定项选择题-30

1 应用程序开发过程中，下面那些开发习惯可能导致安全漏洞？（）

A 在程序代码中打印日志输出敏感信息方便调式

B 在使用数组前判断是否越界

C 在生成随机数前使用当前时间设置随机数种子

D 设置配置文件权限为rw-rw-rw-

答案：AD

解释：

A 为日志包含敏感信息，容易泄露账号密码接口数据等信息，可能产生安全漏洞。

B 为数组大小问题，数组不越界，可防止溢出安全漏洞。因此是安全的。

C 用当前时间来作为随机数种子的话，随着时间的不同，生成的随机数也会不同。因此是安全的。

D 为配置文件的权限问题，rw为可以读取可以写入。第一个rw-为文件所属用户、第二个rw-为用户所在组、第三个rw-为其它用户的读写。可以导致非法写入和越权访问，可能产生安全漏洞。

2 以下哪些工具提供拦截和修改HTTP数据包的功能?（）

A Burpsuite

B Hackbar

C Fiddler

D Nmap

答案：AC

解释：

A Burpsuite是可以通过设置浏览器代理进行网络渗透的，用于攻击Web应用的集成平台。可以进行拦截和修改HTTP数据包。

B Hackbar 是用来进行sql注入、测试XSS和加解密字符串的。可以用来快速构建一个HTTP请求（GET/POST）等。但是不能拦截和修改HTTP数据包。

C Fiddler是一个http协议调试代理工具，它能够记录并检查所有你的电脑和互联网之间的http通讯。可以进行拦截和修改HTTP数据包。

D Nmap是一款网络端口扫描工具，可以扫描各种端口及其服务甚至是漏洞检测。但是不能不能拦截和修改HTTP数据包。

3 坏人通过XSS漏洞获取到QQ用户的身份后，可以进行一下操作?（）

A 偷取Q 币

B 控制用户摄像头

C 劫持微信用户

D 进入QQ空间

答案：D

解释：

XSS漏洞是获取用户cookie的，即是获得用户cookie等敏感信息。

A 偷取Q币。需要用户进行确认或者输入密码，具有很强的交互性。因此无法进行。

B 控制用户用户摄像头。因为开启摄像头，需要用户手动确认。因此无法进行。

C 劫持微信用户。因为微信登录会验证手机信息甚至短信验证，并且只能同时在一个设备上登录一个微信账号。因此无法进行。

D 进入QQ空间。 因为登录QQ空间是不需要用户交互操作的，并且使用cookie获得用户身份后，就好像正常用户一样可以查看QQ空间，QQ资料等。

4 以下哪些工具可以抓取HTTP数据包？（）

A Burpsuite

B Wireshark

C Fiddler

D Nmap

答案：ABC

解释：

A Burpsuite是可以通过设置浏览器代理进行网络渗透的，用于攻击Web应用的集成平台。因此是可以HTTP数据包。

B Wireshark是监听网络接口数据的，可以设置监听某个网卡来监听各种网络数据包。因此是可以抓取HTTP数据包。

C Fiddler是一个http协议调试代理工具，它能够记录并检查所有你的电脑和互联网之间的http通讯。因此是可以抓取HTTP数据包。

D Nmap是一款网络端口扫描工具，可以扫描各种端口及其服务甚至是漏洞检测。但是不能抓取HTTP数据包。

5 以下哪些说法是正确的？（）

A IOS系统从IOS6开始引入kernelASLR安全措施

B 主流的Iphone手机内置了AES及RSA硬件加速解密引擎

C 安卓系统采用了安全引导链（secureboot chain ），而IOS系统则未采用

D Android 4.1 系统默认启用了内存ASLR

答案：ABD

解释：

A IOS系统从IOS6开始引入kernelASLR安全措施。情况属实。因此是正确的。

B 主流的Iphone手机内置了AES及RSA硬件加速解密引擎。情况属实。因此是正确的。

C 安卓系统采用了安全引导链（secureboot chain ），而IOS系统则未采用。情况不属实，原因是IOS系统也采用了安全引导链。因此是不正确的。

D Android 4.1 系统默认启用了内存ASLR。情况属实。因此是正确的。

6 以下哪些是常见的php ’ 一句话木马“ ？ （）

A

< ?php assert ($_POST(value));?>

B

<%execute(request("value"))%>

C

D

<%if(request.getParameter("!")!=null)(newjavio.FileOutputStream(application.getRealPath("\\") + request.getParmeter("!"))).write (request.getParameter("t").getByte())):%>

答案：AC

解释：

A assert用来判断一个表达式是否成立，可以远程连接。可为PHP一句话木马。

B execute 用来执行表达式，可以执行某些操作。可为asp一句话木马。

C eval 实现php对表达式的计算和执行，可以用来执行某些操作。可为PHP一句话木马。

D 通过判断执行文件输出写入，此为JSP木马。

7 以下哪个说法是正确的？（）

A xcodeghost 是一种可以直接远程控制手机控制权的攻击方式

B wormhole是一种可以直接远程控制手机控制权的攻击方式

C ” 心脏滴血“ 是一种可以直接远程控制手机控制权的攻击方式

D shellshock是一种可以直接远程控制手机控制权的攻击方式

答案：AB

解释：

A 通过Xcode从源头注入病毒XcodeGhost，是一种针对苹果应用开发工具Xcode的病毒。于2015年9月被发现。它的初始传播途径主要是通过非官方下载的Xcode 传播，通过CoreService 库文件进行感染。当应用开发者使用带毒的Xcode工作时，编译出的App 都将被注入病毒代码，从而产生众多带毒APP。用户在iOS设备上安装了被感染的APP后，设备在接入互联网时APP会回连恶意URL地址init.icloud-analysis.com，并向该URL上传敏感信息(如设备型号、iOS 版本)。回连的C&C服务器会根据获取到的设备信息下发控制指令，从而完全控制设备，可以在受控设备上执行打开网页、发送短信、拨打电话、打开设备上所安装的其他APP等操作。

因此xcodeghost是一种可以直接远程控制手机控制权的攻击方式。

B 百度SDK虫洞漏洞相关的核心代码存在于SDK的com.baidu.hello.moplus中，所有使用该SDK开发的APP，均会开放40310端口响应数据请求。虽然请求限制在本地进行，但攻击者仍然很容易绕过，这可能导致用户数据的大量泄漏。百度旗下应用安装到手机上之后，它会打开40310/6259端口，任何IP都可以连接该端口。被百度称为immortalservice的HTTP服务监视来自该端口的信息，之所以被称为immortal（不朽），原因是它“会在后台一直运行，并且如果你手机中装了多个有wormhole漏洞的app，这些app会时刻检查40310/6259端口，如果那个监听40310/6259端口的app被卸载了，另一个app会 立马启动服务重新监听40310/6259端口。 ”连接端口的IP需要验证一些头文件，但很容易通过伪装绕过。成功与该服务进行通讯后，就可以通过URL给APP下达指令，攻击者可以从用户设备远程获取位置信息，搜索框信息，包信息和其它敏感数据。它可以在用户设备上远程添加联系人，扫描下载文件，上传特定文件。所有这些行为只需简单的通过发送HTTP请求便可以完成。因为在本地HTTP服务（由Moplus SDK建立的）中没有进行身份认证，使得攻击行为不仅可以通过app开发者，也可以由任何其它人来触发。只需一个命令，攻击者或者网络罪犯就可以远程控制感染的设备。此外，他们只需要使用nmap进行全网段扫描，测试TCP端口6259或40310的状态，端口状态为OPEN的所有Android设备都可能被远程控制。需要注意的是在同一个局域网内，以及在同一个的3G/ 4G网络的所有设备都可以被攻击。

因此wormhole是一种可以直接远程控制手机控制权的攻击方式。

漏洞让特定版本的openSSL成为无需钥匙即可开启的“废锁”，入侵者每次可以翻检户主的64K信息，只要有足够的耐心和时间，就可以翻检足够多的数据，拼凑出户主的银行密码、私信等敏感数据。对此安全专家提醒，网友在网站完成修复升级后，仍需及时修改原来的密码。

因此 ” 心脏滴血“ 不是一种可以直接远程控制手机控制权的攻击方式，而是一种窃取用户信息的攻击方式。

D Shellshock，又称Bashdoor，是在Unix中广泛使用的Bash shell中的一个安全漏洞，首次于2014年9月24日公开。许多互联网守护进程，如网页服务器，使用bash来处理某些命令，从而允许攻击者在易受攻击的Bash版本上执行任意代码。这可使攻击者在未授权的情况下访问计算机系统。执行命令envx=’() { :;}; echo Shellshock’ bash -c “exit”如果有输出，就说明存在该漏洞。只要是能通过某种手段为bash传递环境变量的程序都受此影响。当然最典型的的就是bash写的CGI程序了，客户端通过在请求字符串里加入构造的值，就可以轻松攻击运行CGI的服务器。

因此shellshockbu不是一种可以直接远程控制手机控制权的攻击方式，而是可以直接远程控制服务器控制权的攻击方式。

8 在同一个bash 下依次执行

root@kali：~/Desktop# whoami

root

root@kali：~/Desktop# function whoami() { echo 1;}

root@kali：~/Desktop# whoami

最后一次执行的whoami 的结果是什么？（）

A root

B 1

C echo 1

D echo 1;

答案：B

解释：第一次执行whoami 是正常显示 root.。functionwhoami() { echo 1;} 通过定义函数whoami ， 使得whoami 是一个函数，而初始化值为echo 1 ，而echo 1 的执行结果是1。也就是说，通过调用函数whoami 并且初始化(执行echo函数)，所以输出结果为1。

9 以下哪个攻击可用来运行ddos攻击？（）

A 菜刀

B WSI

C Dosend

D Chkrootkit

答案：C

解释：

A 中国菜刀是一款专业的网站管理软件。

B WSI是PHP注入工具。

C Dosend是一款linux发包攻击工具，可用来实现DDOS攻击。

参考链接为 http://download.csdn.net/detail/linghuncangsang/6664547

D chkrootkit是用来检测rootkit的。

10 以下哪些服务器曾被发现文件解析漏洞？（）

A Apache

B IIS

C nginx

D squid

答案：ABC

A Apache解析漏洞。它 是从右到左开始判断解析,如果为不可识别解析,就再往左判断.

比如upupimage.php.owf.rar “.owf”和”.rar”?这两种后缀是apache不可识别解析,apache就会把upupimage.php.owf.rar解析成php.

B IIS 解析漏洞。一是IIS5.x/6.0中的/xx.asp/xx.jpg ，网站下建立文件夹的名字为.asp、.asa 的文件夹，其目录内的任何扩展名的文件都被IIS当作asp文件来解析并执行。

二 是123.asp;.jpg会被服务器看成是123.asp，IIS6.0 默认的可执行文件除了asp还包含这三种/upupimage.asa/upupimage.cer /upupimage.cdx

C nginx解析漏洞。一是nginx默认Fast-CGI开启状况下,黑阔上传一个名字为upupimage.jpg，内容为’);?>的文件，然后访问upupimage.jpg/.php,在这个目录下就会生成一句话木马 shell.php。

二是Nginx在图片中嵌入PHP代码然后通过访问xxx.jpg%00.php来执行其中的代码，影响版:0.5.,0.6.,0.7 <= 0.7.65, 0.8 <= 0.8.37

D Squid爆出来的更多是拒绝服务攻击。它是一个高效的Web缓存及代理程序，最初是为Unix平台开发的，现在也被移植到Linux和大多数的Unix类系统中，最新的Squid可以运行在windows平台下。

11 以下命令可以用来获取DNS记录的是？（）

A traceroute

B ping

C dig

D who

答案：ABC

解释：

A traceroute 。该命令为追踪路由情况。可获取DNS记录。

B ping 。该命令为检测网络是否通畅。可获取DNS记录。

C dig 。linux下查询域名解析有两种选择,nslookup或者dig，如 digwww.csdn.net

D who 。该命令为查询登录linux系统的用户数目。

12 linux 环境下，查询日志文件最后100行数据，正确的方式是？（）

A mv -100 log

B grep -100 log

C cat -100 log

D tail -100 log

答案：D

解释：

A mv -100 log 。该为mv命令，是移动文件或者文件夹的，与查看日志无关。

B grep -100 log 。该为grep命令，是筛选或者匹配关键词的，与查看日志无关，但是可以配合其他命令进行查看日志。

C cat -100 log 。该命令为顺序查看命令，查看log的前一百行数据（包括空行）。

D tail -100 log。 该命令为倒序查看名，查询log文件的最后100行数据。故选择D

13 Firefox浏览器插件Hacbar提供的功能（）

A POST方式提交数据

B BASE64编码和解码

C 代理修改WEB页面的内容

D修改浏览器访问referer

答案：ABD

解释：

A POST方式提交数据。通过在hackbar勾选”Enablepost data”，hackbar可以显出示该功能。

B BASE64编码和解码。通过在hackbarc菜单栏”Encoding”，hackbar可以显出示该功能。

C 代理修改WEB页面的内容。该功能属于插件firebug的。hackbar 无该项功能。

D修改浏览器访问referer。通过在hackbar勾选”EnableReferer “，hackbar可以显出示该功能。

14 以下哪个攻击可以提供拦截和修改http数据包功能？（）

A Metasploit

B Hackbar

C Sqlmap

D Burpsuite

答案：D

解释：

A Metasploit 。 它为集成的漏洞攻击平台，具有多种攻击载荷和shell。但是无法提供拦截和修改http数据包。

B Hackbar 是用来进行sql注入、测试XSS和加解密字符串的。可以用来快速构建一个HTTP请求（GET/POST）等。但是不能拦截和修改HTTP数据包。

C Sqlmap 是用来进行sql注入，获取数据库信息和获操作系统信息，甚至注入后门webshell的，但是不能拦截和修改HTTP数据包。

D Burpsuite是可以通过设置浏览器代理进行网络渗透的，用于攻击Web应用的集成平台。可以进行拦截和修改HTTP数据包。

15 以下哪几种工具可以对网站进行自动化web漏洞扫描？（）

A hackbar

B AWVS

C IBM appscan

D Nmap

答案：BC

解释：

A hackbar 是用来进行sql注入、测试XSS和加解密字符串的。可以用来快速构建一个HTTP请求（GET/POST）等。但是不能自动化web 漏洞扫描

B AWVS 是业界非常推荐的漏洞扫描神器，它拥有数目非常多而且最强大的漏洞检测脚本，国内多数人使用破解版，它可以进行自动化web漏洞扫描。

C IBM appscan 是国外IBM安全公司的一款非常厉害的安全漏洞扫描产品，能够扫描各种生产环境的WEB，也就是说它也可以进行自动化web 漏洞扫描。

D Nmap是一款网络端口扫描工具，可以扫描各种端口及其服务甚至是系统漏洞检测，从它的NSE脚本可以看到它也可以进行WEB漏洞扫描，但是需要复杂的配置命令，故它不能进行自动化web漏洞扫描。

答案：BC