Channel:
CodeSection,代码区,网络安全 - CodeSec
Spring Safety Filter Chains
When using Spring Security you map a chain of filters to URL patters to specify how those URLs are secured. These patterns can contain wildcards such as /foo/*/bar /foo/**/bar I couldn't find any docs...
View Article公链实战系列2――椭圆加密算法生成公钥、私钥
在系列1里面我们讲了Base58加密算法,今天我们来讲一讲钱包地址,也就是当你在使用比特币交易的时候的账户和密码(当然,区块链里面一般不这么叫) 总之,你理解就好。 在比特币中,公、私钥的生成采用的核心算法是椭圆加密算法(Elliptic curve cryptography)简称ECC, ECC是一种建立在公开密匙的算法,也就是非对称加密算法。 类似RSA、ElGamal算法等。...
View ArticleClik here to view.
AMR智能合约被曝遭受黑客攻击:可无限生成代币
摘要: Bianews 7月8日消息,降维安全实验室(johnwick.io)监控到AMR合约存在高危安全风险的交易。通过对代码分析,发现其中存在重要安全溢出漏洞,目前已经被人恶意利用并且进行大量增发,降维安全实验室已经对合作伙伴交易所进行高危预警并且停止风险币种交易... Bianews...
View ArticleClik here to view.
当你浏览色情网站时,很可能正在帮黑客挖矿
作者:0x2 一般网站的主要收入来源是广告,如果没有人点击广告,就等于没有收入。尤其是一些内容流量网站,就靠广告活着。但是广告能给网站带来的收入毕竟有限,穷则思变,有些网站因此盯上了虚拟货币。 全球排名前 1 万的网站中,有 2.2% 的网站正在做这种损人利己的勾当。 区块律动 BlockBeats 做了个统计,截止 7 月 9 日,全网有超过 3...
View ArticleClik here to view.
记一次手动清理Linux挖矿病毒
时间:2018年5月16日 起因:某公司的运维人员在绿盟的IPS上监测到有挖"门罗币"的恶意事件,受影响的机器为公司的大数据服务器以及其他linux服务器。 我也是赶鸭子上架第一次解决运行在Linux上的挖矿病毒事件,由于当时自己没有专门的Linux挖矿的清理工具,便开始分析IPS上提供的信息。...
View ArticleMac 下安装 cryptography 失败
在 Mac 下面安装 cryptography 依赖包,始终报错,出现 'openssl/opensslv.h' file not found 的错误。 $ pip install cryptography ... building '_openssl' extension cc -fno-strict-aliasing -fno-common -dynamic -arch i386 -arch...
View ArticleClik here to view.
区块链科普:非对称加密、椭圆曲线加密算法
区块链加密介绍 区块链加密技术 区块链技术的应用和开发,数字加密技术是关键。一旦加密方法遭到破解,区块链的数据安全将受到挑战,区块链的不可篡改性将不复存在。...
View ArticleYubikey SSH Authentication
About a year ago I bought a YubiKey Nano to use as a hardware token via the emerging FIDO protocol and for OTP. For some time I’ve been aware that it’s possible to keep a PGP keypair on the key and...
View ArticleClik here to view.
360捕获持续8年针对我国的网络间谍组织
近日,360追日团队(Helios Team)、360安全监测与响应中心与360威胁情报中心发布《 蓝宝菇(APT-C-12)核危机行动揭露 》报告,首次披露了其捕获的持续8年攻击中国大陆地区的网络间谍组织――蓝宝菇。 据报告透露,从2011年开始至今,高级攻击组织蓝宝菇(APT-C-12)对我国政府、军工、科研、金融等重点单位和部门进行了持续的网络间谍活动。...
View ArticleClik here to view.
【技术分享】fastjson <= 1.2.24 反序列化漏洞分析
fastjson是一个非常流行的库,可以将数据在JSON和Java Object之间互相转换,但是在2017年官方主动爆出了fastjson的反序列化漏洞以及升级公告 [https://github.com/alibaba/fastjson/wiki/security_update_20170315],这次我们就学习一下这个漏洞。 最终的payload会放到我的GitHub...
View ArticleHow to build an NPM worm
How to build an npm worm npm is a registry and package manager for javascript that ships as part of Node.js . It's used by tens of millions of people to install hundreds of thousands of packages...
View ArticleClik here to view.
How ‘digital transformation’ gave birth to a new breed of criminal: ‘machine-...
There’s a new breed of identity thief at work plundering consumers and companies. However, these fraudsters don’t really care about snatching up your credentials or mine. By now, your personal...
View ArticleClik here to view.
DevOps: Who Does What (Part 1)
The following is an excerpt from a presentation by Cornelia Davis, Senior Director for Technology at Pivotal, titled “ DevOps: Who Does What .” You can watch the video of the presentation , which was...
View ArticleClik here to view.
CSS2018将于8月召开 全球顶级安全大咖齐聚研讨安全驱动力
第四界中国互联网安全领袖峰会(Cyber Security Summit,简称“CSS”)将于8月27日-28日在北京国家会议中心召开。作为亚太地区规格最高、规模最大、影响最深的网络安全新生态首创平台,CSS...
View ArticleCSO Spotlight: Justin Berman, Zenefits
Justin is the CISO at Zenefits, where he leads all security and IT efforts. He brings more than a decade of security and technology experience from high-profile organizations. Previously, Justin served...
View ArticleClik here to view.
做好工业网络和关键基础设施安全态势感知的7个步骤
工业网络攻击是另一种形式的推进地缘政治议程的“经济战” 。世界各国开始意识到IT网络攻击是利益驱动的新型犯罪,我们必须看清,当前全球工业和关键基础设施,已成强大对手发起的21世纪战争中的潜在目标(无论是故意的还是连带伤害波及的)。 风暴正在形成,你准备好了吗? FBI/DHS发出的TA18-074A警报中描述的 俄罗斯对美国能源设施的渗透 ,国家支持的 Triton 和 NotPetya攻击...
View ArticleMatching disaster recovery to cyber threats
As the connected ecosystem continues to expand, it is easy to predict that cyber attacks will keep growing in rate and complexity. Research from Cybersecurity Ventures estimates that cyber attacks...
View ArticleClik here to view.
Clik here to view.
How Hackers Attack: 5-Minute Interview with Andy Robbins, Adversary...
Basically, we get paid to break into organizations, steal their data, and give them a report on how we did it,said Andy Robbins , Pen Tester and Red Team Lead at SpecterOps . Andy is one of the...
View ArticleClik here to view.
Debug NuGet packages
Using a NuGet package is a very convenient way to add a dependency to your project. However, when you have an issue with a NuGet package and you want to debug it, it's hard because you don't have the...
View Article
