安全资讯

[新闻]  2018年网络安全大事记

https://mp.weixin.qq.com/s/YvlUX8Zjp9gfAtJ6YY27BA

[法规]  公安机关办理刑事案件电子数据取证规则

http://www.mps.gov.cn/n2254314/n2254409/n4904353/c6337154/content.html

[新闻]  2018安防监控、雪亮工程项目盘点

https://mp.weixin.qq.com/s/Sz8HguJ0X13nw4ajAhxOhg

安全技术

[运维安全]  github_dis: 一款精简版github信息泄露搜集工具

https://github.com/dongfangyuxiao/github_dis/

[Web安全]  SDL最初实践-安全培训

https://mp.weixin.qq.com/s/s2D513XseLpIyE2i0UOC8Q

[数据挖掘]  基于QQ空间的说说数据的分析

https://www.jianshu.com/p/a5e1ca0c5204

[Web安全]  WAF绕过技术系列文章（二）

https://nosec.org/home/detail/2137.html

[其它]  WeiboImageReverse: Chrome 插件，反查微博图片po主

https://github.com/fei-ke/WeiboImageReverse

[漏洞分析]  子域名接管：二阶漏洞利用

http://www.4hou.com/web/15504.html

[漏洞分析]  SpEL injection(译)

https://cryin.github.io/blog/SpEL%20injection/

[数据挖掘]  网络空间测绘在网络国防中的重大意义和作用

https://mp.weixin.qq.com/s/TBmigl6-TTJNDzYCqlFc4w

[比赛]  CTF取证方法总结

http://www.4hou.com/web/15206.html

[Web安全]  SDL最初实践-开篇

https://mp.weixin.qq.com/s/tPzrWzZjRcfNZaHIa7JTWA

[恶意分析]  2018年高级持续性威胁（APT）研究报告

https://mp.weixin.qq.com/s/F5hBw_pVithLlY6ixE0q-g

[Web安全]  XML外部实体注入（XXE）漏洞学习资源及相关开源项目

https://nosec.org/home/detail/2139.html

[设备安全]  2018 年 IoT 那些事儿

https://paper.seebug.org/782/

[Web安全]  后渗透之meterpreter使用攻略

https://uknowsec.cn/posts/uncategorized/%E5%90%8E%E6%B8%97%E9%80%8F%E4%B9%8Bmeterpreter%E4%BD%BF%E7%94%A8%E6%94%BB%E7%95%A5.html

[恶意分析]  2018年全球十大APT攻击事件盘点

https://mp.weixin.qq.com/s/ja8eunPUaTqLj_smdABLTQ

[视频]  网易公开课：犯罪侦查科技

https://open.163.com/movie/2017/11/1/F/MD2P1B6R2_MD2P8LF1F.html

[运维安全]  中通内部安全通讯实践

https://xz.aliyun.com/t/3759

[漏洞分析]  项目推荐：awesome-browser-exploit

https://paper.seebug.org/780/

[漏洞分析]  利用EXCEL进行XXE攻击

https://xz.aliyun.com/t/3741

[数据挖掘]  从Lucene到Elasticsearch:全文检索实战

http://www.bugs.cc/2018/12/30/reading-notes-from-lucene-to-elasticsearch-full-text-search/

[Web安全]  关于Shiro反序列化漏洞的延伸—升级shiro也能被shell

https://mp.weixin.qq.com/s/NRx-rDBEFEbZYrfnRw2iDw

[取证分析]  首个已知 UEFI Rootkit 与 Sednit APT 有关联

https://www.solidot.org/story?sid=59167

[数据挖掘]  不解密识别恶意流量

http://www.4hou.com/web/14120.html

[设备安全]  Expliot - Internet of Things Exploitation framework

https://gitlab.com/expliot_framework/expliot

[恶意分析]  全球高级持续性威胁（APT）2018年总结报告

https://mp.weixin.qq.com/s/sSuTHTLfqAGfaBbopU8yEQ

[工具]  patoolkit: a collection of traffic analysis plugins focused on security

https://github.com/pentesteracademy/patoolkit

[观点]  从传统安全转行风控领域的心路历程，兼谈黑产和风控行业趋势

https://mp.weixin.qq.com/s/GWOjp1E2B4J0efUjFBnp8Q

[杂志]  SecWiki周刊（第252期)

https://www.sec-wiki.com/weekly/252

[移动安全]  Android SMS Stealer – Max Kersten

https://maxkersten.nl/binary-analysis-course/malware-analysis/android-sms-stealer/

[漏洞分析]  Etouch2.0 分析代码审计流程 (二) 前台SQL注入

https://www.anquanke.com/post/id/169152

[观点]  构建网络攻击响应框架的政治考量

https://mp.weixin.qq.com/s/iOq84kVblAW5a2mK2GDJwA

[漏洞分析]  菜鸟学代码审计：Xnuca2018-hardphp详细分析

https://www.freebuf.com/articles/rookie/193118.html

[取证分析]  osquery架构一览 

https://blog.spoock.com/2018/12/29/osquery-under-the-hood/

[运维安全]  浅析商业银行数据安全保护体系建设思路 

http://blog.nsfocus.net/brief-analysis-on-the-construction-of-data-security-protection-system-in-commercial-banks/

[漏洞分析]  Guardzilla IoT Video Camera Hard-Coded Credentials (CVE-2018-5560)

https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/

[漏洞分析]  Struts2-005远程代码执行漏洞分析

https://www.freebuf.com/vuls/193078.html

[Web安全]  Reflected XSS on ws-na.amazon-adsystem.com(Amazon) – newp_th – Medium

https://medium.com/@newp_th/reflected-xss-on-ws-na-amazon-adsystem-com-amazon-f1e55f1d24cf

[其它]  NSA/CSS Technical Cyber Threat Framework v2.2

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/ctr-nsa-css-technical-cyber-threat-framework.pdf

[编程技术]  Cryptography in Python Burp Extensions

https://parsiya.net/blog/2018-12-24-cryptography-in-python-burp-extensions/

[取证分析]  OSINT Resources for 2019

https://xz.aliyun.com/t/3742

[观点]  信息新时代的软件新技术

https://mp.weixin.qq.com/s/cz-zjZw3rmFQ1o0w2ciHBQ

[Web安全]  JGillam/burp-paramalyzer: Paramalyzer

https://github.com/JGillam/burp-paramalyzer

[恶意分析]  Talos 2018年恶意软件追踪调查总结

http://www.4hou.com/info/observation/15463.html

[比赛]  35c3CTF collection writeup

https://xz.aliyun.com/t/3747

[恶意分析]  atmoner/nodeCrypto: Ransomware written in NodeJs

https://github.com/atmoner/nodeCrypto

[恶意分析]  Targeted cyberattacks logbook: APT Overview

https://apt.securelist.com/#!/threats/

[恶意分析]  dreadl0ck/netcap: A framework for secure and scalable network traffic analysis

https://github.com/dreadl0ck/netcap

[漏洞分析]  区块链安全—经典溢出漏洞cve分析

https://xz.aliyun.com/t/3743

[运维安全]  ANSSI-FR/audit-radius: A RADIUS authentication server audit tool

https://github.com/ANSSI-FR/audit-radius

[论文]  Cloud Strife: Mitigating the Security Risks of Domain-Validated Certificates

https://securitygossip.com/blog/2019/01/02/cloud-strife-mitigating-the-security-risks-of-domain-validated-certificates/

[取证分析]  Harpoon: an OSINT / Threat Intelligence tool

https://www.randhome.io/blog/2018/02/23/harpoon-an-osint-threat-intelligence-tool/

[Web安全]  PHP mt_rand安全杂谈及应用场景详解

https://www.freebuf.com/vuls/192012.html

-----微信ID：SecWiki-----
SecWiki，5年来一直专注安全技术资讯分析！
SecWiki：https://www.sec-wiki.com

本期原文地址: SecWiki周刊(第253期)