今日已更新 166 条资讯 | 累计 20138 条内容
关于我们

标签:#cybersecurity

找到 166 篇相关文章

AI 资讯

Hacking Meta’s AI Chatbot

Hackers are convincing Meta’s AI support chatbot to let them take over other peoples’ accounts: A video posted on X showed the step-by-step process to hack someone’s Instagram account. The hacker allegedly used a VPN to spoof the targets’ presumed location to avoid triggering Instagram’s automated account protections. Then, the hacker opened a chat with Meta AI Support Assistant and asked the bot to add a new email address to the target’s account. The chatbot can be seen sending a verification code to the email address provided by the hacker; the hacker then shares the verification code with the chatbot, which prompts the chatbot to show a button to “Reset Password.” The hacker enters a new password and takes over the victim’s account...

2026-06-04 原文 →
AI 资讯

A Deep Dive into Cleaning Persistent WordPress Malware and Hardening the REST API

The Hook: The 48-Hour Re-Infection Nightmare It’s a scenario that keeps e-commerce founders and agency directors awake at night: You wake up to a critical alert that your flagship WordPress site is redirecting users to a spam domain. You immediately deploy a premium security plugin, run a deep scan, quarantine three suspicious files, and breathe a sigh of relief. The scanner gives you a green checkmark. You're safe. Then, exactly 48 hours later, the redirects return. What went wrong? The automated scanner checked the surface, but the attacker had already established a foothold deeper in the architecture. They didn't rely on a loose PHP file in your uploads directory; instead, they weaponized an overlooked, unauthenticated WordPress REST API endpoint to re-inject the payload the moment your scanner turned its back. When high-value enterprise sites are compromised, treating the symptoms with standard security plugins is like putting a band-aid on a structural fracture. To truly remediate a persistent infection, you must think like a forensic analyst, hunt down hidden persistence mechanisms, and harden the application perimeter. The Anatomy of Persistence: Where Malware Hides Modern WordPress malware is sophisticated. Attackers know that standard security tools look for modified core files or rogue scripts in the /wp-content/plugins/ directory. To survive cleanups, they embed themselves into the core infrastructure of your site using three primary vectors: 1. wp-config.php Pre-Loading Attackers frequently inject obfuscated code directly into the top of wp-config.php . Because this file executes before the rest of the WordPress core loads, malware can hook into the initialization process, silently recreating deleted malicious files every time a page is requested. 2. Malicious Must-Use (MU) Plugins Files placed in /wp-content/mu-plugins/ are executed automatically by WordPress and cannot be disabled from the admin dashboard . Attackers love this directory. They will ofte

2026-06-03 原文 →
开源项目

Your ATT&CK Heatmap Is Counting Rules, Not Coverage

Every detection vendor ships a MITRE ATT&CK heatmap, and every one of them is mostly green. Broad coverage, techniques lit up across the board, a reassuring wall of color in the sales deck and the board slide. It's the universal flex. We cover the matrix. Then you parse the actual rules – the real YAML in the public repo, not the marketing layer on top of it – and the green collapses into three tactics. Everyone covers execution and persistence. Almost nobody covers discovery, lateral movement, or collection. The heatmap wasn't measuring coverage. It was counting rules, and counting them in a way designed to look complete. What a green cell actually means A green cell in a Navigator layer means one thing: at least one rule somewhere references that technique tag. That's it. Not "we detect this reliably." Not "this fires on real attacks and stays quiet otherwise." Not "this survives an attacker who knows the rule exists." One rule that names the technique in its metadata turns the cell green, and forty rules turn it the same shade. Unless the layer is scored by rule count – and most published heatmaps aren't – one and forty are indistinguishable. I've written before that an untested detection isn't a detection, it's a query that runs on a schedule. The heatmap is the same lie one level up. A green matrix isn't coverage. It's a wall of queries that run, rendered in a color that means "present," dressed up as a color that means "protected." The vendor knows the difference. The buyer staring at the green doesn't. You can measure the real shape yourself Here's the part the heatmap marketing depends on you not doing: the rules are public, and you can count them. SigmaHQ, Elastic's detection-rules, Splunk ESCU, Panther, Sublime – all on GitHub, all tagged with attack.TXXXX technique IDs and tactic tags in the rule metadata. The method is boring on purpose. Walk the rule directories. Pull the ATT&CK tags out of each rule. Aggregate by technique, roll the technique counts up

2026-06-03 原文 →
AI 资讯

The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites

id CTI-2026-0603-NETSCALER title The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites subtitle CVE-2026-3055: a March-disclosed SAML IdP information-disclosure flaw escalates in June — the gap between the "RCE" label and the real impact author Dennis Kim (김호광 / HoKwang Kim) email gameworker@gmail.com github gameworkerkim date 2026-06-03 classification TLP:GREEN severity CRITICAL lang en tags Edge-Device · Pre-Auth · Memory-Overread · Session-Hijack · SAML-SSO · CitrixBleed · CISA-KEV threat_actors Unattributed (likely a mix of ransomware and state-sponsored actors) cve CVE-2026-3055 (CVSS 9.3 v4.0 · CISA KEV) · related CVE-2026-4368 (CVSS 7.7) frameworks MITRE ATT&CK · NIST SP 800-61 · NIST SP 800-207 (Zero Trust) · CISA KEV · STIX/TAXII license CC BY-NC-SA 4.0 🚨 Heads-up: this is a VPN/remote-access issue — check your company's appliances now. If your organization runs Citrix NetScaler Gateway (the VPN / remote-access front door) or NetScaler ADC with SAML SSO enabled, you may be directly exposed to active, large-scale exploitation. Don't wait for a formal advisory to land in your inbox — inventory your internet-facing NetScaler appliances today , confirm patch level, and (critically) invalidate active sessions after patching . The details below explain why patching alone is not enough. The Third Shadow of CitrixBleed — Large-Scale Exploitation of a NetScaler Memory Overread Reignites Report ID CTI-2026-0603-NETSCALER · Published 2026-06-03 · Classification TLP:GREEN · Severity 🔴 CRITICAL Author Dennis Kim (김호광) · gameworker@gmail.com · @gameworkerkim CVE-2026-3055: a March-disclosed SAML IdP information-disclosure flaw escalates in June — the gap between the "RCE" label and the real impact Table of Contents Executive Summary (TL;DR) Opening — "An edge device, once it leaks, keeps leaking" Vulnerability Analysis — CVE-2026-3055 Memory Overread "RCE" or "Information Disclosure"? — Decomposing the Real Impact Timeline —

2026-06-03 原文 →
AI 资讯

How I Wrote a SOC-Grade Endpoint Investigation Playbook Without Being a Security Engineer

My father worked in IT for over thirty years, and growing up around that shaped how I thought about computers. The earliest memory I have is sitting in my father's lap as he does something on his computer. One of the oldest photos I have is of me sitting on a chair in front of a computer. I grew up idolizing him. I switched to Linux when I was 12, by myself. I taught myself scripting, picked up programming basics, and spent more time in a terminal than most adults I knew. I have memories of sitting on the roof at 13 with my laptop, trying to crack my neighbor's WiFi with aircrack-ng (they were aware of my endeavors). However, growing up in a politically volatile neighborhood (Lyari) also made me politically aware and literate from a young age. With that, I developed an interest in political science and philosophy. I sat my A levels in economics and sociology, and I did not look back. For the next few years, the technical side of my life became just a habit rather than a professional direction. Then I realized I do not have to choose one or the other. I can carry on doing both. Today, I am an academic and technical editor. The social sciences gave me the writing skills: reading long blocks of dense theory, explaining abstract concepts in plain language, writing long analytical essays. And I understand technical concepts well enough to work with them seriously. I thought of synthesizing both. When I started building a technical writing portfolio, cybersecurity documentation felt like a natural place to go. Not because I had operational experience, but because I had grown up adjacent to that world. I understood the culture, the tooling, and the mindset, even if I had never worked a SOC shift. I knew I wanted to cover security documentation. Security teams produce some of the most consequential written work in any organization, and most of it is poorly structured, inconsistently formatted, or written for the person who already knows the answer rather than the person who

2026-06-03 原文 →
AI 资讯

The Intersection of Encryption and AI

As part of their 20th Anniversary celebration, Dark Reading asked five cybersecurity industry leaders who wrote blogs or columns for them over the years to select their favorite piece and share their reflections on the topic today. This is my section. Renowned technologist and author Bruce Schneier contributed a column on June 20, 2010, warning about cryptography’s inability to secure modern networks , a point he says he has been trying to argue since 2000. “For a while now, I’ve pointed out that cryptography is singularly ill-suited to solve the major network security problems of today: denial-of-service attacks, website defacement, theft of credit card numbers, identity theft, viruses and worms, DNS attacks, network penetration, and so on...

2026-06-02 原文 →
AI 资讯

NAT, SNAT, DNAT, PAT & Port Forwarding Explained Without the Networking Headache

Most people use these technologies every day. Almost nobody knows they exist. Every time you open YouTube, browse Instagram, join a Zoom meeting, or play an online game, your router is quietly performing a series of networking tricks behind the scenes. Those tricks have names: NAT SNAT DNAT PAT Port Forwarding They sound intimidating. They're actually much simpler than they appear. Let's break them down using something familiar: your home Wi-Fi. The Problem the Internet Had to Solve Imagine a family of five living in one house. Everyone owns a device: Laptop Phone Smart TV Gaming Console Tablet Each device needs internet access. The problem? Your Internet Service Provider usually gives you only one public IP address . Something has to manage all those devices sharing a single internet connection. That's where NAT comes in. NAT: The Receptionist of Your Network NAT stands for Network Address Translation . Think of NAT as a receptionist in an office building. People inside the building have room numbers: Laptop = Room 101 Phone = Room 102 TV = Room 103 But when communicating with the outside world, everyone uses the building's main address. The receptionist keeps track of who sent what. Your router does exactly the same thing. What Happens When You Visit Google? Inside your home: Laptop 192.168.1.10 Your router: Public IP 49.x.x.x When you open Google: 192.168.1.10 ↓ Router ↓ 49.x.x.x ↓ Google Google never sees your private IP. It only sees your router's public IP. That's NAT in action. SNAT: Changing the Sender's Address SNAT stands for Source Network Address Translation . The keyword is: Source It changes the sender's address. Before leaving your network: Source: 192.168.1.10 After SNAT: Source: 49.x.x.x The router replaces your private IP with its public IP. Without SNAT, websites wouldn't know how to send responses back to you. Real-Life Example Imagine mailing a letter. Instead of writing your bedroom number as the return address, you write the house address. Tha

2026-06-02 原文 →
AI 资讯

PREDICTION-20260601-0008: boredom-with-asymmetric-leverage [2026-Q3 through 2027-Q1]

From the motivation-pattern-log — a public, dated, falsifiable prediction log for AI-era cybersecurity attack patterns grounded in motivation analysis. Predictions are scored quarterly against stated falsifiers. PREDICTION-20260601-0008 Created: 2026-06-01 Pattern: boredom-with-asymmetric-leverage Substrate: Open-source package registries (npm, PyPI, Crates.io, Packagist) and GitHub Actions CI/CD workflow injection Leading indicator observed: Four distinct, concurrent, cross-registry supply chain campaigns (TrapDoor: 34 packages across npm/PyPI/Crates.io; Megalodon: 5,718 automated commits to 5,561 GitHub repos in six hours; Packagist compromise of 8 packages; Laravel-Lang PHP credential stealer) appeared within a 72-hour window in 2026-W22, all exhibiting automation signatures — throwaway publisher accounts, wave publishing, base64-encoded shell payloads, off-the-shelf delivery via GitHub Releases — consistent with toolkit operation rather than bespoke tradecraft. npm's reactive rollout of 2FA-gated publishing signals registry operators recognizing volume pressure. Predicted window: 2026-Q3 through 2027-Q1 Predicted shape: Automated, low-sophistication credential-stealing and backdoor-planting campaigns against npm, PyPI, Crates.io, and Packagist will continue to increase in incident volume while average per-campaign novelty declines. The dominant operational signature will be scripted account creation, automated package publication across multiple registries simultaneously, and CI/CD workflow injection via forged or compromised GitHub bot identities — all executable with commodity toolkits requiring no original exploit development. At least two registry operators beyond npm will announce reactive publishing controls (mandatory 2FA, namespace-squatting detection, automated malware scanning with publication holds) within the window in direct response to volume pressure. Security vendors will report a measurable increase in "unsophisticated supply chain" incidents re

2026-06-02 原文 →
AI 资讯

为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南

为什么使用代理总弹出“安全验证”?深度解析 Cloudflare 拦截机制与避坑指南 在互联网开发、跨国办公或日常浏览中,使用代理(如 VPN、机场、Socks5、OpenVPN/WireGuard 协议等)已经是不可或缺的技能。 然而,许多人在开启代理后,访问国外网站(如 Dev.to、GitHub、Medium 等)时,频繁遭遇如下提示: Performing security verification This website uses a security service to protect against malicious bots. This page is displayed while the website verifies you are not a bot. 甚至更让人崩溃的是,有时候点击了验证码,它依然不断刷新,陷入 无限验证死循环 。这并不是你的系统或浏览器损坏了,而是代理网络的特性触发了现代 Web 安全防御机制。本文将从技术原理深入拆解这一现象,并提供切实可行的优化方案。 一、 核心原理:网站安全服务是如何盯上你的? 现代网站大多会部署 Cloudflare(如 Turnstile 验证) 、Akamai、Imperva 等网络安全与防 DDoS 攻击服务。这些服务通过以下几个维度来评估访问者是“真实人类”还是“恶意机器人(Bot)”: 1. IP 信誉度(IP Reputation)与“连坐”机制 这是最核心的技术原因。代理服务商(特别是商业 VPN 或公共机场)所使用的 IP 地址,绝大多数属于 数据中心(Data Center)机房 IP ,而非普通家庭的 住宅(Residential)IP 。 高密度共用: 同一个代理 IP 节点上,可能同时有成百上千个用户在发起请求。 黑名单牵连: 如果该 IP 下的其他匿名用户正在使用自动化脚本抓取数据、进行端口扫描,或者发起恶意网络攻击,安全系统的风控引擎(如 Cloudflare IP Threat Score)就会瞬间拉高该 IP 的风险等级。当你恰好切换到这个“脏 IP”时,就会被系统无差别“连坐”,要求强制验证。 2. 被动指纹识别(Passive Fingerprinting)与几何特征 安全防御系统不仅看你的 IP 归属地,还会通过深层网络和浏览器几何特征来判断你的真实身份: TLS/SSL 握手特征(JA3 指纹): 当你通过一些特定协议或混淆模式(如带有特定加密的 TCP 隧道)连接网站时,浏览器发出的 TLS 握手特征可能会发生形变。 TCP/IP 栈特征: 经过代理服务器的转发,数据包的 TTL(生存时间)、Window Size(TCP 窗口大小)等底层参数可能会与你浏览器宣称的操作系统(如 Windows 11 或 Ubuntu 24.04)的标准特征不匹配。 浏览器画布与几何指纹(Canvas/Geometry): 浏览器的窗口大小、屏幕分辨率以及它们的比例,也是风控系统评估的重要指标。 自动化爬虫脚本(如 Selenium、Puppeteer)在启动时,常常使用死板的默认分辨率(如完美的 1024x768 或 800x600 )。如果你的代理 IP 本身信誉度低,窗口又处于这些“机器人专属分辨率”下,或者网页窗口大小与物理显示器分辨率比例极其诡异(例如伪造环境时穿帮),就会直接触发拦截。 3. 环境与地缘标签冲突(以 Yandex 浏览器为例) 风控系统对你使用的浏览器品牌同样有一套风险权重评估。 如果你使用的是 Yandex 浏览器 或某些小众、经过重度隐私魔改的浏览器,在配合代理时会变得 极其难通过验证 。Yandex 浏览器虽然基于 Chromium 内核,但其内部由俄罗斯团队集成了大量独特的隐私保护技术与 Canvas 渲染机制,计算出的浏览器指纹非常非主流。 更致命的是 地缘标签冲突 :欧美的主流网络安全公司(如 Cloudflare)对特定区域标签的客户端流量天然设置了更低的信任阈值。当你 用着 Yandex 浏览器 ,IP 却 挂着美国或日本的代理 时,这种“指纹与地理位置的剧烈冲突”在风控模型眼里极度反常,系统会判定该请求大概率来自自动化黑客工具,从而直接卡死验证。 4. 地理位置与行为“瞬移” 如果你的代理客户端开启了“负载均衡”或“定时自动切换节点”,可能会导致前一分钟请求来自日本,后一分钟请求来自美国。这种超越物理极限的“空间瞬移”属于高风险异常行为。此外,如果通过代码 瞬间改变 窗口尺寸,而非人类拖拽时产生的连续 resize 事件,也会被风控脚本捕捉到异常。 二、 实战优化:如何彻底摆脱“无限验证”死循环? 要彻底解决或缓解这个问题,可以根据实际的使用场景,从 节点筛选 、 路由分流 以及 浏

2026-05-30 原文 →
产品设计

My First Cybersecurity Writeup – VAPT Experience

Overview This is my first real-world cybersecurity VAPT experience inside an enterprise insurance company environment. I worked across network infrastructure, web applications, internal devices, and physical security — and learned how professional security assessments are actually performed beyond labs and CTFs. Introduction I am a cybersecurity enthusiast focused on SOC operations, web application penetration testing, and vulnerability assessment. In this engagement, I worked on assessing the security posture of an insurance company across its network infrastructure, devices, web applications, and physical security controls. This was my first real-world experience working in an enterprise environment, and initially I was not fully confident about the workflow. However, with the guidance and support of my senior, I was able to understand the process step by step and actively contribute to the assessment. Objective Identify security vulnerabilities across network, web, and internal systems Assess exposure of critical assets Analyze potential attack paths in the environment Evaluate basic physical security controls Scope of Work Network infrastructure assessment Web application security testing Device-level security review Basic physical security evaluation Tools Used Nessus (vulnerability scanning) Burp Suite (web application testing & request interception) Nmap (network discovery & port scanning) GVM / OpenVAS (vulnerability assessment) OWASP ZAP (automated web scanning) Wireshark (packet analysis & traffic inspection) Approach / Methodology Performed network discovery using Nmap to identify active hosts and open ports Conducted vulnerability scanning using Nessus and GVM to detect known security issues Analyzed web application behavior using Burp Suite and OWASP ZAP Intercepted and inspected HTTP/HTTPS traffic to understand request/response flow Used Wireshark to analyze packet-level communication and detect anomalies Evaluated system exposure across internal devic

2026-05-29 原文 →
AI 资讯

GHES Key Rotation, Bug Bounty Program Refocus, AI Agent Permission Fatigue

GHES Key Rotation, Bug Bounty Program Refocus, AI Agent Permission Fatigue Today's Highlights This week's top security news features critical action for GitHub Enterprise Server users with a signing key rotation due to an ongoing investigation. We also cover GitHub's strategic refocusing of its bug bounty program for higher quality submissions and an interactive look at AI agent permission fatigue. Investigation update: GitHub Enterprise Server signing key rotation (GitHub Blog) Source: https://github.blog/security/investigating-unauthorized-access-to-githubs-internal-repositories/ This alert details a critical security update for GitHub Enterprise Server (GHES) customers, urging immediate action to rotate signing keys. The blog post indicates an investigation into unauthorized access to GitHub's internal repositories, which has necessitated this widespread security measure. While specific details of the breach or vulnerability are not fully disclosed, the requirement for a signing key rotation points to a potential compromise of cryptographic keys, which are fundamental to authentication and supply chain integrity. Such incidents could lead to unauthorized code signing, repository tampering, or other severe supply chain attacks, underscoring the importance of robust secrets management and incident response protocols. The advisory emphasizes a proactive stance for GHES administrators to protect their environments by following the provided guidance. This incident highlights the pervasive risk of supply chain attacks and the critical role of secure key management in enterprise environments. It reminds organizations that even trusted platforms like GitHub are targets and necessitates vigilant monitoring and swift action in response to security advisories. The prompt action from GitHub, though implying a significant security event, also showcases their commitment to transparency and securing their ecosystem by guiding customers through the necessary remediation steps to

2026-05-29 原文 →