Aggregator

结合iscc一道决赛题目hachimi进行讲解

前言在当今移动应用安全领域，代码混淆技术已成为保护商业应用知识产权、抵御逆向工程的重要手段。其中，OLLVM（Obfuscator-LLVM）作为一款强大的开源混淆工具，通过多种高级混淆技术（如字符串加密、控制流程平坦化、指令替换等），显著增加了逆向分析的难度，使开发者能够有效保护核心算法与业务逻辑。然而，随着混淆技术的日益复杂，传统的静态分析方法往往难以奏效，需要借助动态分析工具进行辅助。Fri

通过分析 Web 业务逻辑，利用 OAuth 认证流程中的 CSRF 缺陷成功接管管理员权限； 利用 SQLite 数据库的 load_extension 特性加载过def的恶意dll； 利用 Windows DPAPI 机制还原用户敏感凭据，并最终定位到主机安全软件 Failure2Ban 的配置缺陷，通过编写 C 语言利用代码实施竞态条件（Race Condition）攻击，成功在服务重启间隙

延续House of Orange对Top chunk的利用思路，进行新的利用手法，可以在任意glibc版本下，通过无free函数进行堆利用

我们结合2021年的西湖论剑，讲解一下这个利用组合

Vannadium has launched Leap, a platform that combines blockchain-level data integrity with real-time, on-chain performance. As AI is adopted in sectors like healthcare, finance, and supply chain, the reliability of underlying data has become a critical concern. Leap addresses this by helping organizations prove what’s true. Leap allows secure storage and streaming of high-value data—video, documents, logs, and more, directly on chain, with full provenance and access control. It turns blockchain into a foundation for … More →

The post Vannadium’s Leap combines on-chain performance and data integrity for explainable AI appeared first on Help Net Security.

Critical vulnerabilities in ChatGPT allow attackers to exfiltrate sensitive data from connected services like Gmail, Outlook, and GitHub without user interaction. Dubbed ShadowLeak and ZombieAgent, these flaws exploit the AI’s Connectors and Memory features for zero-click attacks, persistence, and even propagation.​ OpenAI’s Connectors enable ChatGPT to integrate with external systems such as Gmail, Jira, GitHub, […]

The post New ChatGPT Flaws Allow Attackers to Exfiltrate Sensitive Data from Gmail, Outlook, and GitHub appeared first on Cyber Security News.

Cyera announced a $400 million Series F funding round, bringing its total funding to over $1.7 billion. This raise comes just over six months after the previous round and triples the company’s valuation from a year ago to $9 billion. The round was led by funds managed by Blackstone and supported by all inside investors including Accel, Coatue, Cyberstarts, Georgian, Greenoaks, Lightspeed Venture Partners, Redpoint, Sapphire, Sequoia Capital, and Spark. The adoption of AI among … More →

The post Cyera secures $400M to scale AI-native data security platform and enterprise adoption appeared first on Help Net Security.

Caracas went dark just as U.S. forces moved to seize Venezuelan leader Nicolás Maduro on Saturday. The blackout did more than hide troops; it showed how malware can shape modern battles. U.S. Cyber Command and allied units are believed to have deployed a grid‑focused payload inside Venezuela’s power operator. Once triggered, the code quietly opened […]

The post Trump Signals U.S. Cyber Role in Caracas Blackout During Maduro Capture appeared first on Cyber Security News.

В Камбодже задержали человека, которого на Западе называют одним из ключевых «архитекторов» скам-индустрии региона.

唉，时间，你慢点走呗。

In this blog, we show union-type structured output allows AI agents to handle uncertain outcomes, critical for auditable and accurate vulnerability triage.

The post Embracing Uncertainty with AI Agents: Vulnerability Assessment using Pydantic AI appeared first on Realm.Security.

The post Embracing Uncertainty with AI Agents: Vulnerability Assessment using Pydantic AI appeared first on Security Boulevard.

Microsoft has launched a native Slack-to-Teams migration tool in the Microsoft 365 admin center, simplifying the transition for organizations migrating collaboration workloads. This feature supports transferring public and private channel content directly into Teams equivalents, preserving messages and continuity.​ The tool enters public preview via Targeted Release in early December 2025, with rollout completion by […]

The post Microsoft Unveils a New Tool to Migrate from Slack to Microsoft Teams appeared first on Cyber Security News.

A powerful integration between Azul and OpenRewrite enables enterprises to automatically identify and remove unused and dead code.

The post How to Automate Safe Removal of Unused Code appeared first on Azul | Better Java Performance, Superior Java Support.

The post How to Automate Safe Removal of Unused Code appeared first on Security Boulevard.

The security landscape faced a significant challenge just before the year’s end with the emergence of ConsentFix, an ingenious OAuth-based attack that exploits legitimate authentication flows to extract authorization codes from Microsoft Entra systems. This attack represents an evolution of the ClickFix technique, demonstrating how attackers continue to refine their methods to compromise cloud-based authentication […]

The post New OAuth-Based Attack Let Hackers Bypass Microsoft Entra Authentication Flows to Steal Keys appeared first on Cyber Security News.

The internet never stays quiet. Every week, new hacks, scams, and security problems show up somewhere. This week’s stories show how fast attackers change their tricks, how small mistakes turn into big risks, and how the same old tools keep finding new ways to break in. Read on to catch up before the next wave hits. Honeypot Traps Hackers Hackers Fall for

Bryan Fleming, founder of pcTattletale, pleads guilty in a landmark federal spying case. Read how an undercover HSI sting and a data breach ended a decade of illegal stalkerware sales.

Although the list does not include what are perceived to be the more consequential multilateral bodies shaping global cyber governance and state behaviour in cyberspace, some of the organizations play a role in shaping international law broadly.

Microsoft is working to fix an Exchange Online service outage that intermittently prevents users from accessing their mailboxes via the Internet Mailbox Access Protocol 4 (IMAP4). [...]