Aggregator
CVE-2022-46364 | Oracle Communications Element Manager 9.0.0/9.0.1 SOAP server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Communications Session Report Manager 9.0.0/9.0.1 SOAP server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Banking Digital Experience 21.1/22.1/22.2 UI General server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Communications Messaging Server 8.1.0.21.0 Messaging Store server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Banking Cash Management 14.7.0.2.0/14.7.1.0.0 Accessibility server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Banking Corporate Lending Process Management 14.4/14.5/14.6/14.7 Base server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Banking Credit Facilities Process Management 14.7.1.0.0 Common server-side request forgery (Nessus ID 211909)
CVE-2022-46364 | Oracle Banking Liquidity Management 14.5.0.8.0/14.6.0.4.0/14.7.0.2.0/14.7.1.0.0 Common server-side request forgery (Nessus ID 211909)
Samsung One UI security flaw: clipboard data stored in plaintext and never expires
Pyinstaller Repack Guide
DeepMind's CaMeL Aims to Fight Prompt Injection Attacks
Chatbots' popularity has been tempered from the start by the prospect of prompt injection attacks. Google DeepMind's CaMeL aims to address the issue by reframing the problem, and applying proven security engineering patterns to isolate and track untrusted data.
AI Giants Adopt Anthropic's Standard to Connect Apps, Agents
Artificial intelligence developers including OpenAI, Google and Microsoft are adopting rival Anthropic's open standard to speed up the capabilities of their chatbots by allowing them to access daily-use software. Dubbed "Model Context Protocol," the open standard aims to make chatbots more useful.
Reborn: Cybercrime Marketplace Cracked Appears to Be Back
Just three months after being disrupted by an international law enforcement operation, the notorious online cybercrime marketplace called Cracked appears to have patched itself up and restarted operations. The recently disrupted BreachForums also claims to be back, although experts remain skeptical.
Whistleblower Warns DOGE Secretly Building 'Master Database'
A top Democrat on the House Oversight Committee sounded the alarm after a whistleblower provided information to Congress warning that staffers for the Department of Government Efficiency violated federal data laws while building a "master database" of sensitive information across federal agencies.
Compliance weighs heavily on security and GRC teams
Only 29% of all organizations say their compliance programs consistently meet internal and external standards, according to Swimlane. Their report reveals that fragmented workflows, manual evidence gathering and poor collaboration between security and governance, risk and compliance (GRC) teams are leaving organizations vulnerable to audit failures, regulatory penalties and security gaps. 51% of organizations have either received compliance warnings or fines or are concerned they could in the near future. With the stakes this high, …
The post Compliance weighs heavily on security and GRC teams appeared first on Help Net Security.
How Far Should You Let Penetration Testers Go?
Phishers abuse Google OAuth to spoof Google in a DKIM replay attack
In a rather clever attack, hackers exploited a weakness that let them send a fake email which appeared to come from Google's systems, passed all authentication checks, and pointed to a fraudulent page built to harvest login credentials.
The attackers leveraged Google's own infrastructure to trick recipients into visiting a legitimate-looking "support portal" that asked for Google account credentials.
The fraudulent message appeared to come from Google's no-reply address and passed the DomainKeys Identified Mail (DKIM) authentication check, but the real sender was someone else.
Fake email bearing Google's DKIM stamp
Nick Johnson, lead developer of the Ethereum Name Service (ENS), received what looked like a security alert from Google stating that law enforcement had served Google with a subpoena for the contents of his Google account.
Gmail even threaded it together with other legitimate security alerts, so nearly everything about it looked plausible; that would easily fool less technical users who do not know where to look for signs of fraud.
Phishing email relayed through Google's systems
However, Johnson's keen eye caught that the fake support portal linked in the email was hosted on sites.google.com, Google's free site-building platform, which raised suspicion.
On a Google domain, recipients are less likely to realize they are being targeted. Johnson said the fake support portal was "an exact duplicate of the real thing", and the only giveaway was that it was hosted on sites.google.com rather than accounts.google.com.
Fake Google support portal
The developer believes the fraudulent site's purpose is to collect credentials in order to compromise recipients' accounts.
The fake portal is the easy part of the scam to explain; the clever part is delivering a message that appears to have passed Google's DKIM verification, a so-called DKIM replay phishing attack.
A closer look at the email's details shows that the mailed-by header carries an address other than Google's no-reply, and that the recipient is a me@ address on a domain made to look as though it is managed by Google. Yet the message was genuinely signed and delivered by Google.
Mail headers reveal the real recipient and delivery address
Johnson pieced the clues together and worked out the scammers' trick. First, they register a domain and create a Google account for "me@domain". The domain itself is not especially important, but something that looks like infrastructure helps. Choosing "me" as the username is clever, the developer explained.
The attacker then creates a Google OAuth application and sets its name to the entire phishing message. Part of the way through, that name contains a large run of whitespace so that the message appears to end there, separating it from Google's notice about the app's access to the attacker's me@domain address.
When the attacker grants their OAuth app access to the email address in their Google Workspace, Google automatically sends a security alert to that inbox.
Because Google generated this email, it is signed with a valid DKIM key and passes every check. The final step is simply to forward the security alert to the victims.
The weakness in Google's system is that DKIM covers only the message body and a selected set of headers, never the SMTP envelope (the MAIL FROM and RCPT TO addresses). Forwarding the message verbatim to a new recipient changes the envelope but leaves the signed headers and body untouched, so the replayed email still passes signature verification and looks legitimate in the recipient's inbox.
Moreover, because the fraudulent address is named me@, Gmail summarizes the message as sent "to me", exactly as it would for a message addressed to the victim's own email address.
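The mechanism above, as an added example that is not code from the article, from Johnson or from Google: a toy DKIM-style signer and verifier in Python. Real DKIM (RFC 6376) signs a canonicalized list of headers plus a body hash with an RSA or Ed25519 key published in DNS; here an HMAC with a constructed key stands in for that public-key signature so the example runs offline with the standard library only. The message, addresses, domains and the `attacker-infra.example` forwarder are all constructed samples. The example goes one step beyond the text by showing the two clues a receiver can still check when DKIM passes: whether the envelope sender (what Gmail shows as "mailed by") aligns with the From: domain, and whether the signed To: header is really the address the message was delivered to.

```python
"""Toy DKIM-style sign/verify showing why a replayed Google alert still validates."""
import hashlib
import hmac
from email.utils import parseaddr

SIGNING_KEY = b"constructed-selector-key"           # assumption: stand-in for the DKIM private key
SIGNING_DOMAIN = "accounts.google.com"              # the d= tag the signer claims
SIGNED_HEADERS = ("from", "to", "subject", "date")  # the h= tag: headers the signature covers

# Constructed sample: the alert Google emits when an OAuth app (named with the
# phishing text) is granted access to the attacker's me@ mailbox.
ORIGINAL = "\n".join([
    "From: Google <no-reply@accounts.google.com>",
    "To: me@attacker-infra.example",
    "Subject: Security alert",
    "Date: Tue, 15 Apr 2025 10:00:00 +0000",
    "",
    "A subpoena requires production of your Google Account content.",
    "Review the case at https://sites.google.com/view/constructed-fake-portal",
    "",
    "(whitespace padding so the genuine OAuth notice sits far below)",
])
ORIGINAL_ENVELOPE = {"mail_from": "no-reply@accounts.google.com",
                     "rcpt_to": "me@attacker-infra.example"}


def parse(raw):
    """Split a simple, unfolded RFC 5322 message into [(name, value)] and body."""
    head, _, body = raw.partition("\n\n")
    headers = []
    for line in head.splitlines():
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def last_header(headers, name):
    """DKIM selects header instances bottom-up, so the last copy is the signed one."""
    for n, v in reversed(headers):
        if n == name:
            return v
    return ""


def _signature_input(headers, body, names):
    """Relaxed-style canonicalization: lowercase names, collapsed whitespace, body hash.
    (Real DKIM also hashes the DKIM-Signature header itself with b= blanked; omitted here.)"""
    canon = "\r\n".join(f"{n}:{' '.join(last_header(headers, n).split())}" for n in names)
    body_hash = hashlib.sha256(body.strip().encode()).hexdigest()
    return canon.encode() + b"\r\n" + body_hash.encode(), body_hash


def sign(raw):
    """Prepend a DKIM-Signature-like header. The SMTP envelope is never an input."""
    headers, body = parse(raw)
    data, bh = _signature_input(headers, body, SIGNED_HEADERS)
    b = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    sig = (f"DKIM-Signature: v=1; a=hmac-sha256; d={SIGNING_DOMAIN}; s=toy; "
           f"h={':'.join(SIGNED_HEADERS)}; bh={bh}; b={b}")
    return sig + "\n" + raw


def verify(raw):
    """True if the covered headers and the body are unchanged since signing."""
    headers, body = parse(raw)
    sig = last_header(headers, "dkim-signature")
    if not sig:
        return False
    tags = dict(t.strip().split("=", 1) for t in sig.split(";") if "=" in t)
    data, bh = _signature_input(headers, body, tuple(tags["h"].split(":")))
    if bh != tags["bh"]:
        return False
    expected = hmac.new(SIGNING_KEY, data, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tags["b"])


def forward(signed_raw, via_host, new_rcpt):
    """Model a relay (mailbox forwarding or a mailing list): it adds a Received:
    header and a new envelope but leaves the signed headers and body untouched."""
    received = f"Received: from {via_host} for <{new_rcpt}>"
    envelope = {"mail_from": f"forwarder@{via_host}", "rcpt_to": new_rcpt}
    return received + "\n" + signed_raw, envelope


def _domain(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def replay_indicators(raw, envelope):
    """Clues DKIM alone cannot give: does the envelope line up with From:/To:?"""
    headers, _ = parse(raw)
    clues = []
    if _domain(envelope["mail_from"]) != _domain(last_header(headers, "from")):
        clues.append("mailed-by domain differs from From: domain (SPF alignment fails while DKIM passes)")
    if parseaddr(last_header(headers, "to"))[1].lower() != envelope["rcpt_to"].lower():
        clues.append("To: header is not the envelope recipient (message was relayed to you)")
    return clues


if __name__ == "__main__":
    signed = sign(ORIGINAL)
    replayed, envelope = forward(signed, "mx.attacker-infra.example", "victim@example.com")
    print("original verifies:", verify(signed))
    print("replayed verifies:", verify(replayed))
    print("replay clues:", replay_indicators(replayed, envelope))
    print("tampered verifies:", verify(replayed.replace("constructed-fake-portal", "x")))
```

The replayed copy verifies because nothing DKIM covers has changed; only the envelope and a Received: header did. Editing the body (for example swapping the portal link) breaks the body hash, which is why the attacker has to put the phishing text somewhere Google will sign it, here the OAuth app name. The two indicators returned by `replay_indicators` correspond to what Johnson saw in the headers: a mailed-by domain that is not Google's, and a To: address that is not his own.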
Email authentication company EasyDMARC has also written up the DKIM replay phishing attack Johnson described, with a technical explanation of each step.
PayPal feature abused the same way
Platforms other than Google have been hit with similar tricks. In March, a campaign against PayPal users used the same method: the fraudulent messages originated from the financial company's own mail servers and passed DKIM checks.
Testing showed that the attackers used the "gift address" option to link a new email address to their PayPal account.
When adding a new address there are two fields; the attackers filled one with an email address and pasted the phishing message into the second.
PayPal then automatically sends a confirmation to the attacker's address, which forwards it to a mailing list that in turn relays it to every potential victim in the group.
PayPal scam using a similar trick
Media outlets contacted PayPal about the issue afterwards but never received a reply. Johnson also filed a bug report with Google, whose initial response was that "this process is working as intended". Soon afterwards, however, Google acknowledged that it poses a risk to users and is now working on a fix for the OAuth weakness.