【知识】9月22日 - 每日安全知识热点

热点概要：针对联网智能灯泡的安全性分析、维基解密公布新文档 揭露俄罗斯实施的大规模监控活动、[Project Zero]模糊测试5个最常用的浏览器DOM引擎 、蓝牙安全向导、针对CVE-2016-10190的详细分析、浅析Python对象注入

国内热词（以下内容部分来自：http://www.solidot.org/ ）

CCleaner 攻击者以思科微软等公司为目标

CEO 下班后逮住一个陌生人，引发经济间谍调查

资讯类：

攻击者控制WordPress、Joomla、JBoss服务器挖掘门罗币

https://www.bleepingcomputer.com/news/security/attackers-take-over-wordpress-joomla-jboss-servers-to-mine-monero/ 

维基解密公布新文档 揭露俄罗斯实施的大规模监控活动

http://securityaffairs.co/wordpress/63189/intelligence/wikileaks-russia-peter-service.html 

技术类：

针对联网智能灯泡的安全性分析

https://www.contextis.com/blog/hacking-into-internet-connected-light-bulbs 

Realmode Assembly – Writing bootable stuff – Part 5

https://0x00sec.org/t/realmode-assembly-writing-bootable-stuff-part-5/3667 

[Project Zero]模糊测试5个最常用的浏览器DOM引擎 

https://googleprojectzero.blogspot.de/2017/09/the-great-dom-fuzz-off-of-2017.html 

Windows kernel pool spraying fun – Part 4 – object & pool headers, kex & putting it all together 

https://theevilbit.blogspot.hu/2017/09/windows-kernel-pool-spraying-fun-part-4.html 

蓝牙安全向导

https://csrc.nist.gov/csrc/media/publications/sp/800-121/rev-2/draft/documents/sp800_121_r2_draft.pdf 

How I hacked hundreds of companies through their helpdesk

https://medium.freecodecamp.org/how-i-hacked-hundreds-of-companies-through-their-helpdesk-b7680ddc2d4c 

通过CISSP考试后的分享

https://secvul.com/topics/804.html 

新的FinFisher监控活动：是否涉及互联网提供商？

https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/ 

小心Bashware：恶意软件绕过杀软的新方法

https://research.checkpoint.com/beware-bashware-new-method-malware-bypass-security-solutions/ 

uTest：针对Scala的测试框架

http://www.lihaoyi.com/post/uTesttheEssentialTestFrameworkforScala.html 

CVE-2016-10190详细分析

https://nandynarwhals.org/cve-2016-10190/ 

在Windows上编译Classic  POSIX子系统的可执行文件

https://blog.ret2.io/2017/09/20/subsystem-posix/ 

浅析Python对象注入

http://defencely.com/blog/defencely-clarifies-python-object-injection-exploitation/ 

metasploit low-level overview (encoders/paylaods review)

https://www.exploit-db.com/docs/18532.pdf 

CSP bypass by setting innerHTML on a same-origin page lacking CSP 

https://bugs.chromium.org/p/chromium/issues/detail?id=764518 

Controlling an RC car using GNU Radio and HackRF

https://www.youtube.com/watch?v=IOKOJIK2kU8&feature=youtu.be 

OS X Kernel Exploit 기초 (OS X 10.12 Sierra)

http://theori.io/research/korean/osx-kernel-exploit-1 

Email attachment using CVE-2017-8759 exploit targets Argentina 

https://isc.sans.edu/diary.html 

dorkbot:Command-line tool to scan Google search results for vulnerabilities 

https://github.com/utiso/dorkbot