Aggregator

随着 MCP 的广泛应用，其潜在的安全漏洞和攻击面也日益受到研究人员和安全专家的关注

文章探讨了一次性密码（OTP）的安全性及其交付渠道的漏洞。短信、电子邮件和语音通话等常见交付方式各有风险：短信易受拦截或SIM卡交换攻击，电子邮件易受钓鱼攻击和账户泄露，语音通话则可能被社会工程学攻击或号码 spoofing。文章还提供了缓解这些风险的方法，并强调了选择合适交付渠道的重要性以及采用多因素认证和无密码方案的趋势。

Explore the security of OTP delivery channels like SMS, Email, and Voice. Learn about vulnerabilities and best practices for secure authentication.

The post Securing Your OTP Fortress A Deep Dive into Delivery Channel Vulnerabilities appeared first on Security Boulevard.

Pentera通过AI技术重新定义网络安全测试，实现情境化红队测试、智能API控制、动态报告生成及无阻碍支持体验。AI赋能从攻击模拟到结果分析的全生命周期，使安全验证更智能、灵活且高效。

Proxmox VE 9.0 基于 Debian 13 开发，采用最新 Linux 内核，提升硬件兼容性和性能。新增厚置备 LVM 共享存储快照支持和 SDN Fabric 功能，优化存储与网络管理。同时改进高可用性集群规则和移动界面体验。

用户在尝试将ex4文件转换为mql4时遇到困难，并请求帮助破解软件以绕过已结束的试用期。

本文探讨了 SMS OTP 在安全认证中的应用及其面临的挑战。通过分析网络拥塞、运营商过滤等问题，并提出选择可靠提供商、设计重试机制等优化策略。此外，还介绍了语音 OTP 和 AI 预测等高级技术，并展望了与生物识别结合的未来趋势。

Learn how to optimize SMS OTP delivery for secure passwordless authentication. Improve deliverability, reduce latency, and enhance user experience with OTP services.

The post Mastering SMS OTP Delivery for Secure Authentication appeared first on Security Boulevard.

Persistent trend in open-source offensive tooling & implications for defenders

Persistent trend in open-source offensive tooling & implications for defenders

文章探讨了一次性密码（OTP）在现代身份验证中的重要性，介绍了HOTP和TOTP两种生成方式及其应用，并分析了它们的优缺点和未来发展。

Explore OTP generation algorithms like TOTP and HOTP. Understand their implementation, security, and use in modern authentication systems for enhanced security.

The post Unlocking Security Mastering OTP Generation with TOTP and HOTP appeared first on Security Boulevard.

A vulnerability classified as problematic has been found in Unisite CMS 5.0. This affects an unknown part of the component Report. The manipulation leads to cross site scripting. This vulnerability is uniquely identified as CVE-2025-50754. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in LiquidFiles up to 4.1.1 and classified as very critical. Affected by this issue is some unknown functionality of the component Actionscript Feature. The manipulation leads to incorrect permission assignment. This vulnerability is handled as CVE-2025-46093. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in LiquidFiles up to 4.1.1. Affected is an unknown function of the component Actionscript File Handler. The manipulation leads to path traversal: '../filedir'. This vulnerability is traded as CVE-2025-46094. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Emsisoft Anti-Malware 2018.8.1.8923. This affects an unknown part of the component Scanning Module. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2025-29745. The attack can only be done within the local network. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Exrick xboot up to 3.3.4. It has been classified as problematic. This affects an unknown part of the component Spring Boot Admin/Spring Actuator. The manipulation leads to information disclosure. This vulnerability is uniquely identified as CVE-2025-8525. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

文章探讨了推送通知 OTP 的安全风险及其替代方案。传统 OTP 方法如短信、邮件和 TOTP 各有优缺点；新兴技术包括 passkeys、WebAuthn/FIDO2 和生物识别技术（如指纹、面部识别）。选择合适的 OTP 方法需平衡安全性与用户体验，并考虑合规性和威胁模型。此外，需实施备用机制以应对 OTP 失效情况。

Explore secure OTP alternatives to push notifications, including SMS, email, TOTP, and passkeys. Enhance your application's authentication with robust security measures.

The post Beyond Push Notifications Exploring Robust OTP Alternatives appeared first on Security Boulevard.

本文链接

主流安全大模型及应用场景侧重于非结构化数据的整理、总结、分析和建议，但还缺少最后一步——如何让大模型参与安全响应的决策，并在决策后自动化完成动作的执行。本议题将介绍，安全专家如何借助大模型，自动生成网络安全响应流程（安全剧本），并自动完成剧本的执行，由此在安全运营场景最后一公里完成大模型应用场景落地。

演讲提纲 1. 大模型在网络安全领域应用

• 发布 SecGPT 的安全厂商
• 大模型在安全领域的应用场景
• 共性不足（重分析，轻决策）

2. 安全大模型在智能决策领域应用探索

• 模型是否有能力给出合理建议
• 如何让模型给出更高质量的决策
• 模型决策结果的潜在风险

3. 安全大模型实战应用实践案例

• OWASP TOP 10 典型场景
• 大模型在 Web 攻击攻击领域的应用效果
• 降低模型决策风险的实践思路

4. 未来展望

• 让模型设计剧本 VS 让模型选择剧本
• 大模型落地安全最后一公里（能力调度）如何实现
• 终极目标：零值守无人安全运营中心

实践痛点

• 针对特定性的安全事件，如何设计响应策略
• 人工智能设计的安全策略是否可以实现全自动执行
• 距离真正零值守还有哪些问题没有解决

前沿亮点

不仅仅使用大模型对安全事件做分析，还通过安全大模型对安全事件响应作出决策，安全大模型完全决策，并最终付诸实施通过安全能力实现安全策略的落地，该环节减少对人工的依赖，减少对安全专家的依赖，是未来零值守安全运营中心的重要基础。

听众收益

• 传统安全运营的场景，痛点和困境
• 有别于安全大厂的安全运营智能化实践
• 安全大模型最后一公里所解决的问题和价值