The cybersecurity industry had been in the news recently after some tech giants faced some of the biggest data breaches. This has given rise to numerous startups ready to protect companies from cyber threats.

Singapore-headquartered information security risk management start-up CloudSEK offers cybersecurity platform powered by machine learning and promises to build a risk-free digital security ecosystem.

The startup’s SaaS-based flagship product X-Vigil is a unified risk management platform, and the result of the company’s four years of diligent research and development efforts. Another product named Cloudmon, tracks network and application related security issues associated with the client. CloudSEK, recently, raised $1.97 Million in its Pre-Series A investment led by Exfinity Venture Partners and StartupXseed.

Expanding The Global Footprint

The startup will leverage the freshly raised funds to evolve its product XVigil. Furthermore, it will also use the funds to expand its footprints in India and South East Asia. After establishing itself as a preferred cybersecurity solution in the financial, e-commerce and transportation sector, CloudSEK now plans to target the pharmaceuticals, petrochemicals and retail industry. Federal Bank, Go-Jek, Bank Bazaar, HDFC Bank and Grab Taxi are in CloudSEK’s client list, five of which are unicorns.

Brainchild of Rahul Sasi, CloudSEK entails his journey from being a college dropout to becoming a successful tech entrepreneur. Being criticized for dropping out of engineering college and predicted for a career failure, Rahul continued his journey as an ethical hacker and security expert through his successful career.

Commenting on the post-funding plan Sourabh Issar, the chief executive officer, CloudSEK said, “Being a product-only organization, our revenues are primarily generated through license sales. This investment for us is a vote of confidence from some of the eminent architects of the Indian IT Industry. We plan to utilize the funds to develop the existing products and expand our presence in India as well as South East Asia.”

Building A Risk-free Ecosystem

CloudSEK has been helping organizations by providing them with timely, specific and actionable intelligence, thereby preventing digital security infractions. The start-up promises to build a risk-free cybersecurity ecosystem in Asia.

According to Chinnu Senthilkumar, General Partner & chief technology officer, Exfinity Venture Partners, the losses due to cyber-related crime, worldwide, is estimated to be upwards of USD 600 Billion. Globally, Cyber Attacks are on the rise and about 500,000+ Cyber Attacks have already been reported in India in 2018.

“Many cyber attacks are targeted towards BFSI networks, Government Departments and may potentially end up targeting power grids, oil and gas pipelines which have the potential to cripple any economy. With companies increasingly adopting cloud solutions, CloudSEK's unique non-intrusive solution can detect digital footprint leakages of any enterprise in real-time helping the CSOs to strengthen the Cyber-Defence,” he said.

Ever since the dawn of the internet, there has been a type of malicious activity almost immune to technological advancement in cybersecurity ― social engineering. Nowadays, the target of these practices can be even you and your cryptocurrencies.

Phishing is a type of attack which relies on the fallibility of human judgment and perception. Phishing, the most widespread form of attack, is regularly used to extract sensitive data such as credit card numbers, SSN, passwords, and other confidential information from unknowing users online by letting them submit this information directly to the attacker.

Your internet browser and software wallets are often susceptible to malware and tricks implemented to mislead you or lure out information which should never get online. Your Trezor device, however, stays offline and is isolated from these attempts to misdirect you. The fundamental purpose of your Trezor device is to keep your recovery seed isolated. You should always look at your device for confirmation of all operations, especially when working with your recovery seed. Your computer should never require the use of your seed without the device knowing it.

Moreover, if you ever need to use the recovery seed to access your accounts, the device will always instruct you to enter the words in a shuffled order. We recommend entering the words of your seed directly on the device to maximize the safety of this operation.

There is a variety of phishing techniques which could be used to carry out an attack. In this article, we offer you some basic knowledge and tips on how to protect yourself against these kinds of malicious attempts.

The Impersonation techniqueis one of the fastest to carry out and technologically simplest to implement. The attacker usually impersonates a Customer Service agent or Sales representative and tries to lure sensitive information from an unaware user using emails, phone communication or a spoofed website.

Trezor (SatoshiLabs) representatives will never ever ask for your recovery seed (in any form) or a credit cardnumber.

If you ever have a problem with your device or have some questions about Trezor-related issues, be sure to reach out to us only by submitting a ticket in ourSupport Center.

We do not provide phone call or live technical support. Do not call numbers who claim to be associated with the Trezor Support team.

Many phishing techniques aim to get you to a fraudulent site where all inputs are collected and controlled by the attacker. Similarly to the impersonation techniques, these are also designed to rob you of your private keys.

DNS poisoning technique takes advantage of how the Domain Name System works and sends the visitor off in the wrong direction, making the site appear to be offline or even redirecting users to a server the attacker controls. On the other hand, BGP hijacking is a process of taking control of a group of IP prefixes assigned to a potential victim. Both methods can be identified by an invalid SSL certificate, but users can skip the warning very quickly, leading them to the malicious site. It is, therefore, crucial to be wary of all signs , especially when working with something as important as cryptocurrencies.

The Unicode domain phishing attack, also known as IDN homograph attack, relies on the fact that the affected browsers show Unicode characters used in domain names as ordinary characters, making them virtually impossible to separate from legitimate domains. If an attacker can register a domain that is visually indistinguishable from a legitimate one, he can trick users into trusting the site.

Cybersquatting refers to illegal domain name registration or use. It can have many different forms, but its primary purpose is to steal or misspell a domain name. Cybersquatting can also include advertisers who mimic domain names that are similar to famous, highly trafficked websites.

Never enter your recovery seed online in a straight sequence and never disclose the order of thewords.

So, what is it you should be focusing on to protect yourself against being a victim of a phishingattack?

Trezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.

Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.

You know that you need to be backing up your computer (and other devices). Using an online backup service is a good way to do this automatically. But how secure are online backups? Let’s see how to use a feature offered by some backup services to ensure that only you can access your data.

Get the audio podcast version of this post .

Note: this post contains affiliate links.

You run the risk of losing the data on your computer (and other devices). Here are a few ways:

A backup you keep in your home isn’t good enough, because that backup could be destroyed at the same time as your device, by many of the same causes listed above. So, it’s wise to use online backups (sometimes called cloud backups ).

When you install backup software on your device, most software will create an encryption key for you. The creator of the backup software will store that key with your account. Because the key is able to decrypt your data (make it readable), this gives the company the ability to access your data! You may think, “I trust the company, so what’s the problem?” Maybe you trust the company itself, but do you trust every one of its employees? And what if the company is hacked? Or what if a government (one in your country or a foreign one) wants to see your data? For these reasons, it’s best to use your own encryption key.

Instead of letting the backup software create your encryption key, and letting the backup company store that key, you should create your own encryption key and store it yourself. Different companies have different terms for this. You may see it called private encryption key , user-owned encryption key , user-defined encryption key , custom encryption key , or something similar.

When you create a private encryption key, your data is encrypted with that key. So if you’re the only one with the key, you’re the only one who can access your data! That means employees at the backup company can’t, hackers can’t, and governments can’t. (Note that encryption can be broken by thosewith enough resources and time. But that shouldn’t stop us from protecting our data.)

Your encryption key is like a password, so you should make it strong , just as you’d make a password strong. That means making it long (the more characters, the better), with a variety of character sets (uppercase, lowercase, numbers, special characters).

Now, this is important! If you lose your encryption key, you won’t be able to access the data you’ve backed up . Remember, the backup company doesn’t have your key, so they can’t help you. You must store your key somewhere safe . I recommend putting it in your password manager (I like LastPass ).

When choosing a cloud backup service, read the security and privacy sections of their website. Look for the words encrypt and key . Also, check their privacy policy to see how they handle requests from law enforcement. Why? What if you’re not trying to hide from law enforcement? Well, it’s not necessarily about hiding from law enforcement. The reason it matters is that if the company can give your data to law enforcement, that means the company can access your data , which means any rogue employee at the company, or anyone who hacks the company, can also access your data. So if the company says it can’t give your data to law enforcement, that usually means the company itself has no access to your data. For example, the IDrive Privacy Policy states,

In other words, if you choose the default option (let the software create your encryption key, and let the company store it), the company is able to access your data and provide it to others. But if you use your own encryption key, they can’t.

As important as they are, security and privacy aren’t the only criteria to consider in an online backup service. Here are some other questions to ask, about the company and its service:

IDrive is a cloud backup service that lets you create your own encryption key. Because of this, as well as the combination of other features and cost, I like IDrive as a provider. I also like SpiderOak , a company known for its strong stance on user privacy. There are other backup services that let you use your own encryption key. Here’s a list of a few I’m aware of:

I know there are others, and if there’s one you recommend, please leave a comment !

If you’re interested in IDrive, you can use this link to get 25% off your first year!

If you use an Apple iOS device (iPhone or iPad), you have the option of using Apple’s iCloud to back up to Apple’s servers. iCloud uses a private encryption key. According to Apple ,

LONDON (BUSINESS WIRE) #ITSecurity The global military cybersecurity market is expected to post a CAGR of

over 4% during the period 2019-2023, according to the latest market

research report by Technavio .

A key factor driving the growth of the market is an increase in the

adoption of cloud-based services. Defense agencies are adopting

cloud-based services for various applications such as authentication

processes, video management, biometric information storage, and big data

computing. The flexibility and scalability of cloud-based solutions help

military forces in meeting their varying needs. Cloud data security is

of paramount importance for these organizations as they generate massive

volumes of data on a daily basis and also need to ensure their security.

The adoption of cloud-based services is increasing as several defense

agencies do not have their own security infrastructure. Moreover, the

military sector is likely to adopt Al-based cybersecurity as it produces

and stores highly sensitive military information. This sector can become

a prime target for cybercrimes, and thus, it is important for military

organizations to protect confidential data from malicious attacks and

threats. Thus, the rising adoption of cloud-based services and growing

cloud data security concerns are expected to lead to the increased

adoption of military-grade cybersecurity solutions.

global

analysis of the most important trends expected to impact the market

outlook during the forecast period. Technavio classifies an emerging

trend as a major factor that has the potential to significantly impact

the market and contribute to its growth or decline.

This report is available at a USD 1,000 discount for a limited time

only:

View

market snapshot before purchasing

In this report, Technavio highlights the high adoption of al and machine

learning as one of the key emerging trends in the global military

cybersecurity market:

The development and adoption of Al and machine learning are expected to

drive economic growth, especially in developed economies, because of the

high degree of automation across all industries. Developed economies are

adopting Al-based solutions at a faster rate than developing countries.

This is mainly because developed countries have a more advanced

infrastructure to support the adoption of new technology. Machine

learning understands and delivers the output in a way that is similar to

human beings, but without the need for extensive programming. Autonomous

vehicles, speech recognition, and advanced web searches are some of the

technologies that use machine learning. Thus, with its growing adoption,

AI will replace human monitoring and analysis, which will eventually

reduce the probability of human error. This will result in more

effective cybersecurity solutions.

“Apart from the high adoption of Al and machine learning, other

factors boosting the growth of the military cybersecurity market are the

emergence of IoT analytics, rapid increase in the use of IoT devices,

Technavio for research on IT security.

This market research report segments the global military cybersecurity

market by type (network security, data security, identity and access,

and cloud security) and geographical regions (APAC, EMEA, and the

Americas).

The network security segment led the market in 2018 with a market share

of close to 38%, followed by data security, identity and access, and

cloud security respectively. However, during the forecast period, the

identity and access segment is expected to register the highest

incremental growth, followed by the cloud security segment.

Request

a free sample report

Some of the key topics covered in the report include:

Market Landscape

Market Sizing

Five Forces Analysis

Market Segmentation

Geographical Segmentation

Market Drivers

Market Challenges

Market Trends

Vendor Landscape

About Technavio

Technavio

is a leading global technology research and advisory company. Their

research and analysis focuses on emerging market trends and provides

actionable insights to help businesses identify market opportunities and

develop effective strategies to optimize their market positions.

With over 500 specialized analysts, Technavio’s report library consists

of more than 10,000 reports and counting, covering 800 technologies,

spanning across 50 countries. Their client base consists of enterprises

of all sizes, including more than 100 Fortune 500 companies. This

growing client base relies on Technavio’s comprehensive coverage,

extensive research, and actionable market insights to identify

opportunities in existing and potential markets and assess their

competitive positions within changing market scenarios.

If you are interested in more information, please contact our media team

at media@technavio.com .

Contacts

Technavio Research

Jesse Maida

Media & Marketing Executive

US:

+1 844 364 1100

UK: +44 203 893 3200

When the topics of cybersecurity and Christmas are combined, it’s difficult not to think of 2013, when Target was hit by the most notorious of holiday season data breaches.

The fact that we still cite a 5-year-old event hints that cybersecurity may have gotten a bit better since then. Somehow, the subsequent holiday seasons have been free of such large-scale breaches, and history suggests that Christmas actually is one of the slower times of the year on the retail cybersecurity front.

But that’s just the kind of inviting propaganda enterprising data thieves are on the lookout for, so no one should take this positive trend as an excuse to be complacent. In fact, if one needs proper motivation there are plenty of signs that retailers haven’t done enough to protect their customers. A recent report from IBM’s Security Intelligence postulates that security has gotten short shrift as retailers have invested in digitizing every part of the customer experience.

What retailers must remember as the holiday season approaches is that a breach during a time when customers most want to know that their purchases are being handled securely could destroy a company’s reputation. At best, it would certainly eat into holiday profits.

It’s with these potential potholes in mind that Multichannel Merchant has offered up 5 tips to keeping holiday shoppers’ data secure , and as with any such list of tips, it’s filled with common sense. But while suggestions such as knowing what partners are doing with customer data and where they’re storing it, employing encryption strategies, and educating employees on preventing breaches may seem obvious, there are too many examples of retailers not getting the basics right to give anyone the benefit of the doubt.

Which brings us to one of the most important truisms shoppers need to keep in mind as the holiday shopping season approaches: no one is going to make the security of your data a bigger priority than you are. In other words, if you want your data to be safe, do something about it.

Again, this seems like common sense advice that every consumer in 2018 should be well aware of. Yet, cybersecurity vendor Symantec’s list of tips for promoting online shopping safety is filled with obvious reminders of basic security indicators online shoppers should be looking for.

Apparently, we still have to be told not to click on links in suspicious emails. We have to be reminded that without the “s” after “http” in a web site URL, we can’t count on a web site being secure. We have to have it pointed out that a green URL with a little illustration of a padlock next to it implies that a site is safe.

In short, we have to be told that there might be bad people lurking in places we normally trust to be safe.

“Most of us never even think about checking the online security status of a preferred online vendor,” Symantec’s post setting up the tip list reads. “That’s because nowadays most of us take online security for granted.”

So, beyond these common-sense tips, what can online shoppers―and let’s face it, that’s all of us―do to make their upcoming holiday season a bit safer?

Well, they can start by focusing on sites known for taking cybersecurity seriously. It’s not that hard to figure out ― LastPass recently released rankings of the 10 largest online retailers , and Apple and Best Buy lead the pack, while Walmart and Wayfair bring up the rear.

LastPass also offers up some tips we can get behind, starting with looking for sites that offer two-factor authentication. It’s amazing how much that extra step brings in terms of added protection.

Avoiding social media sign-ons is also a good idea, not just when you’re shopping, but always. There is no reason to give social media sites access to ― and responsibility for ― data that they don’t need.

In the end, however, there’s one security tip that rises above all when it comes to user-friendliness and proven effectiveness: shop in a brick-and-mortar store and pay cash. It’ll feel really weird, but there’s not much a criminal can do with the serial numbers off of a $20 bill.

In all seriousness, the numbers clearly indicate that cash isn’t a realistic option with online retailers expected to ring up $120 billion in Christmas E-commerce sales this year .

That means the security of millions of American holiday shoppers may come down to them familiarizing themselves with all of those common-sense pieces of cybersecurity wisdom.

Let’s hope common sense prevails.

I do have the following problem. Trying to install typo3 6.2 on my local machine under xampp 3.2.1 Installer tells me "php OpenSSL extension not working"

What I've done so far:

I've also tried a downgrade to OpenSSL 0.9.8, but still getting the error. Btw, I've restarted xampp after every edit.

I'm running xampp on windows 8.1

From the exception linked above:

Windows 7 and Wamp

Unit 42检测到一系列武器化文件，这些文件可以加载包含恶意宏的远程模板。这种类型的武器化文件其实并不罕见，但由于其具有模块化的特点，因此自动分析系统很难将其识别为恶意文档。针对这种技术而言，如果C2服务器在代码执行时不可用，则无法检索到恶意代码，从而导致该文档会被判断为非恶意的。

最初研究人员拦截的样本是一个word文档，文件名为crash list(Lion Air Boeing 737).docx，作者Joohn。攻击的目标是欧洲处理外国食物的政府组织。一旦用户尝试打开该文档，word就会尝试加载含有恶意宏的远程模板和payload，payload在DOCX文件的settings.xml.rels的特定位置，如下所示：

如果C2没有正常运行，文档也会打开，但是word就不能提取远程模板，也就不能加载宏。这种情况下，word也会展示诱饵文件内容给受害者，如图2所示。但是不会有启用内容（enable content）的按钮。如果C2正常运行，word就会加载远程模板，如图1所示。

一旦受害者按下启用内容，嵌入的宏就会执行。传播的文档中的宏使用了一种autoclose函数方法。这是一种反分析技术，因为word不会完全执行恶意代码指导用户关闭文档。如果自动化沙箱在没有退出文档的情况下退出分析过程，沙箱可能就不能完整的分析恶意活动。宏成功执行后，研究人员看到系统中保存了诱饵文件，但是保存的诱饵文件不会再显示，也不含有和原来文件名相关的内容。宏会获取保存在系统中的文档，文档是以UserForm1.Label1.Caption保存的，并且写入：

宏会从保存在系统中的UserForm1.Label2.Caption中获取payload，并写入：

宏会以一种有趣的方式来执行payload：加载释放的~temp.docm文件，调用嵌入的宏来运行payload，研究人员认为该文档的创建者会从释放的文件中运行payload作为一种绕过技术。初始的宏使用释放的文档来执行payload可以解释为什么释放的文档中不含诱饵内容。

为了实现这一功能，将~temp.docm和~msdn.exe文件写入系统后，初始的宏会以word文档对象的形式加载~temp.docm文件，并尝试运行~temp.docm文件中的Module1macro中的functionProc1。

Module1中的Proc1函数会为释放的payload构建一个%APPDATA%\MSDN\~msdn.exe路径，并用内置的shell函数来执行：

释放到系统中的payload是用Delphi语言编写的UPX打包的Zebrocy变种。Zebrocy与之前Sofacy的攻击中使用基于Delphi的payload是非常相似的。Payload被配置为使用下面的URL来与C2进行通信：

Zebrocy木马会收集特定的系统信息，并通过HTTP POST请求发送给C2服务器。该木马会运行SYSTEMINFO & TASKLIST命令和枚举关于连接的存储设备信息来收集信息。

也有Zebrocy变种会发送受害者主机的截图（JPEG图片格式）发送给C2服务器。然后C2服务器会提供一个payload给ASCII十六进制表示的信标，木马会解码并写入%APPDATA%\Roaming\Audio\soundfix.exe。

与C2服务器通信。

研究人员获取的第二个传播的文档作者也是Joohn，C2地址为188.241.58.170到托管远程模块。结构上讲，该样本与最初分析的文档非常相似，但是payload是一个新的工具――Cannon。

Cannon是用C#编写的，namespace中的恶意代码叫做cannon，因此研究人员将其命名为Cannon。木马功能主要是一个下载器，依赖邮件来完成木马和C2服务器之间的通信。为了与C2服务器通信，木马会通过SMTPS TCP 587端口发送邮件到特定的邮件地址。Cannond的特殊功能可以参见表1，该工具主要依赖于EventHandlers和计时器来以特定顺序运行方法，以增强绕过检测的能力。

表 1 Cannon的函数和作用

Cannon的作用是使用多个邮件账号来发送系统数据给威胁单元，并最终从邮件中获取payload。如图2所示，步骤中说明了Cannon与攻击者控制的C2邮箱地址进行通信获取payload的过程：

图2 Cannon的C2处理流

Bishtr.cam47

Lobrek.chizh

Cervot.woprov

5.攻击者发送邮件到第二个邮件账户，邮件的主题是唯一系统id，附件是文件名为txt的第二个payload。

9.Cannon会通过POP3S登陆第二个邮箱地址来寻找主体与唯一系统id匹配的邮件。Cannon打开主题匹配的邮件，并保存附件为auddevc.txt。

13.Cannon会移动下载的文件到指定路径。

15.Cannon会从指定路径运行下载的文件。

Sofacy威胁组织持续攻击美国、欧盟和前苏联国家来传播Zebrocy工具作为payload。在攻击中，用来安装Zebrocy的文档会使用远程模板，这增加了分析攻击的难度。在攻击中， Sofacy组织使用了狮子航空空难作为诱饵，说明将社会热点事件应用到社会工程攻击中。

同时，研究人员发现该组织还在传播一个名为Cannon的木马，该木马使用SMTPS和POP3S作为C2的信道，而Zebrocy使用HTTP和HTTPS进行C2通信。因为SMTPS和POP3S协议提供合法的基于web的服务，这一层加密使防护者很难拦截C2信道。

For years, cybersecurity professionals across the globe have been highly alarmed by threats appearing in the form of malware, including Trojans, viruses, worms, and spear phishing attacks. And this year was no different. 2018 witnessed its fair share of attacks, including some new trends: credential theft emerged as a major concern, and although ransomware remains a major player in the cyberthreat landscape, we have observed a sharp decline in insider threats.

This especially holds true for the UK and Germany, which are now under the jurisdiction of the General Data Protection Regulation (GDPR). However, in the U.S., insider threats are on the rise , from 72% in 2017 to an alarming 80% in 2018.

When WannaCry was launched in May 2017, it caused damages worth hundreds of billions of dollars, affecting 300,000 computers in 150 nations within just a few days. According to a CyberEdge Group report , 55% of organizations around the world were victimized by ransomware in 2017; nearly 87% chose not to pay the ransom and were able to retrieve their data thanks to offline data-backup systems. Among the organizations that had no option other than paying the ransom, only half could retrieve their data.

What does this teach us? That offline data backups are a practical solution to safeguard businesses against ransomware attacks. Luckily, highly efficient and practical cloud-based backup solutions have been introduced in the market, which can help businesses adopt appropriate proactive measures to maintain data security.

However, there are concerns with regards to cloud security, as well with data privacy and data confidentiality maintenance. For instance, apprehensions regarding access control, constant and efficient threat-monitoring, risk assessment, and maintenance of regulatory compliance inhibit the holistic implementation of cloud solutions.

But while these concerns act as impediments for companies, they also serve as opportunities for security vendors to step into the scene and develop richer and more effective solutions.

And, make no mistake, there is a definite need for better solutions. According to Verizon’s 2015 Data Breach Investigations Report , even after the Common Vulnerabilities and Exposures (CVE) was published, 99.9% of exploited vulnerabilities went on to be compromised for more than a year, despite the availability of patches.

Why? Despite IT security experts’ insistence on regularly monitoring and patching vulnerabilities in a timely manner, doing so has its challenges; patching involves taking systems offline, which, in turn, affects employee productivity and company revenue. Some organizations even fail to implement patching due to lack of qualified staff. Indeed, more than 83% of companies report experiencing patching challenges.

This is all to say, today’s dearth of effective patch and vulnerability management platforms provides opportunities for vendors to explore these fields and deliver cutting-edge solutions. And with IT security budgets healthier than ever , there’s a glimmer of hope that businesses will indeed invest in these solutions.

Let’s see what 2019 brings.

Sennheiser headphone apps, HeadSetup and HeadSetup Pro, were removed from the available downloads after a security flaw was uncovered. (Wikimedia Commons)

Written byJeff Stone

Nov 28, 2018 | CYBERSCOOP

Two applications developed by Germanelectronics company Sennheiser contain vulnerabilities that could make it possible for hackers to forge digital certificates and impersonate legitimate websites.

Sennheiser’s two apps, HeadSetup and HeadSetup Pro, installed certificates on users’ computers then failed to secure the key, according to a vulnerability report published Wednesday by the German security consulting firm Secorvo. The mistake means that hackers could decrypt the key and use the certificate, a means of digital authentication, to monitor victims’ traffic and launch main-in-the-middle attacks.

“We found ― caused by a critical implementation flaw ― the secret signing key of one of the clandestine planted root certificates can be easily obtained by an attacker,” the Secorvo report states. “This allows him or her to sign up and issue technically trustworthy certificates. Users affected by this implementation bug can become victim of such a certificate forgery, allowing an attacker to send e.g. trustworthy signed software or acting as an authority authorised by Sennheiser.”

Sennheiser said this month it is aware of the issue, and has removed the two apps from its available downloads while it works on a fix. Microsoft also published a security advisory Wednesday, warning customers to update their HeadSetup and HeadSetup Pro software.

All my HTTPS traffic was sniffed and I got pwned

How?

I got a new headset

Contrary to popular belief, the S in Sennheiser doesn't stand for SSL. https://t.co/gTYW7o2AZ1

― Michal paek (@spazef0rze) November 28, 2018

The flaws bear some similarity to vulnerabilities previously uncovered in Lenovo and Dell products.

Lenovo’s so-called Superfish software came pre-installed on consumer laptops, injecting advertisements into search results and hijacking encrypted SSL/TLS web connections on user machines. The revelation that the company put so many users at risk sparked outrage in the security community. “Installing Superfish is one of the most irresponsible mistakes an established tech company has ever made,” wrote David Auerbach , a Slate technology columnist, in 2015.

Dell in 2015 disclosed an unintended security vulnerability existed in its computers. That flaw, known as eDellRoot, also made it possible for attackers to use root access to create valid certificates for malicious websites.

-In this Story- certificate , consumer electronics , man-in-the-middle , security certificates , Sennheiser , Superfish

The cyber threat environment is becoming more dangerous every day. A recent survey by the World Economic Forum revealed that cyber-attacks were the number-one concern of executives in Europe and other advanced economies. As we approach the winter holidays and the end of the year, let’s examine the top cyber security threats enterprises can expect to grapple with in 2019.

Nearly all successful cyber-attacks begin with a phishing scheme. Business email compromise (BEC), a highly targeted spear phishing technique , is responsible for over $12 billion in losses globally. Although many people still equate phishing with emails, this cyber security threat has evolved , with hackers employing text messages, phone calls, and even social media “quizzes” to trick unwitting victims.

Cloud computing has transformed the ways in which we live and conduct business, but it has also given hackers a broader attack surface and created a host of brand-new cyber security threats and vulnerabilities, from cloud malware to misconfigured AWS buckets . Cloud security must be addressed differently than on-premises security, and solid cloud security starts with a secure cloud migration.

Over 80% of employees admit to using shadow IT apps at work. Most of the time, their motivations are not malicious or negligent; they’re just trying to do their jobs better. However, shadow IT usage is a serious compliance and cyber security threat. These rogue apps may have security or compliance issues that users are unaware of, and since internal IT departments aren’t even aware of the apps, they cannot monitor access logs, ensure that regular backups are performed, or apply important software updates.

Cryptojacking malware, which allows hackers to hijack enterprise computer equipment for the purpose of “mining” cryptocurrencies, is now more common than ransomware . Once a minor annoyance that primarily targeted small consumer devices, modern cryptojacking malware is designed to go after enterprise networks, where it poses a very serious cyber security threat, crashing applications and even damaging hardware .

Cryptojacking malware may be more common, but that doesn’t mean ransomware is any less of a cyber security threat. Healthcare and critical infrastructure systems are particularly at risk. One-quarter of SamSam ransomware victims are in the healthcare sector, and SamSam was the culprit in the City of Atlanta ransomware attack. Authorities believe the SamSam hackers have earned over $6 million from their malware.

Smart devices are proliferating like rabbits, but a lack of common security standards means many devices suffer from serious security vulnerabilities. Forty-five percent of enterprise IoT buyers cite cyber security as a significant barrier to purchase, and as cases of everything from baby monitors to home security cameras being hacked hit the news, cyber security threats loom large over consumer purchases as well. Both the public and private sector are scrambling to secure the Internet of Things. In recent weeks, NIST released guidelines for securing for medical IoT devices, and Microsoft launched a public preview of its new solution for developing secure smart devices.

Cyber-attacks on operational technology (OT) the “behind-the-scenes” systems and equipment that power factories, mining operations, and critical infrastructure don’t just cripple business operations. They present threats to the health and lives of employees and the general public, and they are increasing in frequency. OT systems face vulnerabilities and cyber security threats that are starkly different from those that threaten IT systems, and air-gapping, a common fix, cannot be depended on as a standalone solution.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security. Call1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

The post The Top Cyber Security Threats Facing Enterprises in 2019 appeared first on.

美国比特币支付处理商BitPay表示，公司的Copay钱包遭到了黑客的攻击。

Bitpay周一宣布，从Copay GitHub的报告中了解到这个问题。该报告显示，这些应用程序使用的第三方javascript库被修改，加载了恶意代码。

该恶意软件被插入Copay和BitPay钱包应用程序的5.0.2到5.1.0版本上，可能被用来获取窃取比特币和比特币现金的私钥。

Bitpay要求用户在使用5.0.2到5.1.0版本时不要运行或打开Copay钱包。它现在发布了一个更新版本(5.2.0)，没有恶意代码，所有的Copay和BitPay钱包用户都可以在应用商店中下载。

BitPay强调：“用户应该假设钱包上的私钥可能已经泄露，立即将资金转移到新钱包(v5.2.0)。”

Bitpay还建议用户不要通过输入12个字的备份短语，将资金转移到新的钱包中，因为它们对应的是“可能被泄露的私钥”。

据报道，该攻击似乎是由一个名为Right9ctrl的开发人员实施的，他从离职的管理者手中接管了NodeJS库的维护任务。大约三个月前，当时Right9ctrl被授予访问存储库的权限，他在这个时候插入了恶意软件。（汇讯网）

AD：

郑重声明：本文版权归原作者所有，转载文章仅为传播更多信息之目的，如作者信息标记有误，请第一时间联系我们修改或删除，多谢。

As smart shipping and other network-connected industrial control systems (ICS) grow, the air gap loses value as a barrier against cyber attacks. What’s next?

The air gap is low-tech but still has value as a barrier against cyber attacks.

Yes, devices and systems are connected wirelessly all the time, but if industrial control systems (ICS) are segregated from enterprise networks, it’s a lot harder for malware to jump from one to the other.

As Security Week put it earlier this month, the historical use of the air gap meant that “factories and shipyards were more or less immune to cyber-attack … it didn’t matter how pernicious or effective the cyber-threat became, we felt confident that these virtual concerns couldn’t impact our physical infrastructure.”

Not so much anymore, because the use of air gaps has eroded or disappeared altogether, thanks to increasingly intertwined OT (operational technology) and IT (information technology).

The results in just one industry―shipping―are predictable. One of the most high-profile examples is the NotPetya ransomware attack that took down the computer network of the Danish container firm Maersk , affecting its shipping, tugboat, and oil tanker operations and costing it an estimated $300 million.

More recently, in just the past several months, three international ports― Long Beach , Barcelona , and San Diego ―were hit with major security breaches between July and September.

Also, Mfame reported that this past summer, a team of white hat hackers from Pen Test Partners (PTP) conducted a mock attack on a vessel “and found three different ways to intercept and modify serial data―which control steering, engine control and more―on a ship’s network.”

As in, hackers could change the heading of the ship―a real-world physical effect that could have catastrophic consequences. And even if the damage is not something like a collision, such attacks could cause economic havoc, disrupting global trade.

Could the rigorous use of air gaps have prevented all those attacks from succeeding? Not necessarily. Evgeny Gervis, managing consultant with Synopsys, notes that an air gap “is just one perimeter control. At the end of the day, the OT has to be secure. One cannot rely on air gapping to compensate for broken security in the OT environment.”

And Adam Brown, associate managing consultant at Synopsys, said that the reality of the impending “smart shipping” environment will soon mean that much of the time, air gapping won’t be feasible anyway.

“Smart ports using smart contracts for delivery simply won’t be able operate within an air gap,” he said. “In those cases very careful attention must be given to the security of the software running that technology.”

That is still in the future. “For now we do still rely on ship load plans and cargo information being transferred manually by USB―so there is still an air gap,” he said. “But there is no message integrity checking, so that vulnerability can still be exploited through malware or phishing.”

He also noted that air gaps can’t protect against “an ill-informed person’s actions,” as was the case with the notorious 2010 Stuxnet attack on Iran’s nuclear facilities. In that attack, the malware was delivered physically, via a thumb drive.

But that doesn’t mean the air gap is worthless either.

“It would be more effective if there was actual air gapping,” Gervis said. “In reality, business use cases often require that OT and IT become more intertwined. It’s not that air gapping is not feasible technically; it’s that we choose to intentionally break it to support these business use cases. The decision of whether the risk is worth the reward comes down to risk management.”

With use of the air gap declining, some ICS organizations are turning to AI (artificial intelligence) to “learn” what is normal behavior and detect when there are anomalies. But that is not a magic bullet either.

And to keep it up-to-date as well. As numerous experts have noted, a lot of the vulnerabilities in ICS are due to the use of outdated (and unsupported) operating systems like windows XP and failure to install patches and updates―the kinds of things frequently called “basic security hygiene.”

But Brown notes that the more fundamental problem is the use of broken software―software that has been broken for a very long time.

He said research by cyber security firms has shown that there are “some super-basic design flaws in the software running that technology―things that I was surprised to see still in the wild today.”

“Basically the technology is created broken, and without total overhaul of the software, it will stay broken.”

So for the shipping industry and other ICS operators, Brown said there needs to be another gap―this one in how data are stored and managed.

“And where possible, many of these devices should be kept well away from the standard ship network, which is normally internet-connected, and, if possible, run in isolation,” he said.

Learn more about red teaming

The concept of data lakes has been around for a long time, but being able to set up one of these systems, which store vasts amount of raw data in its native formats, was never easy. AWS wants to change this with the launch of AWS Lake Formation. At its core, this new service, which is available today, allows developers to create a secure data lake within a few days.

While ‘a few days’ may still sound like a long time in this age of instant gratification, it’s nothing in the world of enterprise software.

“Everybody is excited about data lakes,” said AWS CEO Andy Jassy in today’s keynote. “People realize that there is significant value in moving all that disparate data that lives in your company in different silos and make it much easier by consolidating it in a data lake.”

Setting up a data lake today means you have to, among other things, configure your storage and (on AWS) S3 buckets, move your data, add metadata and add that to a catalog. And then you have to clean up that data and set up the right security policies for the data lake. “This is a lot of work and for most companies, it takes them several months to set up a data lake. It’s frustrating,” said Jassy.

Lake Formation is meant to handle all of these complications with just a few clicks. It sets up the right tags and cleans up and dedupes the data automatically. And it provides admins with a list of security policies to help secure that data.

“This is a step-level change for how easy it is to set up data lakes,” said Jassy.

(AWS) unveiled its latest updates to security on its cloud services platform today at AWS re:Invent, the company’s annual conference for database storage enthusiasts.

AWS Security Hub is a new place for businesses to centrally manage compliance and identify security threats across the AWS environment, says AWS chief executive officer Andy Jassy. The service will help AWS users derive insights from attack patterns and techniques so they can take action quicker.

“This is going to pretty radically change how easy it is to look at what’s happening security wise across … AWS,” Jassy said. “Whether you’re using AWS security services like Inspector for vulnerability scanning or GuardDuty for network intrusion or Macie for anomalous data patterns or whether you’re using a very large number of third-party software security services in our ecosystem.”

AWS has signed up a number of its partners for the initial roll-out, includingSymantec and Tenable.

Alert

AWS re:Invent 2018 in Las Vegas, that it is supporting the

just-announced AWS Security Hub. Alert Logic’s integration is designed

to allow AWS Security Hub customers to incorporate verified security

Security

security

and compliance

AWS Security Hub is designed to provide users with a comprehensive view

of their high-priority security alerts and compliance status by

aggregating, organizing, and prioritizing alerts, or findings, from

multiple AWS services, such as Amazon GuardDuty, Amazon Inspector, and

Amazon Macie as well as security solutions from the AWS Partner Network

(APN). The findings are then visually summarized on integrated

dashboards with actionable graphs and tables.

“AWS is designed to allow customers to scale and innovate,” said Dan

Plastina, Vice President, Security Services, Amazon Web Services, Inc.

threat

to the already secure AWS cloud.”

“AWS Security Hub is designed to help AWS customers quickly aggregate,

categorize and prioritize the findings of AWS-native security tools that

run natively on AWS,” said Chris Noell, Senior Vice President,

Engineering at Alert Logic. “We are excited to work with AWS to support

AWS Security Hub. AWS Security Hub enhances our existing capabilities to

web

application security

network

vulnerability scanning

log

correlation

As a Launch APN Partner for AWS Security Hub, Alert Logic’s capabilities

can be searched for by AWS customers directly in the AWS Security Hub

user interface with a direct link to purchase them via the AWS

Marketplace if they are not yet an Alert Logic customer. For more

@AlertLogic

on Twitter

blog

post

About Alert Logic

Alert Logic seamlessly connects an award-winning security platform,

cutting-edge threat intelligence, and expert defenders to provide the

best security and peace of mind for businesses 24/7, regardless of their

size or technology environment. More than 4,000 organizations rely on

Alert Logic SIEMless Threat Management to ensure the right level of

security and compliance coverage at a lower total cost than point

solutions, SIEM tools, or traditional MSSP outsourcing. Founded in 2002,

Alert Logic is headquartered in Houston, Texas, with offices in Austin,

Seattle, Dallas, Cardiff, Belfast, London and Cali, Colombia. For more

information, visit www.alertlogic.com .

Contacts

For Alert Logic Inquiries:

Christine Blake

Relations

W2 Communications

703-877-8114

Hillel Solow

Hillel Solow is the CTO and co-founder of Protego. Prior to this, he was CTO in Cisco’s IoT Security Group, where he worked on innovative security solutions for new technology markets.

I had something of an epiphany recently about how to look at permissions and roles in serverless applications. Maybe to some of you, this won’t be as “Soylent Green is People” as it was to me. If so, kudos. If not, let me open your eyes.

Let’s start with some housekeeping. IAM (Identity & Access Management) is the idea that actors in a system like a cloud account have a limited set of permissions, and this scopes what they can do. While it starts out as a concept for defining what your users can do, it quickly gets co-opted to scope the capabilities of other things as well.

For example, if you spin up an EC2 instance in the AWS cloud environment, you need to assign an IAM role to that instance. AWS will enforce that role for you, ensuring that regardless of what logic finds its way into that instance, it will not be able to bypass those restrictions. The same is true for ECS containers, Fargate containers, and Lambda functions. Each has a role that defines what it can and can’t do.

IAM roles were not an AppSec thing, historically. By that I mean, you didn’t really think to yourself, “what do I do to prevent those pesky OWASP A1 injection attacks? I know, I will configure an IAM role.” IAM roles were an infrastructure thing. They were used to broadly restrict certain evils (or they weren’t), but they had very little to do with what your developers wrote in code, other than that they had better not get in the way. Want proof? It took a while until the cloud providers let you assign a unique role to each serverless function. Some still don’t (yes, Google, I am looking at you). That’s because if all you want from workload IAM roles is to carve out areas you don’t want to touch, you might be satisfied doing that for all the workloads in one common policy.

For a bunch of interesting reasons, the shift to cloud native development, that is, the idea that you build your applications for the cloud from day one, has also brought in a new affinity for small micro-services. For etymological evidence, track the sentiment associated with the term nano-service . Two years ago, it was a term synonymous with a failed transition to cloud, as in “careful you don’t go overboard and end up with nano-services”. Today it is the design choice de jour.

An interesting side effect of this transition into far finer-grained microservices is the opportunity to assign a separate IAM role to each small function. I’ve written about this in the past; that serverless applications give you the opportunity to shrink wrap your permissions. I’ve even talked about how at Protego we use automated analysis of application code and behavior to apply least privilege to each piece of your application.

The thing that crystalized for me recently is why this is so important. It’s because when you do IAM at the granularity of functions, IAM becomes an AppSec tool . It’s your AppSec people who should be driving this need, not your cloud infrastructure security people. If you can restrict the roles and policies of each function, container, bucket and table in your application to the minimum necessary, you will have prevented a large class of application attacks you worry about.

There are two reasons why this shift happened. Let me try to illustrate by re-imagining the Equifax breach.

You’ll recall that in 2017 Equifax was hacked and over 140 million people had sensitive data such as Social Security Numbers and driver’s license information stolen. Equifax was running a vulnerable version of Apache Struts on a series of VMs, and attackers were easily able to execute malicious code on these servers. From there, it was relatively easy for them to access sensitive data in the adjacent databases. In this monolithic application, the machines running Struts likely had full access to all the database tables.

Imagine, instead, that you are the Equifax team leader that just finished rebuilding the Equifax application in a cloud native fashion on Amazon Web Services, leveraging the latest technologies and architectures. This would mean you designed it for the cloud and used cloud native resources like S3, DynamoDb and Kinesis. It would also mean the large Apache Struts based application would have been re-architected as a plethora of small single-purpose functions, responding to events via API Gateway.

Ok, you’re thinking, where’s the big IAM earthquake? I’ll tell you. The first piece is that instead of five VM images housing the application, you might have 150 Lambda functions and 12 Fargate container images. Instead of creating a large risky role for each of those five VMs, you were able to craft 162 different roles, each of which can be scoped down to the bare minimum needed for that single function or container.

The second piece is that you stopped deploying your own databases, file systems and data processing pipelines, and refactored these to use cloud native resources. Cloud native resources that IAM policies can govern.

So, imagine those same attackers from 2017 came to steal SSNs from your cool new application. One big advantage is that replacing something you need to manage, like Apache Struts, with something Amazon manages, like API Gateway, means they are handling the patching that you might forget. Even more powerfully, you are now able to use IAM to be very specific about what each function can do, and that IAM is much more effective at preventing access to data you don’t need to touch in each function. Even if attacker find a way to execute malicious remote code in one of your functions, chances are IAM is going to prevent that function from accessing 140 million records in a bunch of different databases.

So, in fine-grained cloud native applications that use things like Lambda and Fargate, properly crafted IAM roles, customized for each function, will mitigate huge swaths of your attack surface, even before you get to making your developers write better code. The primary challenge we see here is getting organizations to own the shift to customized minimal roles. Technologies, like some of the capabilities of our platform, can be pivotal at enabling this change to happen in the real world where we don’t have thousands of security engineers who do review code and APIs to determine optimal policy.

Cloud native applications can be a huge leap forward in AppSec, not least because of how we now use IAM, but doing it right is both an opportunity and a challenge.

Quantstamp is a security-auditing protocol for smart contracts. As a dapps platform, Ethereum has proven its security time and again. However, dapps and smart contracts on top of Ethereum may still have bugs in which malicious players can cause havoc on the network. The two most notable examples of these being the $55 million DAO hack and the $30 million Parity wallet bug. These issues not only affect the people who’ve had their funds stolen, but they also diminish the credibility of the entire ecosystem.

Writing smart contracts is already a tough job. Like any other computer programming, writing them without any bugs is near impossible. To add fuel to the fire, the rate at which smart contracts are being written (estimated 10 million by the end of 2018) is outpacing the resources needed to audit them. Even with robust security auditing, a small bug could slip through the cracks causing catastrophe down the road.

Here’s where Quantstamp comes into play. The protocol includes a cost-effective, scalable system to easily audit your Ethereum-based smart contracts. In this Quantstamp protocol guide, we’ll talk about:

Although the team is focusing on Ethereum now, they’re building the Quantstamp protocol in a way that’s platform agnostic . This means that it can eventually be used on other smart contract platforms like Lisk and NEO . The Quantstamp protocol has a two-pronged approach to security auditing:

Quantstamp’s Validation Node applies audit techniques from formal methods submitted by Contributors . These techniques include security checks such as concolic tests, static analysis, and symbolic execution as well as automated reasoning tools like SAT and SMT. As a reward for submitting verification software, contributors (who are primarily security experts), receive Quantstamp Protocol (QSP) tokens.

To ensure no bad actors are submitting malicious validation software, Contributors must be voted in according to the governance mechanism (more on this later).

Running the Validation Node takes a significant amount of computing power. Because of this, Validators also receive QSP payment for providing computing power to the network. To ensure that Validators don’t act maliciously, they must stake their QSP tokens to earn their reward.

An Example

As a developer, you want to deploy a smart contract on Ethereum . Considering you don’t want to go down in history as the guy who lost millions of people’s money, you have your contract audited. To do so, you send your smart contract, with the source code in the data field, directly from your wallet to Quantstamp, including QSP tokens with the transaction. On the next Ethereum block, Validators perform security checks. After they reach consensus, they append the proof-of-audit and report data to the next block.

You can choose whether your security report is made public or private.

UPDATE:It appears as if, now, the Quanstamp team also offers manual audits in exchange for ETH or USD.

Quantstamp Audit System

When you submit your smart contract for auditing, you also include a set of QSP tokens for bounty rewards and a deadline for when Bug Finders can submit issues. The bounty deadline reward size is up to you. If the deadline passes with no found bugs, the QSP bounty reward is returned to you.

Quantstamp doesn’t guarantee flawless code after this process, but they do assure users that the automated testing and crowdsourced bug-hunting greatly reduce issues.

QSP token holders control protocol, validation smart contracts, and Validation Node upgrades. The governance model uses a time-locked multisig in which any token holder can propose a change. The more votes a change has, the quicker it occurs. Changes approved by all members occur within an hour. This time doubles with each 5% of members that don’t vote and quadruples for each 5% that vote against it.

Earlier in 2018, Quantstamp implemented an in-house Proof-of-Caring system to reward community members and loyal QSP token holders. Once you submitted your proof, you’d receive an airdrop from an ICO that Quantstamp has audited. This proof consisted of holding your tokens in a wallet (not an exchange) for a certain amount of time, contributing to social media outreach, and/or any other community activities.

The Quantstamp team has since ended this program and no longer rewards community members with ICO airdrops. It’s been a point of contention in the community.

The Quantstamp team consists of 30+ members and advisors with over 500 Google Scholar citations. Steven Stuart (CTO) and Richard Ma (CEO) founded the team in June 2017. Stuart worked 5 years in Canada’s cryptologic agency in the Department of National Defense and previously founded Many Trees, a start-up that uses GPUs for Big Data analytics and machine learning. Ma built production-grade integration and validation testing software at the Bitcoin HFT Fund. During his time there, his trading systems had no notable issues and handled millions of dollars in investment capital.

The Quantstamp Co-Founders

本报告由火币区块链研究院出品，报告发布时间2018年5月4日，作者：袁煜明、李慧

2018年4月23日BEC（美链）爆出ERC20协议安全漏洞，攻击者利用整数溢出BUG，可无限生成代币，直接导致BEC币值跳水，几乎归零。作为一个价值流通的底层平台，安全性是区块链的重中之重，也是区块链能被社会广为接受的基石之一。如何通过良好的漏洞治理生态来降低风险事件的发生将变的尤为重要。

回望区块链九年的发展历程，安全事件引发的巨额资金损失、公司破产等问题不胜枚举。让我们先来分析一下比特币、以太坊和交易所这三类安全事件重灾区现状，再探讨一下如何从项目团队、项目生态和投资者防范这三个方面去全面构建区块链安全生态，切实降低安全风险。

1.安全问题现状

1.1比特币安全问题

比特币区块链自2009年1月4日运行以来，截止到今日已经稳定地运行了3405天，其安全性可谓是固若金汤，不过随着加密技术的发展，比特币的安全机制也越来越受到挑战。一个由加密算法爱好者构成的组织（Large Bitcoin Collider（LBC）），正在进行一番堂吉诃德式的努力：暴力破解创建比特币钱包地址的加密算法。LBC上线运作还不到一年，项目方表示，他们已生成了3000万亿条密钥，并将其和现有的比特币钱包地址进行比对。目前总共筛选出了30个匹配的密钥，去除“钓鱼”秘钥，真正包含比特币的匹配密钥已有3个。

除了暴力破解法，比特币最大的安全隐患来自于交易所平台监守自盗或被黑客攻击，亦或是用户账户被盗。一旦被盗，黑客会通过混币等手段进行洗白，追回的可能性几乎为零。

1.2 以太坊安全问题

相较于比特币，以太坊最大的提升莫过于一方面引入了智能合约，其图灵完备的编程机制使得平台可以支持复杂的应用，大大丰富了平台应用的多样性；另一方面以太坊引入了虚拟机中间层，使得多种语言开发的智能合约都能在平台运行，提高了平台的可扩展性。

但恰恰也是这两大机制为以太坊的安全问题增添了更多的不确定性。图灵完备的编程方式固然更灵活，但同时也更复杂和不可控；虚拟机机制使得以太坊支持多种语言，当然也引入了更多语言的不确定性、复杂性和固有的缺陷；这些因素都是黑客寻找猎物的温床。

以太坊架构示意图

作为区块链最活跃的公链平台以太坊，目前已知存在Solidity漏洞、短地址漏洞、交易顺序依赖、时间戳依赖、可重入攻击等漏洞，在调用合约时漏洞可能被利用，而智能合约部署后难以更新的特性也让漏洞的影响更加广泛持久。有研究机构运用分析工具Maian分析基于以太坊的近100万个智能合}，发现有34,200个合约含有安全漏洞，可窃取或是冻结资产、甚至R*除合约。

1.3 交易所安全问题

交易所作为巨大的数字资产集中池，成为黑客们攻击的重要目标，若是安全控制做的不到位，任何一次攻击都将是损失惨重，破产倒闭也只是一夜之间。

除了来自外部的攻击，源于交易所内部的监守自盗或是信息泄露也是非常致命和可怕的。2018年4月，总部位于印度的交易所Coinsecure宣布，价值330万美元的438.318个比特币被盗，据称就是由于一名员工所为。

据外媒cointelegraph报道，韩国媒体网站MBC聘请了一家安全公司来测试包括Bithumb在的五家韩国比特币交易所安全性设置，结果令人堪忧。安全公司使用了一些所谓的基本黑客工具就成功绕开了这些比特币交易所的安全程序，该公司称他们能够成功入侵所有五个目标平台，获取用户数据和资金。

2. 构建区块链安全生态

区块链安全生态不仅仅需要项目团队、开发人员，更需要多方的通力合作，因此，本文主要从项目团队内控、项目生态激励和投资者自我防范这三个方面去探讨区块链安全生态的建设。

2.1 完善代码安全审查机制

回顾ERC20漏洞事件，可知毁掉BEC的仅仅是一个整数溢出漏洞，学过计算机的同学可能知道，这类漏洞是程序中最为常见和普遍的漏洞了，完全可以通过有效的代码安全审查机制来避免。漏洞事件一出，经过核查，使用ERC20协议的项目竟然有20余个都存在类似的问题，代码质量很是堪忧！

瞬息万变的币圈确实发展的太快，每一个人都是飞奔着前进，都赶着写白皮书、赶着募资、赶着上项目，自然而然就很少有人沉下心来好好做测试，好好做安全审查，导致漏洞频出、安全事件频发。

区块链作为一个分布式的去中心化系统，代码一旦部署将很难更新，需通过硬分叉或者软分叉来对代码进行升级，成本不可谓不高。THE DAO事件则直接将以太坊分裂成为ETH和ETC，是对以太坊生态的重大破坏。所以在项目发布之前，充足的测试和代码审核变得十分关键和必要。比如说多人代码审核、内部测评小组、外部专家评测等。

1）多人代码审核

由于一个人的能力和认知总是有限的，所以对于同一段代码，不同的人将会发现不同的问题，多人代码审核机制能使得代码的BUG率和漏洞率大大降低。这种方式也是软件行业降低错误率最为通用和有效的方式之一。

2）内部测评小组

项目组建立内部安全测评小组，梳理业界常见的安全问题清单，并逐一对发布的项目进行安全审计，通过简单的梳理和测评便能将常见的基本漏洞一扫而空，大大增加了系统的可靠性。

3）外部专家评测

对于某些新型的，特殊性的漏洞，项目组可以借助于外部安全专家的帮助进行梳理和测评，争取在项目发布前将安全隐患降到最低程度。

2.2 发展白帽黑客激励机制

世界无非两极，一阴一阳、一黑一白、一正一邪，有黑客肆意破坏，就有白帽黑客维护世界正义。随着各类数字资产的市值越来越高，黑客们从中套取的收益也越来越客观，相比之下，白帽黑客们却穷酸的多。这种巨大的收入差导致越来越多人加入的黑客的阵营，而白帽黑客们则为数稀少。通过激励白帽黑客来抑制或者是平衡黑客越来越肆无忌惮的破坏行为或许将成为一种有效的手段。

那么如何激励白帽黑客们为平台做出贡献呢？我想主要可以从两方面入手，一是物质激励，二是精神激励。

1）物质激励

对于发行通证的公链来说，最实在的物质激励自然就是通证。它既是区块链平台的价值载体，也是平台生态治理的重要手段。比如COSMOS，为了鼓励发现并及时报告缺陷，Cosmos Hub允许黑客通过ReportHackTx交易来“邀功”，主要就是说明，“这个节点已被攻击，请将奖金发到这个地址”。黑客可以收到击中资产的5%作为赏金。

除此之外我们也可以通过设立黑客奖金池、黑客基金或者项目特别顾问等方式来激励白帽黑客主动挖掘漏洞，帮助平台持久安全地运行。

2）精神激励

除了物质奖励，对于Hacker这一非常另类、有性格的群体来说，精神上的激励或许是更持久有效的方式。对于每一个为平台或者项目作出贡献的黑客来说，项目组、基金会或者社区都应将给与其相应的荣誉奖励。可以是排行榜、贡献值亦或是某种稀缺头衔等等，使其不仅能被社区其它成员知晓，更能明显区别于普通会员，增强其在社区的存在感、参与感和荣誉感。

2.3 选择靠谱交易所

交易所之所以成为安全事件的重灾区，一方面是由于交易所存储了投资者的巨额数字资产；另一方面，区块链行业发展迅速，中心化交易所的安防建设赶不上其业务的发展速度，特别是各类交易所参差不齐，安全问题非常突出，投资者利益难以得到保障。

为此，去中心化交易所喊的火热，但由于其交易效率难以提升，技术实现难度较大，目前还不能完全取代中心化交易所。因此，从保护切身利益出发，投资者们选择运行持久、可靠有保障的交易平台非常重要。

关于我们：

火币区块链应用研究院（简称“火币研究院”）成立于2016年4月，于2018年3月起全面拓展区块链各领域的研究与探索，主要研究内容包括区块链领域的技术研究、行业分析、应用创新、模式探索等。我们希望搭建涵盖区块链完整产业链的研究平台，为区块链产业人士提供坚实的理论基础与趋势判断，推动整个区块链行业的发展。

火线视点是火币研究院推出的区块链市场热点类研究报告。该系列聚焦区块链行业最新热点新闻事件、热门话题事件，以专业、客观的视角解读事件的本质，为广大读者提供及时且通俗易懂的分析。

免责声明：

1、火币区块链研究院与本报告中所涉及的数字资产或其他第三方不存在任何影响报告客观性、独立性、公正性的关联关系。

2、本报告所引用的资料及数据均来自合规渠道，资料及数据的出处皆被火币区块链研究院认为可靠，且已对其真实性、准确性及完整性进行了必要的核查，但火币区块链研究院不对其真实性、准确性或完整性做出任何保证。

3、报告的内容仅供参考，报告中的事实和观点不构成相关数字资产的任何投资建议。火币区块链研究院不对因使用本报告内容而导致的损失承担任何责任，除非法律法规有明确规定。读者不应仅依据本报告作出投资决策，也不应依据本报告丧失独立判断的能力。

4、本报告所载资料、意见及推测仅反映研究人员于定稿本报告当日的判断，未来基于行业变化和数据信息的更新，存在观点与判断更新的可能性。

5、本报告版权仅为火币区块链研究院所有，如需引用本报告内容，请注明出处。如需大幅引用请事先告知，并在允许的范围内使用。在任何情况下不得对本报告进行任何有悖原意的引用、删节和修改。

随着瓜子二手车相关业务的发展，公司有多个业务线都接入了IM系统，IM系统中的Socket长连接的安全问题变得越来越重要。本次分享正是基于此次解决Socket长连接身份安全认证的实践总结而来，方案可能并不完美，但愿能起到抛砖引玉的作用，希望能给您的IM系统开发带来启发。

学习交流：

- 移动端IM开发入门文章：《 新手入门一篇就够：从零开发移动端IM 》

（本文同步发布于： http://www.52im.net/thread-2106-1-1.html ）

封宇： 瓜子二手车技术专家，中国计算机学会专业会员。主要负责瓜子即时消息解决方案及相关系统研发工作。曾供职于58同城、华北计算技术研究所，参与到家消息系统、58爬虫系统以及多个国家级军工科研项目的架构及研发工作。

封宇同时还分享了其它IM方面的技术实践和总结，您可能也会感兴趣：

《 一套海量在线用户的移动端IM架构设计实践分享(含详细图文) 》

《 一个低成本确保IM消息时序的方法探讨 》

《 移动端IM中大规模群消息的推送如何保证效率、实时性？ 》

本文是IM通讯安全知识系列文章中的第7篇，总目录如下：

《 即时通讯安全篇（一）：正确地理解和使用Android端加密算法 》

《 即时通讯安全篇（二）：探讨组合加密算法在IM中的应用 》

《 即时通讯安全篇（三）：常用加解密算法与通讯安全讲解 》

《 即时通讯安全篇（四）：实例分析Android中密钥硬编码的风险 》

《 即时通讯安全篇（五）：对称加密技术在Android上的应用实践 》

《 即时通讯安全篇（六）：非对称加密技术的原理与应用实践 》

《 即时通讯安全篇（七）：用JWT技术解决IM系统Socket长连接的身份认证痛点 》（本文）

4、我们面临的技术痛点

针对我们IM系统中的Socket长连接的身份认证安全问题，瓜子有统一登录认证系统SSO（即单点登陆系统，原理详见《 IM开发基础知识补课(一)：正确理解前置HTTP SSO单点登陆接口的原理 》）。

我们的IM长连接通道也利用这个系统做安全认证，结构如下图：

如上图所示，整个认证步骤如下：

1）用户登录App，App从业务后台拿到单点登陆系统SSO颁发的token；

2）当App需要使用IM功能时，将token传给IM客服端SDK；

3）客服端SDK跟IM Server建立长连接的时候用token进行认证；

4）IM Server请求SSO单点登陆系统，确认token合法性。

* 补充： 如您对SSO单点登陆系统的了解知之甚少，请务必先阅读《 IM开发基础知识补课(一)：正确理解前置HTTP SSO单点登陆接口的原理 》。

咋一看，这个过程没有什么问题，但是IM（尤其是移动端IM）业务的特殊性，这个流程结构并不好。

为什么说上面的流程结构对于移动端的IM来说并不好呢？原因如下：

1）网络不稳定： 手机（移动端）的网络很不稳定，进出地铁可能断网，挪动位置也可能换基站；

2）长连接频繁建立和释放： 正因为1）中的原因，在一个聊天会话过程中，会经常重新建立长连接，从而导致上图里的第3步会被频繁执行，进而第4步也会频繁执行；

3）系统压力会增大： 鉴于2）中的表现，将大大增加了SSO单点登陆系统的压力（因为IM实例需要频繁的调用SSO系统，从而完全客户端长连接的身份合法性检查）；

4）用户体验也不好： 长连接建立过程中，因SSO单点登陆系统并不属于IM服务端实例范围之内，IM服务端实例与SSO系统的通信等，带来的额外通信链路延迟对于用户的体验也是一种伤害（而且SSO系统也可能短暂开小差）。

如果不通过上图中的第4步就能完成IM长连接的身份合法性验证，那这个痛点会得到极大缓解。于是，我们便想到了JWT技术。

* 题外话： 如果您对移动端弱网络的物理特性还不了解，那么下面的文章有助于您建立起这方面的认知：

《 现代移动端网络短连接的优化手段总结：请求速度、弱网适应、安全保障 》

《 移动端IM开发者必读(一)：通俗易懂，理解移动网络的“弱”和“慢” 》

《 移动端IM开发者必读(二)：史上最全移动弱网络优化方法总结 》

JSON Web Token（简称JWT），是一个开放安全的行业标准（详见 RFC7519 ），可以用于多个系统之间传递安全可靠的信息（也包括本文中将要用到的传递身份认证信息的场景）。

一个完整的JWT的token字符串是什么样子的结构？

▲ JWT说到底也是一个token字符串，它由三部分组成：头部、载荷与签名

正如上图中所示，一个JWT的token字符串组成如下：

1）红色的为Header：指定token类型与签名类型；

2）紫色的为载荷（playload）：存储用户id等关键信息；

3）蓝色的为签名：保证整个信息的完整性、可靠性（这个签名字符串，相当于是一段被加密了的密文文本，安全性就是由它来决定的）。

5.2解密JWT的头部（Header）

JWT的头部用于描述关于该JWT的最基本的信息，例如其类型以及签名所用的算法等。

这可以被表示成一个JSON对象：

▲ 在这个头信息里，标明了这是一个JWT字符串，并且所用的签名算法是HS256算法

对它进行Base64编码，之后的字符串就成了JWT的Header（头部），也就是你在5.1节中看到的红色部分：

（你可以自已试着进行Base64的加密和解决，比如用这个在线工具： http://tool.oschina.net/encrypt?type=3 ）

在载荷（playload）中可以定义以下属性：

1）iss: 该JWT的签发者；

2）sub: 该JWT所面向的用户；

3）aud: 接收该JWT的一方；

4）exp(expires): 什么时候过期，这里是一个Unix时间戳；

5）iat(issued at): 在什么时候签发的。

上面的信息也可以用一个JSON对象来描述，将上面的JSON对象进行base64编码，可以得到下面的字符串。

这个字符串我们将它称作JWT的Payload（载荷），以下字串样例就是你在5.1节中看到的紫色部分：

（你可以自已试着进行Base64的加密和解决，比如用这个在线工具： http://tool.oschina.net/encrypt?type=3 ）

JWT的签名部分，在 官方文档 中是如下描述的：

上述伪码的意义，即如下操作:

▲ 将上面的两个base64编码后的字符串都用句号‘ . ’连接在一起（头部在前），就形成了如下字符串

最后，我们将上面拼接完的字符串用HS256算法进行加密。在加密的时候，我们还需要提供一个密钥（secret）。

那么，按照 RFC7519 上描述的方法，就可以得到我们加密后的内容：

▲ 这个就是我们需要的JWT的签名部分了

生成JWT的token字符串的最后一步签名过程，实际上是对头部以及载荷内容进行加密。

一般而言： 加密算法对于不同的输入产生的输出总是不一样的。所以，如果有人对头部以及载荷的内容解码之后进行修改，再进行编码的话，那么新的头部和载荷的签名和之前的签名就将是不一样的。而且，如果不知道服务器加密的时候用的密钥的话，得出来的签名也一定会是不一样的。

换句话说： 你的JWT字符串的安全强度，基本上就是由这个签名部分来决定的。

使用时： 服务器端在接受到JWT的token字符串后，会首先用开发者指明的secret（可以理解为密码）对头部和载荷的内容用同一算法再次签名。那么服务器应用是怎么知道我们用的是哪一种算法呢？别忘了，我们在JWT的头部中已经用alg字段指明了我们的加密算法了。

如果服务器端对头部和载荷再次以同样方法签名之后发现，自己计算出来的签名和接受到的签名不一样，那么就说明这个Token的内容被别人动过的，我们应该拒绝这个JWT Token，返回一个HTTP 401 Unauthorized响应。

JWT是一个怎样的流程? 先上个官方文档的图：

如上图所示，整个应用流程描述如下：

1）客户端使用账户密码请求登录接口；

2）登录成功后服务器使用签名密钥生成JWT ,然后返回JWT给客户端；

3）客户端再次向服务端请求其他接口时带上JWT；

4）服务端接收到JWT后验证签名的有效性.对客户端做出相应的响应。

JWT的整个技术原理，就是一个很典型的对称加密应用过程，通俗的说也就是用开发者在服务端保存的密码，对用户的id等信息进行加密并按照JWT的规则（见5.1节）组成字符串返回给用户。用户在使用时将这个字符串提交给对应的服务端，服务端取出JWT字串的头信息、载荷，用开发者指明的密码试着进行加密并得到一个字符串（即合法的JWT token），两相比较，相同则认为用户提交上来的JWT合法，否则不合法。这就是JWT的全部原理，相当简单易懂。

JWT技术的价值不在于具体的技术实现，而在于它的思想本身，尤其在异构系统、分布式系统方面，可以极大的简化安全认证的成本，包括简化架构复杂性、降低使用门槛等，因为JWT的技术原理决定了认证的过程不需要其它系统的参与，由当前实例自已就可以完成，而成认证代码极小（就是一个加密字符串的比较而已）。

它的技术思路在当前的各种开发系统中应用广泛，比如下图中微信公众号的服务接口配置里，也用到了类似的思想：

另外，苹果著名的APNs推送服务，也支持JWT技术，详见《 基于APNs最新HTTP/2接口实现iOS的高性能消息推送(服务端篇) 》第6.2节：

▲ 上述截图内容摘录自 苹果官方开发者文档

上一章节，我们详细理解了JWT技术的原理，那么回到本文的初衷：我们该如何使用JWT技术来解决上面所提到的通点呢？

我们采用JWT验证IM的Socket长连接流程如下：

如上图所示，整个验证过程描述如下：

1） 用户登录App（使用IM客服端SDK），App从业务后台拿到SSO单点登陆系统颁发的token（注意：此token还不是JWT的token，它将在第3）步中被使用并生成真正的JWT token）；

2） 当App需要使用IM功能时，将token传给IM客服端SDK（这是在客户端完成的，即当App的功能调用IM客服端SDK时传入）；

3） IM客服端SDK将用户名及第2步中得到的token发给后台的JWT Server（签发JWT token的模块），请求JWT token；

4） 收到第3）步中提交过来的token后，JWT Server会通过RPC等技术向SSO系统提交验证此token的合法性，如果合法，将用跟IM Server约定的Secret（你可以理解为这就是一个固定的密码而已），根据业务需要签发JWT token，并最终返回给IM客服端SDK（即完成第3步中的请求）。

5） 后绪，IM客服端SDK将使用得到的JWT token请求IM Server验证长连接，IM Server根据约定的算法（不依赖其他系统直接用JWT的规则，加上第4）步中与JWT Server 约定的Secret）即可完成jwttoken合法性验证。

通过上述努力，移动端在弱网情况下的频繁建立长连接的身份验证痛点得到了解决。

当然，我们之所以选择JWT技术，主要看重的还是它简单易用，但或许正因为如此，某种程度上来说这也恰是居致它的缺点的原因所在。

JWT技术的缺点及建议的解决方法主要有：

1）JWT的最大缺点是服务器不保存会话状态，所以在使用期间不可能取消token或更改token的权限。也就是说，一旦JWT签发，在有效期内将会一直有效；

2）JWT本身包含认证信息（即你在第5.1节中看到的头信息、负载信息），因此一旦信息泄露，任何人都可以获得token的所有权限。为了减少盗用，JWT的有效期不宜设置太长。对于某些重要操作，用户在使用时应该每次都进行进行身份验证；

3）为了减少盗用和窃取，JWT不建议使用HTTP协议来传输代码，而是使用加密的HTTPS（SSL）协议进行传输。

以下这篇文章列了一些适用JWT的应用场景，仅供参考：

https://www.jianshu.com/p/af8360b83a9f

JWT其实是一项比较有争议的技术，夸它的人会说它简单易用、成本低，极度贬低它的人会说它的安全性就像一层窗户纸――捅一下就破了。

不可否认，跟当前流行的非对称加密技术（大家最熟悉的 HTTPS协议 就是一个典型的非对称加密应用场景）相比，JWT技术的安全系数确实相对要低一些，因为JWT技术的本质就是对称加密技术的应用，而非对称加密技术出现的原因也就是为了提升对称加密技术所不具有的一些安全性。

但非对称加密技术这么好，也并不意味着对称加密技术就一无是处，因为并不是所有场景都需要用性能、架构的复杂性、运维成本来换取高安全性，还是那句话：“安全这东西，够用就行”，而这也正是JWT这种技术仍然有其价值的原因所在。

非对称加密技术虽然安全，但也并非理论上的无懈可击，这世上还没有绝对安全的算法，总之，不苛责级极致安全的情况下，够用便好，你说呢？

如果您对对称加密和非对称加密技术的还不是太了解，可以阅读以下文章：

《 即时通讯安全篇（三）：常用加解密算法与通讯安全讲解 》

《 即时通讯安全篇（六）：非对称加密技术的原理与应用实践 》

如果您是IM开发初学者，强烈建议首先阅读:

《 新手入门一篇就够：从零开发移动端IM 》

即时通讯安全方面的文章汇总如下：

《 即时通讯安全篇（一）：正确地理解和使用Android端加密算法 》

《 即时通讯安全篇（二）：探讨组合加密算法在IM中的应用 》

《 即时通讯安全篇（三）：常用加解密算法与通讯安全讲解 》

《 即时通讯安全篇（四）：实例分析Android中密钥硬编码的风险 》

《 即时通讯安全篇（五）：对称加密技术在Android平台上的应用实践 》

《 即时通讯安全篇（六）：非对称加密技术的原理与应用实践 》

《 即时通讯安全篇（七）：用JWT技术解决IM系统Socket长连接的身份认证痛点 》

《 传输层安全协议SSL/TLS的Java平台实现简介和Demo演示 》

《 理论联系实际：一套典型的IM通信协议设计详解（含安全层设计） 》

《 微信新一代通信安全解决方案：基于TLS1.3的MMTLS详解 》

《 来自阿里OpenIM：打造安全可靠即时通讯服务的技术实践分享 》

《 简述实时音视频聊天中端到端加密（E2EE）的工作原理 》

《 移动端安全通信的利器――端到端加密（E2EE）技术详解 》

《 Web端即时通讯安全：跨站点WebSocket劫持漏洞详解(含示例代码) 》

《 通俗易懂：一篇掌握即时通讯的消息传输安全原理 》

《 IM开发基础知识补课(四)：正确理解HTTP短连接中的Cookie、Session和Token 》

《 快速读懂量子通信、量子加密技术 》

《 即时通讯安全篇（七）：如果这样来理解HTTPS原理，一篇就够了 》

《 一分钟理解 HTTPS 到底解决了什么问题 》

>> 更多同类文章 ……

（本文同步发布于： http://www.52im.net/thread-2106-1-1.html ）

项目退出功能 ，简单地说就是在HackerOne平台中，白帽子们在加入某个漏洞测试项目之后，如果发现这个项目的测试范围或领域并不是你感兴趣或擅长的，那么，可以选择点击 “Leave Program”来退出该项目。在测试项目的主页（Security Page）中，可以找到“Leave Program”按钮。

You helped out us by filling out a survey，in return you will be fast-tracked for invites, with the first one arriving in the next 24 hours.（感谢你为我们完成了调查问卷，作为回报，我们会把你加入快速邀请行列，你将在24小时内收到一个邀请）

那么，在这种设计逻辑下，能否存在一种可利用的空子呢？可以让 HackerOne 自动不断地向我发送测试项目邀请？答案是肯定的。

假设你现在未收到任何测试项目邀请，也就是邀请数为0。那么可以用以下几步来进行漏洞复现：

3.这个邮箱也就是你能收到HackerOne测试邀请的关键，所以我们就向其发送一封测试邮件；

4.之后，你会通过HackerOne平台，收到一封来自厂商安全团队的测试邀请，如下图所示：

6.现在，选择项目退出（Leave Program），完成项目退出问卷调查并确认退出；

7.之后，你又被HackerOne加入快速邀请行列，在接下来的24小时之内，又可以接收到关于另一项目的测试邀请了；

8.重复以上第2步到第第7步，就会不断得到不同项目的漏洞测试邀请。

下图是这个过程的简单逻辑描述：

攻击者可以不需要与厂商进行任何交互，就可以得到各种漏洞测试项目的邀请，向上述我那样重复，几个月之内就能收到100多个测试邀请，从而得到你想要的邀请。

现在，HackerOne已成功修复了这个逻辑Bug，退出项目的白帽再也不会再收到其它厂商的测试邀请了。

更多技术信息，请参考原HackerOne漏洞报告 https://hackerone.com/reports/334205

*参考来源： medium ，clouds编译，转载请注明来自CodeSec.Net