The entire point of purchasing a security suite is so you know it has your back. You want it to be assured the company has invested heavily in development to make sure it can counter the latest threats.

German-based independent security institute AV-Test regularly tests the latest security suites, pushing them through a range of measures including performance against the latest threats, plus how they impact your system. You don’t want a security suite to slow your PC.

The latest October 2018 report displays some interesting results. From our experience, and regular comments we read on our own posts, Malwarebytes is an American-developed security tool which can do almost no wrong, yet its performance in the October 2018 results are borderline shocking. Indeed, we’re not talking about Malwarebytes Free either, this is the paid Premium edition.

Malwarebytes has just been found to offer the worst protection against the latest security threats, compared to a range of other security suites from regular brands such as Norton, Kaspersky, AVG, Bidefender, Avast and somewhat lesser known solutions such as eScan, G-Data and Ahnlab.

Worryingly, Malwarebytes performed less effectively than windows Defender, which is built-in to Windows 10 and turned on by default. It also came below the likes of Avast Free, which you could install alongside Windows Defender.

If you want to go through the results yourself, in detail, read the AV-Test October 2018 report.

As to how other suites did in the tests, Kaspersky Internet Security 2019 (v19) was up at the top, as is Bitdefender Internet Security 2019 (v23) . Avira Antivirus Pro v15 performed admirably, as did Norton Security 2019 (v22) . eScan Internet Security v14 , which few people we know would recommend, was also one of the strongest performers, offering 100 percent protection against 0-day malware attacks, detection of the latest malware (all available in the last 4 weeks), with limited slowdown on the test PCs, whilst offering 0 false website warnings and 0 false detections of legitimate software through October 2018.

Comparing these results, Malwarebytes Premium delivered 97.2 percent protection against the latest 0-day threats, a 40 percent slowdown when accessing frequently-used apps and 4 incorrect detections of legitimate software as malware (13 in September) through October 2018.

The AV-Test October 2018 report is publicly available now.

In reviewing my browser bookmarks I see this blog https://reversatronics.blogspot.com/ is still active. I’m examining the blog entry at https://reversatronics.blogspot.com/2013/10/sunluxy-dvr-backdoor.html to learn and document my own adventures in embedded device security.

The author (Billy) has a Sunluxy CCTV DVR. The company website no longer exists but is basically a JuanDVR. You can still find these devices if you search on Ebay or Alibaba. The author’s link for the company no longer works but can be found at www.juancctv.com . No photos were posted in the blog. Based on the the author identifying 5v TTL and references found in the blog comments the unit referenced would be similar to the stock image from DX.com.

The author does not go into detail on how he identified a vulnerable CGI that provided root access to the device but he links to a pair of Craig Heffner blog articles (see references below). While reading Craig’s blog we are going to try and recreate the work discussed on two stand-alone security cameras. I will reference one more Craig Heffner blog post as we will attempt to identify the UART serial ports on the cameras. I also include links and will document my use of the JTAGulator to identify UART.

I own two security cameras that I had previously used as toddler monitors to watch my young kids. I have a SRICAM AP001 and ESCAM QF100.

The AP001 uses a Ralink RT5350F. This same chipset is used in the Vocore v1.0. The QF001 uses a Hisilcon Hi3518E which is used by the RobinCore v0.2. Because these chipsets are used in open source hardware projects identifying the pinout and where to find RX/TX is a lot easier otherwise. The resource section below details other individuals who opened up their security cameras and had an easy time finding UART because there were pinouts or they were otherwise easily identified. This is not the case with the AP001 and QF100. So far this blog will be a document of my failures in identifying UART. The attempts are educational and could have succeeded if I had gotten lucky. For details on the successful use of a JTAGulator see my post on working with the Linksys WRT54GL v1.1. Also see Joe Grande’s YouTube tutorial linked below.

You will need to remove two of the rubber feet to unscrew and pop off the bottom of both cameras. The following images so the circuit boards for the QF100 and AP001

SRICAM AP001 with bottom cover removed exposing the bottom of the circuit board. Nothing to see here.

The circuit board removed from the SRICAM AP001. The chip driving everything is connected to the main board via a header.

SRICAM AP001 circuit board with RalinkRT5350F circuit board removed.

Examining the AP001 board does not show any candidates for UART. I soldered wires to each pin of the header that was not 3.3v or GND. I determined GND by doing a continuity test with my multi-meter. I then determined the potential voltage by powering on the device and testing the voltage for each pin. I soldered twenty (20) potential candidates and attached them to the JTAGulator. I had no success in identifying UART.

ESCAM QF100 with the bottom cover removed exposing the bottom of the circuit board. On the board you see 0.5 mm pitch ribbon cables for communication with the camera as well as connectors the mic, speaker, and motor.Examining the board does not show any candidates for UART.

After examining the pinout and placement of TX/RX on the RobinCore I determined that two traces coming from the upper right corner of the Hi3518E could be UART. I could not determine where these traces went so I took a new X-ACTO knife and carefully shaved the top coating of the traces until I saw copper. Using a magnifying glass I carefully soldered a pair of wires to the traces. I’ve had success with this method on other projects or when I’ve accidentally pulled a pad up like on the TP-Link WR703n. I attached the wires to the JTAGulator but had no luck in identifying UART.

A last ditch attempt, based on a comment from blog post referenced below, I attached a 20-pin ribbon cable and breakout board to the cameras connectors and tested with the JTAGulator.

So no luck so far in identifying UART. This is just an educational tutorial as there are so many issues already documented with these two cameras. Part 2 will go over telnet access and the command-line injection vulnerabilities that have been documented for these two devices. I will document examination of the web code and binaries. Maybe we will find new issues with these devices.

All images I took of the devices can be found in mycoppermine gallery.

Resources

https://www.unifore.net/ip-video-surveillance/ip-camera-soc-hi3518e-vs-hi3518c.html

https://acassis.wordpress.com/2014/08/10/i-got-a-new-hi3518-ip-camera-modules/

https://acassis.wordpress.com/2014/05/25/boot-log-for-a-cheap-hi3518-chinese-ip-camera/

http://www.openipcam.com

Craig Heffner Blog

http://www.devttys0.com/2013/10/from-china-with-love/

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Hacking IP Cameras

https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

https://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and-found.html

by Stephen Hilt, Numaan Huq, Vladimir Kropotov,Robert McArdle, Cedric Pernet, and Roel Reyes

In our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries , we not only found exposed industrial control system (ICS) human machine interfaces (HMIs) but also pointed out how these systems were at risk. This risk is corroborated by the active interest in water and energy ICSs shown by different kinds of cybercriminal groups.

Looking at past incidents shows how real this interest was, enough to lead to attacks like the one on the Ukrainian Power grid in 2015 . The reported cases imply that the water and energy sectors are indeed targets, whether of sophisticated criminal groups or state-sponsored actors. However, our exploration into underground forums revealed attention coming from other groups like lone actors as well.

We categorized underground forum posts on water and energy ICSs into groups based on the context of the discussion, specifically the reason and motivation behind the posting.

Knowledge about ICS/SCADA

Part of the chatter on the ICS/supervisory control and data acquisition systems (SCADA) of energy and water infrastructure stem from people who want to know more about these systems. The kind of information they discussed in the forums like proofs of concept (POCs), vulnerabilities and exploits of ICS/SCADA would be dangerous in the wrong hands. Interestingly, some people go to such forums to learn about SCADA for free, too, to avoid fees for professional training. Some of the other examples we found did not reveal why they needed new information.

Figure 1. Post asking about SCADA information to avoid expensive professional training

Opportunities for personal gain

Other conversations in the forums were more actionable, exploring ideas for possible opportunities and gains from ICS/SCADA systems. One of the more general discussions brought up Shodan and Censys within the larger conversation on industrial equipment being profitable IoT devices to exploit.

Some forums had more specific topics and were outright discussions on access and credentials for certain ICS/SCADA systems. An example of such discussions involved a hacker who apparently had success in getting into a system and is looking to sell acquired information. Other such discussions involved groups who are in the reconnaissance phase of a campaign; employees willing to use illicit means to get ahead; and organizations requesting attacks on competitors.

Figure 2. Hacker selling acquired information on a forum

On the other hand, bug bounty programs of legitimate organizations hoping to test the security of their equipment in the wild are reposted by forum users. Bug bounties are a valid means to earn from vulnerability discoveries; however, they could also attract malicious actors seeking to gain more than the rewards offered.

Whether these discussions have already turned or will turn into active campaigns is still to be determined. The fact that they exist already puts greater urgency on improving security for organizations in the water and energy sectors. Given that our research uncovered exposed systems in small and medium businesses (SMBs), these findings drive the point that no organization in any sector, of any size, is immune to attack.

Organizations need to keep in mind that cybercriminals will not stop at simply observing exposed systems they discover. As organizations in critical sectors (CI) like water and energy continue to incorporate the industrial internet of things (IIoT) in their operations, they should start with security in mind. Awareness of the different vulnerabilities that might exist in ICS can help pinpoint necessary improvements, not just at the beginning but throughout operations. They should also assess for possible areas of exposure and vulnerability and start improvements from there. After all, a strong security posture can ensure that IIoT systems are used as tools in enhancing CIs instead of the opposite― as avenues for malicious campaigns.

For more insights on exposed CI HMIs, in-depth descriptions of threat actors, and defensive strategies, read our research Exposed and Vulnerable Critical Infrastructure: Water and Energy Industries .

随着互联网科技的日益发展，互联网违法犯罪滋生了新的破坏方式即黑客攻击，从频度和技术手段上都有了明显提升。

昨天上午，杭州市公安局召开 “净网”2018专项行动暨打击网络黑客犯罪新闻通报会。

今年以来，杭州市公安机关以市、区二级网警主导推进的全市打击整治黑客攻击破坏违法犯罪行动中，共破获各类涉黑客犯罪案件 40起，采取强制措施77人，批捕25人，移诉45人。公安部督办案件3起，省公安厅督办案件3起。

今年 8月，滨江公安分局网警大队破获一起破坏计算机信息系统案件，抓获了一个“自学成才”的黑客。

8月初，网警大队接滨江某集团上市公司报案称，公司网站被人DDOS攻击（占用大量网络资源，使用户无法得到服务的响应，是目前最强大、最难防御的攻击之一），导致网络堵塞，造成公司主干网络瘫痪，大量交货单无法发货,损失近千万。

网站被攻击发生不久后，该公司相关负责人随即接到境外电话号码发来的勒索短信以及勒索电话，要求支付 1个比特币，同时声称若在规定时间内不进行支付，则将继续加大攻击流量并涨价至2个比特币。

网警部门调查发现，这起 DDOS攻击案件，流量源非常复杂，既有来自重庆、山东等地的境内流量，也有来自境外的流量。

警方锁定嫌疑人后更惊讶： 40岁男性，初中文化，没有任何互联网从业经历，曾因强奸罪被判处有期徒刑十年，还有多年吸毒史，被公安机关多次处理。

嫌疑人具有较强反侦查意识。为了躲避公安机关的侦查，跑到国外购买电话卡，并试图使用比特币洗钱。

一旦发现可疑情况或发现在其生活区域出现陌生人，立刻外出躲避，通过朋友在酒店开房后再行入住。为躲避警方抓捕，嫌疑人频繁更换住所。

犯罪嫌疑人通过跳板服务器，利用非法软件控制大量境内外 “肉鸡”，对网站发起流量攻击。

8月29日，滨江警方成功将犯罪嫌疑人抓获归案。

杭州警方介绍，目前网络黑客犯罪呈现出新型犯罪的 4个明显特征：攻击目标明显转移、犯罪技术手段越加专业、作案手段越加隐蔽伪装性强、犯罪成员呈年轻化趋势。

模型选择和超参数优化是机器学习技术应用过程中的关键步骤。给定个机器学习任务，人工参与模型选择以及超参数优化通常是个耗时、繁琐的过程。为了解决这样的问题，些关于自动化机器学习的研究工作被提出，比如 Auto-WEKA 、Auto-Sklearn 和 Auto-Keras 等。

另外近几年 NIPS、PAKDD 等会议已经开始举办 AutoML 比赛，这一新兴领域已经获得学术界和工业界的广泛关注。

以往 AutoML 的工作通常侧重于监督学习问题，需要解决包括特征工程、模型选择、和超参数优化等问题。已有的 AutoML 系统已经可以得到不错的模型预测性能。例如，Auto-WEKA 结合了机器学习框架 WEKA，并利用贝叶斯优化方法对新数据集进行模型以及超参数的选择。

Auto-Sklearn 改进了 Auto-WEKA，它使用元学习来初始化学习算法以及超参数，并集成了评估过程中产生的模型，从而得到鲁棒的模型选择结果。另外，谷歌也开发了一套针对图像分类的自动机器学习产品 Cloud AutoML。以上研究表明 AutoML 可以自动地选择一个适合当前任务的监督学习模型以及超参数。

然而在些实际的应场景中，获取有标记数据会常困难。例如，在网页分类、医学图像分类等领域中通常只能获得大量的未标记数据以及少量标记数据。因此能利用未标注信息的半监督学习（SSL）在现实应用中普遍存在，但自动化的 SSL 研究仍然有限。在本文工作中，我们主要研究了现有 AutoML 技术无法直接解决的 SSL 问题。

首先，已有的元学习主要从大量有标记数据提取元特征，从而初始化学习算法以及超参数。对于含有大量未标记数据以及少量有标记数据的数据集，提取能刻画数据分布的元特征对于半监督学习算法的选择至关重要。

其次，SSL 在实施过程中可能会出现性能的严重下降，也就是说 SSL 利用了未标记数据以后的模型预测性能还不如仅仅利用有标记数据的监督学习算法。最近一些关于安全半监督的方法已经提出，然而这些研究方法通常侧重学习过程的某一个方面，并没有关注一个自动化的 SSL 解决方案。

为了解决以上问题，本文针对 SSL 提出了自动半监督学习方法（AUTO-SSL）。首先，受到 Auto-Sklearn 的启发，本文使用元学习以快速初始化 SSL 算法。考虑到未标记的数据分布对于 SSL 算法的选择至关重要，本文使用多种无监督聚类算法提取簇内和簇间的统计信息以增强元学习的表现。

其次，本文使用一种大间隔方法，用于微调超参数以缓解 SSL 可能出现的性能降低问题。这种方法的基本思想是，如果某个超参数较好，其在未标记数据上的模型预测结果分类间隔较大。在不同领域的 40 个数据集上，实验结果表明本文提出的方法相比以往的系统有较大的性能提升，包括 AutoML 系统 AUTO-SKLEARN 以及经典 SSL 方法。此外不同于传统的 SSL 方法会出现性能下降的情况，本文提出的方法几乎不会出现这样的情况。

论文地址：http://lamda.nju.edu.cn/liyf/paper/aaai19-autossl.pdf

对于 SSL，数据分布信息对于 SSL 算法选择至关重要，例如，基于图的半监督学习算法要求数据具有平滑性假设，即相似的样本具有相同的标记；而半监督支持向量机要求数据具有低密度假设，即半监督支持向量机试图找到能将两类数据分开，且穿过数据低密度区域的划分超平面。本文通过无监督学习算法提取数据的分布信息，详细的聚类算法以及提取的特征如下表所示：

元学习能够有效地给目标任务初始化 SSL 算法，但无法对超参数进行优化。然而，实际的应用场景中，超参数优化虽然可以得到不错的性能调整，但效率低下，通常需要消耗大量的时间。传统的 AutoML 系统通过贝叶斯优化调整超参数，需要大量的标记数据切分验证集并多次进行模型评估，对于 SSL，标记数据通常不足以用来切分验证集进行模型评估。本文提出了一种大间隔的方法来优化超参数，基本思想是，如果某个超参数较好，其在未标记数据上的模型预测结果分类间隔较大，反之亦然。下图给出了大间隔方法用于优化超参数的示例。

为了充分考察 AUTO-SSL 在实际场景中的效果，本文在 40 个数据集上同 AUTO-SKLEARN、传统 SSL 方法以及监督学习方法进行了对比实验。其中数据集涵盖了商业、生命科学、物理、社交、金融、计算机等各种不同的应用领域。因为有标记数据数量是影响 SSL 性能的重要因素之一，我们展示了 AUTO-SSL 在多种场景下可以获得同传统 SSL 方法相比更加鲁棒的结果。

图 3 给出了在 20 个有标记数据情况下，AUTO-SSL 与 AUTO-SKLEARN 模型预测性能的比较结果，其中绿色部分表示性能的提升量，红色部分表示性能的下降量。可以看出，AUTO-SSL 利用了未标记数据辅助提升模型预测性能，相比仅仅利用标记数据的 AUTO-SKLEARN 在多数情况下会有比较大的性能提升。

表 2-3 给出了 40 数据集上 AUTO-SSL 与传统 SSL 方法的详细比较结果，ASSL 表示本文提出的方法。图 4 给出了 AUTO-SSL 和传统 SSL 方法相比基准监督学习方法 SVM 的比较结果，从图中可以看出，传统 SSL 方法存在一些情况下，利用未标记数据以后的模型预测性能不如仅仅利用有标记数据的监督学习方法，而 AUTO-SSL 能够避免这种情况的出现。

图 5 给出了不同有标记数据情况下，AUTO-SSL 与对比方法的平均预测性能。表 4 给出了不同有标记数据情况下，AUTO-SSL 与传统 SSL 方法相比于基准监督学习方法「胜/平/负」的统计情况；其中，「胜/平/负」表示该方法得到的模型预测性能相比基准监督学习方法 SVM 有」显著提升/无显著性/显著下降」。从实验结果可以看出，AUTO-SSL 相比各个比较方法更能够得到鲁棒的模型预测结果。

Just two weeks after the initial rollout of Samsung’s One UI beta program , the first update is on its way. For Galaxy S9 and Galaxy S9+ users testing out the One UI beta, here’s what to expect from the first update.

Rolling out over the past 24 hours or so, Samsung’s One UI beta 2 update for Galaxy S9 brings a huge list of improvements. This update doesn’t include any major interface changes, but the changelog notes over two dozen bug fixes for the OS. You can take a look at the full changelog below for more details, but some of the biggest fixes include:

Users on Reddit have also noted some other miscellaneouschanges in this Samsung One UI update. One user notes how Samsung’s gesture navigation no longer has a fluid transition when swiping to the homescreen. Others note that some UI elements are broken or missing after this update is installed until the phone is rebooted. Hopefully, these are issues Samsung can continue to iron out in further releases.

One UI is set to arrive in full on the Galaxy S9 and Galaxy Note 9 starting in January. Beta testing will continue in the meantime, and it already seems to be available for some Galaxy Note 9 owners as well.

Full Samsung One UI beta 2 update changelog

by Will Bengtson

Previously we wrote about a method for detecting credential compromise in your AWS environment. The methodology focused on a continuous learning model and first use principle. This solution still is reactive in nature ― we only detect credential compromise after it has already happened.. Even with detection capabilities, there is a risk that exposed credentials can provide access to sensitive data and/or the ability to cause damage in our environment.

Today, we would like to share two additional layers of security: API enforcement and metadata protection. These layers can be used to help prevent credential compromise in your environment.

In this post, we’ll discuss how to prevent or mitigate compromise of credentials due to certain classes of vulnerabilities such as Server Side Request Forgery (SSRF) and XML External Entity (XXE) injection. If an attacker has remote code execution (RCE) or local presence on the AWS server, these methods discussed will not prevent compromise. For more information on how the AWS services mentioned work, see the Background section at the end of this post.

There are many ways that you can protect your AWS temporary credentials. The two methods covered here are:

Credential enforcement only allows API calls to succeed if they originate from a known environment. In AWS, this can be achieved by creating an IAM policy that checks the origin of the API call. To achieve this, it is important to understand where API calls come from (described below in Background). An example policy is shown below.

One way to deploy this is to create a managed policy that encompasses your entire account across all regions. To do this, describe each region and collect your NAT gateway IPs, VPC IDs, and VPC endpoint IDs to create the policy language for the managed policy (similar to the example above) that can be attached to the IAM Roles that you want to protect. The limitation of this method is that you can only protect IAM Roles that are used on EC2 instances deployed to the internal subnet. IAM Roles that are associated with EC2 instances in the external subnet should be excluded. Exposing your service publicly through a Load Balancer would allow you to deploy your EC2 instance into the internal subnet and allow you to attach this policy to your IAM Role.

Another limitation to this method is that AWS often makes calls on your behalf that are triggered by certain API calls. For example, when you restore an encrypted RDS instance, AWS will make KMS calls on your behalf to figure out which key should be used in the restore process. When these services make calls for you, the AWS credentials that are tied to the IAM Role that made the first call are used. The originating IP address will be one from AWS and not reflect what is in your policy. You can see this in CloudTrail by looking from events with sourceIPAddress resembling <service>.amazonaws.com . Even with this limitation, you will find that you can protect most IAM Roles and find workarounds to address this.

As described above, the EC2 Metadata service is the mechanism for providing credentials to your application running on an EC2 instance in AWS. It is available by making a request to the IP address of 169.254.169.254. The current AWS Metadata service does not require any HTTP headers to be present and allows any process to make HTTP requests.

Server Side Request Forgery (SSRF) is a vulnerability that allows an attacker to trick the application into making a HTTP/HTTPS requests on their behalf. One of the most common attacks against applications that are vulnerable to SSRF target the Metadata service credential path. When an attacker exploits a SSRF vulnerability, they cannot control which HTTP headers are sent in the request. The lack of header control by an attacker enables a required header on the metadata service to mitigate this class of vulnerability. If an attacker is able to set HTTP headers, such as having a shell on the server and controlling headers in a curl command, the header protection is useful in protecting against an attacker that does not realize there is a header required.

If the Metadata service required a HTTP Header when talking to it, the SSRF attack vector that aims to steal your AWS credentials can be mitigated. In the past it was not possible to create your own Metadata proxy to protect the Metadata service from attacks such as SSRF. The Metadata proxies you might find in open source are typically scoped to providing credentials for containers running on your hosts and not able to protect against these attacks. We have been working with AWS to enable the ability to protect against this attack by setting the User-Agent HTTP Header when making requests to the Metadata service from the AWS SDKs to something known. By knowing what User-Agents will be set when official AWS SDKs make requests to the Metadata service and combining this with the fact that in the SSRF vulnerability scenario you cannot control HTTP Headers, we are now able to proxy traffic to the Metadata service and reject requests without the appropriate User-Agent HTTP Header, thus mitigating the SSRF attack vector on AWS Credentials.

The current User-Agents that you will see when proxying traffic from the SDKs start with the following strings:

Default configuration in the cloud leaves your environment at increased risk in the event of a credential exposure/compromise. Coupling a Metadata proxy with API enforcement increases the security stance of your AWS environment, implementing defense in depth protections. Combining this approach with Detecting Credential Compromise in AWS paves a road for protecting IAM in your cloud environment.

Be sure to let us know if you implement this, or something better, in your own environment.

Will Bengtson, for Netflix Security Tools and Operations

“Credential” in this post is the Amazon Web Services (AWS) API key that is used to describe and make changes within an AWS account.

The year’s busiest period for retailing has begun and once again will test the effectiveness of retailing cybersecurity and just as the World Economic Forum has produced a new report stating North American business executives rank cyber attacks among their top risks. While retailing cybersecurity is improving to some extent, its breadth and quality still has ample room to grow.

This means retailers may not be fully able to protect customers amid holiday season sales almost certain to ring in sales north of $700 billion in the U.S. alone.

Merchants often don’t spend their cybersecurity dollars as efficiently as they should. More importantly, retailers don’t spend enough; about four percent annually of their IT budgets are devoted to cybersecurity , according to Gartner less than the healthcare industry, another tight-fisted spender. By contrast, the financial services industry spends more than 5.5 percent on cybersecurity annually.

In part, this is why giant retailers such as Home Depot, Neiman Marcus and Target have suffered breaches in recent years. This year alone, Saks Fifth Avenue, Lord & Taylor, Sears and Under Armour have also fallen victim to major data breaches. In total, nearly one in three retailers have suffered revenue losses stemming from cyber attacks, according to the Cisco 2017 Annual Cybersecurity Report.

Retail Cybersecurity Ranks near the Bottom

SecurityScorecard, which monitors more than 200,000 businesses globally and grades the cybersecurity effectiveness of various industries, ranks the retail industry second from the bottom. One big problem is that merchants are enticing targets of personally identifiable information and associated financial information. Another is that big retailers have complex networks, making them more vulnerable.

In addition, retail is a rich target of social engineering attacks, according to SecurityScorecard. A SecurityScorecard report also found a retail industry failure to sufficiently comply with PCI DSS standards for the protection of cardholder data.

Because the fifth anniversary of the Target breach in December 2013 the biggest retail breach in history - is on the horizon, merchants this year are more fidgety about the state of their cybersecurity protection. Point-of-sales terminals at Target were compromised by hackers for more than two weeks, enabling them to steal credit and debit cards from more than 40 million customers. The company paid dearly on multiple fronts, including breach-related cumulative expenses of $162 million.

The Cisco cybersecurity report found that that just 52 percent of retail organizations consider their security infrastructure up-to-date and upgraded with the best technology tools. Among other industries, this figure averaged 59 percent.

The online retailing industry, in particular, has become a choice hunting ground for cyber criminals, especially with new payment technologies that are transforming the way consumer shop, whether online, via mobile or in the store. These technologies provide new entry points for cyber criminals.

Also newly at risk are large volumes of business-related data regarding operations, business management, procurement and logistics all a profitable source of data for cyber criminals.

Other substantial threats are point-of-sale (POS) breaches, ransomware and distributed denial-of-service (DDos) and credential stuffing attacks.

In the last two arenas, at least, multiple companies now offer effective defenses in one or both, including Shape Security, Akamai, Netacea and F5.

POS Systems Get Little Attention

Many companies, in particular, fail to maintain their POS system. This means they use outdated operating systems. In addition, POS systems lack point-to-point encryption, which is why retailers are implementing less effective endpoint protection. Meanwhile, DDoS attacks are growing in concert with the rise of the Internet of Things (IoT). And ransomware, an older retailing threat, is experiencing a resurgence. To help combat these attacks, retailers are increasingly automating data backup.

Retailers must take a number of other steps to successfully thwart malicious actors. Here are the key things they must do:

RBS Leading the Cutting Edge

A leader in this space is The Royal Bank of Scotland. When clients log in to their RBS accounts, software begins recording 2,000 interactive gestures. On phones, it measures the fingers they use to swipe and tap, the pressure they apply, and how quickly their scroll. On a computer, the software records the rhythm of keystrokes and the way the mouse is wiggled.

Among all the security vulnerabilities confronting retailers, the single biggest problem is unmistakably obvious: stores often don’t realize they have been attacked until far too late.

Often, they don’t learn about an attack until receiving a call from a credit card company regarding seemingly strange activity. In the interim, according to the 2018 Crowdstrike Global Threat Report, the average attacker’s “breakout time” in 2017 was 118 minutes, and it continues to narrow. The upshot: Once an intruder compromises a network, he can move to other machines in the network in less than two hours.

This is unacceptable, and retailers must confront this vulnerability immediately and head-on. It’s too late to act this holiday season. But this needs to be their top priority for the holiday season in 2019, and preferably much sooner.

<原文见https://blogs.technet.microsoft.com/gcrsec/2018/01/04/cpu_microcode_vul>

各位新年好！2018年的首个重要安全公告是影响CPU 和操作系统的 ――“猜测执行边信道攻击安全漏洞”。这类漏洞刚被公开披露。它们影响了整个行业、多个厂商的不同硬件（Intel, AMD和ARM）、软件（windows, linux,Android, Chrome, iOS, Mac OS）等 。

微软作为行业重要一员，一直以来始终把用户安全放在首位。我们积极展开研究开发工作，并以最快速度推出缓解漏洞影响的各种安全更新。这些更新除了修复针对本地计算平台，也对云平台（Azure, Office 365, Dynamic等）做了相应修复处理。

微软安全通告北京时间今早(第一时间)发布。

ADV180002 | Vulnerability in CPU Microcode Could Allow Information Disclosure

中文链接： https://portal.msrc.microsoft.com/zh-cn/security-guidance/advisory/ADV180002

英文链接： https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002

对应的安全漏洞、受到影响的产品(包括物理机和虚拟机)，是否已经观测到活跃的攻击，这些信息都在上述安全通告中得到发布。

这里我们提请大家注意，因为这个安全问题影响到硬件，因此是否需要升级固件，请大家一定要关注对应硬件厂商的官方准确信息。仅仅完成软件修复并不完整。

对于安全修复潜在的性能影响，我们恳请大家不要因为潜在的性能影响而无视安全。尤其对企业用户，请有计划地测试。如果发现问题，及时联络软硬件厂商研究解决。

“大吉大利，今晚吃鸡”。在最近几个月，以《绝地求生》为代表的“吃鸡”类游戏在全球特别是国内火爆度大增，很多人甚至下载外挂等辅助性工具，谋求胜利“吃鸡”。但是，这些脱离了安全监管、游走在灰色市场的辅助类软件却隐藏着大量的恶意代码，不但能够窃取玩家的账号密码等个人信息、推动垃圾广告，还能植入“挖矿木马”等恶意软件，拖慢电脑或手机的运行速度不说，甚至将玩家变成“肉鸡”。趋势科技提醒玩家不要下载外挂类软件，在安装其它游戏辅助工具的时候要严格关注其安全性，并使用趋势科技等安全软件来封堵恶意软件。

游戏外挂已经成为恶意程序的重灾区

根据游戏开发商公布的数据，《绝地求生》PC版在近日已经成为了史上最畅销的PC游戏，手机上的同类型游戏也成为当前最火的游戏类型。与之同时到来的是外挂软件的泛滥，为了躲避监管，这些外挂大部分都是通过地下灰色市场传播，这也给恶意代码传播创造了极佳的机遇。安全研究人员发现，很多外挂在直接售卖牟利的同时，还成为病毒木马的藏身之处，一款名为“tlMiner”的挖矿病毒就通过《绝地求生》外挂来传播，一旦成功感染玩家的电脑，病毒就会窃取电脑的计算能力来进行挖矿，高负荷的挖矿负载不仅会带来电脑卡顿，还会让电费的消耗量大增。此外，还有网络犯罪分子还在外挂中植入勒索软件，在感染成功之后会向玩家勒索钱财以解开系统及文件。

被勒索软件加密的系统界面

“吃鸡”类手游同样无法置身事外，很多网络不法分子已经瞄准了日渐火爆的“吃鸡”类手游，以“游戏辅助”、“游戏抢号神器”或者官方的外衣，在论坛、社交网站上散播植入了恶意代码的软件，诱使急于求胜的玩家下载。一旦玩家中招，这些恶意软件便会通过锁屏勒索、恶意扣费、捆绑恶意代码等方式来感染用户手机、勒索钱财。

趋势科技移动安全产品总监余凯表示：“在恶意软件日渐猖獗的背景下，通过灰色市场传播的软件安全风险极高。而且，这些软件本身并不合法，网络犯罪分子在诱使用户安装的时候，往往还会‘提醒’用户关闭杀毒软件以顺利安装。不少用户为了成功安装，都选择遵循网络犯罪分子的指示，这让恶意软件的感染成功率大幅提升。”

安全专家提醒玩家在“吃鸡”的同时，一定要注意安全防护，并遵循以下建议：

◆不要使用外挂等作弊类程序，这不仅会影响游戏体验，而且还会因为其不在安全审查的范围之内，而带来极大的安全风险。

◆不要随意通过论坛等不安全的渠道下载游戏辅助类工具，即使是在第三方应用商店下载游戏，玩家也应该审查该应用的开发商。要警惕那些没有留下信息或者只留下很少信息的开发商，他们开发的应用可能就是恶意软件。

◆此外，玩家最好能够安装趋势科技PC-cillin云安全软件等安全软件对个人设备进行保护。趋势科技PC-cillin云安全软件可以同步支持windows、Mac、Android、iOS 操作系统，并采用全球第一主动式云端截毒技术，在云端就能主动侦测通过各种途径传送的恶意程序，实时、快速地防御各种以游戏为幌子的木马和病毒，保护玩家的金钱与个人信息免遭损失。

引：风暴中心将会陆续在安全客平台，发布各类专题技术报告、年度安全报告及最新技术研究，欢迎各位关注我们，参与交流和讨论。

本次我们用数据说话，依据安恒十一月先后参加的中国国际进口博览会、第五届世界互联网大会以及联合国世界地理信息大会这三大国际型会议的安全态势报告，带大家走进安恒技术！安恒提供专业、稳定的云防护服务，网站所有攻击均被有效阻断，未造成攻击成功或篡改成功的安全事件，有效地保障网站安全、平稳地运行。

2018-10-23至2018-11-11, 玄武盾参与防护上海区域网站群共计受到攻击448.27万次。

以下是部分攻击趋势图：

根据风暴中心拦截攻击趋势分析，会议期间的攻击数据保持较高的态势，而在活动前的预热阶段与活动闭幕后的余热阶段，每日攻击态势依旧不容乐观。如图，攻击时间段趋势如下：

根据时间段攻击趋势分析，白天的攻击量明显高于夜晚，且白天的攻击量与活动举办的时间段有关，如9：00-11：00，13：00-17：00这两阶段的攻击数据明显高于其他时间段。17：00-23：00，攻击态势依旧保持较高的状态，介于15万-20万之间，而在凌晨的0：00-8：00，攻击态势处于全天中的低谷阶段。

与此同时，根据风暴中心数据大脑安全分析，境外攻击源主要是通过肉鸡、跳板机对网站发起恶意攻击，具体攻击区域分布见下图：

此间，网站群累计遭受515个IP的扫描攻击，封锁次数为11,632次，玄武盾识别到扫描行为后立即封锁IP，未对网站造成影响。

2018-11-01至2018-11-10，玄武盾对省重点网站开展远程安全扫描监测，根据后台统计数据显示，期间监测防护站点累计遭受866.99万次攻击。

注：深红色段为世界互联网大会举办期间攻击趋势

上图是11月1日-10日重点网站所受到的攻击趋势图，可以看出：会议筹备前夕，网络攻击趋势比较平稳，平均保持在50万次/天；在世界互联网大会开幕的前一天，攻击量开始攀升，达到112.71万次，同比增长约2倍。

而在世界互联网大会举办期间，网络攻击数量大增，攻防对抗激烈，攻击态势整体保持在170万次左右。大会闭幕期间，相比会议期间，网络攻击的数据下降，但总体攻击依旧较高，平均处于65万次/天，依旧高于前期会议筹备阶段的攻击数量。

由此可见，在大型国际会议或活动时期，网络空间的安全威胁不容小觑，网络攻击流量巨大，网络攻防势力对抗激烈。

值守全天总体态势分析：攻击数据最高时段集中在10：00―12：00，14：00―17：00，18：00―20：00；攻击低时段处于凌晨2：00―7：00，该时段的攻击数量均处于30万以下；其中，12：00，13：00，17：00，这三个节点明显出现洼地现象。

趋势解析：全天候时间段攻击数量的多少，与大会召开的时间段相关，也与网络攻击者的生活习性有关。

期间Web攻击类型以SQL注入攻击、命令注入攻击、漏洞防护等居多，主要攻击类型分布如图：

根据风暴中心数据大脑安全分析，境外攻击源主要是通过肉鸡、跳板机对网站发起恶意攻击，具体攻击区域分布见下图：

2018-11-18至2018-11-23，玄武盾省重点网站开展远程安全扫描监测，根据后台统计数据显示，期间监测防护网站群共计遭受1817.29万次攻击。以下是部分时间段网站群安全态势：

注：深红色段为联合国世界地理信息大会举办期间攻击趋势

本届联合国世界地理信息大会的网络攻击趋势严峻，从11月18-23日，网络攻击态势一直居高不下，平均保持在300万/天，网络空间的安全保障攻坚战异常艰巨。

安恒信息安保小组实行7×24小时全天候的安全值守，制定周密的应急响应机制，结合机器学习技术、网络攻防技术、威胁情报技术与人工经验分析，积极打击网络攻击势头，确保防护站点的安全性。攻击时间段趋势如下：

从时间分布上看，9：00-11：00，14：00-17：00，23：00-凌晨1：00，是网络安全攻防的高峰期；凌晨2：00-8：00，网络攻击相对较为平缓，保持在65万/小时左右。

本次时间分布趋势图比较独特的地方在于：午夜时间段，网络攻击态势处于猛烈状态，22：00-23：00的攻击量超过100万次，与白天攻击态势最高峰的数据量几乎持平。

扫描攻击详情：累计遭受1,014个IP的扫描攻击，封锁次数为43,885次，玄武盾识别到扫描行为后立即封锁IP，未对网站造成影响。

根据风暴中心数据大脑安全分析，境外攻击源主要是通过肉鸡、跳板机对网站发起恶意攻击，具体攻击区域分布见下图：

从以上三次大型安全保重事件中得出经验，风暴中心建议网络运营方应该多关注攻击者常用的攻击类型，查漏补缺，定期对网络资产进行风险扫描与分析，及时修补漏洞；重视代码审计与渗透测试技术的重要性，有效管理网络资产安全；同时，注重安全能力的提升，完善安全机制。

加固网站服务器安全

加强网站服务器的日常维护，做好网站服务器的访问控制，限定开放访问IP白名单，限定开放高危端口/服务，定期对网站服务器进行安全体检，及时消除可能存在的安全隐患。

加强网站弱点修复

定期对网站开展安全风险评估，进行风险扫描与分析，及时消除网站的漏洞风险，提升网站本身的安全性。

及时清理网页后门

网站发布、升级、迁移前和日常运维过程中，都要对网站源文件进行网页后门扫描和彻底清理。

加强管理账号管理

加强对网站管理后台账号、FTP/SSH/VNC/远程桌面等远程维护工具账号的管理，尽量使用强密码，并定期更新密码。

据国外媒体报道，普林斯顿大学的计算机科学教授Arvind Narayanan评估，比特币挖矿每天耗掉5吉瓦的电力，接近全球耗电量的1%。然而，这其中并不包括隐形的“挖矿病毒”，许多“中招”的数据中心，以及无法精确统计的僵尸网络，正在贪婪的吞噬电力、拖慢企业的计算能力。针对“挖矿病毒”大肆泛滥的情况，亚信安全建议企业用户，在增强安全教育，倡导员工提高安全意识的同时，更应建立行之有效的病毒治理体系，严防内网出现“矿工”。

（图片来自：包图网）

在近一段时间，比特币、以太币等数字货币的币值出现了大幅降低，但这并不意味着网络不法分子就会放弃这块“肥肉”。对于普通用户来说，则需要警惕“电脑越用越卡”的情况。

作为吞噬PC资源的“大户”，挖矿病毒通过控制PC的处理器、显卡等硬件，执行高负载的挖矿计算脚本来进行挖矿。一旦成功入侵到用户PC，往往会导致CPU或是显卡的负载上升数倍，不仅应用的运行速度被极大的拖慢，电力功耗也会剧烈增加。

亚信安全季度安全报告显示，政府、医疗、石油和天然气等网络安全相对薄弱的企事业单位是挖矿病毒的优先攻击目标。虽然大部分PC在挖矿效率上完全无法同专业的“矿机”相提并论，但是“聚沙成塔”，一旦其控制的PC数量达到几千台甚至几万台，其收益就是极其可观了。这也是黑客将主要目标锁定为企事业单位的主要原因。

挖矿病毒的风险还在于，其目的并非局限在窃取PC的计算能力方面，而是会利用自己善于隐匿的优势，为威胁更大的APT攻击预留了空间。一旦挖矿变得无利可图，其很有可能将目标转化为组织的数据资产与业务，带来更严峻的威胁。

斩断入侵路径是防范挖矿病毒最有效的方法，而社交工程就是黑客最常用的入侵方式。黑客会向组织内部的员工大量发送精心伪造的垃圾邮件，这些垃圾邮件一般会在附件中植入挖矿相关的恶意代码，并使用具有诱惑力的标题和内容诱惑员工下载并打开。一旦成功侵入，病毒往往会注入系统进程，并读取挖矿配置信息进行挖矿。

因此，对于挖矿病毒来说，生存时间是衡量其销量的最重要标准。为了达到这一目标，网络犯罪分子采取的战术策略也在不断演变，更多的是使用了免杀机制。在对抗挖矿病毒的过程中，持续的监察与发现能力至关重要，因此亚信安全建议组织用户建立多层次、联动的安全策略，部署防火墙、邮件网关等产品作为第一道防线，并部署行为监控和漏洞防护产品，有效阻止威胁到达客户端。

对于面临挖矿病毒威胁的组织来说，可以综合部署亚信安全深度威胁发现平台(Deep Discovery，DD)、发挥深度威胁发现设备(TDA)、深度威胁安全网关(DE)、深度威胁邮件网关(DDEI)、深度威胁分析设备(DDAN)、深度威胁终端取证及行为分析系统(DDES )等产品，发挥其联动效果，在挖矿病毒传播的各个环节建立“抑制点”。

其中，亚信安全邮件安全网关IMSA与亚信安全深度威胁邮件网关DDEI组成的主动防护体系，可对邮件整体的安全生命周期进行主动控制与多层次的风险控制，对终端系统进行主动监控，可以用于侦测社交工程邮件携带的挖矿软件,对于挖矿病毒的行为给予主动阻止运行，尽可能的降低终端感染恶意软件的几率。

在挖矿病毒发现与防范过程中，“人”会扮演重要的角色，组织的IT人员应该加强对于组织网络资产的监测，对于出现的异常情况进行及时排查与处理。另外，强化员工的网络安全教育也有利于员工降低点击不明邮件、链接与文件的几率，并能通过及时的自查与事件上报降低PC的染毒几率。

此外，亚信安全还提醒企业用户要构建覆盖全网的终端威胁发现系统，特别防范未知安全威胁，加强安全态势感知能力提升，并通过精密编排的防御体系提升网络安全恢复补救能力。

【责任编辑：蓝雨泪 TEL：（010）68476606】

近两年市场对比特币、门罗币等各种虚拟货币的热情，催生了繁荣的挖矿产业，也滋生了大批挖矿木马。挖矿木马通过转嫁挖矿成本实现非法利益的最大化，而中招的个人用户则要承担挖矿计算带来的经济损失。

挖矿木马经常伪装成正常软件，而且会提醒用户，声称本软件绝对无毒，杀毒软件报警属于误报现象，并建议用户将软件添加到信任列表或诱导用户关闭安全软件。个人用户很难鉴别软件是否有害，出于使用需求，有些用户会忽略安全软件的风险提示仍然使用报毒的软件。

360安全专家对容易被个人用户放行的挖矿陷阱进行了分析，总结了几种个人用户最易中招的挖矿陷阱及应对措施。

利用满足用户特定需求的工具类软件下发或捆绑挖矿木马。

下面是某论坛用户分享的用于“翻墙”的第三方免费VPN软件，帖子的最后回帖时间是2018年11月24日。软件官网声称是为学生党，上班族定制的免费加速器。不明真相的个人用户以为是天上掉馅饼的好事，很多用户在回帖感谢，实际上这是挖矿木马设置的陷阱。软件中除了提供给用户VPN服务外还会偷偷挖矿。

运行软件后，出现明显的系统资源占用异常升高，经分析这款VPN软件内部可以清楚看到连接矿池挖取门罗币的功能。

特别注意的是，并不只是windows系统的用户是挖矿木马的目标，很多挖矿木马是从开源挖矿项目修改而来，可以支持不同的平台。在该VPN软件的官网上（在如下图），提供了针对Windows，MacOS和linux三种系统的版本，在三个版本的程序中都发现有挖矿相关代码。

个人用户在使用电脑过程中，经常会用到一些特殊的工具软件，比如激活工具、翻墙软件、外挂辅助等。个人用户往往会按照木马提醒忽略安全软件的风险提示，对这类风险工具放行。这些软件不规范也不合法，但总能满足用户的某些需求，是挖矿木马的良好隐蔽目标。个人用户在使用这些软件时还是要擦亮眼睛。

挂机网赚软件一般打着无需任何投资，轻松挂机赚钱的名号博取用户信任，通过网赚社区或群组传播。许多个人用户只是希望能够赚点零花钱，却不知道有些挂机软件实际是在用用户电脑挖矿，一不小心就落入陷阱。

比如上图这款之前曝光过的披着网赚外衣的“三合一”挖矿木马挂机软件，运行起来时疯狂占用CPU资源挖矿，具有修改MBR添加开机密码的功能，还有传播木马的隐患。挂机网赚软件挖矿并不是个例，通常这些网赚挂机软件并不会明确告诉用户“我是挖矿软件”，而是像下图这样打着利用闲置计算能力，做分布式计算的幌子挖矿。

网赚软件属于灰色产业，缺乏规范和约束，挖矿只是冰山一角，还有可能潜藏其他木马或后门。用个人电脑挂机网赚的蝇头小利和被偷偷挖矿带来的无法估计的后患相比得不偿失。

网页挖矿，主要是在网页中嵌入挖矿代码，借助浏览器解析页面来执行挖矿计算。

网页挖矿很常用的一种方式是利用一些类似coinhive的项目，不需要向个人电脑释放挖矿软件，只需要在网页中嵌入调用JS接口的代码（如上图）。有用户打开网页时就可以通过浏览器在浏览页面的用户电脑上执行挖矿请求，此时浏览器进程就会占用大量系统资源挖矿，电脑会出现明显卡顿。

这种方式可移植性很强，操作方便，许多不正规的网站或者弹窗广告中都可能隐藏着这些代码。包含挖矿代码的网站借助一些特殊内容吸引眼球，当个人用户主动访问这些网站时就会落入陷阱，防不胜防。

挖矿木马利用中招的个人用户的电脑挖矿，节省了硬件成本和电力支出，几乎是坐着数钱，却给中招的个人用户带来不小的危害。

挖矿木马善于利用各种手段伪装和欺骗，个人电脑不知不觉的就沦为矿机。天上掉馅饼的事多半是陷阱，个人用户如何避免落入挖矿木马的各种陷阱呢？

The Open Web Application Security Project ( OWASP ), is an online community that produces free, publicly-available articles, methodologies, documentation, tools, and technologies in the field of web application security .

Open source components have become an integral part of software development. According to WhiteSource’s Annual State of Vulnerabilities Report , 96.8% of developers rely on open source components. The increasingly widespread use of open source components requires that developers take a more proactive approach to open source security management. They need to make sure throughout the development process that the software products that they are creating and maintaining don’t contain vulnerable components.

In hopes of making working with open source components more secure, the good folks at OWASP have released their OWASP Dependency-Check , a free utility created for developers, that identifies project dependencies and checks if they contain any known, publicly disclosed, open source vulnerabilities.

We’ve taken a look at the OWASP Dependency-Check’s functionality, along with its features and integrations, and I’m here to share what we found.

The OWASP Dependency-Check currently supports five different programming languages. Java and .NET are fully supported and additional experimental support is provided for Ruby, Node.js, and python.

The widespread adoption of open source requires developers concerned with the security of their software projects to integrate open source management tools into the Software Development Lifecycle (SDLC). Dependency-Check enables developers to stay on top of their open source components early in the development process with support for command-line integration. This allows seamless integration with other tools, build systems and APIs, helping developers to detect security vulnerabilities as early on in the CI/CD process as possible, without interfering with development time.

The OWASP’s tool also supports the Jenkins plugin, and can fail the build process, allowing you to make (Read more...)

*** This is a Security Bloggers Network syndicated blog from Blog WhiteSource authored byShiri Ivtsan. Read the original post at: https://resources.whitesourcesoftware.com/blog-whitesource/owasp-dependency-check

Regardless of perimeter and architecture, there are few things more important to a secure posture than protecting admins. This is because a compromised admin account would cause a much greater impact on the organization than a compromised non-privileged user account.

Once you start cataloging all the high-value assets and who can impact them, it quickly becomes clear that we arent just talking about traditional IT admins when we talk about privileged accounts. There are people who manage social media accounts rich with customer data, cloud services admins, and those that manage directories or financial data. All of these user accounts need to be secured (though most organizations start with IT admins first and then progress to others, prioritized based on risk or the ability to secure the account quickly).

Protecting the privileged access lifecycle is also more than just vaulting the credentials. Organizations need to take a complete and thoughtful approach to isolate the organizations systems from risks. It requires changes to:

Securing all aspects of the privileged lifecycle really comes down to the following principles:

Strengthen authentication:

Reduce the attack surface:

To illustrate the importance we place on privileged access controls, Ive included a diagram that shows how Microsoft protects itself. Youll see we have instituted traditional defenses for securing the network, as well as made extensive investments into development security, continuous monitoring, and processes to ensure we are looking at our systems with an attackers eye. You can also see how we place a very high priority on security for privileged users, with extensive training, rigorous processes, separate workstations, as well as strong authentication.

To help our customers get the most protection for their investment of time/resources, we have created prescriptive roadmaps to kickstart your planning. These will help you plan out your initiatives in phases, so you can knock out quick wins first and then incrementally increase your security over time.

Check out the Azure Active Directory (Azure AD) roadmap to plan out protections for the administration of this critical system. We also have an on-premises roadmap focused on Active Directory admins, which Ive included below. Since many organizations run hybrid networks, we will soon merge these two roadmaps.

There are three stages to secure privileged access for an on-premises AD.

Stage 1 of the roadmap is focused on quickly mitigating the most frequently used attack techniques of credential theft and abuse.

1. Separate accounts: This is the first step to mitigate the risk of an internet attack (phishing attacks, web browsing) from impacting administrative privileges.

2 and 3. Unique passwords for workstations and servers: This is a critical containment step to protect against adversaries stealing and re-using password hashes for local admin accounts to gain access to other computers.

4. Privileged access workstations (PAW) stage 1: This reduces internet risks by ensuring that the workstations admins use every day are protected at a very high level.

5. Identity attack detection: Ensures that security operations have visibility into well-known attack techniques on admins.

These capabilities build on the mitigations from the 30-day plan and provide a broader spectrum of mitigations, including increased visibility and control of administrative rights.

1. Require windows Hello for business: Replace hard-to-remember and easy-to-hack passwords with strong, easy-to-use authentication for your admins.

2. PAW stage 2: Requiring separate admin workstations significantly increases the security of the accounts your admins use to do their work. This makes it extremely difficult for adversaries to get access to your admins and is modeled on the systems we use to protect Azure and other sensitive systems at Microsoft (described earlier).

3. Just in time privileges: Lowers the exposure of privileges and increases visibility into privilege use by providing them to admins as they need it. This same principle is applied rigorously to admins of our cloud.

4. Enable credential guard on Windows 10 workstations: This isolates secrets for legacy authentication protocols like Kerberos and NTLM on all Windows 10 user workstations to make it more difficult for attackers to operate there and reach the admins.

5. Leaked credentials 1: This enables you to detect a risk of a leaked password by synchronizing password hashes to Azure AD where it can compare them to known leaked credentials.

6. Lateral movement vulnerability detection: Discover which sensitive accounts in your network are exposed because of their connection to non-sensitive accounts, groups, and machines.

These capabilities build on the mitigations from previous phases and move your defenses into a proactive posture. While there will never be perfect security, this represents the strongest protections against privilege attacks currently known and available today.

1. Review role-based access control: Protect identity and management systems using a set of buffer zones between full control of the environment (Tier 0) and the high-risk workstation assets that attackers frequently compromise.

2. PAW stage 3: Expands your protection by separating internet risks (phishing attacks, web browsing) from all administrative privileges, not just AD admins.

3. Lowersthe attack surface of domain and domain controller: This hardens these sensitive assets to make it difficult for attackers to compromise them with classic attacks like unpatched vulnerabilities and exploiting configuration weaknesses.

4. Leaked credentials 2: This steps up the protection of admin accounts against leaked credentials by forcing a reset of passwords using conditional access and self-service password reset (versus requiring someone to review the leaked credentials reports and manually take action).

Securing your administrative accounts will reduce your risk significantly. Stay tuned for the hybrid roadmap, which will be completed in early 2019.

The post Secure your privileged administrative accounts with a phased roadmap appeared first on Microsoft Secure .

Forces potentially affected DD Perks customers to reset their passwords after learning of unauthorized access to their personal data.

Dunkin' Donuts has alerted DD Perks account holders to a security incident after learning an unauthorized party accessed some of their usernames and passwords, NBC News reports.

DD Perks is a rewards program that lets Dunkin' customers purchase food and beverages for pickup and receive free drinks via rewards points and on their birthdays. On Oct. 31, a security vendor detected a third party accessing users' accounts. It believes these actors stole usernames and passwords from other companies and used them to attempt DD Perks logins.

Information exposed varies from user to user, depending on what was in their accounts. Dunkin' reports third parties may have been able to access first and last names, email addresses (which are used as usernames), the 16-digit DD Perks account numbers, and DD Perks QR codes.

Dunkin' reports its security vendor successfully blocked most of the attempted logins, but it is possible some accounts were accessed. It has launched an internal investigation and forced all potentially affected DD Perks users to reset their passwords and log back in with new ones. It has also taken steps to replace any stored DD Perks cards with new account numbers while retaining the cards' values. Law enforcement is helping identify the parties responsible.

Users are advised to create unique passwords for their DD Perks accounts, as well as all online accounts, and to never use the same password twice.

Read more details here .

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.View Full Bio

WebAssembly, a newer type of “low-level” code that can be run by modern web browsers, is aimed at improving the web experience. The catch: Regular browsers execute such code locally. WebAssembly merely a faster way for web-borne exploits to reach the local browser?

WebAssembly (WASM) is currently supported by major browsers including Firefox, Chrome, WebKit/Safari, and Microsoft Edge. Because the browser is running the WebAssembly code locally, any problems with that code also end up on the user’s machine and potentially pose a threat to the local IT environment.

How does WebAssembly work? WASM is not a high-level language. It is a way for language compilers (like those that read C, C++, and Rust high-level code) to express their assembly-level output in a different format. This output then can be directly executed by the browser.

Source: LogRocket Blog

By itself, WebAssembly code isn’t supposed to be able to do anything. It’s run inside a sandboxed virtual machine. WASM depends on other parts of its surrounding environment (javascript or the browser itself) to actually handle tasks and passes information to these other helpers via an API.

There’s a logic behind this. Javascript (or the browser that can execute WASM code) already has the glue in place to deal with external tasks like writing to a screen. So why not take advantage of what’s already there?

However, WebAssembly was specified to be run in a sandboxed execution environment for safety purposes. WebAssembly will additionally enforce the browser’s same-origin and permissions policies. There was some thought given by the language’s designers to basic security safeguards, especially in how memory is managed.

Yet in spite of the initial consideration, security problems have arisen with WASM. And not surprisingly, they are related to the inherent security weakness of the traditional browser model. WebAssembly code has been found, for example, to be a major component of cryptomining malware designed to hijack local browsers.

WASM has been a boon for cryptominers. The developers of Coinhive (one of the major miners) even stated that “Our miner uses WebAssembly and runs with about 65% of the performance of a native Miner.” They were drawn to WebAssembly for the performance boost it promised in the execution of the malware.

One of the most obvious problems with WebAssembly is that there is not currently a means to do integrity checking on WASM code. This means there is no way to see if the actual code has been changed or altered in some way from a known “good” state before the browser executes it.

The lack of integrity checks would mean that the possibility exists that an attacker could substitute their own WASM code inside of a module that is going to be run by the browser without tripping any alarms. Since the actual code of the module is not directly human-readable, checking integrity would require some sort of pre-processor program to read the code before execution.

So why not add that component, you ask? The simple answer is that the added processing alone might negate any performance benefits in the code execution that WebAssembly promises.

There are more potential problems with WebAssembly. CVE-2018-5093 is one recent example that affects the Firefox browser. This heap buffer overflow vulnerability may occur in WebAssembly during Memory/Table resizing, resulting in a potentially exploitable crash.

Another recent vulnerability (CVE-2018-5094), which also affects the Firefox browser, is similar in nature. A heap buffer overflow vulnerability can occur in WebAssembly when "shrinkElements" is called followed by garbage collection on memory that is now uninitialized.

One more potential problem results from the use of multiple languages that are compiled into WASM code. If a developer cross-compiles an application into WebAssembly, any security problems the original application already has may be transferred as well.

Any exploits in libraries used by the original code will then also be present in the WASM code, where they may be hard to identify. In general, any problem present in the high-level language will also become a problem with WebAssembly.

Where WASM is executed in the local browser, all of these risk factors are entirely out of the user’s and IT admin’s control, leaving them (once again) at the mercy of programmers and their ability to avoid them. However, if the history of the web is any indication, this likely won’t be enough to keep WASM from becoming a raging success.

Because of the inherent security weaknesses of regular browsers, these problems with WASM were entirely predictable. As with Flash and Java in the 1990s, extending the functionality of the traditional browser model to run arbitrary code in this case, WebAssembly once again expands the local attack surface for web-borne exploits.

So should we just throw up our hands and go with the program?

Fortunately, today you have a better way to take advantage of new code like WASM. You can do so without putting your local IT at risk. How about using a cloud browser, which processes all content securely in an isolated environment offsite?

A secure cloud browser completely insulates the local IT infrastructure from the consequences of bad WASM behavior. WASM-enhanced cryptominers won’t get a chance to gobble up local CPU resources.

The cloud browser model helps you regain control on the web. It ensures that web-borne bugs or exploits whether introduced by WASM or any other internet code are isolated and neutered in the cloud. This way, they can never reach the user’s machine and ripple from there through the local network.

Properly coded applications offering WASM must provide an asm.js fallback, which the cloud browser can execute. With a secure cloud browser, you (or your IT admin) don’t have to worry anymore about what could go wrong in the browser with WASM.

Larry Loeb has been online since uucp "bang" addressing (where the world existed relative to !decvax) and served as editor of the Macintosh Exchange on BIX and the VARBusiness Exchange. He wrote for BYTE magazine, was a senior editor for the launch of WebWeek, and authored books on the Secure Electronic Transaction Internet protocol and "Hack Proofing XML" (his latest). Larry currently writes about cybersecurity for Security Now.

The new PureSec protection layer for AWS Lambda is designed to help AWS customers further secure their serverless applications against cyber-attacks with minimal effort and no operational overhead

TEL AVIV, Israel, November 29, 2018 ― PureSec, today launches the world’s first serverless security solution, which is designed to require zero operational overhead by using a new product feature from Amazon Web Services (AWS) Lambda, called ‘AWS Lambda Layers’.

Using the new PureSec layer for AWS Lambda, customers can build and deploy secure serverless applications in a standardized and consistent way, without requiring developers to modify function code, or include any additional components into deployment packages.

The new PureSec layer for AWS Lambda also allows organizations to govern and enforce serverless security best-practices, and to tightly integrate the PureSec serverless security platform into every serverless application, with zero additional operational overhead.

In cloud environments such as AWS, the cloud provider is responsible for protecting the infrastructure that runs all of the cloud services. This infrastructure is composed of the hardware, software, networking and facilities that run cloud services. AWS Lambda takes this protection one layer higher, and also provides security for the operating system and supported languages/runtimes. At the same time, the customer is responsible for securing the application layer, which includes protecting application logic and code, configuration of the different cloud services that the application consumes, and any custom configurations.

“In AWS Lambda, application owners can control their code and configurations, while security for the application layer has to come from within the code itself,” said Ory Segal, CTO and co-founder at PureSec. “Up until today this meant that deployment of a serverless security platform such as PureSec could only be done by involving the development team and having developers embed the PureSec runtime protection into each function.”

Segal also noted that “the PureSec protection layer for AWS Lambda is the outcome of collaborative work with the AWS Lambda team. It represents our unique serverless security vision, to make serverless runtime protection more accessible and easier to consume for all AWS Lambda customers.”

PureSec’s Serverless Security Platform is designed to provide comprehensive end-to-end serverless security for AWS Lambda applications, which includes:

摘要: 国外公司面向消费推出iOS设备解锁服务：一台收费近3万据外媒报道，当地时间11月27日，DriveSavers宣布向消费者推出一项新的服务，即为那些忘记密码、多次输入错误密码后被锁住设备或需要访问已故家庭成员设备的用户解锁iOS设备。DriveSavers表示...

参考来源：

https://www.secrss.com/articles/6718

参考来源：

http://tech.ifeng.com/a/20181127/45238149_0.shtml

参考来源：

http://hackernews.cc/archives/24519

参考来源：

https://www.solidot.org/story?sid=58743

参考来源：

http://tech.huanqiu.com/it/2018-11/13660106.html?agt=61

参考来源：

https://www.easyaq.com/news/2144171509.shtml

参考来源：

http://codesafe.cn/index.php?r=news/detail&id=4590

安全帮，是中国电信北京研究院旗下安全团队，致力于成为“SaaS安全服务领导者”。目前拥有“1+4”产品体系：一个SaaS电商(www.anquanbang.vip) 、四个平台（SDS软件定义安全平台、安全能力开放平台、安全大数据平台、安全态势感知平台）。

相关文章 【安全帮】戴尔宣称发现安全漏洞 已重置所有账户密码；新西兰以国家安全为由禁止使用华为设备 【安全帮】javascript库的维护人员通过植入后门来窃取比特币资产 【安全帮】日媒：两名日本人被控间谍罪 涉嫌窃取中国军事信息 【安全帮】黑客侵入硅谷多名高管手机 从加密货币账户窃走100万美元 【安全帮】北京警方破获首起“盗挖虚拟货币”案：前员工入侵公司数百台电脑挖矿

The certificate expiration period should be kept as short as possible in a public key infrastructure. But the cost of resigning certificates must not be too high. This trade off causes a lot of problems. Every now and then a certificate expires without anybody noticing it or the same certificate is used for 10 years, which is obviously a security risk. In order to avoid this problem you either use Let’s Encrypt or another fully automated certificate management system. If this is not available you must know at least which certificates are going to expire soon.

In my case I had a project with multiple certificate and dynamically built key stores. I had to find the certificates in the project folder structure that expire soon and need to be resigned. In order to automate this process I’ve built the following bash script.

Categories:Scripting