IXUP partners with Servian on encrypted data collaboration service


Data collaboration company, IXUP, has signed a one-year partnership agreement with Australian-based data and analytics consulting firm Servian.

The partnership agreement will deliver Servian access to IXUP’s secure data collaboration platform, with Servian providing IT solutions and consulting services to an extensive array of Australian tier-one and two companies as well as state and federal government institutions.

The two companies say the contract is significant to IXUP’s growth strategy enabling immediate access to Servian’s client base in the data analytics space.

"Helping organisations leverage data for their competitive advantage is core to Servian's mission. Our clients want to access third-party data to optimise their business, improve customer experience and grow their market presence. The IXUP Platform allows us to enhance levels of trust and security when integrating and utilising third-party data," says Servian CEO Tony Nicol.

IXUP CEO Peter Leihn said: “We are excited to announce this partnership with Servian, which demonstrates the momentum we are building in the market. IXUP is focused on enabling superior data analytics and this partnership allows organisations to gain rich insights from their valuable data”.

“We are very pleased that Servian has recognised IXUP as an outstanding solution for achieving its clients’ data exchange needs. We look forward to working with Servian as it takes this service to its clients.”



Bitglass: Securing Smartsheet from Day One


Smartsheet is a software-as-a-service (SaaS) application that gives employees the ability to assign tasks, manage projects, and track their progress. According to Forbes, it is being used by 72 percent of Fortune 500 companies. However, without advanced cloud security solutions, companies put themselves at risk when working with apps like Smartsheet. Fortunately, cloud access security brokers (CASBs) like Bitglass provide organizations with the complete cybersecurity that they need to safely make use of the cloud.

At Bitglass, we began securing Smartsheet on managed and unmanaged devices long before it became a high-profile tool. When we first encountered it (when we were first asked to secure it by a customer), it was still a relatively new application. However, thanks to our any-app capabilities, we were able to give said customer granular control over data within the app in just a few short minutes. Shortly thereafter, we began to secure Smartsheet for other customers who were using the app in a variety of industries.

Bitglass can tokenize and encrypt sensitive field-level data within the spreadsheet apps that organizations need to secure. Through contextual access control, administrators can also create policies that govern access through a variety of factors, including geographical location, user group, access method, device type, time of day, and more.

Our mission, as a leader in the CASB space, is to give companies complete visibility over data, robust identity management, and comprehensive data and threat protection. These four elements are essential to data security and, at Bitglass, are at the top of our priority list. Whether you are working with Smartsheet, something as common as Office 365, or an application that is new and obscure, Bitglass is here to secure your corporate data and protect you from zero-day threats.


Cybersecurity: a cultural issue


By James Taylor, Strategic Development Manager, UK and Ireland, for Nuvias

If only I could manufacture a ‘Security Culture’ solution, package it and market it, I would have the most effective security product on sale today. Engendering a strong awareness and commitment to cybersecurity within an organisation is critical, yet still sadly neglected by many.

Most of my presentations today start with the question “What is the Board’s appetite for resolving your security issues?” This is usually followed up with “What have you done to help yourselves?”

The responses vary, yet it is still surprising just how many boards seem completely unaware of the positive role they could play in encouraging and improving security in their organisations. Allow me to suggest the following: an organisation's security is significantly elevated when a privacy and security culture is present. The advice from all the leading authorities is clear. The National Cyber Security Centre (NCSC), for example, advises a focus on a Risk Management Regime:

‘Assess the risks to your organisation’s information and systems with the same vigour you would for legal, regulatory, financial or operational risks. To achieve this, embed a Risk Management Regime across your organisation, supported by the Board and senior managers’.

I recently attended a privacy and security conference with a deep desire to discover fresh tools and techniques to help organisations reach optimum security levels, yet the two key takeaways from the event were not technology driven. They were the current low level of security culture within organisations, and the importance of trust. It was rather refreshing to find that some of the presenters at the conference are on a similar page to me on how to achieve privacy and security.

Despite the risk management advice above from the NCSC having been available for quite some time, one statistic presented to the privacy and security conference delegates was very interesting. It stated that only just over a quarter of the Top 100 companies in the UK make any mention of privacy and security in their corporate social responsibilities publications. A surprising statistic. The best security advice we can give an organisation is freely achievable yet 75% of companies are not clearly communicating their privacy and security policies internally.

The other key takeaway was trust. The presentation gave some interesting statistics on trust and how consumers react when we trust a brand and what happens when we don’t. Guess what? Predictably, a trustworthy brand makes for a far more positive relationship with its customers. Trust must be earned. We can build trust, we can demonstrate a commitment to trust but the foundation must be an active privacy and security culture.

Whilst GDPR generated a lot of FUD in the security industry, perhaps it is the catalyst to encourage us to get our house in order. By applying some basic principles of security awareness and commitment, we have a golden opportunity to not only improve our security position, but possibly to give ourselves a key market differentiator that consumers will appreciate over the competition.

Now, if only I could bottle that Security Culture! There’s a ready-made market out there.

Weebit Nano appoints 40-year semiconductor veteran for China market push


Australian-listed Israel-based semiconductor company Weebit Nano has appointed Jackson Lam as vice-president Strategic Alliances, China, in an advisory capacity.

Lam, who has almost 40 years of experience in the Chinese semiconductor industry, will be responsible for Weebit Nano’s partnerships in China, including customers, potential industry partners, and investors.

He also spent 15 years with Panasonic in business development, and established an R&D and manufacturing company providing services for many well-known international semiconductor companies. In the past 12 years, Lam has focused on helping Israeli companies set up and expand their business in China.

According to Weebit Nano (ASX: WBT) the Chinese semiconductor industry is growing rapidly ― faster than the rest of the world ― with revenues expected to reach almost US$129 billion by 2021, nearly a third of global revenue.

The Chinese Government recently allocated a 300 billion yuan (US$47.4 billion) fund for development of the industry and this makes China a prime target for semiconductor providers such as Weebit Nano.

“The Chinese market has become very important in the strategic plans of semiconductor companies and represents huge potential for Weebit Nano,” said Coby Hanoch, chief executive of Weebit Nano.

“Jackson has a very deep understanding of the dynamics of this market. His broad experience in helping Israeli companies grow in the Chinese market and connecting them to local investors, is extremely valuable to us.”

“I am very excited to join the Weebit Nano team. Weebit Nano has made rapid progress in developing its ReRAM technology, which I believe has significant potential in China to be of interest to a large number of parties,” said Lam.

“There are many companies and investors looking for good strategic investment opportunities in the semiconductor space, and now is the right time for Weebit Nano to enter this market.”


Marriott hotels hacked, leading to information leak

On November 30, Marriott International stated on its official Weibo account that a guest reservation database of its Starwood hotels had been hacked, and the details of up to 500 million guests may have been leaked.

Marriott said an internal investigation found that since 2014 an attacker had been able to access the guest reservation database of the group's Starwood division. The database contains information on about 500 million guests; for up to 327 million of them the leaked information includes names, mailing addresses, phone numbers, passport numbers, dates of birth, and arrival and departure information.

Marriott International is already facing a consumer class action.

By the close of trading on November 30, US Eastern time, Marriott International's share price had fallen 5.59%. Marriott told The Beijing News that it is still investigating whether the incident affected hotels and customers in China.

The Marriott leak comes only three months after the leak of data on 500 million Huazhu Group users at the end of August. Why do hotel guest data leaks keep making the news? Cybersecurity expert Zhang Baichuan said that many hotels now offer online booking, where security problems are often relatively easy to expose and exploit, yet most hotels lack strong means of defending against attackers.

In the view of Ren Fang, associate professor at Xi'an University of Posts and Telecommunications, when a hotel leaks guest information it is hard to define what degree of leakage counts as illegal and how it should be punished. On the other hand, requiring hotels to improve security calls for specialist technology, complicates management systems and needs specialist technical and management staff, all of which raises hotels' costs, something most operators are unwilling to accept. Legislation in this area will need to be expanded and supervision strengthened.

Li Bin, chief architect of Tencent Security's Yunding Lab, believes that hotels and other travel services such as air transport are strongly interrelated and similar, so security problems may affect and spread to one another; the information security of the whole air travel industry is closely tied to the public's security interests and deserves attention.

1. Why is hotel guest information repeatedly leaked?

Hotels' defences against hackers are mostly rudimentary

Q: Analysis suggests that many hotels now have online booking, where security problems are relatively easy to expose and exploit. In addition, customer data from high-end hotels is more valuable to grey- and black-market operations.

According to Marriott International's statement, since 2014 a third party had unauthorised access to the Starwood network; the third party "had copied and encrypted certain information and taken steps to try to move the information out". On November 19, 2018, Marriott decrypted the information and determined that its contents came from the Starwood guest reservation database.

"This is an APT, an advanced persistent threat attack," Zhang Baichuan told The Beijing News on December 2. "After breaking in, the attacker does not destroy data but stays hidden to obtain more, real-time data and pursue deeper gains."

It is understood that after breaking into a system, an attacker can plant a "backdoor" on the server in order to keep obtaining the latest data.

As for how the attacker initially broke into the Starwood system, Ren Fang believes there are many attack techniques against corporate databases, from simple ones such as weak-password brute forcing and SQL injection to exploiting vulnerabilities in the database itself or even manual theft; the technique differs with the database type and the security of the management system.

In Zhang Baichuan's view, since Marriott's statement gave no further information, it is impossible to know where the intrusion occurred; it may have been the booking system. "Many hotels now have online booking, where security problems are often easy to expose and exploit. As far as I know, most hotels lack strong means of defending against attackers. Some buy traditional firewalls, but a traditional firewall is almost powerless against new types of attack. Web security, email security, database security and WiFi security are all problems."

On the other hand, in contrast to the rudimentary protection of hotel information, hotel customer data is "priceless".

Earlier, the 500 million customer records leaked from Huazhu Group were offered for sale on the dark web as a bundle for 370,000 yuan. Mr Luo, who once worked in real-estate sales, believes hotel customer data is worth far more than that. "On the black market, property owners' phone numbers currently sell for 2,000 yuan per 10,000 records, and this leak contains more information and is more valuable." At its simplest, Mr Luo said, if the leak involves Chinese customers, the data could be filtered for high spenders with addresses in first-tier cities such as Beijing, Shanghai and Guangzhou and traded as "high-end customer" data. Moreover, because hotels hold sensitive information such as room records and home addresses, it could also be used by fraudsters.

Zhang Baichuan said that customers of high-end hotels tend to be "wealthy", so their data is more valuable to grey- and black-market operations.

2. What are the channels for data leaks?

Internal threats, external threats and third-party data processing can all leak information

Q: Li Bin, chief architect of Tencent Security's Yunding Lab, said that threats to data security come not only from external hacking but, more often, from the negligence or deliberate unauthorised access of insiders, and from the interfaces between internal and external business systems.

Li Bin told The Beijing News that, generally speaking, data is at risk of leaking through three channels: external threats, internal threats and third-party data processing.

External threats, Li Bin said, include hacking from the internet and from outside the enterprise. On this path, attacks on data systems mainly exploit data access interfaces and access credentials that developers or operations staff have carelessly exposed to the internet, or exploit application programming flaws such as SQL injection or XSS to bypass database authentication and access information without authorisation.

Internal threats mainly stem from information leaks caused by employees' unintentional or deliberate unauthorised access to data; according to the IBM 2018 Threat Intelligence Index, 60% of the data breaches in 2017 were related to internal causes. Data security attacks originating inside the enterprise fall into two categories. The first is malicious insiders who use legitimate permissions, or illegitimately obtain others' permissions, to access and steal data. In the current economic environment, for high-value corporate data, data theft caused by commercial espionage and "insiders" is becoming more frequent, and strengthening internal security controls deserves attention.

The second category arises from momentary negligence by internal staff: in everyday IT use a business terminal is infected with a trojan, or an internal business system is attacked at close range by hackers through an application vulnerability, and these devices are then used as stepping stones to gain access within the system. With the wide adoption of new technologies such as mobile working and wireless networks, the physical security perimeter of the traditional enterprise is no longer reliable, and access originating from the inside is not necessarily safe either; the security of intranet systems and user terminals must be considered, and the access behaviour of users and of key data needs continuous monitoring.

Another channel worth noting is data exchange and outsourcing with third parties. Many enterprises now outsource data processing or exchange data through business connections. Lax security measures during data exchange and processing with third parties can be an important direct or indirect leakage channel; the leak of 50 million Facebook users' data in early 2018 is a typical case caused by third-party data processing.

For database protection in the hotel industry, Li Bin believes that at the enterprise level, sound data security requires at minimum identifying key data, classifying and grading it, clearly understanding the key data within the enterprise and its value, knowing the data's location, boundaries and relationships, and formulating targeted protection strategies; as well as continuous monitoring and proactive discovery, continuously monitoring anomalous access to the network perimeter, business terminals and databases and analysing and handling it promptly. In addition, security controls must be applied both externally and internally, and key data must be protected.

3. Should hotels be held responsible for leaking guest information?

Accountability for hotel data leaks in China is lacking

Q: Lawyers hold that if a hotel leaks guest information, the hotel should be held responsible. But experts believe that current legal provisions are not enough to make hotel managers take information security protection seriously; legislation needs to be expanded and supervision strengthened.

Lawyer Yang Jixian believes that if a hotel leaks guest information, the hotel should be held responsible, because it has an obligation to safeguard guests' information.

Yang Jixian said that under the Consumer Rights Protection Law, a guest forms a contractual relationship with the hotel on checking in and providing personal information. On the surface the guest simply pays and the hotel provides accommodation, but the contract also carries implied terms, including that the private information the guest provides should be protected by the hotel. If an information leak causes the consumer a loss, the hotel bears civil liability for compensation.

The Ministry of Public Security's Regulations on the Public Security Administration of the Hotel Industry also set out detailed rules on guest check-in, surveillance and information security. They explicitly state that hotels and their staff may not provide information about guests or video surveillance material to any unit or individual, and that any provision of guest-related information to relevant departments, units or individuals must be recorded.

But in Ren Fang's view, current legal provisions are not enough to make hotel managers take information security protection seriously.

"At present, domestic laws and regulations do not punish hotels heavily for leaking guest information; I have not heard of any hotel or service company being severely penalised for this," Ren Fang said. "Information security problems have erupted in a concentrated way in the last few years and no one was prepared; everyone working in the service industry should raise their security awareness, but they often fail to."

Ren Fang believes that requiring hotels to improve security calls for specialist technology, complicates management systems and needs specialist technical and management staff, all of which raises hotels' costs, something most operators are unwilling to accept. Legislation in this area will need to be expanded and supervision strengthened.

Soon after the Marriott breach became public on November 30, litigation groups such as Murphy filed a class action against Marriott International on behalf of consumers. The suit alleges that Marriott was negligent in handling customer data and "waited too long to notify them". It argues that the one year of credit monitoring Marriott offered is insufficient because it cannot protect guests' personal information from long-term threats.

Jin Zegang, professor of law at Tongji University, notes that in the United States, when misconduct by a large company causes losses to the public, law firms proactively contact the victims and file class actions, and victims need only sign an authorisation. This is worth learning from. At present, if a large leak of guest information occurred in China, it is unclear how victims could seek redress or how lawyers could get involved. This has been borne out by the markedly different attitudes some foreign companies have taken towards Chinese and foreign consumers after incidents that harmed consumers' interests. Given this, how to use consumer litigation as a check on such conduct needs further exploration.

The Beijing News reporters Luo Yidan, Zhang Zeyan, Bai Jinlei

(Editor in charge: Zhang Yang HN080)

Application security: web attack techniques and defences, the network layer and other weaknesses

Common attacks such as XSS, SQL injection and CSRF, and their defences, target the code or the system itself. There are also attacks that take place at the network layer, and some latent weaknesses, which are summarised here as well.

DoS/DDoS attacks

A DoS attack is not an attack on the DOS operating system, nor an attack carried out through DOS.

DoS stands for Denial of Service. Its main aim is to exhaust the target's hardware or network bandwidth so the server can no longer provide normal service. A DDoS attack is a Distributed Denial of Service attack, in which the attacker uses the resources of many servers to attack a single target server so that it quickly collapses.

Whether DoS or DDoS, the essence is the same: consume the target server's resources by whatever means, so that it is paralysed and cannot serve users.

Rented server resources from providers such as Alibaba Cloud generally come with a web application firewall that can block DoS attacks; if you run your own servers, professional operations staff need to configure them to resist DoS attacks.

DNS attacks

DNS attacks include DNS hijacking and DNS poisoning.

DNS hijacking means gaining control of a DNS server by some means, tampering with a domain's real resolution result and returning the attacker's IP address, so that the user lands on the attacker's page. When our broadband is about to expire or there is some promotion, the telecom operator pops up a marketing page telling us so; that is the ISP's DNS hijacking at work. Locally, we also often edit the hosts file for development testing and integration, or to reach sites we otherwise cannot.

To prevent DNS hijacking you can use a well-known foreign DNS server such as Google's 8.8.8.8, or prepare two domains so that if one is hijacked, users are directed to the other.

DNS poisoning occurs in the very first step, before the DNS resolution request is answered: it interferes directly with the request at the protocol level. Because DNS queries use the unreliable, connectionless UDP protocol and are not authenticated, they are easy to tamper with, so an attacker who monitors DNS queries on UDP port 53 can return a false resolution result to the user. That is DNS poisoning.

DNS poisoning can be countered by running your own DNS server and using encrypted DNS over TCP, though latency may be higher.

Error messages

This was covered in the section on SQL injection defences: do not output database table names or key code information to the user's browser. It is not described further here.

Comments in web pages

For convenience during development or integration we often leave comments in code, and some may contain important information that gives an attacker an opening. Make a habit of promptly deleting sensitive comments, or review the code once development is complete.

File upload

Most websites have a file upload feature; a recruitment site, for example, accepts user avatars and resume attachments. If an attacker uploads an .exe executable to the server, that program may well take control of the server, or use it to attack other internal servers indirectly, with very serious consequences.

So restrict the file types users may upload: an avatar must be an image format such as JPG. Store files separately, which both improves performance and means that even if an attacker compromises the file server they cannot necessarily reach other servers. Also rename files on storage; file transfers between QQ clients, for example, append a ".重命名" ("rename") suffix to the file name precisely to stop users from clicking on an .exe and triggering a virus.
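As an added example (not code from the original article), a Python upload handler that applies the three rules above: allow-listed image types verified by content rather than by the client's file name, storage under a random server-chosen name, and a storage directory outside the web root. The function and constant names are the example's own, and the sample uploads are constructed.

```python
"""Added example: server-side handling of an avatar upload following the
three rules in the article. Names such as store_upload are the example's own."""
import pathlib
import secrets
import tempfile

# Allowed image formats, recognised by their leading bytes rather than by the
# file name the client supplies (a client can call anything "photo.jpg").
IMAGE_SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

MAX_AVATAR_BYTES = 2 * 1024 * 1024


def sniff_image_type(data: bytes):
    """Return the extension for a recognised image signature, else None."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def store_upload(data: bytes, client_filename: str, upload_dir: pathlib.Path) -> pathlib.Path:
    """Validate an upload and write it under a random server-chosen name.

    upload_dir is meant to be a directory outside the web root (or on a
    dedicated file server), so a stored file is never served as code.
    Raises ValueError for anything that is not an allowed image.
    """
    if len(data) > MAX_AVATAR_BYTES:
        raise ValueError(f"rejected {client_filename!r}: {len(data)} bytes exceeds limit")
    ext = sniff_image_type(data)
    if ext is None:
        raise ValueError(f"rejected {client_filename!r}: content is not an allowed image")
    # The client name is discarded entirely: a random name with a server-chosen
    # extension defeats double extensions ("cv.jpg.exe"), path tricks ("../x")
    # and any later attempt to request the file as an executable.
    dest = pathlib.Path(upload_dir) / f"{secrets.token_hex(16)}.{ext}"
    dest.write_bytes(data)
    return dest


def demo() -> dict:
    """Run constructed uploads through store_upload; returns the outcome per case."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cases = {
            # constructed: a real PNG header followed by filler, misnamed as .jpg
            "png_named_jpg": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 32, "me.jpg"),
            # constructed: a Windows PE header disguised with an image name
            "exe_named_jpg": (b"MZ\x90\x00" + b"\x00" * 60, "avatar.jpg"),
            # constructed: plain text pretending to be a resume image
            "text_named_png": (b"plain text, not an image", "resume.png"),
        }
        for label, (data, name) in cases.items():
            try:
                # the stored extension comes from the sniffed type, not the name
                results[label] = store_upload(data, name, pathlib.Path(tmp)).suffix
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())  # {'png_named_jpg': '.png', 'exe_named_jpg': 'rejected', 'text_named_png': 'rejected'}
```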

The mathematics behind RSA

RSA is certainly familiar to everyone: we use it often in development and often hear colleagues mention it.

Prelude: symmetric encryption

Long ago, people already understood the technique of encryption. In wartime, spies carried a ciphertext and a key to pass on information. This simple ciphertext + key scheme is symmetric encryption.

Encrypt: plaintext + key

Decrypt: ciphertext + key

Asymmetric encryption

Because this form of encryption is too simple, mathematical algorithms were later introduced. RSA is built from a particular mathematical algorithm and is an asymmetric encryption algorithm. Asymmetric encryption needs two keys: a public key and a private key.

Encrypt with the public key, decrypt with the private key

Encrypt with the private key, decrypt with the public key

Relevant mathematical principles

Euler's theorem: if two positive integers $m$ and $n$ are coprime, then $m^{\varphi(n)} - 1$ is divisible by $n$.

Several cases follow.

Theorem 0: An arithmetic function $f$ is called multiplicative if $f(mn) = f(m)f(n)$ for any two coprime positive integers $m$ and $n$. If $f(mn) = f(m)f(n)$ holds for any two positive integers $m$ and $n$, it is called completely multiplicative.

Theorem 1: For a prime $p$, $\varphi(p) = p - 1$.

Theorem 2: $\varphi(p^n) = p^n - p^{n-1}$, because the only numbers not coprime to the prime power $p^n$ are the multiples of $p$, of which there are $p^n / p = p^{n-1}$.

Theorem 3: If $m$ and $n$ are coprime, $\varphi(mn) = \varphi(m)\varphi(n)$, so the Euler function is multiplicative. Because $m$ and $n$ are coprime, a number coprime to $m$ multiplied by a number coprime to $n$ is coprime to $mn$.

Theorem 4: Let $n = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}$ be the prime-power factorisation of the positive integer $n$. Then $\varphi(n) = n(1 - 1/p_1)(1 - 1/p_2)\cdots(1 - 1/p_k)$. By Theorem 2, $\varphi(p^n) = p^n - p^{n-1} = p^n(1 - 1/p)$, and by Theorem 3, $\varphi(n) = p_1^{a_1} p_2^{a_2} \cdots p_k^{a_k}(1 - 1/p_1)(1 - 1/p_2)\cdots(1 - 1/p_k) = n(1 - 1/p_1)(1 - 1/p_2)\cdots(1 - 1/p_k)$.

For example: $\varphi(8) = \varphi(2^3) = 2^3 - 2^{3-1} = 8 - 4 = 4$, and $\varphi(15) = \varphi(3)\varphi(5) = 2 \cdot 4 = 8$.

Fermat's little theorem: a special case of Euler's theorem. If two positive integers $m$ and $n$ are coprime and $n$ is prime, then $\varphi(n) = n - 1$.

Modular inverse

If two positive integers $e$ and $x$ are coprime, then an integer $d$ can always be found such that $ed - 1$ is divisible by $x$. Then $d$ is the modular inverse of $e$ with respect to $x$.

Diffie-Hellman key exchange principle

Then, through a series of mathematical transformations, the RSA algorithm is obtained.

Public key: $e$ and $n$. Private key: $d$ and $n$. Plaintext: $m$. Ciphertext: $c$.
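As an added example (not part of the original post), the number theory above carried through in code with small textbook primes: $\varphi(n)$ computed by the product formula of Theorem 4, $d$ found as the modular inverse of $e$, Euler's theorem checked directly, and the standard RSA exponentiation $c = m^e \bmod n$, $m = c^d \bmod n$, which the post's image omitted. Function names are the example's own.

```python
"""Added example: the post's number theory with small numbers.
phi() implements Theorem 4, mod_inverse() finds the modular inverse d of e,
and rsa_keypair() assembles (e, n) and (d, n) as the post lists them."""
from math import gcd


def phi(n: int) -> int:
    """Euler's totient by trial-division factorisation: n * prod(1 - 1/p)."""
    result, rest, p = n, n, 2
    while p * p <= rest:
        if rest % p == 0:
            while rest % p == 0:
                rest //= p
            result -= result // p          # multiply by (1 - 1/p) exactly in integers
        p += 1
    if rest > 1:                           # leftover prime factor
        result -= result // rest
    return result


def euler_holds(m: int, n: int) -> bool:
    """Euler's theorem: gcd(m, n) == 1 implies m^phi(n) ≡ 1 (mod n)."""
    return gcd(m, n) == 1 and pow(m, phi(n), n) == 1


def mod_inverse(e: int, x: int) -> int:
    """Return d with e*d ≡ 1 (mod x) via the extended Euclidean algorithm."""
    old_r, r = e, x
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and x are not coprime, so no modular inverse exists")
    return old_s % x


def rsa_keypair(p: int, q: int, e: int = 17):
    """Toy RSA key generation (primes this small are for illustration only)."""
    n = p * q
    t = (p - 1) * (q - 1)                  # phi(n) for n = p*q, by Theorems 1 and 3
    assert t == phi(n)
    d = mod_inverse(e, t)
    return (e, n), (d, n)


def rsa_apply(x: int, key) -> int:
    """c = m^e mod n with the public key, or m = c^d mod n with the private key."""
    exp, n = key
    return pow(x, exp, n)


if __name__ == "__main__":
    pub, priv = rsa_keypair(61, 53)        # n = 3233, phi(n) = 3120, d = 2753
    c = rsa_apply(65, pub)                 # 2790
    print(pub, priv, c, rsa_apply(c, priv))
```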

CSRF, XSS and SQL injection: principles and countermeasures

Definition

CSRF (Cross-site request forgery), also known as "One Click Attack" or Session Riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different: XSS exploits the trusted users within a site, whereas CSRF exploits a trusted website by forging a request that appears to come from a trusted user. Compared with XSS, CSRF attacks are less widespread (so resources for defending against them are rather scarce) and harder to prevent, and so are considered more dangerous than XSS.

Scenario: a owes b 1000 yuan and transfers it through the bank. a's browser performs:

http://www.bank.com/transfer.php?from=a&money=1000&to=b

Now c wants to attack a, and issues the following request:

http://www.bank.com/transfer.php?from=Alice&money=9999&to=Cathy

Of course this fails: the browser remembers a's session_id, and the session_id that c's browser sends in its cookie is not a's. So c thinks of another way and writes a web page, reachable at www.c.com/choujiang.p… , that lures a with a prize draw. The code of choujiang.php is:

```html
<html>
<body>
<form method="get" action="http://www.bank.com/transfer.php">
<input type="hidden" name="from" value="a">
<input type="hidden" name="money" value="1000">
<input type="hidden" name="to" value="c">
<input type="button" onclick="submit()" value="活动抽奖">
</form>
</body>
</html>
```

As soon as a visits http://www.c.com/choujiang.php, a prize-draw button appears in a's own browser. If a has just finished transferring money to b and then clicks this button, a's browser effectively issues:

http://www.bank.com/transfer.php?from=a&money=1000&to=c

The bank's back end identifies from the HTTP cookie that it really is a transferring to c, a legitimate operation. But a knows nothing about it.

XSS (divided into reflected XSS and stored XSS)

Definition

XSS stands for cross-site scripting. To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS. XSS is a computer security vulnerability in web applications that allows a malicious web user to plant code into pages served to other users.

Scenario

Reflected XSS. Sending a message normally:

http://www.test.com/message.php?send=Hello

The recipient receives the message and sees Hello. Sending a message abnormally:

http://www.test.com/message.php?send=<script>alert('foolish!')</script>

Now a "foolish" alert pops up in the recipient's window. This is only a simple example; in practice XSS attacks can be far more elaborate, and stealing users' account credentials is commonplace.

Stored XSS. Enter "you are foolish!" in an input box, and the input to be sent in the form becomes:

```html
<input type="text" name="content" value="you are foolish!">
```

Without any filtering this is stored in the database as normal data, and when the data is read back out and used, the "you are foolish" alert appears.

SQL injection

Definition

SQL injection means inserting SQL commands into a web form submission, an input field name or a page request's query string so as to trick the server into executing malicious SQL commands. Specifically, it is the ability to inject (malicious) SQL commands into the back-end database engine through an existing application: by entering (malicious) SQL statements in a web form, an attacker can obtain the database of a vulnerable website, rather than having the SQL statements execute as the designer intended. For instance, many earlier leaks of VIP member passwords from video sites were mostly obtained by submitting query strings through web forms; such forms are particularly susceptible to SQL injection.

Scenario. Essentially the same as the stored XSS example. Suppose the PHP login code is:

```php
$sql = "select * from user where username = 'a' and pwd = md5(123456)";
```

and the user enters ' or 1 = 1# in the password box on the front end. The SQL statement becomes:

```php
$sql = "select * from user where username = '' or 1 = 1#' and pwd = md5(123456)";
```

In SQL, # begins a comment, so the SQL after it is not executed. Thus the query that runs is:

```sql
select * from user where username = '' or 1 = 1
```

and the login succeeds.
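As an added example (not code from the original post), the three attacks above against a tiny sqlite3 model of the bank and login app, each beside its fix: the string-built login query next to the parameterised one, HTML escaping for the message.php payload, and a per-session token check for the transfer form. sqlite3 has no md5() and uses `--` rather than `#` for line comments, so the post's payload is adapted accordingly; function names are the example's own.

```python
"""Added example: the post's three attacks against a tiny sqlite3 model of the
bank/login app, each beside its fix. Function names are the example's own."""
import hashlib
import hmac
import html
import secrets
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the post's user table, with user 'a' / 123456."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table user (username text, pwd text)")
    # md5 mirrors the post's md5(123456); a real system uses a slow password hash
    conn.execute("insert into user values (?, ?)",
                 ("a", hashlib.md5(b"123456").hexdigest()))
    return conn


def login_vulnerable(conn, username: str, password: str) -> bool:
    """The post's pattern: user input spliced into the SQL string."""
    pwd = hashlib.md5(password.encode()).hexdigest()
    sql = f"select * from user where username = '{username}' and pwd = '{pwd}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    """Parameterised query: the driver sends values separately from the SQL text,
    so a quote or comment marker in the input can never change the statement."""
    pwd = hashlib.md5(password.encode()).hexdigest()
    row = conn.execute("select * from user where username = ? and pwd = ?",
                       (username, pwd)).fetchone()
    return row is not None


def render_message(msg: str) -> str:
    """Fix for the message.php example: escape before embedding in HTML so a
    <script> in ?send= is displayed as text instead of executed."""
    return f"<p>{html.escape(msg, quote=True)}</p>"


def new_csrf_token() -> str:
    """Per-session secret the bank would embed in its own transfer form."""
    return secrets.token_urlsafe(32)


def csrf_ok(session_token: str, submitted_token: str) -> bool:
    """c's choujiang.php cannot read a's session token, so its forged form
    fails this check even though a's cookie is sent along with the request."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


if __name__ == "__main__":
    db = make_db()
    payload = "' or 1 = 1 -- "                 # the post's ' or 1 = 1# in sqlite syntax
    print(login_vulnerable(db, payload, "x"))  # True: the comment swallows the pwd check
    print(login_safe(db, payload, "x"))        # False
    print(render_message("<script>alert('foolish!')</script>"))
```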

Struts2 website vulnerability fixes in detail, with remediation plans

Since Struts2 was developed, many internet companies and platforms have used Apache Struts2 to build websites and application systems. Because of its wide use in recent years, attackers have discovered more and more Struts2 vulnerabilities, from the earliest S2-001 to the latest S2-057. This article focuses on the details of Struts2 vulnerabilities and how to fix them.

Starting from the first: S2-001 affects Struts 2.0.0 to 2.0.8. This earliest vulnerability was very basic; at the time Apache had no security mechanism in place, so submitted parameters were immediately evaluated recursively, allowing malicious parameters to be inserted for SQL injection.

The fix for S2-001 was to disable Struts2's default altSyntax feature and perform the recursive evaluation another way. altSyntax had to be disabled because the feature's tags automatically parse expressions; with it off, malicious parameters are no longer parsed.

S2-003 failed to filter malicious parameters, allowing parameter injection; it affects Struts 2.0.0 to 2.0.11.2. This version added a security interceptor that checked parameters for keywords in transit and filtered out some illegitimately injected parameters, but Apache did not filter submissions in special encodings, so forged encodings allowed SQL injection. The fix filtered encoded injection in detail and used regular expressions to filter out illegitimate injected parameters.

S2-005 has roughly the same cause as S2-003: malicious parameters were carried in as parameter values, allowing remote code injection and execution through OGNL parsing. The fix was to set the system parameter denyMethodExecution to off and upgrade the parameter interception filter with a stricter regular expression.

S2-007, S2-008 and S2-009 require devMode to be enabled; injection flaws existed while debugging code, and even single quotes were not restricted, so they could be submitted to the back end for escaping, causing escape-based injection in variables. S2-009 is also an injection attack through POST parameters; unlike the parameter injection of S2-005 and S2-003, the values inside the parameters were not filtered for safety, allowing malicious parameters to be inserted for SQL injection. Likewise, the official fix upgraded the filtering system to strictly apply regular expressions to parameters that could lead to injection.

S2-012 arose because the default Apache configuration file struts.xml set up a redirect for the default object, and parsing expressions during that redirect produced a remote code execution vulnerability. The official fix added security filtering to expression parsing.

S2-013 stems from tag attributes: expressions could be executed inside tag parameters, letting URL parameter values carry expressions. The fix was simple: the tag attribute was removed. S2-015 arose from arbitrary wildcard mappings in the system configuration, which led to double evaluation of OGNL expressions and remote code execution. The system did not allow-list website URLs, so special characters such as exclamation marks and percent signs could be submitted directly, causing remote execution of malicious code. The fix added security checks to the DefaultActionMapper class to filter out illegitimate injected code.

If you do not understand your website's vulnerabilities, we recommend having a website security company fix them, remove trojans and backdoors, and harden the site against intrusion; domestic website security companies such as SINE Security, NSFOCUS and Venustech are fairly professional.

The above covers the causes and fixes of S2-001 through S2-015. Owing to length limits, the other Struts2 vulnerabilities will be covered in the next article.

Focus on web and mobile security [Hongri Security, issue 30]

Penetration testing, web security news

- Security articles

- Security vulnerabilities

- Mobile security

- Code auditing

Tags: security news, security skills, resources and tool sharing

Security news

[Security_week] Daily security news digest (03-02) -- Tencent Xuanwu Lab

https://mp.weixin.qq.com/s/1iSUSofBZsG2mopjLYg4Ow

[Security_week] Latest CNNVD vulnerabilities (03-02) -- CNNVD security news

https://mp.weixin.qq.com/s/WmL5n33VTxkt1emK2Oxi4A

[Security_week] Daily offence and defence news roundup (03-02) -- Topsec Alpha Lab

https://mp.weixin.qq.com/s/zw28b5AzhljTnEedBnPMYw

[Security_week] Key news of the week in the MIIT domain (26 February - 4 March) -- MIIT news bulletin

https://mp.weixin.qq.com/s/YKyt5N1SG1k5zfZRh2E1zQ

[Security_week] Zheng'an information security news broadcast, 2018 issue 8 -- Zheng'an Information Security Research Centre

https://mp.weixin.qq.com/s/nybyb7zMMgD0oiYZq9QV1w

[Security_week] 20180303 - today's cyber security hotspots -- Security Dictionary

https://mp.weixin.qq.com/s/WZoo3E8SYDnMkBGRYQlOrg

[Security_week] GlobeImposter ransomware technical analysis report

https://mp.weixin.qq.com/s/83LzZOInKHX3bYEUIirtKw

[Security_week] Apple warns users to beware of phishing emails; GitHub hit by its most severe DDoS attack

https://mp.weixin.qq.com/s/4LZWnpL9uuwN4aCVEOtNdw

[Security_week] Research on the state of fintech development in China in 2018, with Aicai Group as an example

https://mp.weixin.qq.com/s/Tn11KY4KsIGzOH5j5oqNWg

[Security_week] Foreign media: how North Korea became a hacking superpower

https://mp.weixin.qq.com/s/0tCL0FJCVOLQJ0Uq9PGfqg

[Security_week] German foreign and interior ministries breached by APT28

https://mp.weixin.qq.com/s/0_XLx0RtJNYHhGv43XQ-1Q

[Security_week] Remote code injection vulnerability in Adobe Acrobat Reader

https://mp.weixin.qq.com/s/i_tuDQ8kw4Nwm_26qMkswg

[Security_week] GitHub suffers the largest DDoS attack in history at 1.35 Tbps

https://mp.weixin.qq.com/s/pNWF1PNmW6Le_179xFJoUQ

[Security_week] Revisiting intrusion detection systems: outdated but indispensable

https://mp.weixin.qq.com/s/KaOdqIgjaEPO3jDGGVsu9Q

[Security_week] Hackers breach the intranet of India's state-owned telecom operator; personal data of 47,000 employees freely browsable

https://mp.weixin.qq.com/s/3_xSCJEsDf8qunLzBoCq0Q

[Security_week] Understand Bitcoin in ten minutes: Silicon Valley Insider brings the strongest voice on blockchain

https://mp.weixin.qq.com/s/WYepZUFQ3JxTzKDjE0tVOg

[Security_week] Blockchain's sleepless moments at the Two Sessions

https://mp.weixin.qq.com/s/-i9077FibVNpxGPDT6A5Xg

[Security_week] New 4G vulnerabilities discovered: user information and location can be stolen, and even fake alerts sent

https://mp.weixin.qq.com/s/zfK2MIP2vKNPcWbxtQaNCg

[Security_week] Interpretation: the guiding significance of the Cybersecurity Law for personal information protection | Qi'an low-key sharing

https://mp.weixin.qq.com/s/-Df0oYyt8oXmDQN_EpVdIA

Security skills

[Security_technology] Cracking image steganography and extending the approach: webug range practice

https://mp.weixin.qq.com/s/VWltD-X3O0kuTp2X-grKIA

[Security_technology] The FineCMS vulnerability: not only a pretty face, but an interesting soul

https://mp.weixin.qq.com/s/myNm8OOC020iDyx1O6tD7w

[Security_technology] Router attacks: from sniffing PPPoE to covert backdoors

https://mp.weixin.qq.com/s/Dy2mbfMiCXbU9aSLQ3PrAA

[Security_technology] Some small tricks for SQL injection bypass

https://mp.weixin.qq.com/s/fSBZPkO0-HNYfLgmYWJKCg

[Security_technology] Tutorial on the social-engineering password dictionary generators Cupp and Cewl on Kali Linux

https://mp.weixin.qq.com/s/fqQX9MPayNg3XUQp-a2f1A

[Security_technology] What to do when sqlmap gets your IP banned

https://mp.weixin.qq.com/s/JDUYCy18-KPaLr8lZdcBfg

[Security_technology] Musings on front-end attacks in the blockchain ecosystem

https://mp.weixin.qq.com/s/d_4gUc3Ay_He4fintNXw6Q

[Security_technology] Android physical key monitoring and malicious code analysis

https://mp.weixin.qq.com/s/rSYXqJzgPYWwP30wYTnKcg

[Security_technology] Web penetration case study: the Ke City Education Bureau's municipal OA system

https://mp.weixin.qq.com/s/OcC9dY62bUVrexAp7lms-A

[Security_technology] Using Python and Tesseract to recognise graphical CAPTCHAs

https://mp.weixin.qq.com/s/OmYdGaLDwvZ0iOJ9sbUskA

Tools and resources

[Security_tools] Gryffin - network security scanning platform

https://mp.weixin.qq.com/s/0o6HZ0LsZwYaj0bcVTvlkQ

[Security_tools] DVHMA, an Android pentesting tool: a deliberately vulnerable hybrid app

https://mp.weixin.qq.com/s/3gGM0O9j6N_zK9IinUu3DA

[Security_tools] Customising nmap, the eye of the gods: introductory part

https://mp.weixin.qq.com/s/VkltDc3yip-Lvc1-QfnuiA

[Security_tools] shellter - backdoor binding tool

https://mp.weixin.qq.com/s/SPu6BN6shjdzkVsK-CjHbw

[Security_tools] Sharing some information-security PDF books collected by the editor

https://mp.weixin.qq.com/s/XebHMnAQTp8nU3KUMW4RLw

[Security_tools] Introduction to five major open-source OSINT tools

https://mp.weixin.qq.com/s/IpAJ9ZT5v2FV_7dGie_1lQ

[Security_tools] Exe2Image: a small tool for converting EXE to JPEG; ESD: a subdomain scanning tool

https://mp.weixin.qq.com/s/4EvFtOuN8EN5SJciverkaQ

[Security_tools] Injectify: a tool for performing MiTM attacks

https://mp.weixin.qq.com/s/t8-EglLZwpKno8goS1s9gw

[Security_tools] Tunna: a handy tool that tunnels any TCP communication over HTTP

https://mp.weixin.qq.com/s/0k8gKO6Rjq8PtRt56Shcbg

[Security_tools] Sn1per - automated penetration scanning tool

https://mp.weixin.qq.com/s/F2gQmeKiAvuJ7tYcRIlz0A

[Security_tools] A study list for blockchain talent whose monthly salary soars to 100k

https://mp.weixin.qq.com/s/ahtG9ZH76sqgrsNzbuL0FQ

[Security_tools] Crawler basics [web vulnerability scanner]

https://mp.weixin.qq.com/s/VGOfZoDxCNd2HB3tJ1rDxA

[Security_tools] Droopescan - a plugin-based CMS security scanner

https://mp.weixin.qq.com/s/tdbmJ4__L150Ss68LB_6wQ

[Security_tools] Harpoon: a practical threat intelligence tool

https://mp.weixin.qq.com/s/bipLZBp4I8NUHzrLK32yZA

How Malware Can Easily Defeat Apple’s macOS Security


It was once a widely held belief among Apple enthusiasts that macOS (or OS X as it was then known) was a far more secure system than its Windows or Linux counterparts. Malware outbreaks were rarely heard of, and most legacy AV solutions were known more for their high rate of false positives and greedy consumption of resources than for preventing any real adversaries. Asked "do you really need antivirus software for macOS?", about the only reason Mac users would say "yes" would be to catch Windows-based malware in email attachments. Why? In the words of this forum poster, as a public service to the unfortunate!

macOS Security By Design?

All that began to change from 2011 onwards, a fact reflected by Apple’s increasing hardening of the OS. In every release of macOS since then, we’ve seen the introduction of more security technologies and a locking down of the system: Gatekeeper, codesigning, Xprotect, Malware Removal Tools and more. With the release of macOS Mojave this year, Apple once again introduced new security features in response to the evolving threatscape facing the platform, restricting Apple Events and hardening user data protections .

Apple, of course, should be commended for taking security seriously, something even they are aware that their users often do not. Apple says that macOS “provides security by design” and

includes the key security technologies that an IT professional needs to protect corporate data and integrate within secure enterprise networking environments

The company are proud of their security posture, and are keen for customers to feel reassured that safety is a top concern:

macOS system security is designed so that both software and hardware are secure across all core components of every Mac. This architecture is central to security in macOS, and never gets in the way of device usability.

Fantastic. It’s just what you want to hear from your OS vendor.

Except, it’s all a bit of a myth.

As it turns out, malware can easily defeat macOS security protections. Let’s take a quick look at the main reasons why relying solely on Apple’s built-in protections is dangerous for your business.

Application Security

You’ve probably got Gatekeeper turned on even if you don’t know it. It comes enabled by default to allow you to download and run applications that are either from Apple’s App Store or Identified Developers (in other words, developers who are part of Apple’s Developer program).

Gatekeeper is great, except for one thing: it only protects one gate, downloads that come in through GUI apps like Safari, Mail and so on. But there are a few other gates that malware can use that Gatekeeper is blind to, like curl, ssh, and package managers such as brew. Download something through these channels, and Gatekeeper will never know. Note line 13 in this typical adware installer script, which bypasses Gatekeeper with ease:


You have likely heard of XProtect, and some may think that XProtect will plug the holes left open by Gatekeeper, but that’s not the case. XProtect relies on Gatekeeper to tag downloads with a special attribute or “quarantine bit” which effectively says to XProtect: “be sure to check this against your malware signatures”. Without that attribute, XProtect doesn’t kick in. What’s worse, even software that is tagged with this special quarantine bit can be unquarantined by any other process without elevated permissions. In short, one piece of malware can let in any other piece of malware, too. Even if Apple have revoked a rogue Developer ID, such as occurs when malware strikes from the App Store , removing the quarantine bit will still allow that malware to run.

And then there's the paucity of XProtect's "Yara" based rules. At last count, XProtect had fewer than 100 malware signatures. Although there was a minor bump in October of 2018, it hasn't had a significant update since March 2018.


There’s also the transparency of XProtect’s “Yara” based rules. Any malware author can see exactly how Apple are detecting their binary and change it accordingly, so the rules can become invalid as soon as they are pushed out to users.


There’s a third level of App Security built-in to macOS that is not so widely known called MRT, the Malware Removal Tool. According to Apple, in the event that malware should

make its way onto a Mac, macOS also includes technology to remediate infections

But there are two problems with Apple's malware removal tool which mean malware has little to fear from it: first, it is based on hard-coded paths, and most malware uses random or changing path names; second, it only runs once per boot.

By that time, a malware infection may have come and gone, taking your data with it, or encrypting it and leaving you a nice ransom note .

Access Control

Central to access control on modern Macs is System Integrity Protection or “SIP”, aka “rootless”, which prevents malware from attacking system files. SIP is enabled by default, and it means that even the root user cannot modify or delete any files under its protection. In macOS Mojave, SIP can even be extended to 3rd party apps if they opt-in to the new hardened runtime.

SIP is an essential technology, but SIP bypasses are not unknown. It’s also worth noting that if you have legacy AV software that simply whitelists everything in the /System/Library folder, you could be in for a shock, since not everything in there is actually protected by SIP. The following are all excluded from “rootless” protection:



Another core aspect of access control is kernel security. As Apple have themselves noted, kernel security is essential to the security of the entire operating system. Unfortunately, their recognition of that is undermined by the fact that any unprivileged user can approve installing new kernel extensions. Combined with security holes that allow processes to simulate user clicks, therein lies an open door for malware. Apple have made several attempts to lock down simulated user clicking in the past, only for new 0day exploits to appear that have bypassed them.

If you’re using a Mac that’s enrolled in Apple’s Device Enrollment Program, you will be familiar with MDM and Config profiles as a means of controlling access to applications, services and preferences. Malware authors are also aware of them, and have taken to slipping managed preferences onto users’ machines to control and reset things like Safari preferences. Adware like Chill Tab and MyShopcoupon have been plaguing macOS users since mid-2017 through this same mechanism.

Apple Bugs

Arguably, these are becoming more common, or at least more widely publicised, as Apple pushes the limits of quality assurance in trying to keep up with its self-imposed annual update cycle. First, High Sierra and then Mojave introduced embarrassing bugs that could have given malware open season to infect and exploit macOS users.


Do You Really Need AV software on macOS?

We hope that the answer to this is self-evident by now. The built-in protections are “nice to have”, but they do not really address the complexity or sophistication of modern malware, especially when combined with Apple’s determination to rush out a minimally-tested new version of the entire OS every 12 months.

If you have endpoints running macOS, you need a security solution that does more than scan a few static signatures and prevent downloads from one or two different sources. You need a solution that has defence in-depth: a modern Next-Gen solution like SentinelOne that uses machine learning to automate detection across your entire network, regardless of whether the endpoint is running macOS, Windows or Linux.


Marriott’s Starwood guest database faces a massive data breach affecting 500 mi ...


Last week, a popular Hospitality company, Marriott International, unveiled details about a massive data breach, which exposed the personal and financial information of its customers. According to Marriott, this breach was happening over the past four years and collected information about customers who made reservations in its Starwood subsidiary.

The information which was subject to the breach included details of approximately 500 million guests. For approximately 327 million of these guests, the information breached includes a combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences.

The four-year-long breach that hit Marriott’s customer data

Marriott, on September 8, 2018, received an alert from an internal security tool which reported that attempts had been taken to access the Starwood guest reservation database in the United States. Following this, Marriott carried out an investigation which revealed that their Starwood network had been accessed by attackers since 2014.

According to Marriott’s news center, “On November 19, 2018, the investigation determined that there was unauthorized access to the database, which contained guest information relating to reservations at Starwood properties* on or before September 10, 2018.”

For some users out of the 500 million, the information includes payment card details such as numbers and expiration dates. However, “the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128). There are two components needed to decrypt the payment card numbers, and at this point, Marriott has not been able to rule out the possibility that both were taken. For the remaining guests, the information was limited to name and sometimes other data such as mailing address, email address, or other information”, stated the Marriott News release.

Arne Sorenson, Marriott’s President and Chief Executive Officer, said, “We will continue to support the efforts of law enforcement and to work with leading security experts to improve. Finally, we are devoting the resources necessary to phase out Starwood systems and accelerate the ongoing security enhancements to our network”. Marriott also reported this incident to law enforcement and is notifying regulatory authorities.

This is not the first time Starwood data was breached

Marriott hoteliers did not exactly mention when the breach hit them four years ago in 2014. However, its subsidiary Starwood revealed that, a few days after being acquired by Marriott, more than 50 of Starwood’s properties were breached in November 2015. According to Starwood’s disclosure at the time, that earlier breach stretched back at least one year, i.e., November 2014.

According to Krebs on Security, “Back in 2015, Starwood said the intrusion involved malicious software installed on cash registers at some of its resort restaurants, gift shops and other payment systems that were not part of its guest reservations or membership systems.”

In Dec. 2016, KrebsOnSecurity stated, “banks were detecting a pattern of fraudulent transactions on credit cards that had one thing in common: They’d all been used during a short window of time at InterContinental Hotels Group (IHG) properties, including Holiday Inns and other popular chains across the United States.”

Marriott said that its own network has not been affected by this four-year data breach and that the investigation only identified unauthorized access to the separate Starwood network.

“Marriott is providing its affected guests in the United States, Canada, and the United Kingdom a free year’s worth of service from WebWatcher, one of several companies that advertise the ability to monitor the cybercrime underground for signs that the customer’s personal information is being traded or sold”, said Krebs on Security.

What should compromised users do?

Companies affected by the breach, or as a defensive measure, can pay threat hunters to look out for new intrusions. They can even test their own networks and employees for weaknesses, and run drills to assess their breach response preparedness.

Individuals who re-use the same password should try a password manager, which remembers strong passwords/passphrases for them and essentially lets them use one strong master password/passphrase across all websites.

Krebs on Security’s “assume you’re compromised” philosophy “involves freezing your credit files with the major credit bureaus and regularly ordering free copies of your credit file from annualcreditreport.com to make sure nobody is monkeying with your credit (except you).”

Rob Rosenberger, co-founder of Vmyths, tweeted advice to everyone who booked a room at Marriott properties since 2014: affected users should change their mother’s maiden name and their social security number soon.

BREAKING: #Marriott’s Global Chief Information Security Officer, @BAHoffmeister, urges everyone who booked a room at their properties since 2014 to “change your mother’s maiden name and your social security number as soon as you possibly can” https://t.co/2VEkkoKOzS

― Rob Rosenberger (@vmyths) December 2, 2018

To know more about the Marriott breach in detail, visit Marriott’s official website.


The Biggest Myth in Blockchain: Transactions Per Second


The Biggest Myth in Blockchain: Transactions Per Second
And why you should ignore it

James Halladay

Transactions per second. Network speed. Scaling. Whatever guise it comes in, the crypto community seems obsessed with transaction speed ― especially when it comes to Ethereum.* So much so, that some people think scaling ‘problems’ are to blame for Ether’s recent bear market.

“PayPal, the global monolith, makes millions of transactions every day ― but runs at an average of 193 per second.”

But is our obsession with transaction speed shortsighted? Of course, speedy stable transactions are essential for the future of all but the most specialist projects. Yet in the wider world of FinTech, there’s no such obsession. PayPal, the global monolith, makes millions of transactions every day ― but runs at an average of 193 per second. This is a long way off blockchain’s ‘holy grail’ of one million transactions per second and yet no one’s calling into question PayPal’s entire future.

I was recently discussing this with Ian Worrall, the CEO and Founder of MyBit , a non-profit blockchain startup. Since the project relies on the Ethereum network, you’d expect he’d be pretty bothered about transactions per second. He wasn’t.

His thoughts on the subject came down to one thing above all others: security. Of course, rapidly scaling the Ethereum network would be fantastic ― no one’s disputing that ― but making it the goal seems misguided. It’s all a bit of a smokescreen, a distraction. And here’s why.

“Of course, rapidly scaling the Ethereum network would be fantastic ― no one’s disputing that ― but making it the goal seems misguided.”

For starters, actual usage of the Ethereum network is lower than you might think. A quick look at DappRadar shows average daily users in the hundreds and transactions in the thousands for the entire Ethereum network. If we return to the example of PayPal, a platform that processes some five million transactions a day at an average of 193 per second, it really puts the ‘holy grail’ of one million in perspective. The whole Ethereum network doesn’t need that kind of speed ― never mind a single project or dApp. Yet, at least.


Actual dApp usage is much lower than you might think (source: DappRadar)

But that’s not the only reason the transactions per second myth is problematic.

Crucially, most projects running on Ethereum are financial platforms. Here, security and stability is by far the biggest concern. It’s why so many within the financial industry have been slow to adopt blockchain. And while many platforms ― think gaming or social media apps ― need speed, even here security remains paramount.

Whether we like it or not, security (or the idea of security) is a major barrier to mainstream adoption. Yet, paradoxically, it’s security ― not speed ― that holds the wider promise of blockchain technology. And it’s easy to forget this; while it’ll be some time before Ethereum can match PayPal’s speed, that’s simply not the case when it comes to security.

“Paradoxically, it’s security ― not speed ― that holds the wider promise of blockchain technology.”

This makes sense in theory, right, but what about in practice?

Well, we’re already seeing developers grapple with the paradox of speed versus security ― and, in practice, they tend to prioritise the latter.

One of the more high profile solutions currently in development is ‘Plasma chains’. While they cannot store smart contracts, Plasma chains can send simple transactions quickly and cheaply. It’s a way to scale the network while maintaining the security offered by the Ethereum ‘main chain’. A win-win, then.

But, crucially, what the Plasma project shows is that, when it comes down to it, speed doesn’t need to come at the cost of security. That’s still the real gold.

And it’s why reframing the debate with security at the fore, rather than some ‘holy grail’ of one million transactions per second, can only be a good thing. Otherwise, we’re getting ahead of ourselves ― and forgetting what made blockchain technology so appealing in the first place.

*It’s worth noting this article focuses on Ethereum, but I believe the points raised can be applied to the wider blockchain space.


Information Security Behind the Industrial Internet


With “Industrial Internet Security” as its theme, the 2018 annual meeting of the Information Security Professional Committee of the China Information Association (hereafter “the Committee”), held together with the eighth Cybersecurity Innovation and Development High-end Forum, took place in Beijing last Thursday afternoon.



As the Committee’s first general membership meeting since this year’s change of leadership, the host, Committee director Ye Hong, said in her opening address that the industrial internet is an important carrier of advanced manufacturing, but the constant stream of newly discovered industrial control system vulnerabilities is genuinely endangering public safety. As critical information infrastructure, beyond raising security awareness, assigning security responsibility, building technical defence capability and making up the shortfall in independent and controllable technology, enterprises and research institutions should engage in broad collaboration to jointly build an industrial internet security assurance system. This is also the key vision behind the Committee’s establishment of an Industrial Control Security Working Department and the holding of this forum.

The convergence of IT and OT makes network-borne security hazards in industrial control systems increasingly prominent. From industrial control system security to industrial internet security, how should the difference between the two be understood? How does the industry view the security market behind the industrial internet, its security challenges, and the approaches to tackling them?

“Secure and controllable” is the core of future energy internet development

We take the energy sector, which the general public can relate to most readily, as an example.

Energy, and in particular the electricity scenario represented by the power grid, is an important industrial control scenario, and is also explicitly listed as critical information infrastructure in the Regulations on the Security Protection of Critical Information Infrastructure (draft for comment). Whether in generation, transmission/transformation or distribution, a problem in any single link, even something as minor as an abnormal signal, can at best cause a brief outage and at worst paralyse an entire regional grid, or even lead to an unimaginable man-made disaster.

Zhu Guobang, division head at the Cybersecurity Protection Bureau of the Ministry of Public Security, made clear in his forum address that, particularly for important sectors such as electricity, the intensity of law-enforcement inspections and the frequency of attack-and-defence exercises will continue to increase, and the deployment of key technologies for security capability will be promoted. This is the backdrop for industrial control security.

Now to the energy internet.

According to statistics, as of 2017 China’s total installed generating capacity was 1.7 billion kWh, the largest in the world. Within State Grid’s operating area, thermal power still accounts for as much as 65% of installed capacity. In future, however, clean energy scenarios such as photovoltaic and wind generation are expected to exceed 60% of the energy mix by 2050. The energy internet’s ability to connect and coordinate multiple renewable sources, and to meet users’ diversified energy consumption needs, makes it an important enabler of the coming energy transition.

One could say the energy internet is the upgrade of the modern power grid.

Tang Guangfu, academician of the Chinese Academy of Engineering, said when discussing the development of the energy internet that building it requires technical exploration in key areas such as flexible power transmission, energy conversion, and information and communications. On the ICT side, intelligent interaction and being “secure and controllable” are two key requirements.



Being secure and controllable is an important guarantee of the high stability and reliability of the power system. Damage to the grid and to power monitoring systems carried out through network attacks is a major threat to grid security. The energy transition and the construction of the energy internet make the power system’s network structure more complex and its access boundaries blurred; communication networks with multiple forms of implementation and continually increasing two-way interaction will also keep expanding the grid’s exposure to information security threats.

This is the inevitability of the energy internet’s development, and the accompanying information security challenge that must be faced squarely.

State Grid is a centrally administered enterprise that attaches great importance to, and invests continuously in, informatisation. In the four evaluations of central enterprises’ informatisation level conducted by SASAC since the 11th Five-Year Plan, State Grid ultimately ranked first overall. Seen from the other side, an advanced level of informatisation increases dependence on power information systems and magnifies the hazards brought by a cybersecurity risk in any link.

State Grid Cybersecurity (Beijing), established by State Grid on the basis of the State Grid Information & Telecommunication Group, is an important force in State Grid’s response to cybersecurity challenges.

According to Yin Shugang, chairman of State Grid Cybersecurity (Beijing), the core approach to the power system’s cybersecurity challenges is to start from the core needs of the power sector; provide it with independent, controllable, secure and reliable technology products; develop core technologies (such as power-specific chips) and foundational supporting technologies (such as a grid GIS platform combined with BeiDou spatio-temporal positioning services) independently; and strengthen cooperation with enterprises, universities and research institutions.

The industrial internet market may far exceed the consumer internet

The energy internet is one vertical scenario of the industrial internet. Strong vertical specificity is an important attribute of industrial internet (security). How do we understand the general nature of industrial internet security and its market?

Zhou Xizhu, CEO of Lanxum, the organiser of the Committee’s 2018 annual meeting, said in his talk that developing the industrial internet has become a national strategy, and its scale may in future far exceed that of today’s consumer internet. This means that the security and reliability of the industrial internet is an important foundational capability, and a huge market, that follows from it and is driven at the national level. This judgement is consistent with the figures cited by Ma Zhongyu, deputy director of the State Information Center, in his address: China’s industrial internet industry was worth 570 billion yuan in 2017 and, at an estimated 18% growth rate, is expected to exceed one trillion yuan by 2020.


Lanxum CEO Zhou Xizhu

At present, vulnerabilities, ransomware and precisely targeted APT attacks are the three most prominent threats obstructing the industrial internet’s development. Apart from APT attacks, which are presumed to be state activity, the difficulty with the other two is not defensive technology. Awareness is what matters most. Investment in informatisation needs foresight, and the same is true of the industrial internet and its security.

Zhou Xizhu believes close integration of the supply and demand sides is an important precondition for rapid growth of the industrial internet security market. On the supply side, R&D investment is currently high while the market is small, so small firms find it hard to sustain high ongoing R&D investment; on the demand side, the industries currently leading the development of the industrial internet are relatively closed, the division of responsibility and authority is unclear, and security budgets are inadequate. In future, however, in a market centred on developing the industrial internet, the share of security investment is expected to keep growing.

Market development is inseparable from technical assurance.

Zhao Feng, director of the Committee’s Industrial Control Security Working Department and general manager of Lanxum’s industrial internet business unit, gave the meeting a detailed account of the industrial internet’s specific security challenges and of more general solutions.

Zhao Feng said the main security challenges currently visible for the industrial internet include:

The difficulty of changing the status quo in which industrial control systems and devices run with known “holes”

A multitude of communication protocols

Failure of perimeter protection

Dispersed deployment of edge devices

Insecure communication access

Lack of visual management of assets (and their vulnerabilities)

Lack of anomaly monitoring capability

Improper operations

Incomplete security response plans

Cloud security risks

The overall goal of industrial internet security is “no data lost, no application interrupted”. In terms of solutions, therefore, Zhao Feng believes awareness must come first, followed by the formulation of management rules and personnel training. On technical assurance, the current stage should centre on the protective concepts of monitoring, auditing and “whitelisting”, so as to minimise disturbance to production processes. At the same time, enterprises can build an industrial internet security assurance system mainly from the angles of cloud/endpoint mutual trust (one-way isolation and traffic auditing), data security (encryption/masking/backup), application security (application redundancy/web protection), access authorisation (signature-based authentication), cloud security protection and security visualisation. For the differing protection needs of each tier, apply tiered protection, without over-protecting.

EULA out, equity in: Why startups are now a part of larger companies' security b ...



Dec 3, 2018 | CYBERSCOOP

Cybersecurity sales teams often spread the idea that companies with the most sophisticated data protection strategies got that way by spending the most money on the latest and greatest security products.

Truthfully, that’s usually not the case.

U.S. companies have begun in recent years to enter strategic partnerships with cybersecurity startups, which often offer products at lower rates and more flexible terms than established market leaders. The technique allows companies like insurance giant Aetna health and New Jersey-based telecommunications firm IDT Corp. to more aggressively experiment with the services security startups offer, sometimes even stitching together technology from multiple distinct organizations.

“I tend to choose innovators that are developing capabilities that have the potential to be game-changing, whereas leading enterprise security companies have a commitment to serve the broadest needs of the overall market,” said Jim Routh, chief security officer at Aetna. “Those needs don’t look a whole lot like our needs.”

Nearly four years ago, Aetna began exploring ways to further secure customers’ ability to access their health information via the company’s app and website. Larger security vendors suggested the company use multi-factor authentication, now an industry standard. But that binary technique would have allowed Aetna to verify users’ identities only when they logged on to the app, rather than on a continuous basis.

Instead, the health company entered into agreements with four startups that each specialized in different services, ranging from a risk-assessment engine to an identity management tool (Routh declined to name any of the security vendors Aetna works with). Aetna cobbled together those four tools into a single service the health care company now uses to verify users as they browse Aetna’s app, Routh said.

“Each of those technologies was totally different and offered something totally compelling,” Routh said. “Because they were still early stage companies, they were willing to work together.”

Aetna has saved millions of dollars by entering into agreements with startups, he added. Aetna also uses more established security vendors, albeit in a limited capacity. “They do have their place,” Routh said.

Aetna also is working with smaller firms to customize anti-phishing technology, and to test machine learning technology across different security controls, Routh said. The health care company takes equity in some of the security startups it chooses to work with.

“We spend 90 minutes every week looking at every early-stage solution and their architecture,” he said. “We might do a proof-of-concept with one [out of] every 20 companies, but doing that gives us a feel for what’s happening out there.”

Working with smaller, more nimble startups also has companies adjust to emerging technologies like the cloud. IDT earlier this year began working with ShieldX, a cloud security vendor with roughly 60 employees, to apply machine learning to web traffic flowing through IDT’s environment. By signing up with the fledgling ShieldX, IDT saved money while allowing the young company to use the company’s network as a quasi-test laboratory, according to ShieldX founder Ratinder Ahuja.

“Larger partners can benefit from the innovations we bring in, and we benefit from their global footprint,” Ahuja said, adding that Golan Ben-Oni, IDT’s global chief information officer, provided expertise ShieldX incorporated into a patent.

“He guided us and works with us very closely as a joint development partner in some of the technologies,” Ahuja said.

In any given area of operations, IDT typically works with one or two more established firms and one startup, Ben-Oni said via email. Working with startups often means faster response times and more collaboration between IDT and vendors’ product management teams, leading to more IDT control over the final product. Unlike Aetna’s approach, IDT does not have equity in ShieldX.

“It can sometimes be challenging for an incumbent to rethink security from the ground up, which often can mean starting over or creating an entirely different approach to solve a given problem,” he wrote. “Startups on the other hand can be more nimble and are not held back by legacy technological systems or thinking.”

The notion of corporate security executives entering into these kinds of strategic partnerships is an emerging concept, according to Routh. While chief information security officers at large companies might have the flexibility to try out smaller firms, CISOs at small and medium-sized firms don’t yet have room in their budget to invest precious resources in a startup that might fail.

The trend will accelerate in the years ahead as cyberthreats become more complicated, forcing companies to adjust to new problems more quickly, Ahuja predicted.

“There always will be early adopters willing to address their pain points with newer technologies like us,” he said.


Huawei opens a Vulnerability Reward Program with a max payout of ~$143,000


Mobile security is important for a number of reasons, not least because most of our personal lives now reside on our smartphones. From photographs to social media, anybody with malicious access to your device could, in theory, cause a number of problems in your life. That’s why it’s important to make sure you have the latest security patches and to be sure not to install anything that could steal your data or damage your phone. While some vulnerabilities are in AOSP, some vulnerabilities may be in the custom software used by device OEMs like EMUI. As such, Huawei has opened up a vulnerability reward program in partnership with 360 Mobile Security that has a maximum payout of 1RMB (roughly $143,000) should a reported vulnerability be deemed serious enough.

The partnership was announced at Huawei’s terminal security award program conference and is open to all invited security researchers. Zhou Mingjian, head of the 360 Mobile Security C0RE team, said that vendor drivers account for 90% of all vulnerabilities found in Android devices. He also said that the 360 C0RE team was responsible for the finding of 138 Android vulnerabilities in the past two years, a little more than 12% of all vulnerabilities found in that timeframe.

It’s a shame that the reward program is not open to any developer out there, but it’s a start and is a similar approach to what many other companies in the world have done in the past . While it’s not in the best interests of the development community, a bug bounty reward program often offers an incentive to developers to release their exploits to the company involved rather than the developer community, thanks to monetary gain. Obviously, it’s also generally better for consumers as it means vulnerabilities get patched as well. It’s unknown if Huawei intends to expand the program, or if they will announce it in the west or not.

Note: Huawei has stopped providing bootloader unlock codes for their devices. Therefore, the bootloader of their phones cannot be unlocked, which means that users cannot root or install custom ROMs.

YouTuber PewDiePie Promoted Via 50K Hacked Printers


A hacker claims to have commandeered 50,000 printers globally in order to print pamphlets promoting YouTube star “PewDiePie.” The alleged widespread hack sheds light on just how insecure printers are, and how precarious printer vulnerabilities could be when they offer an easy route into the enterprise network.

The hacker under the Twitter handle @HackerGiraffe said he hacked over 50,000 printers to promote Felix Kjellberg, also known as PewDiePie, a Swedish YouTuber, comedian and video game commentator.

The famed YouTuber is currently going head-to-head with T-Series, an Indian music record label and film company, for the top YouTube spot . Both YouTubers’ channels have at least 73 million subscribers, though PewDiePie , at the time of this writing, is currently leading by 300,000.

On Friday, @HackerGiraffe took to his Twitter account to explain how he carried out the hack.

Here is how the entire #pewdiepie printer hack went down:

1. I was bored after playing Destiny 2 for a continuous 4 hours, and decided I wanted to hack something. So I thought of any vulnerable protocols I could find on shodan

(1/)

― TheHackerGiraffe (@HackerGiraffe) December 1, 2018

According to the hacker, he found three different vulnerable printing protocols on Shodan (IPP, LPD, and JetDirect) with up to 800,000 vulnerable printers in total.

“I was horrified to see over 800,000 results show up in total. I was baffled, but determined to try and fix this. So I picked the first 50,000 printers I found running on port 9100 and downloaded the list off Shodan,” he said in a tweet.

The hacker then used Printer Exploitation Toolkit on Github which also gives hackers the ability to access files, damage the printer, or access the internal network.



However, @HackerGiraffe said that he merely wanted to use the kit to print out messages about PewDiePie, so that he could spread awareness.

“PRET [Printer Exploitation Toolkit] had the scariest of features. Ability to access files, damage the printer, access the internal network…things that could really cause damage. So I had to do this, to at least help organizations and people that can protect themselves,” he said in a Tweet.

The hacker typed up a bash script, which runs an exploit kit against the impacted IP with commands to print a message then quit. He then uploaded the script onto his server and left it running.

The printed message said: “PewDiePie is in trouble and he needs your help to defeat T-Series! PewDiePie, the currently most subscribed to channel on Youtube, is at stake of losing his position as the number one position by an Indian company called T-Series, that simply uploads videos of Bollywood trailers and songs.”

The message then urged readers to unsubscribe from T-Series and subscribe to PewDiePie, and concluded the message by telling readers to tell everyone they know.

Impacted printer users, for their part, took to social media to tweet at PewDiePie that they had received the message. Those impacted ranged from students trying to print their college work, to those using work computers, and even a ticket printer at a police station.

This is what came out of my printer when I tried to print my college assignment @pewdiepie

Is this ur new propaganda ?? pic.twitter.com/1mj66FN5VD

― Shone Kelkar (@shonex112) December 1, 2018

@pewdiepie Some hacker is using unsecured work printers to print out this message pic.twitter.com/t701kfBwIP

― Shahmeer Khan (@Shahmee65121534) November 30, 2018

@pewdiepie this just came through the ticket printer for the police station next door #savepewdiepie pic.twitter.com/7cGX3VmUIt

― Danny Boitano (@TFGHighlights) November 27, 2018

PewDiePie, for his part, addressed the incident briefly on his Twitter account, saying “Desperate times calls for desperate measures..”

Desperate times calls for desperate measures.. https://t.co/ltWSh9RPOs

― ω (@pewdiepie) November 30, 2018

Printers continue to pose a dangerous security target for companies particularly when the printers are owned by enterprises that lack strict network device management.

An HP-sponsored study by the Ponemon Institute (PDF), found that, out of 2,000 IT security practitioners, up to 56 percent believe employees in their organizations do not see printers as an area of high security risk. Meanwhile, only 44 percent of those surveyed said their company security policies include security for network-connected printers.

That goes to show why printer-related security incidents are so widespread. Just this past summer, researchers at Check Point found a vulnerability enabling attackers to compromise printers with fax capabilities, merely by sending a fax. Meanwhile, in August, HP Inc. patched hundreds of inkjet models that were open to two different remote code execution flaws (CVE-2018-5924, CVE-2018-5925).

Much Ado About Financial Services and Compliance


Why financial institutions should adapt a data-centric approach for compliance obligations

Last September my colleague Alex Tay tackled the state of cybersecurity in Singapore and reasons for critical information infrastructure (CII) sectors to comply with the recent mandates from the Cyber Security Agency (CSA). As one of the 11 CIIs covered under Singapore’s cybersecurity bill, the banking and finance sector isn’t exempt from the new regulatory mandates for compliance―in fact, the Monetary Authority of Singapore (MAS) recently tightened cybersecurity rules to further protect its IT systems. How will the financial sector cope with compliance considering today’s ever-evolving guidelines, rules, and their various interpretations?

Legally-binding cybersecurity regulations strengthened for FIs

In a move to tighten cybersecurity rules and framework for financial institutions, the Monetary Authority of Singapore (MAS) proposed to make six (6) essential cybersecurity measures legally binding on top of the existing measures in place. These measures are meant to serve as a baseline hygiene standard for cybersecurity according to the MAS Technology Risk Management guidelines, in addition to enhancing the security of financial institutions’ systems and networks, and its resiliency to cyber attacks.

As indicated on the MAS website , financial institutions (FIs) are ordered to comply with the following cybersecurity measures:

Address system security flaws in a timely manner

Establish and implement robust security for systems

Deploy security devices to secure system connections

Install antivirus software to mitigate the risk of malware infection

Restrict the use of system administrator accounts that can modify system configurations

Strengthen user authentication for system administrator accounts on critical systems

With more financial processes today being done digitally, what does this mean for FIs in the face of increasing cyber attacks?

Understanding the demands of compliance

Cyber attacks and data breaches are often a result of unsecured or faulty system configurations. The proposed measures outline a “clear and common cybersecurity waterline” to increase readiness and response for FIs to address persistent cybersecurity issues.

Mitigating risks, however, is no easy task. Over the past years, the needs of IT systems, too, have continued to evolve along with the increasing number of infrastructure and assets that need to be protected. As part of compliance with cyber hygiene requirements, the draft notice by the MAS mandates additional measures to enhance the security of administrative accounts―namely, to keep records of all administrative accounts; implement strong password controls; and to give access to administrative accounts to only authorized staff. As an added measure, we believe that relevant entities should enact a separation of duties policy to prevent insider attacks. This type of policy will effectively allow system administrators to carry out their administrative tasks without having access to sensitive stored information. We recommend applying an M of N control policy to the administrative functions of critical resources, which prevents a single administrator from making unauthorized critical changes.
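The M of N control recommended above, as an added example that is not Gemalto’s own code: the key that authorises a critical administrative change is split with Shamir secret sharing so that any M of N administrators can reconstruct it while M-1 cannot, and the change is approved only when the reconstructed key matches a registered digest. All function names here are this example’s own.

```python
"""Added example, not Gemalto's product code: an M-of-N approval gate for a
critical administrative change, built on Shamir secret sharing over a prime
field. The "unlock key" that authorises the change is split into N shares;
any M administrators can reconstruct it, any M-1 cannot.
"""
import hashlib
import secrets
from typing import List, Tuple

PRIME = 2**127 - 1          # field modulus; secrets must be below this
Share = Tuple[int, int]     # (x, f(x)) handed to one administrator


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of the polynomial with the given coefficients."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, m: int, n: int) -> List[Share]:
    """Create n shares of which any m reconstruct the secret."""
    if not 1 <= m <= n:
        raise ValueError("need 1 <= m <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret out of field range")
    # Degree m-1 polynomial with the secret as its constant term.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares: List[Share]) -> int:
    """Lagrange interpolation at x = 0. With fewer than m distinct shares the
    result is a field element unrelated to the secret."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares submitted")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # Modular inverse via Fermat's little theorem (PRIME is prime).
        total = (total + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return total


def key_digest(secret: int) -> str:
    """What the system stores: a hash of the key, never the key itself."""
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()


def authorize_change(submitted: List[Share], expected_digest: str,
                     m: int) -> bool:
    """Approve only if at least m distinct shares reconstruct the
    registered key; fewer, duplicated or forged shares are refused."""
    if len(submitted) < m:
        return False
    try:
        candidate = recover_secret(submitted)
    except ValueError:
        return False
    return key_digest(candidate) == expected_digest


def demo() -> Tuple[bool, bool, bool]:
    """3-of-5 policy: full quorum, short quorum, quorum with a forged share."""
    unlock_key = secrets.randbelow(PRIME)
    shares = split_secret(unlock_key, 3, 5)
    digest = key_digest(unlock_key)      # registered at enrolment time
    return (authorize_change(shares[:3], digest, 3),
            authorize_change(shares[:2], digest, 3),
            authorize_change(shares[:2] + [(5, 1234)], digest, 3))


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```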

Another important point to understand in the proposed mandate is the MAS’s requirement to enhance security standards in relation to its configuration and procedures. According to the draft notice, its measures include compliance with security standards established by relevant entities and taking steps to reduce any sort of risk. For FIs to meet this audit requirement, we recommend that relevant entities adopt the right authentication methods to address machine-to-machine or application-to-application transactions.

Furthermore, digital identities (private keys) and digital signatures can be used in conjunction with multi-factor authentication (MFA) to play a role in the fight against cybercrime. To enhance the effectiveness of MFA, entities should adopt risk-based authentication, which uses continuous passive behavioral biometrics and context-based signals to analyze the authenticity of transactions in real time.

Understanding the compliance requirements and regulations stipulated in the MAS notice is crucial to strengthening the security posture of financial services while providing convenience to all end users and customers alike.

Applying a data-centric approach to compliance

Cybersecurity still very much remains a persistent theme in the history of financial regulation, despite regulations already in place to address current security concerns in the financial industry. Early this year, MAS managing director Ravi Menon emphasized the financial losses caused by AI-enabled malware used to infiltrate banks across the world, moving cyber risk management “front and center of the international regulatory agenda.”

No matter what the affected industry is or how old or new the government mandates are, the pressure, effort, and cost required to achieve and sustain compliance remain.

We believe that implementing an infrastructure to support, manage, and enforce policy is the most effective approach for meeting compliance regulations and passing audits. Our suite of SafeNet Identity and Data Protection solutions aids in meeting compliance obligations, whether you’re facing an audit or applying new regulations.

Implementing an infrastructure to centrally support, manage, and enforce policy is key. At Gemalto, we can help build compliance infrastructures to avoid data security creep and silos with components like role-based access control, enterprise key management, and our data encryption services. Data ownership is becoming a gray area―but you can rest assured that our solutions will enable you to securely manage and store sensitive data in the event of a breach.

Find your path to data compliance now. Contact me or leave a comment below if you’d like to hear more about our data compliance solutions.

*** This is a Security Bloggers Network syndicated blog from the Enterprise Security Gemalto blog authored by Allan Tan. Read the original post at: https:/

BrandPost: Understanding the Attack Chain


Today’s security teams are struggling to keep pace with the changes in their networks. Multi-cloud, virtualization, the explosion of IoT and BYOD devices, agile software development, and the crushing volume and speed of data―not to mention Shadow IT―have resources stretched thin. Meanwhile, cybercriminals have been undergoing their own digital transformation. Machine learning and agile development, new sophisticated attacks like ransomware and cryptomining, combined with Dark Web crime-as-a-service offerings mean that attacks are faster, harder to detect, and better at finding and exploiting vulnerabilities.

Understanding the Attack Chain

Effectively defending against cyberattacks in this new environment requires security teams to work smarter rather than harder. Today’s cybercriminal strategies target every link in an attack chain, from gathering information and gaining access, to moving laterally across the network to discover resources to target, to evading detection while exfiltrating data. Traditional security strategies, however, tend to only focus on a handful of attack components, which gives criminals a significant advantage.

To address today’s challenges, security teams need a combination of tools, strategy, automation, and skilled professionals to monitor the entire attack chain and automate as much of the process as possible so that human resources can be focused on higher order analysis and response. Choosing such tools, however, requires understanding the entire length of the attack chain and how vulnerabilities in each of its links can compromise the security of your network.

To assist with this, MITRE has mapped the attack chain into eleven discrete links, along with examples of the types of attacks that target each link in that chain. To effectively counter today’s advanced threats, security teams need to familiarize themselves with each link in the chain and map them directly to functional areas and tools within their own networks.

Critical links in the attack chain described in the MITRE model include:

Initial Access: Exploiting known vulnerabilities in servers, compromising websites or applications, or taking advantage of successful spearphishing attacks allows attackers to wedge a foothold into the edge of the network.

Execution: This is the point where an attacker executes a binary, command, or script to begin their network reconnaissance and exploitation process.

Persistence: Once an attacker has established a foothold, the next goal is to avoid detection. Creating or manipulating accounts, applying rootkits, using run keys or exploiting tools like application shimming enable attackers to persist in place while they explore the network for potential targets.

Privilege Escalation: Basic access does not allow an attacker much opportunity to explore the network. To move around the network and access resources worth stealing, an attacker needs higher network privileges.

Defense Evasion: To move through a network undetected, especially when exfiltrating data, attackers need to avoid detection by things like behavioral analytics and IPS tools. Techniques such as clearing files, learning and mimicking normal traffic behaviors, or disabling security tools are just a few of the full range of tools available to today's hackers.

Credential Access: In many organizations, critical data and other resources are protected behind a wall of security that requires appropriate credentials for access. Unfortunately, gaining access to credentials isn't always that difficult. They are stored in files or in a registry that attackers can exploit; techniques like hooking allow cybercriminals to intercept traffic to uncover credentials; and account manipulation can involve things like adding or modifying the permissions of the account being used to access the network.

Discovery and Lateral Movement: Not all data exists in the segment of the network that was broken into. Many of the same techniques used to this point are used again to determine where valuable resources exist and then to allow an attacker to move laterally between network segments, whether they are local to the breach or at some remote physical or virtual data center.

Collection and Exfiltration: Once an attacker has identified a payload, they need to collect that data and extract it from the network without being detected. This is often the trickiest part of the process, as it may involve massive amounts of data. But if a cybercriminal has carefully crafted each attack element to this point, they are often able to remain inside a compromised network for months, slowly moving data to other resources that are under less scrutiny, and eventually out of the network.

Command and Control: The final step is for attackers to cover their tracks completely. Multi-hop proxies, data obfuscation, and multi-stage exfiltration are just a few of the techniques cybercriminals use to ensure that stolen data cannot be tracked and traced back to them.

Working Smarter

Addressing the entire attack chain needs to be combined with understanding how the network functions, including the impact that future business requirements will have on the network. Mapping those functions to the attack chain allows security teams to think comprehensively about security threats.

Breaking security down into the eleven MITRE attack chain links has two goals.

The first is to engineer as much risk out of the network as possible by addressing weaknesses inherent in each link of the attack chain before an attack occurs. This may include hardening protocols to prevent their exploitation, turning off unused ports, and baselining all known traffic so that new applications or escalating privileges can be identified. Each of these activities can be mapped to multiple attack chain links. So can behavioral analytics, which can identify when a device begins behaving strangely, such as FTPing data out of the network. Even activities such as patching or replacing vulnerable devices, and subscribing to threat intelligence feeds so you are tuned to current attack methodologies and malware can be mapped to multiple links in the attack chain.
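The baselining and behavioral-analytics point above ("a device begins behaving strangely, such as FTPing data out of the network") is the kind of check a SOC can actually script. The following is an added example of mine, not code from the BrandPost, Fortinet or MITRE: it builds a per-host baseline of outbound destination ports and peak daily egress from a known-good window of flow records, then scores a later window against it, flagging a host that starts talking on a port it never used before and a host whose egress volume jumps well above its baseline. The flow records and their five-field layout (date, source host, destination IP, destination port, bytes) are constructed for the example and do not correspond to any real product's log format.

```python
"""Baseline-and-deviation check over sample outbound flow records.

Added example (not from the BrandPost or MITRE): build a per-host baseline of
outbound destination ports and daily egress volume from a "known good" window,
then score a later window against it, flagging (a) a host talking on a port it
never used before (the "FTPing data out" case in the text) and (b) egress
volume far above its baseline peak. The flow records are constructed; the
field layout (date, src host, dst ip, dst port, bytes) is an assumption.
"""
from collections import defaultdict

# Constructed baseline window: the network as it normally behaves.
BASELINE_FLOWS = """\
2018-11-01 ws-17 10.0.0.5 443 120000
2018-11-01 ws-17 10.0.0.9 53 4000
2018-11-01 db-02 10.0.1.20 5432 800000
2018-11-02 ws-17 10.0.0.5 443 150000
2018-11-02 ws-17 10.0.0.9 53 3500
2018-11-02 db-02 10.0.1.20 5432 900000
2018-11-03 ws-17 10.0.0.5 443 110000
2018-11-03 db-02 10.0.1.20 5432 850000
"""

# Constructed observation window: ws-17 begins pushing data out over FTP (tcp/21).
OBSERVED_FLOWS = """\
2018-11-10 ws-17 10.0.0.5 443 130000
2018-11-10 ws-17 10.0.0.9 53 3800
2018-11-10 ws-17 203.0.113.7 21 45000000
2018-11-10 db-02 10.0.1.20 5432 870000
"""

def parse_flows(text: str) -> list:
    """Parse 'date host dst_ip dst_port bytes' lines into dicts, skipping blanks."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, host, dst, port, nbytes = line.split()
        flows.append({"date": date, "host": host, "dst": dst,
                      "port": int(port), "bytes": int(nbytes)})
    return flows

def build_baseline(flows: list) -> dict:
    """Per host: the set of destination ports seen and the peak bytes/day."""
    ports = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        ports[f["host"]].add(f["port"])
        daily[f["host"]][f["date"]] += f["bytes"]
    return {h: {"ports": ports[h], "peak_daily_bytes": max(daily[h].values())}
            for h in ports}

def detect(baseline: dict, flows: list, volume_factor: float = 3.0) -> list:
    """Return (host, finding) tuples for deviations from the baseline."""
    findings = []
    daily = defaultdict(lambda: defaultdict(int))
    for f in flows:
        daily[f["host"]][f["date"]] += f["bytes"]
        known = baseline.get(f["host"])
        if known is None:
            findings.append((f["host"], f"unbaselined host seen: port {f['port']} to {f['dst']}"))
        elif f["port"] not in known["ports"]:
            # New egress protocol for this host: the "device starts FTPing" signal.
            findings.append((f["host"], f"new outbound port {f['port']} to {f['dst']} ({f['bytes']} bytes)"))
    for host, days in daily.items():
        known = baseline.get(host)
        if known is None:
            continue
        for day, total in days.items():
            if total > volume_factor * known["peak_daily_bytes"]:
                findings.append((host, f"egress on {day} is {total} bytes, "
                                       f">{volume_factor}x baseline peak {known['peak_daily_bytes']}"))
    return findings

def run() -> list:
    """Baseline from the known-good window, then score the observed window."""
    return detect(build_baseline(parse_flows(BASELINE_FLOWS)), parse_flows(OBSERVED_FLOWS))

if __name__ == "__main__":
    for host, msg in run():
        print(f"[{host}] {msg}")
```

On the sample data the workstation trips both rules (a never-before-seen port 21 and a day of egress far above its peak) while the database server, whose behaviour is unchanged, stays quiet; in practice the baseline window should be long enough to capture weekly cycles, and the volume factor tuned per host class rather than fixed globally.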

The second goal is to apply security strategically so that fewer security tools can address more challenges. This allows you to keep the number of management and orchestration consoles you need to monitor under control. It also enhances your ability to implement AI and machine learning to address challenges at digital speeds. Tools like Network Access Control ensure that you are aware of every device on your network, while SIEM devices ensure that threat intelligence is dynamically collected and correlated from every device deployed in every corner of your network.

At the same time, consistency in security policy implementation and enforcement across different network ecosystems is critical. For example, you should deploy the same NGFW solution in every part of your networ

60 Cybersecurity Predictions For 2019


I’ve always been a loner, avoiding crowds as much as possible, but last Friday I found myself in the company of 500 million people. The breach of the personal accounts of Marriott and Starwood customers forced us to join the 34% of U.S. consumers who experienced a compromise of their personal information over the last year. Viewed another way, there were 2,216 data breaches and more than 53,000 cybersecurity incidents reported in 65 countries in the 12 months ending in March 2018.

How many data breaches we will see in 2019 and how big are they going to be?

No one has a crystal ball this accurate and it’s difficult to make predictions, especially about the future. Still, I made a brilliant, contrarian, and very accurate prediction last year, stating unequivocally that “there will be more spectacular data breaches” in 2018.

Just like last year, this year’s 60 predictions reveal the state of mind of key participants in the cybersecurity industry (on the defense team, of course) and cover all that’s hot today. Topics include the use and misuse of data; artificial intelligence (AI) and machine learning as a double-edged sword helping both attackers and defenders; whether we are going to finally “get over privacy” or see our data finally being treated as a private and protected asset; how the cloud changes everything and how connected and moving devices add numerous security risks; the emerging global cyber war conducted by terrorists, criminals, and countries; and the changing skills and landscape of cybersecurity.

It’s the data, stupid

“While data has created an explosion of opportunities for the enterprise, the ability to collaborate on sensitive data and take full advantage of artificial intelligence opportunities to generate insights is currently inhibited by privacy risks, compliance and regulation controls. The security challenge of ‘data in use’ will be overcome by applying the most universal truth of all time―mathematics―to facilitate data collaboration without the need for trust from either side. For example, ‘zero-knowledge proof’ allows proof of a claim without revealing any other information beyond what is claimed. Software that is beyond trust and based on math will propel this trend forward”―Nadav Zafrir, CEO, Team8
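The zero-knowledge claim in the quote above is easiest to appreciate with a small interactive protocol in hand. What follows is an added example of mine, not code from Team8 or the article: a toy Schnorr identification protocol in which a prover convinces a verifier that it knows the discrete logarithm x of a public key y = g^x mod p without revealing x. The group parameters (p = 2039, q = 1019, g = 4) are constructed toy values chosen so the arithmetic is easy to inspect; real deployments use groups with an order of at least 256 bits. The block also shows the two properties that make the quote's statement precise: a cheating prover without x is rejected, and a simulator that knows only y can still produce accepting transcripts, which is why the transcript reveals nothing about x beyond the claim itself.

```python
"""Toy Schnorr zero-knowledge identification, to make the quoted claim concrete.

Added example (not from Team8 or the article): a prover convinces a verifier
that it knows x with y = g^x mod p without revealing x. Group parameters are
deliberately tiny, constructed values; real deployments use >= 256-bit order.
Also shown: a simulator that forges accepting transcripts knowing only y (the
formal sense in which nothing beyond the claim leaks) and a rejected cheater.
"""
import secrets

# Constructed toy parameters: p = 2q + 1 with p, q prime; g = 4 is a quadratic
# residue mod p and so generates the subgroup of prime order q.
P = 2039
Q = 1019
G = 4

def keygen() -> tuple:
    """Secret x in [1, q-1] and public key y = g^x mod p."""
    x = 1 + secrets.randbelow(Q - 1)
    return x, pow(G, x, P)

def prover_commit() -> tuple:
    """Step 1: prover picks a fresh nonce r and sends the commitment t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def verifier_challenge() -> int:
    """Step 2: verifier sends a random challenge c in [0, q-1]."""
    return secrets.randbelow(Q)

def prover_respond(x: int, r: int, c: int) -> int:
    """Step 3: prover answers s = r + c*x mod q (reusing r across runs leaks x)."""
    return (r + c * x) % Q

def verify(y: int, t: int, c: int, s: int) -> bool:
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def run_protocol(x_claimed: int, y: int, c: int = None) -> bool:
    """Full exchange. `x_claimed` is whatever the prover believes the secret is,
    so passing a wrong value exercises the cheating-prover case. A fixed
    challenge may be injected for deterministic testing; a nonzero wrong guess
    is rejected for every nonzero challenge."""
    r, t = prover_commit()
    if c is None:
        c = verifier_challenge()
    s = prover_respond(x_claimed, r, c)
    return verify(y, t, c, s)

def simulate_transcript(y: int) -> tuple:
    """Produce an accepting (t, c, s) WITHOUT knowing x: choose c and s first,
    then solve for t = g^s * y^(-c). Because y has order q, y^(-c) = y^(q-c)."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, -c % Q, P)) % P
    return t, c, s

if __name__ == "__main__":
    x, y = keygen()
    print("honest prover accepted:   ", run_protocol(x, y))
    print("cheating prover accepted: ", run_protocol((x + 1) % Q, y, c=7))
    t, c, s = simulate_transcript(y)
    print("simulated transcript ok:  ", verify(y, t, c, s))
```

The simulator is the whole point: since anyone holding only the public key can manufacture transcripts indistinguishable from real ones, a transcript cannot be evidence about x, yet a live prover who must commit to t before seeing c cannot pass without knowing x (each wrong answer is caught with probability 1 - 1/q per round).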

“IT security in 2019 is no longer going to simply be about protecting sensitive data and keeping hackers out of our systems. In this day and age of big data and artificial intelligence―where cooperation on data can lead to enormous business opportunities and scientific and medical breakthroughs―security is also going to have to focus on enabling organizations to leverage, collaborate on and monetize their data without being exposed to privacy breaches, giving up their intellectual property or having their data misused. Cybersecurity alone is not going to be enough to secure our most sensitive data or our privacy. Data must be protected and enforced by technology itself, not just by cyber or regulation. The very technology compromising our privacy must itself be leveraged to bring real privacy to this data-driven age”―Rina Shainski, Co-founder and Chairwoman, Duality Technologies

AI is a dual-use technology

“AI-driven chatbots will go rogue. In 2019, cyber criminals and black hat hackers will create malicious chatbots that try to socially engineer victims into clicking links, downloading files or sharing private information. A hijacked chatbot could misdirect victims to nefarious links rather than legitimate ones. Attackers could also leverage web application flaws in legitimate websites to insert a malicious chatbot into a site that doesn’t have one. In short, next year attackers will start to experiment with malicious chatbots to socially engineer victims. They will start with basic text-based bots, but in the future, they could use human speech bots to socially engineer victims over the phone or other voice connections”―Corey Nachreiner, CTO, WatchGuard Technologies

“While next-gen technology like Artificial Intelligence (AI) and Machine Learning (ML) are transforming many enterprises for the better, they’ve also given rise to a new breed of ‘smart’ attacks. The ability to scale and carry out attacks is extremely enticing to cybercriminals, including use of intelligent malware. The rise in next-gen threats means that security professionals must be extra vigilant with detection and training against these threats, while also adopting new methods of automated prevention”―John Samuel, Senior Vice President and Global Chief Information Officer, CGS

“Cyber defenders have been researching and working on their machine learning/AI/deep learning for a long time. We expect over the next 5 years that these technologies will also empower adversaries to create more powerful and elusive attacks through a new generation of tools, tactics and procedures. While AI/ML-savvy offensive cybercriminals are in their infancy, this is like any other business. They will invest in whatever provides them the greatest return. Unlike defenders, those on the offense are willing to collaborate and share innovation freely, which could increase rapid development and innovation”―David Capuano, CMO and VP Sales, BluVector

“Automation is the name of the game in security and machine learning is here to help. AI is all about automating expert systems, and security is all about experts answering some form of the question: ‘Does this matter? Does this alert matter? Is this vulnerability risky?’ Machine learning will help filter out the noise, so that the limited number of practitioners out there can use their time most efficiently”―Michael Roytman, chief data scientist, Kenna Security

“Recent updates to exploit kits, specifically natural language and artificial intelligence capabilities, have made the automation of highly convincing and unique social engineering emails a very simple process. Meaning, an attacker can upload a file with one million email addresses and can automate the creation of effective and unique phishing messages to send out to victims”―Brian Hussey, VP of Cyber Threat Detection and Response, Trustwave SpiderLabs

“When it comes to using AI in cybersecurity, be wary. AI offers companies huge potential, but it is a largely untapped area. If you do plan to implement it, do a proof of concept to make sure that it integrates into your company’s environment, ensuring that you’re getting the maximum value”―Joan Pepin, CISO and VP of