首先创建 KeyPairGenerator 类的对象，用于生成公钥和私钥对

然后初始化密钥对的长度，最低长度512位，并且长度不能低于明文的长度

利用 keyPairGen 对象生成密钥对，保存在 KeyPair 类中

从 keyPair 类中获取公钥和私钥

运行结果见下面的GIF：

11月30日，英国间谍机构政府通信总部(GCHQ)及其信息安全部门NCSC发布了安全漏洞披露策略，概述了其是如何确定是否将漏洞追捕结果告知厂商的。

NCSC去年向微软披露了 3 个漏洞，包括两个 windows Defender 关键漏洞和一个Edge及IE11浏览器脚本引擎远程代码执行漏洞。

向微软报告的这三个漏洞都经过了30号公布的“漏洞公平裁决过程”，该过程由3层决策系统组成，英国政府用以权衡是否向厂商报告其发现的安全漏洞。

但为什么要在这个时候公开这一漏洞披露决策过程呢？GCHQ称，出于让公众放心的目的，英国调查权专员已同意监察该公平裁决过程的实际操作。

这一解释与当天生效的一项要求不谋而合：使用《调查权法案》“最具侵入性的调查权力”需经过法官的批准。

GCHQ表示，其默认立场是漏洞披露需与国家利益一致。毕竟，GCHQ和NCSC知道自己可能不具备某一漏洞的专门知识。披露漏洞可以让供应商为政府机构、公司企业和消费者提供能够保护其计算机的补丁。

是否披露的问题是政府和科技行业间的棘手难题。去年的WannaCry勒索软件攻击将这一问题摆到了公众面前，因为该勒索软件是依赖美国国家安全局(NSA)泄露的Windows漏洞利用代码打造的。

面对WannaCry的可怕后果，微软总裁 Brad Smith 抨击美国间谍机构“囤积”漏洞危害消费者的行为，呼吁制定新的规则迫使政府向厂商报告漏洞。1个月后，使用同一NSA漏洞利用代码的NotPetya勒索软件爆发，给欧洲和美国公司企业带来了超过 10亿美元 的损失。

GCHQ的公平裁决过程裁定该机构或其下属机构发现的零日漏洞是否报告给相关方。

3层决策系统包括安全专家、情报机构成员、政府机构代表和由NCSC首席执行官 Ciaran Martin 出任主席的公平监管委员会。NCSC于2016年10月组建，旨在帮助英国公司企业响应网络攻击，在公平裁决过程中起到重要作用。

被发现的零日漏洞提交到公平裁决技术专家组，如果专家组内情报机构和NCSC成员一致认为该漏洞应披露，该漏洞就会被报告给厂商。

如果专家组不能达成一致，问题会被提交到由政府机构代表组成的公平裁决理事会，在Martin的代理人主导下进行裁决。如果理事会还不能达成一致，问题就上交给Martin亲自执掌的公平裁决监管委员会。委员会的作用就是确保公平裁决过程按照指定的程序恰当运行。

GCHQ称，所有保留的漏洞至少每12个月会审查一次。

但也有漏洞没有经过该公平裁决过程审议。GCHQ没有提供任何硬性规定，但指出3种情况下会出现这一现象：

1)合作政府已确认漏洞并与GCHQ共享了该信息；

2)产品已不再提供支持；

3)产品从设计上就是脆弱的，产品中存在显而易见的脆弱配置。

NCSC技术总监称，认为所有漏洞都要披露的想法非常天真，NCSC与情报机构参与到公平裁决过程中能起到更好的国家安全保护左右。

英国的漏洞公平裁决过程每一步都偏向于披露漏洞，但披露漏洞并不能实质上改变从根本上就不安全产品的安全状况。所以，有时候漏洞发现会被用于与相关公司展开更战略性的对话，帮助他们提升其产品的整体安全性。

SINE安全公司在对phpcms2008网站代码进行安全检测与审计的时候发现该phpcms存在远程代码写入缓存文件的一个SQL注入漏洞，该phpcms漏洞危害较大，可以导致网站被黑，以及服务器遭受黑客的攻击，关于这次发现的phpcms漏洞细节以及如何利用提权我们来详细剖析。

phpcms2008是国内深受站长建站使用的一个内容CMS管理系统，phpcms的开源话，免费，动态，静态生成，API接口，模板免费下载，自定义内容设计，可提供程序的二次开发与设计，大大方便了整个互联网站长的建站使用与优化。整个phpcms采用PHP+mysql数据库作为架构，稳定，并发高，承载量大。

phpcms2008漏洞详情

在对代码的安全检测与审计当中，发现type.php文件代码存在漏洞，代码如下:

以上代码if(empty($template)) 在进行变量定义的时候可以跟进来看下，通过extract进行变量的声明与注册，如果当前的注册已经有了，就不会覆盖当前已有的声明，导致可以变量伪造与注入。

我们再来跟踪该代码找到template函数，看到调用到了include目录下的global.func.php文件，该代码里的function template会对传递过来的定义值进行判断，默认TPL_REFRESH是为1的参数值，也就是说自动开启了模板缓存功能。当需要更新缓存的时候就会先判断有没有变量注册，如果有就会进行更新缓存。

该漏洞利用的就是缓存的更新，将网站木马代码插入到缓存文件当中去。可以看出$template没有进行过滤就可以直接写入到缓存模板中，我们可以指定TAG内容，post提交过去，如下代码：

我们在自己的本地电脑搭建了一套phpcms2008系统的环境，进行漏洞测试，提交post参数过去，我们看下本地的漏洞结果，可以执行phpinfo代码。也可以插入一句话木马后门进行上传webshell。

phpcms漏洞修复与安全建议

目前phpcms官方已经修复该漏洞，请各大网站运营者尽快升级phpcms2008到最新版本，有些二次开发的网站可以针对缓存目录进行安全限制，禁止PHP脚本文件的执行，data,cache_template目录进行安全加固部署,对网站上的漏洞进行修复，或者是对网站安全防护参数进行重新设置，使他符合当时的网站环境。如果不懂如何修复网站漏洞，也可以找专业的网站安全公司来处理，国内也就Sinesafe和绿盟、启明星辰等安全公司比较专业.

12月2日凌晨，360互联网安全中心紧急发布了关于最新勒索病毒UNNAMED1989的传播情况和初步分析结论。2日早晨，我们还公布了解密工具帮助中招用户解密。经过一天时间，360又对该勒索病毒的传播和代码进行了进一步的深入分析。

该勒索病毒主要捆绑在刷量软件、外挂、打码软件、私服等第三方开发的应用程序传播，通过QQ、QQ群共享、网盘分享、论坛贴吧等形式将这些应用程序发送给受害者。受害者运行后机器上就会感染下载器木马，之后再由下载器木马安装其它恶意程序，这之中就包括本次传播的UNNAMED1989勒索病毒。部分参与传播本次勒索病毒的应用程序如下表所示。

应用程序文件名

MD5

大刷子.exe

8f9463f9a9e56e8f97f30cd06dd2b7be

更新器.exe

9368b4b542a275b8d0a2b19601b5823e

【苏州vip】益农社全自动邀请_se.exe

baff9b641d7baff59a33dfac1057c4a8

【白浅vip】掌上生活-20v1.0.exe

d5f9cfa306bcdd50c3b271bfe01d81ff

42651293d5e0b970521a465d2c4928a6

【夺宝头条】邀请阅读v1.0.exe

028c48146f08691ae8df95b237d39272

表1 部分参与传播本次勒索病毒的应用程序信息

经分析发现，这些下载器在代码风格上与此次勒索病毒高度一致，可能出自同一黑客（团伙）之手。下图展示了这些应用程序与勒索病毒的一段代码对照：

图1 传播程序与勒索病毒部分代码对照

从感染下载器木马，到被下发勒索病毒周期较长，部分受害者在中招多天之后才遭到勒索，很难关联到是由于之前使用的一些外挂程序造成的。当受害者运行带毒的外挂软件时，软件主程序会在多个目录下释放恶意文件，其中部分释放路径如下表所示。

%userprofile%\appdata\local\temp\9377.game\

%userprofile%\appdata\local\temp\gamedown\009\

%userprofile%\appdata\roaming\tencent\rtl\uistyle\x64\

%userprofile%\appdata\roaming\tencent\rtl\uistyle\

表2 恶意文件释放路径

释放的恶意文件是一组带有导入表DLL劫持的“白利用”组合（该技术在国内病毒制作圈中非常流行），攻击者通过DLL劫持的方式劫持合法程序执行流程，使“正常”程序执行恶意代码，试图躲避杀毒软件查杀。攻击者使用的三组“白利用”如表3所示。

合法程序MD5

“白利用”恶意程序MD5

495ae240d5cd6c9269815f3b90f0522a

43079041ef46324f86ac9afc96169104

74828b11ba45d85ccd069559a4cf56fa

847bcf6655db46673ad135997de77cf2

e59e119b3b2d3fe2a8ac8857c7dcecfc

6455b968e811041998c384d6826814df

表3 攻击者使用的三组“白利用”

这三组“白利用”被用做木马下载器使用，长期驻留用户系统。攻击者在其豆瓣主页以及github中保存一组加密的控制指令，下载器读取到指令后解密获得下阶段木马程序下载URL。图4展示了保存在攻击者豆瓣主页的加密字符串。图5则展示了字符串解密后的配置文件内容。

图4 保存在豆瓣的加密字符串

图5 解密后的配置文件内容

程序获取到的下阶段木马下载URL指向一张由正常图片和压缩包拼接而成的图片，通过截取图片并解压文件能够获取下一阶段程序。图5展示了图片的十六进制内容，可以明显看见zip压缩包的文件头部。

图6 程序下载的由正常图片和压缩包拼接而成的图片

之后的木马程序会从网络上下载更多拼接了恶意文件的图片并提取恶意文件。根据我们分析发现，攻击者不仅通过该方式往受害者机器上植入勒索病毒，还植入过盗号木马。这些恶意程序会注入到合法进程中工作，并带有更新功能，通过获取攻击者豆瓣主页上的字符串获取更新地址，以根据情况更改植入受害者计算机的恶意程序。

图7 木马程序中硬编码的下载地址

在11月19日开始，攻击者开始通过上述方式向用户计算机中植入名为realtekarm.dll.aux的恶意程序并在机器中持续驻留。之后realtekarm.dll.aux作为下载器以相同方式下载勒索病毒相关文件。并将勒索病毒写入了用户计算机的启动项，在用户下次启动计算机时，文件就会被加密。该勒索病毒同样是通过DLL劫持方式，劫持正常程序执行其病毒功能。

图8 攻击者释放的勒索病毒相关文件

图9 被加入启动项的勒索病毒及命令行

根据360互联网安全中心根据传播此次勒索病毒的下载器所请求的域名进行了统计，下图展示的就是下载器自11月16日起，对其相关域名进行请求的PV和UV波动趋势，在一定程度上也可反映出该勒索病毒的传播趋势。

图10 传播本次勒索病毒的下载器对相关域名请求的波动趋势

勒索病毒运行后，会加密桌面上以及除了C盘外的其他磁盘中的文件。在加密文件类型选择上，除了应用程序运行时所需要的文件类型――例如exe、dll、ini等――被放过之外，其他文件均被加密。这也造成用户文档、图片等重要文件被加密。

图11 勒索病毒放过的文件类型

在加密算法上，该勒索病毒选择了极为简单的异或加密。首先将特定标识符、版本信息以及随机字符串进行简单处理后存放在C:\Users\unname_1989\dataFile路径下，文件名为appCfg.cfg。

图12 生成密钥存放到appCfg.cfg中

加密文件时，从第120位读取appCfg.cfg中的密钥，与硬编码在程序中的字符串按位异或之后，作为加密密钥与待加密文件内容按位异或。

图13 勒索病毒加密过程

因为加密文件通过简单的异或算法实现，因此该勒索病毒是可解的。同时，由于appCfg.cfg中存放的密钥包含随机生成的部分，因此受害用户需要保留该文件以进行解密。

图14 360安全卫士可正常拦截本次勒索病毒

图15 360解密大师可成功解密被该勒索病毒加密的文件

566bb1d3c05d4eb94e634e16e3afcc33

8f9463f9a9e56e8f97f30cd06dd2b7be

baff9b641d7baff59a33dfac1057c4a8

d5f9cfa306bcdd50c3b271bfe01d81ff

42651293d5e0b970521a465d2c4928a6

028c48146f08691ae8df95b237d39272

43079041ef46324f86ac9afc96169104

847bcf6655db46673ad135997de77cf2

6455b968e811041998c384d6826814df

【PConline 资讯】如今，很多企业步入了异地或移动的新办公时代，员工需要远程访问公司内部系统，以便及时共享文件、访问云盘、调看视频监控等等。如何实现公司总部、分部、门店以及移动办公人员之间的高效互联互通？

我们说，传统的企业组网方式，不仅需要申请固定公网IP，还要专业IT设备，对于那那些中小型企业甚至门店而言，不仅部署复杂，且维护过程以及投入成本都很高。现在好了，蒲公英针对异地组网推出了一款新品--G300 Pro，一款小成本高性能的企业级千兆机架式路由器。

据了解，蒲公英G300 Pro拥有自主研发的云虚拟专网技术，可适用于复杂网络结构，且无需公网IP。与传统设备不同的是，通过蒲公英G300 Pro的在线云端管理页面或管理App，就可以完成异地虚拟局域网的组建。除了多台蒲公英路由器之间硬件组网外，还可搭配软件客户端用于多种场景。

外观方面，蒲公英G300 Pro采用标准的1U机箱设计，支持服务器机架的同时更减少占地，便于同其他网络设备连接与管理。在保证数据安全方面，蒲公英G300 Pro组网后支持银行等机构广泛使用的非对称RSA/AES算法加密，有效可靠的同时兼顾运算速度快、资源损耗低等优势。

配置方面，为了更好的满足办公环境下的多设备接入，及保障网络高效稳定，蒲公英G300 Pro搭载X86架构四核四线程处理器，同时具备4个全千兆网口，多网口负载均衡，满足多条线路接入的组网需求，后期还将支持WAN/LAN可配置端口；软件客户端同时兼容windows、Mac、linux、Android、iOS系统，轻松应对各种需求和场景。

(This article was first published on r-bloggers STATWORX , and kindly contributed toR-bloggers)

We at STATWORX work a lot with R and we often use the same little helper functions within our projects. These functions ease our daily work life by reducing repetitive code parts or by creating overviews of our projects. At first, there was no plan to make a package, but soon I realised, that it will be much easier to share and improve those functions, if they are within a package. Up till the 24th December I will present one function each day from helfRlein . So, on the 3rd day of Christmas my true love gave to me…

This little helper combines multiple ggplots into one plot. This is a function taken from the R cookbook .

An advantage over facets is, that you don't need all data for all plots within one object. Also you can freely create each single plot which can sometimes also be a disadvantage.

With the layout parameter you can arrange multiple plots with different sizes. Let's say you have three plots and want to arrange them like this:

With multiplot it boils down to

To see all the other functions you can either check out our GitHub or you can read about them here .

Have a merry advent season!

Numbers were always my passion and as a data scientist and statistician at STATWORX I can fullfill my nerdy needs. Also I am responsable for our blog. So if you have any questions or suggestions, just send me an email!

STATWORX

Sign Up Now!

11月30日，万豪酒店官方发布消息称，多达5亿人次预订喜达屋酒店客人的详细个人信息可能遭到泄露。万豪国际在调查过程中了解到，自2014年起即存在第三方对喜达屋网络未经授权的访问，但公司直到2018年9月才第一次收到警报。

万豪国际还表示，泄露的5亿人次的信息中，约有3.27亿人的信息包括如下信息的组合：姓名、邮寄地址、电话号码、电子邮件地址、护照号码、SPG俱乐部账户信息、出生日期、性别、到达与离开信息、预订日期和通信偏好；更为严重的是，对于某些客人而言，信息还包括支付卡号和支付卡有效期，虽然已经加密，但无法排除该第三方已经掌握密钥。

酒店集团的数据泄漏问题已经不是第一次。近些年洲际、希尔顿、凯悦、文华东方等酒店集团等不止一次遭遇过这类安全事件。上一次华住集团的数据泄露事件我们还记忆犹新。以下是最近几年发生在酒店行业的部分数据泄漏事件：

从这几起典型的酒店数据泄露事件的原因来看，主要有以下几种：

虽然万豪并未明确指出数据泄露的原因，但从官方声明中提到的”an unauthorized party”，可以猜测本次数据泄露与第三方支持人员有很大关系。酒店管理系统比较复杂，通常涉及大量第三方参与系统开发与运维支持。因此很容易出现第三方支持人员或者内部人员利用系统漏洞取得数据库访问权限。而2017年凯悦酒店集团的数据泄露事件也是一些酒店IT系统被注入第三方恶意软件代码，通过酒店管理系统的漏洞获取数据库的访问权限，从而提取酒店客户的支付卡信息并解密。

这类原因以华住集团的泄漏事件为典型代表，开发人员将包含有数据库账号和密码的代码传至了Github上，被黑客扫描到以后进行了拖库。这一类原因已经成为全行业数据泄露的主要原因之一，Uber在2107年因此泄露了5700万用户信息。

这一原因的典型事件是希尔顿和洲际酒店集团。据公开的消息，这两起数据泄露事件都是由于POS机被植入了恶意程序，导致支付卡信息被窃取。

数据安全问题是一个很大的话题，无法用一篇文章讲完。我们仅综合近些年的数据泄露事件和企业在数据安全领域最常见的几个误区，总结出以下几个最明显的问题：

内部安全意识不强，开发人员的安全红线要求缺失；

管理者对业务系统存在的漏洞和安全风险心存侥幸，不发生安全事件就假装视而不见；

对敏感数据资产梳理不清，哪些人、哪些系统有访问权限情况不明，数据安全管控无从下手；

敏感数据字段未进行加密，一旦泄露就是明文数据；或使用了数据库自身的密钥管理机制做加密，但数据库本身无法保证安全，密钥也可以被黑客所窃取；

对数据异常访问行为缺乏检测和审计手段，导致泄露发生多年后才被发现（更大的可能性是大多数企业从来没有发现过）。

当前，以数据安全生命周期进行安全管控的最佳实践已经成为业内数据安全治理的共识。

我们也深知，大部分企业不可能一次性把所有事情全部做完，我们从防丢失、防滥用、防篡改、防泄露四个方向出发，按照先易后难、风险从高到低的优先级给出如下建议：

严控代码 ：此时此刻，就立即告诉包括第三方外包服务商在内的所有开发人员，不允许将任何的开发代码上传到第三方平台，已经传上去的代码立即删除；阿里云已经看到太多企业因为代码传至Github而引发的大规模数据泄露事件；

全业务渗透测试 ：如果你的企业已经有超过半年以上没有进行过渗透测试，尽快启动一次针对全业务的渗透，堵上可能存在威胁数据安全的漏洞。为什么是全业务？因为你可能并不清楚一些不起眼的边缘业务系统里可能就有公司内部人员的账号；

权限梳理 ：尽快完成对业务系统敏感数据、访问人员和权限的梳理。对大部分中小企业来说，完成梳理并不需要太多时间，而且自己就可以完成，成本较低；

数据加密 ：对梳理出来的敏感数据进行分类分级，确定哪些字段必须加密，利用第三方的透明加密系统、云上的加密服务/密钥管理服务逐步完成系统改造；

审计与分析 ：建设数据访问控制、日志审计和异常行为分析手段，对第三方系统、外包人员和内部人员的权限进行严格限制，对数据访问行为进行审计、分析和监控；

数据脱敏 ：在开发测试和运维环节，建设数据静态/动态脱敏手段，确保生产数据的抽取、查看受到严格保护；在应用系统后台管理中严格限制数据导出落地，同时在系统中做好日志埋点；

办公网安全 ：建设办公网的数据防泄漏系统，完成数据防泄漏从生产网到办公网的闭环。

*本文作者：阿里云安全，转载请注明来自CodeSec.Net

Crypto-Mining（加密货币挖矿）攻击在2018年不断发展和演变。由于加密货币的价值和普及程度的提高，黑客越来越倾向于利用受害者设备的CPU资源来进行加密货币挖矿操作。网络安全公司Check Point表示，在整个一年中，他们看到了相关报告和攻击数量的大幅增加。尽管最近加密货币的价值趋于平稳，但这种攻击方法和技术仍然在独创性和有效性方面不断改进。

KingMiner是一种针对windows服务器的Monero-Mining（门罗币挖矿）恶意软件。该恶意软件于2018年6月中旬首次出现，并在随后迅速发布了两个改进版本。由于攻击者采用了多种逃避技术来绕过仿真环境和安全检测，因此一些反病毒引擎针对该恶意软件的检测率都普遍变现为很低。根据Check Point对其传感器日志的分析，KingMiner攻击尝试的数量一直都在稳步上升。

Check Point表示，根据他们的调查结果，他们可以肯定该恶意软件的目标是Microsoft服务器（主要是IIS\SQL），涉及到尝试猜测其密码。

一个Windows Scriptlet文件（.sct）会在受害者的设备上被下载并执行。

在执行过程中，该文件执行了以下几个步骤：

图1.HTTP响应中的“zip”payload

如上所示，这个ZIP文件包含五个文件：

图2.攻击的第一阶段

图3.config.json-一个XMRig配置文件，包含钱包地址和私有采矿池

在仿真环境中，可执行文件不会执行任何操作。

在提取所有文件之后，md5.txt文件（“zzz”）的内容将附加到相关的DLL文件（sandbox.dll\active_desktop_render_x64.dll，两者中的内容相同）。不过，Check Point表示他们还没有看到这种行为对恶意软件活动产生任何影响。

powered.exe/fix.exe文件被调用并执行，以创建XMRigminer文件和几个值为“Test”的新注册表项。

图4.DLL文件中包含的函数

可执行文件会从DLL文件中调用以下函数：

DLL文件包含四个附加函数，可能会在未来的版本中使用：

图5.函数“king1”，创建一个线程并将二进制blob y.png/x.txt作为参数。

图6.攻击的第二阶段

XMRig CPU Miner运行，并耗尽受害者设备的全部CPU资源

虽然被配置为占用75％的CPU资源，但它实际占用的是100％。

图7：恶意powered.exe文件占用了100％的CPU资源

Check Point的研究人员在KingMiner过去6个月的整个演变过程中，一直在监控它的活动。自首次出现以来，KingMiner已经发布了两个新版本。该恶意软件一直在不断地添加新的功能和逃避技术，以绕过仿真环境。

此外，作为该恶意软件不断发展的一部分，Check Point发现许多占位符被用于未来的操作或即将发布的更新，这将使得这种恶意软件更加难以检测。

逃避技术的使用是一次成功攻击的重要组成部分。几种相对简单的机制使得该恶意软件能够绕过常见的仿真环境和安全检测方法：

这些逃避技术似乎大大降低了检测率，以下是在VirusTotal中的检测结果：

KingMiner的运营者使用了私有采矿池来阻止对其活动的任何监视。目前，采矿池的API已经被关闭，所涉及的钱包也没有在任何公共采矿池中使用。Check Point表示，他们尚没有能够明确KingMiner使用了哪些域名，因为攻击者采用的是私有域名。然而，与之相关的攻击目前正在大范围蔓延，从墨西哥到印度，以及挪威和以色列。

KingMiner是一种仍在不断发展的Crypto-Mining恶意软件，它可以绕过常见的安全检测和仿真环境。通过实施简单的逃避技术，攻击者能够增加攻击成功的概率。Check Point预测，这样的逃避技术将在2019年继续发展，并成为Crypto-Mining攻击的主要（以及更常见的）组成部分。

声明：本文来自黑客视界，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

网络安全公司Yoroi在上周披露，在过去的几个月里，他们观察到了一起针对意大利用户的恶意电子邮件活动。目前，尚不清楚这些攻击尝试到底是由一个成熟的网络犯罪团伙在修改其TTP之后发起的，还是由一个全新的网络犯罪团伙发起的。但无论如何，Yoroi公司已经启用了内部代号“Sload-ITA”（TH-163）来追踪这一威胁。此外，在今年5月份，SANS ICS的研究人员在英国也观察到了类似的活动。类似的恶意软件组件投递方式以及利用压缩文件来隐藏恶意代码的技术，将这两起活动联系在了一起。

Yoroi公司收集并分析了在此次活动中使用的恶意样本，以揭示攻击者所使用的恶意软件的细节。下图总结了SLoad恶意软件的感染链。

图1. SLoad恶意软件感染链

由Yoroi公司分析的恶意样本是一个zip压缩文件，其中包含两个不同的文件：

尽管解压后的.lnk文件从表面上看是合法的，但它的“武器化”方式与APT29在近期活动中采用的方式是类似的，这也反映出这种技术已经成为了某些网络武器的一部分。事实上，当用户双击该文件时，一个批处理脚本会生成如下所示的powershell脚本：

这个powershell脚本会搜索与“documento-aggiornato-novembre - * .zip”格式匹配的所有文件。如果文件存在，脚本则会从其末尾提取一段代码，然后通过“IEX”原语调用。在下图中，你可以看到真正涉及压缩文件内容的代码被标识为粉色和黄色，而附加的恶意代码则被标识为蓝色。

图2.附加到zip压缩文件的恶意代码

zip文件的这一部分包含一段将由powershell脚本调用的可执行代码。通过滥用“bitsadmin.exe”，这段代码可以从“firetechnicaladvisor.com”下载其他脚本。然后，将所有新下载的文件存储到“%APPDATA%/ ”文件夹中。下图展示的是恶意软件组件下载后，文件夹所包含的内容：

图3.文件夹中的恶意软件组件

文件夹中的“NxPgKLnYEhMjXT.ps1”脚本用于将这些恶意软件组件安装到受害者的设备中，并在系统上注册一个计划任务，以建立持久性。然后，它会删除自身。

图4. 恶意软件组件的安装脚本

在查看了文件夹中的“CxeLtfwc.ps1”脚本之后，研究人员还注意到恶意软件组件使用cmdlet“Invoke-Expression”从文件“config.ini”加载并执行了另一段代码。

下图展示了恶意软件的其他组件是如何调用这段特定代码的：你可能会注意到，脚本是在输入参数（“1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16”）的情况下启动的，这些参数用作密码钥匙来解密“config”的内容――恶意软件的实际payload。

需要说明的是，“config.ini”和“web.ini”文件都是在运行时通过以下一组系统原语进行解密和调用的：

下图展示的是“config.ini”文件中经加密处理的代码的一部分。

图5.“config.ini”中经过加密处理的payload

Sload恶意软件会收集有关受害者设备的信息，如域名、dns缓存、正在运行的进程、ip和系统架构。此外，它还会定时抓取受害者当前桌面的屏幕截图，搜索Microsoft Outlook文件夹并收集有关用户目录中是否存在“* .ICA”Citrix文件的信息。所有这些信息都会被发送给C&C服务器。提交数据后，它会直接从攻击者那里接收到用于实施进一步攻击的PowerShell代码。这种行为是木马/间谍软件的代表特征之一，通常被用来完成入侵目标设备前的侦察工作，以及某些更复杂攻击的初始阶段。

图6.Sload恶意软件组件在VT中的检测结果

一些第三方安全公司和政府认证机构也公开披露了最近的SLoad攻击浪潮，但由于精心设计的钓鱼电子邮件主题，以及恶意软件组件本身使用的技术，导致反病毒引擎针对该恶意软件的检测率可能相对较低，这无疑对意大利用户构成了严重的威胁。

目前，尚不清楚这些攻击背后的运营者是否是网络犯罪领域中新出现的参与者，但有迹象表明，此恶意活动最早被发现可能是在2018年5月份，在当时针对的是英国用户，而最近针对意大利用户的活动是从10月份开始的，这似乎预示着该组织已经扩大了其恶意活动的规模。

声明：本文来自黑客视界，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

多年来，全球的网络安全专家都对以恶意软件形式出现的威胁保持着高度警惕，包括木马、病毒、蠕虫和鱼叉式钓鱼攻击。今年也不例外。2018年发生了相当多的攻击，其中一些攻击中还包括一些新的趋势：凭证窃取成为了主要问题，尽管勒索软件仍是网络威胁领域的主要参与者，但Radware发现，内部威胁有了大幅下降。

这一点对英国和德国尤其适用，这两个国家目前都处在通用数据保护条例(GDPR ) 的管辖之下。然而，在美国，内部威胁却在增加，从2017年的72%上升到了2018年的80%，这很令人担忧。

2017年5月， WannaCry 发布之后，造成了数千亿美元的损失，短短数天就影响到了150个国家的30万台电脑。据CyberEdge Group的一份 报告 显示，2017年，全球55%的企业都成为了勒索软件的受害者；约有87%的企业选择不支付赎金，而多亏了离线数据备份系统，他们仍然能够检索数据。而在那些除了支付赎金别无选择的企业中，只有一半的企业能够检索到数据。

这告诉我们什么？离线数据备份是保护企业免受勒索软件攻击的一种切实可行的解决方案。幸运的是，市场上还推出了高效实用的云端备份解决方案，可以帮助企业采用恰当的主动措施来维护数据安全。

然而，云安全、数据隐私和维护数据机密性方面也存在一些问题。例如，对访问控制、持续有效的威胁监控、风险评估和维护法规遵从性的担忧阻碍了云解决方案的整体实现。

但是，虽然这些担忧对企业来说是障碍，但也成为了安全厂商成功进入这一领域并开发更丰富有效的解决方案的机会。

毫无疑问，我们确实需要更好的解决方案。据Verizon的 2015年数据泄露调查报告 显示，即使发布了 通用漏洞列表 (CVE)，即使有可用补丁，仍有99.9%的被利用漏洞会被持续利用一年多的时间。

这是为什么呢？尽管IT安全专家会坚持定期监控并及时修复漏洞，但这样做也存在一些挑战；会让系统离线的补丁反过来又会影响员工生产力和企业收入。一些企业甚至因为缺少合格的工作人员而无法实现补丁。事实上， 83%以上 的企业都表示遇到过补丁问题。

也就是说，目前缺乏有效的补丁和漏洞管理平台，这也为厂商提供了探索这些领域并交付前沿解决方案的机会。由于IT安全预算比以往任何时候都更加健全，企业的确有望投资于这些解决方案。

我们可以期待2019年会带来什么改变。

The first weekend of December has been and gone, so Christmas must be just around the corner. But the blockchain doesn’t care about Christmas, it keeps on going no matter what.

Which means, there’s some catching up to do. Here are Hard Fork’s top cryptocurrency and blockchain news picks from the last weekend.

1. At the latest G20 summit in Buenos Aires, world politicians discussed a global cryptocurrency business tax . It’s currently illegal for a country to tax a business that doesn’t have a physical presence there, so it almost makes sense. If the tax does materialize, it’s a while away yet, as G20 countries are to go away and make make proposals for a final version to be created by 2020.

2. North Korean hackers are continually finding new ways to steal cryptocurrency from unsuspecting victims. The latest scandal sees hackers from the country going after the Bitcoin stashes of individuals . Previous tactics from North Korean hackers have targeted institutions likeuniversities and cryptocurrency exchanges . Analysts say that Pyongyang is using the method to generate additional income as the country buckles under international sanctions.

3. The Japanese Financial Services Agency (FSA) is looking set to deploy a regulatory framework for initial coin offerings (ICOs). According to local sources, the FSA is looking to protect citizens by limiting the amount one can invest in an ICO. The framework will also require ICOs to be registered with the agency too. While Japan may have granted the cryptocurrency industry self-regulatory status , this doesn’t prevent the FSA from setting some of the rules.

4. Venezuela’s President Maduro has done everything Satoshi Nakamoto said couldn’t be done and has manipualted the price of the country’s cryptocurrency, the Petro . Maduro has announced that the Petro has increased from 3,600 sovereign Bolivars to 9,000. That said, the cryptocurrency is barely a cryptocurrency, let alone a currency. There is still no wallet to support Petro, and purchases of the coin are issued to buyers with certificates (paper wallets). It would seem the cryptocurrency isn’t totally immune to inflation.

5. Mobile phone manufacturer, Huawei, made the launch of its Blockchain Services (BCS) earlier this month official in a press release published late last week. Much like Amazon’s recent announcement of its own blockchain cloud services, Huawei is claiming the service will help developers create, deploy, and manage blockchain applications. Huawei’s system is built on the open source blockchain software, Hyperledger Fabric.

Even though the cryptocurrency market has had one of its worst weeks this year, governments still want regulation, there are still hackers, and there are yet more talks of cryptocurrency taxes. Maybe these are the only things we can be certain of in cryptocurrency’s future.

Published December 3, 2018 ― 09:52 UTC

腾讯科技讯 据外媒报道，万豪称，在最近获悉遭遇大规模数据入侵后，它立即作出了反应。但是，网络安全专家称，该公司其实在三年前就有机会阻止这次大规模入侵事件发生。

上周五，万豪表示，从2014年到今年9月，它旗下的喜达屋酒店的订房数据库就一直遭到黑客访问而没有被察觉。

在2015年，喜达屋酒店曾报告称它遭到了一次规模相对较小的数据入侵。在这次数据入侵事件中，黑客在喜达屋酒店某些餐馆和礼品店的销售点系统中安装了很多恶意程序，以窃取支付卡信息。而在它宣布这个消息的4天前，万豪宣布斥资136亿美元收购了喜达屋酒店和全球度假屋，从而一跃成为了全球最大的酒店管理公司。

万豪称，在2015年发生的这起数据入侵事件与上周五发生的安全入侵事件完全不同，而且没有关联。但是，安全专家称，如果该公司对于2015年的安全入侵事件进行更彻底的调查，那么它很可能会发现这些黑客，而不至于让他们再在其订房系统中潜伏三年。

“他们拥有强大的资源，本可以在2015年就揪出这些黑客的。”安全公司Recorded Future Inc的研究员安德烈-巴里塞维奇（Andrei Barysevich）称。

“显而易见，此事牵涉到的各方都希望能够更早地发现这些黑客。”万豪发言人在上周日说，“在我们得知支付卡面临安全风险后，我们就立即进行了相关的调查，调查了处理支付卡的设备并收集了相关证据。”这个发言人拒绝对2015年的调查活动发表评论，声称这件事发生在万豪收购喜达屋酒店之前。而在2015年，喜达屋酒店声称，它认为，此次攻击并未影响到它的客房预订系统。

数据入侵规模只有雅虎比得上

此次数据入侵的规模只有雅虎比得上。在2014年和2013年，雅虎分别被窃取了5亿个用户和30亿个用户的个人数据。

这严重威胁到了万豪的声誉。在目前，万豪的统治地位不仅受到了传统竞争对手的冲击，而且还遭到了在线旅游房屋租赁服务公司Airbnb等新兴公司的挑战。此次数据入侵事件让万豪的股价在周五下跌了5.6%。

截至上周日，万豪还在调查此次数据入侵事件的原因和影响范围。它表示，它在今年9月8日第一次接到了安全警告，而且在11月19日确定黑客窃取喜达屋酒店客房预订数据库的信息后迅速通知了它的客户和管制机构。黑客可能获取了大约3.27亿个房客的护照本编号、旅游信息，甚至还包括信用卡信息以及姓名和地址。调查人员还发现了黑客创建的一个包含大约1.7亿个房客信息的文件，但是其中的信息量要少很多。

上周五，万豪开始给其房客发送电子邮件，这个过程可能需要数周时间。一些房客抱怨称，他们无法从万豪那里获得明确的信息：他们的信息到底有没有被窃取。上周日，万豪称，它还在鉴别第二份数据文件中的重复信息，以确定到底有哪些客户受到影响。美国联邦调查局（FBI）称，它一直在关注万豪的情况，而且纽约州、伊利诺伊州和马萨诸塞州的检察官也开始了调查。

几名民主党人士，包括弗吉尼亚州的参议员马克-华纳（Mark Warner）和马萨诸塞州的伊丽莎白-沃伦（Elizabeth Warren），均在上周五批评万豪，并呼吁建立全美国数据入侵法。“如果不设定相应的惩罚规定，这些CEO是不会认真担起保护我们的数据之责的。”参议员沃伦在微博网站Twitter上发推文说。

黑客们疯狂攻击酒店

在2014年，黑客们就开始了疯狂攻击酒店。到2015年，他们侵入到了希尔顿环球酒店、特朗普酒店和文华东方酒店等酒店的系统中。

专家称，这些黑客之所以瞄准酒店，是因为这些酒店的电脑上存有大量的信用卡数据，而且因为这个行业通常会有税收保护政策。“酒店行业从来没有成为安全的中心。”安全咨询公司Bishop Fox的合伙人文森特-刘（Vincent Liu）说。

其他标志性的数据入侵活动，例如2013年塔吉特公司遭遇的数据入侵和2014年索尼影视娱乐公司遭遇的数据入侵，均引起了广泛的注意，也激起了全行业内提高电脑安全漏洞的行动。“也许这也是整个酒店业的共同诉求。”文森特说。

虽然这些数据入侵事件导致企业在电脑安全方面的开支增加，但是它们却没有促使美国国会产生任何重大的行动。

在2011年，喜达屋酒店完成了一个代号为Valhalla的10年期项目，完成了升级其客房预订系统――这是一个大型的集中式数据库，用于为该公司在其遍布100个国家的大约1300个酒店中的大约37万个客房登记预订信息。

喜达屋酒店使用了它通过收购获得的很多不同的支付和资产管理系统，这使得其全球电脑网络很难保证安全。

“这是一个很好的攻击目标。”酒店行业顾问保罗-韦斯特（Paul West）说。尤其是支付系统最容易遭到攻击。“在某些地方，例如某些度假屋中的小酒吧，其支付系统根本没有人管理。”韦斯特说。

被窃信息还没有在黑市上叫卖

在2015年，喜达屋酒店称，这些黑客在该公司的网络中潜伏了大约8个月时间才被发现。起初，该公司称，它有54个酒店遭到数据入侵。两个月后，它又改口称，它有超过100个酒店遭到黑客攻击。

在2015年11月发布的一项声明中，喜达屋酒店称，它雇用了公司外部的安全专家来“全面调查”此次入侵事件。而且，它声称没有迹象表明喜达屋优先房客会员系统受到影响。“我们希望向我们的客户保证，我们采取了额外的安全措施来防止将来再发生类似的数据入侵事件。”一名高管说。

万豪称，这些黑客早在2014年就侵入了喜达屋的网络。黑客从该公司的系统中窃取了大量信息，并创建了两个很大的数据文件，最后设法从该公司系统中删除了这些信息。万豪称，它还不确定黑客是否也从万豪网络上删除了它们窃取的信息。

上周日，安全公司和万豪称，它们没有发现这些被窃数据在黑市上叫卖，这可能是因为黑客还无法从万豪的网络中删除它们窃取的信息。但是，安全公司Recorded Future的研究员安德烈称，考虑到此次入侵事件持续的时间，这似乎并不可能。

鉴于这些黑客并没有销售这些数据，而且这些数据本身非常敏感，例如包含护照本编号，一些政府官员和网络调查人员担心这些黑客可能是代表外国政府而不是犯罪组织在实施数据入侵。

研究员安德烈认为，这也不太可能。因为黑客通常会等待合适的机会再开始销售他们窃取的信息。“我们认为，这些数据迟早会被拿出来公开叫卖。”他说。（腾讯科技编译/乐学）

Friday’s news of Marriott’s massive breach sent shock waves throughout the cybersecurity industry and consumer sectors alike. Brian Krebs described the “colossal intrusion” and numerous other security experts joined in to analyze what missteps the chain may have taken, how the breach could have been prevented, and what we as an industry can learn from the catastrophe.

While we don’t yet know what exactly occurred, I have to say I’m not surprised. Given the nature of the hospitality industry, there’s no question that Marriott was checking the boxes on compliance―for example, they obviously were PCI compliant in order to store credit card information in member profiles. I’m not suggesting that compliance isn’t important, but a lot of people think that if they are compliant they are secure―and that simply isn’t the case.

I suspect that Marriott made compliance-driven investments rather than implementing a comprehensive security strategy that truly mitigated risk, and that’s why we’re analyzing their mistakes today.

I’ve seen it countless times across industries. This “compliance-first” mindset satisfies requirements and keeps the lawyers happy, but it also sets companies up for significant vulnerabilities and, quite often, devastating breaches. When companies are purchasing tools just to check the compliance box, security clearly is not the first priority. Worse, these products can actually take away from security value by adding the time and resource burdens of managing multiple tools to already strapped security teams.

My advice to all organizations that are analyzing their IT investments and strategies in light of the Marriott situation is to focus on security first, and as a result, you will become compliant.

Click here for a brief video from yours truly expanding on the above.

Reuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the Reuters publication, Microsoft researchers were closely tracking the same campaign.

Our sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like think tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas, chemical, and hospitality industries.

Microsoft customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at its early stages. Office 365 Advanced Threat Protection caught the malicious URLs used in emails, driving the blocking of said emails, including first-seen samples. Meanwhile, numerous alerts in windows Defender Advanced Threat Protection exposed the attacker techniques across the attack chain.

Third-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely overlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.

Regardless, due to the nature of the victims, and because the campaign features characteristics of previously observed nation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted organizations. As part of the Defending Democracy Program , Microsoft encourages eligible organizations to participate in Microsoft AccountGuard , a service designed to help these highly targeted customers protect themselves from cybersecurity threats.

The aggressive campaign began early in the morning of Wednesday, November 14. The targeting appeared to focus on organizations that are involved with policy formulation and politics or have some influence in that area.

Phishing targets in different industry verticals

Although targets are distributed across the globe, majority are located in the United States, particularly in and around Washington, D.C. Other targets are in Europe, Hong Kong, India, and Canada.

Phishing targets in different locations

The spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the identity of individuals working at the United States Department of State. If recipients clicked a link on the spear-phishing emails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote access to the recipients machines.

Attack chain

The spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.

The emails contain a link to a legitimate, but compromised third-party website:

The random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed variants of this link redirect to a specific link on the same site:

When users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack have the same file name, for example, ds7002.pdf , ds7002.zip , and ds7002.lnk .

The LNK file represents the first stage of the attack. It executes an obfuscated PowerShell command that extracts a base64-encoded payload from within the LNK file itself, starting at offset 0x5e2be and extending 16,632 bytes.

Encoded content in the LNK file

The encoded payloadanother heavily obfuscated PowerShell scriptis decoded and executed:

Decoded second script

The second script carves out two additional resources from within the .LNK file:

The first-stage DLL, cyzfc.dat , is created by the PowerShell script in the path %AppData%\Local\cyzfc.dat . It is a 64-bit DLL that exports one function: PointFunctionCall .

The second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the following steps:

The phase that writes to global data to the pipe actually writes a third payload. That payload is XORed with the same XORing algorithm used for reading. When decrypted, it forms a PE file with a Meterpreter header, interpreting instructions in the PE header and moving control to a reflective loader:

The third payload eventually gets loaded and connects to the command-and-control (C&C) server address that is baked-in inside configuration information in the PE file. This configuration information is de-XORed at the third payload runtime:

The configuration information itself mostly contains C&C information:

CobaltStrike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities, including escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI, performing reconnaissance, communicating with C&C servers over various protocols, and downloading and installing additional malware.

Microsoft Threat Protection is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data, cloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and threat remediation across services. In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced Threat Protection quickly mitigated the threat at the onset through durable behavioral protections.

Office 365 ATP has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation systems in Office 365 ATP caught behavioral markers in links in the emails, allowing us to successfully block campaign emailsincluding first-seen samplesand protect targeted customers. Three existing behavioral-based detection algorithms quickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows Defender ATP, which had a durable behavior-based antivirus detection ( Behavior:Win32/Atosev.gen!A ) for the second-stage malware.If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5 trial today.

Safe Links protection in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when customers try to open them. Zero-hour Auto Purge (ZAP) actively removes emails post-delivery after they have been verified as maliciousthis is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.

All of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection components. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office 365 ATP, as well the behavior-based antivirus detection.

Windows Defender ATP detects known filesystem and network artifacts associated with the attack. In addition, the actions of the LNK file are detected behaviorally. Alerts with the following titles are indicative of this attack activity:

Network protection blocks connections to malicious domains and IP addresses. The following attack surface reduction rule also blocks malicious activities related to this attack:

Through Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines, users, and the new Incidents view to trace the attack end-to-end. Automated investigation and response capabilities, threat analytics , as well as advanced hunting and new custom detections , empower security operations teams to defend their networks from this attack.To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, sign up for a free Windows Defender ATP trial .

The following Advanced hunting query can help security operations teams search for any related activities within the network:

The provided queries check events from the past ten days. Change EventTime to focus on a different period.

Windows Defender Research team, Microsoft Threat Intelligence Center , and Office 365 ATP research team

Files (SHA-1)

URLs

C&C servers

Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence .

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence .

The post Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers appeared first on Microsoft Secure .

One of the key aspects of the most recent Intel processor launch, its Core 9 th Generation processors, is that the new design affords some hardware-based protection for a couple of the Spectre and Meltdown family of security vulnerabilities. When these vulnerabilities were first discovered, they were patched using a combination of software and firmware, which unfortunately led to some performance regressions over an unpatched processor. The ultimate goal is for a hardware patch, which is always enabled, that loses zero performance we’re testing out what the new patches have for us today.

At the start of 2018, it was announced that two new architecture-based attack vectors had been discovered in modern computer processors . These vectors are based in what are called side-channel attacks: the ability to probe or infer what something else on the processor is doing without actually seeing the workload or its data. But more fundamentally than that, the reason these attacks can occur is down to how the processor is designed. Side-channel attacks on processor speculation, for example, can expose data that wasn’t even intended to be accessed by the program in the first place. And other side-channel attacks can break through memory permission barriers between software like a Buick through a barn.

Because security is the number one factor in all modern day computing (and unfortunately in some cases, an afterthought), this became a serious potential problem quite quickly. The specific vulnerabilities have so far mostly fallen under two broad headings which are now synonymous with these attacks: Spectre and Meltdown. For completeness, there are similar attacks that don’t fall under these headings, but side-channel security is still at the heart of what is being broken.

All vulnerable processor makers were told about these attack vectors around six months before the public, in what is known in the industry as responsible disclosure find a vulnerability, inform the vulnerable parties, and give them sufficient time to fix the issue before going public, in order to prevent any nefarious individuals exploiting it (and creating what is called a 0-day). In that time, the known attacks were analysed and software-related patches were built. For example, over the course of 2018, Intel started with its newest and high-priority platforms first, and slowly worked its way back through its product catalogue. Other companies had executed similar plans, however Intel has by far been the most high profile of them all.

One big issue surrounding these attacks is unsecured embedded systems running high-performance processors those that are deployed in the field and can be easily compromised. This is beyond the scope of this article, but it’s important to understand how many devices might still be vulnerable in ten years.

Since the disclosure of these new attack vectors, new vulnerabilities similar to them have been discovered but follow in the same vein. In order to protect against these issues, one extreme answer is a full top-to-bottom redesign of how modern computer processors are designed. This is a massive undertaking, so in the end we have a sliding scale of security patches.

Perhaps the easiest patch to implement is the operating system software patch . For home and office users, this is going to be the one that they experience first, given the prevalence of windows and Mac OS to provide regular updates to the security of their platforms.

However, not everything can be solved by a traditional software patch, especially when the offending areas of the CPU design cannot be adjusted in at a high level software. More fundamental aspects of the CPU might require a microcode update, which involves uploading very small and low-level code to the CPU to make important changes to the CPU and particularly to patch around errata.

The ideal way to distribute microcode updates is as part of a larger system firmware (e.g. BIOS) update, this way the updated microcode is available to the CPU immediately at boot. However it's also possible to distribute microcode updates at the OS level to be loaded alongside the OS and this is what has been happening given the serverity of the issue and the fact that OEMs tend to give up on firmware updates rather quickly. As a result, all the major OS vendors have been able to distribute the necessary microcode to affected CPUs through mainstream OS update mechanisms, allowing most PCs to be hardened against these attacks by combining the microcode fixes with OS changes to leverage the fixes.

But even as great as microcode is, it's still a software workaround for a hardware issue, incurring some performance penalties along the way . Ultimately there needs to be a hardware fix in place to ensure that the processor is secure at all times. This cannot happen on any current products, and requires new products over the next few years to have fixes in place.

Ultimately there are two types of hardware fix: a hardware patch or a hardware redesign . The hardware patch does the same as the software or microcode patches: stops the security issue. A hardware resign fundamentally changes the way the hardware operates, removing the issue entirely.

As stated, security is always a number one priority here. However priority one-point-five is performance. This is the reason for this review.

The reason why some of these new attack vectors have been so surprising is because they have arisen out of techniques designed to increase the performance of a modern day microprocessor. A key innovation to performance in the modern era is speculation the ability for the processor to ‘predict’ (for lack of a better word) what data will be needed by the software at a future date, saving long trips out to main memory and hiding those delays. One of the slowest things you can do on a modern processor is main memory latency, so a lot of work has gone in to optimizing the hardware that performs speculation and pre-fetching data. As a result, speculative execution is one of the cornerstones of modern, high-performance processors.

The security problem arises when data is pre-fetched but not needed. If another program can access that data or infer about what the data contains, which may have been within a secure area in main memory, it’s a security nightmare. Or even another program can access that speculative memory even during the speculation itself, it’s a nasty thing to track. In an ideal world, everyone keeps to their own lane and everything runs fast and smooth. However, in order to keep that part of the memory secure, a fix needs to occur: either a patch, or a fundamental redesign of the hardware.

The patches for security issues such as speculation, therefore, have the potential to be dire for performance. If all of a sudden one of the techniques for increasing single core performance was disabled, that’s a lot of performance out of the window. Depending on whom you ask, the performance results of the initial software and firmware patches varied.

Speaking with Intel and their own internal performance numbers on server workloads, there were three main trends to speak of: most of the performance regression happened with memory and IO-related workloads (due to what is called kernel switching, one of the fixes applied), it has more of an effect with faster storage such as NVMe-based SSD (because HDDs already take a longer time to be ready), and it affects the newest processors the least. Going through the numbers on their tests for cloud servers, an IO/compute mix workload on modern hardware, such as HHVM Wordpress, would experience a 9-10% decrease in performance. An older platform such as Broadwell-EP or Haswell-EP performs similarly in all tests before and after patch, but may experience a 30-60% decrease an synthetic IO bound workloads such as FIO (worst case scenario) Skylake-SP is less affected.

However, it was published in other media that some video game servers saw their game servers move from being 20% active to 50% active when the patches were applied. This increases costs and an inability to scale, so it has been suggested that some performance-limited deployments may not be using these fixes because of this. Others, such as compute-limited HPC, have seen no decrease in performance. Notably, it wasn’t even a topic at Supercomputing this year as to performance related issues.

The ultimate goal is to have a patch that minimizes the performance deficit, but keeps 100% of security. This has been erroneously reported in some press as the holy grail ‘hardware fix’, but those publications fail to differentiate between a hardware patch and a hardware redesign . A ‘simple’ hardware patch would still have many of the same performance issues as a software patch, just with the guarantee that said fixes are always there. But ultimately a hardware patch that minimizes performance loss is the goal.

If you have been following our coverage this year of Intel’s product portfolio, back in September it was announced that Intel’s next generation of server processors, Cascade Lake-SP, would implement a number of fixes at the hardware level . Lisa Spelman, VP of Intel’s Data Center Group, confirmed this in our interview, saying that the processor design hit the intercept for when the fixes were ready. Intel also stated that its Whiskey Lake 15W processors, built in the 14++ process, would have similar hardware fixes. And most recently, the new 9 th generation Coffee Lake Refresh process would also have the same fixes. As a result, we get a table like this of what is fixed and what is not:

Spectre and Meltdown on Intel

Families with Any Hardware Mitigations

So for the newest Core i9 Coffee Lake Refresh processors, CFL-R Intel has two hardware fixes, for Meltdown (aka Variant 3)and the closely related L1TF (aka Variant 5). All others will be covered by a mix of firmware and software patches.

As mentioned, the hardware fix is a minimum requirement for security, but says nothing about performance. The question then becomes if this fix is purely a patch, or something more. Out of all the vulnerabilities, Spectre Variant 2 has been quoted as the biggest source for performance regression.

Luckily, Intel has made this testing easy for us. The new 9 th generation Coffee Lake Refresh processors are microarchitecturally identical to the 8 th generation Coffee Lake family. As a result, we can take one processor from each, fix them to identical frequencies/core counts/memory, run them in the same motherboard with the same BIOS, and compare the benchmark results. This is what we did. If the hardware fix is more than just a patch, we should see the 9 th generation outperform the 8 th generation.

For our testing we took the newest Core i9-9900K and the special edition Core i7-8086K and initiated a face off. Each processor was set to four cores each with no hyperthreading, with the frequency set to 3.0 GHz for all workloads at all times. The motherboard of choice was our ASRock Z390 Pro Gaming Core i7, using BIOS P3.20, and we used 4x8GB of Crucial Ballistix DDR4-2666.

We ran through our whole benchmark suite, both our professional/office tests and our gaming tests using an MSI GTX 1080 at four different resolution/quality combinations. The results may shock you.

Rather than several pages of graphs with two values in each, here’s a summary of the results split up by section.

In all cases, performance was within the margin of error between both processors. The biggest single CPU test gain was 4.0% (in LuxMark C++) and the worst was -2.7% (in Agisoft). The usual culprits for this sort of test, DigiCortex and WinRAR, were both within the margin of error. As a result, this hardware fix appears to essentially be a hardware implementation of the fixes already rolled out via microcode for the current Coffee Lake processors.

Cascade Lake-SP has similar fixes, but also has a hardware patch for Spectre Variant 2. In our interview with Lisa Spelman, she stated that Cascade overall will offer higher performance than Skylake-SP.

The long and short of matters then is that based on the testing we've done thus far, it doesn't look like Coffee Lake Refresh recovers any of the performance the original Coffee Lake loses from the Meltdown and Spectre fixes. Coffee Lake was always less impacted than older architectures, but whatever performance hit it took remains in the Refresh CPU design.

But at least the security for the two variants that Coffee Lake has hardware patches for is baked in, no matter where that processor goes. And Cascade will improve that further. It will be interesting to see where the next set of hardware fixes will land. If we can get some numbers, we’ll let you know.

Cybersecurity is one of the hottest sectors in tech with Gartner predicting worldwide information security spending to reach $124 billion by the end of 2019. New startups and security solutions are coming onto the market while attackers continue to find new ways to breach systems. The security solutions market has grown at a rapid pace as a result. Our customers face immense challenges in integrating all these different solutions, tools, and intelligence. Oftentimes, the number of disconnected solutions make it more difficultrather than easierto defend and recover from attacks.

We invite you to participate in the Microsoft Graph Security Hackathon for a chance to help solve this pressing challenge and win a piece of the $15,000 cash prize pool . * This online hackathon runs from December 1, 2018 to March 1, 2019 and is open to individuals, teams, and organizations globally.

The Microsoft Graph Security API offers a unified REST endpoint that makes it easy for developers to bring security solutions together to streamline security operations and improve cyber defenses and response. Tap into other Microsoft Graph APIs as well as mash up data and APIs from other sources to extend or enrich your scenarios.

In addition to learning more about the Microsoft Graph and the security API, the hackathon offers these awesome prizes for the top projects:

In addition, all three winning projects, and the individuals or teams in the categories above, will be widely promoted on Microsoft blog channelsgiving you the opportunity for your creative solutions to be known to the masses. The criteria for the judging will consist of the quality of the idea, value to the enterprise, and technical implementation. You can find all the details you need on the Microsoft Graph Security Hackathon website.

Once the hackathon ends on March 1, 2019, judging commences immediately after by our amazing judges. Well announce the winners on or before April 1, 2019. The hackathon will be judged by a panel of Microsoft and non-Microsoft experts and influencers in the developer community and in cybersecurity, including:

We will announce more judges in the coming weeks!

Let the # graphsecurityhackathon begin

*No purchase necessary. Open only to new and existing Devpost users who are the age of majority in their country. Game ends March 1, 2019 at 5:00 PM Eastern Time. For details, see the official rules .

The post Kicking off the Microsoft Graph Security Hackathon appeared first on Microsoft Secure .

Protecting an organization from threats is becoming increasingly difficult, as the number and sophistication of threats continues to increase exponentially. A big issue is finding, prioritizing, and fixing vulnerabilities before they are exploited.

That has always been a top priority for security professionals, but the growing number of vulnerabilities makes it difficult, if not impossible, for legacy vulnerability assessment tools to be effective.

Many security tools, such as anti-malware and intrusion detection systems, have used artificial intelligence (AI) as a way to modernize and keep up with current trends, but the vulnerability assessment market has not. Infusing AI into this market would shift the market from treating all vulnerabilities as equal to enabling businesses to evaluate and prioritize them based on risk. However, one approach doesn’t replace the other, but rather complements, as both are required to protect against the widest range of attack vectors.

Vulnerability assessmenthas been a tried-and-true method for finding vulnerabilities for over a decade now. The technology looks for out of date software, operating systems that need patching, and other basic holes in software. There is obviously some value in vulnerability assessment, but it hasn’t evolved much in the past decade. vulnerability assessment tools struggle with discovering all enterprise assets, particularly with new types of enterprise assets, such as mobile devices, unmanaged assets, and Internet of Things (IoT) devicdes.

Also, vulnerability assessment doesn’t look for advanced attack vectors, such as bad passwords or phishing, which are often a bigger problem than unpatched systems.

Another issue with legacy vulnerability assessment is that it doesn’t prioritize the vulnerabilities it finds. Security teams see a massive list of vulnerabilities with no context. That means a contractor’s computer in an isolated segment would appear to have the same level of criticality as the CFO’s laptop that has out-of-date financial software. The security team is left to triage the list and determine which ones should be addressed first. This obviously wastes valuable time, is often unachievable, and exposes the company to unnecessary risk. Representative vulnerability assessment vendors include Rapid7, Qualys, and Tenable (formerly SecurityCenter). This is still important information, but it often lacks any insights to make it actionable.

Threat and vulnerability management (TVM) is a newer approach that layers on top of vulnerability assessment and uses security analytics to apply some logic and analysis to vulnerability assessment data to help understand the risk level of the associated vulnerabilities. Making sense of this data through manual inspection is impossible, as even the most seasoned security professional couldn’t connect the dots in the massive amount of data collected.

This is where analytics has value in that it analyzes the data in real time and uses multiple factors and logic to provide the security team with a list prioritized by risk. This is certainly a step function improvement from traditional vulnerability assessment, but it still doesn’t solve the whole problem.

First, one can’t forget about the information that the legacy systems provide ― it’s important because threat and vulnerability management tools don’t gather their own internal inventory data and use vulnerability assessment feeds. Like vulnerability assessment systems, threat and vulnerability management tools omit hundreds of advanced attack vectors, such as password reuse, phishing, and user behavior from their calculations. Nor do they take into account the actual business impact of assets and users. Also, there’s no sense of how to remediate the identified and prioritized issues. Many vendors play in this market, including Brinqa, Core Security, Kenna Security, and SkyBox.

So, what’s a security team to do? It looks like they need to run both a threat and vulnerability management tool and traditional vulnerability assessment. That might seem logical, but it’s suboptimal. Running dual security tools leads to something called “swivel chair management” where the administrator needs to quickly pivot between the two, and any kind of correlation must be done manually. Also, analyzing the data across systems isn’t feasible given the volume of data coming from the two systems.

A better approach is risk-based vulnerability management where both traditional vulnerability assessment and newer threat and vulnerability management capabilities are unified in a single platform. AI is used to continuously discover and update the enterprise inventory and to provide predictive risk analytics across hundreds of attack vectors, threats, business impact, and compensating controls.

This is akin to what’s happened in the anti-malware space where legacy vendors such as Symantec and McAfee catch known viruses, and AI-based companies such as Cylance are able to detect new malware. One doesn’t replace the other. Customers need both for maximum protection. Unfortunately, such a unified product doesn’t exist in the anti-malware market yet. But one does for risk-based vulnerability management. Balbix currently offers this capability, and Tenable has a defined roadmap to get there.

The Balbix/Tenable approach gives customers a complete view of the attack surface through a single pane of glass that includes vulnerability information across a very broad set of vulnerability types, as well as AI-derived risk and contextual information. The risk-based information and prioritized action list in the Balbix dashboard, for example, make it easy for security teams to ensure energy is being directed to close off the vulnerabilities and assets that could cause the most damage.

Locating vulnerabilities has been a core focus area for security professionals as long as we have had computer systems. Breaches occur when these vulnerabilities go unnoticed and unpatched. Traditional methods, such as vulnerability assessment and threat and vulnerability management,were effective in the past when the size of the attack surface was manageable. Today that's changed, and the attack surface has grown exponentially, as has the rate at which threats are hitting companies. AI-based risk-based vulnerability management provides security professionals with a complete view of the attack surface and the contextual knowledge to understand how to prioritize the security team's efforts.

Is your network ready for applications, automation, multi-cloud, containers and more? Here’s a truth bomb for you: the network that got us here today is not sufficient for tomorrow. Sorry to be sardonic, but here are the facts: today, new business models, cloud adoption, and the explosion of connected devices are now must-haves for organizations that are prioritizing digital transformation initiatives. But legacy network approaches rooted in hardware just don’t cut it anymore; technology is rapidly shifting and improving at a rate that is undeniably fast. To keep up, modern networks must be able to support operations across data centers, multiple clouds, branch locations, and edge devices while prioritizing security for the ever-growing amount of application data that flows from every point within a network.

Despite these shifts and needs, many organizations do not have a unified approach to management, automation, and security. Do you know if your network does? Find out how software-first networking can transform your business.

The Virtual Cloud Network Readiness Assessment can help you assess the current state of your network and security for free. By answering a few questions in this 10-minute survey, you’ll get a personalized report that summarizes your organization’s current capabilities against the IT priorities you share, including:

Whether the ultimate answer will lean toward “sometimes the truth hurts” or “sometimes knowing is half the battle,” this pop quiz will ultimately serve your organization, because “knowledge is power,” as they say. Put simply, the report can arm you with the knowledge you need to help take your organization to the next level. With it, you can sharpen your knowledge of how implementing networking and security entirely in software provides pervasive, end-to-end connectivity for your apps and data, wherever they are. If you’re ready to take the next steps, dive inhere.

Governance, risk, and compliance (GRC) programs are sometimes looked upon as the bureaucracy getting in the way of exciting cybersecurity work. But a good GRC program establishes the foundation for meeting security and compliance objectives. It is the proactive approach to cybersecurity that, if done well, minimizes reactive incident response.

Of the three components of cybersecurity―people, processes, and technology―technology is the viewed as the “easy button” because in relative terms, it’s simpler than drafting a policy with the right balance of flexibility and specificity or managing countless organizational principles and human behavior. Still, as much as we promote technology and automation at AWS, we also understand that automating a bad process with the latest technology doesn’t make the process or outcome better. Cybersecurity must incorporate all three aspects with a programmatic approach that scales. To reach that goal, an effective GRC program is essential because it ensures a holistic view has been taken while tackling the daunting mission of cybersecurity.

Although governance, risk, and compliance are oftentimes viewed as separate functions, there is a symbiotic relationship between them. Governance establishes the strategy and guardrails for meeting specific requirements that align and support the business. Risk management connects specific controls to governance and assessed risks, and provides business leaders with the information they need to prioritize resources and make risk-informed decisions. Compliance is the adherence and monitoring of controls to specific governance requirements. It is also the “ante” to play the game in certain industries and, with continuous monitoring, closes the feedback loop regarding effective governance. Security architecture, engineering, and operations are built upon the GRC foundation.

Without a GRC program, people tend to solely focus on technology and stove-pipe processes. For example, say a security operations employee is faced with four events to research and mitigate. In the absence of a GRC program, the staffer would have no context about the business risk or compliance impact of the events, which could lead them to prioritize the least important issue.

GRC has a symbiotic relationship

The breadth and depth of a GRC program varies with each organization. Regardless of its simplicity or complexity, there are opportunities to transform or scale that program for the adoption of cloud services, emerging technologies, and other future innovations.

Below is a checklist of best practices to help you on your journey. The key takeaways of the checklist are: base governance on objectives and capabilities, include risk context in decision-making, and automate monitoring and response.

__ Identify required compliance frameworks (such as HIPAA or PCI) and contract/agreement obligations.

__ Identify restrictions/limitations to cloud or emerging technologies.

__ Identify required or chosen standards to implement (for example NIST, ISO, COBIT, CSA, CIS, etc.).

__Conduct a program assessment based on industry processes such as the NIST Cyber Security Framework (CSF) or ISO/IEC TR 27103:2018 to understand the capability and maturity of your current profile.

__ Determine desired end-state capability and maturity, also known as target profile.

__ Document and prioritize gaps (people, process, and technologies) for resource allocation.

__ Build a Cloud Center of Excellence (CCoE) team .

__ Draft and publish a cloud strategy that includes procurement, DevSecOps, management, and security.

__ Define and assign functions, roles, and responsibilities.

__ Update policies based on objectives and desired capabilities that align to your business.

__Update processes for modern organization and management techniques such as DevSecOps and Agile, specifying how to upgrade old technologies.

__ Update procedures to integrate cloud servicesand other emerging technologies.

__Establish technical governance standards to be used to select controls and that monitor compliance.

__Conduct or update an organizational risk assessment (e.g., market, financial, reputation, legal, etc.).

__ Conduct or update a risk assessment for each business line(such as mission, market, products/services, financial, etc.).

__ Conduct or update a risk assessment for each asset type.

* The use of pre-established threat models can simplify the risk assessment process, both initial and updates.

__ Implement plans to mitigate, avoid, transfer, or accept risk at each tier, business line, and asset (for example, a business continuity plan, a continuity of operations plan, a systems security plan).

__ Implement plans for specific risk areas (such as supply chain risk, insider threat).

__ Use NIST Risk Management Framework (RMF) or other process to authorize and track systems.

__Use NIST Special Publication 800-53 , ISO ISO/IEC 27002:2013 , or other control set to select, implement, and assess controls based on risk.

__Implement continuous monitoring of controls and risk, employing automation to the greatest extent possible.

__ Link system risk to business and organizational risk

__ Automate translation of continuous system risk monitoring and status to business and org risk

__ Incorporate “What’s the risk?” (financial, cyber, legal, reputation) into leadership decision-making

__ Automate technical control monitoring and reporting (advanced maturity will lead to AI/ML).

__ Implement manual monitoring of non-technical controls (for example periodic review of visitor logs).

__ Link compliance monitoring with security information and event management (SIEM) and other tools.

__ Automate application security testing and vulnerability scans.

__ Conduct periodic self-assessments from sampling of controls, entire functional area, and pen-tests.

__ Be overly critical of assumptions, perspectives, and artifacts.

__ Integrate security operations with the compliance team for response management.

__ Establish standard operating procedures to respond to unintentional changes in controls.

__ Mitigate impact and reset affected control(s); automate as much as possible.

__ Establish a reporting tree and thresholds for each type of incident.

__ Include general counsel in reporting.

__ Ensure applicable regulatory authorities are notified when required.

__ Automate where appropriate.

Google just released the December 2018 Android security patch for Pixel and Nexus devices. It appears that we already have both factory image and OTA files ready to be downloaded for those willing to do some manual labor, or as always, you can sit back and wait for the update to arrive over-the-air (OTA) to your device.

So far, we are seeing new 9.0.0 files for Pixel 3 and Pixel 3 XL (PQ1A.181205.006) and Pixel 2 and Pixel 2 XL (PQ1A.181205.002). The regular Pixel and Pixel XL do not have December builds available just yet.

Other Google devices that still receiving security patches on Oreo are getting the following updates: Nexus 6P (OPM7.181205.001), Nexus 5X (OPM7.181205.001), and Pixel C (OPM8.181205.001).

You can grab each image or OTA file at the links below. For instructions on how to flash a factory image,here you go. For instructions on how to flash an OTA .zip file,here you go. To check for the update, head into Settings>System>Advanced>System update.

As more details arrive, we’ll update this post.