We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.

Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.

The simplest requirement for performing this kind of regular maintenance is knowing that the device exists. Ad hoc devices find their way onto large networks all the time. Sometimes through employees, either via BYOD programs or rogue devices, like routers, added to the network. Other times through third party contractors, who install networked devices like building management systems without coordinating with IT.

If a device is in a critical position, but unmanaged, ongoing lack of maintenance can result in a breakdown. As anyone who has used a computer long enough knows, malfunctions occur without help from an attacker.

An unmanaged computer or device can also be vulnerable to attack. For example, through outdated and vulnerable firmware or easily guessed default passwords. A successful attack can disable the machine, or use it as an origin point for further attacks.

In the video below, we took a look through the eye of our product to show what can happen with a malicious new addition to the network.

For more context, check out the blog post Why Are My Devices Surfing The Web? , and come back soon for more information on securing your network.

(This article was first published on r-bloggers STATWORX , and kindly contributed toR-bloggers)

We at STATWORX work a lot with R and we often use the same little helper functions within our projects. These functions ease our daily work life by reducing repetitive code parts or by creating overviews of our projects. At first, there was no plan to make a package, but soon I realised, that it will be much easier to share and improve those functions, if they are within a package. Up till the 24th December I will present one function each day from helfRlein . So, on the 4th day of Christmas my true love gave to me…

This little helper splits a given string into smaller parts with a fixed length. But why? Well I needed this function whilst creating a plot with a long title. The text was too long for one line and instead of just cutting it or let it run over the edges, I wanted to separate it nicely.

Given a long string like

We want to split it after split = "," with a maximum length of char = 60 .

The function has two possible output formats, which can be chosen by setting newlines = TRUE or FALSE :

An other use case could be a message that is printed at the console with cat() :

To see all the other functions you can either check out our GitHub or you can read about them here .

Have a merry advent season!

Numbers were always my passion and as a data scientist and statistician at STATWORX I can fullfill my nerdy needs. Also I am responsable for our blog. So if you have any questions or suggestions, just send me an email!

STATWORX

Sign Up Now!

前几天看到个PbootCMS，然后打算审计一波，网上找了这个cms之前的漏洞，看到有表哥审计过这个文章了， https://bbs.ichunqiu.com/forum.php?mod=viewthread&tid=45649&page=1#pid506915 ，可能别的表哥也发现了这个漏洞，这里简单说下我的思路。

这个漏洞目前找到5处，新版本和老版本不同的是新版本加了过滤，但是可以绕过，漏洞函数在ParserController.php里。在2330多行这里，parserIfLabel()方法中调用了eval函数。而且前面有过滤。先忽略过滤内容，一会回来看，看下哪里调用了parserfLabel方法。

找到了parserIfLabel()方法，而且从下面可以看到在ParserController.php中parserAfter()方法调用了parserIfLabel()方法。

再跟进下parserAfter()方法。根据注释和代码可以分析出这是这个模板在前端渲染的时候，解析标签步骤如下：解析框架标签，解析前置公共标签，解析当前位置标签，解析分类信息标签，解析内容标签，解析公共后置标签。问题出在最后一步“解析公共后置标签”这里，这里存在eval()函数调用。这个函数存在的地方其实可以用一句话表示：

只要存在把用户输入输出到前端的地方，就会有代码执行漏洞。

这个是新版本增加的过滤，这里有很多绕过方法，下面说三个：

下面找一下调用parserAfter()方法的地方，Index，About，Content，List，Search

验证下是否可以控制前端输出，以Index试一下，可以看到已经可以控制前端输出，说明存在漏洞

其他几处同理

POC:

留言那里还有一处，但是需要管理员开启留言展示，利用有限。

这个注入在1.3.2已经修复了，简单说下，漏洞存在于ParserController.php中parserSearchLabel()方法。新版本已经修复，参数名不能含有除了“-”，“.”外的特殊字符。

这个注入点在参数名，前面有AND，可以用报错注入。

目前FOFA客户端平台已经更新该漏洞检测POC。

本文由白帽汇编写，转载请注明 来自白帽汇Nosec： https://nosec.org/home/detail/2001.html

The hiring of a data protection officer is a key element of compliance with GDPR, but it's also an opportunity to differentiate your company.

The 2018 deadline for compliance with the General Data Protection Regulation (GDPR) is well behind us and we are adjusting to life under the European law. While the new set of rules aims to give EU citizens more control over their personal data, our borderless world economy means GDPR impacts any company that conducts business in Europe or collects data from EU citizens.

Businesses found to be in violation of the GDPR face a fine of 20 million ($22.1 million) or four percent of global revenues, whichever is greater. One requirement is the designation of a data protection officer (DPO). GDPR introduces this new DPO role and makes it mandatory for companies that meet certain criteria to have a DPO in place.

Your first step is to establish if you even need a DPO in order to comply with GDPR rules. You may be asking: Does this even apply to my company? The answer: It depends. It depends on how you are processing data, how much you are processing, and how you are retaining it. Article 37 of GDPR states that there are three scenarios under which a DPO is mandatory, they are:

But even with these guidelines, as Daniel Newman, Principal Analyst of Futurum Research, points out, the answer is not always clear cut. He does advise however that if your company is regularly gathering and processing large amounts of data without tossing it out once it is used, you should probably have a DPO.

Does your business process large amounts of personal data and retain it? Unfortunately, there is no clear definition of “large scale” in this instance, but much of the analysis to date advises that any company that collects and retains personal data on EU residents should consider their risk exposure and appoint a DPO.

If you’ve established that you need to designate a DPO, you need to ensure that person can work independently to conduct privacy assessments without any conflict so that your practices around data protection and compliance are up-to-date. The DPO must report to the top, without an intermediary in between the DPO and the highest management level.

Who should you place in this role? Article 37 states that the DPO may be a staff member of the controller or processor or fulfill the tasks based on a service contract. Many organizations are handling this by appointing existing people within the company and simply expanding roles. This is often the most efficient way to get a handle on this requirement for smaller businesses.

If adding the data protection oversight to an existing employee’s responsibilities is the chosen approach, this person must be given the appropriate training and GDPR education to manage the compliance framework. There are training programs to achieve DPO certification.

Small-to-medium-sized businesses who cannot hire a DPO in house may consider using a managed service provider for their DPO and outsourcing the responsibilities. This is not a violation of the law. A contract-service DPO may be the best option depending on the size of your organization and the available resources.

But for a large, multinational organization, this approach simply won’t do. A dedicated C-level data protection officer is a must, and they should have “expert knowledge of data protection law and practices.” The law does not specify what kind of background that entails.

Still, it is certain you will need someone with a deep understanding of GDPR, data privacy and processing, and how these new rules will continue to have an impact on future business operations. You will want someone with a long history in cybersecurity, risk and privacy who is experienced in audit and risk assessment practices.

Your DPO should also view the responsibilities of GDPR compliance as an opportunity to drive your business forward. Data privacy is not just an essential for compliance, it’s also a competitive advantage.

An estimate from the International Association of Privacy Professionals recently found that the GDPR would generate demand for 28,000 DPOs in Europe and America, and 75,000 worldwide. In a tight labor market, what will your organization bring to the table to these in-demand DPO candidates?

Now is the time to get your security and privacy vision articulated to make your company the place to be, and to recruit a privacy professional who is ready to take that vision into the future.

Jody Paterson is a trusted advisor and security thought leader who is a Certified Information Security Specialist (CISSP), a Certified Information Security Auditor (CISA), and CEO of ERP Maestro .

The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT ...View Full Bio

Everyone agrees that an enterprise’s application ecosystem must be protected, especially when data breaches are reported with alarming frequency and the average total cost of a breach comes in at $3.62 million . However, defeating increasingly severe threats requires a holistic approach to security , one that places an emphasis on managing not only application vulnerabilities but all software exposure.

In fact, the term “application security” should drop from every organization’s vocabulary and be replaced with the broader term “ software security .” Software serves as the backbone to much of the digital transformation taking place within organizations today, which is why it’s time for CIOs, security leaders, and DevOps team leaders to come together and plan for an evolution in the approach to securing software.

Mobile, cloud, the Internet of Things (IoT), microservices, and artificial intelligence have made software more complex. However, for most organizations the emphasis remains on speed over security, rather than building security into the DevOps process. Traditional security approaches have slowed the speed of development in the past, which is why developers may focus less on security requirements that required that they check off specific steps before resuming coding activities. Greater complexity requires a more holistic approach to software security, without compromising the need to deliver at the speed of DevOps.

Read more in this DarkReading article to learn why application security must be re-envisioned to support software security.

Living in the city of Atlanta, we have seen first hand what happens when an organization is not aggressive in addressing known vulnerabilities within their infrastructure. In addition, the recent Marriott breach proves the brand impact when cybersecurity programs aren’t actively managed and hackers have extended periods of time to linger in a system. With all of these breaches in the news, I recently walked out of a meeting with an Atlanta area municipality and the conversation turned to the 2020 budget season. The Director of IT made a point of saying that the City of Atlanta breach that occurred in March 2018 did indeed raise awareness for him and his peers. It also emphasized the need for maintaining a clearly articulated cybersecurity program. This awareness has loosened up some additional budget to fund some of his cybersecurity initiatives. However, he also made a point of clarifying this doesn’t mean unlimited access to funds.

With more and more of these breaches of cybersecurity occurring, it reinforces the importance of having a clear cybersecurity plan and budget laid out. One that can effectively communicate the program, the gaps, and the progress made year over year with the additional budget being used to fuel initiatives. According to Security Magazine , budgets are expected to increase by 15 percent over the next three years for cybersecurity across organizations small and large. Utilizing a transparent and organized plan will allow you to clearly present the need for an increased budget allocation for cybersecurity at your next board meeting.

Source: Billington Cybersecurity

There are plenty of reasons why organizations are slow to act, with a lack of budget and resources being at the top of the list. In today’s world where threats are constant, it is no longer just “Name Brands” that are being hacked. Any company or municipality that has gaps within its security is at risk. It is proving to be too costly to cross your fingers and hope it doesn’t happen to you. If you create a cybersecurity budget and plan that everyone in your organization is involved in it will help save you very costly hits to productivity, manpower, and other resources.

Organizations must fight for the budget to mitigate risk or they are essentially putting their head in the sand. In the City of Atlanta example, a $50k ransomware attack cost the city $2.6M to recover , far more than the hackers $50k ransom demand. Although politically unpopular to request more tax dollars or budget for cybersecurity, the changing landscape is requiring it. The City of Atlanta’s lost productivity, delayed revenues to the city coffers, and the negative press will end up costing the taxpayers way more than an increased investment on the front end.

For many organizations, auditors and consultants play a fleeting role. Once the audit is complete, they provide a report of their findings aligned to a control framework like NIST or ISO27001 and move on to the next account. These reports (like the one received by the COA) often provide glaring insights into the gaps in an organization’s cybersecurity posture. Unfortunately, without ongoing oversight or political will to invest in changes, these reports get put in the drawer when the next organizational fire drill takes precedence. Without an active, ongoing Cybersecurity Management plan with transparent executive oversight, many organizations are able to collectively “put their head back in the sand” and hope and pray that nobody exploits any of the known vulnerabilities.

There are plenty of reasons your organization should have sufficient cybersecurity budget in place. Here are three key points to justify the desired expense and why you should be creating your cybersecurity management plan right now:

Source: Health IT Security

To be able to get more money allocated for the cybersecurity budget you must clearly present the problems that are present without cybersecurity, the plan you will implement to protect the company’s assets, and justifications for the cost. Luckily, this is really not as intimidating to accomplish as it may sound. Organizations must build an ongoing Cybersecurity Management Program in order to communicate with their investors (be it a corporate board or taxpayer). Once you have this, it will be a lot easier to manage, as well as attain funding for. It is up to the organization to create a centrally organized “program” and use that as ammunition to justify increasing Cybersecurity budget requests. The challenge for many organizations is exactly how to start a Cybersecurity Management Program and prove it is worth the cost. Let’s take a look at the ways to make this happen:

This acquisition will help Netwrix customers adopt a data-centric security approach and focus on protecting their most valuable assets

Irvine, CA, December 4, 2018 ― Netwrix Corporation , provider of a visibility platform for data security and risk mitigation in hybrid environments, announced today the acquisition of Concept Searching, a global leader in semantic metadata generation, auto-classification and taxonomy management software.

After a year of successful technology partnership, Netwrix acquiredConcept Searchingto enhance customers’ contextual awareness into sensitive structured and unstructured data, both on premises and in the cloud. This investment firmly positions Netwrix in the data-centric audit and protection market and offers organizations seeking solutions a real alternative ― one with lower TCO, shorter time to value and significantly lower false positive rates. Together, Netwrix and Concept Searching deliver an integrated solution that will help organizations detect and mitigate data security threats in time to prevent real damage and slash compliance costs. Concept Searching will continue to support its existing customers and solutions.

Gartneradvisesend-user organizations to“identify the data security controls required to mitigate the risks and threats to each sensitive data type.Then, coordinate with each silo’s management team and data owners to apply the controls consistently across all silos and applications.” 1

“The acquisition of Concept Searching is a natural next step for our organization, enabling us to provide our customers with the ability to discover the sensitive data in their environment, and understand who has access to it and who is actually accessing it,” said Steve Dickson, CEO of Netwrix.

“We are excited to join the Netwrix team and bring our expertise and technology to help address the increasingly critical cybersecurity requirements of organizations worldwide. Our flexible metadata framework will continue to resolve a wide range of issues in the management of unstructured content for new and existing clients. The ability to integrate this unique technology with Netwrix’s leading offering will enable us to deliver an unrivaled solution to our clients and partners as we expand our leadership into the data-centric audit and protection market,” said Martin Garland, President of Concept Searching.

Terms of the transaction were not disclosed.

For more information on the acquisition, visit our FAQ page here:

https://www.netwrix.com/faq_concept_searching.html

For more information onNetwrix Auditor Discovery and Classification,visit ournew releasepage here:

https://www.netwrix.com/data_discovery_and_classification.html

1 Gartner, Market Insight: The Future of Data Security, October 2017, refreshed December 2018

Netwrix Corporation is a software company focused exclusively on providing IT security and

operations teams with pervasive visibility into user behavior, system configurations and data

sensitivity across hybrid IT infrastructures to protect data regardless of its location. Over

10,000 organizations worldwide rely on Netwrix to detect and proactively mitigate data

security threats, pass compliance audits with less effort and expense, and increase the

productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to

both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies

in the U.S. For more information, visit www.netwrix.com .

Concept Searching is the industry leader in semantic metadata generation, auto-

classification, and taxonomy management. It has a Microsoft Gold Application

Development competency and offers a complete suite of platform-agnostic content

analytics, insight and discovery solutions that address the entire portfolio of unstructured

information assets in on-premises, cloud or hybrid environments. The intelligent,

metadata-enabled solutions improve search, records management, identification and

protection of sensitive data, content optimization, migration, text mining, and eDiscovery.

Concept Searching is headquartered in the U.S with offices in the UK, Canada and South

Africa.

For more information about Concept Searching’s solutions and technologies, visit

www.conceptsearching.com .

###

Sponsored Content

Featured eBook

The State of DevOps Tools, A Primer

<Back to Blog Home

The latest talk in managing security programs is the ability to make “shift left” in terms of implementing controls. This concept translates to being able to not apply security controls post-implementation but rather during pre-implementation phases in a System or Software Development Lifecycle.

These stages (such as the Definition, Design, or even Development phase) can allow for security requirements to be conceptualized and applied before an Implementation phase.

The rise of regulations and demand for more agile engineering practices is forcing CISOs and security programs to develop more sophisticated ways to adhere to security requirements from regulations, internal governance, and clients.

The webinar will focus on how DevSecOps efforts are changing how we govern security controls via greater automation tools that are readily available to leverage. In addition, this webinar will show how the future can support for more cost effective governance models, regardless of industry or size of IT environment.

NASHUA, N.H. (BUSINESS WIRE) Respond Software teams up with ForeScout Technologies, Inc., a leading

IoT security company, to roll out a new technical integration called

Virtual ICS Threat Analyst Logic (VITAL). The partnership was initiated

by SecurityMatters, now part of ForeScout, to help automate threat

analyst decision-making processes for industrial control system (ICS)

asset owners.

The complexity of industrial environments has led to an increasing

number of ICS-specific cyber-threats, in which asset owners have no

visibility. Finding and scaling a team of skilled ICS security operation

center analysts, threat hunters, incident responders, and forensic

analysts is a challenge for all asset owners. The lack of available

skilled security personnel, combined with the fact that today’s security

teams are incredibly busy, makes it challenging to focus on priority

issues. The integration between ForeScout’s SilentDefense and The

Respond Analyst streamlines ICS security operations for critical

infrastructure asset owners by escalating and prioritizing critical

incidents, while eliminating false positive alerts.

“Ensuring the availability of critical infrastructure means being able

to defend these systems against malicious intent. It’s not feasible to

hire enough security experts that understand the nuances of ICS systems

and cyber threats,” says Curley Henry, deputy CISO, Southern Company.

“We need solutions that bridge the gap and give us the capability to

continuously monitor and analyze key networks and quickly make

appropriate decisions.”

ForeScout analyzes industrial network communications, provides rich

information about network assets and generates alerts in real time in

response to cyber threats. Respond Analyst is the first-of-its-kind

security decision automation software. Joint customers who implement

VITAL can feed detailed ICS analytics data from SilentDefense to Respond

Analyst. The Respond Analysts’ Intelligent Decision Engine comes

pre-built and ready to analyze and triage ICS alerts and escalate

detailed security incidents that require immediate response by a

security team.

“The success that leading ICS asset owners in the U.S. are already

having with VITAL is very exciting,” said Damiano Bolzini, vice

president of industrial and OT business unit, ForeScout. “Since today’s

security teams are working harder than ever, this integration between

ForeScout’s SilentDefense and Respond Analyst is strengthening our joint

customers’ ICS security teams by allowing them to focus on the serious

security issues.”

“It’s becoming increasingly important to protect our nation’s ICS

infrastructure with consistent and continuous monitoring,” said Chris

Triolo, vice president of customer success, Respond Software. “The

Respond Analyst decision engine has the combined experience of Respond

Software and ForeScout built in. Customers can add the critical capacity

and capability necessary to protect ICS assets without adding

additional staff.”

About ForeScout:

ForeScout Technologies, Inc. helps make the

invisible visible. Our company focuses on providing Global 2000

enterprises and government agencies with agentless visibility and

control of traditional andIoTdevices the instant they connect to the

network. Our technology integrates with disparate security tools to help

organizations accelerate incident response, break down silos, automate

workflows and optimize existing investments. Learn more at www.forescout.com

About Respond Software:

Respond Software delivers instant

ROI to organizations in their battle against cyber-crime. With its

patent-pending intelligent decision engine, PGO, Respond Software’s

product uniquely combines the best of human expert judgement with the

scale, thoroughness, and consistency of software. This

quick-to-implement, cyber-security decision automation software delivers

the equivalent of a virtual, best-of-breed analyst team that

dramatically increases capacity and improves monitoring and triage

Respond

veterans.

Contacts

Jane Callahan

Account Director, Press Friendly

Erin Anderson

ForeScout

Marketing Communications- US

Laura Lindeman

We’ve had a great year on the conference circuit, with close to 100 Salesforce employees highlighting their work externally in a talk! We’re sharing a roundup of some of the talks that were captured on tape in a series of three posts, organized by category. Feel free to bookmark the posts and come back later when you need a little break from holiday craziness to spend some time learning.

Up first: Security and DevOps.

Talk by John Althouse at DerbyCon

Last year we open sourced JA3, a method for fingerprinting client applications over TLS, and we saw that it was good. This year we tried fingerprinting the server side of the encrypted communication, and it’s even better. Fingerprinting both ends of the channel creates a unique TLS communication fingerprint between client and server making detection of TLS C2 channels exceedingly easy. I’ll explain how in this talk. What about non-TLS encrypted channels? The same principal can be applied. I’ll talk about fingerprinting SSH clients and servers and what we’ve observed in our research. Are those SSH clients what they say they are? Maybe not.

Tweet about it:

@ DerbyCon

@ 4A4133

#Security

Talk by Martin Vigo at DEFCON 2018

Voicemail systems have been with us since the 80s. They played a big role in the earlier hacking scene and re-reading those e-zines, articles and tutorials paints an interesting picture. Not much has changed. Not in the technology nor in the attack vectors. Can we leverage the last 30 years innovations to further compromise voicemail systems? And what is the real impact today of pwning these? In this talk I will cover voicemail systems, it’s security and how we can use oldskool techniques and new ones on top of current technology to compromise them. I will discuss the broader impact of gaining unauthorized access to voicemail systems today and introduce a new tool that automates the process.

Tweet about it:

@ defcon

@ martin_vigo

#Security

Talk by Sam Harwin at ACoD

Security professionals often struggle with getting buy-in, influencing their organizations and helping define the value of security tools. Further, we often focus on the technical aspects to the detriment of the ‘people’ and ‘process’ resulting in solutions that don’t get implemented to support the organization’s purpose or for security.

Also onour blog!

Talk by Maksim Shudrak at DEFCON

Practice shows that even the most secure software written by the best engineers contain bugs. Malware is not an exception. In most cases their authors do not follow the best secure software development practices thereby introducing an interesting attack scenario which can be used to stop or slow-down malware spreading, defend against DDoS attacks and take control over C&Cs and botnets. Several previous researches have demonstrated that such bugs exist and can be exploited. To find those bugs it would be reasonable to use coverage-guided fuzzing. This talk aims to answer the following two questions: ___ we defend against malware by exploiting bugs in them? How can we use fuzzing to find those bugs automatically? The author will show how we can apply coverage-guided fuzzing to automatically find bugs in sophisticated malicious samples such as botnet Mirai which was used to conduct one of the most destructive DDoS in history and various banking trojans. A new cross-platform tool implemented on top of WinAFL will be released and a set of 0day vulnerabilities will be presented. Do you want to see how a small addition to HTTP-response can stop a large-scale DDoS attack or how a smart bitflipping can cause RCE in a sophisticated banking trojan? If the answer is yes, this is definitely your talk.

Tweet about it:

@ defcon

@ MShudrak

#Security

Stella Cotton | Distributed tracing: From theory to practice

Traditional application performance monitoring is great for debugging a single app but how do you debug a system with… slideslive.com

Traditional application performance monitoring is great for debugging a single app but how do you debug a system with multiple services? Distributed tracing can help! You’ll learn the theory behind how distributed tracing works. But we’ll also dive into other practical considerations you won’t get from a README, like choosing libraries for your polyglot systems, infrastructure considerations, and security.

Tweet about it:

@ WebExpo

@ practice_cactus

#Monitoring

Watch the talk by Tuli Nivas at Velocity Conference(O’Reilly login required)

Automated anomaly detection in production using simple data science techniques enables you to more quickly identify an issue and reduce the time it takes to get customers out of an outage. Tuli Nivas shows how to apply simple statistics to change how performance data is viewed and how to easily and effectively identify issues in production.

Tweet about it:

@ VelocityConf

@ TuliNivas

#DevOps

Check back next week for another roundup post, featuring talks on Machine Learning, AI, and Big Data.

Researchers have discovered over 415,000 routers across the globe have been infected with malware designed to steal their computing power and secretly mine cryptocurrency.

The attack, which is still ongoing, affects MikroTikrouters in particular. For the record, the string of crypto-jacking attacks on the brand first began in August, when security experts discovered over 200,000 devices had been infected. The number has more than doubled since then.

While the majority of affected devices was initially concentrated in Brazil, data suggests there are tons of affected devices worldwide.

It is worth pointing out that the number of breacheddevices might be slightly off, since the data reflects IP addresses known to have been infected with crypto-jacking scripts. Still, the total amount of compromised routers is still pretty high.

“I t wouldn’t surprise me if the actual number of actual infected routers in total would be somewhere around 350,000 to 400,000,” security researcher VriesHD told Hard Fork.

Interestingly, while attackersused to favor CoinHive a mining software for privacy-oriented cryptocurrency Monero (XMR) the researcher notes there has been a significant shift to other mining software.

“ CoinHive, Omine, and CoinImp are the biggest services used,” VriesHD told Hard Fork. “It used to be like 80-90 percent CoinHive, but a big actor has shifted to using Omine in recent months.”

The swath of compromised routers was first discovered in August, after researchers reportedover 200,000 devicesin Brazil had been hijacked to secretly mine cryptocurrency.

By September, the total number of vulnerable devices had increased to a staggering 280,000 .

The good thing is that there is something victims can do to protect themselves. Security expert Troy Mursch from Bad Packets Report advises owners of the affected MikroTik devices to immediately download the latest firmware version available for their device.

VriesHD additionally points out that internet service providers (ISPs) can also help battle the spread of malware by forcing over-the-air updates to the routers.

“ Users should indeed update their routers, yet the biggest bunch of them are distributed by ISPs to their customers, who often have no idea what to do or how to update the router,” the researcher told Hard Fork. “Often these distributed routers are limited in their rights as well, not allowing users to update the routers themselves.”

“The patch for this specific problem has been out for months and I’ve seen ISPs with thousands of infections disappear from the list,” he added. Unfortunately, it appears tons of ISPs simply won’t take action to mitigate the attacks.

You can find the latest version of RouterOS on MikroTik’s website here .

Published December 4, 2018 ― 17:38 UTC

ZUG, Switzerland (BUSINESS WIRE) #blockchain ― Vereign

( https://www.vereign.com/ ),

the blockchain-powered solution for email security and identity

management, is launching its beta. Vereign’s seamless browser plugin

enables a security overlay in email clients, office programs, chat apps,

and more, that brings true confidentiality and authenticity to online

communication without interrupting workflows.

With 3.8 billion users worldwide, email is the most important means of

communication today. It’s extremely influential and vulnerable to

abuse. Malware and scams have caused billions of dollars in damage, and

over 90% of these scams initially travelled through email.

Vereign meets these challenges, transforming email authentication and

identity management with a range of features:

“I strongly believe in the viral power of Vereign,” says Georg Greve,

Co-Founder and Chairman of Vereign. “Email is one of the most powerful

tools given to us by the age of technology, and our mission is to

greatly enhance it with the advanced solutions available today.”

The Vereign beta is available on Gmail, and soon on Roundcube and

LibreOffice, and early access can be requested here: beta.vereign.com

About Vereign:

Vereign’s blockchain-based plugin solution brings integrity,

authenticity and confidentiality to online identities, data and

collaboration. Empowering businesses and individuals alike, Vereign is a

self-sovereign identity (SSI) and personal data store that answers to

the user.

Contacts

Company Media Contact:

Sharon Kaslassi

Blonde 2.0 for Vereign

扫码支付赎金勒索病毒被破解

腾讯电脑管家将提供解密工具和人工服务

北京晨报讯（记者 韩元佳）根据网友求助和多家安全机构确认，近日国内出现了要求扫码支付赎金的勒索病毒。该病毒入侵用户电脑后会加密用户文件，并要求受害者扫描弹出的微信支付二维码支付110元赎金，获得解密钥匙。微信支付表示，已第一时间对所涉勒索病毒作者账户进行封禁、收款二维码予以紧急冻结。微信用户财产和账户安全不受任何威胁。腾讯电脑管家也表示，经过紧急处置，第一时间对该病毒进行破解，并发布解决方案。

腾讯电脑管家团队表示，从多个用户机器提取和后台数据追溯看，该病毒的传播源是一款叫“账号操作V3.1的易语言软件，可以直接登录多个QQ账号实现切换管理。一经感染，该勒索病毒会加密用户电脑中的txt、office文档等有价值数据，并在桌面释放一个“你的电脑文件已被加密，点此解密”的快捷方式后，弹出解密教程和收款二维码，强迫受害用户通过手机转账缴付解密酬金。

据火绒安全团队监测，截止到12月3日，已有超两万用户感染该病毒，被感染电脑数量还在增长。该病毒还窃取用户的各类账户密码，包括淘宝、天猫、阿里旺旺、支付宝、163邮箱、百度云盘、京东、QQ账号，建议被感染用户尽快修改上述平台密码。

腾讯电脑管家团队表示，经过紧急处置，第一时间对该病毒进行破解，并连夜研发解密工具，首创无密钥解密工具，即便用户重装系统或者其他原因丢失密钥也能完美恢复被加密的文件。除此以外，腾讯电脑管家内置的勒索病毒行为拦截、文档守护者等功能，可以最大限度帮助已中招的网友查杀病毒并修复被加密破坏的文档。需要注意的是，该勒索病毒可能通过任何形式的支付方式索要转账，若遭遇勒索，不要付款，及时报警。腾讯电脑管家表示，将提供解密工具和人工服务，协助用户处理相关情况。

Marriott Breach Encryption Exploited

kdobieski

Tue, 12/04/2018 09:12

And now Marriott reveals that intruder tactics included encrypting information from the hacked database, a move that is often used to avoid detection when removing the stolen information from a company’s network. This type of blind spot is not as uncommon as we’d like to think. A recent Venafi study revealed that “Nearly a quarter (23%) of security professionals don’t know how much of their encrypted traffic is decrypted and inspected.”

According to Michael Thelander, Director of Product Marketing at Venafi, “Session logging might tell where SSH keys were used while the attackers were in the network, but there’s a real possibility that keys could have been exfiltrated in parallel with the data. If that’s the case, we may not know it happened until newly-decrypted payment card data begins to drive new fraud schemes.”

Even worse, the company cannot confirm that stolen keys are all accounted for. According to Krebs on Security , “customer payment card data was protected by encryption technology, but that the company couldn’t rule out the possibility the attackers had also made off with the encryption keys needed to decrypt the data.”

As Robyn Weisman states in her coverage of the GAO report on the Equifax breach, “what should have been a secure tunnel for the safe transmission of legitimate data became a secure tunnel for exfiltrating stolen private financial records.” In the case of Marriott, the information includes some combination of name, mailing address, phone number, email address, passport number.

To me, this only underscores why organizations need to have a complete an accurate accounting of all of their machine identities, such as TLS certificates and SSH keys. Continuous monitoring of all keys and certificates is the only way that organizations can detect when any of these machine identities is doing something that may indicate suspicious activity. Any key or certificate that is out of your control is one that is available for use by attackers.

As Thelander sums up, “Without constant visibility into the location of the keys and certificates that protect machine identities, there’s no way of knowing what systems are vulnerable, where pivots have occurred, and where new attacks will be pointed.”

Related Posts

Scott Carter

Every time I see a breach such as the recent one at Marriott, I look for details of how encryption was misused to hide or prolong the breach and the resulting exfiltration. (It’s an occupational hazard of working for the leader in machine identity protection). But even though I know that encryption plays a critical role in many of these breaches, details about how keys and certificates were misused in attacks are not often forthcoming.

Earlier this year, we did see an example of how a certificate gone wrong may have prolonged a breach. The U.S. Government Accountability Office (GAO) released a comprehensive report that revealed that an expired certificate on an SSL/TLS inspection system was not replaced for 10 months or so. This may have allowed attackers to exfiltrate data undetected for an extended period of time.

Read here to find out.

Explore now.

Recent Articles By Author

What Executives Need to Know about New NIST Guidelines for TLS Management Sennheiser Debacle: The Consequences of Poorly Secured Certificates OCSP Must-Staple; Revocation Solution More from kdobieski

*** This is a Security Bloggers Network syndicated blog from Rss blog authored bykdobieski. Read the original post at: https://www.venafi.com/blog/marriott-breach-encryption-exploited

近年来，云计算受到广泛关注，它拥有强大的计算能力，可以帮助人们执行复杂的计算。 但是，在保护用户数据私密性的前提下，如何利用云计算的强大计算能力是云计算从理论走向实用必须解决的关键问题。在此迫切需求下，全同态加密如约而至。从数学上说，同态就是 保持运算，即先运算再同态与先同态再运算所得到的结果是一样的。而全同态加密是一类特 殊的加密方案，它允许用户通过加密保护数据的私密性，同时允许服务器(比如“云”)对密文执行任意可计算的运算 ( 同时包含加法、乘法 )，得到的结果是对相应明文执行相应运算结果的某个有效密文。这个特性对保护信息的安全具有重要意义：利用全同态加密可对多个密文进行同态计算之后再解密，不必对每个密文 解密而花费高昂的计算代价;利用全同态加密可以实现无密钥方对密文的计算，既可以减少通信代价，又可以转移计算任务，由此可平衡各方的计算代价;利用全同态加密可以实现让解密方只能获知最后的结果，而无法获得每个密文的消息与同态计算方式，可以提高信息的安全性。正是由于全同态加密技术在计算复杂性、通信复杂性与安全性上的优势，越来越多的研究力量投入到其理论和应用的探索中。

鉴于全同态加密的强大功能，一经提出便成为密码界的公开问题，被誉为“密码学圣杯”， 由 Gentry 在 2009 年摘取。之后，全同态加密迅速吸引了一批资深专家、学者对之进行广泛、深 入的研究，并取得了一系列的成果。目前可以构造全同态加密的密码学假设主要有:理想格上的 理想陪集问题(Ideal Coset Problem, ICP)、整数 上的近似最大公因子问题(Approximate Greatest Common Devisior, AGCD)、带错学习问题(Learning with Errors, LWE)等等。

下面我们先从构造技术的发展来分类介绍全同态加密的研究进展，然后给出一个简单易懂的全同态加密实例，最后介绍全同态加密的典型应用。

这些被称为第一代全同态加密方案。

随着 Gentry 全同态加密方案的提出，人们开始尝试基于 (R)LWE 构造全同态加密方案，并 结合理想格的代数结构、快速运算等优良性质 来进行方案的优化和实现，最终取得了巨大的成功。

以上方案与第一代方案相比，无需压缩解密电路，也就不需要稀疏子集和假设。这样一来， 方案的效率与安全性都得到极大的提升，但在同态计算时仍然需要计算密钥的辅助，故被称为第二代全同态加密方案。

上述所有方案无论是层次型的还是纯的全同态加密，都需要“计算密钥”(私钥信息的加密， 可以看做公钥的一部分)的辅助才能达到全同态的目的。但是计算密钥的尺寸一般来说都很大，是制约全同态加密效率的一大瓶颈。

在全同态加密领域，有时不但要保护好数 据的私密性，而且要保护好电路的私密性。电路的私密性是指同态计算出来的密文不泄露电路的任何信息，也就是说只有执行同态运算的人才知道电路，而其他人 ( 包括解密者 ) 都不能从同态计算出来的密文挖掘出电路的信息。

在短短的 10 年内，国际上在全同态加密技术方面已经取得了丰硕的成果，全同态加密也从第一代发展到了第三代，其效率与安全性都得到了极大地提升。

全同态加密除了传统公钥加密拥有的密钥生成、加密、解密等算法外，还有一个同态计算算法。为了清晰地叙述 GSW，我们增加了参数设置算法 Setup，并把密钥生成算法分解为私钥生成算法和公钥生成算法。注意到任意电路可以分解为一系列的加法和乘法运算，因此我们还把同态计算算法分解为同态加法和同态乘法。

考虑有限域 Zq, 判定型 LWE 就是区分(B,sB+e)与(B,u)，这里B←Zq(n-1)m,s←Zqn-1,e ← Dm, u ← Zqm。Regev 证明了 LWE 是困难的。 目前人们普遍认为 LWE 甚至是抵抗量子攻击的。

设 G 是一个具有下面性质的公开矩阵: 对任意的 u，容易抽取满足 G G-1(u) = u 的短向量 G-1(u)。

现在我们详细描述 GSW 方案:

Setup(1n,1L): 给定安全参数 n，最大同 态深度 L，选取公共参数 prms = (n,m,q,D), 令 K=" logq 」+1。

SKGen(prms): 随机选取 s ← Zqn-1, 令私钥 sk = t = (-s||1) ∈ Zqn 。

PKGen(sk): 随机选取矩阵 B ← Zq(n-1)×m, 抽 取高斯错误e←Dm, 计算b = sB+e, 令公钥pk = A = (B, b) ∈ Zqn×m。

Enc(μ,pk): 给定明文消息 μ ∈ {0,1}， 随机选取矩阵R←Z2m×nk, 计算密文C= AR+μG ∈ Zqn×nk。

Dec(sk, C): 令 w = (0,0,...,q/2)T, 先 计 算 tC- G-1(w) =μtw+e=μq/2 + e，再根据该数值的大小 判定出消息是 0 还是 1。

注意:只要密文满足形式 C = AR+μG(称 为解密形式)且 R 是一个小矩阵，就可以成功 解密。

Add: C1"

Following last week's indictment, federal governments issues pointers for how security pros can combat the SamSam ransomware.

The Department of Homeland Security (DHS) and the FBI issued an advisoryyesterday for organizations looking to combat the SamSam ransomware.

The advisory comes on the heels of last week's six-countindictment of two Iranian men that alleges they have collected more than $6 million in ransomware payments and have caused more than $30 million in losses to victims.

Jon DiMaggio, senior threat intelligence analyst at Symantec, says the security vendor has documented that out of 67 attacks in 2018, 56 were conducted in the United States. The federal indictment cites more than 200 victims, primarily in government, critical infrastructure, and healthcare.

The DHS/FBI advisory offers 14 tips for security pros, many of them standard best practices, such as keeping good off-site backup and enabling strong passwords and account lockout policies to prevent brute-force attacks.

"Keep in mind that the attackers are basically doing what pen testers do: They are scanning for open ports," DiMaggio explains.

Out of the list of 14 points, these three will do the most to keep the SamSam ransomware at bay, he says:

"By taking these steps, security pros will force the attackers to change their tactics," DiMaggio says. "By blocking off the publicly accessbile endpoints, the attackers will have to go to a more sophisticated type of attack, like spear-phishing with a back door.”

The SamSam ransomware hit the city ofAtlanta especially hard last spring, infecting five of the city's 13 departments. As of now, the motive for the attacks has been financial, but no other details have been released.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.View Full Bio

The latest innovation for intelligent security, the Salient Security

Platform, is a unified platform that is simple, scalable and secure with

seamless migration services

AUSTIN, Texas (BUSINESS WIRE) Salient Systems Corporation , an industry-leading innovator of

unified security solutions , today announced the launch of

its new CompleteView 20/20 Video Management Solution.

With Salient’s robust and flexible UI, users can manage and

administer enterprise security solutions up to 30% faster. Superior

command and control tools, seamless third-party integrations, and

advanced analytics enable Salient’s comprehensive management solution to

meet security needs today and tomorrow.

Take advantage of:

GeoView supports both satellite and image-based maps to provide

flexible map management

Auto Map Switching enables operators to switch a camera

and map view in relation to the monitored facility

Custom Tabs creates tabs for individual cameras and view

layouts for instant access

Global Text Search instant keyword search of events, cameras,

views and servers

Advantaged Remote Investigations accelerated playback and search

Advanced Video Analytics AI based video synopsis

“We are pleased to offer this sophisticated and powerful security

solution. Our commitment toour customers will enable them to benefit

from a truly unified, open architecture platform and to take advantage

of the latest in video technology innovations,” says Chris Meiter,

President of Salient Systems. “True to our corporate history, we

continue to provide flexible and user-friendly software, open access,

integration and interoperability with comprehensive support,” says

Meiter.

As customer demand and behavior drive digital transformation, video

technologies become increasingly important. Leveraging intelligent video

technology to mitigate risk, improve services delivery and drive

positive business outcomes are cornerstones of the Salient Security

Platform. Industries such as retail, banking, education, manufacturing

and more, trust Salient to deliver advanced solutions.

To review the full feature set for CompleteView 20/20 or to schedule a

demo. https://www.salientsys.com/products/cv20-20

About Salient

Salient is a leading provider of comprehensive enterprise video

surveillance management systems. Salient Security Platform provides a

full range of applications for unmatched scalability, a fully open

architecture, ease of use, and the lowest total cost of ownership.

CompleteView 20/20, Salient’s next generation of intelligent video

management software provides both the simplest path to move from analog

to digital video and the power to control your security installations

from a unified interface.

Contacts

Mary Wilbur

This week, hijacking printers to promote a YouTube channel, fake iOS apps that steal money, Google patches 11 critical RCE Android Vulnerabilities, Marriott hack hits 500 million Starwood guests, and getting Pwned through an oscilloscope! Jason Wood from Paladin Security joins us for expert commentary to discuss how the “Iceman” hacker was charged with running a drone-smuggling ring from jail!

Those buying flowers for Mother’s Day or looking to send a plant for a birthday could find their thoughtful gestures reaping a crop of misery: Payment card data has been lifted from the Canadian online outpost of 1-800-Flowers, in an incident that has persisted for four years.

The site’s operating company, Ontario Inc., filed a notice with the attorney general’s office in California in accordance with the Golden State’s data breach notification requirements. It said that its security team noticed suspicious activity, and upon investigation discovered in October that there had been unauthorized access to payment card data used to make purchases on the Canadian website.

The impacted data consisted of basic card info: First and last name, payment card number, expiration date and card security code.

The standout point here though is how long shoppers were affected: Ontario said that it thinks that the data exposure lasted from August 15, 2014 to September 15 of this year. The obvious culprit would be card-skimming malware, which raises the question of how it could be installed and active for that long without detection; however, a misconfiguration or a website vulnerability could also be to blame, which would better account for the long window.

Ontario didn’t say how many were impacted, but California’s law requires a notification if 500 or more state residents are affected. And, the Canadian Post reported that 75,000 Canadian orders were involved. A spokesperson characterized the issue as affecting “a small number of orders.” The main U.S. website was not affected.

“We take the security of our customers’ personal information very seriously,” Ontario said. “To help prevent a similar incident from occurring in the future, we have redesigned the Canadian website and implemented additional security measures. We are also working with the payment card networks so that banks and other entities that issue payment cards can be made aware.”

This is the latest in araftof data breaches over the past week, includingthose impacting United States Postal Service , Dell EMC , Dunkin Donuts ,Marriott andQuora.

Threatpost will continue to update this developing story with any additional coverage.

Customers of Dutch clothing company OppoSuits have been warned to monitor their credit card accounts after the firm reported that malware planted on its website could have stolen the details of customers who made purchases from its Australian, Canadian, EU and UK websites.

In a statement on Monday (Tuesday Australian time), the firm said that those who had made purchases from its American, German, Dutch, Belgian and French sites were not affected.

An OppoSuits spokesperson told iTWire that 7000 customers whose data may have been compromised had been contacted on Monday. The rogue software was discovered on 22 November.

While the company did not detail the malware planted, it appears to have been another attack by one of the Magecart groups that inject code into payment pages on shopping sites and steal credit card details.

on Magecart which they said included several groups.

In the statement, OppoSuits said the information which could have been compromised included names, addresses, email addresses, telephone numbers and credit card details.

"We have been working with appropriate local and international authorities, security experts, and payment service providers to understand how the data was compromised, and have taken security measures as described in the next bullet point," OppoSuits said.

"Our security experts have removed the malignant software from the affected websites upon discovery. The check-out page on all our websites is now diverted to the Hosted Payment Page of our payment service provider Adyen where an extra layer of security is added.

"Our server files dating back to the first day of the breach have been secured and we have initiated an in-depth security audit."

With 4 keynotes + 33 talks + 10 in-depth workshops from world-class speakers, YOW! is your chance to learn more about the latest software trends, practices and technologies and interact with many of the people who created them.

Speakers this year include Anita Sengupta (Rocket Scientist and Sr. VP Engineering at Hyperloop One), Brendan Gregg (Sr. Performance Architect Netflix), Jessica Kerr (Developer, Speaker, Writer and Lead Engineer at Atomist) and Kent Beck (Author Extreme Programming, Test Driven Development).

Register now for YOW! Conference

Sydney 29-30 November

Brisbane 3-4 December

Melbourne 6-7 December

Register now for YOW! Workshops

Sydney 27-28 November

Melbourne 4-5 December

REGISTER NOW!

Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has the high potential to be exposed to risk.

It only takes one awry email to expose an accounts’ payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 Steps to Improve your Business Cyber Security’ you’ll learn some simple steps you should be taking to prevent devastating and malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you’ll learn:

How does business security get breached?

What can it cost to get it wrong?

6 actionable tips

DOWNLOAD NOW!