
6 Ways to Strengthen Your GDPR Compliance Efforts


Companies have some mistaken notions about how to comply with the new data protection and privacy regulation - and that could cost them.



We've now hit the six-month mark with GDPR, and all indications show companies are taking the data protection and privacy regulation seriously. In fact, a study by TrustArc published in the summer found that 74% of those surveyed in the US, UK, and throughout the EU expected to be compliant by the end of 2018 and 93% by the end of 2019.

All good news, but there's always dirt under the rug. Companies are making some serious oversights that could hurt them down the road.

"Keep in mind that the required implementation takes time, money, resources, and energy, but organizations need to realize that the $1 million spent to enact stronger security measures may be necessary to avoid a $10 million fine," says Matt Radolec, head of security architecture and incident response at Varonis.

Another important point: Many companies think that GDPR applies mainly to customer data, but its protections also apply to their own employee data and data about their customers' customers.

"Many think that if they are a B2B company, GDPR is not for them, but that's not the case," says Enza Iannopollo, a senior analyst on Forrester's Security & Risk team.

What other points should your company keep in mind? Read on for six tips on how to improve your GDPR program.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md.



UDL files and connection strings


A co-worker showed me a really neat trick the other day. We deal with a lot of connection problems and one of the first places I look is the connection string. Now I’ve gotten pretty good at it over the years and more often than not I can point to problems. However, those other times can be a real pain. There is a great reference for connection strings but even it doesn’t always help. So what was the trick?

It turns out that UDL files are mapped to something called OLE DB Core Services.



This neat little tool will let you test or create connection strings.

Create

I haven’t found a way to just open the tool but if you create a udl file and double click on it then it will open.



Currently, it's blank, and the first step is to confirm the provider on the Provider tab. I'm switching from the OLE DB provider for MS SQL to SQL Server Native Client 11.0.



Next fill in the server, login (trusted or SQL Id) and the initial database if any.



Last but not least you have the Advanced options (only the connection time in this case) and then you can hit Test Connection. Assuming it tests correctly you can now close the tool and open the UDL file with a text editor. In this case here are the contents:

[oledb]
; Everything after this line is an OLE DB initstring
Provider=SQLNCLI11.1;Integrated Security=SSPI;Persist Security Info=False;User ID="";Initial Catalog=:smiley_cat:&:tiger:&:bear:o:raising_hand:;Data Source=KENNETH-LAPTOP\SQL2016CS;Initial File Name="";Server SPN=""

And you’ll see that line 3 of the file is the connection string. Of course, there are other ways to create connection strings but this is pretty handy.

Now, my favorite part of this is the ability to test them.

Test

First, create a UDL file just like before and open it with a text editor. Here’s where things got weird. Those first two lines? I had to copy them exactly into the new file. I’m guessing there are other options here but I don’t know them and every letter had to be exact for this to work. Once that was done however I was able to put my connection string in with very limited information.

[oledb]
; Everything after this line is an OLE DB initstring
Provider=SQLNCLI11.1;Integrated Security=SSPI;Data Source=KENNETH-LAPTOP\SQL2016CS

I save the file, then double click on it and the editor comes back up. And this time I was able to just hit the connection test button and confirm that it works! I can of course also make changes, test them and then look in the file to see the results.
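An added example, not code from the original post: a small C program that pulls line 3 out of a .udl file (the layout shown above: "[oledb]", the comment line, then the init string) and masks Password / PWD values before the connection string is pasted into a ticket, chat or log. The file content, the host name DBHOST\SQL2016CS and the credentials in it are constructed for the demo, and the parser assumes the file has already been read into an 8-bit string (assumption: the Data Link dialog may save the file as UTF-16, in which case convert it first).

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed sample .udl content (not the post's file): CRLF line endings, a
   placeholder host, and a quoted password that itself contains ';'. */
static const char SAMPLE_UDL[] =
    "[oledb]\r\n"
    "; Everything after this line is an OLE DB initstring\r\n"
    "Provider=SQLNCLI11.1;Persist Security Info=True;User ID=app_user;"
    "Password=\"hunter2;x\";Initial Catalog=Inventory;Data Source=DBHOST\\SQL2016CS\r\n";

/* Copy line 3 of a .udl file (the init string) into out.
   Returns its length, or -1 if the layout is unexpected or out is too small. */
int udl_init_string(const char *udl_text, char *out, size_t outlen)
{
    const char *p = udl_text;
    for (int i = 0; i < 2; i++) {            /* skip "[oledb]" and the comment line */
        p = strchr(p, '\n');
        if (p == NULL) return -1;
        p++;
    }
    const char *end = strchr(p, '\n');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    if (len > 0 && p[len - 1] == '\r') len--; /* tolerate CRLF */
    if (len + 1 > outlen) return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Case-insensitive match against the keys that carry a credential. */
int is_secret_key(const char *key, size_t klen)
{
    static const char *const secret_keys[] = { "Password", "PWD" };
    for (size_t i = 0; i < sizeof secret_keys / sizeof secret_keys[0]; i++) {
        const char *s = secret_keys[i];
        if (strlen(s) != klen) continue;
        size_t j = 0;
        while (j < klen && tolower((unsigned char)key[j]) == tolower((unsigned char)s[j])) j++;
        if (j == klen) return 1;
    }
    return 0;
}

/* Append n bytes of src to out at offset *o, keeping out NUL-terminated; -1 if it won't fit. */
static int append(char *out, size_t outlen, size_t *o, const char *src, size_t n)
{
    if (*o + n + 1 > outlen) return -1;
    memcpy(out + *o, src, n);
    *o += n;
    out[*o] = '\0';
    return 0;
}

/* Rewrite "Key=Value;..." into out with secret values replaced by "***".
   A Value may be double-quoted, in which case it may itself contain ';'. */
int redact_init_string(const char *cs, char *out, size_t outlen)
{
    size_t o = 0;
    const char *p = cs;
    out[0] = '\0';
    while (*p != '\0') {
        const char *eq = strchr(p, '=');
        if (eq == NULL)                       /* no more pairs: copy the tail verbatim */
            return append(out, outlen, &o, p, strlen(p)) == 0 ? (int)o : -1;
        size_t klen = (size_t)(eq - p);
        const char *v = eq + 1, *vend;
        if (*v == '"') {                      /* quoted value ends at the closing quote */
            const char *q = strchr(v + 1, '"');
            vend = q ? q + 1 : v + strlen(v);
        } else {                              /* bare value ends at ';' or end of string */
            const char *semi = strchr(v, ';');
            vend = semi ? semi : v + strlen(v);
        }
        if (append(out, outlen, &o, p, klen + 1) != 0) return -1;   /* "Key=" */
        if (is_secret_key(p, klen)) {
            if (append(out, outlen, &o, "***", 3) != 0) return -1;
        } else if (append(out, outlen, &o, v, (size_t)(vend - v)) != 0) {
            return -1;
        }
        p = vend;
        if (*p == ';') {
            if (append(out, outlen, &o, ";", 1) != 0) return -1;
            p++;
        }
    }
    return (int)o;
}

/* Run both steps on SAMPLE_UDL; returns the redacted init string (static buffer) or NULL. */
const char *demo_redacted(void)
{
    static char cs[512], redacted[512];
    if (udl_init_string(SAMPLE_UDL, cs, sizeof cs) < 0) return NULL;
    if (redact_init_string(cs, redacted, sizeof redacted) < 0) return NULL;
    return redacted;
}

int main(void)
{
    const char *r = demo_redacted();
    printf("%s\n", r ? r : "(parse failed)");
    return r ? 0 : 1;
}
```

Persist Security Info=False in the generated string above stops the provider from handing the password back after the connection is opened; the redaction covers the other leak path, the saved .udl text itself being copied around.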

Sending Your First Email: Part 1


Day 5

25 Days of Sitecore EXM!

Today marks the beginning of the first mini-series in the 25 Days of Sitecore EXM. Sending Your First Email is designed to be a short, step-by-step guide to creating your first Sitecore Email Experience Manager message. After this four-part series, we'll expand on how to create a custom message template. For now, we'll focus on the out-of-the-box message templates that ship with Sitecore EXM.

Creating an Email Message

Sending a message in the Sitecore Experience Platform 9 Email Experience Manager is actually very simple for a marketer. That sounds like a trivial statement, but the reality is that as long as the delivery service configuration, as described in yesterday's post, is set correctly, there should be no problem creating and dispatching emails in EXM.

To begin, open the Email Experience Manager application from the Sitecore Launchpad. Once there, click the large blue "Create" button in the top left. This opens a mega-menu of sorts for choosing various activities.



In this mini-series for creating your first email, we're going to click on Regular email campaign. As we learned in the introduction to EXM post on Day 2, there are two different message types in EXM. Regular email campaigns are meant for mass distribution to multiple contacts at the same time, with the same email (which might include some personalization).

Additionally, this menu contains a number of options for managing lists. Every function in the Create List menu actually performs operations that are managed by Sitecore's List Manager. This is an important distinction: EXM is not responsible for managing lists; List Manager is.

Another note: List Manager calls lists Contact Lists, whereas the EXM menu here calls them Recipient Lists. There is no difference between a Sitecore Contact and a Recipient; the terms are interchangeable.

Go ahead and click on Regular Email Campaign.

Selecting a Message Template

The next screen is the template selection screen. Out of the box, several options are provided, and some work out better than others. From a "real world" point of view, however, my recommendation is to put together a marketing plan for the types of messages you want to create and build your own custom message templates. Let's walk through the various types.

HTML File

This one is fairly simple to explain. Some companies prefer to use a marketing/advertising agency to build their marketing emails. Generally, that means no personalization is needed. The HTML file import method lets you upload an HTML email to send.

Scaled Environment Note

If you are using one or more Dedicated Delivery Servers, the uploaded HTML file has to be copied manually to each Content Management and Dedicated Delivery Server in the architecture. Place the email file in the Website\layouts\EmailCampaign\Imported folder.

If you want to add editable content to an imported HTML file for EXM, Sitecore provides some guidance on how to adjust imported HTML file layouts.

Sample Newsletter

This is an example email template demonstrating how to create a component-based message that makes full use of Sitecore's marketing capabilities, such as A/B variant testing and personalization, in EXM. Out of the box, it is branded as a Sitecore Habitat message. For the purposes of this blog series, we will use this message template as our testing template.

Existing Page

Existing Page is a special message template in that the rendering of the message can be based on another Sitecore item, such as a page item that would be viewed on the website. All CSS and JavaScript elements added to the rendering of that page are extracted and embedded in the HTML of the sent email message.

Item Security Note

EXM enables you to define how email campaigns are created from web pages. There are two options:

1) EXM respects the security settings. In this case, recipients with different security privileges will receive different email campaigns (if the source page has security restrictions).

2) EXM ignores the security settings. In this case, EXM renders all elements on the page and all recipients receive the same email campaign.

Other Email Templates

The other email templates are simple, predefined templates. They are meant as examples and can be repurposed, changed, or removed from the list altogether.

Name Your Message

For this example, we are going to go ahead and select the Sample Newsletter item.



Give your message a name and press the Create button! Congratulations, you have just generated your first EXM Mail Message item.

EXM Message Editor

After clicking the Create button, you'll be brought to the Email Experience Manager message screen, which provides a tabbed experience.

General Tab: General Information

The General Tab provides fields for defining what the message is. None of these fields are visible to the Sitecore Contact; they are meant to help the marketer define and categorize emails.

Name and Description fields are simply that: they set the name and the description of the email.

Location is where email campaigns are kept. These are contained in the Marketing Control Panel.



For clarity: email items themselves are saved as items relative to the EXM Root they were created in. In this case, our EXM Manager Root is Email.



Campaign Group allows the marketer to specify a campaign group for the email message, so that multiple campaign activities from separate channels can be combined. For more information about Campaign Groups, see Sitecore's Campaign Group documentation.

General Tab: Sender Details

Sender details are straightforward. The values for From name, From email, and Reply to set up the message header that is shown to the Sitecore Contact. These fields are copied from the EXM Manager Root settings, so unless you need to change the name a particular email message is sent from, you generally don't need to modify them.

With that, we wrap up Part 1 of Sending Your First Email and Day 5 of

The much-discussed "WeChat Pay ransomware": its author turns out to be a post-95 youngster!


Modern social networking: a counter for every move. Modern viruses: ransom without limit.

While the viruses and trojans next door are all scrambling to get into the world of virtual currency, one new piece of ransomware has gone against the stream and taken a "personalised, made-to-order" route to making money, finally settling on "WeChat Pay". Its business is still the antisocial one of encrypting files and demanding ransom: infected users have to scan a WeChat QR code and pay a 110 yuan ransom to decrypt their files.

It could be called an innovative pioneer of the ransomware trade, and even the founding practitioner of "teaching according to aptitude", but even though it took the side road and ran with the wind, it still tripped and fell into the flood of antivirus software: 360 Safeguard (360安全卫士) issued an emergency virus warning and at 2 a.m. on December 2 released a decryption tool, 360 Decryption Master (360解密大师), with which affected users can decrypt their files in one step.

New ransomware: when bitcoin isn't enough, a QR code fills in

Compared with earlier ransomware, and leaving aside the fact that the bitcoin user base is not large enough, given bitcoin's recent plunge the "WeChat Pay" ransomware is even more eager for quick returns. After a user is hit, a "decryption tool" icon is left among the encrypted files to lead the user to pay the ransom. Clicking the icon opens a QR code page. The user pays a 110 yuan ransom via WeChat's "Scan" function, and the hacker states that decryption is only possible once the ransom has been received. (Fortunately, the payment QR code has already been frozen by WeChat.)


The "WeChat ransom" trouble started from within: infected Easy Language developer tools as the source

So what is Easy Language (易语言)? Easy Language is a programming language that uses Chinese characters as program code. Known for its "ease", it lets Chinese speakers write programs in a Chinese way of thinking, greatly lowering the barrier to programming and the difficulty of learning it. Since 2000 its user base has grown to a considerable scale.

360 security experts traced the source of the ransomware to an Easy Language development module into which malicious code had been inserted; software that programmers compiled with that module was automatically loaded with the virus. It has been confirmed that a large number of third-party applications, including game cheats, traffic-boosting tools, CAPTCHA-solving tools and private-server software, have been hit.



(Several cheat tools contain the "WeChat Pay" ransomware)

These "high-risk" applications were then sent to victims via QQ, QQ group shares, cloud-drive shares, forums and Tieba. Once a victim ran one, the machine was infected with a downloader trojan, which then installed other malicious programs, among them the much-discussed "WeChat Pay" ransomware.

These tools are used by people working in the grey industry. Many of the tools that group uses are flagged by antivirus software, so they habitually ignore antivirus interception prompts. As a result, the targeted spread of this ransomware to grey-industry practitioners was very effective.

360 identifies the instigator: the real culprit behind the scenes is a post-95 Aries hacker

How did the "WeChat Pay" ransomware catch the mobile payment wave? Hold on, let me dig it up for you~

In the spirit of getting to the bottom of things and preventing future trouble, 360 security experts traced multiple user reports and backend data and found that everything about the author of this "WeChat Pay" ransomware points to a post-95 Aries hacker; moreover, the author of the downloader trojan that spreads the ransomware and the author of the ransomware are suspected to be the same person. The detailed analysis follows:


April 2017: began trying to spread "normal source code + infected module" through forums.
April 2018: began trying to deliver infected project files; at that time GitHub was still used to store remote-control information.
Second half of 2018: began using Douban to distribute control commands. Douban diary entries show that debugging began on September 30.
October 2018: began trying to spread via forums under the guise of "sharing source code".
November 13, 2018: the author began posting so-called "prank code" containing malicious code on forums; this was the first public spread of the malicious code that infected users' computers in this incident.
November 13, 2018, the same day: Easy Language developers began to be infected.
November 15, 2018: the author spread it further on the Easy Language developer forum.
November 15, 2018: the first infected application began to circulate on the internet.
November 19, 2018: more than 20 applications had been tampered with, and the malicious program began to spread widely on the internet.
End of November 2018: the malicious module was reported; forum administrators discovered the problem and deleted the distribution source.
November 30, 2018: the virus author began pushing out the "WeChat Pay" ransomware.
December 1, 2018: 360 Safeguard issued a security warning reminding users to scan for and remove the trojan promptly.
December 2, 2018, 2 a.m.: 360 Safeguard was the first to release a decryption tool supporting decryption of the "WeChat Pay" ransomware.
December 3, 2018: 360 Safeguard published a trace-back analysis of the ransomware, explaining its source and delivery method and reminding users to take care.
December 4, 2018: 360 added detection and removal for Easy Language development environments infected by the virus.

Decryption express lane: 360 Safeguard's "Decryption Master" strikes hard

If you have been hit, how should you rescue yourself? 360 experts advise:

1. Do not believe the "antivirus false positive" claims made by grey-area software such as traffic boosters, cheats, CAPTCHA solvers and private servers. 360 does not produce "false positives" for any particular type of program.

2. Be vigilant about unfamiliar software arriving through instant messaging apps or as email attachments. Do not download or run it where possible; if you really need it, scan it with security software beforehand.

3. Develop good security habits: update your system and software promptly and patch vulnerabilities. Give hackers and malicious programs no opening.

In addition, at 2 a.m. on December 2 360 Safeguard urgently launched 360 Decryption Master, the first tool to support decryption of the "WeChat Pay" ransomware. Security experts remind affected users to download and install 360 Safeguard to block dangerous links and remove viruses and trojans; once infected, the "Decryption Master" function of 360 Safeguard can restore encrypted files without paying the ransom.

At present, 360 Safeguard can decrypt nearly a hundred kinds of ransomware, including the recently very active GandCrab series, the whole Satan family and the GlobeImposter family, making it the world's largest and most effective ransomware recovery tool. On PC, copy the link http://weishi.360.cn/, install it and use Safeguard's "Decryption Master" function to defend against ransomware and keep your computer safe.

SentinelOne Replaces Any Need For Legacy AV Suites With New Features

SentinelOne, the autonomous endpoint protection company, today announced two new features for the SentinelOne platform that extend its scope beyond traditional endpoint protection (EPP) and endpoint detection and response (EDR) capabilities. SentinelOne unveiled Endpoint Firewall Control, a robust feature that enables security and IT teams to control the endpoint's firewall and immunize an organization's network from data exfiltration and malicious IP addresses. SentinelOne is the first and only next-generation vendor to offer this capability, enhancing the control of how an endpoint interacts with the network or cloud, to provide access and data control beyond the reach of classic network firewalls. This ability is especially important in a "post-perimeter" world, and in zero-trust models, as a means to enforce and control the device's trust posture. Additionally, the company announced Device Control, a feature that enables enterprises to maintain full control and complete visibility over peripheral devices.

SentinelOne's Endpoint Firewall Control and Device Control features provide what some considered the missing pieces to fully replace legacy antivirus (AV) solutions with its next-gen product, providing unparalleled protection and visibility capabilities. These two features, as well as the entire platform, are delivered via SentinelOne's single agent, single codebase, single console architecture, available seamlessly in cloud-delivered or on-premises deployment models. With the addition of these abilities, SentinelOne becomes the only vendor to provide complete visibility into every aspect of the endpoint's data transport, controlling all "ins and outs" of a given device.

Endpoint Firewall Control allows an organization to create and enforce endpoint firewall policies, integrating into an organization's layered security model. The feature enables the SentinelOne agent to block unauthorized network traffic flowing into or out of devices, across both Windows and macOS. Endpoint Firewall Control has been a final holdout for retaining legacy AV suites: SentinelOne is proud to rapidly deliver critical features that enable enterprises of all sizes to remove the shackles of legacy AV.

With SentinelOne's Device Control, IT and security teams gain complete visibility into how USBs and other peripheral devices are being used and can easily control and manage that usage. The feature provides customers with visibility into every connected device's information and history, robust control over storage devices, and a greater frame of reference around host activity to see what's happening in an organization's environment.

"At SentinelOne, we strive to deliver full, 360-degree protection of the endpoint, by providing the tools and automation capabilities needed to harden, prevent, find, and mitigate threats in an ever-evolving threat landscape," said Tomer Weingarten, CEO and Cofounder, SentinelOne. "The nail is in the coffin for legacy AV: our Firewall Control and Device Control features allow organizations to make a full transition from legacy AV by providing device management efficiency with the unparalleled endpoint detection and response (EDR) capabilities customers expect, enjoying full context monitoring and control of every aspect of the endpoint device."

With SentinelOne's acclaimed multi-tenant console, enterprises and service providers can customize endpoint firewall control and device control settings to best fit their organizations' security needs without compromising end user productivity. To learn more about how SentinelOne's Firewall Control and Device Control features are replacing legacy AV solutions, please visit https://www.sentinelone.com/category/spotlight/ .

The Case for a Human Security Officer


Wanted: a security exec responsible for identifying and mitigating the attack vectors and vulnerabilities specifically targeting and involving people.

It is clear that end users are a major, if not the primary, attack vector for most significant attacks. Whether using phishing, traditional social engineering, or physical compromise, sophisticated attackers know that it is easier for them to find a successful entry point into an organization by targeting users instead of by probing for technology weaknesses. As important, well-meaning users cause more damage in aggregate than malicious parties ever could. In response, there is a focus on trying to make users more resilient through awareness.

The reality is that this works to an extent, but more is required.

Technology is in place to stop user actions in advance, as it should be. In the safety field, it is believed that around 90% of workplace accidents are avoided by creating an environment that prevents employees from being exposed to situations where they can be injured. For example, in one factory where employees were frequently struck by forklifts, they painted a line down aisles, creating distinct walkways. This one change alone reduced almost all accidents involving forklifts. The remainder of the incidents were the result of walkers who were looking at their cellphones and drifted into the forklift because they weren't paying attention.

In the cybersecurity world, one equivalent of creating a secure environment is anti-malware software, spam filters, and PC protections that prevent users from installing software. Creating a secure environment filters out more than 99.9% of potential attacks before they can reach the user, or stops the user from causing damage. But clearly, attacks still make it through, which means awareness is still necessary to reduce the risk.

The truth is that awareness programs should focus on how users should do their jobs properly and not on what they should be afraid of. This requires a definition of proper governance. You cannot expect users to detect every possible trick, but they should at least be able to follow proper procedures for acting appropriately.

Focus on the User

While in general most companies have some form of software to defend against attacks reaching users, some form of awareness, and something that resembles policies and procedures, these efforts are uncoordinated and haphazard. There is no focused effort to stop specific attacks or user actions.

To address this concern, what is required is a position that I call the human security officer (HSO), who is responsible for specifically identifying the different attack vectors and vulnerabilities involving people. The HSO examines where problems may arise and identifies the optimal ways to prevent, detect, and respond to the attacks or user actions.

Some people may contend that this is the job of the CISO or perhaps an awareness manager. The reality is that awareness people have a very specific role and focus on providing information to people in an attempt to get them to improve their security-related behaviors. The awareness team does not have the responsibility -- and especially not the authority -- to account for all aspects of preventing and mitigating vulnerabilities. The awareness team should report to the HSO.

The HSO would be responsible for determining where human-related vulnerabilities exist and focus on a coordinated method for mitigating the vulnerabilities. This would involve an examination of underlying business processes and the determination of the best combination of technology operational processes that most effectively mitigate vulnerabilities. The HSO would then ensure that the awareness team focuses on ensuring that the awareness program primarily addresses how people should perform their jobs correctly.

While it would be good for a CISO to take on the role of an HSO, in any company of reasonable size, the CISO has a team of people to whom she can delegate responsibilities. Much like there are individuals reporting to the CISO responsible for network security, incident response, and governance, there should be an HSO specifically responsible for all aspects dealing with human-related vulnerabilities. The role should be treated distinctly and go well beyond the traditional awareness roles.

69 percent of employees use work devices for personal tasks



New research released by security awareness and email protection company Mimecast finds that more than two-thirds of employees admit to personal use of work devices during office hours.

Mimecast surveyed more than 1,000 people who use company-issued devices (such as mobile phones, desktop computers or laptops) in the workplace, in order to understand their behavior, but also their awareness of basic threats plaguing organizations.

The top three personal uses are reading the news (53 percent), checking personal email (33 percent) and browsing social media (23 percent). Additionally, nearly 28 percent say they use their company-issued device for personal reasons for at least one hour a day, with the number rising to 40 percent among younger workers (18-24-year-olds).

The findings show that one in four respondents aren't familiar with the most common threats, such as phishing attacks and ransomware, and 15 percent say they could be more cautious about cybersecurity or that they just blindly trust the emails they receive.

There's a high level of ignorance about usage policy too. 60 percent of respondents either aren't aware of their companies having a formal policy on their personal web use at work or say there isn't one in place at all.

In addition, only 45 percent of modern businesses provide mandatory, formal cybersecurity training. Another 10 percent offer it, but on an optional basis. Among businesses that do offer cybersecurity training and education, just six percent do so monthly, and four percent quarterly.

Michael Madon, SVP and GM of Mimecast Security Awareness writes on the company's blog:

...businesses are inherently trusting their employees to know what, and what not, to click on, and to be smart when it comes to browsing the web -- for both professional and personal reasons. It could also mean that today's organizations simply don’t have the resources or know-how to implement formal cybersecurity and awareness training. And with cyberthreats continuing to evolve so they can bypass traditional security methods, like anti-virus and anti-spam filters, it's essential organizations integrate cybersecurity awareness training into their overall cyber resilience strategy.

You can read more about the findings on the Mimecast blog .


Hyperledger releases Ursa, a cryptographic software library, to simplify DLT development


According to a Cointelegraph report on December 4, the Hyperledger Technical Steering Committee has released its newest project, Ursa, a modular cryptographic software library.



(Image source: cointelegraph)

Hyperledger's announcement says that as the platform has matured, demand for sophisticated cryptographic tools has begun to emerge. The announcement says Ursa helps each project make the major shift from developing protocols on its own to developing them collaboratively in a shared library.

Ursa aims to avoid time wasted on duplicated work, to strengthen security by simplifying analysis, and to prevent "less experienced people creating less secure protocols".

In addition, because multiple projects will use the same library, the project should make expert review of all cryptographic code possible and simplify cross-platform interoperability.

Hyperledger notes that with the new cryptographic library, blockchain developers can choose and modify their cryptographic schemes through simplified file configuration. Ursa is also said to incorporate newer, more advanced cryptographic techniques.

The new library is divided into two smaller sub-libraries. The first contains simple, standardized and modular cryptographic algorithms; the second contains more unusual, advanced algorithms, such as pairing-based signatures, SNARKs and aggregate signatures.

The software will be written mainly in the Rust programming language, but will come with interfaces for all the languages commonly used in Hyperledger.

Hyperledger expects Ursa to simplify development by letting each project easily use a range of interchangeable cryptographic algorithms without having to understand the underlying mathematics.

Hyperledger is becoming increasingly popular among institutions and in commerce. Last week it was reported that Russia's Sberbank recently completed an over-the-counter foreign-exchange repurchase agreement by deploying a smart contract on the Hyperledger Fabric platform.


Hackers run riot, gambling rules the field: why have DApps become a party for a small clique?


Source / 31QU

By Lin Jun

After the bear market arrived, DApps were at one point thought to have taken the baton from public chains, becoming the key to solving the blockchain puzzle.

Whether they are the cure for blockchain is not yet certain, but right now DApps are mired in hacker attacks and security troubles.

Since mainnet launch, large-scale vulnerability attacks have played out one after another; by one count, a series of attacks has cost project teams a cumulative loss of hundreds of thousands of EOS, worth more than a million yuan.

"DApps have become hackers' ATM," as some have put it.

Blockchain systems that once claimed to be secure and reliable have instead become the hackers' playground, with countless tokens flowing into hackers' wallets and becoming their spoils.

Besides hacker attacks, DApp development faces other problems, such as a narrow range of types and a shortage of users. How should DApp development teams respond to these challenges?

1. DApps erupt

Since November, cryptocurrencies have continued in a bear market. According to CoinMarketCap, the total cryptocurrency market capitalisation is currently about $130 billion, a full 84% below the peak of $810 billion on December 17, 2017; compared with their highs, many cryptocurrencies have been cut in half or even gone to zero.

The crypto winter stands in sharp contrast to the DApp boom.

"The old groups either turned into advertising groups or went silent and died, but of the WeChat groups I'm currently in, the most active are the DApp discussion groups."

Blockchain practitioner Ran Hua explains that for work reasons he joins all kinds of industry WeChat groups. As the cryptocurrency market turned cold, the heated discussions of coin prices and hot topics disappeared, and the only groups still managing close to a thousand messages a day are about DApps.

After the waves of public chains, exchanges and stablecoins, DApps built on public chains have come from behind.

According to the statistics site DappReview, as of December 3 there were 1,347 DApps built on Ethereum, with a peak of 751 users active in 24 hours for a single DApp.



EOS, whose mainnet launched only at the end of June, has seen rapid growth in DApp numbers, with more than 250 DApp projects on the chain; according to IMEOS, the top six gambling DApps on EOS each have weekly turnover above one million EOS.

At an EOS offline event, Yu Shi, founder of the EOS block producer EOSbeijing, enthusiastically said that the EOS ecosystem has entered the fast lane: "From vegetable garden to forest is the goal EOS will achieve."

Everything looks thriving.

But on the other side of this vitality lies a precarious security situation.

On September 10, hackers cracked the DEOSGames game and, in a short time, exploited a random-number vulnerability to win 4,000 EOS. On September 12, a hacker attack caused one account to lose 5,000 EOS. The same day, Fair Dice was broken with the same attack method, losing 4,000 EOS. On September 14, hackers on EOSBet used fake tokens to bet and win real ones, transferred the fake tokens to an exchange, and successfully placed a sell order.

"Since the EOS mainnet launched, at least 1.5 DApp hacking incidents per week have been disclosed on average..." the founder of SlowMist commented on WeChat Moments about the current state of EOS security.

2. Blockchain security: two sides of one coin

Blockchain believes in "Code is Law": the code is the law, and distributed technology ensures on-chain data cannot be tampered with, guaranteeing system security to the greatest possible extent. For blockchain games in particular, putting assets on-chain is supposed to protect user assets to the greatest degree.

But now, DApps built on this technology are deeply troubled by security problems.

From July 25 to early November this year, IMEOS monitored 18 EOS security incidents, each of which caused losses of EOS assets, some running to tens of thousands of EOS.

"I've seen quite a few DApps that died because of security problems," veteran player Mo Ke told 31QU.

"As I understand it, DApp security problems fall into a few categories: first, flaws in the game's logic design, bugs in the game itself; second, the DApp is hacked and its assets are stolen; and last, the random algorithm of a gambling game is broken and hackers steal large amounts of assets." Mo Ke said security problems are fatal: once an asset account is breached and the hackers move the assets, the game "is basically finished".



"For players, when this happens, all you can do is accept your bad luck." Mo Ke told 31QU that although security problems keep occurring, players have no good countermeasures. "This is a stage-specific problem that only time can solve."

Yu Shi said that if a DApp hack on EOS is discovered in time, players can still recover lost assets through a ruling of the EOS Core Arbitration Forum and a rollback.

3. DApp security: attack and defence

Frequent DApp security incidents have become one of the reasons blockchain is criticised.

"I'm not worried about the security problems DApps currently have, because such problems are not unique to blockchain; it's just that blockchain products have strong financial attributes and are tightly bound to funds, so when a security incident occurs it directly affects players' interests." SlowMist co-founder Yu Xian told 31QU that security problems are not without solutions.

"Blockchain is still at a very early stage, and without unified DApp development standards, problems appearing, being fixed and iterated on is an inevitable phase." Yu Xian said that in this situation DApp teams must plan their security architecture before a project starts, and refer to vulnerabilities that have already appeared in similar projects so as to avoid "falling into the same pit".

"After a similar DApp is attacked, promptly check whether your own contract has a similar vulnerability." The reason for this advice is that within a short period there were several security incidents on EOS that used the same technique against different DApps.

On September 14, the closed-source dice game EOSBet was attacked: by creating a "fake token" named EOS, the hacker drained real EOS from the project's account; the same technique was then used on EOS.win; even the decentralised exchange Newdex could not escape the "fake token attack", with users losing nearly ten thousand EOS.



In addition, cases of hackers finding the pattern in a guessing game's "random number" and walking away with large prizes are common. Hence the comment that, with vulnerabilities appearing so frequently, DApps have effectively become a hackers' ATM.

"Internet products spend roughly 10% to 15% of their budget on security, but for blockchain products we think that figure needs to rise by at least five percentage points, to 15% to 20%." Yu Xian believes that the special nature of DApps requires teams to devote enough effort to thinking about security.

4. Deep in difficulty

Beyond security, DApps face many other problems.

First is the high barrier to entry, which, combined with games whose mechanics are not sophisticated, has turned DApps into a paradise for gambling games.

"To play a DApp you at least have to know about cryptocurrency, then you need an EOS account, and you also have to understand CPU, RAM and Scatter." Mo Ke said this high barrier keeps ordinary players out, and even among insiders who understand these things, a large share have no interest in the crudely designed, simplistic games currently on the market.

"Players with a high risk appetite want fast returns, and the only thing that satisfies both conditions is gambling games." Mo Ke believes that in the short term DApps cannot escape the curse of rampant gambling games.

By one media count, as of December 1, gambling and Ponzi-type games occupied seven of the ten most active DApps on EOS; on TRON it was worse, with eight of the top ten.

"Today's DApp games are entirely a zero-sum game played by existing users," was Yu Xian's assessment of the current DApp ecosystem.

On December 1, the security team PeckShield released a report showing that as of November 19 the EOS mainnet had a total of 506,310 EOS accounts, of which 39% were dormant, 23% were bot-controlled, and only 37% were active.

In other words, EOS, which claims 500,000 users, has no more than 200,000 genuinely active people.

"Sometimes when a new game launches, everyone in the newly formed player group finds that the people coming in are all familiar faces." Mo Ke joked that this is nothing unusual. "Maybe 500 people are spread across different groups; a topic finishes in this group and carries on in another without missing a beat. Some say 'DApps are just a party for a small clique', and sometimes it really does feel that way."

Too few new users, daily actives in the hundreds, gambling games dominating: the many problems DApps face urgently need solving.

Conclusion

Ethereum's throughput limited the number of DApp users and their growth rate; the arrival of public chains such as EOS and TRON greatly improved DApps' low-latency, real-time interaction, and cheap or even free transactions made frequent user operations possible, so DApps appear to be growing unchecked.

But security incidents such as hacker attacks stand like a tiger in the road in front of DApp development, and have become a problem that must be solved now.

Every time a security incident occurs, the question of whether blockchain DApps are reliable is raised again.

"If DApps themselves are not secure, users naturally lack a sense of security." Yu Xian believes development teams must of course take security seriously, and beyond that should pay attention to the sustainable development of public chains, including technical iteration and how to keep the ecosystem healthy.

"Perhaps DApps won't see a large-scale explosion soon, but what is certain is that they won't die soon; hits like CryptoKitties and Fomo3D will definitely appear again."

Mo Ke told 31QU that although gambling games are the majority for now, the fun DApps are still to come.

Hackers among most vulnerable to China’s first WeChat Pay ransomware


Dec 5, 2018 | In With Chinese Characteristics | By Bailey Hu



Creators of illicit software may have been the most vulnerable targets of a recent, apparently homegrown, ransomware effort in China.

Attacks were first reported on the night of December 1, according to antivirus software provider Huorong Security. The software encrypted important files in .doc, .txt, .jpg, and other formats, and also stole 20,000 passwords and other pieces of data from Taobao and Alipay platform users, among others. The attack affected only PCs, The Paper reports, and a majority of victims were likely illicit software creators or purveyors who often don't use security software.


Taobao, Tmall, and Alipay accounts were most affected by the hack, followed by Aliwangwang, 163 email, QQ email, QQ accounts, JD.com, and Baidu Pan. Unit: Number of incidences. Image credit: Huorong

The incident marks the first time Chinese ransomware creators have used a (traceable) WeChat QR code to demand payment, with users asked for RMB 110 (around $16) to unlock their documents.

Software security companies including Huorong, Tencent, 360, and others moved quickly to upgrade their security systems and provide decryption keys to affected users. By the night of December 2, Tencent states, the account receiving payments had been shut down.

A company representative told TechNode that the QR payment code has also been frozen, and neither WeChat users’ money nor their account safety had been affected. The company’s claims could not be verified by TechNode.

Alipay made similar assertions, saying that there were no signs the hack affected its users’ accounts. It added that in the “unlikely” case of data theft, losses would be paid back in full.

As of Tuesday night, Huorong stated, 100,000 computers had been infected by the ransomware, although those who had upgraded their security systems should be safe.

Following the data trail to its source on GitHub, Huorong found that the malware originated from a person surnamed Luo. His identity has since been shared with police.

According to Huorong, the malware entered various software products and programs developed using Chinese programming language EPL (literally, Easy Programming Language).

Although the hack eventually affected multiple popular platforms, Huorong determined that WeChat Pay and Alipay played no direct roles in spreading or creating the virus, and the companies’ platforms also didn’t have any significant security weaknesses.

Schneider Electric Patches Critical RCE Vulnerability


Researchers discovered a critical remote code execution vulnerability in two Schneider Electric industrial control related products that could give attackers the ability to disrupt or shut down plant operations.

Tenable Research, who discovered the vulnerability (CVE-2018-8840) and created a proof-of-concept attack scenario, said that the bug was in Schneider Electric products InduSoft Web Studio and InTouch Machine Edition. Schneider Electric has since issued patches for the vulnerability.

InduSoft Web Studio is a suite of tools to develop industrial control systems such as human-machine interfaces or Supervisory Control and Data Acquisition systems. InTouch Machine Edition is a software toolset to develop applications connecting automation systems, and to develop interfaces for web browsers and tablets.

“This software is commonly deployed across several heavy industries, including manufacturing, oil and gas and automotive,” according to Tenable’s report released Wednesday. “With the growing adoption of distributed and remote monitoring in industrial environments, OT and IT are converging. As OT becomes increasingly connected and boundary-less, these safety-critical systems are increasingly vulnerable to cyberattacks.”

Schneider Electric said in a security bulletin it has released InduSoft Web Studio v8.1 SP1 and InTouch Machine Edition 2017 v8.1 SP1 to address this vulnerability. Impacted users are strongly advised to apply patches as soon as possible.

“An unauthenticated remote attacker can leverage this attack to execute arbitrary code on vulnerable systems, potentially leading to full compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” according to Tenable’s report. “A threat actor can use the compromised machine to laterally transfer within the victims’ network and to execute further attacks. Additionally, connected HMI clients can be exposed to attack.”

The vulnerability stems from a stack-based buffer overflow in the two products. Tenable said that a threat actor could send a crafted packet to exploit the buffer overflow vulnerability using a tag, alarm, event, read or write action to execute code. Packet crafting is a method usually used by network administrators to check firewall rule-sets and find entry points into a targeted system.

“In order to validate the vulnerability, we developed a proof of concept that uses a simple Linux terminal and standard Linux command line utilities,” Tenable told Threatpost.

The vulnerability is similar to CVE-2017-14024 , another stack-based buffer overflow issue discovered in Schneider Electric InduSoft Web Studio v8.0 SP2 Patch 1 and prior versions, and InTouch Machine Edition v8.0 SP2 Patch 1 and prior versions, said Tenable.

“While researching CVE-2017-14024 for a Nessus plugin, Tenable found a new stack buffer overflow in InduSoft Web Studio and InTouch Machine Edition. The vulnerability is similar to CVE-2017-14024 in that it involves calling mbstowcs() in TCPServer.dll. However, this new vulnerability leverages command 50 instead of command 49,” researchers wrote.

The vulnerability can be remotely exploited without authentication and targets the IWS Runtime Data Server service by default on TCP port 1234.

Tenable told Threatpost that an attacker would likely develop a custom script that connects to the vulnerable application on port 1234 and would send a malicious string of characters over a network connection to exploit the vulnerability.

So far, there is no evidence to suggest that the vulnerabilities have been exploited in the wild, a Tenable Research spokesperson told Threatpost. The vulnerability is rated 9.8 out of 10 using the Common Vulnerability Scoring System (CVSS).

IT-OT Security Worries

The vulnerability is just one example of the road bumps that industrial manufacturers face as their industrial control systems, such as programmable logic controllers and HVAC systems, become connected to the network.

“The OT industry has historically been somewhat insulated from the attention of most security researchers…With IT and OT converging and now sharing more standardized protocols and libraries, this is quickly changing,” a Tenable Research spokesperson told Threatpost. “Understanding the new risks associated with this digital transformation will take some time. So far, the necessary paradigm change has been slow in coming, but we are seeing some vendors begin to take this more seriously.”

Focus around industrial control system security has tightened in particular since FireEye researchers in December found malware called Triton targeting Schneider Electric’s Triconex Safety Instrumented System controllers.

But Schneider Electric and other industrial manufacturers have faced cybersecurity issues long before that. In 2016, a critical vulnerability was found in Schneider Electric’s industrial controller management software, Unity Pro, while in 2017 a critical vulnerability was found in Schneider Electric’s WonderWare Historian.

“The cost and difficulty of gaining access to OT devices for research purposes and the fact that they often use proprietary protocols, has given OT the benefit of security through obscurity. In addition, as OT devices have traditionally not been connected to the internet, OT developers have not had to take malicious attacks from remote users into consideration,” the Tenable spokesperson said.

The disclosure timeline for this most recent vulnerability (CVE-2018-8840) includes discovery of the bug by Tenable on Jan. 18. Tenable reported the vulnerability to Schneider on Jan. 28, and on March 15 the company issued a patch to affected customers. Public disclosure of the patch is today.

The Tool Sprawl Problem in Monitoring


One of the biggest KPIs in the DevOps space is monitoring. There are so many tools to help any organization to complete their monitoring picture, but no tool does everything and most organizations use many tools to help complete their monitoring solution. Mashing tools together often creates a problem of its own ― the tool sprawl problem.


In modern computing, it’s not how much data you collect and report, or how efficient, or how durable your monitoring solution is. Sure, those are all important considerations, but it’s how effective and useful your monitoring is that makes the difference. It’s how much value to the business it creates, and how well the data can be exploited to identify and resolve critical issues. Monitoring is never a completed effort.

It evolves. It is enhanced by tools and by integrations. Often enough, the journey to improve monitoring is what creates and accentuates the tool sprawl problem. In this article, I’d like to examine how monitoring tool sprawl can become a serious issue for modern, engineering-driven companies.

Monitoring Challenges

The task of monitoring modern IT environments is too complex to properly handle without tools. The days of allowing logs to sit on servers and fishing through them to find answers are long gone. Alerting on an operating system issue and manually clearing out all the noise from old vendor solutions for sysadmins (think HP, Dell, IBM) no longer scales in the world of cloud computing.

Luckily, there are plenty of modern tools to solve modern issues. But like any type of software, every monitoring tool has weaknesses and strengths in their own right. Organizations will often patch together multiple monitoring tools based on their strengths and just deal with the sprawl.

So what are the modern problems to solve and tools to solve them?

Logs

Log data is considered an extremely valuable data source for monitoring and troubleshooting both applications and the infrastructure they are installed on. Most log management tools on the market provide analysis capabilities. Some provide advanced analytics such as machine learning and anomaly detection. Most of these tools now include plugins and integrations with cloud vendors to provide greater insight into cloud-based applications.

The world’s leading open source log management tool is, of course, the ELK Stack ― an extremely popular and powerful platform but one that often requires more engineering effort and expertise to scale .

Metrics

Metrics, or time-series data, is another type of telemetry data used for monitoring. Used primarily for APM (Application Performance Monitoring), ITIM (IT Infrastructure Monitoring) and NPM (Network Performance Monitoring), metrics introduce another kind of challenge being more verbose in nature and requiring more elaborate data storage and retention strategies as well as analysis features.

Open source solutions are often comprised of a time series database such as Prometheus, InfluxDB or Graphite with Grafana playing the role of the analysis and visualization layer. Plenty of SaaS vendors offer their own APM and monitoring solutions, including premade dashboards for monitoring specific services or platforms.

Security

The increase in cyber threats means organizations must operate with security in mind. A big part of security is active monitoring and reactive controls: triggering alarms on root or administrator login, for example, or signaling a Puppet run when a security-controlled configuration is changed, as an automated response to a security incident. Building this kind of solution requires a very specific kind of tool, usually falling under the category of SIEM or Security Analytics. Again, there are both open source and proprietary solutions on the market, but the skills gap is proving to be as big a challenge as integrating and deploying these solutions.

Compliance

SOC, PCI, HIPAA, SOX, GDPR, ISO, and CODA are just a few regulatory and compliance certifications companies must contend with to remain in business. All of them require some level of auditable data to show that their required checks and controls are being maintained. This means companies must find tools to capture, store, and retrieve data for compliance. Some tools excel at configuring controls or capturing security data but aren’t as strong at capturing application logs and transforming them into formats that mesh well with security logs to have an overlay picture.

Alerting/Reporting

Again, most tools provide canned reports, and most also allow you to build your own reports. The key difference is that some providers’ reports will be more relevant to an organization than others. An example of where tool sprawl can become real is an organization with a security team that prefers the tailored security event reports from Alertlogic, an operations team that uses Datadog’s metrics for capacity planning, and developers who use the ELK Stack to determine API performance issues. All three tools can create all three reports, but none of them specializes in providing all three. This key difference is what creates a tool sprawl challenge, in this case for reporting and alerting.

Multiple solutions mean what?

After reading the previous section, it is easy to see how companies choose multiple tools and vendors to solve their monitoring needs. In the following section, I’d like to examine some of issues that can result from having multiple monitoring solutions.

Multiple panes of glass

Having security data flow to one tool, systems performance data to another, and application data to a third makes correlation much more difficult. Even if you are able to have data sources feed multiple frontend tools, it still requires additional “stitching” to deliver the data in a meaningful way and the systems still present information differently. This can force the need to build translation jobs between solutions, or lengthy exports and manual correlation in spreadsheets. Nobody wants to do that.

Administration (and cost) is heavier

This means managing permissions through RBAC, customization of data feed sources, plug-in management, and supporting infrastructure must be considered. The resources and cost burden can become extremely heavy pretty quickly when designing for scale, high availability, and storage.

Additional automation Every age

Symantec markets USB security to industrial facilities amid shift to enterprise ...


Dec 5, 2018 | CYBERSCOOP

Cybersecurity giant Symantec on Wednesday announced a new product meant to protect industrial control networks from a pernicious threat: USB flash drives.

Numerous studies have determined that roughly half the population is likely to plug a USB drive found in the parking lot into their computer, presenting hackers with an invaluable opportunity to infiltrate sensitive networks. Symantec is trying to solve that problem with Industrial Control System Protection (ISCP) Neural, a USB-scanning station meant to help energy, oil, gas and manufacturing organizations ― which often use USB drives to update legacy systems ― check for malicious software.

ISCP Neural uses artificial intelligence capabilities to detect malware on USB drives in a way that will increase detection efficacy by up to 15 percent, the company claims. The devices are scheduled to be available for shipping in early 2019 at a price of $25,000, the company told SecurityWeek.

The product announcement comes amid internal changes at Symantec, an established security player that’s shifting away from traditional antivirus technology to enterprise security products.

USB drives, much like weak passwords, have for a generation presented a significant threat to international cybersecurity. Flash drives infected with malicious software have been used to carry out attacks like Stuxnet, which destroyed equipment at an Iranian nuclear facility, and Trisis, which targeted a Saudi chemical plant before creeping to U.S. networks. Schneider Electric, a major ICS supplier, announced in September that it had accidentally shipped malware-infected USB drives with a product.

The Symantec product is the latest in a number of emerging technologies focused on securing industrial facilities from USB-based threats, including a similar solution unveiled last year by Honeywell. Numerous cybersecurity companies also offer USB security products for individual consumers.

Symantec’s ISCP Neural announcement also comes at a time when the established security vendor appears to be on the precipice of change. Three executives including Chief Operating Officer Michael Fey have left the company, and the firm is in the process of transitioning from the consumer market to enterprise sales, according to Bloomberg .

The Mountain View, California, company last month announced it has acquired Appthority, a mobile application security company, and Javelin Networks, which protects businesses from active directory attacks.

Windows 10 Security Questions Prove Easy for Attackers to Exploit


New research shows how attackers can abuse security questions in Windows 10 to maintain domain privileges.

Attackers targeting Windows are typically after domain admin privileges. Once they have it, researchers say, the security questions feature built into Windows can help them keep it.

In a presentation at this week's Black Hat Europe, security researchers from Illusive Networks demonstrated a new method for maintaining domain persistence by exploiting Windows 10 security questions. Despite good intentions, the feature, introduced in April, has the potential to turn into a durable, low-profile backdoor for attackers who know how to exploit it.

Windows admins are prompted to set up security questions as part of the Windows 10 account setup process. Tom Sela, head of security research at Illusive Networks, said the addition reflects a broader effort by Microsoft to build security into Windows 10. However, it also shows the delicate balance companies must strike in maintaining usability while improving protection.

"I think Microsoft also wants to introduce new usability features," Sela explained in an interview with Dark Reading. "There is a fine line with advancing security but also adding new usability features that may compromise security."

Magal Baz, security researcher at Illusive Networks, said the questions are more of a usability feature, designed for convenience, than a security mechanism. Today, if you forget your Windows login password, you're locked out of your machine and have to reinstall the operating system to regain access, he said. The questions feature lets users log back into their accounts by providing the name of their first pet, for example, in lieu of their password.

"Now in terms of security ... I don't think that it is well-protected," he explained. Because those questions and answers have the same power as a password, you'd think they would be as secure. However, unlike passwords, answers to security questions are not long and complex, they don't expire, and most of the time they don't change. "All the limitations that make passwords safer are not applied on the security questions," Baz pointed out.

In addition to having answers that can be found on social networks, the security questions "are not monitored. There are no policies around it; it's just there," he continued. "It allows you to regain access to the local administrative account." There's a reason why companies including Facebook and Google have stopped using security questions to secure accounts, Baz added.

Unlocking Admins' Answers

Before describing how this approach works, it's important to add context first. In recent years, attackers have not only sought domain access but a means of maintaining a reliable and low profile on the domain. The process of becoming a domain admin has become much easier,Baz added. "A couple of years ago, it was thought this could take months ... it has shrunk into hours," he says.

To turn the questions feature into a backdoor, an attacker must first find a way to enable and edit security questions and answers remotely, without the need to execute code on the target machine. The attacker must also find a way to use preset Q&A to gain access to a machine while leaving as few traces as possible, Baz and Sela explained in their presentation.

Windows 10 security questions and answers are stored as LSA Secrets, where Windows stores passwords and other data for everyday operations. With administrative access to the registry, one can read and write LSA Secrets. One can change a user's security questions and answers, installing a backdoor to access the same system in the future.

An attacker could remotely use this feature, for any and all of the Windows 10 machines in the domain, to control security questions and answers to be something he chooses, Baz said. The implications for someone abusing this without the account holder's knowledge are huge. Unlike passwords, which eventually expire and can be edited any time, security questions are static. The name of your first pet or mother's maiden name, for example, don't change, Baz pointed out.

Sela and Baz described use cases in which this tactic can be useful for an attacker. Someone could "spray" security questions across all Windows 10 machines and ensure a persistent hold in the network by ensuring everyone's dog is named Fluffy and Fluffy is the name of everybody's birthplace, place where their parents met, model of their first car, etc.

What's more, security questions and answers aren't carefully protected. "The questions today are not monitored, are not changed. Probably most of IT admins are not even aware of their existence at the time being," Baz continued. "The implications ... for now [are] permanent access to all Windows 10 machines in the network quite easily and in low-profile manner." The security questions also don't come with auditing capabilities, Sela added. "Even [for] IT administrators that would like to be aware of that, out of the box, Windows doesn't give them a way to monitor the status of those security questions."

Best Practices and Deleting Security Questions

Admins should constantly monitor security questions to make sure they are unique, or disable them by periodically changing them to random values, Baz and Sela said.

"Even before the question of security questions, it's a good practice to have as few local admins as possible on the network," Baz said.

Security admins don't feel good about the tool, the researchers said, noting how many people are looking for ways to get rid of it. As part of their presentation, Baz and Sela also shared an open-source tool they developed that can control or disable the security questions feature and mitigate the risk of questions being used as a backdoor into a Windows 10 machine.

WeChat Pay Ransomware Has Been Cracked: Possibly Developed by a Domestic Novice


After the ransomware infiltrates a user's computer, it encrypts the user's files, which can only be decrypted once the user pays the ransom. In addition, the virus records the user's keyboard activity and steals account credentials for various platforms, including Taobao, Tmall, Aliwangwang, Alipay, 163 Mail, Baidu Cloud, JD and QQ.



However, previous widespread ransomware mostly demanded its ransom in cryptocurrency, whereas this ransomware's payment method is, surprisingly, WeChat Pay.

WeChat has now blocked the payment QR code supplied by the virus. In addition, several security experts told reporters that the ransomware was very likely developed by a Chinese national, that its encryption is easier to break than that of other ransomware, and that its spread is limited; the main domestic security vendors have all released corresponding decryption tools.

The virus spreads via game cheats and similar software; its reach is containable

In 2017, a ransomware called WannaCry spread worldwide by exploiting a Windows vulnerability, demanding bitcoin worth the equivalent of US$300 to decrypt all the encrypted files.

According to available data, more than 230,000 computers worldwide were infected and more than 100,000 organizations and institutions were compromised; in China, PetroChina, the public security intranet and the campus networks of many universities were also hit.

Compared with WannaCry, the ransomware now spreading in China falls short in both reach and difficulty of decryption.

Wang Liang, a security researcher at 360 Internet Security Center, told reporters that the ransomware spreads mainly by being bundled into third-party applications such as game cheat tools and traffic-inflation software, which are sent to victims through QQ groups, cloud-drive shares and the like.

When a user runs the cheat software, the trojan downloader built into it installs itself on the user's computer and downloads the malicious program. The virus did not begin infecting the moment the user downloaded the software. According to Wang, after being downloaded onto users' computers the virus lay dormant for a considerable time and only began large-scale infection at the end of November.

However, the cheat-software developers are not the virus's authors. Wang said the virus was first published on a developer forum; once a software developer used the code or module containing the virus, every program they compiled carried it.

The Huorong security team likewise explained that the virus is characterized by "supply-chain contamination" as its method of spreading: after infecting a developer's build environment, it spreads outward through the programs that developer compiles, which is why its infection count does not match WannaCry's.

WannaCry spread mainly by exploiting the "EternalBlue" vulnerability in Windows, a vulnerability inherent in the operating system; in theory any internet-connected computer could be infected, so its reach was far wider.

The virus may have been developed by a domestic novice

By analyzing and tracing the virus, Huorong Security found that it mainly targets developers who program in "Easy Language" (易语言), a programming language whose code is written in Chinese. Together with the fact that the ransom screen is in Chinese and the ransom is collected via a WeChat QR code, the virus was very likely developed by a Chinese national.

Previously, ransomware mostly collected its ransom via cryptocurrency and similar means, which are anonymous and hard to trace, yet this time it used a WeChat QR code.

The WeChat team responded that it had immediately banned the ransomware author's account and urgently frozen the payment QR code, and that WeChat users' funds and account security would not be threatened in any way.

At the same time, the virus also records the user's keyboard activity and steals account credentials for various platforms, including Taobao, Tmall, Aliwangwang, Alipay, 163 Mail, Baidu Cloud, JD and QQ.

After the incident, Alipay responded that it had not yet received reports of affected Alipay accounts, noted that the virus appears only on PCs, and advised users to install antivirus software promptly to remove it.

Furthermore, compared with previous ransomware, the virus spreading domestically this time is also easier to crack.

Wang told reporters that ransomware generally encrypts users' files with standard encryption algorithms and, when these are used "properly", is virtually impossible to break. Most security software today can remove ransomware but is usually powerless to decrypt the files, so infected users can only recover them by paying the ransom.

But the virus spreading in China this time uses an algorithm of the author's own devising that "has quite a few flaws", so it is relatively easy to crack. The main domestic security vendors have all released their own decryption solutions, which infected users can download themselves.

Wang's analysis is that the virus's author is very likely a "novice" who thought he was only spreading it on a small scale within a forum and never expected it to spread to its current extent.

Some cheat software carrying the virus is still circulating on the internet. He advises users not to casually download software of unknown origin and to scan downloads with antivirus software.

Users should also update their system and software regularly to patch vulnerabilities, and back up important files regularly so that losses after an infection can be kept to a minimum.


Cloud Security Command Center is now in beta and ready to use


If you’re building applications or deploying infrastructure in the cloud, you need a central place to help understand your security posture, put it in a business context, and act on changes. In March, we announced Cloud Security Command Center in alpha, becoming the first major cloud provider to offer organization-level visibility into assets, vulnerabilities, and threats. Starting today, this security service is available to Google Cloud Platform (GCP) customers in beta.

This beta release comes with a number of new features, including:

- Expanded coverage across GCP services including Cloud Datastore, Cloud DNS, Cloud Load Balancing, Cloud Spanner, Container Registry, Kubernetes Engine, and Virtual Private Cloud
- 13 IAM roles added for fine grained access control across Cloud SCC
- New examples of how to generate notifications when changes occur, or to trigger Cloud Functions from a Cloud SCC query
- Ability to view and search for new, deleted, and total assets over a specified time period
- Expanded client libraries including Java, Node, and Go
- Expanded capabilities to manage asset discovery
- Self-serve onboarding via GCP Marketplace
- Self-serve partner security sources, such as Cavirin, Chef, and Redlock, via GCP Marketplace

Cloud Security Command Center (Cloud SCC) provides security teams with insight into infrastructure, configuration, application and data risk so that you can quickly address vulnerabilities, mitigate threats to your cloud resources and evaluate your overall security posture. With Cloud SCC, you can view and monitor an inventory of your cloud assets, be alerted to security anomalies, scan cloud storage to discover where you are storing sensitive data, detect common web vulnerabilities, and review access rights to your critical resources, all from a single, centralized data platform and dashboard.

Trend Micro report: Google DoubleClick ads abused by cryptomining malware



Jinse Finance, Bitcoin, January 30: According to a report published by cybersecurity company Trend Micro, Google's DoubleClick advertising service has been abused by cryptomining malware, affecting many users in Europe and Asia.



On Trend Micro's official "Security and Intelligence" blog, the company revealed that CoinHive, a JavaScript-based miner, uses a computer's processing power to mine Monero and was being spread through Google DoubleClick. More importantly, mining malware such as CoinHive can run without the user's consent.

According to Ars Technica, Google's DoubleClick advertising service is also used by YouTube, the world's largest video-sharing service, so many YouTube users were affected as well.

Trend Micro's report shows that the CoinHive malware connects standalone web miners to a private mining pool, and that the "malvertisement" also contains two different web-mining scripts.

Trend Micro stated:

"The affected web pages display legitimate advertisements while the two mining scripts secretly carry out mining in the background. We speculate that the attackers' use of these ads on legitimate websites is a strategy aimed at reaching more users. DoubleClick ad traffic began climbing steadily before January 18, and by January 24 the number of Coinhive miners had increased sharply."

According to the security report, once a computer is infected, 80% of its processing power is used for mining, which degrades the device's performance.

As previously reported, cryptocurrency mining has been extremely popular in recent months; even companies like oil pipeline giant Transneft have found their systems affected by mining malware. According to a report published last November, CoinHive has become one of the most prevalent malware families.


Migrating to password_verify - Rob Allen


I’ve recently been updating a website that was written a long time ago that has not been touched in a meaningful way in many years. In addition to the actual work I was asked to do, I took the opportunity to update the password hashing routines.

This site is so old that the passwords are stored using MD5 hashes and that’s not really good enough today, so I included updating to bcrypt hashing with password_hash() and password_verify() in my statement of work.

I’ve done this process before, but don’t seem to have documented it, so thought I’d write it the steps I took in case it helps anyone else.

Updating existing passwords in the database

The first thing I did was hash all the passwords in the database to bcrypt with password_hash . As the current passwords are stored in hashed form, we don’t have the original plain-text passwords, so we end up with bcrypt hashes containing the MD5 hashes. This is okay as we can handle this in the login process.

This update is a one-off php script:

    $sql = 'SELECT id, password FROM user';
    $rs = $database->execute($sql);
    $rows = $rs->GetArray();
    foreach ($rows as $row) {
        // wrap the existing MD5 hex digest in a bcrypt hash
        $sql = 'UPDATE user SET password = ? WHERE id = ?';
        $database->execute($sql, [
            password_hash($row['password'], PASSWORD_DEFAULT),
            $row['id'],
        ]);
    }
    echo "Passwords updated\n";

This website uses ADOdb so I just continued using it. The principles apply regardless of whether you’re using PDO or any other database abstraction library.

I also had to update the database schema and change the password column from varchar(32) to varchar(255). The 255 characters is recommended by the PHP manual page as it allows for the algorithm to change again.

Updating login

The authentication code needs updating to deal with bcrypt passwords. It currently looks like this:

    $email = $_POST['email_address'];
    $password = $_POST['password'];
    $sql = "SELECT * FROM user where email = ? and password = ?";
    $rs = $database->Execute($sql, array($email, md5($password)));
    if ($rs->RecordCount() == 1) {
        // valid user
        $_SESSION['user'] = $rs->FetchRow();
    }

In this code, there is a single step that only retrieves the user if and only if the email address and the MD5 of the plain text password match in the database record. If precisely one record is returned, it is assigned to the session.

To use password_verify() , we need a two step process:

1. Retrieve the user via email address
2. Check the retrieved hashed password against the password the user has supplied

Step 1

For the first step, I can retrieve the user by removing the password check from the SQL query:

    $sql = "SELECT * FROM user where email = ?";
    $rs = $database->Execute($sql, array($email));
    if ($rs->RecordCount() == 1) {
        // ...
    }

Step 2

I now need to check the password, which I do with password_verify() :

    if ($rs->RecordCount() == 1) {
        $user = $rs->FetchRow();
        $validPassword = password_verify($password, $user['password']);
        if ($validPassword) {
            // valid user
            $_SESSION['user'] = $user;
        }
    }

This works great for all users who have an updated singly hashed plain text password, but none of my existing users can log in! This is because their bcrypt passwords are an MD5 hash of their plain text password.

To allow all users to log in, we need to also check for an MD5 hash if the password_verify() fails:

    $validPassword = password_verify($password, $user['password']);
    if (!$validPassword) {
        // check for a legacy password: bcrypt over the MD5 hex digest
        $validPassword = password_verify(md5($password), $user['password']);
    }
    if ($validPassword) {
        // valid user
        $_SESSION['user'] = $user;
    }

In this code, we MD5 the password supplied by the user and check again with password_verify against the database record. If it succeeds this time, then the credentials are verified.

Now all our users can successfully log in.

In place migrating

As the login process is the only time when we have the user’s plain text password available to us, this is the ideal time to migrate the user’s password in the database from a hashed MD5 string to a hashed plain text password.

I did this in the code where we checked for the MD5 version, but only if the check was successful:

    $validPassword = password_verify($password, $user['password']);
    if (!$validPassword) {
        // check for a legacy password
        $validPassword = password_verify(md5($password), $user['password']);
        if ($validPassword) {
            // migrate user's record to bcrypt: store a hash of the plain text,
            // never the plain text itself
            $sql = 'UPDATE user SET password = ? WHERE id = ?';
            $database->Execute($sql, [password_hash($password, PASSWORD_DEFAULT), $user['id']]);
        }
    }

Now, every time a user logs in with an MD5 hashed password, we will automatically re-hash their plain text password to bcrypt.

Updating password creation

Finally, I went through and fixed all the code that created a password in the database. This was in the user admin section and the user’s change-password and reset-password pages.

In all cases, I changed:

$password = md5($new_password);

to

$password = password_hash($new_password, PASSWORD_DEFAULT);

password_hash() requires a second parameter which is the algorithm to use. Unless you have a specific reason not to, use PASSWORD_DEFAULT .
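The whole path described above (bulk re-wrap of the MD5 digests, login with the legacy fallback, and in-place re-hashing) as one runnable script. This is an added example, not the post's own code: it uses PDO with a constructed in-memory SQLite table (so the pdo_sqlite extension is assumed) instead of ADOdb, keeps the post's table and column names, and the user and passwords are made up. It also calls password_needs_rehash(), which the post does not mention, so that rows hashed with an older default cost are refreshed on the same login path.

```php
<?php
// Added example, not the post's own code: the complete migration path (bulk re-wrap,
// login with legacy fallback, in-place re-hash) against a constructed in-memory SQLite
// table via PDO, so it runs stand-alone. The table and column names follow the post;
// the sample user and passwords are made up.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, email TEXT, password TEXT)');

// Legacy row as the old site stored it: a raw MD5 hex digest of the plain text.
$db->prepare('INSERT INTO user (email, password) VALUES (?, ?)')
   ->execute(['alice@example.com', md5('correct horse battery')]);

// One-off script: wrap every stored MD5 digest in bcrypt. Read all rows first,
// then write, so the updates do not interfere with an open result set.
function wrap_legacy_hashes(PDO $db) {
    $rows = $db->query('SELECT id, password FROM user')->fetchAll(PDO::FETCH_ASSOC);
    $update = $db->prepare('UPDATE user SET password = ? WHERE id = ?');
    foreach ($rows as $row) {
        $update->execute([password_hash($row['password'], PASSWORD_DEFAULT), $row['id']]);
    }
}

// Login: fetch by email only, verify in PHP, migrate on a successful legacy match.
// Returns the user row or null. password_needs_rehash() also catches rows hashed
// with an older default cost or algorithm.
function login(PDO $db, $email, $password) {
    $stmt = $db->prepare('SELECT * FROM user WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        return null;
    }

    $legacy = false;
    $valid  = password_verify($password, $user['password']);
    if (!$valid) {
        // bcrypt over md5(plain text): the form the one-off script produced
        $valid  = password_verify(md5($password), $user['password']);
        $legacy = $valid;
    }
    if (!$valid) {
        return null;
    }

    if ($legacy || password_needs_rehash($user['password'], PASSWORD_DEFAULT)) {
        // Only here do we hold the plain text, so re-hash it now (never store it raw).
        $db->prepare('UPDATE user SET password = ? WHERE id = ?')
           ->execute([password_hash($password, PASSWORD_DEFAULT), $user['id']]);
    }
    return $user;
}

function stored_hash(PDO $db, $email) {
    $stmt = $db->prepare('SELECT password FROM user WHERE email = ?');
    $stmt->execute([$email]);
    return $stmt->fetchColumn();
}

function check($ok, $label) {
    if (!$ok) {
        throw new RuntimeException("check failed: $label");
    }
}

wrap_legacy_hashes($db);
$before = stored_hash($db, 'alice@example.com');
check(password_verify(md5('correct horse battery'), $before), 'wrapped hash matches md5 form');

check(login($db, 'alice@example.com', 'wrong password') === null, 'bad password rejected');
check(login($db, 'alice@example.com', 'correct horse battery') !== null, 'legacy login accepted');

$after = stored_hash($db, 'alice@example.com');
check($after !== $before, 'row was re-hashed on login');
check(password_verify('correct horse battery', $after), 'plain text now verifies directly');
check(!password_verify(md5('correct horse battery'), $after), 'md5 form no longer accepted');
echo "migration checks passed\n";
```

The checks at the bottom trace what a migrated row goes through: after the one-off script only the MD5 form verifies, after the first successful login only the plain text does. Note that the fallback means an attacker who obtains the old MD5 digests can log in as the user until that user next logs in, so the migration window should be kept short (for example by expiring unmigrated accounts after a deadline).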

That’s it

That’s all the steps that I went through. I would expect that for applications actively maintained, most if not all have been updated by now as PHP 5.5 came out in 2009! However, it wouldn’t surprise me if there are many sites out there that were built by an agency in the past where the client doesn’t actively maintain it, but only asks for updates when changes are required, as in this case.

Session & Token in a Nutshell


Let's look at "keeping state" from the server's point of view.

Session approach: a client comes over and says hello (logs in). Fine, I generate a random string; the client keeps a copy and I, the server, keep a copy. Next time you come back, as long as your string matches the one I have, you're the one who logged in.

Token approach: the goal is just to identify a particular client, so why use something extra (the random string a session relies on)? Let's do this instead: a client comes over and says hello (logs in), and I use an encryption algorithm to encrypt the client's name, the time and other login-related information into a single encrypted string. The client brings that string along every time, and I, the server, verify it with the encryption algorithm: user checks out, time checks out, you're the one who logged in.

The session approach uses a separate mechanism (storing a session ID) dedicated to handling "login";

the token approach uses the "login information" itself to handle "login".
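The token approach in working code, as an added example that is not part of the original note. It uses an HMAC-SHA256 signature rather than encryption (the claims are readable by the client, but cannot be altered without the server's key), which is the usual way the "login information carries itself" idea is implemented; the key, user name and lifetime are constructed for the demo.

```php
<?php
// Added example, not part of the original note: a "token approach" login ticket.
// The login information (user, issue time, expiry) travels inside the token and is
// protected by an HMAC-SHA256 signature instead of encryption, so the server keeps
// nothing per client. Key, user name and lifetime below are constructed.

const TOKEN_TTL = 3600; // token lifetime in seconds (assumption)

function b64url_encode($data) {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode($data) {
    return base64_decode(strtr($data, '-_', '+/'), true); // strict: false on bad input
}

// Server side, at login: build the claims and sign them.
function issue_token($user, $key, $now) {
    $claims = json_encode(['sub' => $user, 'iat' => $now, 'exp' => $now + TOKEN_TTL]);
    $body   = b64url_encode($claims);
    $sig    = b64url_encode(hash_hmac('sha256', $body, $key, true));
    return $body . '.' . $sig;
}

// Server side, on every request: check the signature first, then the time window.
// Returns the claims array, or null when the token must be rejected.
function verify_token($token, $key, $now) {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    list($body, $sig) = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $body, $key, true));
    if (!hash_equals($expected, $sig)) {        // constant-time comparison
        return null;                             // forged, altered, or signed with another key
    }
    $json   = b64url_decode($body);
    $claims = $json === false ? null : json_decode($json, true);
    if (!is_array($claims) || !isset($claims['sub'], $claims['iat'], $claims['exp'])) {
        return null;
    }
    if ($now < $claims['iat'] || $now >= $claims['exp']) {
        return null;                             // not yet valid, or expired
    }
    return $claims;
}

// Walk-through with a constructed key and user.
$key   = random_bytes(32);
$now   = time();
$token = issue_token('alice', $key, $now);

var_dump(verify_token($token, $key, $now + 60));             // accepted: fresh, correct key
var_dump(verify_token($token, $key, $now + TOKEN_TTL));      // rejected: expired
var_dump(verify_token($token, random_bytes(32), $now + 60)); // rejected: wrong key

// A client can edit the claims but cannot re-sign them.
list($body, $sig) = explode('.', $token);
$forged = b64url_encode(str_replace('alice', 'admin', b64url_decode($body))) . '.' . $sig;
var_dump(verify_token($forged, $key, $now + 60));            // rejected: signature mismatch
```

Two design points follow from the note's contrast with sessions: the server cannot revoke an individual token before its expiry without reintroducing some per-client state (a deny list), so keep lifetimes short; and the key is the whole secret, so rotate it and never derive it from anything the client can see.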

Six ‘Lessons Learned’ For Mitigating DDoS Attacks


The world of DDoS is dynamic and evolving. So, when considering the most important features that a DDoS Mitigation should have, it’s always worth examining them in light of recent trends and applying some lessons learned.

That, however, can be a rather time-consuming assignment. But worry not. We’ve done the hard work for you. Here’s a list of our top six ‘lessons learned’ you’ll want to apply if you want to ensure that any mention of the term ‘DDoS’ doesn’t keep you awake at night.

Get Always-on Scalable Mitigation

The biggest and baddest attack, Memcached, came as a surprise with a record-breaking attack in terms of throughput. Reports claim that it surpassed 1 Tbps by using a new, previously unused attack vector: vulnerable Memcached servers exposed to the Internet.

If there’s one thing this teaches us, it’s to always expect the unexpected. In other words, prepare for the worst with an always-on scalable mitigation solution that can handle terabit-scale attacks at any moment.

Protect Yourself Against Today’s and Tomorrow’s Threats

Protecting against unknown threats matters more than protecting against known ones.

Here's why. In February 2018 the Memcached attacks hit their first targets, using around 50,000 unsecured Memcached installations on the Internet as DDoS reflectors. Given the element of surprise, the potential for a damaging attack was high. Soon afterwards, however, the number of exposed servers dropped sharply as operators patched, firewalled or disabled UDP on them. Today there are just 3,500 exposed Memcached installations, so the available amplification, and with it the risk of a damaging attack, is much lower.

The lesson learned: unknown threats have far greater potential for harm. Make sure your DDoS mitigation solution uses techniques such as network behavior anomaly detection (NBAD) and machine learning, which flag traffic that deviates from the network's normal profile and can therefore catch attacks nobody has written a signature for yet.

Get Fast Mitigation

Remember Mirai, the famous digital Godzilla? Mirai increased the frequency of massive attacks because it propagated so easily across poorly secured IoT devices. Even more importantly, it introduced a new attack technique, pulse wave attacks, which produce massive spikes at the target that last only a few minutes. These attacks challenged traditional scrubbing center solutions that divert traffic and often take 10 to 15 minutes to detect an attack and start mitigating it. By the time the scrubbing center had detected an attack, it was already over.

Lesson learned: with subscribers expecting the best quality of experience (QoE) and minimal disruption, DDoS mitigation needs to react in seconds rather than minutes. The faster the better.

Contain Outbound Attacks

The Mirai botnet also intensified an old problem that needs addressing: outbound attacks originating from within the network. Because the botnet propagated so quickly, it infected a great many devices. So many that, when commanded to launch a DDoS attack, they threatened not only the target victim but also the network infrastructure where the compromised IoT devices reside. The outbound flood generated enough congestion to degrade users' QoE and landed the network's address space on DNS-based blacklists.

Lesson learned: to avoid such large-scale damage, a DDoS mitigation solution should protect the network from both internal and external threats, which in practice means watching egress traffic as closely as ingress and being able to pinpoint the infected hosts.

Catch Even the Smallest Attacks

Why should anyone care about small attacks? After all, their impact is insignificant, right?

Wrong!

In fact, the majority of attacks are small, and many simultaneous small attacks add up to a lot of wasted bandwidth. That is what drives an operator into unnecessary infrastructure upgrades. And while a single small attack of, say, 200 Mbps may not be felt in the operator's network, it can disrupt an enterprise network behind a far thinner link.

If you are an enterprise, or a CSP providing a managed anti-DDoS service to enterprise customers, detecting and mitigating small attacks is very important.

Lesson learned: solutions that rely on NetFlow sampling typically run at ratios on the order of 1:10,000. At that ratio a sub-gigabit attack contributes only a few sampled packets per second, which disappear into the normal fluctuation of the baseline, so such solutions cannot reliably detect attacks below roughly 1 Gbps. Inline devices inspect 100% of the traffic and are far more likely to detect and mitigate even the smallest attacks.
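The arithmetic behind that lesson, as an added Python example that is not from the original post. The 10 Gbps link, the 512-byte average packet and the 1:10,000 ratio are assumptions for illustration; the sampled packet count of a steady stream is modelled as Poisson, so the baseline's own jitter is about the square root of its expected count, and an attack is only visible if it rises several such deviations above it.

```python
import math


def packets_per_second(bps, packet_bytes):
    """Packet rate implied by a bit rate at a given average packet size."""
    return bps / (8 * packet_bytes)


def sampled_per_window(bps, packet_bytes, sampling_ratio, window_s):
    """Expected number of sampled packet records in a window under 1:N packet sampling."""
    return packets_per_second(bps, packet_bytes) / sampling_ratio * window_s


def attack_visibility(link_bps, attack_bps, packet_bytes=512, sampling_ratio=10_000, window_s=1.0):
    """How many standard deviations an attack adds on top of the sampled baseline.
    Returns (expected attack samples, baseline noise, signal-to-noise ratio)."""
    base = sampled_per_window(link_bps, packet_bytes, sampling_ratio, window_s)
    attack = sampled_per_window(attack_bps, packet_bytes, sampling_ratio, window_s)
    noise = math.sqrt(base)  # Poisson: a count with mean m fluctuates by about sqrt(m)
    return attack, noise, attack / noise


def minimum_detectable_bps(link_bps, packet_bytes=512, sampling_ratio=10_000, window_s=1.0, target_snr=3.0):
    """Smallest attack that stands target_snr deviations above the sampled baseline noise."""
    base = sampled_per_window(link_bps, packet_bytes, sampling_ratio, window_s)
    attack_samples = target_snr * math.sqrt(base)
    return attack_samples * sampling_ratio / window_s * 8 * packet_bytes


if __name__ == "__main__":
    link, attack = 10e9, 200e6
    for ratio in (10_000, 1):
        a, n, snr = attack_visibility(link, attack, sampling_ratio=ratio)
        print(f"1:{ratio:<6d} 200 Mbps attack: {a:9.1f} samples/s on {n:7.1f} noise -> {snr:5.2f} sigma")
    for w in (1, 60):
        print(f"1:10000, {w:2d} s window: smallest 3-sigma attack = {minimum_detectable_bps(link, window_s=w) / 1e6:7.1f} Mbps")
```

At 1:10,000 a 200 Mbps attack adds about 0.3 standard deviations per second, far too little to alert on, and the smallest 3-sigma attack in a one-second window is close to 2 Gbps; widening the window to 60 s brings that down to roughly 250 Mbps but adds a minute of detection delay, which is exactly the trade-off the "fast mitigation" lesson warns about. Inspecting every packet (ratio 1) puts the same 200 Mbps attack at about 31 sigma.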

Go Real Deep

In May 2018 a new evasion technique was published. It enabled reflected, amplified floods to bypass traditional DDoS mitigation techniques. The attack used DNS amplification, but the reflectors' source port had been rewritten by abusing UPnP port mapping on exposed routers, so the randomized source addresses and ports in the packet headers no longer matched the usual filters (such as dropping UDP from source port 53), and the traffic became extremely hard to filter on headers alone.

Lesson learned: even if you have a solution that can handle any threat, known or previously unknown, you still need one that can inspect deep enough into the payload (deep packet inspection, DPI) to find a distinctive pattern, in spite of the randomization applied to the TCP/IP packet headers.

There are a lot of DDoS mitigation solutions out there. Many of them apply some of the 'lessons learned' mentioned above. But you'll be hard pressed to find one that applies them all. Unless of course, you turn to Allot .
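The point of this lesson in code, as an added Python example rather than anything from the original post: with the transaction ID, source address and source port all randomized, a header-keyed view shows fifty unrelated packets, while the fields the amplifier cannot change (it was asked one query and returns one answer shape) make the flood obvious. The minimal DNS parser, the fingerprint choice and the sample traffic are this example's own constructions.

```python
import random
import struct
from collections import Counter


def encode_qname(name):
    """DNS wire format for a name: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_dns_response(txid, qname, qtype, ancount, answer_bytes):
    """Constructed DNS response: real header and question, answer section stood in for by opaque bytes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, ancount, 0, 0)  # QR=1 RD=1 RA=1, one question
    question = encode_qname(qname) + struct.pack("!HH", qtype, 1)  # class IN
    return header + question + answer_bytes


def parse_dns(payload):
    """Parse header and question section; None if the payload is not a plausible DNS message."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if qdcount != 1:
        return None
    off, labels = 12, []
    while True:
        if off >= len(payload):
            return None
        n = payload[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0 or off + n > len(payload):  # compression pointers do not appear in a question name
            return None
        labels.append(payload[off:off + n].decode("ascii", "replace"))
        off += n
    if off + 4 > len(payload):
        return None
    qtype, _qclass = struct.unpack("!HH", payload[off:off + 4])
    return {"txid": txid, "is_response": bool(flags & 0x8000), "qname": ".".join(labels),
            "qtype": qtype, "ancount": ancount, "size": len(payload)}


def payload_fingerprint(pkt):
    """Fields a reflector cannot vary: they are fixed by the query the attacker chose to send it."""
    d = parse_dns(pkt["payload"])
    if d is None:
        return None
    return (d["is_response"], d["qname"], d["qtype"], d["ancount"], d["size"] // 256)


def header_fingerprint(pkt):
    """What a header-only filter sees: fields the attacker randomizes or the reflector sets freely."""
    d = parse_dns(pkt["payload"])
    return (pkt["src_ip"], pkt["src_port"], d["txid"] if d else None)


def dominant_share(pkts, fingerprint):
    """The most common fingerprint and the fraction of packets that share it."""
    counts = Counter(fp for fp in map(fingerprint, pkts) if fp is not None)
    if not counts:
        return None, 0.0
    fp, n = counts.most_common(1)[0]
    return fp, n / len(pkts)


def build_sample_traffic(seed=7):
    """Constructed capture: 40 reflected responses with randomized txid, port and reflector, 10 real answers."""
    rng = random.Random(seed)
    reflectors = [f"198.51.100.{i}" for i in range(1, 51)]
    pkts = []
    for _ in range(40):  # ANY query for one name, answered by many reflectors, source port not 53
        pkts.append({"src_ip": rng.choice(reflectors), "src_port": rng.randint(1024, 65535),
                     "payload": build_dns_response(rng.randint(0, 0xFFFF), "example.com", 255, 30, b"\xAA" * 1200)})
    for i in range(10):  # legitimate answers to the victim's own resolver: small, distinct names, port 53
        pkts.append({"src_ip": f"192.0.2.{i + 1}", "src_port": 53,
                     "payload": build_dns_response(rng.randint(0, 0xFFFF), f"host{i}.example.net", 1, 1, b"\xBB" * 16)})
    rng.shuffle(pkts)
    return pkts


if __name__ == "__main__":
    pkts = build_sample_traffic()
    print("header view  :", dominant_share(pkts, header_fingerprint))
    print("payload view :", dominant_share(pkts, payload_fingerprint))
```

A filter built on the header view has nothing to key on: no address, port or transaction ID repeats. The payload view shows 80% of the packets sharing one (response, qname, qtype, answer count, size class) shape, which is a pattern a DPI engine can drop on while leaving the resolver's genuine answers alone.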
