如果说曾经有完美的数据泄露包装案例，那就是万豪最新披露的megabreach事件。两周前，这家连锁酒店宣布，万豪旗下的喜达屋酒店客房预订系统曾在2014年遭受过黑客攻击――就在万豪收购喜达屋酒店资产(包括瑞吉酒店、威斯汀酒店、喜来登酒店和W酒店)的两年前――此次攻击可能导致5亿顾客个人信息的泄露。

结果几乎是立竿见影的；就在宣布数据泄露当天，在早盘交易中，万豪的股价下跌了5%，并引发了两起集体诉讼(其中一起索赔125亿美元)。美国参议院也开始探讨对安全违规事件实行更严厉的罚款和规定。到目前为止，一切都很正常。

但万豪数据泄露事件中特别需要注意的是，在并购过程中明显缺乏详尽的网络安全调查。

2016年9月，万豪国际宣布，完成了对喜达屋度假酒店集团的收购，成为了全球最大的酒店集团。万豪在新闻中特别强调，两个品牌合并后，可以向会员提供一流的会员计划。

万豪国际高管们没有意识到，自2014年以来，黑客就已经获得了对喜达屋会员计划的未授权访问，顾客的个人信息暴露无遗，包括姓名、电话号码、电子邮件地址、护照号码、生日、信用卡号等。

然而，如果万豪做足了功课，或许就可以避免现在面临的巨额法律费用和合规性罚款。在当今数字时代，在任何并购过程中，详尽的网络安全调查无疑都是必不可少的。

不光只有安全专家会强调这一点。美国律师协会同样主张“了解收购目标漏洞的本质和重要性、可能发生(或已经发生的)的数据泄露事件的潜在损害范围、目标企业保护自身安全的网络防御措施的范围和有效性都是至关重要的。对这些问题的正确评估可能会对收购方对目标公司的估值以及交易结构产生重大影响。”

不可能每次都能成功缓解每一个威胁，因此网络攻击的代价确实非常大。一次成功的网络攻击以及由此引发的数据泄露会抹杀客户的信任，并摧毁品牌。

当一家公司收购另一家公司时，收购的不仅仅只是资产。还要承担目标公司的风险。简单地说，被收购公司存在的安全缺口会成为收购公司的安全缺口。

此外，缺乏详尽的网络安全调查还会破坏交易的价值驱动因素。在万豪的案例中，一个很大的驱动因素就是喜达屋高价值旅客的保留：他们都是会员计划的一部分。由于这些客户现在面临着更换信用卡号、护照等烦恼，这一价值驱动因素已经不可避免地被破坏了。

企业必须将网络安全纳入到从最高层到IT的每一个业务结构中，这是至关重要的。保护数字资产的安全不能仅仅委托给IT部门；而是必须将安全融入到产品和服务中，也许最重要的是，还要融入到研发计划和业务措施中。以万豪为例，以130亿美元收购喜达屋，就代表了一项涉及董事会、最高层高管和管理人员的战略措施――这些人现在都应该对万豪品牌亲和力的削弱负一部分责任。

正如Radware之前所提到的，当涉及到会员计划时，安全必须从被动的灾难恢复和业务连续性转变为主动防护。如果会员计划的制定针对的是最有价值的客户，那为什么安全性不能和为这些客户提供服务的其他关键业务资产和基础架构保持一致呢？

万豪喜达屋数据泄露事件是一个让人遗憾的案例，这就说明了，为什么在涉及到确保客户体验时，CEO和高管团队必须带头定下基调。如果忽视了网络安全或者将其作为事后的补救措施，潜在的损害就远不止金钱那么简单了。企业声誉就会岌岌可危。

If you’ve been developing software for a while, you know how to generate a random number and perhaps even securely with Java’s SecureRandom class. Unfortunately, generating secure random numbers is not as easy as simply using SecureRandom .

In this java example, we’ve assembled a simple checklist to help you be successful when using secure random numbers in your applications.

Read More : Generate Secure Hash in Java

Generally, random number generation depends on a source of entropy (randomness) such as signals, devices, or hardware inputs. In Java, The java.security.SecureRandom class is widely used for generating cryptographically strong random numbers.

Deterministic random numbers have been the source of many software security breaches. The idea is that an adversary (hacker) should not be able to determine the original seed given several samples of random numbers. If this restriction is violated, all future random numbers may be successfully predicted by the adversary.

If performance is a premier consideration, then use SHA1PRNG , which seeds from /dev/urandom . SHA1PRNG can be 17 times faster than NativePRNG , but seeding options are fixed.

Seeding with NativePRNG is more flexible, but it blocks if entropy is not great enough on the server since it reads from /dev/random . If you don’t know where to begin, start with SHA1PRNG .

Specify your criteria like this:

Following is additional information about supported PRNGs and providers.

The following is a list of PRNGs for the SUN provider:

For information on additional providers, see Java Cryptography Architecture Oracle Providers Documentation for JDK 8 . Oracle also provides documentation describing the providers by OS platform.

Create a new instance of SecureRandom periodically and reseed, like this:

If egdSource , a configuration parameter in the java.security file, or the java.security.egd system property is assigned with a predictable file/URL, then SecureRandom can become predictable.

JRE versions older than 1.4.2 have known problems generating SHA1PRNG secure seeds. Then again, if you’re using versions of Java this old, you have bigger security concerns.

Old versions of Java are very insecure, and staying up-to-date on patches is very important. One of the best ways to keep your customers safe is to quickly certify your software against the most recent Oracle Critical Patch Update possible.

Happy Learning !!

前言

学习iOS签名机制，可参考如下学习路线：

加密解密(对称DES 3DES AES、非对称RSA)--->单向散列函数(MD4、MD5、SHA1-3)--->数字签名--->证书--->签名机制

一、加密解密

1.1 对称和非对称

为了防止传输信息被窃听，需要对传输信息进行加解密。根据密钥的使用方法，可以将密码分为 2 种，即对称密码和非对称密码(也称公钥密码)。对称密码中使用的加密和解密密钥相同，非对称密码中使用的密钥不同。

对称密码算法有 DES、3DES、AES 等。DES 是一种将 64bit 明文加密成 64bit 密文的对称密码算法，密钥长度是 56bit 。由于 DES 每次只能加密 64bit 的数据，遇到比较大的数据，需要对DES加密进行迭代（反复），目前已经可以在短时间内被破解，所以不建议使用 DES；3DES是将DES重复 3 次所得到的一种密码算法，也叫做 3 重 DES，目前还被一些银行等机构使用，但处理速度不高，安全性逐渐暴露出问题；AES 的密钥长度有 128、192、256bit 三种，目前 AES ，已经逐步取代 DES、3DES，成为首选的对称密码算法。一般来说，我们也不应该去使用任何自制的密码算法，而是应该使用 AES，它经过了全世界密码学家所进行的高品质验证工作。

非对称密码算法中，目前使用最广泛的公钥密码算法是RSA。

1.2 如何传输密钥？

对称加密体系中，密钥不能直接传输，否则可能被截取，截获者也能破解密文。有以下几种密钥传输方式：

1、事先共享密钥：即通过非通讯手段，私下直接给出密钥。

2、密钥分配中心：所有密钥有分配中心管理，分配中心通过特殊安全手段下发。

3、借助非对称密码体系：由消息的接收者，生成一对公钥、私钥，将公钥对外公开发给消息的发送者，消息的发送者使用公钥加密消息，接受者使用私钥解密。整个过程只有消息接收者具有私钥，其他任何人没有私钥不具备解密能力。

1.3 混合密码系统（Hybrid Crypto System）

对称密码不能很好地解决密钥配送问题，但是加解密速度快；非对称密码加密解密速度比较慢，但是能很好的解决密钥配送问题。所以采取对称密码和公钥密码的优势相结合的方法（即混合密码系统），可以很好的解决对称密码密钥配送问题以及加解密速度慢的问题。包括 https 中也是采用类似的混合密码系统，https 中的服务端相当于消息接收者，客服端相当于消息发送者。具体步骤如下：

加密步骤：

1、接收者生成私钥和公钥(非对称密码体系)，并将公钥发给消息发送者；

2、发送者生成会话密钥(对称密码体系)，使用会话密钥加密消息，使用公钥加密会话密钥；

3、发送者将加密消息以及机密会话密钥一并发给消息接收者；

解密步骤：

1、消息接收者用私钥解密出会话密钥；

2、再用会话密钥解密出消息；

二、单向散列函数

2.1 单向散列函数特点

单向散列函数又被称为消息摘要函数(哈希函数)，具备以下特点：

可以根据根据消息内容计算出固定长度散列值。散列值的长度和消息的长度无关，无论消息是1bit、10M、100G，单向散列函数都会计算出固定长度的散列值；

计算速度快，能快速计算出散列值，消息不同，散列值也不同；

具备单向性，即可以根据消息计算出散列值，但是根据散列值无法计算出消息；

2.2 常见单向散列函数

MD4、MD5：MD就是Message Digest的缩写，产生128bit 的散列值，目前已经不安全。Mac 终端上默认可以使用 md5 文件名 命令获取散列值。

SHA-1：产生160bit的散列值，目前已经不安全。

SHA-2：SHA-256、SHA-384、SHA-512，散列值长度分别是 256bit、384bit、512bit。

SHA-3：全新标准，目前还在研发中。

2.3 单向散列函数的应用场景

1、单向散列函数可以监测文件是否被篡改，文件被篡改后的散列值和篡改前的散列值如果不同，则说明文件被篡改过。

2、用户密码加密，一般不会将用户密码明文传给服务器保存到服务器对应的数据库中，如果后端数据库被攻破，成千上百的用户账号信息直接将被泄露。所以通常做法是获取密码散列值传给后端，这样服务端也不知道用户密码是什么，所以一般用户忘记密码后就无法找回，只能通过重置密码解决。如果一个平台可以找回密码，说明该平台是不安全的。另外，为了防止用户密码相同或过于简单，增加安全性可以采取先加盐再获取散列值的策略。

用户密码散列值

三、数字签名

3.1 数字签名过程

消息接收者可以借助数字签名的方式来识别消息是否被篡改、保证消息发送者无法抵赖消息。数字签名，其实就是将公钥密码反过来使用。在非对称密码体系中，任何人都可以使用公钥进行加密，只有消息接收者才拥有私钥解密消息；在数字签名中，任何人都可以使用公钥验证签名，只有消息发送者才能拥有私钥，并借助私钥签名。

上图可以看出签名的制作过程，将消息生成对应的散列值，然后消息发送者使用私钥加密消息散列值。发送者会将加密消息和加密的签名一起发送个消息接收者。消息接收者接受到消息后，借助消息发送者的公钥解密消息散列值，同时再用自己的公钥解密消息并生成另一个消息散列值，比较两个散列值，若一样则说明消息没有被篡改，否则消息说明消息被篡改。

3.2 小结

数字签名的作用不是为了保证机密性，仅仅是为了能够识别内容有没有被篡改以及防止消息发送人否认。数字签名其实就是将公钥密码反过来使用。数字签名中用私钥加密，公钥解密；非对称密码中用公钥加密，私钥解密。

四、证书

4.1 证书的作用

如果出现中间人攻击，中间人冒充消息接收者，中间人自己生成公钥和私钥，并将自己的公钥发给消息接收者。所以如果想防止中间人攻击，消息发送者必须确保拿到公钥的合法性。通过证书相关手段可以确保公钥的合法性，消息发送者通常要通过权威机构获取公钥。

证书是由权威机构认证的。密码学中的证书，全称叫公钥证书（Public-key Certificate，PKC），和现实生活中的毕业证、驾驶证等类似，里面有个人信息、此人的公钥以及权威认证机构（Certificate Authority，CA）对公钥施加的数字签名三个部分组成。CA 是指能够认定“公钥确实属于此人”并能够生成数字签名的个人或者组织。

4.2 证书的利用

从上图中可以看出消息接收者需要生成密钥对，并将自己的公钥给权威认证机构，权威机构会用自己私钥对消息接收者的公钥施加数字签名，制作成证书并保存在权威机构的仓库中。于此同时，消息发送者可以通过正规渠道获取拿到权威机构公钥(一般是提前内置的，如 iPhone 设备中包含 apple 的公钥)，并能下载证书，此时可以用权威机构的公钥验证证书的合法性。映射的现实生活相当于：教育机构工作人员从教育机构获取到一个可以用于检测任意学历证书(证书)真伪的工具(权威机构公钥)。

五、iOS 签名机制

5.1 iOS 签名机制作用

iOS签名机制主要是保证安装到用户手机上的APP都是经过Apple 官方允许的，如果篡改了 App 本身的源码或资源文件，签名值将无法对应上，便无法安装。实际开发过程中不管是真机调试，还是发布APP，开发者都需要经过一系列复杂的步骤，这些步骤都是为了防止随意安装 App。

利用签名机制，也可以在原有项目中实现App自签名功能代码，对资源文件、源码、证书签名，在App 启动时做签名校验，当有人改动资源文件，签名校验就会失败，则直接调用 exit 退出 App，为了防止逆向可将该功能相关代码通过 C 语言形式实现或者整个应用实现代码混淆。网上有不少介绍 App 自签名的实现代码，但是笔者认为自签名功能很鸡肋，因为逆向的本质是通过插件的形式更改内存中的代码，一般并非是直接更改源码或资源文件。

5.2 iOS 签名机制作流程

有了上述知识作为铺垫，签名机制流程就很好理解了，如下图：

Mac 设备具有生成公钥和私钥的能力，平时操作钥匙串工具钥匙串访问-->证书助理-->从证书颁发机构请求证书主要目的就是为了生成 Mac 公私钥，之后再将公钥上传到苹果后台，用于制作证书。Apple 本身可以认为是权威机构，Apple 后台可以生成私钥，iOS 设备中有公钥。

1、当运行CMD + R的时候，此时会进行代码签名，即拿 Mac 本地的私钥对应用签名生成 ipa 安装包，ipa 安装包中主要包含应用、签名、资源文件等。

2、将 Mac 本地生成的公钥上传到 Apple 后台，Apple 后台用自己的私钥生成证书文件，证书中包含 Mac 公钥以及签名。

3、选择相应的证书、devices、app id、entitlements(权限)，然后苹果后台用自己的私钥将这些内容签名，并生成描述文件。

4、iOS 设备中包含苹果的公钥，使用公钥验证签名文件，如果验证通过则可以获取证书。于此同时，还会比对相应的devices、app id、entitlements(权限)是否一致。

5、使用iOS 设备中的苹果公钥验证证书签名，如果签名验证成功则会获取到 Mac 公钥。

6、使用 Mac 公钥验证 ipa 安装包签名，如果验证成功则直接安转应用。

5.3 线上 App 签名机制

如果 APP 是从 AppStore 下载安装的，会发现里面是没有 mobileprovision 文件。线上 app 的验证流程简单很多，应用上传到 Apple 后台，Apple 会用自己的私钥进行签名，下载应用的设备中包含 Apple 公钥，应用下载完成，直接可以用设备中的 Apple 公钥进行验证。流程如下：

作者：ZhengYaWei

链接：https://www.jianshu.com/p/fe8212d2520a

2018.12.10晚上，看到有人发tp5命令执行，第一眼看到poc大致猜到什么原因，后来看到斗鱼src公众号的分析文章。这里分析记录一下。

tp的框架启动不具体说了，这里从App::run开始分析。App.php第116行调用routeCheck函数，该函数返回的内容为：

在routeCheck调用$request->path();获取兼容模式s传入的模块/控制器/方法

在routeCheck中会读取route.php中的路由并进行匹配传入的路由，不成功会调用Route::parseUrl处理

，在parseUrl函数1226行调用parseUrlPath函数处理模块控制器方法串，使用/分割

parseurl中把parseUrlPath函数返回的数组：

回到App.php 141行进行执行阶段$data = self::exec($dispatch, $config);

type为module，case分支执行：

在module函数中578行进行了控制器实例化

在592行进行了函数调用

看完5.x我又跑回去看了3.x，从3.2.3一直找到2.2全部由下图代码

腾讯科技讯 据外媒报道，根据道德黑客平台Bugcrowd发布的新数据显示，通过搜索安全漏洞，并在特斯拉等大公司和国防部这样的组织中报告系统的问题，自由职业黑客中的精英分子每年可以赚逾50万美元。

Bugcrowd公司成立于2012年，是少数几家所谓的“漏洞赏金”公司之一，这些公司为黑客提供了一个平台，让他们在希望接受测试的公司中安全地追踪安全漏洞。

黑客们为某家公司制定了一份定义明确的合同，当他们能够在公司的架构中发现一个缺陷时，他们就会得到赏金，而赏金多少取决于问题的严重性。

Bugcrowd首席执行官凯西埃利斯(Casey Ellis)表示，随着该领域数百万个职位空缺，各公司正在越来越多地寻找网络安全测试的替代方案。

据估计，到2021年，可能会有多达350万个网络工作岗位空缺。

埃利斯说，去年，该公司为一家大型科技硬件公司发现一项漏洞而获利11.3万美元。这也是该公司发现一个漏洞而获取的最大收益。数据显示，2018年的支付金同比增长37%。

调查显示，有一半的道德黑客，或者被雇渗透网络和计算机系统的安全专家，报告称都有全职工作。

约80%的人表示，这项努力帮助他们在网络安全领域找到了一份工作。埃利斯说，对于前50名黑客来说，平均每年在这项工作上的收入约为14.5万美元。

据埃利斯说，赚最多钱的黑客有一定的基本技能。

“黑客发现了一种特殊的安全漏洞后，就在不同的公司中反复寻找。他们将走遍网络空间，努力寻找尽可能多的机会来利用这一漏洞，“埃利斯说。

“他们也有很好的侦察技能，能够理解有可能对组织造成最大损害的因素。了解企业如何运作，或其基础设施是如何建设的，对这项工作这真的很有帮助，“他补充说。

虽然Bugcrowd中94%的黑客年龄在18岁到44岁之间，但仍有几个人还在读高中或中学。埃利斯说，进入公司的门槛很低，主要看技能水平。该平台上大约四分之一的黑客没有大学学位。

为了防范网络攻击，公司一直在使用一系列方法，让拥有黑客技能的人测试他们的防御能力。一些公司使用内部渗透测试人员，经常把他们放在所谓的“红队”中，扮演恶意团体角色，以试图摧毁公司服务器或窃取信息。

其他公司则使用提供这项服务的咨询公司，或者像Bugcrowd、HackerOne、Synack和Cobalt这样的根据查找漏洞来发赏金的公司。或者，只要任何人能发现问题，只需向公司发送电子邮件即可。

埃利斯说，根据漏洞发赏金提供了一种更正式的方法，黑客必须遵守规则，例如不能从服务器跳到其他具有更敏感数据的服务器上进行测试。

IJET和特斯拉会根据黑客发现的问题的严重程度，向黑客支付1000至1.5万美元的赏金。万事达卡最多向黑客支付过3000美元。

今年10月，美国国防部将“入侵五角大楼”（Hack the Pentagon）奖项授予 Bugcrowd和HackerOne，以表彰他们的众包项目。（腾讯科技审校/羽佳）

As a big American football fan, I have always been amazed at the amount of preparation the teams and the National Football League (NFL) go through to handle all their challenges every season. There are so many things that have to be considered…especially security! There’s physical security to ensure there are no firearms or other contraband entering the stadium. There’s network security making sure that systems are up and available so that all Web and mobile communications are not impacted by cyberattacks, not to mention making sure television transmissions run smoothly. But let’s think about the energy systems. I know when I attend a Houston Texans game at NRG Stadium, I want air conditioning because…have you experienced Houston humidity? And if it’s a night game, it would be nice to have lights. Anyone remember Super Bowl 47 in 2013? The biggest game of the year was halted for over 30 minutes in the third quarter because of a power outage. Although it was ruled a power surge issue, if it had been a cyberattack, over 72,000 people would have been stuck with no temperature control, no power for food preparation, no point-of-sale systems for retail purchases, and hot beer. The list goes on and on.

The threat against our electrical grid is growing at an alarming rate. We’re just three years removed from the first-known successful attack on an Ukrainian power grid , and according to Kaspersky Labs’ Threat Landscape for Industrial Automation Systems H1 2018 report , more than 40% of Industrial Control System (ICS) components were attacked in the first half of 2018. Just last month at the CyberwarCon forum in Washington, DC, FireEye researchers noted that while the US grid is relatively well-defended, and difficult to hit with a full-scale cyberattack, Russian actors have nonetheless continued to benefit from their ongoing vetting campaign. 20+ years ago, ICS components were not connected to the broader Internet because many of them were never designed to be. Today, it’s a completely different story. With utilities adding more and more connected components, each component must be treated as a potential entry point and cybersecurity must be the number one priority.

If there’s anything that will get a person or organization to comply with anything, it’s a fine. In 2015, NFL player Marshawn Lynch responded to a potential $500,000 fine by showing up at a press conference and answering every question, “I’m just here so I don’t get fined.” Utilities in North America don’t have the luxury of just doing the bare minimum. In response to the 1965 blackout in the northeastern U.S. and southeastern Ontario, Canada that affected 30 million customers, the North American Electric Reliability Corporation (NERC) was formed to promote the reliability and adequacy of bulk power transmission in the electric utility systems of North America. NERC’s critical infrastructure protection (CIP) plan includes standards and requirements to protect the bulk power system against cybersecurity compromises that could lead to instability or power failure. Penalties for non-compliance can include fines up to $1 million USD per day, sanctions or other actions.

In late February 2018, one of the first-ever seven-digit fines against a power company was issued in connection with exposed sensitive data to the tune of $2.7 million USD. According to the penalty notice, a third-party contractor improperly copied data from the energy firm to its own network, exposing more than 30,000 records, including critical cyber assets, IP addresses, and server host names for over 70 days. With larger fines becoming more common, utility companies are caught in the middle ensuring their critical infrastructures are protected while keeping costs down and remaining competitive. Utilities must structure an end-to-end security strategy to protect and integrate both their IT and operations technology (OT) environments.

The time to hesitate is through. We haven’t seen the worst of attack attempts on our power grids.Utilities need scalable solutions to help them adapt and comply with the constantly changing NERC CIP requirements. FireMon can partner with utilities to automate their security policy workflows, optimize their vulnerability management efforts, and get their networks under control with complete visibility, real-time monitoring and continuous compliance checks.There will never be one answer for security, whether you’re trying to keep the lights on for the Super Bowl or protect your utility network. It requires a concentrated and collaborative effort across the board to ensure the physical and network security of your environment. Hopefully, it’s not the bare minimum of “I’m just here so I don’t get fined.”

with us today.

Email and data security company Mimecast has released the results of its latest Email Security Risk Assessment (ESRA) which finds that mail security systems inaccurately deemed nearly 17,000 dangerous files 'safe' this quarter.

That represents a 25 percent increase over the previous quarter. Dangerous file types like jsp, .exe, .dll and .src are rarely emailed for legitimate purposes and can be used launch a cyberattack.

The report also finds 21,183,014 spam emails, 17,403 malware attachments, 42,350 impersonation attacks and 205,363 malicious URLS, all missed by security providers and delivered to users' inboxes. This latest report concludes that an aggregate 12 percent of all secured and filtered email traffic was unwanted emails and thus were false negatives.

"Mimecast has seen an increase in security efficacy versus legacy vendors along with detailed information on the proliferation of threats of all types. The ESRA provides deep insights for our customers on the types of attacks threatening their business," says Lindsay Jack, security service director at Mimecast. "Attacks we are seeing include key executives being targeted with cloud storage services exploits, impersonation attacks targeting legal, finance and administrative assistance as well as social engineering attacks against the C-suite. Mimecast helps organizations understand how they compare with other organizations in their geography or industry vertical. Additionally, these reports provide insights on the rise of new types of malware and key trends in malicious email campaigns."

You can see more detail on the results in the infographic below.

Image credit: Pavel Ignatov / Shutterstock

The malware also overlays HTML-based phishing screens for five apps

Security researchers at Slovakia’s ESET have identified a new banking Trojan that bypasses PayPal’stwo-factor authentication (2FA) to steal funds waiting until users have fully logged in before enabling its exploit.

The multifaceted malware also has a secondary function, downloading HTML-based phishing overlay screens for five apps Google Play, WhatsApp, Skype, Viber, and Gmail an initial list that can be dynamically updated.

ESET discovered the malicious software in November. It masquerades as an Android battery optimisation application in third-party app marketplaces.Once a user downloads the battery application and launches it on their device the app terminates itself, offering no visible functions and proceeds to hide its icon.

While hidden the application carries out its two main functions. The first is the targeting of the PayPal application, if it is installed on the victim’s device.

The malicious application asks the user to give permission to ‘enable statistics’, which it says allows the user to retrieve windowed content and lets them receive notifications when they are using the app.

If the user has the official PayPal app installed the Trojan will display a notification alert asking them to open it.

ESET researcher Lukas Stefanko commented in a security blog that: “During our analysis, the app attempted to transfer 1000 euros, however, the currency used depends on the user’s location. The whole process takes about 5 seconds, and for an unsuspecting user, there is no feasible way to intervene in time.”

The real concern for PayPal customers is that the malicious application bypasses the PayPal two-factor authentication completely. The malware does not steal your PayPal login credentials, instead it waits for you to enter into the application itself before it attempts to redirect money to a different PayPal account.

Lukas Stefanko informed Computer Business Review that: “It automatically tries to send money to the account once the victim logs in. It interacts faster with the PayPal app than the user, so the user doesn’t even have a chance to click on anything to intervene.”

“The attackers fail only if the user has insufficient PayPal balance and no payment card connected to the account. The malicious Accessibility service is activated every time the PayPal app is launched, meaning the attack could take place multiple times,” he added in a blog.

With its secondary phishing function it attempts to scrape credit card details. The first four app overlays are designed to phish for these, as seen in the images below.

However the Gmail overlay is different: “We suspect this is connected to the PayPal-targeting functionality, as PayPal sends email notifications for each completed transaction. With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”

ESET security have informed PayPal about the new Trojan technique they have discovered targeting their application.

We love Greek mythology so we find the Trojan War story interesting. We like the Trojan horse but not the Trojan virus. Unfortunately, the latter is all we can experience. Actually, it’s something you don’t want to see and experience at all. The last related feature was shared last year. Remember the Loapi Trojan? We said it could literally make your Android phone go up in smoke. This time, there’s another Trojan affecting Android mobile users. Specifically, this one preys on PayPal app users and account holders.

The malware was detected last month by ESET. It was found to be misusing some Android Accessibility services. The results vary but the most controversial was the Paypal app users being targeted.

The Trojan is disguised as a battery optimization tool. Good thing it’s not available on the Play Store. You don’t get it from the Android app store but from other third-party stores.

Check if you have the Optimization Android app installed it’s a trojan malware. What happens is that the app terminates and hides the icon. It doesn’t offer any functionality but can do access and target PayPal maliciously to steal money. You may have chosen the ‘Enable statistics’ service but it only pretends to do so.

This is potentially dangerous because a PayPal user’s money may be stolen. The trojan may access PayPal and then send money to an attacker’s address without the knowledge of the account owner.

The ESET tried team to make a transfer but the currency used depends on the location of the user. A 1000 euros were supposed to be sent but good thing the transfer was unsuccessful.

It tricks the PayPal owner to log into the account and even bypasses the app’s 2FA process. The two-factor authentication is important but because of the trojan, it becomes useless.

Other things the malware can do are as follows:

Intercept and send SMS messages

Delete all SMS messages

Change the default SMS app

Obtain the contact list

Make and forward calls

Obtain the list of installed apps

Install app, run installed app

Start socket communication

This trojan isn’t installed from the Google Play Store but there are similar Accessibility Trojans lurking around. There are maliciousapps ready to target users, specifically those in Brazil. The devs already reported those malicious apps. Google did remove some of them from the Play Store.

VIA: Welivesecurity

Story Timeline New virus family discovered, more trojan than just adware Dvmap is a rooting malware, first Trojan with code injection capabilities The Loapi Trojan can literally make your Android phone go up in smoke

2018，是加密货币行业最跌宕起伏的一年，也是遭受黑客攻击最多的一年。

由于人们对加密货币的热情高涨，以及普及度越来越广泛，各种安全问题也随之而来。根据区块链安全公司CipherTrace发布的最新报告显示，今年黑客从加密货币相关平台和交易所窃取的金额高达9.27亿美元，而且黑客攻击数量也达到了去年的3.5倍。

实际上，由于CipherTrace仅统计了公开披露的数据，因此有人认为今年加密货币网络盗窃的金额可能已经超过了10亿美元。正如报告中所述，数据显示今年主要黑客行为包括：

1、定期进行的小规模抢劫；

2、专业的网络黑客利用交易所和交易平台系统暴露的漏洞实施攻击；

3、一些“社交型”工程员工在企业内部工作，泄露安全信息。

有趣的是，研究人员分析了过去五年内的加密货币黑客攻击事件，结果发现只有2018年黑客窃取的加密货币金额最多，其中最令人震惊的一起黑客事件就是日本加密货币交易所CoinCheck被攻击――在这起黑客攻击中，CoinCheck及旗下投资者一共损失了大约5.3亿美元的新经币，这一数字超过了此前著名的“头门沟”Mt. Gox黑客攻击事件，当时Mt.Gox交易所损失金额“只有”8000万美元。

许多人可能会想，为什么黑客会如此成功，轻松就攻破了一家交易所的账户？事实上，这可能是因为CoinCheck将自己的加密货币保存在“热钱包”里而导致的安全漏洞，“热钱包”是一种线上连接的数字存储工具，安全性并没有离线的“冷钱包”那么可靠。

新经币基金会通过一个硬分叉软件更新来追踪被黑客窃取的新经币，也使得那些被盗的新经币变得毫无价值。硬分叉创建了一个标记系统（tagging system），这样黑客就无法使用窃取的新经币进行交易了。

然而，就在CoinCheck交易所被黑客入侵后不到一个月，另一家意大利加密货币交易所Bigrail也遭到了攻击，损失金额高达1.95亿美元。不过有人认为Bigrail交易所内部存在“内鬼”，与黑客里外勾结。根据《财富》杂志报道，Bigrail在黑客攻击的前几周时间“忽然”暂停了所有存款和取款交易，而且还宣布将开始执行身份验证措施，这一系列意外的政策变化导致用户怀疑他们早有预谋，此后意大利政府宣布扣押Bigrail交易所的资产。

在Bigrail遭受攻击之后，黑客还盯上了一些小型加密货币交易所。基本上，这些交易所损失的金额通常在数百、或数千万美元左右。比如韩国加密货币Coinrail被黑客窃取了大约4000万美元的加密货币，幸运的是，该交易所收回了其中三分之二的被窃资金，并且重新退还给了客户。

之后，另一家韩国知名加密货币交易所Bithumb也遭到黑客攻击，虽然损失的金额比Coinrail少一些，但由于Bithumb算是业内知名的交易所，也让社区感到非常惊讶。

此外，以色列代币开发平台及加密货币交易所Bancor也遭受到黑客攻击，损失金额位列今年第五位。由于违规操作，该交易所被黑客攻击损失了2350万美元的资金。作为回应，该平台冻结了价值1000万美元的原生代币BNT，此举说明其平台并不是完全“去中心化”的，也因此一度遭到了社区的强烈抨击。

CipherTrace表示，目前97%的比特币支付都来自于一些没有严格反洗钱法律的国家，而黑客通过比特币洗钱的金额已经达到了25亿美元。不过从好的方面来看，世界上一些国家政府已经意识到问题的严重性，并且开始优化自己的监管政策。

CipherTrace首席执行官Dave Jevans表示：

“如今很多国家地区都在不断优化自己的监管法规，希望构建值得信赖的数字货币中心，以推动经济增长。由于加密货币反洗钱法规在全球范围内进一步普及，我们将看到未来十八个月内的加密货币洗钱问题将大大减少。”

不可否认，随着监管越来越成熟，2019年的加密货币市场将会变得越来越好。

Anytime an executive moves to a new company the first question they get is, “Why did you pick that company?” In the case of Onapsis, I leapt at the opportunity because we have a massive role to play in protecting everything that matters to the Global 2000. Onapsis is attacking a business-critical problem, but from a cybersecurity perspective. Global 2000 enterprises leverage ERP it’s where the crown jewels reside; Financials, Customer Data, any corporate sensitive data, etc. But these complex applications were not designed with security in mind. So guess what? They’re not secure. I’m reminded of the answer Slick Willie Sutton gave when asked why he robbed banks. He said, “Because that’s where the money is!” It’s no different when it comes to ERP.

So, when I hear about a major breach, the spotlight is typically shined on the assets that were stolen and the ways in which the adversary got in (e.g., spear phishing, email, firewall, end-point). Yet there’s very little attention paid to the security of ERP systems. I find it ironic that there seems to be a lack of focus on the fact that in most cases the adversary was targeting the crown jewels , which are largely in ERP. It demonstrates to me that hardening the inner core is the last bastion of defense for the assets which reside in ERP.

The challenge is exacerbated due to the ways companies are structured. CISOs, who know it’s open season on ERP and want to do something about it, often do not have jurisdiction over ERP. And on the operations side, CIOs are often unaware how susceptible ERP is to being compromised at will; even that they are not in compliance in many cases. During my interviews with Onapsis, which were extensive indeed, I asked how often they could prove (being verified by SAP, Oracle) that they were vulnerable to a major attack. Their answer made my jaw drop. They said, “One hundred percent of the time.” Knowing the truth stretching that happens in cybersecurity, I probed further. “Give me an example of something you typically see that is significant.” They explained that they can get onto the network and, without credentials and passwords, get into ERP systems. Once there, they can demonstrate how they could seize the passwords of executives, create an invoice for whatever amount they want, and get paid. Clearly this is not demonstrated in a production SID, but is typically shown in functional copies. That is a big deal.

When you think about what the attackers are after in organizations, it’s usually the financial, customer data or any corporate sensitive data that is considered valuable to the organization. In a company that has a large ERP implementation, all of this data resides in these systems. Once an attacker, internal or external, is past perimeter defenses, this trove of content at the inner core is exposed to any number of attacks that could be detrimental to the organization, and the hackers know it. Years ago, hacktivists started attacks on SAP, which was interesting but not critical. Then you saw more professional cyber criminal organizations come forward with more sophisticated attacks you see some of these activities coming with state sponsorship. And now DHS has issued its 2nd critical alert for business-critical applications.

Onapsis is bringing together CPOs, CIOs, and CISOs the combination of which will allow for better secured business-critical applications and better cross-functional awareness. At the same time we have proven use cases of reducing operational costs and cutting in half the time it takes an enterprise to move to the cloud. Our partnerships with SAP and Oracle are a testament to the importance Onapsis delivers.

And we have friends. Our strategic partnerships with the leading system integrators and MSSPs are natural because they have domain expertise on the operational side (ERP) and the security side. So the Onapsis solution falls perfectly into their sweet spot of service offerings, having a service specific to ERP business implementations and a separate service for information security practices.

When I learned about what the Onapsis Security Platform does for the enterprise and what the Onapsis Research Labs does for the market, I jumped at the opportunity to play a leading role in bringing it to the world. I’m looking forward to applying my expertise in serving customers to an already well-known organization.

散列函数（hash function）对一种对任意输入，都返回一个固定长度输出的函数。常被用来检测信息的完整性，常用的函数有MD5,SHA1等。下载软件时，有的网站会提供一个md5值，下载完成后可以计算软件的md5值，对比是否与网站上的一致。如果不一致，可能是没下完整，也可以是被黑客”改造后”的软件，尽量不要安装。

散列函数应该有以下特点:

同样的输入，保证会有同样的输出。

很难找到其他的输入，使得它的输出与指定的输出相等。保证如果输入的信息被篡改，那输出的散列值变化的概率几乎为1。

第二个特点被称做“弱抗碰撞性”。 碰撞 就是说两条不同的信息，散列值相等。理论上碰撞当然是不可避免的，比如MD5函数固定地返回32位字母和数字的组合。 这个组合有(26 + 10)^32种，但输入的信息是无穷多个可能。所以散列函数无法保证不碰撞，只能尽量让输出保持随机性，降低碰撞的概率。

分流算法是公司做AB测试系统时，将不同的用户分配到不同实验时使用的算法。分流算法需要做到的效果是：

随机性，保证每个实验的用户群体结构类似

指定时间内，同一个用户被分配到的实验id不会变

这两个特点刚好是散列函数的特长。只要把时间因素加入散列函数，就可以保证在指定时间内，输出的不变性，同时随机性也完全有保证。

The new funding will help Tigera accelerate its growth with the rapid

enterprise adoption of Kubernetes

SAN FRANCISCO (BUSINESS WIRE) Tigera, an enterprise software company providing security and compliance

solutions for Kubernetes platforms, today announced the closing of its

Series B funding round of $30 million led by Insight Venture Partners,

with participation from existing investors Madrona, NEA, and Wing.

Tigera plans to use the new funding to accelerate growth to meet the

growing demand of its Kubernetes security and compliance solution at a

critical time as Kubernetes gains traction in the enterprise.

“Kubernetes is gaining momentum within every progressive enterprise,”

said Ratan Tipirneni, president and CEO of Tigera. “These businesses

cannot get their applications to production without strong security

controls and the ability to prove compliance. As a result, we are being

pulled into several hundred projects and will use this funding to meet

that demand.”

Modern microservices based architectures are built using containers and

orchestrated using Kubernetes and present a unique challenge for legacy

security and compliance solutions since these new workloads are highly

dynamic and ephemeral. This new architecture creates an explosion of

internal, or east-west traffic that must be evaluated and secured by the

network and security operations teams. These teams have traditionally

used firewalls to secure network traffic which works well to defend

against external attacks but aren’t effective in handling threats from

the inside. Additionally, given the highly dynamic nature of these

workloads, traditional audit based compliance models break down and a

Continuous Compliance model is required.

Tigera Secure Enterprise Edition (TSEE) secures Kubernetes environments

and ensures continuous compliance using a declarative model similar to

Kubernetes. Under the hood, TSEE authenticates all service-to-service

communication using multiple sources of identity, authorizes each

service based on multi-factor rules, encrypts network traffic, and

enforces security policies at the edge of the host, pod, and container

within the infrastructure for a defense in depth security model. All

connection details are logged in a compliance-ready format that is also

used for incident management and security forensic analysis.

Tigera is the leader in Kubernetes security and compliance. Their

software has become ubiquitous within the Kubernetes ecosystem and is

being used by large enterprises that have adopted Kubernetes. Their

software has been OEMed by Amazon Web Services, Microsoft Azure, Google

Cloud, and IBM Cloud to run their managed Kubernetes Services; as well

as commercial Kubernetes distributions including Docker, Red Hat Open

Shift, and Canonical. Their blend of cloud and on-premises solutions

enable interoperability of security policies between multiple clouds and

on-premises environments which prevents cloud lock-in for Enterprises.

“Tigera is uniquely positioned in the security market as a vast majority

of enterprises have chosen to use the open source platform Kubernetes,”

said Jeff Horing, co-founder and managing director of Insight Venture

Partners. “The market is growing rapidly both with the adoption of

Kubernetes and also with enterprises now ready to go to production and

security and compliance are top of mind. We welcome Tigera to our

portfolio and look forward to helping them scale their business.”

About Tigera:

Tigera provides Zero Trust network security and continuous compliance

for Kubernetes platforms. Tigera Secure Enterprise Edition extends

enterprise security and compliance controls to Kubernetes environments

with support for on-premises, multi-cloud, and legacy environments.

Tigera Secure Cloud Edition is available on the AWS marketplace and

enables fine-grained security and compliance controls for Kubernetes on

AWS and Amazon EKS. Tigera powers all of the major Hosted Kubernetes

environments including Amazon EKS, Azure AKS, Google GKE, and IBM

Container Service. Tigera is also integrated with the major on-premises

Kubernetes deployments and is shipped “batteries included” in Docker EE

and fully integrated with Red Hat OpenShift. Visit us at www.tigera.io

or follow us on Twitter @tigeraio

About Insight Venture Partners:

Insight Venture Partners is a leading global venture capital and private

equity firm investing in high-growth technology and software companies

that are driving transformative change in their industries. Founded in

1995, Insight currently has over $20 billion of assets under management

and has cumulatively invested in more than 300 companies worldwide. Our

mission is to find, fund, and work successfully with visionary

executives, providing them with practical, hands-on growth expertise to

foster long-term success. Across our people and our portfolio, we

encourage a culture around a core belief: growth equals opportunity. For

more information on Insight and all its investments, visit www.insightpartners.com

or follow us on Twitter @insightpartners.

Contacts

Andy Wright

andy.wright@tigera.io

(415)

361-3594

Scott Samson

scott@samsonpr.com

(415)

781-9005

Like Ruby, I’m a big LXDE fan. It’s so light and quite configureable. Ruby is also a command line enthusiast, so it’s no surprise to see terminal listed as an essential program. It’s also interesting that Ruby has only had linux laptops and servers until recently. Anecdotally it seems like some computer users are migrating to desktops, rather than using a laptop for everything. As a home desktop user, I approve of this migration. I love a big, comfortable keyboard and screen that you can’t really move.

You can find more of The Linux Setup here .

You can follow Linux Rig on Google+ here and follow me on Twitter here .

I’m a Linux command line enthusiast! I currently work for Hurricane Labs as a security architect and I specialize in vulnerability management. I also create content related to the command line, so if you want to see my “ #1LinuxThingADay ” or other Linux stuff from me, you can do so on Twitter. I’m @theroxyd .

I’ve never really been much of a windows user except to get things done and log off. When I discovered Linux and that I could do whatever I wanted from the command line much easier than any Windows experience I have ever had, I was hooked. I’m obsessed with finding more and more things I can do with Linux.

It just makes sense to me more than any other operating system I’ve used. I like to try different distros, so I’m all about Linux in its many flavors.

For my desktop, I’m using Lubuntu with LXDE. I also have a cute purple HP Stream that I’ve just put Debian on and I’m using that to develop the command line workshop I’m creating now. Ubuntu and Debian are perfect for my desktop and laptop. Although I’m a Linux nerd, I like to keep it simple when it comes to personal computing.

LXDE. I love how simple and lightweight it is. Especially because my desktop has an Intel chip!

When I’m not surfin’ the web, I’m using terminal. I guess that should come as no surprise given that I enjoy the command line so much.

A recent discovery for me is Shotcut, which is video editing software. I’m hoping to use this more because I want to start making videos which is something I haven’t really used my Linux desktop for previously.

I’m not much of a hardware nerd so I don’t even remember. I’m using a secondhand computer with an Intel Core i5-3330 CPU that had Windows on it.

It’s now my first Linux desktop. Every other Linux OS I had was either on a laptop or server, and I went without a desktop for a long time.

Here’s my desktop screenshot.

Interview conducted February 7, 2018

The Linux Setup is a feature where I interview people about their Linux setups. The concept is borrowed, if not outright stolen, from this site . If you’d like to participate,drop me a line.

You can follow Linux Rig on Google+ here , follow me on Twitter here , and subscribe to the feed here .

Danny O’Brien :

With indecent speed, and after the barest nod to debate, the Australian Parliament has now passed the Assistance and Access Act, unopposed and unamended. The bill is a cousin to the United Kingdom’s Investigatory Powers Act , passed in 2016. The two laws vary in their details, but both now deliver a panoptic new power to their nation’s governments. Both countries now claim the right to secretly compel tech companies and individual technologists, including network administrators, sysadmins, and open source developers to re-engineer software and hardware under their control, so that it can be used to spy on their users. Engineers can be penalized for refusing to comply with fines and prison; in Australia, even counseling a technologist to oppose these orders is a crime.

Levy explained that GCHQ wants secure messaging services, like WhatsApp, Signal, Wire, and iMessage, to create deceitful user interfaces that hide who private messages are being sent to.

In the case of Apple’s iMessage, Apple would be compelled to silently add new devices to the list apps think you own: when someone sends you a message, it will no longer just go to, say, your iPhone, your iPad, and your MacBook it will go to those devices, and a new addition, a spying device owned by the government.

Via Jeffrey Goldberg :

One of the most disturbing things about the Assistance and Access Act is that it apparently authorizes the Australian government to compel someone subject to its laws to surreptitiously take actions that harm our customers’ privacy and security without revealing that to us. Would an Australian employee of 1Password be forced to lie to us and do something that we would definitely object to? We do not, at this point, know whether it will be necessary or useful to place extra monitoring on people working for 1Password who may be subject to Australian laws. Our existing security and privacy design and internal controls may well be sufficient without adding additional controls on our people in Australia. Nor do we yet know to what extent we should consider Australian nationality in hiring decisions. It may be a long time before any such internal policies and practices go into place, if they ever do, but these are discussions we have been forced to have.

December was another month of significant development for Microsoft Threat Protection capabilities. As a quick recap, Microsoft Threat Protection is an integrated solution securing the modern workplace across identities, endpoints, user data, cloud apps, and infrastructure. Last month , we shared updates on capabilities for securing identities, endpoints, user data, and cloud apps. This month, we provide an update for Azure Security Center which secures organizations from threats across hybrid cloud workloads. Additionally, we overview a real-world scenario showcasing Microsoft Threat Protection in action.

Azure Security Center is a sophisticated service designed to help organizations:

With modern organizations now adopting hybrid ecosystems, securing the infrastructure across hybrid cloud workloads becomes more critical. Azure Security Center was developed to address the complexities of the modern infrastructure by helping strengthen your security posture and protect against threats to the infrastructure. Azure Security Center can now provide better visibility over an organizations security state across virtual networks, subnets, and nodes by generating a topology map of the layout of each of these infrastructure components (Figure 1). As admins review the components of the network, Azure Security Center offers recommendations to help quickly respond to detected network issues. Additionally, Azure Security Center continuously analyzes the network security group (NSG) rules in the workload and presents a graph containing the possible reachability of every virtual machine (VM) in that workload.

Figure 1. Network topology map highlighting virtual networks, subnets, and nodes.

Another important enhancement is a new permissions model for Just in Time (JIT) VM access (Figure 2). Azure Security Center has updated its required privileges for a user to successfully request JIT access to a VM from write to read , making it easier for customers to follow the least privilegedRole-Based Access Control (RBAC) model. JIT VM access is used to reduce impact from brute force attacks targeting management ports to gain access to a VM. If successful, an attacker can take control over the VM and establish a foothold into your environment. When JIT access is enabled, Azure Security Center locks down inbound traffic to Azure VMs by creating an NSG rule. Admins select the ports on the VM to which inbound traffic will be locked down. These ports are controlled by the JIT solution. Before, when a user requested access to a VM, Azure Security Center checked a users RBAC permissions for write access for the VM, and now the user must only have read access.

Figure 2. The Azure Security Center highlighting the JIT VM access feature.

Security solutions always sound effective in theory, but in practice, often the capabilities do not match the vision. Microsoft Threat Protection was recently put to the test against a real-world threat known as Tropic Trooper (Figure 3), which has been targeting Asian enterprises in the energy and food and beverage industries since 2012.

Figure 3. Tropic Trooper attack chain.

Seamless integration between disparate services is a core differentiator of Microsoft Threat Protection. During the Tropic Trooper campaign, windows Defender Advanced Threat Protection (ATP) , Azure Active Directory (Azure AD) , and Office 365 ATP services worked in sync, helping ensure the threat was addressed quickly with no adverse impact. The campaign initiated several Windows Defender ATP alerts triggering its device risk calculation mechanism, which ascribed affected endpoints with high risk scores. These endpoints were put to the top of the list in Windows Defender Security Center leading to early detection and discovery of the attack. Windows Defender ATP seamlessly integrates with Azure AD featuring conditional access . During Tropic Trooper, conditional access blocked high-risk endpoints from accessing sensitive content, protecting other users, devices, and data in the network.

The Windows team examined the alert timeline (Figure 4) to further investigate and ultimately remediated the threat. Investigating the alerts, the Windows team uncovered the malicious document carrying the Tropic Trooper exploit. Since signal is shared between Microsoft Threat Protection services, the Windows team used Office 365 Threat Intelligences Threat Explorer to find the specific emails used to distribute the exploit. The investigation also showed that Office 365 ATP blocked the malicious emails at the onset, stopping the attacks entry point and protecting Office 365 ATP customers. Endpoints remained secure through Windows Defender ATPs sophisticated automated investigation and remediation capabilities that discovered malicious artifacts on affected endpoints and remediated them. This sequence of actions ensured that the attackers no longer had a foothold on the endpoint ecosystem and that all endpoints returned to normal working state. Importantly, Microsoft Threat Protection services collectively secured identities, endpoints, and Office 365.

Figure 4. Windows Defender ATP alert timeline for Tropic Trooper.

Take a moment to learn more about Microsoft Threat Protection . Organizations have already transitioned to Microsoft Threat Protection and partners are leveraging its powerful capabilities. Begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace.

Once a year around this time I like to do some “winter cleaning” of my personal security footprint, mostly covering passwords and internet service accounts I have that may be out-of-date, unmaintained, or unneeded.

1Password is a dream for things like this. If you don’t maintain an account, it’s well worth setting one up for the family with their 1Password for Families product tier. Worth every penny.

Good hygiene with passwords has been a perennial problem in internet-land, and the security risk only goes up with seemingly-daily announcements of the next hack or data breach. While those risks are part of our current reality, it’s possible to lower your risk profile with some simple maintenance tasks with 1Password. Here are some general best practices and my personal annual review process.

There’s no excuse not to be using highly complex passwords these days. When creating new 1P entries, you can autogenerate complex passwords. Sometimes you’ll need to tweak the generation parameters to create passwords that are acceptable for certain sites, but it’s worth making sure you’re maximizing the complexity where you can. When I review my accounts, I look for any entries that have less than 1P’s “Fantastic” rating, and sign into those and update them.

1Password has a feature called Watchtower that helps you conduct targeted review to keep yourself secure. Things like compromised or vulnerable logins, reused or weak passwords, or where 2FA isn’t enabled. It’s nice because it checks against a couple of known databases to help keep you on guard. This is the go-to spot to look for areas of attention in the review. It’s worth setting yourself a reminder (quarterly or so) to check here for any changes. If services you rarely use have security incidents, you probably won’t know, so this helps.

Iwrote previously about 1Password’s native two-factor authentication. Wherever possible and recommended I go through my account entries and enable 2FA setups with the one-time passwords configured. Another tip for this is to use a password field type to store the “recovery codes” that most services will generate for two-factor, which allow you to recover your password if something gets hosed. Web services commonly generate these codes in a text file for safe storage, which you can do in 1Password if you want, but I’ve never been a huge fan of the way file storage and linking works in the app. I prefer to copy the codes directly into the 1P database entry anyway.

Shutting down accounts for services you don’t use is another good practice to reduce your exposure to breaches. If you aren’t using or no longer need a service, might as well not have it hanging out there. Since you can sort entries by “date used”, it’s straightforward to comb through ones you haven’t used all year and assess. When I go through my annual review, I always find a couple not worth keeping, so I sign in and spin them down if possible. If they don’t have a public-facing way to delete my account, I usually reset the password to something huge and delete whatever unrequired personal info might be on file (like credit cards and the like).

A few other pointers that factor into my annual review:

With the review done, it feels good to have a renewed sense of security having checked your digital footprint. A well-organized, clean 1Password setup can also be a huge productivity boost. The more services you work within (and the more secure you want your behaviors to be), the more a clean, healthy passwords vault will help you.

“Four years!” As soon as the words left my mouth, I regretted saying them. Not because they were wrong, rather the incredulousness in my voice was instantly met with furrowed brows and folded arms. Across the table was a potential customer, and thanks to my lack of decorum (which should surprise exactly nobody who has met me), this was likely never going to become a paying one.

This organization was in their fourth year of a compliance initiative. My incredulousness was an honest response to a seemingly ludicrous situation. How can an organization spend four years working on compliance?

The answer was what holds back compliance at almost every company.

“So, where are you at with this project?” I asked, with all the sincerity I could muster.

“Well,” the security manager answered, slowly, “we’re evaluating Cylance and Crowdstrike, and Sentinel One, but we already have Symantec. And the network team really hates the LogRhythm SIEM we have, so we have a POC going with Splunk, Sumo Logic, and…”

Ah, Next Shiny Object syndrome , the most pernicious of the advanced persistent threats. Next Shiny Object (NSO) is when an organization remains mired in the endless process of evaluating technologies, rather than actually making those technologies ever fulfill any of their needs.

NSO is the number one reason why compliance and security projects take so long and lead to poor results.

If NSO stalls projects, it is false diligence that causes NSO to happen in the first place. There is this belief among IT and security professionals the more technologies you evaluate, the more likely you will find the “right one” which will solve all your compliance and security headaches.

This manifests in eternal shoot outs, proof of concept, and evaluations of technologies. Giant technology shows stoke this process with splashy demos and wild promises of massive efficiency and security gains. Of course, these promises are as hollow as the demo booths. These products seldom deliver on their promises. And even when they do create improvements, there is an equal increase to administrative overhead that, of course, the vendor never bothers to mention.

NSO is “fake work.” It feels like work. It consumes time, effort, and resources, like work. Yet it does not advance the organization forward. NSO trades the feeling of diligence, for tangible accomplishment and forward momentum.

NSO does, however, satisfy vendors and VARs. These places absolutely adore NSO. Without it, they have no hope of getting a sale. Vendor sales people are master artisans at distracting teams into perpetually looking for something new. They will undermine existing technology, merely to get a POC on the customer’s agenda. They will push an endless stream of “analyst reports” to show how amazing their technology can be. And they will use their most powerful weapon, peer pressure. Nothing gets a weak CIO to a lunch n’ learn faster than name dropping some big important somebody who is using their technology.

Like almost every problem in IT and security, NSO is ultimately the expression of weak leadership. Weak leaders fall for the belief that they must have the best of the best of the best of the best of the best of the best (you can keep adding bests to that). And of course, if the globally dominant big boy company across the street is using the newest tech, well they must have it as well so they can be part of the big boy club. Weak leaders are easily manipulated through feelings of inadequacy. They sacrifice tangible accomplishments for feeling important and adequate. Vendors and VARs feast upon these feelings of inadequacy and stoke them.

However, another reason why NSO happens is because weak leaders simply do not know how to move forward. Compliance initiatives are big, complex projects, that involve a lot of tedious detail. Perpetually evaluating new technologies can ensure than they never have to make a decision that will be scrutinized or challenged. This feeds the whole “fake work” process where they can look and sound extremely busy, without actually accomplishing anything.

Nevertheless, it is not only weak leaders who do this. IT people are unindicted co-conspirators. As a technology person myself, I will fully admit it is much more enjoyable to fiddle around with a new technology than maintain an existing one. Again, vendors and VARs know this, which is why they lavish dinners and lunches on IT people to keep them entranced with the next shiny object.

If NSO is the result of weak leaders, who fall victim to false diligence and selfish interests, the cure for this affliction is to cut off these bad behaviors.

Here is my three step anti-NSO protocol:

Just another way to get fished.

You need to cut off the influence these outsiders have on your people. I am not suggesting being hostile or rude. Rather, prohibit your team from going to vendor lunches or demos. Make the process of vendor engagement more formal. Better yet, work with solution providers like managed security service providers who can abstract the whole vendor relationship entirely.

Keep vendors and VARs away from your team. They will constantly pressure them with stories of how your competitors are wildly successful with their technology. This is solely to get you feeling inadequate and wanting what others have.

Except for payment terminals or user access points, your compliance environment should be in entirely managed in the cloud. To be blunt, there is no reason NOT to move into the cloud.

Once you commit to the cloud, you can automate the deployment, enforcement, and monitoring of security controls dramatically accelerating the compliance effort. Moreover, the number of vendors who are cloud-savvy is much smaller, thereby limiting the vendors you must evaluate in the first place.

The technology you select is largely irrelevant to compliance. The differences between products are minor. It is far more important how those technologies are configured and managed. As such, just flip a coin and go with whatever technology is easiest to acquire (probably something you already have.)

Refocus all this diligence on monitoring, management, and operations. Focus on developing metrics and tools that promote agility and quick response to problems. Promote people who optimize existing practices with automation, rather than buying yet another new tool.

Here is a sobering fact: every single company that has experienced a serious breach in the past ten years owned a NGFW (including the one you have). Most of them also had endpoint security, PCI compliance certificates, and a whole bunch of other endorsements for security.

And none of that mattered.

Your company’s ability to protect data or meet compliance requirements is not dependent on the technologies you own. Rather it is how those technologies are used, monitored, and managed on a daily basis. Spending a ton of money (and time) perpetually looking for the “best of breed” technologies will not solve your problems. You must put your efforts into the operations and optimization of those technologies.

Tigera , a startup that offers security and compliance solutions for Kubernetes container deployments, today announced that it has raised a $30 million Series B round led by Insight Partners. Existing investors Madrona, NEA and Wing also participated in this round.

Like everybody in the Kubernetes ecosystem,is exhibiting at KubeCon this week, so I caught up with the team to talk about the state of the company and its plans for this new raise.

The company says that it didn’t need to raise right now. “We didn’t need the money right now, but we had a lot of incoming interest,” Tipirneni said. The company will use the funding to expand its engineering, marketing and customer success teams. In total, it plans to quadruple its sales force. In addition, it plans to set up a large office in Vancouver, Canada, mostly because of the availability of talent there.

Instead of encrypting everything with a single government key, several government agencies need to provide new public keys every day. The private key must be under the control of a court. Each secure encryption channel needs to subscribe to one or more of those agencies. The court must delete those keys after six months.

Advantages:

Disadvantages

Always remember that in a democracy, the law isn’t about justice but balancing demands. There are people afraid that embarrassing details of their private communicate will be exposed as well as people trying to cover the tracks of a crime.

Right now, there is no better way to determine which communication needs to be cracked open than a normal court case.

Reasoning:

If we used one or a few keys to encrypt everything (just because it’s easier), that would put a huge attraction on this data. Criminals will go to great lengths to steal those. If there are many keys, each one of them becomes less important. The amount of damage each key can cause must be smaller in this case. It would also mean they would have to steal many keys which would raise chances to get caught.

I was wondering if one key per month would be enough but there is really no technical reason to create so few. We have the infrastructure to create one every few seconds but that might be overkill. Once per day or maybe once per hour feels like a sweet spot. Note: When the technical framework has been set up, it should be easy to configure it to a different interval.

If we spread the keys over several organizations, an attack on one of them doesn’t compromise everyone. Also, software developers and users can move around, making it harder for unlawful espionage to track them.

Police officers and secret services should not be left alone with the decision what they can watch. Individuals make mistakes. That’s one reason why you talk to a friend when you make important decisions. Therefore, the keys should be in the hands of the law.

The law isn’t perfect. My thoughts are that we would use the perfect system if it existed. Since we’re using the law, the perfect solution probably doesn’t exist or it doesn’t exist, yet . In either case, using court rulings is the best solution we have right now to balance conflicting demands. The keys could be confiscated when the case is started and destroyed when the case is closed to avoid losing access halfway through the proceedings.

Mistakes will happen. Systems will break, keys will be lost, important messages will become indecipherable, criminals will attack the system, idiots will put keys on public network drives. Is there a way that this can be avoided? I doubt it. Therefore, I try to design a system which shows a certain resilience against problems to contain the damage.

For example, a chat app can request keys from its source. If that fails, it has options: