
Microsoft Open-Sources SEAL, the Simple Encrypted Arithmetic Library


Microsoft's Simple Encrypted Arithmetic Library (Microsoft SEAL) is now freely available on GitHub under the MIT license. It is an easy-to-use homomorphic encryption library developed by researchers in Microsoft's Cryptography Research group.

The library has already been adopted by Intel to implement the underlying cryptography in HE-Transformer, the homomorphic encryption backend for its nGraph neural network compiler. SEAL is written in standard C++ with no external dependencies, so it compiles easily in many different environments.



Homomorphic encryption (HE) is an encryption technique that lets data remain encrypted while still being used in computation. The computation is carried out without any access to the decryption key. The result of the computation is itself encrypted, and only the holder of the decryption key can read it.

SEAL was first released in 2015 and was later used in Microsoft's CryptoNets demonstration, which showed how a trained neural network can be converted into a version that can be applied to encrypted data; Microsoft called the result CryptoNets. The technique allows a data owner to send data in encrypted form to a cloud service that hosts the network. Because the data is encrypted and the cloud provider has no access to the key needed to decrypt it, the data stays confidential. The neural network can nonetheless operate on the encrypted data to produce encrypted predictions, which are returned in encrypted form as well.
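As an added illustration of the CryptoNets workflow described above (not code from SEAL or Microsoft), the following Python example uses the Paillier cryptosystem, which is additively homomorphic, in place of the lattice-based schemes SEAL implements, to evaluate one linear layer of a model on encrypted inputs: the client encrypts, the server computes without the secret key, and only the client can decrypt. The primes, weights and inputs are constructed for the demo.

```python
"""Toy additively homomorphic encryption (Paillier) illustrating the
CryptoNets workflow: the client encrypts its input, the server evaluates a
linear layer on ciphertexts without the secret key, and only the client can
decrypt the result.  Constructed example; SEAL itself implements lattice-based
schemes (BFV/CKKS), not Paillier."""
import math
import secrets


def keygen(p, q):
    """Paillier key pair from two primes (tiny constructed primes in demo())."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    n2 = n * n
    g = n + 1
    # mu = L(g^lam mod n^2)^-1 mod n, where L(x) = (x - 1) / n
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)


def encode(m, n):
    # signed integers are represented modulo n
    return m % n


def decode(m, n):
    # map back into (-n/2, n/2] so negative values survive the round trip
    return m - n if m > n // 2 else m


def encrypt(pk, m):
    """Client side: c = g^m * r^n mod n^2 with a fresh random r."""
    n, g = pk
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and math.gcd(r, n) == 1:
            break
    return (pow(g, encode(m, n), n2) * pow(r, n, n2)) % n2


def decrypt(sk, c):
    """Client side only: needs lam and mu, which the server never sees."""
    n, lam, mu = sk
    n2 = n * n
    m = ((pow(c, lam, n2) - 1) // n * mu) % n
    return decode(m, n)


def add_ct(pk, c1, c2):
    # multiplying ciphertexts adds the plaintexts
    n = pk[0]
    return (c1 * c2) % (n * n)


def mul_const(pk, c, k):
    # raising a ciphertext to a known constant scales the plaintext
    n = pk[0]
    return pow(c, k % n, n * n)


def encrypted_linear_layer(pk, enc_x, weights, bias):
    """Server side: computes w . x + b using ciphertexts and the public key only."""
    acc = encrypt(pk, bias)  # the model's weights and bias are known to the server
    for c, w in zip(enc_x, weights):
        acc = add_ct(pk, acc, mul_const(pk, c, w))
    return acc


def demo():
    pk, sk = keygen(1000003, 1000033)  # constructed small primes, demo only
    x = [3, -7, 12]        # the data owner's private input
    w = [5, 2, -1]         # one linear layer of the hosted model
    b = 4
    enc_x = [encrypt(pk, v) for v in x]          # client encrypts
    enc_y = encrypted_linear_layer(pk, enc_x, w, b)  # server computes blind
    return decrypt(sk, enc_y)                    # client decrypts: 15 - 14 - 12 + 4


if __name__ == "__main__":
    print("decrypted prediction:", demo())
```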

Efforts to standardize homomorphic encryption are now under way; Microsoft, together with other industry leaders including Intel, IBM and SAP, is a member of the homomorphic encryption standardization group.

Microsoft's move to open-source SEAL could be seen as a self-serving one, establishing Microsoft's technology as the standard before the other group members reach any decision, especially given that the standardization article on Microsoft's SEAL page states:

"Because the technology is still so new, and existing libraries vary in functionality and design, we believe an explicit public standardization effort could help."

Microsoft's official position, however, is:

"We look forward to working with the open-source community to continue developing our library. If you are interested, we warmly invite you to join us on GitHub."

More information:

Microsoft SEAL On GitHub

Homomorphic Encryption Group


Permanent link to this article: https://www.linuxidc.com/Linux/2018-12/155850.htm


[Application Security] S-SDLC: the Secure Software Development Lifecycle

0x01 Introduction to S-SDLC

The OWASP Secure Software Development Lifecycle Project (S-SDLC) is the first OWASP research project independently published and led by the OWASP China team, and it has been formally released worldwide. S-SDLC is gaining attention from a growing number of enterprises, which are starting to implement it.

S-SDLC is a secure software development lifecycle: a complete security engineering method aimed at Web and app development vendors, which helps software companies reduce security issues and improve software security quality. The S-SDLC concept derives from Microsoft's SDL; its ultimate goal is to help users reduce security problems and to raise the overall security level at every stage of development.

0x02 Project description and goals

S-SDLC defines the secure software development process and the security activities to be carried out at each stage, including activity guides, tools and templates. The main components are:

Training: a security training curriculum covering security awareness, security fundamentals, the secure development lifecycle process, and specialist security knowledge;

Requirements stage: how to assess the risk of a software product and establish baseline security requirements;

Design stage: secure solution design and threat modeling;

Implementation stage: secure coding standards for mainstream programming languages, secure function libraries, and code audit methods;

Testing stage: test design based on threat modeling, fuzzing, and penetration testing;

Release/maintenance stage: establishing a vulnerability management system.

Project goals:

(1) Define a secure development process for Web and app development enterprises: a dynamic process in which security activities and their requirements are tiered, so that for different kinds of software the security activities performed during development can be chosen according to the product's risk and the resources available, with each activity's inputs, outputs, owners and dependencies made explicit;

(2) Define and develop basic security training courses: set up a security training curriculum, determine what training each role needs and how often, and develop the foundational courses;

(3) Based on practical experience, produce method guidance and templates for each security activity; the main activities are security risk assessment, design review, threat modeling, and threat-model-based testing;

(4) Produce security design guidelines for Web and mobile applications;

(5) Produce secure coding standards (C/C++, Java, PHP, C#);

(6) Integrate existing OWASP projects, such as the Development Guide and the Testing Guide, into the secure software development framework.

0x03 S-SDLC in practice

To meet enterprises' demand for secure software development, a number of vendors have launched S-SDLC security consulting and integrated "platform + tools + services" solutions.

Overview of the SecZone S-SDLC Solution V2.0:


[Image source: http://www.seczone.cn/2018/08/01/s-sdlc%E8%A7%A3%E5%86%B3%E6%96%B9%E6%A1%88v2-0/]

1. Security training

Security training tailored to the actual needs of the industry and the enterprise.

2. Security requirements

The goal of this stage's security activity is to introduce security requirements during requirements analysis, so that the system gains defined security functions and its overall security improves. Security requirements are raised by the business requirements owner, and the development team and the security team jointly complete the security requirements analysis.

Security staff need to think about security risk from the business's perspective and then draw on their offensive and defensive experience to better identify and avoid security risks, producing a security requirements checklist.

3. Security design

During the design stage, carefully consider the system's security design and user privacy.

4. Secure development

Define development standards for developers and embed the security solution in those standards so that it is actually implemented, making it easier for developers to write secure code.

5. Security testing

Based on the OWASP Testing Guide v4 framework, build a Web application security testing standard and produce penetration test reports.

6. Secure deployment/operations

Vulnerability, patch and security incident management.

Security baselines: hardening standards for operating systems, databases and middleware.

References:

[1] Lightweight Application Security Development Lifecycle Project (S-SDLC)

https://www.owasp.org/index.php/OWASP_Secure_Software_Development_Lifecycle_Project

http://www.owasp.org.cn/owasp-project/S-SDLC

[2] [Trading Technology Frontier] Exploration and practice of S-SDLC at securities firms

https://mp.weixin.qq.com/s/CzZmM4nAVGREczfBqRc69Q

[3] SecZone S-SDLC Solution V2.0 overview

https://mp.weixin.qq.com/s/Fezu2YS39fEKlz972j2K6A

Does your organisation need a CISO?


It seems like every time we turn on the news we’re confronted with a story about a high-profile company suffering a major data breach that has affected thousands, if not millions of their customers.

Unfortunately, we’re in danger of becoming immune to these stories, seeing them as nothing more than business as usual.

The truth is, data security has never been more important. The introduction of the EU’s General Data Protection Regulation (GDPR) was testament to that, forcing companies across the globe to get serious about how they collect, store and destroy the personal information of their customers.

The state of California has also passed its own law that mimics GDPR in order to boost the rights consumers have surrounding their own data.

As a result, a growing number of companies are actively hiring a dedicated CISO/CSO (Chief Information Security/Chief Security Officer) to help them handle sensitive data and mitigate the very real threat of data leaks or breaches that can cost organisations both financially and in terms of reputation amongst their customers.

According to Ponemon Institute's 2017 Cost of Data Breach Study, in 2017 the average cost of a data breach across the ASEAN region was US$2.29 million. The report also found that appointing a CISO could reduce the cost of such a breach by about US$5 per stolen record.

While hiring a CISO has clear benefits, it doesn't guarantee your business won't be hit by a cyberattack. However, there is very little downside to improving internal security practices and hiring someone with a fundamental understanding of how security systems work.

The role of the CISO

As the nature of the threat landscape has evolved over the past few years, so too has the role of the CISO. A position that was once purely focused on the technical has now become more business orientated, with CISOs needing to take a proactive and business-focused approach to security.

While the role still oversees the hiring of an internal security team, CISOs must now also take responsibility for deploying security hardware, setting, reinforcing and updating a company-wide security strategy and auditing current systems to monitor any potential security flaws and mitigate future risks.

With different countries and continents implementing their own data governance laws, having a dedicated CISO can also prove crucial in allowing your organisation to conduct business overseas.

Why CISOs matter more than ever in 2019

Between 27th June and 4th July this year, a cybercriminal gang stole the medical records of 1.5 million citizens from one of Singapore's biggest healthcare groups, SingHealth.

The hackers used a malware-infected computer to gain access to the database, but officials said there had been a sustained and specific attack against the Prime Minister, Lee Hsien Loong, whose medical records were stolen in this breach.

In July 2016, Vietnam Airlines suffered a data breach that saw hackers get their hands on the personal information relating to 410,000 customers. The attack was carried out by self-proclaimed Chinese hackers who compromised the national flag carrier’s website.

The data stolen, which was then leaked on the internet, belonged to VIP members of the airline’s Lotusmiles scheme. It included names, birthdays and addresses.

Despite the continued growth of the digital economy throughout the ASEAN region, levels of cybersecurity readiness fluctuate significantly from country to country. To date, Malaysia, Singapore and the Philippines have some data privacy laws in place.

Furthermore, a report by A.T. Kearney states that the region is a hotbed for cyberattacks, with countries like Vietnam and Indonesia playing host to significant amounts of suspicious web activity and malware launch pads.

As a nation, Singapore has a robust cybersecurity infrastructure. However, research by ServiceNow has shown that CISOs in Singapore are, on average, lacking the resources necessary to make their company’s security strategy a success.

However, earlier this month, the Data Protection Excellence Network announced plans to provide better support for recruiters in boosting the number of Data Protection Officers (DPOs) in the region.

Advertised positions for data privacy experts in Singapore grew 23% year-on-year in September 2018, compared to the same period last year.

Unfortunately, this is not enough to mitigate the security concerns dominating the rest of the continent.

An overwhelming 75% of CISOs in Asia are worried that data breaches are going unaddressed, with a further 71% raising concerns about their ability to even detect the breach in the first place.

Does your organisation need a CISO?

For the majority of large scale organisations, employing a CISO makes sense from both a financial and a security perspective.

As the threat landscape becomes harder to navigate, leaving the safety of personal data to chance is a risk most companies are no longer willing to take.

However, for smaller companies that lack the budget, structure or means to hire a dedicated security officer, there are other alternative solutions that can be put in place.

Traditionally, the CIO would take responsibility for data security, so absorbing the role of the CISO back into that of the CIO could help to temporarily bridge the security gap.

The bottom line is that whether it's your CISO, your DPO or someone else inside your company who has responsibility for your security strategy, ensuring they have the budget and support they need to do their job is fundamental.

As threat actors get smarter and cyberattacks become more sophisticated, the security of your company and the data it holds is far too valuable to be left at risk.

Retailers: Avoid the Hackable Holidaze


The most wonderful time of the year? Sure, but not if your business and customers are getting robbed.

Andy Williams had it right when he sang about the holidays being the most wonderful time of the year. With all the gift-giving, festivities, parties, feasting, and family events, the holiday season is the perfect way to end the year. For retailers, this is doubly true, as many will earn more profit over the holidays than at any other time. However, retailers also need to be wary, because hackers will be looking to turn a profit, too, at the expense of legitimate businesses and their customers.

These hacking Grinches will certainly try to steal Christmas, but a good defense can ensure that they get nothing but lumps of well-deserved coal in their stockings. Most attackers will follow the same tired-but-tested attack patterns that have been so successful in the past. Here are the most popular vulnerabilities that attackers will try to exploit this holiday season.

Point-of-Sale Machines

Almost every retail store in existence has at least one point-of-sale (POS) machine to quickly process credit cards and allow their customers to make transactions. Some of the largest retailers may have hundreds of machines in a single location, or thousands of them deployed worldwide.

There are a few ways that attackers can exploit this. One of the easiest scams is to install skimmers on unguarded machines, which capture credit card data from customers who use them. Another more advanced form of attack is inserting malware into a POS device, which could compromise an entire organization. That is what recently happened to Saks Fifth Avenue and Lord & Taylor stores, which ultimately lost over 5 million customer records.

With more people wandering around stores during the holidays, be sure that POS machines are never left unattended or unguarded. Ideally, they should be secured, powered down, or locked when not in use or whenever they aren't being actively monitored. Access points such as USB ports should also be disabled or physically sealed because even an employee innocently charging his phone might inadvertently allow malware to slip into the POS system that way.

Applications and Social Media

Stores can ramp up the engagement of their customers by charming them on social media platforms or by creating specific apps to deliver news and coupons. This can be successful if done right but can also extend vulnerabilities.

Retailers should be wary about collecting personal information from users via social media or through applications because they may not have direct control over that information or where it's stored. Best Buy, Sears, and Kmart found this out the hard way after outsourcing their chat and customer service applications to a company that was hacked using malware.

Attackers gained information such as credit card numbers, home addresses, phone numbers, and other personal information on customers from those stores. And, although this was a third-party breach, customers laid blame on the retailers.

Other Vendors

The nature of retail today, especially for large or expanding organizations, is such that some of the most insidious attackers don't even need to enter a store in order to perform a successful attack that can do a lot of damage. Even if a retailer has good cybersecurity and has secured all of its POS machines, it still might be vulnerable because of its interactions with third-party vendors or companies with which they interface as part of their supply chain.

Far too many retailers have learned this hard lesson. Perhaps the most famous third-party breach was at Target, which had millions of its customer records compromised. The attackers in that case didn't attack Target computers directly, but instead compromised an HVAC provider and used its credentials to access database systems.

To protect themselves, retailers must constantly assess the levels of access given to third-party vendors that provide goods and services or that work within the retail supply chain. As many corporations now do with their internal users, third-party retail vendors should be given the least amount of privilege necessary in order to perform their jobs. A vendor that distributes goods ― candy, dog food, or anything else ― might need limited access to some systems in order to help track orders or report on deliveries. But it doesn't need admin access to your entire network.

The ongoing assessment should involve looking at all third-party vendors and enforcing least privilege across the board. Some vendors ―outsourced accountants, for example ― may require a high level of access to critical systems. For them, additional security checks and monitoring should be required. Third-party vendors should know that they will be monitored as part of their contract and can be fired if they don't maintain adequate cybersecurity. That may seem harsh, but it must be done in order to protect your retail organization and your customers.

Happy Holidays

Attack attempts against retailers will certainly ramp up during the holidays. But knowing some of the most dangerous vulnerabilities can help retailers stop them in their tracks. The holidays are the most wonderful time of the year ― and with a little work and a lot of vigilance, it can also be one of the safest for retailers and their customers.

Fancy Bear exploits Brexit to target government groups with Zebrocy Trojan


Researchers tracking the Fancy Bear threat group have revealed the persistent targeting of NATO-aligned nation-states through a new campaign.

According to researchers from Palo Alto Networks, the latest wave of attacks, labeled the "Dear Joohn" movement, is also moving against former USSR nation states.

In a blog post this week, the team said that Fancy Bear -- also known as Sofacy, APT28, STRONTIUM, Pawn Storm, and Sednit -- is striking groups with political ties, as well as private organizations.

The APT has been active from at least 2014 and has been linked to cyberattacks against the US Democratic National Committee (DNC), the World Anti-Doping Agency (WADA), the Ukrainian military, and many others. It is generally believed the threat actors are sponsored by the Russian government.

Fancy Bear has also recently been connected to Earworm, a separate Russian hacking group, due to the potential sharing of tools and infrastructure.

The campaign has been given a fresh edge of late with the increased deployment of weaponized documents under the name "Joohn" which execute the Zebrocy and Cannon tools.

Over October and November this year, targets located across four continents have become the recipients of Joohn documents.

Nine samples were collected by Palo Alto from would-be victim organizations, including foreign affairs offices and government entities. In each case, the preliminary attack vector was spear phishing, with file names crafted to reference current political issues such as Brexit, the Lion Air crash, and rocket attacks in Israel.

Recipients of these messages, sent from email addresses which looked similar to legitimate government entities, would be asked to download malicious Microsoft Word files.

These documents would then retrieve a malicious macro and request permission from the user to enable macros in order to infect the victim's system.

"The majority of delivery documents contain a generic lure image requesting the victim enable macros with no additional content, the adversaries seemingly relying solely on lure filenames to entice victims to launch the malicious document," the researchers said.

Some of these lure images would include NATO EOD seals. One example obtained by the firm contained instructions in Russian, which the team says "may indicate the intended target was a Russian speaking nation-state."


If Fancy Bear's command-and-control (C2) servers are active when the document executes, the macro is loaded via a remote template. However, if inactive, the enable macros prompt never appears.

The Joohn author name was used in the majority of the documents obtained, as well as in the remote templates. It also appears that the IP-based C2s used in the Dear Joohn campaign are separate from other infrastructure used by Fancy Bear.

Once executed, the documents deliver the Cannon and Zebrocy Trojans. A number of Zebrocy variants are used by the attackers and are written in languages including Delphi, C#, and VB.NET.


Researchers had previously only known about the Delphi variant.

The Trojan is able to gather system data and send this to the C2 server via HTTP POST requests, receiving and executing in return payloads such as the open-source penetration testing kit Koadic.

The first known sample of Cannon was collected in April this year. The C# tool is believed to come in at least seven different flavors and functions as a downloader by sending emails to the C2 server to obtain additional payloads.

However, Cannon is also equipped with the means to gather system information, take desktop screenshots, and maintain persistence through a variety of mechanisms.

"We believe we have also found a Cannon variant written in Delphi," Palo Alto says. "We have seen Sofacy using multiple languages to create variants of the Zebrocy Trojan, so it seems fitting that the group would create additional variants of Cannon in multiple programming languages as well."


"The group clearly shows a preference for using a simple downloader like Zebrocy as first-stage payloads in these attacks," the researchers added. "The group continues to develop new variations of Zebrocy by adding a VB.NET and C# version, and it appears that they also have used different variants of the Cannon tool in past attack campaigns."

Back in September, ESET researchers revealed a separate Fancy Bear campaign which utilizes LoJack in what may have been the first documented case of a UEFI rootkit in the wild.

The team said the rootkit was found bundled with the legitimate LoJack system recovery toolset, which is able to patch a victim's system in order to install malware at the firmware level.

SIMalliance: A new 5G SIM card is necessary to beef up network security


As the first standards-compliant 5G cellular devices are on the edge of release, it might be too late to change the key technologies inside them. But an association representing 90 percent of the global SIM industry is now urging cellular carriers to adopt a new 5G SIM card before they launch 5G services, a move that promises to enhance network security, user privacy, and battery life for the next generation of mobile devices.

The non-profit SIMalliance suggests that practical and timing considerations will push carriers to consider three different types of 5G SIM cards: "transitional," "recommended," and "low power" alternatives. Transitional cards can be thought of as basic keys that let early 5G devices join 5G networks, including new 5G security protocols and secure temporary keys, plus support for over-the-air SIM updates and app management, but little else to improve the quality of a user's experience. As the word transitional suggests, SIMalliance sees this sort of card as being used only in the earliest stage of 5G adoption by carriers.

By comparison, the “SIMalliance Recommended 5G SIM” promises to leverage the full power of the 5G standard, and be the “most future-proof” option. In addition to supporting enhanced 5G security, this SIM would protect the identities of 5G users using encryption, support multiple quality of experience features, and use device-specific resource optimization tools to prioritize multimedia content and local roaming performance.

A low power 5G SIM would be a variation on the recommended card, designed specifically for Internet of Things devices. It would have most of the recommended card's features, but omit the subscriber privacy options while adding multiple protocols to support extended battery life. In addition to containing device-specific personalization details that would reduce network communications, this card could negotiate data activity levels with the device to conserve energy, and be capable of storing its status before switching off. The card could also be locked to the device or device type, preventing a traffic light SIM card with unlimited service from being stolen and placed in a phone.

"A SIM is the only platform which can be used to secure 5G network access according to the 5G standardization body, 3GPP," explained SIMalliance Chairman Remy Cricco. "On behalf of the SIM industry, SIMalliance advocates only one type of 5G SIM which promotes the highest levels of security and functionality in 5G networks. By deploying the SIMalliance Recommended 5G SIM at 5G launch, MNOs will offer their customers the best possible experience, services, security and privacy, while optimizing their investments and positioning themselves to realise the full potential of 5G as future use cases and possibilities unfold."

If you're interested in a deeper dive on the technical features expected to be supported in 5G SIMs, a full description of the 3GPP Release 15 5G SIM Card proposals is available here. It remains to be seen whether "recommended" 5G SIM cards will be able to arrive in the first wave of 5G smartphones expected in early 2019, or whether carriers will continue with transitional alternatives for some time.

Real-Time Attacks Against Two-Factor Authentication


Attackers working on behalf of the Iranian government collected detailed information on targets and used that knowledge to write spear-phishing emails tailored to the targets' level of operational security, researchers with security firm Certfa Lab said in a blog post. The emails contained a hidden image that alerted the attackers in real time when targets viewed the messages. When targets entered passwords into a fake Gmail or Yahoo security page, the attackers would almost simultaneously enter the credentials into the real login page. If a target's account was protected by 2FA, the attackers redirected the target to a new page that requested the one-time password.

App Transport Security on macOS


With Xojo 2018 Release 4, we updated the macOS SDK to 10.14. This means that App Transport Security is now something you need to be aware of for your Mac apps.

From Apple's docs:

Starting in iOS 9.0 and OS X v10.11, a new security feature called App Transport Security (ATS) is available to apps and is enabled by default. It improves the privacy and data integrity of connections between an app and web services by enforcing additional security requirements for HTTP-based networking requests. Specifically, with ATS enabled, HTTP connections must use HTTPS (RFC 2818). Attempts to connect using insecure HTTP fail. Furthermore, HTTPS requests must use best practices for secure communications.

I first talked about App Transport Security when it started affecting iOS. Starting with Xojo 2018 Release 4, this change matters to your Mac apps because Xojo is now using the updated Mac libraries that have this requirement. Simply stated, it means that if your Mac apps use URLConnection, Xojo.Net.HTTPSocket, HTTPSocket (now deprecated), HTTPSecureSocket or HTMLViewer, then your URLs have to be secure and use https. If they are not secure, you will either get an error returned or no page displayed.

If you are relying on other services or URLs that do not yet support https, then what do you do? Apple has provided a workaround: you have to specify an exemption in your plist file. In the plist you identify the specific URLs for which you want to allow unsecured connections. To do this, create a text file called Info.plist, add this content to it and drag the file to the Navigator to add it to your project:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>NSAppTransportSecurity</key>
<dict>
<key>NSExceptionDomains</key>
<dict>
<key>firstsite.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
<key>secondsite.com</key>
<dict>
<key>NSIncludesSubdomains</key>
<true/>
<key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
<true/>
</dict>
</dict>
</dict>
</dict>
</plist>

Replace the domain names (or add more) based on your needs. You can also allow all unsecured connections:

<key>NSAppTransportSecurity</key>
<dict>
<!-- Include to allow all connections; avoid if possible -->
<key>NSAllowsArbitraryLoads</key>
<true/>
</dict>

Keep in mind that Apple may reject your App Store submission if you allow arbitrary URLs without a good reason.
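Because these exemptions are easy to leave in a shipping build, it helps to audit them before submission. The following added Python example (not Xojo's or Apple's code) parses an Info.plist with the standard library and reports whether arbitrary loads are enabled and which exception domains permit plain HTTP; the sample plist is constructed to mirror the exemption above, and the newer NSExceptionAllowsInsecureHTTPLoads key is checked alongside the NSTemporaryExceptionAllowsInsecureHTTPLoads key used above.

```python
"""Audit the App Transport Security settings in an Info.plist.  Added
example, not Xojo's or Apple's code: reports whether arbitrary insecure
loads are allowed and which exception domains permit plain HTTP, so a
reviewer can see exactly what an App Store submission is asking for."""
import plistlib

# Constructed sample mirroring the exemption shown above, plus one domain
# that only sets NSIncludesSubdomains and therefore stays HTTPS-only.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>NSAppTransportSecurity</key>
  <dict>
    <key>NSAllowsArbitraryLoads</key>
    <false/>
    <key>NSExceptionDomains</key>
    <dict>
      <key>firstsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <true/>
        <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>
        <true/>
      </dict>
      <key>secondsite.com</key>
      <dict>
        <key>NSIncludesSubdomains</key>
        <false/>
      </dict>
    </dict>
  </dict>
</dict>
</plist>
"""

# Either key opens a domain to plain HTTP; the "Temporary" spelling is the
# older name and the other is the one Apple later documented.
INSECURE_KEYS = ("NSExceptionAllowsInsecureHTTPLoads",
                 "NSTemporaryExceptionAllowsInsecureHTTPLoads")


def audit_ats(plist_bytes):
    """Return a dict summarising the ATS exemptions in the given Info.plist."""
    info = plistlib.loads(plist_bytes)
    ats = info.get("NSAppTransportSecurity", {})
    report = {
        "arbitrary_loads": bool(ats.get("NSAllowsArbitraryLoads", False)),
        "insecure_domains": [],          # domains allowed to use plain HTTP
        "other_exception_domains": [],   # listed but still HTTPS-only
    }
    for domain, opts in ats.get("NSExceptionDomains", {}).items():
        insecure = any(opts.get(k, False) for k in INSECURE_KEYS)
        entry = domain + (" (+subdomains)" if opts.get("NSIncludesSubdomains") else "")
        bucket = "insecure_domains" if insecure else "other_exception_domains"
        report[bucket].append(entry)
    return report


if __name__ == "__main__":
    for key, value in audit_ats(SAMPLE_PLIST).items():
        print(f"{key}: {value}")
```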

For additional information, refer to the Using a plist, URLConnection, Xojo.Net.HTTPSocket and HTMLViewer pages in the Docs.

Need easy server hosting with 1-click SSL support so you can avoid App Transport Security exemptions? Be sure to check out Xojo Cloud!


Cisco Coverage for Shamoon 2 & 3


Update Dec. 14, 2018 10:30 CST: Added new Shamoon 3 IOCs

Shamoon is a type of destructive malware that has been previously associated with attacks against various organizations in the oil and gas industry that we've been tracking since 2012. A new variant of this threat, identified as Shamoon 2, has been used against several compromised organizations and institutions. Throughout 2017, Talos observed an increase in Shamoon 2 activity and responded to ensure our customers remained protected.

On Dec. 10, Talos observed a new Shamoon 3 variant (c3ab58b3154e5f5101ba74fccfd27a9ab445e41262cdf47e8cc3be7416a5904f) that was uploaded to VirusTotal. While it is unclear where this sample came from, it shares many of the characteristics of the Shamoon 2 variant. Talos once again responded to ensure our customers are protected with all the existing coverage mechanisms. Additionally, Talos will continue to monitor for new developments to ensure our customers remain protected.

Propagation

Shamoon 2 has been observed targeting very specific organizations and propagating within a network via network enumeration and the use of stolen credentials. Some of the credentials are organization specific from individuals or shared accounts. Other credentials are the default accounts of products used by the targeted customers.

Coverage

Coverage for Shamoon 2 is available through Cisco security products, services, and open source technologies. Note that as this threat evolves, new coverage may be developed and existing coverage adapted or modified. As a result, this post should not be considered authoritative. For the most current information, please refer to your FireSIGHT Management Center or Snort.org.

Snort Rules

23893, 23903, 23905-23933, 24127, 40906

ClamAV Signatures

Win.Dropper.DistTrack-*
Win.Trojan.DistTrack.*
Win.Malware.DistTrack.*

AMP Detection

W32.GenericKD:Malwaregen.20c3.1201
W32.Malwaregen.19nb.1201
W32.47BB36CD28-95.SBX.TG
W32.Generic:Malwaregen.20c3.1201
Win.Malware.DistTrack
W32.128FA5815C-95.SBX.TG
W32.C7FC1F9C2B-95.SBX.TG
W32.EFD2F4C3FE-95.SBX.TG
W32.010D4517C8-95.SBX.TG
Win.Malware.DistTrack.Talos

Other Mitigation Strategies

Recent Shamoon 2 activity serves as a good reminder that users and organizations need to have a comprehensive disaster recovery plan. No one can say for certain whether you will be targeted by destructive malware, but we can say with 100% certainty that all drives fail. Without a proper system to back up and restore your data, you risk losing it permanently. Ensuring your assets are properly backed up and can be quickly restored is critical should a system become compromised by Shamoon, ransomware, or other destructive malware and require a complete restoration.


Advanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these threat actors.

CWS or WSA web scanning prevents access to malicious websites and detects malware used in these attacks.

Email Security can block malicious emails sent by threat actors as part of their campaign.

The Network Security protection of IPS and NGFW has up-to-date signatures to detect malicious network activity by threat actors.

AMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.

IOCs

Shamoon 2

ThreatX Recognized as a Finalist for Best Web Application Solution


We are thrilled to have been selected as a finalist in the SC Media Awards for Best Web Application Solution in the Trust Awards Category. As many of you are aware, the SC Awards are viewed by the security industry as the gold standard of excellence in cybersecurity and we’re in great company with the likes of Imperva, Akamai, WhiteHat Security, and Contrast Security.

This recognition is a reflection of how we are transforming the approach to securing web applications as the industry undergoes a rapid shift to cloud-based solutions. First generation WAF solutions rely on rule, signature, and anomaly detection and are missing the most critical, high-impact attacks because they lack contextual information on the attacker. As a result, security teams are armed with limited intelligence from their current tools to address an increasing volume of sophisticated attacks. ThreatX, however, provides a behavior-based application security approach that, unlike other WAFs, provides complete visibility, reduces false positives, and prevents legitimate traffic from being blocked.

"Being named a finalist by SC Media is tremendous validation for ThreatX and further cements that we are successfully changing the face of WAF security," said Bret Settle, CEO of ThreatX. "Our behavior-based, next-gen WAF is helping our customers to make a seismic shift in how they deploy and manage their web application security."

Our SaaS-based WAF helps organizations minimize the risk associated with web, cloud, and legacy apps, APIs, and microservices within hybrid cloud environments. Using progressive profiling to monitor attacker behavior in real time, ThreatX moves beyond static signatures and arms teams with complete visibility into threats, attack vectors, and application vulnerabilities. These insights enable teams to reduce false positives and prevent legitimate traffic from being blocked. At ThreatX, we take an innovative approach to web application security, which not only offers a unique set of features and capabilities that are unavailable from other WAF providers but also comes with a variety of benefits:

Attacker-focused, behavior-based threat and application profiling and risk-based mitigation minimizes false positives and catches the known AND unknown attack vectors.

Continuous, real-time corroboration, correlation, and analysis of all suspicious events result in the rapid recognition of new attack techniques and targeted vulnerabilities without reliance on rules and manual analysis.

Machine learning-based threat and application profiling enables rapid auto-tuning, deploys in hours with immediate attack protection, and achieves safe blocking mode in 1-2 days.

Continuously maintained, highly-scalable, cloud-native, SaaS platform which requires no upgrades, server re-starts, or source code installs.

Put simply, ThreatX automates the analysis of thousands of security events and gives our customers greater confidence in their web application security. It is this unique approach that is helping us reshape the WAF market and, of course, achieve this recognition from SC Media.

We are looking forward to connecting with everyone at the awards dinner in San Francisco in March!



Enhance Security on Horizon Cloud on Microsoft Azure with NSX Cloud


Dec 14, 2018



Author: Nina Seth

Nina Seth is a senior product marketing manager for VMware EUC. Nina holds a Master of Business Administration from San Jose State University and a Bachelor of Arts in Political Science from the University of California at Davis.


Written in collaboration with Devyani Pisolkar, NSX Product Marketing

It’s been a banner year for VMware Horizon Cloud on Microsoft Azure. This service offering allows customers to easily pair their own Microsoft Azure capacity with the intuitive Horizon Cloud control plane to deliver virtual desktops and apps to end users in a matter of hours. We are seeing a lot of momentum from customers as they adopt Horizon Cloud to deliver virtual desktops and applications from their own Microsoft Azure infrastructure to any device, anywhere.

This year alone we added a number of key capabilities to Horizon Cloud on Microsoft Azure:

Windows 10 VDI
Support for Microsoft Azure Government
Support for VMware Identity Manager Cloud
New VM types for VDI and RDS
Power management
Disk encryption
Support for RADIUS 2FA

The VMware Horizon Cloud team continues to build more capabilities to make it even easier to deploy, manage, and utilize virtual desktops in the cloud. This month, we are back with a new release of VMware Horizon Cloud on Microsoft Azure with exciting new features. This release brings cloud monitoring support in Australia to meet data sovereignty requirements in the region, Windows Server 2019 support for RDS, as well as support for VMware NSX Cloud. We are particularly excited about the integration with NSX Cloud and the added security it brings to our customers, so let’s dive a little deeper into this topic.

Support for NSX Cloud

In this release, we worked closely with the VMware NSX team to deliver an integrated solution that enables organizations to further secure their virtual desktops. As we know, more and more cyber-attacks start with phishing attacks on end users, using end user devices as the entry point of the attack. End-user security starts with securing virtual desktop environments. NSX Cloud helps secure virtual desktops and applications deployed by Horizon Cloud and provides a more robust security posture to the customer environment in Microsoft Azure.

What is NSX Cloud?

VMware NSX Cloud delivers networking and security for applications running natively in public cloud environments such as Microsoft Azure and Amazon AWS. NSX Cloud is an extension of VMware’s NSX Data Center technology that brings the NSX networking and security framework to cloud-native applications.

VMware NSX Cloud for Horizon Cloud on Azure brings enhanced security to virtual desktop environments, with policies that dynamically follow end users across infrastructure, devices, and locations.

Key Benefits of NSX Cloud for Horizon Cloud on Microsoft Azure Environments

Secure Virtual Desktops Using Micro-segmentation

NSX Cloud protects virtual desktops and apps hosted in Microsoft Azure data centers by securing traffic between each VDI system (east-west traffic) and providing isolation for desktop pools. The NSX Cloud micro-segmentation policy can control traffic between desktops within Azure VNETs as well as traffic destined to on-premises applications in a hybrid deployment.

Automated Policy That Dynamically Follows End Users and Desktops

Administrators can set policies centrally that dynamically adapt to the end user’s computing environment, with network security services that map to the user based on role, logical grouping, desktop operating system, and more―independent of the underlying network infrastructure. Policies follow the virtual desktops wherever they are moved across the cloud-hosted environment.

We are extremely excited to have support for NSX Cloud for Horizon Cloud on Microsoft Azure and look forward to enabling customers with this powerful security solution in their cloud environments.

Resources

VMware Horizon Cloud product page
VMware Horizon Cloud blogs
VMware Horizon Cloud in Azure Marketplace
VMware NSX Cloud in Azure Marketplace
VMware NSX Cloud product page
VMware NSX Cloud blog page

This Week in Security News: Security Predictions and Malware Attacks


Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn about the span of categories in Trend Micro’s 2019 Security Predictions. Also, learn about a new exploit kit that targets home or small office routers and attacks the victim’s mobile device or desktop through web applications.

Read on:

2019 Security Predictions Report Released

Good security predictions are very difficult to develop, and companies and consumers need to be selective about the security advice they take.

U.S. Investigators Point to China in Marriott Hack Affecting 500 Million Guests

U.S. government investigators increasingly believe that Chinese state hackers were responsible for the Marriott breach that exposed the private information and travel details of as many as 500 million people.

What Happens When Victims Pay Ransomware Attackers?

Although ransomware infections have been around for years now, they continue to spur success and high monetary profits for attackers.

House Releases Cybersecurity Strategy Report

The House Energy and Commerce Committee released the comprehensive Cybersecurity Strategy Report, in which it identified procedures to both address and prevent cybersecurity incidents.

The 9 Best Ways to Protect Your New Tech Gifts

The time for all things merry and bright is here and there is nothing brighter than a shiny new smartphone or laptop! Exciting as it is to play with all their new features as soon as they come out of the box, new devices also bring new risks.

New Exploit Kit “Novidade” Found Targeting Home and SOHO Routers

Trend Micro identified a new exploit kit that targets home or small office routers and enables attacks on a victim’s mobile device or desktop through the web applications with which they’re authenticated.

Cybersecurity, Trade Tensions Rank as Top Threats to Markets in 2019, Survey Finds

The biggest risk to markets going into the new year is the threat of a cybersecurity attack, according to a new survey of risk managers and non-risk professionals by the Depository Trust and Clearing Corp.

Cryptocurrency Miner Spreads via Old Vulnerabilities on Elasticsearch

To prevent attacks that exploit known vulnerabilities in Elasticsearch, it is necessary to patch systems regularly and have security monitoring in place with custom rules.

Security Threats and Risks in Smart Factories

A single cyberattack can negate the benefits derived from a smart factory. That’s why security must not be left behind as organizations move forward with their “smart” agendas.

Will Sophisticated Attacks Dominate in 2019?

Trend Micro released its 2019 predictions report, warning that attackers will increase the effectiveness of proven attack methods by adding more sophisticated elements to take advantage of the changing technology landscape.

New Version of Disk-Wiping Shamoon/Disttrack Spotted: What You Need to Know

Trend Micro came across external reports that the notorious, disk-wiping worm Shamoon, also known as Disttrack, has reemerged with an updated version.

What are some of your 2019 Security Predictions? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: @JonLClay.

Signal says it can't allow government access to users' chats


"By design, Signal does not have a record of your contacts, social graph, conversation list, location, user avatar, user profile name, group memberships, group titles or group avatars," Signal's Joshua Lund wrote in a blog post . "The end-to-end encrypted contents of every message and voice/video call are protected by keys that are entirely inaccessible to us." Lund added that Signal is open source, meaning anyone can "verify or examine the code for each release." "People often use Signal to share secrets with their friends, but we can't hide secrets in our software," he wrote. "We can't include a backdoor in Signal."

Before the law was passed, Apple sent a letter to the Australian government, outlining its concerns about the bill. The company described portions of the bill as being "overly broad" while also noting a lack of judicial oversight and the global impact such a law stands to have. "There is profound risk of making criminals' jobs easier, not harder," Apple said. "Increasingly stronger -- not weaker -- encryption is the best way to protect against these threats." Similarly, the Reform Government Surveillance coalition, a group that includes Apple, Facebook, Google and Twitter, among others, released a statement saying Australia's law is "deeply flawed, overly broad and lacking in adequate independent oversight over the new authorities."

Tech companies and government agencies have continued to butt heads over access to communications, both in Australia and abroad. In the US, federal agencies have repeatedly called for backdoor access and tech firms have fought back against those demands in courtrooms.

Signal acknowledged that Australia could try to block its service throughout the country, but it added that in the past, that hasn't worked so well for other countries. With VPNs and other strategies available to get around those sorts of maneuvers, such restrictions wouldn't necessarily have the impact the government would be striving for.

Signal isn't new to these kinds of challenges as it has faced pushback fromother countries as well.

"Attempting to roll back the clock on security improvements which have massively benefited Australia and the entire global community is a disappointing development," wrote Lund, who reiterated Signal's commitment to opposing mass surveillance around the world.

After more than 20 days of site closure for filing, the website filing (备案) is finally complete.


After more than 20 days of closing the site for filing, the website filing is finally complete and the blog at last has a legal identity. Here is a brief account of the filing process.

Filing has two parts:

Domain name filing (域名备案)
Public security filing (公安备案)

Domain name filing

In principle, every website deployed on servers inside China must complete domain name filing (sites hosted on overseas servers do not), and you file with your hosting provider. For example, my blog runs on a Tencent Cloud host, so I submitted the filing application to Tencent Cloud.

Filing consists of four main steps:

Select the filing type
Fill in the filing information
Have the backdrop (幕布) photo taken
Submit for review by the provincial communications administration (管局)

The first three steps are quick, each taking only 1-2 working days. The fourth step, review by the administration, usually takes up to 20 working days; this time it took only 9 working days from submission to approval, faster than expected, and the whole domain filing took about 15 working days.

For details on filing, see 域名备案参考 (the domain filing reference).

Once domain filing is approved, it can be verified in the 域名信息备案系统 (domain name filing information system), as shown below:


[screenshot]
Public security filing

After domain filing is completed, you are prompted to complete public security filing within 30 days by logging in to the National Public Security Internet Site Security Management Service Platform. Even for a personal blog, I recommend doing it. Public security filing is done on the 互联网安全管理服务平台 (Internet Security Management Service Platform).

For the public security filing manual, see 公安备案教程1 and 公安备案教程2 (public security filing tutorials 1 and 2).

Once public security filing is approved, it can be queried on the 互联网安全管理服务平台, as shown below:


[screenshot]

Public security filing is fairly quick: I submitted in the morning and received the approval notice that afternoon, although review times vary by region.

Adding the filing information to the blog

After filing is complete, it is recommended to place the filing numbers at the bottom of the blog. Specifically:

Edit the file /d/hexo/themes/next/layout/_third-party/analytics/busuanzi-counter.swig and add the following snippet at the bottom (the original had a stray closing </p> tag inside the <a> element, which is removed here):

    <div>
      <a target="_blank" href="http://www.beian.gov.cn/portal/registerSystemInfo?recordcode=33010402003707" style="display:inline-block;text-decoration:none;height:20px;line-height:20px;"><img src="/images/gongan.png" style="float:left;"/>浙公网安备 33010402003707号</a>
      <span class="post-meta-divider">|</span>
      <span><a href="http://www.miitbeian.gov.cn">浙ICP备18045927号</a></span>
    </div>

The result looks like this:


[screenshot]

The Worst Passwords of 2018, Revealed


We now know the worst passwords of 2018. These are the passwords you should never use, and that you shouldn’t let any friends or family members use either. Because not only are they very common, they’re so weak that even a six-year-old could crack them.

The Top 10 Worst Passwords of 2018

1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou

A lot of these terrible passwords will be familiar from previous lists. Obvious words such as “password” and “qwerty”, plus easy-to-remember number sequences such as “123456” and “111111”, make it into the top 10 worst passwords year after year.

This means there are people out there who have failed to change their passwords despite being shamed for their choices every year. But then someone using the same number six times in a row probably isn’t the brightest of individuals. Eh, Kanye.

Donald Trump Inspires a Bad Password

The more interesting passwords appear further down the list. At #67 we have “maverick” (as in Top Gun), at #60 we have “starwars” (as in Star Wars), at #45 we have “solo” (as in Han), at #39 we have “harley” (as in Harley Quinn), and at #23 we have “donald”.

We have to assume “donald” is a reference to Donald Trump, the 45th President of the United States of America. But then it could also refer to Donald Duck, Donald Glover, or Donald Sutherland. None of which are quite as newsworthy as Trump right now.

Learn More About Password Managers

This list of bad passwords comes courtesy of SplashData, the company behind the SplashID password manager. The passwords are the ones most commonly found in recent data breaches, which is testament to both their popularity and their uselessness.

Whether or not you use a password manager, it’s worth learning more about them. We have previously compared the biggest password managers (Is Your Password Manager Secure? 5 Services Compared), explained how password managers keep you safe (How Password Managers Keep Your Passwords Safe), and discussed some password manager security mistakes (Are You Making These 6 Password Manager Security Mistakes?).

Image Credit: Maxx-Studio via Shutterstock.com



Bitcoin Orphan Transactions and CVE-2012-3789


Cryptocurrency clients ingest and process unauthenticated content, perform cryptographic validations and store large amounts of data. Around 2012, a couple of interesting DoS attack vectors in Bitcoin involving orphan transaction handling were reported by Sergio Demian Lerner. Given that Satoshi-like blockchain clients have been repeatedly reimplemented from scratch since then, it is likely that this type of issue recurs in other coin implementations. For this reason, in this blog post we discuss CVE-2012-3789 once again, adding some illustrations and further commentary on the issues it raises. The bottom line is: when developing a cryptocurrency blockchain client from scratch, surveying previously known blockchain software vulnerabilities (notably in Bitcoin, given the amount of auditing it has received) is necessary.

Orphan transactions

When a cryptocurrency client processes a new transaction, it must gracefully handle the case in which one (or more) of the new transaction’s parent transactions are unknown. Peer-to-peer networks do not preserve the order in which transactions are broadcast to nodes. For instance, a peer may broadcast a series of chained transactions in a short period of time, some of which may be delivered before the others. The order in which transactions are received is by no means going to be the same as the order in which they were sent. As such, nodes need to keep track of transactions with unknown parent transactions.

Enter orphan transactions. A cryptocurrency client may deal with this by:

Keeping a list of orphan transactions
Whenever a new (non-orphan) transaction is processed (either as a standalone transaction, or as part of a block), going through the list of known orphan transactions and deciding which ones should be “unorphaned”, i.e., reconsidered as transactions all of whose parent transactions are now known
Doing the previous step recursively, since “unorphaning” a transaction is similar to receiving an entirely new transaction
For each transaction that is “unorphaned”, removing all entries describing that orphan transaction

The first requirement in the list mandates a data structure which keeps a list of orphan transactions: such a list may be indexed by transaction hash. The remaining requirements dictate a data structure that facilitates transaction unorphaning. Given a newly received transaction, is this transaction a parent of a known orphan transaction? If yes, are there other unknown parent transactions for this orphan? A data structure that maps parent transaction hashes to orphan transactions would be helpful here, as, given a new transaction’s hash, it would be easy to see if any orphans are attached to it. In other words, a map that keeps parent tx -> orphan transaction relations for all saved orphan transactions is needed.

This is what the Bitcoin client’s mapOrphanTransactions and mapOrphanTransactionsByPrev maps do; see the source code for Bitcoin 0.6.0 relevant to the attacks discussed in this post. In particular:

    map<uint256, CDataStream*> mapOrphanTransactions;
    multimap<uint256, CDataStream*> mapOrphanTransactionsByPrev;
    [...]
    void AddOrphanTx(const CDataStream& vMsg)
    {
        CTransaction tx;
        CDataStream(vMsg) >> tx;
        uint256 hash = tx.GetHash();
        if (mapOrphanTransactions.count(hash))
            return;

        CDataStream* pvMsg = mapOrphanTransactions[hash] = new CDataStream(vMsg);
        BOOST_FOREACH(const CTxIn& txin, tx.vin)
            mapOrphanTransactionsByPrev.insert(make_pair(txin.prevout.hash, pvMsg));
    }
[Figure: Bitcoin Orphan Transactions and CVE-2012-3789]

Given the mapOrphanTransactionsByPrev map, when a new transaction arrives and is accepted into the mempool, it is easy to look up which orphan transactions depend on it. Suppose that orphan-tx-hash_3 (colored red in the picture) is currently stored as an orphan. Now assume its parent transaction parent-tx-hash_2 arrives and is deemed valid. Since orphan-tx-hash_3 depends only on parent-tx-hash_2, it can be unorphaned and erased from the orphan memory store. Now orphan-tx-hash_3 is regarded as a new transaction that may unorphan other orphan transactions. The recursive unorphaning algorithm, implemented in the form of a loop, is here.

With such an orphan handling mechanism in place, let’s discuss the issues that can arise with it.

DoS via excessive parent -> orphan child relations (part of CVE-2012-3789)

Consider a peer-to-peer network where a peer sends data to a target peer and the target peer stores this data in some form. If there is little or no cost on the side of the sending peer and there is no limit on the stored data size on the side of the receiving node, memory/storage exhaustion Denial of Service concerns arise: the receiving peer can simply be made to store more data than it can handle. The exploitability of such a DoS attack vector is determined by factors such as whether the receiving peer stores all the data sent to it (or, say, just a hash of the data), the network throughput between peers, etc.

Limiting the data amount a peer will receive could be achieved by simply refusing to receive new data entries, or by introducing an ejection policy. For instance, entries could be ejected based on age and other factors, or purely randomly. While these approaches do mitigate the previously mentioned memory exhaustion Denial of Service, it is interesting to note that legitimate entries may be blocked from entering the memory store or, legitimate entries may be ejected from the memory store. This by itself could be considered a problem.

Enough digression and back to the orphan transactions issue we’re discussing here, the limitless orphan memory store allowed a straightforward memory exhaustion DoS attack in early Bitcoin. As a result, the number/size threshold on the orphan store was added by introducing an orphan ejection policy: an old orphan is randomly chosen and ejected once the size threshold is surpassed.

The function that ejects/deletes orphans is here:

    void static EraseOrphanTx(uint256 hash)
    {
        if (!mapOrphanTransactions.count(hash))
            return;
        const CDataStream* pvMsg = mapOrphanTransactions[hash];
        CTransaction tx;
        CDataStream(*pvMsg) >> tx;
        BOOST_FOREACH(const CTxIn& txin, tx.vin)
        {
            for (multimap<uint256, CDataStream*>::iterator mi = mapOrphanTransactionsByPrev.lower_bound(txin.prevout.hash);
                 mi != mapOrphanTransactionsByPrev.upper_bound(txin.prevout.hash);)
            {
                if ((*mi).second == pvMsg)
                    mapOrphanTransactionsByPrev.erase(mi++);
                else
                    mi++;
            }
        }
        delete pvMsg;
        mapOrphanTransactions.erase(hash);
    }

Before deletion, the corresponding transaction is pulled from mapOrphanTransactions. The for loop looks up the entries in mapOrphanTransactionsByPrev and decides which pairs to delete. A trivial implementation would go over all of the map entries. A natural optimization present in the early Bitcoin client is to go only through those mapOrphanTransactionsByPrev entries that are indexed by the actual inputs of the transaction being deleted (see the for loop bounds in the code snippet). Out of this constrained set of pairs, only the pairs whose child is the expected transaction are matched (see the if condition), because a parent transaction can be the parent of multiple different transactions, not only the one we want to delete. Going back to the illustration above, when deleting orphan-tx-hash_m-1, EraseOrphanTx iterates over three pairs but only deletes two of them: (parent-tx-hash_1, orphan-tx-hash_1) is not deleted since orphan-tx-hash_1 does not match the transaction being deleted.

The question that CVE-2012-3789 answers positively is whether it’s possible to force a sufficiently high number of iterations of the for loop above to cause CPU exhaustion. The maximum number of orphans is 10000 (see MAX_ORPHAN_TRANSACTIONS). An orphan’s parent transaction is identified by a transaction hash and the parent transaction’s output index. A transaction can’t repeat parent transaction entries; however, an orphan transaction can reference the same parent hash with different output indexes. Consider what happens if the victim client ends up with the mapOrphanTransactionsByPrev store in the state described by the left side of the picture:


[Figure: Bitcoin Orphan Transactions and CVE-2012-3789]

The right column in the left side of the picture is basically one (non-existent) transaction repeated with different output indexes. All of the 10000 orphans point to the same (unknown) transaction. Suppose the client now needs to delete orphan-tx_2-hash . The EraseOrphanTx function now iterates through all of the edges on the picture, since the parent transaction hash maps to the set of orphan transactions 100*10000 times. Repeated deletion itself can be triggered by sending orphans on top of 10000 orphans, since surpassing the threshold triggers an ejection. As such an attacker can achieve CPU exhaustion on the target node.

A similar DoS setting that one may consider is shown on the right side of the picture. In this case, each of the 10000 orphans depends on the same 100 inputs of the same transaction. A single transaction cannot have duplicate inputs; however, if a client does not reject orphans referencing the same inputs, then the number of edges the deletion loop needs to go over is similar to that on the left side of the picture.
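To make the loop count concrete, here is an added Python model of the two orphan maps (example code, not Bitcoin Core and not the author's). It reproduces the 0.6.0 bookkeeping (one mapOrphanTransactionsByPrev entry per input) at a reduced scale of 200 orphans times 20 inputs instead of 10000 times 100, counts how many multimap entries a single EraseOrphanTx-style deletion inspects, and compares that with an assumed mitigation that records one entry per distinct parent hash. The Tx class, the random-ejection loop and the mitigation are assumptions of this example, not Bitcoin's actual patch.

```python
"""Toy model of the Bitcoin 0.6.0 orphan maps and the cost of EraseOrphanTx.

Added example, not Bitcoin Core code. Models mapOrphanTransactions
(tx hash -> tx) and mapOrphanTransactionsByPrev (parent hash -> orphan hash)
and counts how many multimap entries one deletion walks.
"""
from collections import defaultdict
import hashlib
import random

MAX_ORPHAN_TRANSACTIONS = 10000  # constant named on the page (Bitcoin 0.6.0)


class Tx:
    """Minimal stand-in for CTransaction: a name to derive a hash from, plus inputs."""

    def __init__(self, name, inputs):
        self.name = name
        self.inputs = inputs  # list of (prev_tx_hash, output_index), like txin.prevout
        self.hash = hashlib.sha256(name.encode()).hexdigest()


class OrphanPool:
    """distinct_parents=False reproduces AddOrphanTx (one ByPrev entry per input).
    distinct_parents=True is the assumed mitigation: one entry per distinct parent
    hash, and the erase loop visits each parent hash once."""

    def __init__(self, distinct_parents=False, max_orphans=MAX_ORPHAN_TRANSACTIONS):
        self.orphans = {}                 # mapOrphanTransactions
        self.by_prev = defaultdict(list)  # mapOrphanTransactionsByPrev
        self.distinct_parents = distinct_parents
        self.max_orphans = max_orphans

    def _parents(self, tx):
        parents = [prev for prev, _ in tx.inputs]
        return list(dict.fromkeys(parents)) if self.distinct_parents else parents

    def add(self, tx):
        """AddOrphanTx plus the random-ejection policy the page describes.
        Returns the number of ByPrev entries inspected by ejections it triggered."""
        if tx.hash in self.orphans:
            return 0
        self.orphans[tx.hash] = tx
        for prev in self._parents(tx):
            self.by_prev[prev].append(tx.hash)
        visited = 0
        while len(self.orphans) > self.max_orphans:
            visited += self.erase(random.choice(list(self.orphans)))
        return visited

    def erase(self, h):
        """EraseOrphanTx. Returns how many ByPrev entries the inner loop inspected:
        one per entry between lower_bound and upper_bound of each parent hash."""
        tx = self.orphans.pop(h, None)
        if tx is None:
            return 0
        visited = 0
        for prev in self._parents(tx):
            bucket = self.by_prev[prev]
            visited += len(bucket)
            self.by_prev[prev] = [x for x in bucket if x != h]  # erase(mi++) on matches
        return visited


def erase_cost(n_orphans, n_inputs, distinct_parents=False):
    """Build the left-hand picture at small scale: n_orphans orphans that each spend
    n_inputs different outputs of the same unknown parent. Returns the number of
    ByPrev entries inspected when the first orphan is erased."""
    pool = OrphanPool(distinct_parents)
    unknown_parent = "ff" * 32  # constructed hash of a transaction nobody has
    first = None
    for i in range(n_orphans):
        tx = Tx(f"orphan-{i}", [(unknown_parent, k) for k in range(n_inputs)])
        first = first or tx
        pool.add(tx)
    return pool.erase(first.hash)


if __name__ == "__main__":
    # 200 orphans x 20 inputs -> 4000 ByPrev entries, all under one key.
    print("0.6.0 behaviour:", erase_cost(200, 20))         # 79620
    print("distinct parents:", erase_cost(200, 20, True))  # 200
```

The 0.6.0 figure is 4000 entries on the first input plus 3980 on each of the remaining 19 (the first pass already erased that orphan's 20 entries), which scales to the 100 times 10000 walk the text describes; with one entry per distinct parent hash the same deletion inspects only as many entries as there are orphans under that key.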

TL;DR: Handling orphan transactions in coin clients is fertile ground for memory/CPU exhaustion attacks, since getting victim nodes to store orphan transactions comes at no cost. See this related discussion on DoS vectors on orphan blocks. Care should be exercised when storing and processing data maps coming from peers, especially if the sending peers do not pay fees or do not need to provide a PoW for the data to be processed. Finally, limiting a data store’s size to mitigate memory exhaustion DoS can be done by introducing a data entry ejection policy. However, ejecting entries has the (possibly) unintended consequence that legitimate data entries get erased. As shown by CVE-2012-3789, Denial of Service attacks easily sneak into apps.

VMware Cloud on AWS with NSX-T SDDC Connectivity, Security, and Port Mirrorin ...



VMware Cloud on AWS with NSX-T SDDC Connectivity, Security, and Port Mirroring Demo

VMware Cloud on AWS with NSX-T SDDC Networking and Security

Watch the embedded demo below or view on the NSX YouTube channel here to see several cool NSX-T networking and security capabilities within VMware Cloud on AWS. The demo shows connectivity from VMware Cloud on AWS SDDC to on-prem via AWS Direct Connect Private VIF. Access to native AWS services from VMware Cloud on AWS SDDC is also shown. Additionally, Edge security policies, distributed firewall/micro-segmentation, and port mirroring are demonstrated.

For additional info and demonstrations on NSX networking and security in VMware Cloud on AWS see my prior presentations at AWS Re:Invent 2018 and VMworld 2018 at links below.

VMworld 2018: VMware Cloud on AWS with NSX Use Cases, Design, and Implementation

AWS re:Invent 2018 Connectivity for VMware Cloud on AWS Software Defined Data Centers

Naughty or Nice Websites


Santa Claus is coming! Was your website naughty or nice this year?

Here is a quick checklist of the top 10 bad things that can harm your website security and the top 10 good things that can improve your website security.

If your website falls into any of these categories, this is the perfect time of year to start thinking about improving your security posture.

1. My website has outdated software. I do not check if there are any plugins that need to be updated. I don’t know what my content management system’s (CMS) latest version is, and I cannot remember when I last updated everything.
2. My website uses the same password everywhere. I have a weak memory and prefer to use the same password everywhere so I don’t get locked out of my accounts.
3. My website has an unrestricted login page. I have never created an IP whitelist for my website login page. It is freely accessible to all IPs.
4. My website has an open registration form without CAPTCHA. I don’t really like CAPTCHAs and am not concerned with brute force attacks, so I don’t add them to my website.
5. My website doesn’t have 2FA. I believe my website password is so strong that nobody could sneak into my website.
6. My website is sharing hosting space with all of my other websites. I don’t believe a compromised website can be as contagious as the flu virus, so I don’t see why I should have one server per site if I can just stack them all on the same server.
7. I grant everybody admin access. No matter what any of my website contributors do, I like to give them admin access. I don’t want to waste time thinking about the roles they actually need.
8. My website uses default CMS settings. If my WordPress website uses the default settings it is secure, isn’t it?
9. My website has as many plugins as possible, especially free ones. The plugin is free and I need it, so why not install it right away?
10. My website doesn’t have automated backups. I don’t need to back up my website all the time. I don’t even update it that much.

If your website fits into most of these checklist items, congratulations! Your website has been a good boy (or girl) and should get its security badge from Santa.

1. My website is 100% updated. I always update my website’s plugins, extensions, and CMS. I don’t like to leave any security holes open.
2. I use unique and complex passwords. My memory is not as great as a computer’s. I use a password manager that creates and stores long, unique, and complex passwords for me.
3. I am the only admin on my website. I carefully define the roles each of my contributors has. If anybody from my team needs admin permission to do something, I grant it only for the time they need to perform a specific task.
4. All my plugins are handpicked. I keep as few plugins as possible and I always check when they were last updated.
5. My website is constantly monitored. I use an automated remote and server-side scanner. I want to know what is going on.
6. My website has backups of backups. My website is so important to me that I don’t want to run the risk of losing anything. Not only do I have automated backups, but I also use redundancy.
7. My website uses HTTPS. Data encryption is vital and I don’t want my website to be seen as insecure for not having a green padlock on it.
8. My website has 2FA. I like to make sure that if a hacker ever finds out my website password, there is still a way to block them with my 2FA code.
9. My website is not available to the whole world. I use geoblocking to reduce potential malicious traffic to my website.
10. My website is protected by a WAF. I know that a good web application firewall will virtually patch and harden my website. I can go to bed knowing that the risk of my website being hacked is small.

Here are some website security tips for you:

You can read our post on 10 Tips to Improve your Website Security to know more about how to have a good website security posture.

If you want to start next year with a secure website, we can help .

Achieving a Security-Conscious Work Culture


Security-consciousness comes more naturally to some organizations than others. For certain industries, like finance or data management, it is almost ‘built-in’. But all companies are targets for data breaches and ransomware, and employees are a primary entry point for attackers, so how mindful your people are of security risks is increasingly important. The traditional response to this has been one-and-done end-user training. A deeper avenue is to equip your employees with an awareness of the risks and the behaviours that mitigate them, but if they aren’t motivated to comply, this can fall flat. So, how do you create a security-conscious work culture when you are not in an industry where it is already ‘built-in’?

The answer will require collaboration across multiple teams, top-down and bottom-up tactics, and making the solutions you implement both visible, and pervasive. Below are five considerations for building a security-conscious work culture.

1) Policy

How many PINs your payment card has?


First we have to talk about how a payment card PIN (Personal Identification Number) is verified. The PIN can be verified “offline” by the software running on the chip, if you have a chip card, are paying at a chip-capable terminal, and the setup is right. The PIN can also be verified in “online” mode by the financial institution that issued the card, or by an organization that processes card transactions on behalf of that financial institution.

I don’t know which algorithms are used to verify PIN in “offline” mode because implementations may be different and I’m not aware of standards for chip software.

“Online” PIN verification

The PIN pad device encrypts the PIN you entered and it is sent along with a financial message to the issuer for verification. Issuers do not store the clear-text PIN and typically use an HSM (Hardware Security Module) to generate and verify the PIN without ever revealing it in clear text. In fact, issuers can store nothing at all unless they want to renew payment cards with the old PIN. Everything needed to verify the PIN is received in an ISO 8583-based message:

a PIN block (the encrypted PIN)
a “hash” value to compare against, typically from track 2 of the magnetic stripe or the equivalent data from the chip card
the key under which the PIN block was encrypted or re-encrypted during transport
the key the issuer used when the PIN was generated or assigned

There are two algorithms used and supported by most HSMs to generate “hash” value and verify it later:

IBM 3624 offset method
VISA method, also known as PVV (PIN Verification Value)

I have seen a few issuers that use the IBM method but in most cases the VISA method is used not only by VISA but by MasterCard and other card schemes.

PVV

PVV is calculated in following way:

(PAN + PVKI + PIN) PVKey -> PVV

It takes 11 digits of the PAN (Primary Account Number, your card number), a single-digit PVKI (PIN Verification Key Index), usually just the constant “1”, and the 4 digits of the PIN. The resulting 16 digits are treated as the hex representation of 8 bytes and encrypted with the Triple DES PIN Verification Key. Then 4 digits are chosen out of the 8 encrypted bytes using some strange selection algorithm.

But the main takeaway from this is that a 16-digit input is turned into a 4-digit output. I like to call it a hash function built from cryptography. And like all hash functions, this one has collisions.

How many PINs have the same PVV?

So I wrote a script and did some tests using random PAN and PIN Verification Key values. Similar results were replicated using a real HSM, a real card number and a real PIN Verification Key as well. For 10,000 input PIN values (all 4-digit values) only about 6,400 unique PVV values are calculated.

Almost every card has a set of 6 PIN values that all produce the same PVV value. Some cards even have a set of 9 PIN values with the same PVV.

To look at these results in a different way:

only 36% of PIN values have a unique PVV
about 36% of PIN values have one other PIN with the same PVV
about 9% of PIN values have two other PINs with the same PVV
etc.

Conclusion

There’s a 60/40 chance your card has more than one correct PIN. Just like some people win the lottery, some manage to perform a transaction with an “incorrect” PIN and get it approved because of a PVV collision.
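To see the collision the post describes in working code, here is an added Go example (not from the post or its author) that computes the VISA PVV as described above and counts how many distinct PVVs the 10,000 possible PINs of one card produce. The PAN and the 16-byte PIN Verification Key are constructed sample values, and the final digit-selection step follows the VISA decimalisation rule as I know it (decimal digits first, then A-F mapped to 0-5), which is an assumption since the post only calls it “some strange algorithm”.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// decimalise is the VISA digit-selection step (assumed here): take the decimal
// digits 0-9 left to right until 4 are found, then A-F mapped to 0-5 if still short.
func decimalise(h string) string {
	out := ""
	for _, pass := range []string{"0123456789", "ABCDEF"} {
		for _, c := range h {
			if i := strings.IndexRune(pass, c); i >= 0 && len(out) < 4 {
				out += string('0' + rune(i))
			}
		}
	}
	return out
}

// PVV builds the 16-digit block (11 rightmost PAN digits without the check
// digit + PVKI + PIN), 3DES-encrypts it under a double-length PVK and decimalises.
func PVV(pan, pvki, pin string, pvk []byte) (string, error) {
	body := pan[:len(pan)-1] // PAN without its check digit
	blk, err := hex.DecodeString(body[len(body)-11:] + pvki + pin) // 16 digits -> 8 bytes
	if err != nil { return "", err }
	c, err := des.NewTripleDESCipher(append(append([]byte{}, pvk...), pvk[:8]...)) // K1 K2 K1
	if err != nil { return "", err }
	var enc [8]byte
	c.Encrypt(enc[:], blk)
	return decimalise(strings.ToUpper(hex.EncodeToString(enc[:]))), nil
}

// collisionProfile repeats the post's experiment for one card: the number of
// distinct PVVs over all 10000 PINs, and the largest group of PINs sharing one.
func collisionProfile(pan, pvki string, pvk []byte) (unique, largest int) {
	groups := map[string]int{}
	for p := 0; p < 10000; p++ {
		v, _ := PVV(pan, pvki, fmt.Sprintf("%04d", p), pvk)
		if groups[v]++; groups[v] > largest {
			largest = groups[v]
		}
	}
	return len(groups), largest
}
```

With a constructed PAN such as "4000001234567899", PVKI "1" and the constructed key []byte("0123456789ABCDEF"), collisionProfile returns roughly 6,300 distinct PVVs, so several hundred PINs on that card share a PVV with another PIN.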
