
How to detect phishing attacks on mobile devices

1. Overview

In a report published in 2011, IBM noted that mobile users were three times more likely than desktop users to fall for phishing scams. The researchers reached this conclusion by analysing the access logs of the web servers behind earlier phishing campaigns.

Nearly ten years on, reports from many organisations continue to show that phishing aimed at the mobile market is on the rise. Surprisingly, phishers appear to have a new favourite target: iPhone users. Mobile security vendor Wandera found that iOS users encounter twice as many phishing attacks as Android users.

2. Mobile phishing figures

The statistics below cover the points about mobile phishing that currently deserve attention:

1. In its white paper "Mobile Phishing 2018: Myths and Facts Facing Every Modern Enterprise Today", Lookout calculated that the rate at which users tap phishing links has grown by an average of 85% per year since 2011.

2. In its latest "Phishing Activity Trends Report", the Anti-Phishing Working Group (APWG) reported that the payment sector remained the industry most targeted by phishing actors in the first quarter of 2018 (36%).

3. The same APWG report states that 35% of all phishing sites used HTTPS with an SSL/TLS certificate.

4. Now that Google marks non-HTTPS sites as "Not secure", more phishers can be expected to exploit the widespread assumption that an HTTPS site is "trustworthy and legitimate".

5. In its "2018 State of the Phish" report, Wombat Security highlighted SMS phishing as an attack vector. Given the increase in media coverage during 2017, it expects abuse of SMS to keep growing, especially in countries where awareness of mobile phishing is low.

6. PhishLabs reported in its "2018 Phishing Trends & Intelligence Report" that email and online services were the most targeted industry in the second half of 2017 (26.1%), with a heavy concentration of phishing URLs imitating Microsoft Office 365, which points to a rise in phishing aimed at enterprises.

7. The same PhishLabs report notes a sharp increase in phishing that trades on users' trust in software-as-a-service (SaaS) companies (7.1%). Attacks on this target did not exist in 2015 but more than doubled over the following two years.

8. Wandera says that 48% of phishing attacks take place on mobile devices, and that iOS users are 18 times more likely to encounter phishing than to download malware.

3. Types of mobile phishing scams

Phishing is no longer confined to email, and that is especially true on mobile. Phishers pick tactics that suit the inherent design and practical features of mobile devices to get the scam message in front of the user and steal personal and business data.

Many users are familiar with phishing on the desktop, but they are far less familiar with the methods phishers use on phones, with the newer forms of phishing they may meet there, and sometimes even with email phishing itself.

3.1 SMS phishing (SMiShing)

SMiShing is phishing carried out over SMS text messages. Nathan Collier, a senior Android analyst, wrote a security article analysing a phishing message a colleague received on an Android device: it claimed to come from a human-resources firm and offered a job as an Amazon Prime specialist.

iOS users are also continually hit by SMS phishing. We found a message posted publicly on Reddit to warn other iPhone users to stay alert:



A typical SMS phishing message aimed at iOS reads something like this:

Your Apple ID has been disabled until we hear back from you. Re-enable it by confirming your details at {shortened URL}. - Apple

3.2 Voice phishing

Vishing, or voicemail phishing (sometimes also VoIP phishing), is phishing that abuses a device's calling features. The phisher may leave an enticing voicemail, leave a number for the target to call back, or call the target directly. Leaving a baited message is the tactic Ars Technica editor Sean Gallagher described in a July 2018 article on an iOS phishing scam. According to Gallagher, the attackers send an email that leads the user to a fake Apple website; the site pops up a dialog and starts a call to someone calling himself "Lance Roger from AppleCare". AppleCare is Apple's real extended-warranty service.



On the Android side, we found the latest version of Fakebank, a mobile Trojan that intercepts banking SMS messages as well as incoming and outgoing calls. For example, if the user calls the bank's legitimate service hotline, the Trojan redirects the call to a scammer posing as a bank employee. Security researchers found this variant in malicious apps aimed at South Korean users.

Voice phishing can also be one stage of a larger business email compromise attack.

3.3 Other types: messaging, social network and ad phishing

Apps improve the mobile experience; without them, most people would find their phones expensive and not very useful.

These apps let users check personal or work email while away from the desktop, stay in touch with family and friends over messaging platforms while travelling, watch and share media in real time, and kill time while waiting.

Unfortunately, phishers exploit the power of apps too, and the internet is full of phishing incidents carried out through mobile apps.

For example, attackers have used Facebook's Messenger service as a phishing channel by disguising the lure as a "popular video".



Tapping the "video" sends the mobile user to a fake Facebook video login page that coaxes them into entering their Facebook credentials. The same video lure is then sent on to the victim's contacts, widening the attack.

That is a case of messaging phishing. Similar attacks exist against other messaging services, including WhatsApp, Instagram, Viber, Skype, Snapchat and Slack.

Next is social network phishing, which abuses the features of social networking sites to spread phishing campaigns. Below is an example we captured of a phishing email sent through LinkedIn's InMail feature:



Another example of social network phishing: a Twitter account impersonating NatWest bank injected phishing content into a live conversation between a NatWest customer and the official NatWest Twitter account, offering to "resolve the problem" in the bank's name.



Finally, there is ad phishing. On mobile, ads take many forms: inside free apps, on web pages the user visits, as pop-up notifications, or as banner ads. Because apps talk to other services (such as the ad server) in the background, they can expose mobile users to phishing or malware.

Fake apps named after popular brands promise users privileges or perks once downloaded and installed. One example was the discovery on the Google Play store of several fake Instagram apps that harvested user credentials; they had been downloaded 1.5 million times and promised to boost followers, comments and likes.

4. Detecting mobile phishing

Detecting mobile phishing is a real challenge, all the more so for unknown campaigns and unknown techniques. Whatever your skill level or preferred detection method, experience shows that most phishing leaves traces. We already have a comprehensive checklist for spotting phishing in general; for mobile users, we also list the following potential signs of mobile phishing:

1. A message appears out of the blue claiming that you have won a prize, that an account or subscription has suddenly been suspended (with no reason given), or that you must act quickly to fix a problem. These are usually social-engineering tricks, and you should be on guard.

2. Since such notifications can also be genuine and do sometimes need a prompt response, we recommend never tapping the links in them. Instead, go straight to the legitimate domain (from a browser bookmark, or by typing the address), log in there and check the account.

3. If a message comes from an unknown number or sender but claims to be from a service you actually use, be doubly careful. Because it is almost impossible to confirm a notification with the provider from the device itself, it is best to verify it yourself as described above and check the account for suspicious activity. If you still cannot tell, contact the provider's customer support.

4. Forged hyperlinks in a message are obvious to some users and hard for others to spot. It helps to know the official URL of the services you use. If the link does not look like the address you normally visit, or you have any doubt, err on the side of caution and do not tap it.

5. The message uses a shortened URL. URL shorteners are a great way to make the most of character-limited messaging services, but unfortunately they also hide malicious URLs that would otherwise be obvious.

6. The message or caller asks for personal information without explaining why. Most legitimate, reputable businesses do not call or message customers asking for sensitive information. A bank may call directly if it suspects fraud on your account and may verify your identity, but it will never ask for your account password or ID number.

7. The message or caller does not know your name. Most businesses know exactly who their customers are and usually address them by name.

8. The URL has no green padlock icon, meaning the page is not served over HTTPS. A site using HTTPS is not necessarily legitimate, but a site without it deserves extra suspicion.

9. The start of the URL looks right but is followed by a run of unexplained dashes. Phishers use a technique known as URL padding: they create a subdomain that consists of a legitimate site's address followed by hyphens, to hide the real domain and make the fake one look more credible.


[Screenshot: the padded URL as displayed in a mobile browser]

In the example above, the full URL is hxxp://m.facebook.com―――――-validate―-step1.rickytaylk[dot]com/sign_in.html, where rickytaylk[dot]com is the real domain and m.facebook.com―――――-validate―-step1 is a very long subdomain. Given the size of a phone screen, the user may not be able to see the whole URL, but it can be copied and pasted into a notes app and examined there in full.

Homoglyphs (look-alike characters, the basis of IDN homograph attacks) are also used against mobile devices. Fortunately, many browsers have been updated to display confusable domain names in their Punycode form.

A user who opens a Punycode URL in a mobile browser is warned about the risk of the site they are visiting. There is no guarantee, however, that the browser accounts for every homoglyph. According to Wandera's research, many communication and collaboration tools on Android and iOS do not flag Punycode URLs as suspicious.

Liarna La Porta, content marketing manager at Wandera, wrote in an article:

Only Facebook Messenger, Instagram and Skype give users a chance to recognise a Punycode URL, by showing the xn-- prefix in the link preview. Skype does not hyperlink domains that use Unicode, which means users cannot tap the URL in the message directly. Although these apps do not offer the best defence, they at least make it possible to evaluate a suspicious link further.
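To turn the URL-padding check from the rickytaylk[dot]com example and the Punycode check just discussed into something you can run, here is an added Python example (it is not from the original article and not Wandera's code). It refangs a report-style URL, splits the host into its registrable domain and subdomain, and flags URL padding, Punycode labels, URL shorteners and missing HTTPS. The brand list, the shortener list and the small public-suffix table are assumptions chosen for illustration; a real tool would load the Public Suffix List and a maintained brand feed.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for illustration; a real tool would load the Public Suffix List
# and a maintained brand/shortener feed.
BRANDS = ("facebook", "apple", "paypal", "amazon", "google", "microsoft")
SHORTENERS = {"bit.ly", "t.co", "goo.gl", "tinyurl.com", "ow.ly", "is.gd"}
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "com.br", "co.jp", "com.cn"}


def refang(url):
    """Undo the defanging used in reports (hxxp, [dot], [.]) and the long dashes
    that copy-paste tends to substitute for hyphen runs."""
    url = url.replace("hxxps://", "https://").replace("hxxp://", "http://")
    url = url.replace("[dot]", ".").replace("[.]", ".")
    return re.sub("[\u2013\u2014\u2015]", "-", url)


def registrable_domain(host):
    """eTLD+1: the part of the host the user actually has to trust."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url):
    """Return host, registrable domain, subdomain and a list of warning tags."""
    parts = urlsplit(refang(url.strip()))
    host = (parts.hostname or "").rstrip(".")
    try:
        # Unicode labels become their xn-- (Punycode) form, as browsers show them.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        pass
    domain = registrable_domain(host)
    subdomain = host[: -len(domain)].rstrip(".") if host != domain else ""

    findings = []
    if parts.scheme != "https":
        findings.append("no-https")          # sign 8 in the checklist above
    if host in SHORTENERS:
        findings.append("shortener")         # sign 5
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode")          # IDN homograph candidate
    # URL padding (sign 9): a brand name in the subdomain of an unrelated domain,
    # usually padded with hyphens so the real domain scrolls off a phone screen.
    if any(b in subdomain for b in BRANDS) and not any(b in domain for b in BRANDS):
        findings.append("brand-in-subdomain")
    if re.search(r"-{3,}", subdomain):
        findings.append("hyphen-padding")
    return {"host": host, "registrable_domain": domain,
            "subdomain": subdomain, "findings": findings}


if __name__ == "__main__":
    # The article's padded URL (hyphens restored) plus constructed comparison cases.
    for u in ("hxxp://m.facebook.com------validate--step1.rickytaylk[dot]com/sign_in.html",
              "https://m.facebook.com/login",
              "https://xn--pple-43d.com/",
              "https://bit.ly/abc123"):
        r = analyze_url(u)
        print(r["registrable_domain"], r["findings"])
```

The registrable domain is what to show the user, since it is the only part of the host the attacker cannot choose freely; everything to its left is under the phisher's control, which is exactly why padding works on a narrow screen.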

5. Defending against mobile phishing

In April 2017 it emerged that a Lithuanian man, posing as a Taiwanese electronics manufacturer, had successfully phished two well-known companies, Google and Facebook, into paying him more than $100 million.

When a target has weak phishing awareness, the phishing technique itself is no longer the decisive factor. Defending against phishing is a challenge for desktop users; for mobile devices, with their larger potential attack surface, the challenge is doubled, especially when attackers have singled out specific users in order to steal sensitive corporate data from their devices.

Phishing has long since moved beyond email. Commercial anti-phishing software on a mobile device is not, by itself, enough to protect users. Real protection needs people and devices to adapt together: improve the security features of mobile devices and their apps, learn how to recognise phishing, and put measures in place to respond to it.

6. Further reading

Phishing attacks on modern Android

Social network phishing


Why is everyone taking the Security+ certification?


Security+ is highly influential internationally and, like CISSP, ranks among the world's top ten certifications. Security+ holders are currently spread across 147 countries and regions, and the credential is widely recognised worldwide.

The US Department of Defense values Security+ highly and has included it in Directive 8570.01-M. Major Chinese companies are also starting to value Security+ and to develop Security+ talent, so the career prospects for certificate holders are excellent.

Security+ certifies your foundational technical ability in network security, application, data and host security, access control, identity management and cryptography.

With the ransomware incidents of recent years, cyber security can no longer wait. The industry is short of technical talent, and the most recognised information security certifications, CISP and CISSP, lean towards information security management; they cover technical knowledge broadly and touch on exam topics only in passing. CISSP also requires five or more years of information security work experience, and CISP requires a college diploma and four or more years of similar experience. Such requirements undoubtedly stand in the way of technically capable young people seeking certification.

As everyone knows, staff certifications matter a great deal, whether for job hunting, promotions and raises, or listing personnel in bids. Because Security+ focuses on security technology, it has no particular requirement for years of experience.

It can therefore partly ease the constraint that "years of experience" places on these young people's careers.

Enrolment is now open for the 11th Security+ online class from Aqniu Classroom (安全牛课堂). This term is again taught by live stream on Monday, Wednesday and Friday evenings from 19:30 to 22:00, so it does not interfere with daytime work and life.

If you miss a live session for some reason, you can catch up with the recording.



Daily interaction in the Security+ student group

Live-stream training with no geographic restriction: you can take part wherever you are.
Each term has a WeChat group in which the instructor, class manager and exam-scheduling staff support students.
Pay in December and receive an Aqniu Classroom technical membership worth RMB 2,999.
Free online courses on ITIL V3, ITIL practice, ITIL certification and ISO 27001 (worth RMB 5,596).
Enrol and receive a RMB 500 JD.com gift card (limited quantity, first come first served).

If you would like to know more about the Security+ certification, feel free to contact Niumei (牛妹) at any time.



Security Think Tank: Let’s get back to basics in 2019

One thing predicted for 2018 that did not happen

As the clock struck midnight on 1 January 2018, the massive Equifax breach, disclosed just a few weeks prior, was still weighing heavily on the minds of those in the information security profession. Sure, we'd seen breaches of gargantuan scale before, and we all knew that Equifax surely wouldn't be the last, but something felt different this time.

The scale, combined with the fact that a non-trivial percentage of the millions of people caught up in the breach had little to no exposure to Equifax, and the level of detail the company stored about them, placed the credit reporting industry under levels of scrutiny that it had never experienced before.

There was shock, outrage, frustration and an overwhelming sense that corporations that handle our personal information need to truly be held accountable. Perhaps Equifax was the straw that broke the camel's back, and would inspire the change we all deserve? Some even opined that it might be the end for Equifax as an organisation altogether: how could it survive this disaster?

Yet here we are, 12 months later, and Equifax is still standing. There have been a few slaps on the wrist from various public bodies along the way. There have been fines, brought by private lawsuits and hamstrung government departments, but Equifax has survived, and has never looked like being brought down by a breach that was so poorly handled and would have been so easy to prevent. The news cycle changed, and the world moved on to the next major breach. The accountability we all craved was found lacking.

One thing that happened in 2018 that was not predicted

As 2018 rolled on, there were some positive signs that things were changing in this regard. One such example was in the US state of California, where, in direct response to the 2016 Mirai botnet incident, in which thousands of devices making up the internet of things (IoT) were used to disrupt a non-trivial chunk of the internet, the state adopted new legislation. The Information Privacy: Connected Devices bill (otherwise known as Senate Bill 327) contained something that is often found lacking in cyber security legislation: specific actions to be taken to improve the standard of information security. This was something many had hoped would happen, but few predicted they'd see it so quickly: legislation moving in lockstep with current technology. Imagine that.

The bill lists a series of requirements for IoT device manufacturers, most notably the banning of hardcoded default credentials, the entry vector leveraged by Mirai and other IoT malware variants. It’s an extremely basic step, but one that required the passing of specific legislation to address. Although this law was passed in California, it’ll hopefully have a positive impact globally, as device manufacturers design their offerings around the new requirements.

You’d think that something as simple as a default password on a device would be a no-brainer, but clearly, given the need for such specific legislation, it’s not. You might also think the timely application of a patch to address a known software vulnerability on an exposed web server is a no-brainer too, but as Equifax showed us, it’s not. Which brings us to 2019.

One thing that should happen in 2019, but probably will not

Next year, the cyber security industry will continue to pump out new offerings that use advanced technologies in the name of breach prevention. Solutions using machine learning , artificial intelligence (AI), anomaly detection and, dare I say it, blockchain (ugh, now I feel dirty) will all feature at trade shows and on airport billboards around the world. Companies will purchase these solutions, and will partially deploy them before getting bored, limited by cost or other business pressures, instead of doing something that would have a much more profound impact on security, such as getting back to basics.

This includes taking the time to rediscover your assets and data stores, deploying strong authentication, taking the time to look at the built-in settings in the operating systems and software you already have and hardening them, encrypting data, and patching promptly.

These are all things that should be top of mind in 2019, but won't be. Instead, the buzzwords, graphical UIs and overhyped marketing of the industry will serve to distract and confuse. Asset management isn't sexy. Patching is boring. But if we really want to stem the tide of significant incidents and breaches, then this back-to-basics approach is the right way to go. Let's make 2019 the most boring year ever!


Top Azure Security Fails with Karl Ots



Carl Franklin is Executive Vice President of App vNext, a software development firm focused on the latest methodologies and technologies. Carl is a 20+ year veteran of the software industry, co-host and founder of .NET Rocks!, the first and most widely listened to podcast for .NET developers, a Microsoft MVP for Kinect for Windows, a Microsoft Regional Director, and Senior Executive of Pwop Studios, a full-service audio and video production/post-production studio located in Southeastern Connecticut.

He was awarded the MVP for Kinect because of his work on gesture recognition. Namely, KinectTools and GesturePak . KinectTools is an abstraction over the Kinect 2.0 SDK that takes the detail work out of using the Kinect in a Windows application. GesturePak lets you record, edit, and recognize gestures in a Windows application. Both are free open source products.

Carl is also the creator of Music to Code By , a set of 25-minute long instrumental music pieces designed to get you into a state of flow and keep you there. Music to Code By has been praised widely by developers for keeping them focused and helping them solve difficult problems.

Carl has been a leader in the .NET community since 2002, and in the Visual Basic (VB) community before that. In the very early days he wrote for Visual Basic Programmer’s Journal, authoring the Q&A column of that magazine as well as many feature articles for VBPJ and other magazines. He has authored two books for John Wiley & Sons on sockets programming in VB, and in 1994 he helped create the very first web site for VB developers, Carl & Gary's VB Home Page.

Before he started .NET Rocks! in 2002 (three years before the word ‘podcast’ became popular) he developed and taught hands-on training classes for VB.NET and ASP.NET via his training company, Franklins.Net.

Carl has spoken regularly at conferences around the world, such as DevIntersection , NDC , NDC London , OreDev , Microsoft TechEd, Microsoft TechEd Europe, DevTeach , DevReach , and others.

In addition to his work in the development field, Carl works in the music business as a composer, recording engineer, producer, multi-instrumentalist, and vocalist. With his band, the Franklin Brothers , he has produced two albums, Lifeboat to Nowhere and Been a While . Both albums get nothing but five star reviews. Noted guitar virtuoso John Scofield has collaborated with Carl on two songs, Chain Reaction and Groove or Get Out of the Way .


Richard Campbell started playing with microcomputers in 1977 at the age of 10. He's really never done anything else since. In that time he's been involved in every level of the PC industry, from manufacturing, to sales, to development, and into large scale infrastructure implementation. He has been a witness and participant to the Bill Gates vision of "A PC on every desktop."

For years he's served as a consultant to companies in many countries, including Barnes&Noble.com, Dow Chemical, Johnson & Johnson Health Care Services, Reuters, Subaru/Isuzu and the U.S. Air Force, providing advice on architecture, scaling systems and mentoring development teams. His long experience in working with large-scale systems made him a sought-after consultant during the halcyon years of the dot-com boom. He worked closely with venture capital and private equity firms providing architectural guidance and due diligence.

He is a Microsoft Regional Director and is recognized as a Microsoft Most Valuable Professional (MVP) in the area of ASP.NET development.

In 2004 Richard first met Carl Franklin, creator of .NET Rocks (www.dotnetrocks.com), The Internet Audio Talkshow for .NET Developers. Richard was a guest on show 69, but his friendship with Carl quickly evolved into a partnership and by show 100 in early 2005 he came onboard as co-host. In 2007 he started RunAs Radio ( www.runasradio.com ), a podcast for IT Professionals.

He is a co-founder of Strangeloop Networks, which was acquired by Radware in 2013 and spent five years on the board of directors of Telerik which was acquired by Progress Software in 2014.

In 2012 Richard founded the Humanitarian Toolbox ( www.htbox.org ), an organization designed to let developers around the world donate their skills to disaster relief organizations by building open source software. By 2014, Humanitarian Toolbox had become a 501(c)(3) registered US charity, working on a number of different projects for the United Nations, the US Centers for Disease Control and the Red Cross.

Today Richard is a consultant and advisor to a number of successful technology firms as well as the co-owner and content planner of the DevIntersection ( www.devintersection.com ) group of conferences.


How Do You Measure Your Investment in Security?


When evaluating enterprise security tools for their effectiveness, it can be challenging to find the right model for best calculating your “Return on Security Investment” (ROSI).

Just a few years ago, the potential cost attributed to a security breach was likely to be assessed primarily as the financial cost to a business's reputation, with only a relatively small number of cases ever involving significant legal costs or a sustained loss of service. But with GDPR (as well as an increasing number of international laws) bringing new fines to consider, and with the steadily growing number and sophistication of security intrusions over the last few years, assessing both the likelihood and the resulting impact of a breach is increasingly imperative and demands ever more robust assessments of your security expenditure.

Working out how you get the best “bang for your buck”

The most popular model I've seen deployed for security budget scoping in the real world is based on simply assessing cost: asking what's the most I can get for my dollar based on my budget (or, quite simply, where can I get the best "bang for my buck"). This is a useful starting place for establishing budget sizing, but for even this simple methodology to work it is necessary to assess the "bang" aspect, and it is here that things become more challenging.

To put a financial model around security "value", we can set an objective of mitigating as much risk as possible, preferably up to the point where the cost of implementing additional security controls comes as close as possible to the value of the additional savings from avoided security incidents. This is where concepts like Foundational Controls offer a sensible way of making this problem tractable. By identifying measurable controls (especially industry-supported ones like those developed for (Read more...)

$6 trillion: cybercrime is now the fastest-growing criminal economy in the world


Cybercrime is the greatest threat to every company in the world and one of the biggest problems humanity will face over the next 20 years.



Cybersecurity Ventures predicted in 2016 that cybercrime would cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and is more profitable than the global trade in all major illegal drugs combined.

That forecast has held up: over the past two years it has been corroborated by hundreds of major media outlets, universities, senior government officials, associations, industry experts, large technology and cyber security companies, and practitioners fighting cybercrime worldwide.

Frank W. Abagnale, an FBI consultant for more than 40 years and one of the world's most respected authorities on forgery, embezzlement and secure documents, was the real-life inspiration for the con man played by Leonardo DiCaprio in Steven Spielberg's 2002 film Catch Me If You Can. He agrees with the $6 trillion cybercrime cost forecast.

I'm worried the internet is starting to get very dark. So far it has only been financial crime, stealing money or data that is as good as money, but we already have the ability to shut off someone's pacemaker.

Cybersecurity Ventures' cost forecast is based on historical cybercrime data, including the year-over-year growth in the number of incidents in recent years, the dramatic increase in hacking by hostile nation-state groups and organised crime gangs, and a cyber attack surface that will grow exponentially by 2021.


Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, and reputational harm.

Robert Herjavec, founder and CEO of global managed security services provider (MSSP) Herjavec Group, says the dramatic rise in damage costs will only lead more companies to fall short in responding to cyber attacks.

Cyber attacks are one of the fastest-growing forms of crime in the United States, growing rapidly in scale, sophistication and cost. The Marriott breach disclosed at the end of 2018 was the second-largest data breach of the year, with an estimated 500 million customer accounts exposed. The largest hack in history, at Yahoo, was recalculated from an estimated 1 billion to 3 billion affected accounts. Equifax briefly held the record in 2017, affecting 146 million customers. The WannaCry and NotPetya ransomware attacks of 2017 were landmark events, larger and more sophisticated than anything before them.

Cybercrime in the US has become an epidemic. An FBI supervisory special agent told the Wall Street Journal that every American should assume all of their personal data (personally identifiable information, PII) has been stolen and is for sale on the dark web.

DDoS attacks, ransomware and a steady stream of zero-day exploits are turning the cybercrime cost forecasts into reality. What is more worrying is the media hype around cybercrime: the constant news and breach notifications are making us complacent. The risk is real, and we cannot let ourselves go numb with a sense that breaches are inevitable.

The cyber attack surface

Our whole society is connected to the internet, and internet connectivity is growing faster than our ability to secure it.

The World Wide Web was invented in 1989; the first website went live in 1991; today there are nearly 1.9 billion websites.

There were 2 billion internet users worldwide in 2015; by 2018 the figure had doubled and half the world's population was online (nearly 4 billion users out of 7.7 billion people).

Cybersecurity Ventures predicts 6 billion internet users by 2022 (75% of a projected world population of 8 billion) and more than 7.5 billion by 2030 (90% of a projected 8.5 billion people aged six and over).

Just as street crime has traditionally grown with population, cybercrime follows the same rule: not only are the weapons more sophisticated, there are more people and digital assets to target.

Many factors make protecting companies from cyber attacks harder. New hacking groups and the growth of connected devices are among the most important, and the sheer volume of data that needs protecting adds another layer of difficulty to an already complex picture.

Microsoft predicts that the amount of online data in 2020 will be more than 50 times what it was in 2016.

Cisco confirms that cloud data centre traffic will account for 95% of total data centre traffic by 2021; put another way, cloud computing will displace the traditional data centre model within three to four years.

Cybersecurity Ventures expects the total amount of data stored in the cloud to be more than 100 times what it is today by 2021, including public clouds run by vendors and social media companies (such as AWS, Twitter and Facebook), government-owned clouds accessible to citizens and businesses, and private clouds owned by small and medium-sized enterprises.

Intel predicts that the Internet of Things will set off a "data explosion", with the number of wirelessly connected smart devices soaring from 2 billion in 2006 to 200 billion in 2020.

Gartner forecasts that more than 500 million wearable devices will be sold worldwide in 2021, up from 310 million in 2017. Wearables include smartwatches, head-mounted displays, body-worn cameras, Bluetooth headsets and fitness monitors.

Although biometrics developers promise to eliminate passwords, a 2017 report found that 300 billion passwords will need protecting worldwide by 2020.

111 billion new lines of software code are written every year, harbouring a large number of exploitable vulnerabilities.

Global digital content will grow from 4 billion terabytes (4 ZB) in 2016 to 96 ZB in 2020.

The deep web is the part of the internet that search engines cannot reach; the dark web is a corner of the deep web deliberately hidden so that criminals can conduct illicit activity in secret. Some estimate the deep web to be more than 5,000 times the size of the surface web and growing at a rate that cannot be quantified.

ABI predicts that 20 million connected cars with built-in software security technology will be sold by 2020; Telefónica says 90% of cars will be connected, up from just 2% in 2012.

Millions of people are at risk of having their implantable medical devices (IMDs) hacked, including cardiac defibrillators, pacemakers, neurostimulators, insulin pumps and ear tubes.

Janusz Bryzek, vice president of MEMS and sensing solutions at Fairchild Semiconductor, predicts 45 trillion networked sensors within 20 years. Driving this growth are the IoT, the mobile and wearable markets, digital health, context-aware computing, global environmental monitoring, and IBM's "5 in 5": artificial intelligence (AI), hyperimaging, macroscopes, medical labs on a chip, and silicon photonics.

Cyber security spending

Cybercrime has caused unprecedented damage to private and public companies alike, driving up IT security spending.

Gartner's latest forecast has worldwide spending on information security products and services (a subset of the cyber security market) exceeding $114 billion in 2018, up 12.4% from the previous year. In 2019 the market is expected to grow a further 8.7% to $124 billion.

The Gartner forecast excludes various cyber security categories such as Internet of Things (IoT), industrial control system (ICS) and industrial IoT (IIoT) security, and automotive cyber security.

Cybersecurity Ventures expects cumulative global spending on cyber security products and services to exceed $1 trillion over the five years from 2017 to 2021, which implies an average annual growth rate of 12-15% over that period.


IT analysts' forecasts still cannot keep pace with the dramatic rise in cybercrime: the ransomware epidemic, the refocusing of malware from PCs and laptops onto smartphones and mobile devices, billions of under-protected IoT devices, the rise of hackers for hire, and more frequent advanced attacks on companies, government departments, educational institutions and consumers worldwide.

An Investor's Business Daily article noted:

The trouble with tracking cyber security spending is that, apart from IBM and Cisco, the technology giants do not always disclose cyber security revenue, and consumer security spending on mobile malware and data recovery is never included in the reports at all. Like businesses, consumers spend time and effort on cyber attacks. So it is natural that some industry analysts' spending forecasts differ from Cybersecurity Ventures' trillion-dollar five-year market projection.

The rise of ransomware

The US Department of Justice describes ransomware as a new business model for cybercrime and a global phenomenon.

After infecting a computer, ransomware restricts the user's access to files and often threatens to destroy the data permanently unless a ransom is paid. This cyber threat has become rampant and is the fastest-growing form of cybercrime.

At the end of 2016, a business fell victim to ransomware every 40 seconds. Cybersecurity Ventures predicts that interval will shrink to every 14 seconds by 2019 and every 11 seconds by 2021.

Last year the FBI estimated that the ransoms paid each year by businesses and individuals total $1 billion.


Cyber security experts and law enforcement have long advised businesses not to pay. Although the share of ransomware victims who pay in the hope of recovering their data is falling, total losses from ransomware attacks are soaring.

Global ransomware damage in 2017 was forecast to exceed $5 billion, 15 times the figure for 2015. Global ransomware damage is now expected to reach $11.5 billion in 2019 and $20 billion by 2021.

Stu Sjouwerman, founder and CEO of KnowBe4, which specialises in training staff to detect and respond to ransomware attacks, says:

Ransomware attacks are shifting from broad phishing campaigns to highly targeted, highly destructive infections that can take a whole company offline for days or even weeks. That's life: ransomware is here to stay, and traditional software-based endpoint protection cannot stop this kind of malware.

The human resources crisis

Microsoft's global incident response and recovery team says the volume of cyber attacks and security incidents triaged every day by a security operations centre (SOC) keeps growing, and keeping up by human effort alone is almost impossible.

Security is ultimately a people problem. Cybercrime is carried out by people, and we need qualified people to hunt the perpetrators.

Technology certainly matters, and we have made great strides, but without enough white hats to fight the growing ranks of black hats, we will not bring cybercrime rates down.

John Reed Stark, former chief of the US Securities and Exchange Commission's Office of Internet Enforcement, wrote in a blog post last year that the greatest real threat today is not nation-state attacks, novel stealthy malware or rampant hacker culture; the most dangerous cloud over information security is the severe shortage of cyber security talent.

Industry experts at Palo Alto Networks' research centre say global demand for cyber security staff will grow to about 6 million by 2019.

Cybercrime will push the number of unfilled cyber security positions to 3.5 million by 2021, three times today's shortfall, while the cyber security unemployment rate stays at zero.

Every IT job is now also a cyber security job. Every IT employee and every technology worker is to some degree responsible for protecting apps, data, devices, infrastructure and people.

Traditionally there was a dividing line between the IT organisation and its security team; indeed, apart from the CIO, the only other IT "chief" is the chief information security officer (CISO). But the cyber talent of the future will come from the wider IT workforce. The board's problem is recruiting and retaining fresh security blood.

With cyber attacks intensifying, the talent shortage leaves CIOs, CSOs and CISOs stretched thin and scrambling for people. With limited human resources, security leaders must prioritise and learn to make trade-offs.

Jim Routh, chief security officer of CVS Health, the largest pharmacy provider in the US, says:

My job is basically to decide how to allocate scarce resources to the highest-level risks. You will never have enough resources to do everything, so you have to choose where to invest from a resource-allocation standpoint.

Security awareness training

Although hacker annals are sprinkled with tales of clever programmers finding system flaws to break in, the vast majority of cyber attacks begin with a simple email. More than 90% of successful hacks and data breaches start with phishing. Phishers craft emails that trick recipients into clicking a phishing link, opening a malicious attachment, or forwarding information to someone who should never receive it.

Kathy Hughes, vice president and CISO of Northwell Health, a major US healthcare provider, says the weakest link in the security chain is people. A company can have all kinds of sophisticated technology and layers of protection, but security ultimately comes down to people, those who truly understand the threat and know how to detect and report it.

2018 was a breakthrough year: many companies started to take the problem seriously, training their own staff, investing in more robust continuous security awareness training and phishing simulation programmes, or both.


Northwell may be the model example of how a large enterprise benefits from training employees about cyber threats. Hughes leads the company's security awareness training programme, hired a security awareness manager and dedicated staff, and runs phishing simulations against users who are prone to being fooled, including new hires.

Xerox, which has operations in more than 160 countries, places particular emphasis on a culture of security awareness. Its vice president and CISO, Dr. Jay, who previously served as deputy CIO of the White House, puts it this way: how big is Xerox's security department? 30,000 people, every single Xerox employee.

In the world of cyber attacks, Xerox gets the same treatment as the White House: both are attacked with hacking tools that can be bought for $2.99. As Fortune reported, hacking toolkits offer a cybercrime price list with tools from $1 to $200, many of them usable by novices, for injecting ransomware, stealing PII, breaking into email accounts and other malicious ends.

Global spending on security awareness training is expected to reach $10 billion by 2027, up from $1 billion in 2014. Training employees to recognise and defend against cyber attacks is the most under-invested area of the cyber security industry.

Over the next five years, employee training will prove to be the highest-return cyber security investment.

Looking ahead

Roger Grimes, InfoWorld computer security columnist and for 11 years a principal security architect at Microsoft, says every company will be hacked.

Healthcare providers have been the bullseye for hackers over the past three years. Herjavec observes that 2017 and 2018 saw healthcare providers get serious about cyber security investment: they felt the pain of legacy systems and had to do more to protect their infrastructure and patient data. Ransomware attacks on hospitals are expected to increase fivefold by 2021.

This year we saw growing traction in traditional industries and hope 2019 keeps the momentum, especially in manufacturing, where crypto-locking software has done real damage; companies there will keep refining their security programmes and investments to keep up with evolving exploits. Manufacturing has become what healthcare was in 2018.

40% of manufacturing security staff surveyed by Cisco said they have no formal security policy. The trade publication Process Industry Informer considers manufacturing the most vulnerable industry and the most attractive to cyber criminals right now, because of widespread under-investment in cyber security combined with growing reliance on modern technology.

Construction was another hot target in 2018. As construction companies standardise on IoT devices such as thermostats, water heaters and power systems, a whole new attack surface opens up to hackers.


Consumer products companies are another industry that emerged this year as facing both cyber attacks and cyber security hiring challenges. A Wall Street Journal article notes that millennial and Generation Z workers may find emerging technology firms or investment banks more attractive employers.

The industries most attacked in 2016, healthcare, manufacturing, financial services, government and transport, remain largely the same, with only slight changes in order. Every industry has gone "tech": adtech (advertising), fintech (financial services), edtech (education), govtech (government), legaltech (law firms) and so on, and all of them must expand their cyber defences.

Small businesses hit a cyber security wall this year. Many woke up to the fact that they too are targets and need preventive security measures. Many firms with fewer than 250 employees learned the hard way that if you wait until after a breach to deal with cyber security, it may already be too late. Nearly half of all cyber attacks target small companies, and that share is likely to keep rising next year.

One warning that CEOs of companies of every size should heed: a digital network incident, like any natural disaster or act of sabotage that could interrupt the business, is something to prepare for in advance.

Beyond these industries, IoT devices were the biggest technology driver of crime in 2018, and every sign points to that continuing in 2019 and the foreseeable future. Cisco estimates that the number of IoT devices will be three times the world's population by 2021. IoT devices are built with function in mind and security as an afterthought; their operating systems are tiny, so security ends up being an "add-on" rather than a "built-in" feature.

Finally, in 2019, as the aftermath of the Yahoo, Marriott and other breaches begins to be felt, consumers would do well to pay more attention to security.

With stolen email accounts and PII in mind, and the thought of hackers reading private text messages and watching baby monitors, people have every incentive to move to more secure email providers, turn on two-step verification, and start buying their own cyber security products.

Security by the numbers

Despite rampant cybercrime, technology can make the world a safer place.

The US Department of Transportation foresees autonomous vehicle technology sharply reducing road deaths over the next decade, saving nearly 300,000 lives.

Intel announced the largest security-related acquisition last year, buying Israeli collision-avoidance technology company Mobileye for $15.3 billion, including its 450 engineers and an installed base of nearly 1.5 million vehicles.

When municipal sensors and advanced home security remote monitoring systems merge seamlessly through the IoT, crime statistics could fall by 20%.

Network engineers and entrepreneurs around the world are working on new solutions to counter and reduce cybercrime. Hundreds of leading cyber security companies are innovating cutting-edge products and creating new services to win the fight, and more and more MSSPs are taking on the formidable cyber risk responsibilities facing organisations of every type worldwide.

Cybercrime is the inevitable product of an ever-expanding cyber attack surface; it can and should be anticipated. A clear-eyed understanding of the risks and threats we face helps companies and consumers protect themselves better.

Herjavec Group, 2019 Official Annual Cybercrime Report:

https://www.herjavecgroup.com/the-2019-official-annual-cybercrime-report/

NSFOCUS Internet Security Threat Weekly NSFOCUS-18-50



NSFOCUS has released this week's security bulletin, NSFOCUS-18-50. The NSFOCUS vulnerability database added 149 entries this week, 62 of them high severity. This week's bulletin recommends paying attention to the Microsoft Outlook remote code execution vulnerability, among others. Microsoft Outlook fails to handle objects in memory correctly, resulting in a remote code execution vulnerability: a remote attacker can use a specially crafted file to take actions in the security context of the current user. The vendor has released a patch to fix the issue; download it from the vendor's page.

Contents

Featured vulnerability: Microsoft Outlook remote code execution vulnerability
CVE ID: CVE-2018-8587
NSFOCUS ID: 42171
Affected versions: Microsoft Office 2019; Microsoft Outlook 2016; Microsoft Outlook 2013 SP1; Microsoft Outlook 2013 RT SP1; Microsoft Outlook 2010 SP2
Assessment: Microsoft Outlook is the email client bundled with the Office suite. It fails to handle objects in memory correctly, resulting in a remote code execution vulnerability. A remote attacker can use a specially crafted file to take actions in the security context of the current user. The vendor has released a patch to fix the issue; download it from the vendor's page.

(Source: NSFOCUS Security Research Department & Product Rules Group)

1. Internet security threat landscape

1.1 CVE statistics

The number of CVE advisories in the past week grew steadily compared with the previous period.

1.2 Threat intelligence review

Title: Microsoft's December patches fix 39 security issues
Date: 2018-12-14
Summary: On Tuesday Microsoft released its December security updates, fixing 39 issues ranging from simple spoofing to remote code execution across .NET Framework, Adobe Flash Player, Internet Explorer, Microsoft Dynamics, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows, Microsoft Windows DNS, Visual Studio, Windows Authentication Methods, Windows Azure Pack, Windows Kernel and Windows Kernel-Mode Drivers.
Link: http://toutiao.secjia.com/article/page?topid=111166

Title: Google+ API bug could have exposed data of 52.5 million users
Date: 2018-12-10
Summary: On Monday Google announced that a Google+ API bug had been fixed as part of a 7 November software update. The bug exposed non-public Google+ profile data such as name, age, email address and occupation, as well as profile data shared privately between users that should not have been accessible.
Link: https://www.wired.com/story/google-plus-bug-52-million-users-data-exposed/

Title: Adobe December security updates
Date: 2018-12-12
Summary: On 11 December local time Adobe released its December security updates, fixing multiple vulnerabilities in Acrobat and Reader.
Link: http://blog.nsfocus.net/adobe-12-update/

Title: Kaspersky discloses details of the DarkVishnya bank intranet attacks
Date: 2018-12-11
Summary: In 2017-2018 Kaspersky Lab experts were invited to investigate a series of cyber thefts. At least eight banks in Eastern Europe were targeted by these attacks (collectively DarkVishnya), with losses of tens of millions of dollars.
Link: https://securelist.com/darkvishnya/89169/

Title: 22 backdoored apps found on Google Play
Date: 2018-12-12
Summary: Security researchers found 22 apps containing a backdoor in the official Google Play store, with over 2 million downloads in total; the most popular, the flashlight app Sparkle Flashlight, had more than a million downloads. The backdoor silently downloads files from attacker-controlled servers. The apps were mainly used for ad fraud, and Google has removed them from the store.
Link: https://news.sophos.com/en-us/2018/12/06/android-clickfraud-fake-iphone/

Title: DanaBot banking Trojan adds spam-sending capability
Date: 2018-12-10
Summary: DanaBot's operators have recently been testing email address harvesting and spam sending, abusing existing victims' webmail accounts to spread the malware further.
Link: https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/

Title: Operation Sharpshooter attacks critical infrastructure worldwide
Date: 2018-12-14
Summary: Researchers uncovered a global campaign against the nuclear, energy, finance and other sectors. Operation Sharpshooter uses an in-memory implant to download and retrieve a second-stage implant, which we call Rising Sun. Analysis shows Rising Sun reuses source code from Duuzer, a 2015 Lazarus Group backdoor Trojan, in a new framework to infiltrate these critical industries.
Link: https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/

Title: Mac malware combines EmPyre and XMRig
Date: 2018-12-15
Summary: New Mac malware combines two open-source tools, the EmPyre backdoor and the XMRig cryptominer, for malicious ends. It is distributed through an application called Adobe Zii.
Link: https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/

(Source: collected and compiled by the NSFOCUS Threat Intelligence and Network Security Lab)

2. Vulnerability research

2.1 Vulnerability database statistics

As of 14 December 2018, the NSFOCUS vulnerability database held 42,257 entries. 149 vulnerability records were added this week: 62 high, 85 medium and 2 low severity.


IBM Marketing Platform XML external entity (XXE) injection vulnerability (CVE-2018-1424). Severity: high.
IBM Marketing Platform XML external entity (XXE) injection vulnerability (CVE-2018-1920). Severity: high.
Apache Commons FileUpload DiskFileItem remote code execution vulnerability (CVE-2016-1000031). Severity: high. BID: 93604.
IBM WebSphere Application Server information disclosure vulnerability (CVE-2018-1957). Severity: low.
IBM DataPower Gateways information disclosure vulnerability (CVE-2018-1663). Severity: medium.
McAfee True Key (TK) weak directory permissions vulnerability (CVE-2018-6755). Severity: high.
McAfee True Key (TK) privilege escalation vulnerability (CVE-2018-6757). Severity: high.
McAfee True Key (TK) arbitrary command execution vulnerability (CVE-2018-6756). Severity: high.
Rockwell Automation multiple products remote denial of service vulnerability (CVE-2018-17924). Severity: high. BID: 106132.
GE Global Discovery Server XML external entity (XXE) injection vulnerability (CVE-2018-15362). Severity: high. BID: 106133.
LibRaw "samsung_load_raw()" information disclosure vulnerability (CVE-2018-5807). Severity: medium.
LibRaw "identify()" type confusion vulnerability (CVE-2018-5804). Severity: medium.
LibRaw "nikon_coolscan_load_raw()" vulnerability (CVE-2018-5812). Severity: low.
LibRaw "nikon_coolscan_load_raw()" information disclosure vulnerability (CVE-2018-5811). Severity: medium.
LibRaw "LibRaw::parse_exif()" stack overflow vulnerability (CVE-2018-5809). Severity: medium.
LibRaw "find_green()" stack overflow vulnerability (CVE-2018-5808). Severity: medium.
LibRaw "parse_qt()" integer overflow vulnerability (CVE-2018-5815). Severity: medium.
LibRaw "identify()" integer overflow vulnerability (CVE-2018-5816). Severity: medium.
PHP denial of service vulnerability (CVE-2018-19935). Severity: medium. BID: 106143.
Nagios cmdsubsys.php command injection vulnerability (CVE-2018-15709). Severity: high.
Nagios magpie_debug.php command injection vulnerability (CVE-2018-15708). Severity: high.
Cisco Prime Infrastructure arbitrary file upload vulnerability (CVE-2018-15379). Severity: high. BID: 105506.
ManageEngine OpManager SQL injection vulnerability (CVE-2018-9088). Severity: high.
ThinkPHP 5.x remote command execution vulnerability. Severity: high. CVE: none listed.
Windows Kernel privilege escalation vulnerability (CVE-2018-8611). Severity: high.
.NET Framework denial of service vulnerability (CVE-2018-8517). Severity: high.

The Return of the Charming Kitten


Preface

Phishing is the go-to technique of hackers backed by the Iranian government. We have tracked the latest phishing campaign and named it "The Return of The Charming Kitten".

The campaign targets people involved in imposing economic and military sanctions on Iran, as well as politicians, civil society figures, human rights advocates and journalists around the world.

Our analysis indicates that the attackers target the email accounts and verification codes of users who have enabled two-step verification. Hardware security keys such as the YubiKey are an effective defence against this kind of attack.

Introduction

In early October 2018, Twitter user MD0ugh disclosed a phishing campaign by Iranian hackers against the infrastructure of US financial institutions, which he speculated might be retaliation for new US sanctions on Iran.

That user also mentioned a domain, accounts[-]support[.]services, that is linked to hackers backed by the Iranian government. We believe these hackers are connected to the Islamic Revolutionary Guard Corps (IRGC) reported on previously. A month after those activities, the hackers running accounts-support[.]services widened the campaign and began targeting civil and human rights activists, political figures, and journalists in Iran and the West.

Attack methods

Our investigation shows the attackers use two main approaches:

1. Phishing from unknown email, social media and messaging accounts.
2. Phishing from the already-compromised email, social media and messaging accounts of public figures.

We also found that the attackers gather each target's personal information before the phishing attempt. Using the target's security awareness, contacts, activities, working hours, location and other details, they design a specific attack plan for each person.

Unlike earlier phishing campaigns, in the latest one the attackers do not change the victim's account password, which lets them monitor the victim's email in real time without being noticed.

Fake unauthorised-access alerts

In the phishing samples we analysed, the attackers mainly sent fake alerts by email, for example from notifications.mailservices@gmail[.]com, noreply.customermails@gmail[.]com and customer]email-delivery[.]info, warning targets that an unauthorised person had tried to sign in to their account.
Figure 1: comparison of the real and fake page links

Posing as the mail provider and sending a security alert, the attackers count on the user clicking the "target link" immediately to see the details and block the suspicious access.

Fake Google Drive file sharing

Sending a link with a title, such as a file shared from Google Drive, has been one of the most common hacker tricks of recent years. What sets these attacks apart is the use of pages that appear to be on Google's own site: the attackers build a fake Google Drive download page so that the victim believes it is a genuine Google Drive page with no security concern.


Figure 2: fake Google Drive file-sharing page

For example, the attackers used hxxps://sites.google[.]com/view/sharingdrivesystem to deceive users, who trusted the page as real Google Drive because they saw google.com in the browser's address bar.

By forging a Google Drive sharing page with the same interface, the attackers pretend to share a file that the user is supposed to download and run. The page contains no file at all; the attackers send these links from compromised Twitter, Facebook and Telegram accounts to find new victims, and the page redirects the target to a fake Google login page that prompts for credentials.

Attack flow

Malicious links

Trusted stage: internet users regard Google's main domain (google.com) as safe and reliable. The attackers exploit that trust by building fake pages on sites.google.com, a Google subdomain. Google Sites lets users publish all kinds of content, and the attackers use it to send fake alerts and redirect victims to unsafe sites or pages embedding phishing links.


Figure 4: how the attackers abuse sites.google.com

非受信任阶段:由于Google可以快速识别并删除sites.google.com上的可疑链接和恶意链接,所以黑客会使用自己的网站进行伪造,进行攻击。钓鱼网站的链接几年前的网络钓鱼活动曾使用的链接非常类似。例如,攻击者在域名或网络钓鱼URL中使用诸如“management”, “customize”, “service”, “identification”, “session”, “confirm” 等关键词来欺骗那些想要验证自己网址的用户。

Clickable images in emails

Instead of text, the hackers place an image in the email body to evade Google's security checks and anti-phishing systems. To do so, they also host the image on third-party services such as Firefox Screenshots.

Figure 5: Example of a fake alert image

Hidden tracking images

The attackers also hide a separate image in the email body so that they are notified when the victim opens the email. With this trick, the hackers can act immediately after the target opens the email and clicks the phishing link.

Phishing pages

Besides malicious emails and phishing links, the attackers create entries on a custom platform to store the victims' credentials. We also noticed that they have designed desktop and mobile phishing pages for Google and Yahoo!, possibly for the next series of attacks.

In the recent attacks, the attackers use an interesting technique: as soon as the victim enters a username and password, the attackers verify the credentials immediately, and if they are correct, they ask for the 2-step verification code.

In other words, they verify the victim's username and password on their own servers in real time, so even if 2-step verification is enabled (for example via SMS, an authenticator app or one-tap), they can still trick the target and steal that information.

Figures 6 to 9 show some of the phishing pages the Iranian hackers sent to their targets.


Figure 6: Fake page for capturing Gmail account passwords

Figure 7: Fake page for capturing Gmail 2-step verification codes

Figure 8: Fake page for capturing Yahoo! account passwords

Figure 9: Fake page for capturing Yahoo! 2-step verification codes

Tracking

Our analysis of these phishing attacks shows that the hackers have registered a large number of domains. According to the latest findings, they used more than 20 domains in a relatively short period (September to November 2018).

At the time of writing, the number of domains used in the phishing attacks has grown. Deeper investigation of these servers revealed how the domains were used in the recent attacks.

Figure 10: Relationship analysis of the domains used by the attackers in the phishing campaign

Based on the technical analysis, we believe the attackers in this campaign hide behind virtual private networks (VPNs) and proxies, using Dutch and French IP addresses. Nevertheless, we found enough details to locate the attackers' real IP addresses in Iran (IP: 89.198.179[.]103 and 31.2.213[.]18).

Moreover, the naming of the domains and servers, the techniques used and the targets chosen in these attacks closely resemble those of Charming Kitten, a hacker group with Iranian government backing. We therefore believe this is a new round of attacks launched by the Iranian hackers of the Charming Kitten group, with Israeli and US citizens as their main targets.

Conclusion

Phishing is the most common means Iranian hackers use to steal data, but the most notable aspect of this campaign is its timing. It began a few weeks before 4 November 2018, when the US imposed a new round of sanctions on Iran. The campaign therefore appears to be an attempt to penetrate and steal information from foreign political figures and from the authorities imposing economic and military sanctions on Iran.

In other words, this group of Iranian government-backed hackers selects its targets according to the policies and international interests of the Iranian government.

We therefore offer a series of recommendations to technology companies, government officials, members of the public and Internet users for defending against this threat.

Recommendations for technology companies and government officials:

1. Stop using text-based 2-step verification.
2. Use a security key such as a YubiKey for 2-step verification on sensitive personal operations.
3. Do not use one-click login verification.

For members of the public and Iranians abroad:

1. Stay informed about phishing threats; use a security key such as a YubiKey for 2-step verification and enable Google's Advanced Protection Program.
2. Always use a company email account, not a personal one, for confidential communications. Under the company email policy, restrict incoming email from outside the work network; for example, G Suite lets administrators reject email from unauthorized addresses or domains.
3. Use a mobile app such as Google Authenticator for 2-step verification on your accounts.

Recommendations for Internet users:

1. Do not click unknown links. To check a suspicious alert in your account or change your password, go directly to "My Account" from your email settings rather than clicking any link.
2. Encrypt sensitive emails with PGP so that hackers cannot read them if they are stolen.
3. Do not store sensitive information in plain text in your mailbox.
4. The HTTPS in front of a URL's domain name is only the secure extension of the HTTP protocol; it does not mean the site's content is safe or trustworthy. Many phishing sites also use HTTPS.

IOCs

178.162.132[.]65
190.2.154[.]34
190.2.154[.]35
190.2.154[.]36
190.2.154[.]38
46.166.151[.]211
51.38.87[.]64
51.38.87[.]65
51.68.185[.]96
51.38.107[.]113
95.211.189[.]45
95.211.189[.]46
95.211.189[.]47
213.227.139[.]148
54.37.241[.]221
54.38.144[.]250
54.38.144[.]251
54.38.144[.]252
85.17.127[.]172
85.17.127[.]173
85.17.127[.]174
85.17.127[.]175
89.198.179[.]103
31.2.213[.]18
accounts-support[.]services
broadcast-news[.]info
broadcastnews[.]pro
com-identifier-servicelog[.]info
com-identifier-servicelog[.]name
com-identifier-userservicelog[.]com
confirm-session-identification[.]info
confirm-session-identifier[.]info
confirmation-service[.]info
customer-recovery[.]info
customize-identity[.]info
document-share[.]info
document.support-recoverycustomers[.]services
documentofficupdate[.]info
documents.accounts-support[.]services
documentsfilesharing[.]cloud
email-delivery[.]info
mobile-sessionid.customize-identity[.]info
mobiles-sessionid.customize-identity[.]info
my-scribdinc[.]online
myyahoo.ddns[.]net
notificationapp[.]info
onlinemessenger.com-identifier-servicelog[.]name
podcastmedia[.]online
recoveryusercustomer[.]info
session-management[.]info
support-recoverycustomers[.]services
continue-session-identifier[.]info
mobilecontinue[.]network
session-identifier-webservice.mobilecontinue[.]network
com-messengersaccount[.]name
invitation-to-messenger[.]space
confirm-identification[.]name
mobilecontinue[.]network
mobile.confirm-identification[.]name
services.confirm-identification[.]name
mobile-messengerplus[.]network
confirm.mobile-messengerplus[.]network
com-messengercenters[.]name
securemail.mobile-messengerplus[.]network
documents.mobile-messengerplus[.]network
confirm-identity[.]net
identifier-sessions-mailactivityid[.]site
activatecodeoption.ddns[.]net
broadcastpopuer.ddns[.]net
books.com-identifier-servicelog[.]name
mb.sessions-identifier-memberemailid[.]network
sessions-identifier-memberemailid[.]network
sessions.mobile-messengerplus[.]network
confirm-verification-process[.]systems
accounts.confirm-verification-process[.]systems
broadcastnews.ddns[.]net
account-profile-users[.]info
us2-mail-login-profile[.]site
us2.login-users-account[.]site
login-users-account[.]site
live.account-profile-users[.]info
signin.account-profile-users[.]info
aol.account-profile-users[.]info
users-account[.]site
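The report gives defenders two handles on this campaign: the defanged IOC list above, and the observation that the attackers favor words like "management", "customize", "service", "identification", "session" and "confirm" in their domain names. The following C program is an added example, not code from the report or its authors, showing how a proxy-log scan could apply both. It refangs the "[.]" notation so IOC entries can be compared as written, matches hosts against IOC domains and their subdomains, and falls back to a keyword heuristic (two or more lure words) for hosts not yet on the list. The log lines are constructed for the example, only a handful of IOC domains from the list are embedded, and the two-keyword threshold is an assumption to tune for your own traffic.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* A few domains copied from the report's IOC list, kept in its defanged "[.]" form. */
static const char *ioc_domains[] = {
    "accounts-support[.]services",
    "confirm-session-identification[.]info",
    "customize-identity[.]info",
    "session-management[.]info",
};
#define N_IOC (sizeof ioc_domains / sizeof ioc_domains[0])

/* Keywords the report says the attackers favor in phishing domain names. */
static const char *lure_keywords[] = {
    "management", "customize", "service", "identification", "session", "confirm",
};
#define N_KEYWORDS (sizeof lure_keywords / sizeof lure_keywords[0])

/* Turn "[.]" back into "." and lowercase the host; returns 0 if out is too small. */
int refang_host(const char *in, char *out, size_t out_len)
{
    size_t j = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        char c;
        if (in[i] == '[' && in[i + 1] == '.' && in[i + 2] == ']') {
            c = '.';
            i += 2;                         /* skip the "[.]" triple */
        } else {
            c = (char)tolower((unsigned char)in[i]);
        }
        if (j + 1 >= out_len) return 0;
        out[j++] = c;
    }
    out[j] = '\0';
    return 1;
}

/* 1 if host equals an IOC domain or is a subdomain of one, else 0. */
int host_matches_ioc(const char *host_in)
{
    char host[256], ioc[256];
    if (!refang_host(host_in, host, sizeof host)) return 0;
    size_t hl = strlen(host);
    for (size_t k = 0; k < N_IOC; k++) {
        if (!refang_host(ioc_domains[k], ioc, sizeof ioc)) continue;
        size_t il = strlen(ioc);
        if (hl == il && strcmp(host, ioc) == 0) return 1;
        /* subdomain: host ends with ".<ioc>", so a lookalike like "xaccounts-..." is not matched */
        if (hl > il && host[hl - il - 1] == '.' && strcmp(host + hl - il, ioc) == 0) return 1;
    }
    return 0;
}

/* Number of distinct lure keywords appearing in the host name. */
int lure_keyword_count(const char *host_in)
{
    char host[256];
    int n = 0;
    if (!refang_host(host_in, host, sizeof host)) return 0;
    for (size_t k = 0; k < N_KEYWORDS; k++)
        if (strstr(host, lure_keywords[k]) != NULL) n++;
    return n;
}

/* 2 = known IOC, 1 = heuristic hit (two or more lure keywords, assumed threshold), 0 = clean. */
int classify_host(const char *host)
{
    if (host_matches_ioc(host)) return 2;
    if (lure_keyword_count(host) >= 2) return 1;
    return 0;
}

/* Constructed proxy log lines "<timestamp> <client> <host>"; not taken from the report. */
static const char *sample_log[] = {
    "2018-11-02T09:14:03Z 10.0.0.21 mail.google.com",
    "2018-11-02T09:15:11Z 10.0.0.21 documents.accounts-support.services",
    "2018-11-02T09:16:40Z 10.0.0.34 confirm-session-identification.info",
    "2018-11-02T09:17:02Z 10.0.0.34 sites.google.com",
    "2018-11-02T09:20:55Z 10.0.0.50 login-session-confirm.example",
};
#define N_LOG (sizeof sample_log / sizeof sample_log[0])

/* Scan the sample log; returns how many lines were flagged (IOC or heuristic). */
int scan_sample_log(void)
{
    int flagged = 0;
    for (size_t i = 0; i < N_LOG; i++) {
        const char *sp = strrchr(sample_log[i], ' ');   /* host is the last field */
        const char *host = sp ? sp + 1 : sample_log[i];
        int verdict = classify_host(host);
        if (verdict) flagged++;
        printf("%-45s %s\n", host,
               verdict == 2 ? "IOC match" : verdict == 1 ? "lure keywords" : "clean");
    }
    return flagged;
}

int main(void)
{
    printf("flagged %d of %zu lines\n", scan_sample_log(), (size_t)N_LOG);
    return 0;
}
```

The IOC match is exact or suffix-after-a-dot only, so a registered lookalike that merely contains an IOC string is left to the keyword heuristic; in a real deployment the heuristic verdicts are the ones to review by hand, since legitimate hosts can also contain words like "service" or "session".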

Mobile security needs a rethink for the 5G era


The anticipated impact of future mobile network applications, such as connected and autonomous vehicles (CAVs), virtual reality gaming, the internet of things (IoT) and gigabit download speeds, to name but a few, means the UK needs to rethink its mobile security strategy if it is to capture the benefits of 5G.

This is the key finding of a new report released through the government’s 5G Testbeds and Trials programme, with input from, among others, the University of Surrey’s 5G Innovation Centre and three of the ongoing testbeds: AutoAir, 5G RuralFirst and the Worcestershire 5G Testbed.

“We are expecting the first 5G enabled services to come to market next year and we are already doing significant work across the UK test beds,” said Rahim Tafazolli, University of Surrey Regius professor and founding director of the 5GIC. “The benefits of being prepared for what 5G offers are clear for all to see.

“Performance risk in such a complex network means that we need to reconsider many of our digital security processes. We believe that with the sound recommendations made in this paper, the UK will be in a good position to continue our leadership position in 5G innovation, development and deployment.”

Peter Claydon, project director of AutoAir, said: “Since the age of 2G, mobile networks have been some of the most secure things on the planet, helped by the fact that each one is controlled by a single network operator. 5G opens up mobile networks, allowing network operators to provide ‘slices’ of their networks to customers.

“Also, customers’ data can be offloaded and processed at the edge of the network, without going through the secure network core. This report is a timely reminder of the security challenges that these new features raise.”

The report’s authors believe the UK needs to innovate to create a “new way to predict and pre-validate” 5G network connections, possibly using mobile AI-based autonomous technology, whether those connections come from smartphones, home IoT devices or machines, so that the network can recognise them quickly and efficiently and confirm their security and validity without compromising experience or performance.

The report made three further key recommendations: first, that a cross-layered process be designed to allow end-to-end security for critical 5G services in areas such as transport or health; second, that a dedicated body be established to monitor and encourage security-by-design practice around 5G; and third, that existing UK testbeds be involved in further testing of 5G security standards and capabilities as they emerge.

Robert Driver, head of UK5G, the country’s national 5G innovation body, said: “The paper highlights the challenges and inevitable trade-offs between cost, security and performance in the development and deployment of 5G. In a new environment of multiple use cases, each with different performance requirements, along with the expected introduction of new market players, alignment and cooperation between parties will be essential. Systems need to be ‘secure by design’ and new approaches, including the use of AI, will be required.”

Secure-24 Successfully Completes Fall SOC Evaluation


Adopts AICPA’s New Trust Criteria Ahead of Schedule

SOUTHFIELD, Mich. (BUSINESS WIRE) Secure-24, an NTT Communications Company, and a leading global provider of comprehensive managed cloud services, IT operations, applications hosting, and managed security services, today announced the successful completion of the Service Organization Control (SOC) 2 & 3 evaluation in compliance with the newest American Institute of Certified Public Accountants (AICPA) guidelines.

With fluid regulatory landscapes and increased demand for transparency into controls and processes, the AICPA continually refines the reporting criteria used in SOC reports. In April 2017, the organization updated the Trust Services Principles and Criteria (now the 2017 Trust Services Criteria), impacting the controls required to be included with SOC 2 and 3 reports. Secure-24 has adopted the new Trust Services Criteria earlier than December 15, 2018, as required by the AICPA.

“Information security is our highest priority and Secure-24 prides itself on establishing the highest quality standards for process improvement. We are pleased that our SOC 1, SOC 2 and SOC 3 Reports affirm that Secure-24 has implemented the highest controls to mitigate risk,” said Jaclyn Miller, Vice President of IT and Compliance at Secure-24. “The reports provide clients with third-party verification that our operations meet process and control requirements relevant to user entity financial statements and also meet internationally recognized standards.”

Issued by Ernst & Young LLP, global accredited and independent accountants, SOC 2 and SOC 3 compliance confirms that Secure-24 has controls in place to ensure the security, availability, processing integrity and confidentiality of its managed cloud services. Secure-24 is among the first to issue a SOC 3 Report to clients regarding its compliance to the new AICPA Trust Services Criteria.

The AICPA Trust Services Criteria aligns the SOC 2 and SOC 3 control requirements to the COSO 2013 Internal Control Integrated Framework. A SOC 3 compliance report is designed to meet the needs of existing or potential customers who need assurance about the effectiveness of controls at a service organization that are relevant to the security, availability or processing integrity of the system used by the service organization to process a customer’s information, or the confidentiality or privacy of that information.

Current and prospective clients can view a copy of Secure-24’s SOC 3 Report.

Tweet: .@secure_24 Completes SOC-1, SOC-2 and SOC-3 Examinations https://bit.ly/2Ghv8tg

About Secure-24

Secure-24, an NTT Communications Company, has 17 years of experience delivering mission critical application hosting, comprehensive managed IT, cloud, and security services to enterprises worldwide. Secure-24’s focus on superior service, support, governance and compliance has driven industry-leading client satisfaction rates. The company is an SAP certified Hosting, HANA, and Cloud Partner, a Microsoft Silver Partner and an Oracle Gold Partner managing Oracle E-Business Suite, PeopleSoft, JD Edwards and Hyperion applications across all industries for businesses of every size. Secure-24 has been named one of Computerworld’s 100 Best Places to Work in IT for six consecutive years. Visit www.secure-24.com to learn more about Secure-24 products and services.

About NTT Communications Corporation

NTT Communications solves the world’s technology challenges by helping enterprises overcome complexity and risk in their ICT environments with managed IT infrastructure solutions. These solutions are backed by our worldwide infrastructure, including industry leading, global tier-1 public and private networks reaching over 190 countries/regions, and more than 400,000 m² of the world’s most advanced data center facilities. Our global professional services teams provide consultation and architecture for the resiliency and security required for your business success, and our scale and global capabilities are unsurpassed. Combined with NTT Data, NTT Security, NTT COCOMO and Dimension Data, we are NTT Group.

www.ntt.com | Twitter@NTTcom | Facebook@NTTcom | LinkedIn@NTTcom

Secure-24 and the Secure-24 logo are trademarks of Secure

Details about the security updates in Trezor One firmware 1.7.2


SatoshiLabs

On Tuesday December 18th, we released the firmware update 1.7.2 for Trezor One devices. This is a release which brings support for sending OMNI assets. OMNI is a platform built on top of Bitcoin used by various cryptocurrencies such as Tether. It also fixes a security issue located in the U2F subsystem that we have discovered internally on November 26th.

Please note that several other vendors are also affected by this issue, which influenced aspects of our disclosure process. We would like to thank these vendors for their immediate response and willingness to release their updates so quickly.

The vulnerability consists of an information disclosure in the initial handshake of the U2F protocol which could potentially be leveraged to extract sensitive data. It was found during research by Christian Reitter (independent security researcher working closely with SatoshiLabs) in coordination with Dr. Jochen Hoenicke (security researcher at SatoshiLabs) and was immediately disclosed.

After assessing the impact on the Trezor One, Christian identified a number of external open-source projects which also used the affected data structure and began a coordinated responsible disclosure to inform them confidentially over encrypted and authenticated channels. During this process, we have worked with several projects to help them determine the practical impact on their project. All projects have agreed to the proposed coordinated disclosure.

There is no evidence that the vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

Details about the U2FHID_INIT_RESP information leak vulnerability

Background

The open Universal 2nd Factor (U2F) standard is a strong second-factor security mechanism that helps users keep their important accounts safe. Two-factor authentication systems help in the unfortunate event that account credentials are stolen, for example by malware. In this scenario, despite obtaining the username and password, an attacker is unable to derive the cryptographic key held within the U2F device and is blocked from authenticating to sites that have this protection enabled.

The Trezor One enumerates as a standard U2F HID USB device to fulfill its role as a fully featured U2F hardware token. This functionality was developed on the basis of the C/C++ reference implementation for U2F by Yubico, one of the companies that created this security standard. This reference implementation defines essential data structures and protocol characteristics and is therefore used in part by several other U2F implementations such as the Trezor One; the affected data structure originates there.

At the beginning of each U2F session, host computer and U2F client device perform a basic two-way handshake before any cryptographic request such as a site authentication is issued. This handshake contains the information leak that is described in the following paragraph.

Issue

The C struct `U2FHID_INIT_RESP` represents the U2F message payload of the U2FHID_INIT handshake reply sent by the Trezor. It is intended to store 17 bytes as defined by the FIDO U2F HID specification . However, due to automatic optimizations related to memory layouts and address boundaries, this particular struct is transparently padded to a new size of 20 bytes by default during compilation. The resulting three additional bytes of hidden data are inaccessible through the regular struct fields, but the `sizeof()` value is increased. This configuration is referred to as an unpacked struct and compilers generally do this to speed up accesses. However, only a minority of structs will be padded, making this behavior easier to miss in practice.

In the `u2fhid_init()` function, `U2FHID_INIT_RESP` is used directly to assemble the contents of the reply message, and during this process every regular data field is overwritten with valid data. However, since the struct memory area was not cleared with zeros during initialization and the three hidden padding bytes are never written to, those three bytes still contain the raw data that was present in this memory area when the struct was initialized, which is discarded memory from previous Trezor operations.

    U2FHID_INIT_RESP resp;
    // several write operations to the regular resp data fields
    // [...]
    memcpy(&f.init.data, &resp, sizeof(resp));

At the end of `u2fhid_init()`, the memcpy copies all 20 bytes, including the problematic trailing bytes, into the packet transmit buffer, from where they are transmitted over USB with each U2FHID_INIT packet.

Impact

The information leak consists of three memory bytes. The returned values have been observed to be stable between subsequent U2F handshake packets and device reboots, but can vary depending on previous actions on the Trezor. This behavior suggests that particular memory contents such as the existing stack protection defense mechanism are likely not impacted. Additionally, Trezor functions that handle sensitive data are designed to scrub the memory areas of the relevant variables before discarding them, which reduces the probability that the information leak can directly expose sensitive data. This can be seen as a mitigating factor, but we are taking no risks and have moved forward to release a patched firmware as soon as possible. This is also motivated by the fact that the problematic function can be invoked without any form of authentication and is not protected by the PIN, because of the U2F design.

Please also note that due to memory layout differences, the exact leak behavior will differ between firmware versions and vendors.

How does this affect the Trezor One?

The described vulnerability can be used by an attacker with local access to the U2F interface to read a small area of previously discarded memory of the Trezor One. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data.

How was the issue fixed?

The bug was fixed by correcting the memory layout of the affected struct with __attribute__((packed)), so that sizeof() matches the 17 wire bytes, and by overwriting the struct with zeros upon initialization.
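To make the padding mechanics concrete, here is an added example written for this page; it is not Trezor's firmware code. It declares the 17-byte U2FHID_INIT response layout from the FIDO U2F HID specification (8-byte nonce, 4-byte channel id, four version bytes, one capabilities byte) both unpacked and packed, then builds a reply each way. The vulnerable builder is modelled with offsetof() writes into a byte buffer pre-filled with a marker that stands in for discarded stack memory (a constructed value), so the result is well defined: every declared field is written, the padding is not, and sizeof() bytes go on the wire. The fixed builder uses the packed struct and zeroes it first. The nonce, channel id and version bytes are sample values.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INIT_NONCE_SIZE     8
#define INIT_RESP_WIRE_LEN  17     /* bytes the FIDO U2F HID spec defines for the INIT response */
#define STALE_MARKER        0xA5   /* constructed stand-in for discarded memory left on the stack */

/* U2FHID_INIT response fields as laid out by the FIDO U2F HID specification.
 * Declared without packing, the 4-byte alignment of cid makes the compiler
 * round the struct up to 20 bytes with three trailing padding bytes. */
typedef struct {
    uint8_t  nonce[INIT_NONCE_SIZE];
    uint32_t cid;
    uint8_t  versionInterface;
    uint8_t  versionMajor;
    uint8_t  versionMinor;
    uint8_t  versionBuild;
    uint8_t  capFlags;
} init_resp_unpacked_t;            /* sizeof() == 20 on common 32- and 64-bit targets */

/* Corrected layout: packed, so sizeof() is exactly the 17 wire bytes. */
typedef struct __attribute__((packed)) {
    uint8_t  nonce[INIT_NONCE_SIZE];
    uint32_t cid;
    uint8_t  versionInterface;
    uint8_t  versionMajor;
    uint8_t  versionMinor;
    uint8_t  versionBuild;
    uint8_t  capFlags;
} init_resp_packed_t;

/* Vulnerable pattern: assemble the reply in an area that still holds stale data,
 * write only the declared fields, then copy sizeof(resp) bytes (20, not 17). */
size_t build_init_resp_vulnerable(uint8_t *out, size_t out_len,
                                  const uint8_t nonce[INIT_NONCE_SIZE], uint32_t cid)
{
    uint8_t resp[sizeof(init_resp_unpacked_t)];
    memset(resp, STALE_MARKER, sizeof resp);          /* simulated uninitialised stack */
    memcpy(resp + offsetof(init_resp_unpacked_t, nonce), nonce, INIT_NONCE_SIZE);
    memcpy(resp + offsetof(init_resp_unpacked_t, cid), &cid, sizeof cid);
    resp[offsetof(init_resp_unpacked_t, versionInterface)] = 2;   /* sample version bytes */
    resp[offsetof(init_resp_unpacked_t, versionMajor)]     = 1;
    resp[offsetof(init_resp_unpacked_t, versionMinor)]     = 0;
    resp[offsetof(init_resp_unpacked_t, versionBuild)]     = 0;
    resp[offsetof(init_resp_unpacked_t, capFlags)]         = 0;
    if (out_len < sizeof resp) return 0;
    memcpy(out, resp, sizeof resp);                    /* 3 stale padding bytes go on the wire */
    return sizeof resp;
}

/* Fixed pattern: packed struct, zeroed before any field is set. */
size_t build_init_resp_fixed(uint8_t *out, size_t out_len,
                             const uint8_t nonce[INIT_NONCE_SIZE], uint32_t cid)
{
    init_resp_packed_t resp;
    memset(&resp, 0, sizeof resp);                     /* no byte can carry old data */
    memcpy(resp.nonce, nonce, INIT_NONCE_SIZE);
    resp.cid = cid;
    resp.versionInterface = 2;
    resp.versionMajor = 1;
    resp.versionMinor = 0;
    resp.versionBuild = 0;
    resp.capFlags = 0;
    if (out_len < sizeof resp) return 0;
    memcpy(out, &resp, sizeof resp);                   /* exactly 17 bytes */
    return sizeof resp;
}

/* Count bytes beyond the 17 defined wire bytes that still carry the stale marker. */
size_t count_stale_bytes(const uint8_t *buf, size_t len)
{
    size_t n = 0;
    for (size_t i = INIT_RESP_WIRE_LEN; i < len; i++)
        if (buf[i] == STALE_MARKER) n++;
    return n;
}

/* Run each builder on a sample nonce and channel id and report leaked bytes. */
size_t stale_bytes_vulnerable(void)
{
    const uint8_t nonce[INIT_NONCE_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[32];
    size_t n = build_init_resp_vulnerable(out, sizeof out, nonce, 0xFFFFFFFFu);
    return count_stale_bytes(out, n);
}

size_t stale_bytes_fixed(void)
{
    const uint8_t nonce[INIT_NONCE_SIZE] = {1, 2, 3, 4, 5, 6, 7, 8};
    uint8_t out[32];
    size_t n = build_init_resp_fixed(out, sizeof out, nonce, 0xFFFFFFFFu);
    return count_stale_bytes(out, n);
}

int main(void)
{
    printf("sizeof: unpacked=%zu packed=%zu\n",
           sizeof(init_resp_unpacked_t), sizeof(init_resp_packed_t));
    printf("stale bytes on the wire: vulnerable=%zu fixed=%zu\n",
           stale_bytes_vulnerable(), stale_bytes_fixed());
    return 0;
}
```

Either half of the fix alone is weaker: packing without zeroing still leaves any field the code forgets to set holding old data, and zeroing without packing still transmits three padding bytes (now zeros) that the spec does not define. A cheap regression guard is a compile-time check such as `_Static_assert(sizeof(init_resp_packed_t) == INIT_RESP_WIRE_LEN, "layout")` next to the struct.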

Timeline

2018-11-26: U2FHID_INIT_RESP information leak is discovered
2018-11-30: Advance notice to vendor #2
2018-12-05: Disclosure to vendor #2
2018-12-12: Disclosure to vendor #3
2018-12-15: Disclosure to vendor #4 (no practical impact)
2018-12-18: Coordinated public disclosure

Frequently Asked Questions

Is my Trezor One safe?

The described vulnerability can be used to read a small area of discarded memory. During research, we have so far been unable to escalate this to any meaningful compromise or exposure of sensitive data. In addition, there is no evidence that this vulnerability has been used in practice. However, we encourage everyone to keep their Trezor devices up-to-date at all times.

Is Trezor Model T affected?

Facing bans, Huawei promises greater security and touts growing sales


(Reuters) ― Huawei on Tuesday said it would spend $2 billion over the next 5 years to focus on cybersecurity by adding more people and upgrading lab facilities, as it battles global concerns about risks associated with its network gear. The typically secretive Chinese technology giant made the comments at one of its most in-depth press conferences, at its Dongguan offices, after welcoming about two dozen international journalists into its new campus in the southern Chinese city.

Huawei has been in the news these past weeks for the arrest of its chief financial officer Meng Wanzhou ― also the daughter of its billionaire founder Ren Zhengfei ― in Canada at the request of the United States.

This has exacerbated the woes of the Chinese firm, which has already been virtually locked out of the U.S. market and has been prohibited by Australia and New Zealand from building 5G networks amid concerns its gear could facilitate Chinese spying.

“Locking out competitors from a playing field cannot make yourself better. We think any concerns or allegations on security at Huawei should be based on factual evidence,” its rotating chairman Ken Hu said. “Without factual evidence we don’t accept and we oppose those allegations.”

Huawei has been communicating with governments worldwide regarding the independence of its operation, he said. He added that Japan and France had not formally banned its telecom equipment. Recent media reports have indicated moves by these governments to shun the company’s equipment.

Sources have told Reuters that Japan planned to ban government purchases of equipment.

Other media reported that the country’s three top operators planned not to use current equipment and upcoming 5G gear from Huawei, and that France was considering adding items to its “high-alert” list that tacitly targets Huawei.

Huawei has repeatedly said Beijing has no influence over it.

At the tour of Huawei’s Shenzhen headquarters on Tuesday, journalists glimpsed some of Huawei’s most advanced R&D labs housed in a three-story building with a white facade and four columns, referred to by insiders as the “White House.”

Hu said Huawei had secured more than 25 commercial contracts for 5G, slightly above the 22 the Chinese technology giant had announced in November.

The company has shipped more than 10,000 base stations for the fifth generation of mobile communications, he said, adding that Huawei expects revenue to exceed $100 billion this year ― up 8.7 percent from last year.

Huawei is the world’s largest supplier of telecommunications network equipment and second-biggest maker of smartphones and unlike other big Chinese technology firms, derives half its revenue from overseas.

“A JUST CONCLUSION”

Hu said on Tuesday Huawei was looking forward to “a just conclusion” in the case of Meng, who was arrested in Vancouver on December 1 after U.S. officials alleged Huawei was trying to use banks to evade sanctions against Iran and move money out.

She is awaiting possible extradition to the United States in a case that has roiled global markets amid concerns it would exacerbate tensions between the United States and China, which are already strained over trade matters.

Meng, the 46-year-old daughter of Ren, has said in a sworn affidavit she is innocent and will contest the allegations against her at trial if she is surrendered to the United States.

Hu said Meng’s arrest has had no impact on the travel of the company’s senior executives.

Huawei to invest $2 billion over the next five years to strengthen cybersecurity

Beijing time, 18 December, evening news: according to Reuters, Huawei said today that it will invest $2 billion over the next five years to strengthen cybersecurity, recruit more staff and upgrade laboratory facilities. The report said Huawei hosted more than 20 international journalists at its new Dongguan campus today. At the press conference, Huawei said that to ease global concerns about security risks in its network equipment, the company will invest $2 billion over the next five years in strengthening cybersecurity, adding staff and upgrading laboratory facilities.

Huawei rotating chairman Hu Houkun (Ken Hu) said: “Locking competitors out of the playing field does not make you better. We believe that any concerns or allegations about Huawei's security should be based on facts. Without factual evidence, we do not accept, and we oppose, these allegations.”

Hu also said Huawei has been communicating with governments around the world about the independence of its operations. He added that Japan and France have not formally banned Huawei's telecom equipment. Recent media reports say these governments will move to ban Huawei's equipment.

According to Hu, Huawei has won more than 25 commercial 5G contracts, ranking first worldwide, and will ship more than 10,000 5G base stations. In addition, Huawei is running 5G commercial trials with more than 50 carriers worldwide and has delivered more than 10,000 5G base stations to customers globally.

Hu also said Huawei expects its revenue this year to exceed $100 billion, up 8.7% from last year.

9 Key Players for a Winning Security Team


Basketball legend Michael Jordan once said, “Talent wins games, but teamwork and intelligence win championships.” When it comes to something as important as your company’s security, you can’t afford to rely on anything less than a championship security team.

What does a championship security team mean for your organization? You may have hired the best individuals across the spectrum of IT roles, but if they aren’t working together, you’re missing out on game-changing productivity.

We pulled together a list of key players for a winning security team based on our experience in the industry. Titles almost certainly vary from one company to the next, but the focus and responsibilities of the roles are certainly familiar to IT and security professionals alike. Here’s what you need to build your winning security team:

Chief Information Officer

A majority of records within organizations are now stored electronically, meaning the Chief Information Officer (CIO) has a vested interest in the overall security strategy. The traditional role of the CIO is expanding from IT resource management, policy development, standard operating procedure development, and more. They are now accountable for more than technology management. As the number of digitally captured business functions continues to expand, the CIO is getting involved strategically in additional functions, departments, and business decisions.

CIOs must not only be involved in, but lead, cybersecurity strategy planning. They are connected to several important parts of the organization, and need to get buy-in from these teams in order to execute an effective software security plan.

Chief Information Security Officer

While the CIO works on the business management part of an organization, the Chief Information Security Officer (CISO) is critical in the age of security breaches . The CISO’s role is to monitor and analyze potential security risks, and to work closely with the CIO to increase IT risk mitigation. A good CISO must develop, deploy, and maintain an InfoSec program to protect the data an organization stores and processes.

The CISO must identify risk across the entire operation, from verifying that IT facilities are secure to educating employees on the organization’s security policies and practices and how to respond if a breach occurs. The potential penalties from regulations such as PIPEDA and GDPR are significant if data is misused and/or poorly secured. CISOs must integrate security policies and protection strategies, working closely with key players in the organization to deploy, revise, and oversee security strategy.

Cloud Operations Leader

As someone who works closely with the CIO and CISO and handles the design and implementation of cloud storage strategies, the leader of Cloud Operations efforts is a critical player on a successful security team.

Their practices need to be safe, reliable, and perfectly aligned with the overall software security plan. They need to be involved in the strategic planning and implementation of security plans because they have unique knowledge of cloud best practices―and won’t fall victim to insecure code or data breaches.

IT Security & AppSec Specialists

IT Security Specialists are critical in the implementation and management of the software security plan. These team members are the people on the line actually doing the work.

Having a variety of background and experience levels helps diversify the knowledge and approach within your security team. This diversity leads to a wider range of knowledge and better decision making when it comes to the best way to approach implementing security throughout your software development lifecycle (SDLC).

IT Security Specialists are responsible for the successful implementation and management of your security plan. They are also critical in helping to train and promote the importance of software security throughout other parts of the organization.

Security Champions

Every organization benefits from the internal evangelists who sit in the engineering team and promote AppSec best practices . In a rapidly accelerating software delivery environment, these internal evangelists can help your organization keep up with the evolving challenges of application security.

Developers

Don’t dismiss entry-level tech resources as not knowing enough to be involved. Instead, tap into them as resources for internal talent development. For your experienced developers, it’s important not to make assumptions about their knowledge. Ensure that their training is up to date too, and then validate their knowledge periodically.

Finding and hiring new and experienced tech resources is expensive, so it’s important that you continue to develop your own internal teams. Push their boundaries of security knowledge and help them learn. You may even get some new takes on old processes while you’re at it.

Business Leaders

To implement an effective software security plan rapidly, you need buy-in from the rest of the business leadership team.

Your CIO and/or CISO needs to build critical relationships with other key decision makers such as the Director of Operations, the CFO, and the CEO, and explain how their software security initiative supports other critical business functions. For example, if there is a large security breach that costs the business millions, everyone experiences the repercussions.

If all of the business leaders can get on the same page and work together to build a more security-focused organization, the security team can execute their software security plan much more effectively and efficiently.

The Legal & Compliance Teams

Even though other players in the security team have the best intentions of “following the rules,” no one has rule-following down quite like the legal and compliance teams.

The CIO, CISO and other team members rely on their legal team to make sure the organization is following policy within their own business, and identifying the industry standards and regulations they must adhere to, such as GDPR, PCI-DSS , HIPAA and many more. Industry standards can change frequently, so it’s important to have dedicated resources who keep the team on point when it comes to compliance.

The security team also relies on the compliance team to ensure that record keeping and documentation policies are being followed by the entire organization.

The Business Owners (Users of the Data)

Lastly, the actual data users play a huge role in the success of a solid software security plan.

While it seems like individual users may be too far downstream to matter, these users are the people most often handling the data.

Understanding how this team needs to process the data is critical. You need to make sure there is no gap between the legal and compliance teams thinking of how data should or must be used and the reality of how it is ac

OSS Security a Top Priority in National Cyber Strategy


The U.S. House of Representatives Committee on Energy and Commerce recently released its Cybersecurity Strategy Report, in which the committee identified several key concepts and principles to address and prevent cybersecurity incidents .

“The support and stability of the open-source software (OSS) ecosystem” ranked third among the top six priorities identified by the government. Recognizing that “modern information systems and products have continued to grow in scale, sophistication, and complexity,” the committee members wrote to the executive director of the Linux Foundation, Jim Zemlin, acknowledging that OSS has become part of the nation’s “critical cyber infrastructure.”

“It is the collective responsibility―and imperative―for business, industry, academic and technology leaders to work together to ensure that OSS is written, maintained and deployed as securely as possible, and [i]t is essential that the corresponding OSS communities are supported and properly enabled to be proactive enough to manage future security challenges that will arise over time,” the letter stated.

In large part, the security issues in OSS have been overlooked by everyone, yet few would disagree that there are security challenges that must be addressed.

Jason Glassberg, managing principal at Casaba Security, is increasingly concerned about OSS-based attacks. Because the code is often not well scrutinized, he said, there are growing security risks that frequently go unnoticed.

Security Problems in Open Source Software

Whether software is proprietary or open source, there are always risks, but for a long time many people functioned under the belief that more eyes on the code inherently elevated the code’s security. Until Heartbleed.

That’s not to say that proprietary software written behind the curtain buys greater protection. It’s true that with OSS everyone has access to the code, and in theory millions of eyes are looking at it, which should make it safer. In practice, as Heartbleed showed, access to the code only helps if someone is actually reviewing it.

“The problem is when it is used without rigorous controls. People risk using components they don’t understand, and when you are not controlling the end-to-end production of software, you may be introducing risks you don’t know about,” Glassberg said.

This lack of understanding is often the result of a lack of inventory, said Carlos Perez, head of threat R&D at TrustedSec. “Many people do not keep a list of the full OSS components they are using in their environments, which means they don’t know they are vulnerable even after a vulnerability has been disclosed,” he noted, which was an issue recently when an attacker was given publishing rights to the event-stream npm package.
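The first practical control against the inventory problem Perez describes is a script that enumerates every component, transitive ones included, and crosses the result against an advisory list. The following is an added example written for this page; it is not code from the article or from any project it names. The lockfile content and the advisory list are constructed for the demonstration; the one real entry is flatmap-stream 0.1.1, the malicious dependency that event-stream 3.3.6 pulled in. Matching is on exact version strings, not semver ranges, so a real deployment would replace `find_affected` with a range-aware check or a software composition analysis tool.

```python
"""Build a dependency inventory from an npm lockfile and match it
against known-bad versions.

Added example, not code from the original article. SAMPLE_LOCK and
ADVISORIES are constructed; the only real advisory entry is
flatmap-stream 0.1.1 (the malicious dependency of event-stream 3.3.6).
"""
import json
from typing import Dict, List, Set, Tuple

# Constructed package-lock.json (lockfileVersion 1 layout) standing in
# for a real project's lockfile. Nested "dependencies" hold transitive
# packages that npm could not hoist to the top level.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 1,
    "dependencies": {
        "event-stream": {
            "version": "3.3.6",
            "requires": {"flatmap-stream": "0.1.1", "through": "~2.3.1"},
            "dependencies": {
                "flatmap-stream": {"version": "0.1.1"}
            },
        },
        "through": {"version": "2.3.8"},
        "left-pad": {"version": "1.3.0"},
    },
})

# (package, version, note). flatmap-stream 0.1.1 is real; "example-lib"
# is a hypothetical entry included only to show a non-match.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("flatmap-stream", "0.1.1", "malicious code injected via event-stream 3.3.6"),
    ("example-lib", "2.0.0", "hypothetical advisory, not a real package"),
]


def inventory(lock_text: str) -> Set[Tuple[str, str]]:
    """Return every (name, version) pair in the lockfile, transitive deps included."""
    lock = json.loads(lock_text)
    found: Set[Tuple[str, str]] = set()

    def walk(deps: Dict[str, dict]) -> None:
        # lockfileVersion 1: a tree, with nested "dependencies" per package
        for name, meta in deps.items():
            found.add((name, meta["version"]))
            walk(meta.get("dependencies", {}))

    if "packages" in lock:
        # lockfileVersion 2/3: flat map keyed by "node_modules/<name>" paths;
        # the "" key is the root project, not a dependency
        for path, meta in lock["packages"].items():
            if path:
                found.add((path.split("node_modules/")[-1], meta["version"]))
    walk(lock.get("dependencies", {}))
    return found


def find_affected(inv: Set[Tuple[str, str]],
                  advisories: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Cross the inventory with the advisory list (exact version match)."""
    bad = {(name, ver): note for name, ver, note in advisories}
    return sorted((name, ver, bad[(name, ver)]) for (name, ver) in inv if (name, ver) in bad)


if __name__ == "__main__":
    components = inventory(SAMPLE_LOCK)
    print(f"{len(components)} components in inventory")
    for name, ver, note in find_affected(components, ADVISORIES):
        print(f"AFFECTED {name}@{ver}: {note}")
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; the point of the exercise is that flatmap-stream never appears in the project's own package.json, so only a full-tree inventory would have shown the exposure when the advisory was published.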

Old Habits, New Concerns

Because OSS is easier and faster than building code from scratch, it has become much more widely used. “We’ve seen a marked increase in the development and usage of OSS, even from major players in the software world. Microsoft is making a huge push into the OSS sphere, and it looks to be that OSS is the future of development,” Glassberg said.

Because everyone is jumping on the bandwagon without really understanding the components they’re using, the risks have increased as well. In the committee’s letter, U.S. Reps. Greg Walden (R-Ore.) and Gregg Harper (R-Miss.) wrote, “Its pervasiveness also creates widespread, distributed, and common points of potential risk across organizations when OSS vulnerabilities are found.”

The Future of Open Source Security

It’s often said that, “it takes a village to raise a child,” and it will take an entire industry to make OSS as secure as possible.

“Once you realize the problem exists, you can look for ways to solve the problem,” Glassberg said. As the committee recognized, there are ongoing efforts, such as those at the Linux Foundation, to transition from the Wild West to a more structured and firmly established process for how things are updated and developed.

“As more of these efforts become mainstream, the process will be much more organized for updates and patches,” Glassberg said.

But the subject needs to be discussed more openly. The industry needs to come together, and Perez said organizations such as NIST and CERT can have great influence when it comes to creating standards for inventory and testing.

The reality is that if you have a problem, you have two choices: either hide it or release a fix to it and move on. “That’s the whole beauty of the white hat movement,” Glassberg said. “It’s always better to have bad news come from friends rather than enemies because the bad news is coming one way or the other.”

Fortunately, the future of the security industry will provide lots of opportunities to build friendly relationships with security researchers, according to a new report, “Inside the Mind of a Hacker,” from Bugcrowd.

“Cybersecurity isn’t a technology problem, it’s a people problem―and in the white hat hacker community there’s an army of allies waiting and ready to join the fight,” said Casey Ellis, founder and CTO at Bugcrowd.


Decentralised Storage Systems―Offering Optimum Security and Efficiency


Advances in the digital realm have streamlined and improved the way people receive services. Today, ordinary people have access to vast amounts of information and services on the go. However, data security and efficiency remain critical challenges that companies across the globe deal with continuously. While present cloud storage options offer vast space, there are challenges that keep enterprises from relying completely on centralised data storage systems.

Challenges of Existing Data Storage Systems

Below are the fundamental setbacks of conventional data storage options:

Privacy and Security Issues

Internet privacy threats such as identity theft, tracking and hacking significantly affect individuals and enterprises alike. In fact, according to a recent survey, 96% of internet users consider online privacy threats the biggest internet challenge they fear. Centralised storage systems concentrate data in one place, so a single breach can expose all of it, which makes them a weak option.

Lack of Flexibility

Companies evidently have a huge amount of data to store. While centralised databases offer adequate space to store their data, there are challenges that cannot be overlooked. A centralised database offers low adaptability and only focuses on certain specific tasks. This leaves no scope for collaboration and results in a rigid storage process.

Lack of Speed

In the high-speed world we live in, nobody has the time or patience to wait on technology, so the speed of a service is extremely important. However, centralised cloud storage often fails to provide the high network bandwidth required for fast data transfer, which makes data access slow and rigid.

Friend; Rendering Digital Freedom

Friend is an open source community built on blockchain technology that aims to solve the problems above. By eliminating these pitfalls, the platform aims to offer digital independence to internet users. With icons, menus and apps, Friend looks like an operating system; however, it is a platform that lets operating systems offer a robust network backed by blockchain-powered applications. It is essentially an autonomous cloud computer that is entirely controlled and managed by its users, an ecosystem free from oppression and censorship in which every individual’s personal information is secure.

Essential Features of Friend Platform

Below are the essential features of the Friend ecosystem:

Full Control

The platform provides a decentralised cloud storage that allows users to have full control over their data. Users can decide where their data is stored and who has access to it, therefore, ensuring there is optimum transparency and security in the system.

Efficient Data Sharing

The network allows organisations to easily deploy applications, services, and data on its decentralised infrastructure. Users can either join the global Friend Network or set up a private network for their organisation to efficiently share applications, data, services, etc.

Easy Collaboration

The inbuilt collaboration functionality by Friend Chat allows users to conduct live discussions while viewing the dataset. Moreover, shared presentation sessions enable everyone to view the same content on their respective screens, thereby offering flexible collaboration option.

Security and Privacy

The Friend network focuses on protecting its users’ important data. By encrypting data on the user’s device, the platform protects private data before it is ever stored on a server. Users can also obtain anonymous access, preventing their identity from being disclosed. It frees users from Big Tech and provides a secure ecosystem in which users can store their data and develop and collaborate using any device and software.

Transformation Towards Decentralised Computing Solutions

With the aforementioned challenges of centralised storage options, companies are increasingly looking for decentralised solutions to security and efficiency. Blockchain-based cloud storage solutions allow users to secure their data and participate in digital activities with utmost effectiveness. Friend is one such unique cloud computing platform that allows users to garner maximum efficiency from its decentralised servers.

Lexin Passes ISO 27001 Certification; Its Information Security Capability Gains International Recognition


On December 18, fintech company Lexin (NASDAQ: LX) announced that it had formally passed the audit of the international certification body DNV GL and been awarded an ISO 27001 (Information Security Management System standard) certificate. This marks Lexin’s information security management and services reaching an industry-leading level and aligning with mainstream international practice.

Lexin Vice President Shi Hongzhe said that Lexin’s business architecture is built on a fully digital, fully information-based foundation, which makes information security protection a top priority. “Establishing an information security management system helps protect the company’s and users’ sensitive data from threats, reduces incidents, lowers security risk, and builds trust with investors, partners and users.”

Building the ISO 27001 information security management system took Lexin more than eight months. The company wrote and published 54 policy documents, rolled the system out and refined it across 26 departments, produced multiple rounds of asset identification and risk assessment, and iterated on remediation before finally passing the assessment. “Going forward, DNV GL is willing to work with Lexin to further improve the system and raise the information security service level of the whole industry,” said Chen Li, Vice President of DNV GL Greater China, the body that carried out the certification audit.

In early 2017, Lexin’s online lending information intermediary platform Juzi Licai (桔子理财) also passed the Level 3 assessment of the Multi-Level Protection Scheme for information system security, receiving a Level 3 filing certificate issued with the approval of the Ministry of Public Security.

Pressure on Pipe Networks over telecoms code rules contravention


Pipe Networks, a subsidiary of telecom services provider TPG, has been ordered by the telecommunications regulator to comply with new rules for small mobile phone base stations (small cells) following two investigations which found the company had contravened code rules.

The Australian Communications and Media Authority (ACMA) has warned Pipe Networks that if it fails to comply with the direction, it may issue an infringement notice or commence proceedings in the Federal Court.

The ACMA’s direction follows two ACMA investigations in which Pipe Networks was found to have contravened code rules:

By failing to provide accurate and up-to-date information to a local council and residents during consultations on a proposed base station deployment
By starting work before concluding consultation on the proposed deployment

The Mobile Phone Base Station Deployment Industry Code aims to ensure mobile telcos consult with local councils and communities before deploying mobile phone infrastructure.

“It’s important for telcos to keep affected communities in the loop and to consider their feedback when deploying new infrastructure”, said ACMA Chair, Nerida O’Loughlin.

“We expect to see more and denser deployments of small cells as demand for mobile services increases and as 5G networks are built,” O’Loughlin said.

The ACMA recently registered a revised version of the code which includes new, tailored consultation provisions dealing specifically with the deployment of small cells, and says these provisions are better suited to the rollout of small, rather than large infrastructure.

The new code also contains provisions that enable community consultations about mobile base stations to use digital communication channels, such as social media and email.

“The ACMA will closely monitor the deployment of small cells to ensure communities are consulted in line with the new version of the Code, and to identify any new concerns,” O’Loughlin said.


New Private Security Startup, Abacus Secured $2 Million From VCs


The cryptocurrency market has crashed to its lowest level of 2018 but managed to turn greener early today, according to coinmarketcap. Even so, investors, analysts and VCs remain confident in the future of cryptocurrency and its underlying technology, and are still putting millions of dollars into new startups.


Abacus raised $2 million to encourage tokenized liquidity programs

KuCoin exchange was the latest crypto trading platform, as reported by Coingape, to secure $20 million in funding from VCs. The team has now looked at another crypto firm, Abacus, which has raised $2 million to help investors and startups manage their tokenized liquidity programs. Specifically, $1 million came from investor Justin Kan, a serial entrepreneur, and the other participants in Abacus’s funding round were Y Combinator (YC) and Coinbase.

Abacus is the brainchild of Pradyuman Vig and Ian Macalinao, developed to streamline the overall mechanism of tokenized securities. According to reports, it will help the SEC and other auditors scrutinize a security by automating compliance for tokenized security transactions and by tracking the chain of custody of private securities. Moreover, the founding team notes that it covers everything from issuing tokens to administering and settling tokenized securities on a blockchain via smart contracts.

Coinbase to Be First Exchange Partner of Abacus

Coinbase, through its funding contribution, will likely count among Abacus’s first exchange partners. Beyond Coinbase, Abacus is also courting other market leaders: it has already partnered with AisSwap, a New York-based P2P trading platform, and is looking closely at joining hands with the Chicago-based exchange OpenFinance, which is currently preparing to begin trading its first security token.

The Revenue and The Vision

Indeed, Abacus’s key mission is to make private securities trading more transparent, but the firm’s operation is still very small. Vig asserted that its processes are “programmatic and automatic” and do not need “an army of engineers”. Moreover, the company is already working with SpaceFund, a Texas-based VC firm, from which it derives a significant portion of its revenue. Vig notes that

“We don’t have a formula yet for our SaaS model,” adding that “It depends on the number of people involved in a particular offering, and how complicated compliance is.”

The core idea Abacus is supporting for SpaceFund is that investors can sell their own “SpaceFund tokens” to other investors once the value of those tokens rises. In return, Abacus charges SpaceFund a subscription fee.

“We want to allow more visionary people to get involved, support the entrepreneurs opening space to humanity, and share in the wealth it will create. This offering is both a giant leap and a first step in that direction.”

― @RocketRick @CryptovestMedia https://t.co/VefgBNz1o4 pic.twitter.com/YaS6fMIFVl

― SpaceFund (@SpaceFundInc) December 16, 2018

The post New Private Security Startup, Abacus Secured $2 Million From VCs appeared first on Coingape .

3 Ways AI is Securing Crypto Exchanges


Artificial intelligence (AI) has been a darling of the press and may be a term that is frequently overused. Truth be told, AI that is indistinguishable from human intelligence is more science fiction than reality, like what we’ve seen in “Ex Machina.” At the same time, more mundane approaches to AI such as statistical analysis, regression analysis and deep learning have been established as key technologies for businesses. This practical AI has permeated the enterprise, with marketing, IT, human resources, security and other departments leveraging the technology to streamline processes and increase efficiency. Given the speed and scale required of today’s global businesses, this reliance on automation is a natural progression.

In particular, AI use cases have picked up significantly in security. Here’s why: A recent survey by PCI Pal found that 44 percent of U.S. consumers have suffered the negative consequences of a security breach. This influx in online criminal activity has made it difficult for any organization to defend against increasingly sophisticated hackers, especially as they refine their tactics and leverage AI. The same survey found that 83 percent of U.S. consumers will stop spending with a business for several months in the immediate aftermath of a security breach, representing a significant loss in revenue. To keep up with the rate of cybercrime and avoid reputational and/or financial repercussions resulting from a data breach, security teams across a number of industries have turned to AI.


The crypto industry is not really that different from any other FinTech online service. Crypto exchanges are just websites where you can buy, sell or exchange cryptocurrencies for other digital or traditional currencies such as the U.S. dollar or euro. They’ve been around for a while, but they’ve recently boomed with the surge in Bitcoin, the most popular cryptocurrency. With the cryptocurrency market estimated to hit $1 trillion this year, it’s no surprise that cybercriminals are targeting these exchanges and getting away with massive sums. In fact, in the past year, there were several major attacks targeted at crypto exchanges, including the following:

NiceHash: $63 million stolen in December 2017
Coincheck: more than $500 million stolen in January 2018
BitGrail: around $195 million stolen in February 2018
Coinrail: around $40 million stolen in June 2018
Bithumb: $30 million stolen in June 2018
Zaif: $59 million stolen in September 2018

It’s hard to talk about crypto and AI in the same breath. It feels as though the conversation has been overloaded by fashionable acronyms, a sort of “bullsh*t bingo.” That said, driven by this escalation in attack activities, the crypto industry is paying more attention to security and is looking toward newer and automated technologies including AI and machine learning to protect themselves.

Within the crypto industry, security needs to address all three fundamental layers of the crypto economy: coins or tokens (the protocol), exchanges and personal wallets. If there’s an issue at the protocol layer and a hacker is able to identify and exploit protocol flaws, it doesn’t matter how secure the second and third layers are; the hackers will get in. And because a crypto exchange is essentially a centralized web application, it is prone to the same security issues as every other website. This is bad news for issuers and crypto exchanges alike, given that their livelihood depends on the security of crypto assets and the confidence of the public.

To address these issues, the crypto industry leverages AI to automate security processes quickly and effectively and to identify vulnerabilities not visible to the human eye. More specifically, AI is being used to secure cryptocurrency exchanges in the following ways:

Proactive Attack Blocking. By analyzing website and application traffic, AI is able to identify and block attacks before they do damage to the website. By leveraging attack data, including payloads, attack types and endpoints, AI is able to actively verify and prioritize threats and determine whether they are a high-risk incident or simply irrelevant aggressive noise.

Fraud Identification. AI can be designed to detect fraud in transactions via a predefined set of rules that automatically detect when something on the exchange is awry. AI is already being implemented by banks and other financial technology companies, making it an easy jump to retool AI capabilities for crypto exchanges. In addition, AI-centric fraud detection should be at the foundation of transparent exchanges, which would make it even easier to regulate the exchange of currency and detect any malicious hacks.

Vulnerability Detection. Not specific to AI but still very important to the security of the crypto industry is timely detection of vulnerabilities. An automated security system should be used to continuously analyze network perimeters and discover exposed assets and services. Further, continuous security testing should be used to automatically scan for vulnerabilities in crypto exchanges that could potentially be exploited by hackers. AI can help here to assess how risky the vulnerability might be and to quickly generate a virtual patch.
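The “predefined set of rules” approach under Fraud Identification above, as an added example that is not part of the original article and not code from any exchange: a withdrawal screener that parses a constructed withdrawal log and applies four rules per account (destination address first seen inside a cooldown window, source IP first seen inside that window, an amount far above the account’s median, and a burst of withdrawals in a short period), then flags any withdrawal that trips two or more. The log lines, account names, addresses, IPs and thresholds are all constructed for the demonstration.

```python
"""Rule-based screening of exchange withdrawals.

Added example, not code from the original article or from any exchange.
SAMPLE_LOG and every threshold below are constructed for the demonstration;
a real deployment would tune them per asset and route flagged rows to
manual review or a hold queue.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from statistics import median
from typing import Dict, List, Tuple

# Constructed log: timestamp account asset amount destination source_ip.
# Rows 1-2 are an account's normal pattern; rows 4-6 look like an account
# takeover draining funds to a fresh address from a fresh IP.
SAMPLE_LOG = """\
2018-12-10T09:00:00Z acct-17 BTC 0.05 1KnownAddrAAA 203.0.113.10
2018-12-15T10:30:00Z acct-17 BTC 0.04 1KnownAddrAAA 203.0.113.10
2018-12-19T11:00:00Z acct-42 ETH 2.00 0xKnownAddrBBB 198.51.100.7
2018-12-20T03:01:00Z acct-17 BTC 1.20 1NewAddrZZZ 192.0.2.99
2018-12-20T03:02:30Z acct-17 BTC 1.10 1NewAddrZZZ 192.0.2.99
2018-12-20T03:04:10Z acct-17 BTC 0.90 1NewAddrZZZ 192.0.2.99
"""


@dataclass
class Withdrawal:
    ts: datetime
    account: str
    asset: str
    amount: float
    dest: str
    src_ip: str


@dataclass
class AccountHistory:
    first_seen_dest: Dict[str, datetime] = field(default_factory=dict)
    first_seen_ip: Dict[str, datetime] = field(default_factory=dict)
    amounts: List[float] = field(default_factory=list)
    times: List[datetime] = field(default_factory=list)


def parse_log(text: str) -> List[Withdrawal]:
    """Parse the whitespace-separated log into Withdrawal rows, oldest first."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, asset, amount, dest, src_ip = line.split()
        rows.append(Withdrawal(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                               account, asset, float(amount), dest, src_ip))
    return sorted(rows, key=lambda w: w.ts)


def score_withdrawals(withdrawals: List[Withdrawal], *,
                      cooldown: timedelta = timedelta(hours=24),
                      burst_window: timedelta = timedelta(minutes=10),
                      burst_count: int = 3,
                      spike_factor: float = 5.0,
                      flag_at: int = 2) -> List[Tuple[Withdrawal, List[str], bool]]:
    """Return (withdrawal, rules_hit, flagged) for each row, in time order."""
    histories: Dict[str, AccountHistory] = defaultdict(AccountHistory)
    results = []
    for w in withdrawals:
        h = histories[w.account]
        hits: List[str] = []
        if h.amounts:  # the three baseline rules need at least one prior withdrawal
            # an address or IP is "new" until it has been seen for a full cooldown;
            # .get(..., w.ts) makes an unseen value age 0, which also counts as new
            if w.ts - h.first_seen_dest.get(w.dest, w.ts) < cooldown:
                hits.append("new-destination")
            if w.ts - h.first_seen_ip.get(w.src_ip, w.ts) < cooldown:
                hits.append("new-source-ip")
            # median, not mean: the attacker's own large withdrawals should not
            # immediately raise the baseline they are being compared against
            if w.amount > spike_factor * median(h.amounts):
                hits.append("amount-spike")
        recent = [t for t in h.times if w.ts - t <= burst_window]
        if len(recent) + 1 >= burst_count:
            hits.append("burst")
        # update history only after scoring, so a row cannot whitelist itself
        h.first_seen_dest.setdefault(w.dest, w.ts)
        h.first_seen_ip.setdefault(w.src_ip, w.ts)
        h.amounts.append(w.amount)
        h.times.append(w.ts)
        results.append((w, hits, len(hits) >= flag_at))
    return results


if __name__ == "__main__":
    for w, hits, flagged in score_withdrawals(parse_log(SAMPLE_LOG)):
        status = "FLAG" if flagged else "ok  "
        print(f"{status} {w.ts:%Y-%m-%d %H:%M} {w.account} {w.amount:.2f} {w.asset} -> {w.dest} {hits}")
```

On the constructed log the first three rows pass and the three early-morning withdrawals from acct-17 are each flagged on three rules. The cooldown rule is what keeps the second and third drain attempts visible: a plain "never seen before" check would have stopped firing after the first transfer to the new address, which is exactly the gap an attacker counts on.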

As long as cryptocurrencies remain in use, we can expect hackers to target crypto exchanges for profit. With cybercriminals becoming increasingly skilled, it will be important for issuers and crypto exchanges to continue to incorporate AI into security processes to effectively defend against the constant threat of a breach. And because exchanges grow their business by having the trust of consumers, it will be imperative for them to leverage technologies such as AI to monitor and secure assets in real time.
