
2019 Predictions: Information security will be given a seat at the table without ...


Many years ago, a board member said to me, “We’ve employed you to do information security, so why do we have to do anything?” This was fairly typical. My experience in the past has been that information/cyber security professionals have often been relegated to giving advice on the threat landscape and risks, and then futilely lobbying the board for visibility and resources to put appropriate controls in place.


In 2019, that attitude will finally, and permanently, change. Instead we will see organisations start proactively approaching information security experts for actionable advice and guidance. And rather than fighting for a seat at the table, information security leads will be given one without even asking. The CISO will get a seat at the boardroom table in businesses across all sectors. The price of this new visibility will be utility; only actionable, relevant, timely and understandable intelligence will enable a CISO to keep that seat. A key message which the CISO will have to drive to the board is that breaches are inevitable; good security is a balancing act between too much and too little security, and the board is responsible for defining their organisation’s balancing point.

Of course, we know that a key driver for this change will be the pressure that GDPR has introduced into business, not least due to the fines that can be levied on companies which have been breached, or which have failed to comply with the Regulation. I think we are likely to see the first tranche of breach-related fines announced in June 2019, which will set the scene for business strategies and priorities thereafter.

I’m going to go out on a limb and predict that we’ll see a couple of significant fines to set the tone; maybe 1% to 2% of global annual turnover (not the maximum of 4% just yet; the regulators will want to leave themselves room to up the ante) applied to household names. These will, of course, be appealed by the companies affected, so the actual fines will not be confirmed until 2020. Once the likely levels of fines are clear, any businesses which are not yet governing their information risks at board level will reassess their approach. Being able to demonstrate due diligence will be increasingly understood to be the best way to reduce the chance of a breach, and to minimise the chance of a fine should the worst happen.

The role of CISO must be integrated with the other heads of business, especially HR, as user education is one of the biggest factors determining whether organisational information security is effective. While technology obviously enables the implementation of many information security measures, it does not prevent the resourceful from circumventing them. Depending upon the success of awareness initiatives, and the suitability of technological security measures, people can be either a major component of our protection or a major component of our risk.

With this in mind, more organisations will take a communal approach to tackling information security, by ensuring that staff at all levels are actively engaged, and empowered to make informed decisions. The increasingly normalised adoption of personal devices and remote working will also drive this transition. As employees become more involved in the process of managing information risk and begin to embed this mindset into their everyday roles, information security will finally be understood to be our shared responsibility. But this transition in mindset can only be achieved if information security is driven from the top down; investment in appropriate technology, and fundamental shifts in policy and process, are necessary to empower staff.

Board-level ownership of information security will become the norm as we move through 2019. And it will make the difference between effective proactive security, and scrambling to deal with the fallout of a breach.

Leave a comment below, or follow Thales eSecurity on Twitter, LinkedIn and Facebook.

The post 2019 Predictions: Information security will be given a seat at the table without asking appeared first on Data Security Blog | Thales eSecurity.

*** This is a Security Bloggers Network syndicated blog from Data Security Blog | Thales eSecurity authored by Bridget Kenyon. Read the original post at: https://blog.thalesesecurity.com/2018/12/18/2019-predictions-information-security-will-be-given-a-seat-at-the-table-without-asking/


The National Vulnerability Database Explained


The National Vulnerability Database (NVD) is one of the most valuable resources available in the fight to keep our software products safe, providing developers and security professionals with the info they need to fix their products when new vulnerabilities are published.

Along with the publication of new vulnerabilities in a range of commercial products and open source software components, the NVD provides an easy-to-navigate database platform that includes analysis not found in other public resources.

Established in 2005, the NVD is operated under the auspices of the U.S. National Institute of Standards and Technology (NIST). It is sponsored by the Department of Homeland Security’s National Cybersecurity and Communications Integration Center, and by Network Security Deployment.

If you are a developer or security team member, the NVD can help keep your organization’s software safe, if you know how to take advantage of the information being provided.

What Kind Of Information Is In An NVD Posting?

Within a posting on the NVD, visitors can find a breakdown of many of the details about a software security vulnerability, to help them understand what they are dealing with and what their next steps should be.

This includes a description of the CVE and the source of the information, which is generally the MITRE Corporation. The impact section then gives a picture of how dangerous a specific vulnerability can be: based on the CVSS v2 and CVSS v3 severity and metrics, the NVD tells readers how the vulnerability has been rated (Critical, High, Medium, Low) and gives details of how exploitation could actually be carried out, such as whether the flaw is reachable over the network and whether privileges or user interaction are needed.
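As an added example (not code from the page or from NIST), the following Python reads a constructed record laid out like an item in the NVD JSON feeds, maps the CVSS v2 and v3 base scores onto the NVD's qualitative bands (v3: None, Low, Medium, High, Critical; v2: Low, Medium, High), expands the v3 vector string into the attack-vector, complexity, privileges and user-interaction details the impact section shows, and flags entries that are network-reachable without privileges or user interaction for urgent triage. The CVE identifier, description, scores and vectors in the sample are placeholders, the field names are assumed to follow the NVD JSON 1.1 feed layout, and the triage rule is this example's own, not an NVD rating.

```python
import json

# Constructed record in the shape of an NVD JSON 1.1 feed item (field layout assumed).
# CVE id, description, scores and vectors are placeholders, not a real advisory.
SAMPLE_ENTRY = json.loads("""
{
  "cve": {
    "CVE_data_meta": {"ID": "CVE-0000-0000", "ASSIGNER": "cve@mitre.org"},
    "description": {"description_data": [
      {"lang": "en", "value": "Placeholder: unauthenticated remote code execution in a fictional service."}
    ]}
  },
  "impact": {
    "baseMetricV3": {"cvssV3": {
      "version": "3.1",
      "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "baseScore": 9.8,
      "baseSeverity": "CRITICAL"}},
    "baseMetricV2": {
      "cvssV2": {"vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "baseScore": 10.0},
      "severity": "HIGH"}
  }
}
""")


def severity_v3(score):
    """NVD qualitative rating for a CVSS v3 base score."""
    if score == 0.0:
        return "NONE"
    if score >= 9.0:
        return "CRITICAL"
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


def severity_v2(score):
    """NVD qualitative rating for a CVSS v2 base score (v2 has no Critical band)."""
    if score >= 7.0:
        return "HIGH"
    if score >= 4.0:
        return "MEDIUM"
    return "LOW"


# CVSS v3 base metrics: abbreviation -> (name, value abbreviations)
V3_METRICS = {
    "AV": ("Attack Vector", {"N": "Network", "A": "Adjacent", "L": "Local", "P": "Physical"}),
    "AC": ("Attack Complexity", {"L": "Low", "H": "High"}),
    "PR": ("Privileges Required", {"N": "None", "L": "Low", "H": "High"}),
    "UI": ("User Interaction", {"N": "None", "R": "Required"}),
    "S": ("Scope", {"U": "Unchanged", "C": "Changed"}),
    "C": ("Confidentiality", {"H": "High", "L": "Low", "N": "None"}),
    "I": ("Integrity", {"H": "High", "L": "Low", "N": "None"}),
    "A": ("Availability", {"H": "High", "L": "Low", "N": "None"}),
}


def parse_v3_vector(vector):
    """Expand 'CVSS:3.x/AV:N/AC:L/...' into readable metric names and values."""
    parts = vector.split("/")
    if not parts[0].startswith("CVSS:3."):
        raise ValueError("not a CVSS v3 vector: %r" % vector)
    metrics = {}
    for part in parts[1:]:
        key, value = part.split(":", 1)
        if key in V3_METRICS:  # ignore temporal/environmental metrics if present
            name, values = V3_METRICS[key]
            metrics[name] = values[value]
    return metrics


def needs_urgent_triage(metrics):
    """Assumed triage rule for this example: reachable over the network with no
    privileges and no user interaction, i.e. wormable-style exposure."""
    return (metrics.get("Attack Vector") == "Network"
            and metrics.get("Privileges Required") == "None"
            and metrics.get("User Interaction") == "None")


def summarize(entry):
    """Pull the fields a developer acts on out of one NVD-style record."""
    cve = entry["cve"]
    v3 = entry["impact"]["baseMetricV3"]["cvssV3"]
    v2 = entry["impact"]["baseMetricV2"]
    metrics = parse_v3_vector(v3["vectorString"])
    computed = severity_v3(v3["baseScore"])
    return {
        "id": cve["CVE_data_meta"]["ID"],
        "source": cve["CVE_data_meta"].get("ASSIGNER"),
        "description": next(d["value"] for d in cve["description"]["description_data"] if d["lang"] == "en"),
        "v3_score": v3["baseScore"],
        "v3_severity": computed,
        "v3_severity_matches_nvd": computed == v3["baseSeverity"],  # sanity check against the feed
        "v3_metrics": metrics,
        "v2_score": v2["cvssV2"]["baseScore"],
        "v2_severity": severity_v2(v2["cvssV2"]["baseScore"]),
        "urgent": needs_urgent_triage(metrics),
    }


if __name__ == "__main__":
    for field, value in summarize(SAMPLE_ENTRY).items():
        print("%-24s %s" % (field + ":", value))
```

The v2 and v3 ratings are computed locally and compared with the value the feed states, which catches records whose stated severity and score disagree after a rescoring.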


https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time

There are also helpful links to information that is not listed on the National Vulnerability (Read more...)

The Difference Between a Penetration Test and a Red Team Engagement


One of the most frustrating things to me as a security person is having sales and marketing types confuse the different types of security assessment.

Similarities

First, let’s start with similarities.

They’re both types of security assessment, meaning their goal is to improve the security of an organization.

They’re also both based on behaving―to some degree―like an attacker.

They’re both focused on results rather than coverage―so they aren’t designed to tell you everything wrong with a company, but rather to show you the specific issue(s) they uncovered.

They both should be used by higher maturity customers, i.e., customers that have already gone through multiple rounds of vulnerability assessment and patching.

Differences

Sales and marketing types love to mix these two together based on whichever one gets more reaction from the customer.

As you can see, Red Team engagements and Penetration Tests have a lot in common, but they are also quite distinct from each other as well.


Penetration Test : A time-boxed technical assessment designed to achieve a specific goal, e.g., to steal customer data, to gain domain administrator, or to modify sensitive salary information.
Red Team Engagement : A long-term or continuous campaign-based assessment that emulates the target’s real-world adversaries to improve the quality of the corporate information security defenses, which―if one exists―would be the company’s blue team.

The term comes from the military, where a red team is an independent group that challenges an organization in order to improve its effectiveness.

Discussion

Penetration Tests are short-term challenges to one’s security posture, and ideally should be done when you think you have your stuff together and you want someone to validate that assumption. They can be network-based, use physical attacks, social engineering, phishing, be application-focused―or all of the above.

Today the term is quite diluted, with Penetration Testing meaning something different to almost everyone. And there are thousands of companies that will sell you one. The problem is you have no way of knowing if you’ll get a Nessus scan or a custom, high-quality manual assessment.

Somewhere around 2017 the Red Team became the assessment du jour for much of the industry. The problem is that only a tiny percentage of security services companies can actually execute them.

The main distinctions between Penetration Test and Red Team are:

Duration : Red Team engagements should be campaigns that last weeks, months, or years. The blue team and the target’s users should always be in a state of uncertainty regarding whether a given strange behavior is the result of the Red Team or an actual adversary. You don’t get that with a one or two week assessment.

Multi-domain : While Penetration Tests can cross into multiple domains, e.g., physical, social, network, app, etc.―a good Red Team almost always does.

Adversary Emulation : The item that separates a random Penetration Test from a real Red Team engagement is that Penetration Tests generally involve throwing common tools and techniques at a target, whereas a Red Team should be hitting the organization with attacks that are very similar to what they expect to see from their adversaries. That includes constant innovation in terms of tools, techniques, and procedures, which is in strong contrast to firing up Nessus and Metasploit and throwing the kitchen sink.

Exploitation

In general, Penetration Tests and Red Team engagements are more likely than Vulnerability Assessments to use exploitation, or proofs of concept, to show that vulnerabilities actually exist. But it’s important to understand that exploitation is not necessary if the evidence is obvious enough to the receiver of the report.

Summary

You can ask for a Pentest or Red Team as a low-maturity customer, but you’ll just be wasting money.

Both Pentests and Red Team engagements are based on acting like an attacker, they’re focused on results rather than coverage, and should only be requested by high-maturity customers. Penetration Tests are usually very short engagements of one to two weeks, whereas Red Team engagements should be campaign-based, long-term, and/or effectively continuous. Red Team engagements are usually cross-domain, where only some Penetration Tests have that quality. Red Team engagements should constantly create new tools and techniques to emulate their adversaries, while Pentest groups usually use off-the-shelf frameworks and standard pentester tactics.

This should help you tell these two assessments apart, and if you want to know when to use which kind of assessment, you can read my guide:

When to Use Vulnerability Assessments, Pentesting, Red Teams, and Bug Bounties

Notes

The only real reason to do a Penetration Test in a low-maturity company is to bring skeptical decision-makers to religion by showing them that yes―they really should be listening to their security person.

DNS-Based Security: Who Are You Kidding?


The proliferation of unsecured devices in the home presents a lucrative target for cybercrime with ransomware and cryptojacking just two common monetization methods out of many. Consumer security is a massive $6.5B market and with the growth of connected appliances in the home, the security industry is going through a transformation. Gone are the days when anti-virus software was a one-stop solution. Security is moving into the network.

But not all network-based security is equal. The two main approaches provide different results and face different challenges imposed by the changing environment in which they operate.

The first approach is DNS-based and is implemented on the service provider’s DNS system. It secures end users by inspecting their DNS requests before resolving them. If the DNS request is for a known* malicious domain, such as a phishing web site, or for content that is inappropriate under a parental control service, the user is redirected to safety. The problems that this approach faces are significant; here are a couple of examples.

Writers of malware avoid the use of DNS. In fact, security researchers at Allot have observed that out of 1,700,000 sample downloads, only 850 used DNS for payload download―99.95% don’t use DNS! A second issue is that children easily avoid DNS-based parental control with apps such as Google/Jigsaw’s, which open an encrypted tunnel to the Google DNS system, circumventing the SP’s system without any remedy.

The second approach is in-line network-based security. As opposed to DNS-based systems, it sits in line and inspects all the requests coming from the end user including DNS and HTTP/S. It too redirects the user to safety if the domain in question is known to be malicious or its content is categorized as inappropriate.



The first advantage of in-line security is that it cannot be bypassed. It will see and inspect the DNS and HTTP/S request. The second advantage is that in-line security can also inspect the downstream traffic with anti-malware engines to recognize and block malicious code or scripts.
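To make the two approaches concrete, here is an added example (not code from the article or from Allot) that runs a resolver-side DNS filter and an in-path filter over a constructed flow log and compares their verdicts. The blocklists, the malware digest, the hostnames and the addresses are invented for the example (documentation-range IPs throughout); the model of what each filter can see is the one the article describes. The DoH flow shows the lookup the DNS filter never sees, the direct-to-IP download shows malware that does not touch DNS at all, and the last HTTPS flow shows the limit both filters share: an encrypted payload cannot be scanned, only matched on its destination.

```python
# Constructed blocklists and flow log; none of this data comes from the article.
BLOCKED_DOMAINS = {"phish.example", "malware.example"}
BLOCKED_IPS = {"203.0.113.7"}
MALWARE_SHA256 = {"0" * 64}  # placeholder digest standing in for a known payload

SAMPLE_FLOWS = [
    # 1: classic plain-DNS lookup of a phishing domain
    {"id": 1, "proto": "dns", "qname": "phish.example"},
    # 2: DNS-over-HTTPS lookup of the same name; the query itself is inside TLS,
    #    so the only thing on the wire is an HTTPS connection to the resolver
    {"id": 2, "proto": "https", "dst_ip": "192.0.2.53", "sni": "dns.google"},
    # 3: the connection that follows the DoH lookup
    {"id": 3, "proto": "https", "dst_ip": "198.51.100.4", "sni": "phish.example"},
    # 4: malware fetching its payload from a hard-coded IP, no DNS, cleartext HTTP
    {"id": 4, "proto": "http", "dst_ip": "203.0.113.7", "host": None, "body_sha256": "0" * 64},
    # 5: HTTPS download from an unlisted host; payload is encrypted and unknown
    {"id": 5, "proto": "https", "dst_ip": "198.51.100.9", "sni": "cdn.example"},
    # 6: benign plain-DNS lookup
    {"id": 6, "proto": "dns", "qname": "news.example"},
]


def dns_filter(flow):
    """Resolver-side filter: it only ever sees queries sent to the provider's resolver."""
    if flow["proto"] != "dns":
        return "unseen"
    return "block" if flow["qname"] in BLOCKED_DOMAINS else "pass"


def inline_filter(flow):
    """In-path filter: inspects every flow, but only what is visible on the wire."""
    if flow["proto"] == "dns":
        return "block" if flow["qname"] in BLOCKED_DOMAINS else "pass"
    if flow.get("dst_ip") in BLOCKED_IPS:
        return "block"
    name = flow.get("sni") or flow.get("host")  # TLS SNI or HTTP Host header
    if name in BLOCKED_DOMAINS:
        return "block"
    if flow["proto"] == "http" and flow.get("body_sha256") in MALWARE_SHA256:
        return "block"  # cleartext payload can be matched against signatures
    return "pass"  # an HTTPS payload is opaque without TLS interception


def evaluate(flows):
    """Return per-filter verdict counts and the (id, dns_verdict, inline_verdict) list."""
    summary = {
        "dns": {"block": 0, "pass": 0, "unseen": 0},
        "inline": {"block": 0, "pass": 0, "unseen": 0},
    }
    verdicts = []
    for flow in flows:
        d, i = dns_filter(flow), inline_filter(flow)
        summary["dns"][d] += 1
        summary["inline"][i] += 1
        verdicts.append((flow["id"], d, i))
    return summary, verdicts


if __name__ == "__main__":
    summary, verdicts = evaluate(SAMPLE_FLOWS)
    for flow_id, d, i in verdicts:
        print("flow %d: dns-filter=%-6s inline-filter=%s" % (flow_id, d, i))
    print(summary)
```

Flow 3 is the interesting one: the DoH lookup in flow 2 hides the name from the resolver, but the subsequent TLS connection still carries it in the SNI, which is where the in-path filter recovers it. Flow 5 passes both filters, which is the encryption limit discussed next.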

But in-line security also faces a challenge. Encryption not only hides the consumer’s personal data, it also hides malware and viruses from detection. So, where is the evidence that inline inspection and prevention of malware downloads is effective at all?

A recent survey performed by Allot professional services on behalf of four European SPs that protect 15 million mobile customers with an in-line security service, found that the service activated on average 140 million protections a month, over a period of six months.

On average three million unique customers were protected a month, based on matching their requests to threat intelligence systems. Furthermore, an additional 450,000 unique customers were protected from in-line detection and protection of malware downloads.

Although 3% of the protected 15 million may seem like a relatively low percentage, there is no doubt that 450,000 unique infected customers a month would have a significant negative impact on the service. This would manifest as a rise in call center complaints, dissatisfaction voiced on social media, and ultimately service attrition.

The following list of arguments shows why users should not rely on DNS-based security:

DNS parental control is easy to bypass
IoT malware does not rely on DNS
DNS over HTTPS direct to Google bypasses the ISP’s DNS-based security
It is not relevant for IoT security and the connected home
It is not future proof

Unlike DNS-based security, inline, network-based security cannot be bypassed and despite the wide adoption of encryption, in-line anti-malware engines are still effective. The evidence points to an inline security solution being the best option to protect the mass market against the growing threat of cyberattacks.

Are you concerned about DNS insecurity? Allot’s HomeSecure or NetworkSecure can assist― Contact Allot.

*Both DNS-based and in-line systems employ threat intelligence feeds that frequently update a database of malicious domains in addition to web content categorization.

Market Intelligence: Knownsec 404 Lab Announces It Has Cracked the lucky Ransomware’s Encryption


Ransomware will undoubtedly make this year’s Top 10 list of cyber-security buzzwords again. Counting up its offences over the past two years, the charges are too many to list. Even China’s top internet companies get a headache at the mention of its ever-changing variants. At the beginning of December, as soon as the “WeChat ransomware” and “Alipay ransomware” began to spread, WeChat and Alipay hurried out statements disclaiming any connection. The year-end cyber-security white papers published by various countries also note that ransomware will remain a disaster area in 2019. Faced with ransomware arriving in waves like locusts, is retreat really the only option?

From WannaCry to the “WeChat ransomware”: why has ransomware become unstoppable?

Tracing the history of ransomware, the earliest example appeared in 1989 and was named the “AIDS Trojan”, implying that once infected, a machine was, like an AIDS patient, almost impossible to cure. Ransomware of this kind encrypts files, or goes further and threatens to expose the user’s private data, using malicious code to interfere with normal use of the computer, and paying the ransom is the only way to be rid of it. Kidnapping for ransom has always been a favoured tool of criminals, and in the online world ransomware has proved just as effective. Ultimately, though, ransomware of that era could only attack a single target computer, point to point, and did not cause widespread damage.



Ransomware truly ran rampant only in 2017, when a hacker group called “The Shadow Brokers” broke into the Equation Group, a hacking unit attributed to the US NSA, and published a large number of the group’s attack tools. Among them was a super weapon: the exploit tool EternalBlue, said to be capable of remotely compromising about 70% of Windows machines worldwide. EternalBlue is an exploit tool, suspected to have been developed by the US NSA, for several vulnerabilities (CVE-2017-0143 through CVE-2017-0148); it exploits a flaw in the Windows SMB protocol to execute code remotely and escalate to SYSTEM privileges.



How ransomware encryption works

With EternalBlue’s help, once one person carelessly opened a file or website carrying the ransomware, it would quickly infect their computer and then use EternalBlue to break into and infect every connected computer; this is how WannaCry erupted on such a scale. According to the statistics, within just a few days more than 100,000 computers in over 100 countries and regions were attacked and infected; in the end at least 300,000 users in at least 150 countries were hit, with losses of about US$8 billion and enormous social impact.

Apart from taking precautions, there is almost no cure for ransomware

After the large-scale outbreak, beyond advising users to back up their data, patch promptly and close the ports through which the malware spread, and helping users fix the EternalBlue system vulnerability, the world’s many security vendors have still not produced an effective way to break this ransomware. Once a host has been penetrated by ransomware, the only way to remove it is to reinstall the operating system, and the user’s important data files are almost impossible to recover.

Since then, a wide variety of ransomware families, including Genasom, Foreign, NotPetya and DoubleLocker, have taken the stage one after another, grinding users’ computers into the ground. What they have in common is that, beyond helping users patch the vulnerabilities that might exist, the security industry has remained powerless against the ransomware itself.



The Petya ransomware’s ransom screen

Is ransomware really invincible? Knownsec 404 Lab: not necessarily!

While ransomware was conquering territory everywhere, many security vendors and teams at home and abroad set about researching it. It is fair to say that whoever first cracks ransomware will win users’ enthusiastic support and a great reputation. Knownsec 404 Lab, which has repeatedly reported vulnerabilities to well-known vendors such as Microsoft, Apple, Adobe and BAT, has also been keeping a close eye on ransomware.

In the second half of 2018 a ransomware family called Satan was unusually active; it was updated several times and spawned variants that attacked some servers in China. On 1 December a ransomware named lucky spread widely; it encrypts specified files and changes their extension to .lucky.



The lucky ransomware’s ransom screen

Knownsec 404 Lab’s Lianyaohu honeypot system first captured traffic related to this ransomware on 10 November 2018, and as of 4 December 2018 its C&C server was still alive. Analysis shows that lucky is almost identical to Satan: the overall structure has not changed much and even the C&C server is the same. Satan had earlier shifted from profiting through ransom to profiting through mining; the new lucky version combines ransom and mining.



Overall structure of the lucky ransomware

After learning the details, Knownsec 404 Lab quickly followed up and analysed the ransomware. While analysing its encryption module, the lab unexpectedly found that a property of the pseudo-random numbers it uses allows the encryption key to be reconstructed; following that lead, it located the flaw in the ransomware and, after repeated verification, confirmed that the flaw lets users obtain the key directly. The lab then produced an overview analysis of lucky, focusing on the encryption flow and the key-recovery process.
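The article does not publish lucky’s key-derivation details, so what follows is a hypothetical illustration added here (not Knownsec 404 Lab’s analysis or decryption tool) of the class of flaw described: a toy ransomware routine seeds a pseudo-random generator with the current Unix time and takes its file key from that generator, and the recovery side brute-forces every seed in a window around the file’s modification time until the decrypted header matches the expected file magic. The cipher (a SHA-256 keystream XORed over the data), the sample file and the infection timestamp are all constructed for the example.

```python
import hashlib
import random

# Hypothetical scheme for illustration only; not lucky's actual key derivation.
KEY_BYTES = 16


def derive_key(seed):
    """Weak key derivation: a PRNG seeded with a 32-bit Unix timestamp has at most
    2**32 possible outputs, and only a few thousand once the infection time is
    known to within an hour. Seeding is deterministic, which is the whole flaw."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def keystream(key, n):
    """Toy stream cipher keystream: SHA-256(key || counter) blocks, truncated to n bytes."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def xor_crypt(key, data):
    """Encrypt or decrypt (XOR is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def encrypt_like_victim(plaintext, infection_time):
    """What the hypothetical malware does: seed from the clock, derive, encrypt."""
    return xor_crypt(derive_key(infection_time), plaintext)


def recover_key(ciphertext, known_prefix, approx_time, window):
    """Recovery: try every seed in [approx_time - window, approx_time + window] and
    return (seed, key) for the first one whose decryption reproduces the known
    file header; None if no seed in the window works."""
    head = ciphertext[:len(known_prefix)]
    for seed in range(approx_time - window, approx_time + window + 1):
        key = derive_key(seed)
        if xor_crypt(key, head) == known_prefix:
            return seed, key
    return None


# Constructed victim file (PDF magic gives the known plaintext) and a constructed
# infection time in early December 2018, expressed as Unix seconds.
SAMPLE_PLAINTEXT = b"%PDF-1.7\n% constructed sample document body\n"
VICTIM_TIME = 1544000000

if __name__ == "__main__":
    ct = encrypt_like_victim(SAMPLE_PLAINTEXT, VICTIM_TIME)
    # The defender knows the file's mtime only roughly and the header it must start with.
    found = recover_key(ct, b"%PDF-1.7", VICTIM_TIME + 1234, 3600)
    seed, key = found
    print("recovered seed:", seed, "key:", key.hex())
    print("plaintext restored:", xor_crypt(key, ct) == SAMPLE_PLAINTEXT)
```

The search is cheap because the seed space is tiny; a correctly built ransomware would draw its key from the operating system’s cryptographic random source, where no such window exists, which is why the advice later in the article to keep the machine running and the key possibly still in memory matters for families that get this right.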

Knownsec 404 Lab has turned the decryption method into a decryption tool and sent it to other vendors to help users decrypt lucky directly. Users unlucky enough to be infected can decrypt their files with the tools released by the various vendors, or contact Knownsec 404 Lab for assistance. The lab reminds users that ransomware is still rampant and vigilance is needed: although lucky has a flaw in its encryption stage, infection should still be avoided. Because lucky spreads by exploiting vulnerabilities in several applications, operations staff should patch their applications promptly and keep backups.

Sui Gang, deputy director of Knownsec 404 Lab, said that although all ransomware achieves extortion by encrypting files, each family uses a different encryption algorithm, so the encryption of other families remains to be broken. Still, breaking lucky is a pioneering start; the approach can now be summarised and applied to the encryption methods of other ransomware to tackle the problem of “ransomware has no cure”. On how ordinary users should respond, Sui said that ransomware is a complete program that generates its encryption key randomly, and the key may still be held in memory. Do not panic and restart the computer: rebooting clears any key that may be sitting in memory and makes further analysis to recover the ransomware’s key more difficult.

Alexa can now control your home security system


Amazon has been pushing Alexa skills to more developers lately. The company opened up the Alexa Mobile Accessory (AMA) Kit to all third-party device makers last month. Amazon has now opened up Alexa’s home security features to the whole developer community. This essentially means more alarm and security camera manufacturers can now add the digital assistant’s functions to their products.

Alexa comes to home security systems

Amazon recently released the Security Panel Controller API for Alexa to the public, allowing more companies on board. Manufacturers can now access the code required to let users control their devices with voice commands. The functionality, however, will initially be available in the US only. Certain models made by Abode, ADT, Honeywell, Ring and Scout are already leveraging it.



If you own a home security system from one of these companies, you can now control it through voice commands. To do so, you first need to download the relevant company’s skill from the Alexa app’s store. You can then arm, disarm, or check the status of your home security system by voice. While arming and monitoring your system by voice is convenient, disarming it by voice is another matter. Amazon is well aware of this security implication and rightly requires you to meet some extra conditions before disarming by voice is enabled.

First, you have to manually enable disarming by voice in the Alexa app or in your security system’s menus. Then, depending on your security system, you can choose your existing PIN or an Alexa-specific voice code to disarm the system. If your system lets you, choosing the latter could be better than shouting your PIN code to everyone within earshot.

While voice control of your home security system may have security implications, Amazon believes its user-specific voice recognition technology is secure enough. But do you trust the company enough to use the feature? Tell us in the comments below.

Twitter warned of phone country code data leak two years ago but did nothing, ...


A security researcher found a bug in Twitter’s support form two years ago that exposed the country codes of phone numbers attached to users’ accounts. At the time, his bug report was closed because it did “not appear to present a significant security risk.”

Twitter now says that the bug may have been abused by nation state actors.

“We have become aware of an issue related to one of our support forms, which is used by account holders to contact Twitter about issues with their account,” said Twitter in its disclosure . “This could be used to discover the country code of people’s phone numbers if they had one associated with their Twitter account, as well as whether or not their account had been locked by Twitter.”

Peerzada Fawaz Ahmad Qureshi reported the bug through HackerOne, which hosts Twitter’s bug reporting program, in the hope of a fix and a bounty payout, but the report was marked as “informative” and no action was taken.

Qureshi shared his bug report with TechCrunch after learning of Monday’s disclosure, in which he described how it was “possible to map out whether a mobile number is attached to a Twitter account including the country where the mobile number is registered by identifying the country code.”

The bug report detailed how anyone could obtain the country code of a phone number from anyone’s account by running through the site’s password reset process. By selecting “I don’t have access” to an email address associated with an account, the form would change and would allow a user to enter a phone number instead. But, when that page loaded, it would automatically select the account holder’s country code by default.

Although only the country code was leaked, some say it would be enough to identify which country an account holder lives ― which could be dangerous in regions where freedom of speech and expression is restricted.

But after the bug was triaged, it was determined that “while this may or may not be ideal behavior, we don’t consider the disclosure of a user’s country code to be sensitive information at this time.”

Little did the company know that the bug could have been later exploited by running a “large number of inquiries” in one go, as Twitter said in its Monday disclosure.

It’s still not known exactly how the form was abused to allow the mass scraping of account-specific country codes. When reached, a Twitter spokesperson said that the bug was caused by an API that only supported the webform, and was not a developer API ― but declined to comment further when pressed on specifics of Qureshi’s report. Qureshi said it was possible that the webform’s API wasn’t rate limited ― allowing someone “to enumerate users who had a mobile number linked” to their account, he said ― but could not confirm as he did not test the limits of the API.

When checked on Tuesday, the webform no longer displays a user’s country code by default ― effectively nixing the bug.

Twitter said that it discovered the bug on November 15 ― a little over a month ago ― and fixed it a day later, and suggested ― without providing evidence ― that the data may have been scraped from IP addresses associated with China and Saudi Arabia. The company didn’t say how many users were affected by the bug, but said it was “sorry this happened.”

Twitter’s latest apology comes months after it revealed it may have exposed some user direct messages to third parties, amid a wave of security issues to plague Silicon Valley tech giants this year.

Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755 8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Virtustream Launches Industry-Leading Cloud Automation and Security Capabilities ...


Virtustream Enterprise Cloud enhancements accelerate time-to-value for enterprises moving mission critical apps to the cloud

LONDON, UK, Tuesday 18 December 2018: Virtustream, an enterprise-class cloud company and a Dell Technologies business, today announced a major upgrade to Virtustream Enterprise Cloud that includes significant cloud automation and security enhancements, which give enterprises the unprecedented ability to automate key tasks while maintaining security levels, a multi-part process that previously required manual oversight. This technology evolution builds on Virtustream’s expertise in delivering highly scalable, secure and high-performance cloud services for mission critical enterprise applications.

The enhancements also feature a foundationally new version of the xStream cloud management software platform including an enhanced architecture and application programming interface (API), in addition to the ability to address many of the specific challenges presented when migrating and managing enterprise applications in the cloud.

“Enterprise applications and workloads require special handling and care,” said Deepak Patil, SVP, Product and Technology, Virtustream. “Historically, enterprise cloud customers had constraints that precluded them from flexibility and conveniences― such as quick provisioning―that are leveraged by cloud consumers with less complex use cases. This was primarily due to concerns about security, backups, monitoring and other issues. Virtustream’s new enhancements simplify and automate the most complex actions delivering immediate value to customers.”

This new upgrade extends automation deeper into previously manual cloud migration and management processes without compromising security or requiring onerous coordination of related operations. The new Virtustream Enterprise Cloud enhancements include the following capabilities:

Cloud Management : Enhanced cloud management capabilities deliver increased levels of integration through APIs and automation from infrastructure to platform services, reducing time-to-cloud for historically difficult-to-migrate applications. These enhancements allow enterprise customers to self-provision virtual machines (VMs) with host-based, automated configuration of security services, including anti-malware, intrusion detection and file-integrity monitoring, as well as automated coordination of backup and monitoring, in minutes.

This cloud management not only shaves significant time off of the normal process for configuring VMs in an enterprise context, but also reduces the possibility of manual errors during configuration. Additionally, customers can now create, manage and report on VM profiles that pre-define VM parameters, making the self-provisioning process even faster.

Application Automation : With these upgrades, Virtustream is driving automation capabilities into the application layer. These capabilities include APIs, tools and application specific automation tasks designed to reduce operational processes, reduce the total cost of ownership, and dramatically improve the agility and flexibility of applications running in Virtustream Enterprise Cloud.

For example, with this new release, customers running SAP applications in Virtustream Enterprise Cloud can now automate start/stop operations in the applications within minutes through a self-service portal with automated coordination of the adjacent processes such as monitoring suppression/enablement, backup disabling/enabling and security vulnerability scanning. This allows Virtustream customers the ability to optimise costs by automatically shutting down applications during weekends and maintenance periods without creating custom tooling or management scripts.

Expanded Reporting, Manageability and Visibility : Also in this release, Virtustream Enterprise Cloud’s self-service management portal offers important new features that provide customers tools for viewing application resource consumption and the ability to group and categorise applications for improved billing transparency. Virtustream helps customers to optimise their usage and create cost efficiencies through its industry-leading MicroVM technology, which provides the ability to avoid the use of pre-sized instances and achieve cost savings through a combination of aggregation and pay-as-you-go, usage-based billing.

In addition to these enhancements, Virtustream Enterprise Cloud, a VMware Cloud Verified service, will leverage the power of the latest Dell Technologies portfolio through the use of VMware’s hybrid cloud technologies and the latest Dell Technologies infrastructure.

“Enterprises no longer need to be held back by mission critical workloads,” said Patil. “There is a place to move them using new cloud operating models that compress processes and provide automation and efficiencies that clear space for new innovations, capabilities and businesses. As a long-standing industry expert in moving mission critical applications to the cloud, Virtustream understands the pressure that enterprise IT leaders are under and is designing solutions that will not only solve these pain points, but also will substantively improve time-to-value for cloud projects and empower our customers to confidently embrace the future.”

About Virtustream

Virtustream, a Dell Technologies business, is the enterprise-class cloud company that is trusted by organisations worldwide to migrate and run their mission-critical applications in the cloud. For enterprises, service providers and government agencies, Virtustream’s xStream Management Platform and Infrastructure-as-a-Service (IaaS) meet the security, compliance, performance, efficiency and consumption-based billing requirements of complex production applications in the cloud, whether private, public or hybrid.

*Virtustream and xStream are trademarks or registered trademarks of Virtustream, Inc. in the United States or in other countries. All other trademarks used are the property of the respective owners.

Media Contacts:

Imtiaz Mufti

C8 Consulting

imtiaz@c8consulting.co.uk +44(0)1189 49 7738


2018!


2018 was a transformational year for serverless and cloud native applications. I do believe that this is the year that will be remembered as the one that marked the shift of “serverless” from a cool technology buzzword to the ‘go to’ cloud app architecture.


This month, Frost & Sullivan announced that Protego was awarded the Serverless Security New Product Innovation Award for 2018. This is another milestone, not only for us as a player in this space, but for the space itself.

To put the milestone in context, it’s not just that one of the world’s most respected analysts has highlighted what we’re doing for serverless security. It’s not even the fact that Frost & Sullivan have a serverless security category (though that is huge).

The thing that puts the exclamation point on 2018 for us is being on the same list as awesome companies like Zoom, Slack, and Intel. So, I thought I’d take the exclamation point as an opportunity to revisit our 2018 journeys―the journey of a small cloud native security start-up and the journeys of serverless and cloud native computing.

January

We spent January frantically trying to get all our product ducks in a row. Fresh off of our first re:Invent experience, and with the holidays behind us, we had a long list of design partners asking when they could touch the product. They’d seen enough of our demos and wanted to get in the driver’s seat. When designing our product we made a difficult choice. While it would have been far easier to just roll out posture security or serverless application defense, we chose to try and simultaneously solve all the key pieces of serverless security.

We chose, instead, to try and make Protego a one-stop-shop for serverless, and while I stand by that decision, it put a lot of pressure on us to deliver something so comprehensive, while some of our competitors focused on only one or two key features. Suffice to say, we didn’t sleep a whole lot in January. By the end of February, however, we were able to start putting the full picture in front of customers and it felt both to us and to them like it was worth the wait and the effort.



Protego Co-Founders Tsion (TJ) Gonen and Hillel Solow accept the Most Innovative Cyber Initiative Award at The Cybertech Conference in January

March

March was something of a turning point for us. Part of it was that we actually had people using the product, some even on production applications (yikes!). At the same time, there was a more fundamental shift going on in Protego. As we started to interact with and protect real-world applications, we began to understand how much more powerful the notion of security posture was in this new world. Initially, we felt that Protego Proact, our cloud-native code-driven security posture tool, would be the thing that drew customers in, but that the real prevention of attacks was in Protego Defend. What we learned was that, while there is no substitute for inline runtime defense, Proact was able to melt away huge parts of the attack surface by automating least privilege and risk minimization.

Unfortunately, what that meant for us was that while we needed to keep up all the WAF- and RASP-replacing defense stuff we were so proud of, we also needed to double down on maximizing what Proact could do. We needed to fully support all the languages people were using. We needed to squeeze out every last drop of misconfiguration, without being overzealous and breaking the application. So, we didn’t sleep much in April or May either.



Some of the Protego team at the office… apparently caught on an unusually well-rested day.

July

Looking back, I’d say July was when a few changes in the ecosystem began to accelerate. First, there was a clear shift in people we were engaged with from “I just want to learn about serverless,” to “I actually have something real going on and I need a solution.” While serverless and cloud native are still in their toddler years and most organizations are still just starting on their journey, the middle of 2018 seems to be when things started to “get real” for those that made the move earlier.

The other shift was about cloud providers. AWS is still the dominant force in serverless, and most of what is already out there is on their platform. But for various reasons, over the past 5 to 6 months there has been something of a shift in attitude, and many more customers are asking us when we’re rolling out general availability on Azure and, especially, on Google Cloud. Maybe it’s just because I was at Cloud Next when Functions came out of Beta, but something felt like it had clicked with the other cloud providers this past summer.



A few members of the Protego team escaped the office to enjoy the sunshine in Jerusalem.

September

Announcing General Availability (GA) was in some ways inexplicably gratifying, and in other ways wholly underwhelming. On the one hand, it felt great to have the product at the point where we were both able and proud to let people just sign up and start using it. On the other hand, we already had quite a few people using it, and the day after GA-day seemed a lot like all the other days.

Well, in some ways. The day after was when we got to start tackling all the new challenges we had put off until September, like supporting additional cloud providers, adding the ability to enforce security posture in CI/CD, and the many other goodies that are now rolling out.

November
re:Invent at the end of November was exhilarating and sobering. It is hard to imagine how much we’d accomplished since roaming the halls of the Venetian last year, hard to fathom how much more we can still build and create, and hard to even keep up with the pace of announcements that impact us and our customers. However, when Werner Vogels mentioned Protego in his re:Invent keynote as one of the companies that had been working closely with AWS, you can’t help but do a little dance in your head. Then you get back to work.

December

Now we’ve received the Frost & Sullivan 2018 Global New Product Innovation Award. This is one of Frost & Sullivan’s Excellence in Best Practices Awards, which are presented annually to companies that are predicted to encourage significant growth in their industries, have identified emerging trends before they became a marketplace standard, and have created advanced technologies that will catalyze and transform industries.

“Protego Labs’ platform was designed specifically for the unique challenges of serverless security. It’s backed by continuous research, offers a holistic approach, was born in the cloud, provides automation dividends, and is feeding the pace of serverless adoption,” said Michael Suby, vice president of research at Frost & Sullivan. “It is for these reasons that Protego has earned our new product innovation award in serverless security.”

2019!

2018 was the year that serverless graduated from an idea that might revolutionize cloud software and became an undeniable, full-fledged paradigm shift. 2019 will continue this dizzying pace of innovation in the serverless space. The combination of people and technology rallying around redefining cloud software and the maturity of the ecosystem will lead to 2019 being the year of ‘Serverless First.’

The Innovation Award from Frost & Sullivan is a very welcome recognition for how far Protego has come this year, but it is also recognition of how far the serverless and cloud native industry has come. I am proud to be part of both of those journeys.

The post 2018! appeared first on Protego .


*** This is a Security Bloggers Network syndicated blog from Blog Protego authored byHillel Solow. Read the original post at: https://www.protego.io/2018-2/

Behind the hacker attack on an EOS betting game: Block.one quietly ships an update


On 5 December, Fastwin, a newly launched EOS betting game, was attacked by a hacker. The situational-awareness platform of blockchain security firm PeckShield captured the attack and was the first to publish a security bulletin on it. The data show that between 03:18 and 04:15 that morning, the attacker (ha4tsojigyge) launched 124 attacks against the Fastwin game contract (fastwindice3), gaining a total of 1,929.17 EOS. PeckShield analysts found that the attacker exploited a flaw in how the Fastwin contract validated the caller of the contract, which allowed an “inline reflection (inlineReflex)” attack to succeed.

According to PeckShield’s earlier report, “A Brief Analysis of DApp Ecosystem Security”, more than 27 EOS DApp security incidents had occurred by the end of November, concentrated on fake-EOS attacks, random-number problems and similar methods, and the attacks keep escalating and evolving. Behind this seemingly small incident, however, lies a new type of vulnerability that is potentially more harmful than the earlier ones: the official EOSIO system did not check permissions when a contract called its own functions.



(Figure 1: PeckShield’s e-mail exchange with Block.one)

PeckShield considers this a very serious vulnerability and notified the Block.one team immediately (CVE-2018-20163). Block.one accepted the report and told us that other research teams had independently reported the issue beforehand. On Thursday (13 December) Block.one released an emergency patch as a stopgap defence, and the following day it published versions 1.5.1 and 1.4.5 that complete the fix, preventing further attacks and the asset losses they could have caused.

How the “inline reflection (inlineReflex)” attack works

The normal transfer flow is shown in the figure: the player calls the system contract (eosio.token) to transfer EOS to the game contract, which triggers the game contract’s dispatch logic (apply), which in turn calls the relevant function to settle the bet.



(Figure 2: normal transfer flow of a betting game)

In this incident the attacker (ha4tsojigyge) deployed, under their own account, a contract containing the same action functions as the game contract, and once the transfer completed, settled the bet themselves to collect the payout. As shown in the figure:



(Figure 3: the attacker inline-calls their own contract to settle the bet)

As the figure shows, inside a function of their own contract (pushck) the attacker made an inline call to a function bearing the same name as the game contract’s settlement function (check), and then delivered the information to the game contract by way of a notification (require_recipient). The game contract’s dispatch logic (apply) did not filter out this notification and called the settlement function (check).

In short, the attacker exploited the EOSIO system’s failure to check permissions when a contract calls its own functions, issuing an inline call under the authority of the game contract’s account (fastwindice3). This bypassed the caller-permission check (require_auth) that the game contract performs in its sensitive functions, and so the attacker obtained the rewards paid out by the game contract.

Remediation

From the analysis above, the contract actually invoked in the attacker’s notification is the attacker’s contract (ha4tsojigyge), not the game contract (fastwindice3), so it suffices to filter such notifications out in the game contract’s dispatch logic (apply). The system-defined macros (EOSIO_ABI or EOSIO_DISPATCH, Figure 4) show that the stock dispatch logic already handles this case. PeckShield therefore reminds developers who write their own dispatch logic to pay particular attention to the source of each call.



(Figure 4: the system’s EOSIO_DISPATCH code)

It should be stressed that this is a significant vulnerability at the EOS public-chain layer: in an inline call an attacker could execute under the forged authority of any account. The fix may, however, cause compatibility problems for some developers: when a contract inline-calls a function and the actor account is not the contract’s own, the entire transaction now fails. To resolve such compatibility problems, grant the contract the eosio.code permission of the actor account.
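To make the remediation concrete, here is an added example (not PeckShield’s or EOSIO’s code) written as a stand-alone C++ model of a contract dispatcher. It is not the real EOSIO API: the `Action` fields and the two `apply_*` functions are constructed to mirror the `receiver`/`code` distinction the article describes, and the account names `fastwindice3`, `ha4tsojigyge` and `eosio.token` are taken from the article. The vulnerable dispatcher routes any action by name; the hardened one applies the check the stock EOSIO_DISPATCH macro performs, dispatching the contract’s own actions only when `code == receiver` and accepting the transfer notification only when it originates from `eosio.token`.

```cpp
// Added example, not the article's or EOSIO's code: a model of contract
// dispatch showing why a custom apply() must check where a call came from.
#include <iostream>
#include <string>
#include <utility>
#include <vector>

struct Action {
    std::string receiver;  // account whose code is executing (EOSIO `receiver`)
    std::string code;      // account that originated the action (EOSIO `code`)
    std::string name;      // action name, e.g. "transfer" or "check"
    std::string actor;     // authority the action claims to carry
};

// Stand-in for the game contract: a transfer records a bet, `check` pays out.
class GameContract {
public:
    explicit GameContract(std::string self) : self_(std::move(self)) {}
    void on_transfer(const Action& a) { (void)a; ++bets_; }
    // `check` assumes it can only be reached through the contract's own
    // dispatch logic, which is exactly the assumption the attack abused.
    void check(const Action& a) { (void)a; ++payouts_; }
    int bets() const { return bets_; }
    int payouts() const { return payouts_; }
    const std::string& self() const { return self_; }
private:
    std::string self_;
    int bets_ = 0;
    int payouts_ = 0;
};

// Vulnerable custom dispatcher: routes by action name only, regardless of
// which contract originated the action (the pattern described above).
bool apply_vulnerable(GameContract& g, const Action& a) {
    if (a.name == "transfer") { g.on_transfer(a); return true; }
    if (a.name == "check")    { g.check(a);       return true; }
    return false;
}

// Hardened dispatcher, modelled on the stock EOSIO_DISPATCH check:
// own actions only when code == receiver, the transfer notification only
// when it comes from eosio.token; everything else is dropped.
bool apply_hardened(GameContract& g, const Action& a) {
    if (a.name == "transfer" && a.code == "eosio.token") {
        g.on_transfer(a);
        return true;
    }
    if (a.code == a.receiver && a.receiver == g.self() && a.name == "check") {
        g.check(a);
        return true;
    }
    return false;  // a "check" reflected from another contract lands here
}

// Replays a constructed sequence against either dispatcher and returns the
// number of payouts: a player's transfer, the game's own inline check, and
// a notification from the attacker's contract carrying a same-named check.
int payouts_with(bool (*apply)(GameContract&, const Action&)) {
    GameContract game("fastwindice3");
    const std::vector<Action> seq = {
        {"fastwindice3", "eosio.token",  "transfer", "player"},
        {"fastwindice3", "fastwindice3", "check",    "fastwindice3"},
        {"fastwindice3", "ha4tsojigyge", "check",    "fastwindice3"},
    };
    for (const auto& a : seq) apply(game, a);
    return game.payouts();
}

int main() {
    std::cout << "vulnerable dispatcher payouts: " << payouts_with(apply_vulnerable) << '\n';
    std::cout << "hardened dispatcher payouts:   " << payouts_with(apply_hardened) << '\n';
    return 0;
}
```

With the vulnerable dispatcher both `check` actions pay out; with the hardened one only the game’s own inline call does, while the legitimate `eosio.token` transfer is still recorded.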

Indegy Publishes Industrial Cyber Security Predictions for 2019

We Can Expect New Attack Sources, Techniques and Protection Responses from Operators

NEW YORK (BUSINESS WIRE) #ICS Indegy, a leader in industrial cyber security, today announced it has published its ICS security predictions for 2019 on threats facing critical infrastructure, energy providers and utilities, manufacturing and more, in a new blog post here.



“In many ways, 2018 represented the coming of age for industrial cyber security. The old adage that operational technology networks are isolated from threats by an air gap was recognized for what it is, a fallacy in an era of interconnectedness and IIoT technologies,” said Mille Gandelsman, CTO of Indegy. “Over the next 12 months, we can expect both adversaries and their methods to evolve. On the plus side, we can expect both operators and the security industry to make new OT-specific advances in protection techniques.”

Summary of 2019 Predictions

Some of the highlights covered in Indegy’s 2019 industrial cyber security predictions blog include:

- Lone wolf and non-nation-state adversaries will emerge, as the barrier for launching operational technology attacks will drop and open the door to the general hacking community
- Expect multi-pronged attacks that target several locations simultaneously or in close succession
- Operators will extend passive security monitoring with decades-old IT security techniques of active querying for deeper visibility into threats than simply listening to network traffic
- Threat intelligence sharing initiatives commonly used in IT security will emerge for operational technologies and environments
- New ICS-specific security standards, best practices and playbooks will be introduced

About Indegy

Indegy, a leader in industrial cyber security, protects industrial control system (ICS) networks from cyber threats, malicious insiders and human error. The Indegy arms security and operations teams with full visibility, security and control of ICS activity and threats by combining hybrid, policy-based monitoring and network anomaly detection with unique device integrity checks. Indegy solutions are installed in manufacturing, pharmaceutical, energy, water and other industrial organizations around the world.

For more information visit www.indegy.com and follow us on Twitter and LinkedIn.

Contacts

Marc Gendron

Marc Gendron PR for Indegy

781-237-0341

marc@mgpr.net

BrandPost: Securing the Industrial Internet of Things in OT Networks


In many organizations, traditional IT and critical Operational Technology (OT) networks are being merged to take advantage of the speed and efficiency of today’s digital marketplace. Typical OT networks are comprised of switches, monitors, sensors, valves, and manufacturing devices managed by an industrial control system (ICS) through remote terminal units (RTUs) and programmable logic controllers (PLCs) over a serial or IP connection. Since these systems manage sensitive and sometimes dangerous environments, they demand safe and continuous operation. To achieve that, they have traditionally tended to be air-gapped from the IT network to avoid the sorts of intermittent network or device crashes that IT systems can tolerate.

These systems are built upon high-value OT assets that can range into the billions of dollars. A system crash on a manufacturing floor can stall production for hours and potentially ruin millions of dollars in materials. Even worse, having to reset an open furnace or a 10,000-gallon boiler processing caustic chemicals can have far more devastating consequences than temporarily losing access to an online printer.

Since the primary goals of an OT environment are the safety of employees and local communities, while ensuring the constant availability and uptime of the network, its connected devices, applications, and operating systems are rarely updated. In fact, because these systems can operate for 30 to 40 years in their OT environments, they depend on dated configurations that remain unpatched. And because patching and updating devices can require shutting down entire systems, most OT managers follow the “if it isn’t broken, don’t fix it” rule. As a result, many older OT systems are notoriously vulnerable to malware and other threats that IT networks are naturally protected against. Complicating the problem further, many of the devices and systems installed in an OT network are also notoriously fragile. Even processes as benign as active device scanning can cause them to fail.

Digital transformation is impacting the security of OT environments

The challenge is that today’s digital marketplace requires organizations to respond faster to consumer demands than traditional OT processes can deliver. The addition of modern Industrial IoT (IIoT) devices to OT networks enables organizations to automate what were traditionally static, and mostly manual OT processes, as well as create smart physical environments such as office buildings, manufacturing floors, inventory warehouses, or physical plants. Effectively competing in the digital economy also requires integrating things like real-time data collection and analysis and remote management tools into OT networks to realize greater efficiency.

Beyond the need for an efficient and timely response, an additional challenge is surfacing as a result of digital transformation. System complexity brought about through the amalgamation of OT technology is raising the stakes, and the complexity of security integration, even higher. In smart buildings, for example, there exists a system of systems running simultaneously, including electrical grids, communications, security systems such as badge readers and access controls, fire protection, HVAC systems, and elevators. To manage these IIoT, OT, and IT systems centrally, they are increasingly being merged into a single control system. And in an environment where OT teams are managing multiple buildings simultaneously, this may also entail enabling remote management through a cloud-based platform.

Bolt-on security is not an option

Of course, given what we know about most OT environments, the implications of digital transformation and convergence from a security perspective are self-evident. As a result, a more systematic solutions approach is essential to solving modern OT security challenges. Attempts to address risk by simply deploying off-the-shelf firewalls, sandboxes, and IPS systems into OT environments present an unacceptable, disruptive, and uncertain outcome. Security tools need to be purpose-built to understand the sorts of protocols, communications, and services that have been deployed to preserve safety and availability while implementing OT security.

Instead, organizations need to start by designing security into the OT environment at the highest level to address the bigger picture that provides the absolutes of availability, safety, and security without having to bolt security onto the network as an afterthought. Lacking an architected and integrated strategy, security can quickly scale out of proportion if you try to secure and manage each of these systems separately. As an example, in building automation systems an integrated, segmented, and layered approach enables security to extend beyond merely locking down the HVAC system, to delivering real-time analytics and control that ensures integrity while safeguarding other systems such as fire suppression.

Visibility, control, and zero trust

This journey towards securing modern OT environments is begun by establishing continuous visibility. Network access control solutions can help with inventorying and managing IIoT devices, including keeping track of every connected device on your network, even as devices join or leave or move from one location to another. But control in the OT environment also entails baselining normal traffic and predefining approved functions that yield recognition and real-time response to any behavior that is out of scope. Fortunately, device behaviors within an OT environment tend to be static and predictable, so anomalous behaviors are more likely to be immediately apparent and identified.
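The baselining step described above can be illustrated with an added example (not Fortinet’s code): a stand-alone C++ program that learns an allowlist of device conversations from a learning window and flags anything outside it in a later detection window. The log format (`src,dst,proto,function`), the device names and the Modbus function names are constructed for this illustration; a real deployment would derive the same tuples from passive capture.

```cpp
// Added example, not from the original article: allowlist baselining of OT
// conversations. Log lines and device names below are constructed.
#include <iostream>
#include <set>
#include <sstream>
#include <string>
#include <tuple>
#include <vector>

// One observed conversation: source, destination, protocol, function.
using Conversation = std::tuple<std::string, std::string, std::string, std::string>;

// Parses a constructed "src,dst,proto,function" line; false if malformed.
bool parse_line(const std::string& line, Conversation& out) {
    std::stringstream ss(line);
    std::string f[4];
    for (int i = 0; i < 4; ++i) {
        if (!std::getline(ss, f[i], ',') || f[i].empty()) return false;
    }
    out = std::make_tuple(f[0], f[1], f[2], f[3]);
    return true;
}

// Learns the baseline: every distinct conversation seen while learning.
// OT traffic is static enough that this set stabilises quickly.
std::set<Conversation> learn_baseline(const std::vector<std::string>& lines) {
    std::set<Conversation> base;
    Conversation c;
    for (const auto& l : lines) {
        if (parse_line(l, c)) base.insert(c);
    }
    return base;
}

// Returns every detection-window line that is outside the baseline.
// Malformed lines are reported too: an unparseable record is itself out of scope.
std::vector<std::string> detect_anomalies(const std::set<Conversation>& base,
                                          const std::vector<std::string>& lines) {
    std::vector<std::string> hits;
    Conversation c;
    for (const auto& l : lines) {
        if (!parse_line(l, c) || base.count(c) == 0) hits.push_back(l);
    }
    return hits;
}

// Constructed learning window: the HMI and historian only poll PLCs with reads.
const std::vector<std::string> kLearning = {
    "hmi-01,plc-01,modbus,read_holding_registers",
    "hmi-01,plc-02,modbus,read_holding_registers",
    "hmi-01,plc-01,modbus,read_coils",
    "hist-01,plc-01,modbus,read_holding_registers",
};

// Constructed detection window: a normal poll, then an unknown laptop
// writing to a PLC, then the HMI issuing a write it never issued before.
const std::vector<std::string> kDetection = {
    "hmi-01,plc-01,modbus,read_holding_registers",
    "laptop-eng,plc-02,modbus,write_single_register",
    "hmi-01,plc-02,modbus,write_multiple_coils",
};

int anomaly_count() {
    return static_cast<int>(detect_anomalies(learn_baseline(kLearning), kDetection).size());
}

std::string first_anomaly() {
    auto hits = detect_anomalies(learn_baseline(kLearning), kDetection);
    return hits.empty() ? std::string() : hits.front();
}

int main() {
    for (const auto& h : detect_anomalies(learn_baseline(kLearning), kDetection)) {
        std::cout << "out of scope: " << h << '\n';
    }
    return 0;
}
```

Both flagged lines are exactly the cases the text is concerned with: a device that never spoke before, and a known device using a function it was never baselined for. The same tuple set is also the natural input for the segmentation policy discussed later, since it names which conversations a zone should permit at all.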

In today's converged OT workplace, there’s also a deafening level of trust afforded both to the individual and to untrusted devices. Such implicit trust is why in many OT networks it's entirely possible for an engineer to be able to control any PLC in the network from a single laptop. Likewise, when environment access is granted to accomplish maintenance through wired or wireless access, complete system access via an uncontrolled laptop is not uncommon. This is why securing your OT environment requires organisations to migrate away from implied trust towards a zero trust model.

Imagine one of your engineers, Ron, has been sitting at an HMI workstation managing the same line for 15 years. He's never given you any cause for concern, so you trust him implicitly. The advent of convergence, however, presents new severe OT risk, and what worked historically is now being replaced with systems that are suddenly interconnected and highly vulnerable devices that can be compromised remotely.

Part of the challenge is changing your paradigm. It often helps to start by assuming that your system has already been compromised. Visualizing the presence of malware, unmitigated access, and the ability of a threat actor to elevate privilege enables OT security teams to implement a more proactive approach to identifying and neutralizing access to critical and highly valued OT assets. This approach also enables establishing processes for at-speed recognition of actions that are beyond the scope of normal.

Finally, organizations need to shift from a reactive to a proactive security posture, allowing them to securely integrate their OT processes while extending protection far beyond those available with present day system defenses. Zero trust goes beyond merely changing policies and procedures, and requires engineering security directly into the environment to enable proactive security.

This requires implementing technical strategies such as segmentation and multi-factor authentication to mitigate the access control risk. For example, when a user or device is authorized into a specific subsection of the OT network at layer two of the Purdue model, they are limited to functioning properly within that restricted network zone. Likewise, all activity beyond the immediate authorized domain would require authenticated approval, thereby precluding an ability to impact the OT infrastructure both vertically and horizontally.

Summing up

The integration of IIoT devices into OT networks is inevitable for any organization looking to remain competitive in today’s digital economy. The challenge is to implement security without compromising availability or safety. Due to the very converged disposition of modern OT networks, this requires:

- Implementing purpose-built security devices designed for OT environments to protect the network from IT, the cloud, and the Internet
- Establishing continuous visibility into devices and their behaviors with a combination of NAC (Network Access Control) and behavioral analytics
- Moving towards a zero-trust security model built around the exercise of considering that you may already be compromised
- Implementing basic controls such as two-factor authentication and segmentation to isolate critical functions, which will limit system exposure in the event of a compromise.

Of course, these are just the first stepping stones to bridge the security challenges facing OT environments. With these foundational elements in place, organizations can continue to build a resilient and scalable security strategy that can grow and adapt as their OT environment continues to evolve.

Access or download the full “Independent Study Pinpoints Significant SCADA/ICS Cybersecurity Risks”

Read more about the unique challenges of securing operational technology systems and how Fortinet can help.

Read more about Fortinet’s leadership in OT security expanded with new additions to its Fabric-Ready partner ecosystem.

Red Team Assessment Phases: Reporting


Reporting is the final and potentially most important phase of a red team assessment. The goal of a red team assessment is to provide the client with a comprehensive view of their security and the ability to act to correct any identified issues. Any part of the assessment that the client can’t understand and act upon based on the report might as well not have happened, so it benefits everyone if the team puts in the time and effort to develop a clear and comprehensive report of the assessment.

Scoping the Phase

The goal of the reporting phase of a red team assessment is to convey the crucial information discovered during the course of the assessment to the customer. In this phase, the red team needs to be able to distill all of the data collected throughout the course of the exercise into the essential information that the customer needs to have, and convey it in a way which is valuable both to non-technical executives and to the technical security team.

Achieving Phase Goals

The reporting phase of an assessment should end with the client being presented with a report that covers any and all information that they need to know regarding the assessment. To reach this point, the red team needs to identify what information is essential or not, organize it into a consumable format for the customer and write the report in a way that brings value to the client and encourages a healthy working relationship.

Identifying Important Information

The first step in the reporting stage of a red team assessment is identifying what does and does not need to be included in the report. This varies from assessment to assessment based on the needs and wishes of the client, but a few pieces of information are always good to include in the text of the report.

The first of these is any vulnerabilities identified in the course of the assessment. The reason that the client is paying the red team is to identify vulnerabilities that they need to address in their network’s defenses. The red team should have comprehensive notes on how each vulnerability was detected and how it can be exploited so that the client can verify the vulnerability and test potential remediations.

The second is a complete record of the red team’s operations on the system. With many members of the team, several operations may be running in parallel, but taking the time to organize the results and put together a timeline of the attack is helpful both to the team in crafting their report and to the client in understanding the attack as a whole and performing a retrospective look at their systems, logs and reports to identify any indicators of the attack that they may have potentially missed while the assessment was going on.

Organizing the Report

The contents and details of the report structure may vary from assessment to assessment. However, most reports will include an executive summary and a detailed description of the assessment, plus appendices and attachments. Knowing what to put where helps a red team not waste their clients’ time and demonstrates the professionalism of the services provided. Offensive Security provides a good sample report showing how this information should be laid out.

Executive Summary

Not everyone is going to have the time, interest or background to read and comprehend a complete report from an assessment. Since ultimately management is the one footing the bill for an assessment, the red team should include a summary of the assessment and its findings that justify the assessment and can easily be fit into an executive’s busy schedule.

This section should generally outline what the assessment covered, any identified vulnerabilities and a ranking of the significance of various findings. Since the main consumers of this section of the report will probably not have a technical background, the section should contain enough analysis that a reader can get a feel for the current state of their network, understand the major findings and their significance, and not be overwhelmed by technical detail or length of the section.

Detailed Descriptions

The main body of the assessment report should be a detailed description of the actions taken by the red team, their results and the impacts of the findings on the security of the client’s physical and network security. In this part of the report, the goal is to provide a comprehensive view of the actions taken during the assessment, so the author can assume that the audience has a technical background if not specifically a cybersecurity background.

This section should contain sufficient detail to support the narrative without drowning the reader in trivia. For example, the main report can contain a mid-level description of an attack and the significant results, with full detail being provided in attachments and appendices. When reporting the results of the assessment, red teams need to walk a fine line between providing insufficient information and reducing the reader to skimming the report for key points.

Attachments and Appendices

The attachments and appendices section of the report are where the red team should place any information that is important for the client but not essential for understanding the assessment narrative and the findings of the assessment.

One thing that is extremely useful to the client is example code for exploiting any vulnerabilities detected by the red team. While it’s not the job of the red team to implement solutions to an organization’s security issues, someone will eventually have to do so. Having sample code that exploits the holes that they need to patch both enables the security team to understand the vulnerability and provides them with a means for testing the effectiveness of potential remediations.

Another thing worth including as an attachment to a report is a complete log of the red team’s operations on the target network. Hopefully, nothing will go wrong during the assessment, but if it did, being able to prove that it was not the fault of the red team or covered by the red team assessment agreement can save a lot of legal trouble. Also, if the red team did anything to cover their tracks, the security team or system administrator may want unadulterated logs to provide them with a complete view of what actually occurred on their systems.


Writing the Report

If the red team has collected all of the appropriate information throughout the course of their assessment, then writing the report should not be very difficult. However, there are a few things to keep in mind when writing the report that could make clients become repeat customers.

Firstly, the client hired the red team to understand the weaknesses of their network (and possibly physical) security solutions. All content within the report should be factual and not contain any opinions of the red team members. In many cases, red teams learn the “what” rather than the “why,” and misinterpretation and theorizing can potentially cause serious damage to the relationship between the client and the team.

Another thing to keep in mind is that the customer hired the team hoping to get a clean bill of health. While this may not be the case, including some kudos or compliments to the organization’s employees and security team (where appropriate) doesn’t hurt the red team but can really help the organization’s pride and help them swallow the bad news. Unless necessary, an assessment report shouldn’t name names and it should never read like the exploits of James

Best practices for implementing a successful BYOD programme


Mobile phone usage is still on the rise, with the global number of users expected to surpass 5 billion in the coming year.

Throughout Southeast Asia, mobile phone users make up 90% of all internet users and on average, people in the region spend longer on their phones than their American counterparts.

This smartphone explosion means it’s of little surprise that so many organisations have already adopted a Bring Your Own Device (BYOD) policy, a practice where employees are allowed to use their own devices for work-related purposes.

Beyond the obvious financial benefits, a BYOD policy can also help remote workers and improve productivity amongst those with a more flexible working schedule.

However, the success of this strategy relies on it being implemented correctly, with concerns around security often being the most cited reason amongst organisations who are yet to adopt a BYOD policy.

With that in mind, here are a number of best practices to help ensure your company remains secure whilst benefiting your employees.

Make sure your policy is clear

The first and most important thing you need to do when implementing a BYOD policy is to make sure it’s clear. If there is any vagueness or grey areas, your employees might accidentally exploit a vulnerability that could cause your organisation to have its security compromised.

From day one, employees need to know what they can and can’t use their devices for, what an IT support team can do for them if an incident occurs, and which devices will be included in the policy, since different devices have varying levels of security, meaning some are more vulnerable to risk than others.

Having a clear policy not only eliminates a constant back and forth between employees and management about what is and isn’t allowed, it also helps to address potential security and privacy risks.

Security first

When it comes to personal devices, users are usually laxer about keeping them secure. While most people have a passcode on their home screen, it’s very unusual to have two-factor authentication in place for a device allocated for personal usage.

While increasing device security might be seen as a headache for some, if your device has sensitive, work-related information and data on it, upping the security stakes must be seen as non-negotiable.

Your organisation should also conduct a mobile risk assessment to identify any possible dangers and vulnerabilities; ensure networks are secured and implement a policy that ensures passwords are both complex and routinely changed.

We’ve mentioned it before but no matter how much money you spend on your security strategy, human error is still the most common cause of a data breach. Therefore, you need to ensure every employee only has access to what is necessary for them and keep the relevant people informed if this changes.

However, security isn’t just the responsibility of management, you also need to…

Educate your staff

It’s vital that your staff are included in all dialogues revolving around potential risks and changes to your security policy.

If staff don’t understand why they’ve got to follow a certain protocol (two-factor authentication, for example), they’ll be less inclined to do so.

Comprehensively educating them on security risks from the beginning not only saves you time in the long run, it is also one of the best ways to prevent a potential incident. Make sure everyone working in your organisation understands the importance of using strong PINs, secure networks and data encryption, as well as making regular backups and not clicking on suspicious links.

Ensure usage is consistent

If you want your policy to be successful, you can’t have one rule for your employees and another for management.

It doesn’t matter how important someone is, if your organisation has decided to implement a company-wide BYOD policy, then everyone must know the rules and stick to them.

This is another reason why it’s important that your policy is clear so no one has an excuse for deviating from it! However, in order for usage to remain consistent, you must first ensure that it actually suits the needs of all those who will be partaking in it.

Make sure you consult with every team before determining your final policy. This way you can make sure it fulfils everyone’s requirements and minimise the issue of employees feeling like they are unable to support it.

Have an employee exit plan

The potential for a man-made security incident resurfaces every time an employee leaves. If they have been using their own device, how can you be sure that their access tokens have been revoked and sensitive data deleted?

Having a set plan in place helps your organisation deal with this: network access should be revoked almost immediately, and system administrators informed so they can keep the network both up to date and secure.

Wiping company-issued devices and disabling company email and accounts also stops ex-employees from retaining authorised access and helps keep sensitive information protected.

Sprint and T-Mobile merger approved by national security council


What just happened? A major milestone has been met in the process of Sprint and T-Mobile attempting to merge into a single entity. Approval from a handful of federal agencies in charge of national security now places the deal mainly in the hands of the FCC for final approval.

As Sprint and T-Mobile continue the lengthy process of attempting a merger, the Committee on Foreign Investment in the United States, the Department of Justice, the Department of Homeland Security and the Department of Defense have all given their seal of approval.

Collectively referred to as Team Telecom, these agencies gave their approval without objection and withdrew a request to defer action on the proposed merger.

Now that one major step has been taken, the deal remains subject to FCC approval as well as other regulatory approvals. If no regulator objects, it is expected to close during the first half of 2019.



Cybersecurity is at the forefront of the reasons the deal might still be stopped in its tracks. Both Sprint and T-Mobile are owned by foreign businesses with close ties to Huawei. As the Chinese telecom business comes under further scrutiny, there is potential for an objection on security grounds.

The United States is still awaiting the extradition of Huawei’s CFO. Even though it is not directly related to the merger, any increase in tensions with Huawei and China could throw a wrench into Sprint and T-Mobile’s plans, given that both are Huawei customers.

Valued at $26.5 billion, the proposed merger would shift the market from two major carriers plus two less competitive options to three moderately competitive wireless providers. As 5G networks start to take shape, a more unified landscape with three genuine competitors could help promote a better customer experience.


Aella Data Integrates with Demisto Enterprise for AI-Driven Breach Detection wit ...

Integration Combines AI-driven SOC Platform with SOAR for SOC Teams to Stay Ahead of Increasingly Sophisticated Attacks.

SANTA CLARA, Calif. & CUPERTINO, Calif. (BUSINESS WIRE) To help security operations teams stay ahead of the increasing volume of threats going undetected for too long, Aella, an innovator in AI-driven cybersecurity solutions and pioneer in pervasive breach detection systems, announced a product integration with Demisto, a leader in Security Orchestration, Automation and Response (SOAR). The integration between Aella Data Starlight and Demisto Enterprise delivers a complete solution for Security Operations Centers (SOCs), reducing the time to detect an attack from months to minutes, automating response actions across products, and making security operations more efficient and effective.

Driven by artificial intelligence (AI) and machine learning, Aella Data’s Starlight platform provides SOC analysts with advanced insights into threat activity. The integration with Demisto further empowers customers to easily complete the response and threat mitigation process by leveraging Demisto’s visual playbook and automated response capabilities. And by leveraging Demisto’s extensive ecosystem of product integrations, Starlight users can achieve a complete, integrated solution that covers collection, detection, investigation, response, and defense.

“By reducing the time it takes for SOC analysts to act on potential attacks, the integration between Aella Data and Demisto addresses one of the most significant pain points that security operations teams are experiencing,” said Paul Jespersen, Vice President of Business Development and International at Aella Data. “According to the 2018 , sixty-eight percent of breaches took months or longer to discover, which can result in excessive dwell times and potentially lead to extremely damaging data breaches. A current example is the Marriott breach, which lasted for more than four years.”

“A key challenge facing security teams today is extracting relevant information from the barrage of data coming their way. Demisto’s integration with Aella Data provides our users with a central console to ingest aggregated alerts and execute standardized response that coordinates actions across the security product stack,” said Rishi Bhargava, co-founder and VP, Marketing at Demisto. “This integration builds atop existing Demisto capabilities and enables SOCs to scale their operational and response capabilities.”

“We’re seeing customers shift their cybersecurity spending from defense-first (prevention) solutions to detection and response. They’re looking for more complete protection,” said Jansen Uy, General Manager of Cyberworld, a leading IT and security distributor based in Hong Kong and a partner of both companies. “Together, Aella Data and Demisto are a compelling and effective partnership that provides a truly autonomous SOC with sophisticated detection and response capabilities, and one that can be fully integrated with leading firewalls and other defense solutions which are often already deployed by customers.”

Demisto Enterprise integrates with hundreds of security products and enables customers to build playbooks for different security processes. These playbooks incorporate a combination of automated tasks and manual best practices to standardize and scale incident response. Demisto’s playbooks help reduce MTTR (Mean Time to Respond) for security incidents and free up time for security teams to conduct deeper investigations. In addition, the case management and machine learning capabilities help security teams maintain incident oversight and improve their security posture over time.

Aella Data Starlight integrates with many security products, including firewalls and secure web gateway products, SSL visibility solutions, other SIEMs, and SOAR platforms like Demisto for automated response integration.

About Demisto

Demisto is the only Security Orchestration, Automation, and Response (SOAR) platform that combines security orchestration, incident management, and interactive investigation to serve security teams across the incident lifecycle. Our orchestration engine coordinates and automates tasks across 100s of partner products, resulting in an increased return on existing security investments. Demisto enables security teams to reduce Mean Time to Response (MTTR), create consistent incident management processes, and increase analyst productivity. For more information, visit www.demisto.com or email info@demisto.com.

About Aella Data

Aella Data invented the industry’s first Pervasive Breach Detection System, which allows organizations of any size to automatically detect and thwart attacks on their critical data systems before damage is done or data is lost. Aella’s unique approach combines distributed processing and machine learning to collect and analyze granular data with zero blind spots across networks, servers, applications and intelligence feeds. Instead of overwhelming security teams with countless false alarms, the Aella Data Starlight Platform uses Multi Machine Learning algorithms to cut through the noise and deliver high-fidelity alerts that enable fast and effective responses. The software-based solution deploys easily in any computing and network environment. Located in Silicon Valley, CA, Aella Data is backed by Northern Light Venture Capital. Learn more at www.aelladata.com.

Demisto is a registered trademark of Demisto in the United States and other countries. All rights reserved. All other company and product names are either trademarks or registered trademarks of their respective companies.

Contacts

SKC, Inc.
Mary Placido, mary@skc-pr.com, (415) 218-3627
or
Sharon Y. Sim, sharon@skc-pr.com, (415) 420-1889

Lisette Rauwendaal
Lumina Communications
demisto@luminapr.com, (408) 827-4363



Trezor One: Support for OMNI layer


SatoshiLabs



Today, on December 18th, we have released a new firmware update for the Trezor One, this time with the number 1.7.2. This early holiday present brings you support for the OMNI layer. It is also a sign that the Trezor One keeps on being maintained and developed even as we are working on porting the Trezor Model T firmware back onto the Trezor One.

So let’s look at the details!

The Trezor One firmware update is available in Trezor Wallet (wallet.trezor.io)

OMNI layer (OMNI, MAID,USDT)

Support for the OMNI layer means that the Trezor One can now handle OMNI and MAID, as well as the stablecoin USDT (Tether).

U2F fixes

As part of the update, we are also rolling out U2F fixes for the Trezor One. Specifically, we have implemented a security fix for a vulnerability discovered by Christian Reitter. As the researcher himself stresses, no practical exploitation of the vulnerability has been found yet. For more details, read the technical explanation linked below:

Details about the security updates in Trezor One firmware 1.7.2 (blog.trezor.io): “On Tuesday December 18th, we released the firmware update 1.7.2 for Trezor One devices. This is a release which brings…”

Miscellaneous changes

The Trezor One will also no longer ask you for your PIN, if you have just set one. It is a small cosmetic change, but it will make the initial setup flow a bit smoother.

About Us

Trezor Model T is the next-generation hardware wallet, designed with experiences of the original Trezor in mind, combined with a modern and intuitive interface for improved user experience and security. It features a touchscreen, faster processor, and advanced coin support, as well as all the features of the Trezor One.

Trezor One is the most trusted and ubiquitous hardware wallet in the world. It offers unmatched security for cryptocurrencies, password management, Second Factor, while maintaining an absolute ease-of-use, whether you are a security expert or a brand new user.

SatoshiLabs is the innovator behind some of the most pivotal and influential projects with Bitcoin and cryptocurrencies, mainly Trezor , the world’s first cryptocurrency hardware wallet, or CoinMap.org , the primary resource for bitcoin-accepting venues.



Verizon LG V30, LG Zone 4 and LG Exalt Get November Security Patch Updates


Verizon has released a series of monthly updates and security patches for a few LG smartphones. The three phones now receiving updates are the LG V30, LG Zone 4 and LG Exalt. Each brings some significant improvements, and if you are a Verizon subscriber in the US and own any of these devices, make it a point to download and install the update. In most cases it will download and install automatically after showing you a notification. Here are the highlights.

Software Update for LG V30

Verizon calls this the 8th system update; the software version is VS99620g. Apart from security patches for the Android OS, the major improvement is in the front camera, where a portrait mode is added that lets you adjust the captured portrait with a slider.

In addition, a Flash Jump-Cut feature has been added: it creates GIFs from images taken in sequence every 3 seconds. The LG V30 received its last update on September 1. Get more details about the update here.


Updates for LG Exalt

The software update version is VN22013A. The mandatory December security patches for the Android OS are included in this monthly update issued by Verizon for users of the LG Exalt. On the functional side, a new ‘Manage Contacts’ entry has been added to the Contacts menu. This is the second update this LG device has received, coming a good 13 months after the previous one in October 2017. There are a few changes to the RTT call mode as well; the details are here.

LG Zone 4 December Updates by Verizon

This device is receiving an update within a month of the previous one. Version X210VPP12a brings performance improvements, and Android security patches are included too, although Verizon has not spelt out the specifics in the notification. Bugs reported earlier have been resolved through this update, the carrier says.

Steps to follow to get the update for your phone

These are all over-the-air (OTA) updates and land on your device automatically. Make sure your phone is connected to Wi-Fi, since the update files can be large and would otherwise eat into your mobile data allowance, and that there is enough battery charge to last the full download and installation.

Is Your Organization at Risk Because a Local Administrator Has a Weak Password?


In July, media reported that SingHealth, Singapore’s largest healthcare group, had been breached and 1.5 million patient records stolen, including those of Singapore’s prime minister, Lee Hsien Loong. The subsequent inquiry revealed that SingHealth had several security gaps and vulnerabilities that attackers could easily have exploited, including a local administrator account with a very weak password (P@ssw0rd). In fact, one of the ways the attackers moved laterally in the network was by using compromised Citrix local accounts.

Do you know if your organization is at risk because of a local administrator’s weak password? To help organizations detect and prevent weak and vulnerable passwords and network configurations, we have released a new version of Preempt Inspector .

Preempt Inspector is a free tool intended to help organizations discover potential weaknesses in their Active Directory environment and reduce their attack surface. The first version focused on detecting users whose password can be easily compromised, either because it is weak or because it was exposed in one of the largest public breaches (such as the LinkedIn breach). The second version introduced new features, one of them the discovery of Stealthy Admins: Active Directory user accounts that can easily obtain administrative privileges without being members of any administrative group. Analyzing the statistics, we found that all organizations are vulnerable to most of these issues.


New features in Preempt Inspector version 3

Version 3 of Preempt Inspector does all of the above with a few additional security features. Its main goal is to reduce the risk introduced by local administrators and to prevent one of the most common attacks today, NTLM relay.

Duplicate Local Admins

It is widely known that domain users are not the only accounts that can put your organization at risk. Since most security products focus on protecting domain accounts, another type of account is left up for grabs for attackers to abuse: local accounts. One of the biggest issues with local administrators is a local administrator account that has the same password on a group of domain machines (in the worst case, every computer in the organization). Sometimes the duplication is intentional, because such an account gives the IT team an easy way to manage all domain computers.

In other cases it is an “innocent mistake”: when new computers are deployed from the same image, the whole SAM database, including every local user and password, is cloned onto all of them. Worse, in most cases an attacker can detect such cloned local admin passwords without any special privileges. The security impact is simple: compromising a single machine compromises the entire group. So if the CEO’s assistant and the CEO share a local administrator password, an attacker who takes over the assistant’s computer gains administrative access to the CEO’s machine as well.

In this version of Preempt Inspector, we help organizations discover cloned local administrator accounts. To detect cloned passwords, Preempt Inspector connects to remote machines over the SAMR protocol and queries the ‘pwdLastSet’ attribute of their local accounts. Such remote SAM queries are allowed to any authenticated user by default on Windows versions before the Windows 10 Anniversary Update (and Windows Server 2016), which by default restrict them to local administrators. ‘pwdLastSet’ is a password-change timestamp with 100-nanosecond resolution; on machines deployed from the same image it is bit-for-bit identical, because it is cloned along with the rest of the SAM database, so an exact match across hosts is a reliable indicator of a cloned account. Among our private-preview customers we found large numbers of machines sharing a local administrator account.

We recommend that organizations configure a unique local administrator password on every machine, either manually or by using Microsoft’s Local Administrator Password Solution (LAPS), which manages local administrator passwords on domain-joined computers and stores them in Active Directory.
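One way to do the clustering step described above, as an added example that is not Preempt Inspector’s code: the SAMR query itself is assumed to have been run already, and the records below (hostname, account RID, pwdLastSet in FILETIME ticks) are constructed sample output standing in for its results. The rule that a zero timestamp is skipped is this example’s own assumption.

```python
"""Cluster hosts by the pwdLastSet timestamp of their local administrator.

Added example (not Preempt Inspector code). The SAMR queries are assumed to
have been made already; SAMPLE_RECORDS below is constructed sample output.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ticks: int) -> str:
    """Render a FILETIME tick count as an ISO-8601 UTC timestamp (microsecond precision)."""
    return (_FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def find_cloned_local_admins(records):
    """Return {(rid, pwd_last_set_ticks): [hosts]} for timestamps shared by more than one host.

    records: iterable of (hostname, rid, pwd_last_set_ticks).
    A 100 ns timestamp that is bit-identical on several machines is, in
    practice, only produced by cloning the SAM database with the OS image,
    so every group returned is a candidate set of hosts sharing one local
    administrator password.  A value of 0 is taken to mean that no
    password-set time was recorded (an assumption of this example) and is
    skipped, because it would otherwise cluster unrelated hosts.
    """
    by_stamp = defaultdict(set)
    for host, rid, ticks in records:
        if ticks == 0:
            continue
        by_stamp[(rid, ticks)].add(host)
    return {key: sorted(hosts) for key, hosts in by_stamp.items() if len(hosts) > 1}


def blast_radius(groups):
    """Map each host in a cloned group to the other hosts a compromise of it also yields."""
    radius = {}
    for hosts in groups.values():
        for host in hosts:
            radius[host] = [h for h in hosts if h != host]
    return radius


# Constructed sample data: RID 500 is the built-in Administrator account.
SAMPLE_RECORDS = [
    ("ASSISTANT-PC", 500, 132_123_456_789_012_345),
    ("CEO-LAPTOP",   500, 132_123_456_789_012_345),  # same image as ASSISTANT-PC
    ("HR-PC07",      500, 132_123_456_789_012_345),  # same image again
    ("DEV-WS01",     500, 132_200_000_000_000_000),  # unique password
    ("FILESRV01",    500, 132_150_000_000_000_011),  # unique password
    ("KIOSK-03",     500, 0),                        # no timestamp recorded
    ("KIOSK-04",     500, 0),
]

if __name__ == "__main__":
    groups = find_cloned_local_admins(SAMPLE_RECORDS)
    for (rid, ticks), hosts in groups.items():
        print(f"RID {rid} pwdLastSet {filetime_to_iso(ticks)} shared by: {', '.join(hosts)}")
    for host, others in blast_radius(groups).items():
        print(f"compromising {host} also yields local admin on: {', '.join(others)}")
```

Only an exact tick-for-tick match is reported; rounding timestamps to seconds would reintroduce coincidental matches between genuinely different passwords set at almost the same time.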

NTLM Relay Mitigations

Another old but very effective attack technique is NTLM relay. In an NTLM relay attack, a compromised machine takes advantage of NTLM connections made to it and relays the NTLM authentication to attack other, previously uncompromised, target servers. The attack is extremely powerful for several reasons. First, as long as NTLM is enabled in the network (not used, just enabled), any connection can be downgraded to NTLM. Second, most applications are not protected from NTLM relay by default. For Preempt Inspector we focused on the two riskiest protocols, the ones most exposed to NTLM relay:

LDAP Signing: An attacker who relays NTLM credentials to an LDAP connection can perform any LDAP operation on behalf of the relayed user. If that user is a domain admin, the most damaging move is to create a new domain admin account, which gives the attacker full persistence in the domain. To protect LDAP against this attack you need to turn on LDAP signing on your domain controllers. That alone is not enough: last year Preempt researchers discovered CVE-2017-8563, which allows NTLM relay to LDAP connections even when LDAP signing is enabled. Full protection requires the patch together with a specific registry configuration (enforcing LDAP channel binding) on each domain controller. Preempt Inspector scans all domain controllers and alerts on any unsafe LDAP configuration.

SMB Signing: An attacker can also relay NTLM credentials to SMB connections. SMB is enabled by default on every Windows machine and lets a user with sufficient privileges download files, read sensitive configuration and run code remotely. To be protected from SMB relay you need to require SMB signing on all machines in your network; merely enabling it is not enough, because an attacker can relay to a server that does not insist on signing. For some obscure reason only domain controllers require SMB signing by default. Preempt Inspector scans all domain controllers to verify that this default is still in place and samples several domain workstations to check whether SMB signing is required on other machines.
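The two mitigations above boil down to a handful of registry values, which the following added example grades; it is not Preempt Inspector’s code. LDAPServerIntegrity, LdapEnforceChannelBinding (the value introduced by the CVE-2017-8563 patch) and RequireSecuritySignature are the documented Windows registry values; the per-host dictionaries are constructed sample data standing in for values read remotely, and the host names are invented.

```python
"""Grade a host's NTLM relay mitigations from its registry values.

Added example (not Preempt Inspector code). The registry value names are the
documented Windows locations; the per-host dictionaries are constructed
sample data standing in for values read from a remote registry.
"""

# Subkeys under HKLM\SYSTEM\CurrentControlSet\Services\
NTDS_PARAMS = r"NTDS\Parameters"
LANMAN_SERVER_PARAMS = r"LanmanServer\Parameters"


def assess_ntlm_relay_mitigations(host: str, is_domain_controller: bool, reg: dict) -> list:
    """Return a list of findings; an empty list means the host is fully mitigated.

    reg maps (subkey, value_name) -> DWORD. A missing entry means the value is
    absent from the registry, which Windows treats as the default.
    """
    findings = []

    # SMB relay: only RequireSecuritySignature=1 ("Digitally sign communications
    # (always)") defeats relay. EnableSecuritySignature=1 merely offers signing
    # and a relayed session simply declines it.
    if reg.get((LANMAN_SERVER_PARAMS, "RequireSecuritySignature"), 0) != 1:
        findings.append(f"{host}: SMB signing not required; SMB relay possible")

    if is_domain_controller:
        # LDAP relay: LDAPServerIntegrity=2 means "Require signing"; 1 (default) means none.
        if reg.get((NTDS_PARAMS, "LDAPServerIntegrity"), 1) != 2:
            findings.append(f"{host}: LDAP signing not required; LDAP relay possible")
        # CVE-2017-8563: the patch adds LdapEnforceChannelBinding. 0 (default) leaves
        # the relay path open, 1 enforces only for clients that send channel binding
        # tokens, 2 enforces always.
        cb = reg.get((NTDS_PARAMS, "LdapEnforceChannelBinding"), 0)
        if cb == 0:
            findings.append(f"{host}: LDAP channel binding not enforced; CVE-2017-8563 relay path open")
        elif cb == 1:
            findings.append(f"{host}: LDAP channel binding enforced only when supported; set to 2")
    return findings


# Constructed sample hosts: (is_domain_controller, registry values).
SAMPLE_HOSTS = {
    "DC01": (True, {
        (LANMAN_SERVER_PARAMS, "RequireSecuritySignature"): 1,  # DC default
        (NTDS_PARAMS, "LDAPServerIntegrity"): 2,
        (NTDS_PARAMS, "LdapEnforceChannelBinding"): 2,
    }),
    "DC02": (True, {
        (LANMAN_SERVER_PARAMS, "RequireSecuritySignature"): 1,
        (NTDS_PARAMS, "LDAPServerIntegrity"): 2,
        # LdapEnforceChannelBinding absent: behaves as 0 even on a patched DC
    }),
    "WS-FINANCE-12": (False, {
        (LANMAN_SERVER_PARAMS, "EnableSecuritySignature"): 1,  # workstation default: offered, not required
    }),
}


def assess_all(hosts=SAMPLE_HOSTS):
    """Run the assessment over every sample host and return {host: findings}."""
    return {h: assess_ntlm_relay_mitigations(h, dc, reg) for h, (dc, reg) in hosts.items()}


if __name__ == "__main__":
    for host, findings in assess_all().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("  ", f)
```

DC02 illustrates the point made above: signing is required, yet the host is still reported because the channel binding value the CVE-2017-8563 patch introduced was never set.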

For a more comprehensive review of NTLM, refer to this blog post.

We will continue developing and adding new features to the Preempt Inspector. If you are interested in a specific feature which you would like to see incorporated into the Preempt Inspector, you can contact us at inspector@preempt.com .

Mobile App Modular Design

Three-tier architecture:
- Base layer: builds the program skeleton and handles the I/O of raw data
- Business layer: controls the data flow and transforms it
- UI layer

Layers are not the same thing as file organisation, nor as module boundaries. Modules are usually divided by screen, and the business-layer and UI-layer code belonging to one module live in the same directory (with subdirectories if needed). A module is not confined to a single layer; at most it spans all three.

The base layer’s directory is commonly named base or foundation. If it is designed well, nothing in it is tied to specific business logic, most of it can be reused across projects, and the business layer customises it for the project it serves.

This layer can be further divided into three kinds.

Utility code:
- Settings: persistent storage, keys, migration of persisted data on upgrade, change notifications
- Colours: theming, gradients
- Images: theming, encoding and decoding
- Text: rich-text handling, localisation
- Debugging: logging, debug helpers, macro switches
- Encryption: AES, DES, RSA, ...
- Encoding: base64, URL encode/decode, zip
- Data structures: JSON, XML
- Data algorithms: MD5, SHA1
- Networking: network-type detection, caching, downloads, interaction with the backend API
- Thread/process management: worker threads, thread messages, locks
- System information: version checks, screen resolution, memory and disk capacity, modifying system settings
- File management: paths, backups
- Strings: formatting (date, time, currency, decimals), transcoding (Unicode), regular expressions, detecting special numbers (phone numbers)
- Constant values, usually business-specific, such as URLs

Program skeleton:
- Messaging framework
- Page routing
- Componentisation framework
- Plugin framework

Feature logic, all of which can be treated as components:
- Initialisation: being invoked by other programs; (Android) creating shortcuts
- Upgrade: telling a fresh install from an overwrite install
- User information: third-party login
- Advertising
- Analytics instrumentation
- Push notifications
- Crashes: registering a crash handler
- QR codes
- Sharing
- Payments
- LBS (location-based services)

String constants

There are three ways to place them:

Localizable.strings

No one way is absolutely superior; where there is no need for more, the more convenient way is the better one.

Network module

The network module can be divided into four layers:
- Base layer: one of four things: the system networking framework; a third-party library that wraps the system framework; a third-party library re-implemented at the socket level; a networking framework of your own
- Common layer: simplifies the interface, defines common callbacks, and adds the mandatory parameters uniformly
- API layer: the set of functions corresponding to the backend endpoints, each calling the common layer internally
- Wrapper layer: convenience for other modules; for example, calling three APIs at once and merging the results into one callback once all have returned can be packaged as a single function

Settings module

“Settings” has several meanings:
- A setting in the strict sense (Setting) is a value initialised at runtime that can change.
- A configuration (Configuration) is fixed once its value is determined; it comes from a config file or is pushed by the server.
- Profile and preference both imply binding to a particular user: they are the user’s preferences and can differ from user to user.

They can also be divided by whether they need to be persisted, so there are two classes, RuntimeSetting and ArchivedSetting. RuntimeSetting is usually a singleton whose data lives only in memory; there is no need for key-value access, plain member variables suffice.

View-layer components

The original purpose of componentisation was reuse; today it is also regarded as one means of decoupling. These components can be used across projects:
- Toast
- Alert, multi-select boxes and other pop-ups
- Notification bar
- WebView, with common settings and styling already done, including loading progress and error display

Examples that cannot be reused:
- Splash screen
- Onboarding tutorial, release notes

Other ideas:
- Avoid the iOS precompiled header (.pch) where possible; some modules should not depend on that many things
- Never modify third-party code; package it as a pod (iOS) or library (Android) so it can be upgraded by overwriting at any time. Extend on top of it, or wrap it in another layer if that is not possible
- The initialisation flow can have a dedicated controller, keeping the app entry function simple
- A custom view (such as a pop-up) should be business-agnostic; all displayed content and settings should be passed in from outside
- Have the designers standardise; colour definitions form one style, so there will not be many colour values
- Classes within one module should be kept in separate files according to whether they are reusable across projects. For example SettingModel is reusable, but SettingKeys is business-specific; put them in two files