
Deception Defense Primer: Getting the Most Effect for the Least Time, Money and Resources


Deception technology gives defenders an advantage that no other protective technology offers: by laying a minefield full of tempting, savory bait, it lures attackers into revealing their intent and methods, enabling early and accurate detection. The FBI and other top law-enforcement agencies have long used such techniques to trap criminals such as child pornographers and financial fraudsters.



The purpose of setting decoys is to capture the attacker's early moves while reconnoitering the network and the methods used to locate targets. This early stage of a network attack can also be called "on-site reconnaissance"; interrupting it ultimately reduces the dwell time of a potential attack, which is critical for data protection. Defenders can observe what is happening, gain a deeper understanding of the nature of the attack, and see more clearly how the attacker moves through the network, or even through a cloud file-sharing environment.

More and more companies are adopting deception as a way to fill the gaps in their existing security solutions, as a complement to data loss prevention, encryption, access management, and user behavior analytics. But how does a security team decide which deception technology is the best fit for its own organization?

Defining the "Honey" Environment

Currently, the vast majority of products on the deception technology market focus on building elaborate "honey" environments designed to lure attackers into fake systems, diverting them and recording their attack activity.

Honeypots

A honeypot is a system adjacent to the network that is used to lure attackers and to detect, divert, or study hacking attempts. Honeypots are classified into different types by their degree of interaction with the intruder. Designed properly, a honeypot can stop attackers from reaching protected areas of the company's production network. A well-configured honeypot should contain many of the same components as the company's production systems, especially data. The greatest value of a honeypot is the information it yields about attacker behavior and intent. The data flowing into and out of the honeypot lets security staff collect this information, such as the attacker's keystrokes and their attempts at lateral movement within the fake honeypot system.

Honeynets

A honeynet is a simulation of a real network composed of multiple honeypots. Essentially, a honeynet is a large-scale network decoy that mimics the multi-server environment commonly found in a corporate network. The SANS 2017 report "The State of Honeypots: Understanding the Use of Honey Technologies Today" states: "Honeynets connect and interact the way real networks do -- none of the connections between systems are simulated." The SANS report asked honeypot users to rate the effectiveness of honeypots and honeynets on a 10-point scale; honeynets scored 7.5 for overall effectiveness. As with honeypots, the greatest value of a honeynet is the intelligence about attacker behavior that the security team can gather from it.

Provided they are well built and maintained, honey environments let security teams observe how attackers roam the network looking for data and exfiltrate it. But there is one precondition: the attacker has to take the bait and enter the honeynet.

Honey Environment Pain Points

Deploying, managing, and maintaining honey environments involves several major challenges and pain points. Before buying deception technology, you should do a careful cost-benefit analysis.

First, although a honey environment is built and maintained outside the enterprise production environment, a honeynet still requires the hacker to breach the production environment first. Companies can only hope that the breadcrumbs leading to the honeynet are enticing enough to actually lure the hacker. Moreover, once the hacker leaves the fake environment, there is no way to know whether he or she will re-enter the production environment to continue the attack, nor what data may have been exfiltrated before he or she was caught by the decoy trail.

Second, the cost and resources needed to create these environments can add yet another burden to already overstretched security teams. For an attacker to believe the honeynet is the real corporate network, the honey environment the company builds must mimic the production environment. Consequently, that environment must also be maintained by someone to preserve its "authenticity". The investment and upkeep needed to keep a honeynet running are far from trivial.

Third, the usefulness of the attacker data a honey environment can provide is limited. A honeynet is indeed a good way to learn how attackers hunt for data inside a system, but the attacker's real identity, and what the attacker will do with the data once stolen, cannot be learned from a honeynet.

Finally, attackers are becoming ever better at recognizing the hallmarks of honey environments. Truly dangerous hackers tend to target specific IP addresses they know to be real machines. It is easy for a hacker to tell whether a host on the corporate network is a honeypot, because such machines either have no outbound traffic or their faked traffic does not follow normal usage patterns and looks unnatural. For a honeynet to deliver its value, the intruder must not sense that they are in a fake system. The honeynet environment should give the attacker a false sense of realism and safety, so that he or she believes they have not been discovered or are not being watched.

Deception in the Real World

Deploying deception technology in production and cloud environments lets security teams detect and deceive attackers heading straight for sensitive data, rather than hoping the attacker will be lured elsewhere. Placing credible decoy documents in the production network provides all the benefits of honeypots and honeynets without having to create and maintain a fake environment.

Deception that does not depend on a honey environment can also be used to actively counter hackers and leakers. Attackers rely on a variety of tools to stay anonymous, and these tools are often what makes bold attacks succeed. Deception technology that is not confined to a fake environment can see through those tools and expose the attacker, often without the attacker noticing. This gives companies and law-enforcement agencies a special advantage in pinning down hackers and leakers.
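The decoy-document approach above works because a planted credential is never used by any legitimate process, so any authentication attempt that names it is a high-confidence signal and also tells you which decoy was read. The following detector is an added example written for this page, not code from the article or from any product it describes; the log line format, the honey account names and the decoy locations are all constructed for the example.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class HoneyCredentialDetector {

    /** A high-confidence alert: a planted account was used, and where it had been planted. */
    public static final class Alert {
        public final String account, plantedIn, source, result, rawLine;
        Alert(String account, String plantedIn, String source, String result, String rawLine) {
            this.account = account; this.plantedIn = plantedIn; this.source = source;
            this.result = result; this.rawLine = rawLine;
        }
        @Override public String toString() {
            return "HONEYTOKEN USED account=" + account + " planted_in=\"" + plantedIn
                 + "\" from=" + source + " result=" + result;
        }
    }

    // Constructed log format assumed for this example: "<time> auth user=<name> src=<ip> result=<ok|fail>"
    private static final Pattern AUTH_LINE =
        Pattern.compile("^(\\S+) auth user=(\\S+) src=(\\S+) result=(\\S+)");

    // lower-cased honey account name -> the decoy the defender planted it in
    private final Map<String, String> honeyAccounts = new HashMap<>();

    public void plant(String account, String decoyLocation) {
        honeyAccounts.put(account.toLowerCase(Locale.ROOT), decoyLocation);
    }

    /** Inspect one log line; alert if it names a planted account, whether the attempt succeeded or not. */
    public Optional<Alert> inspect(String line) {
        Matcher m = AUTH_LINE.matcher(line);
        if (!m.find()) return Optional.empty();          // not an authentication record
        String plantedIn = honeyAccounts.get(m.group(2).toLowerCase(Locale.ROOT));
        if (plantedIn == null) return Optional.empty();   // a real account; out of scope here
        // Honey accounts are never used legitimately, so even a failed attempt means the
        // decoy that held this credential has been read by someone.
        return Optional.of(new Alert(m.group(2), plantedIn, m.group(3), m.group(4), line));
    }

    public List<Alert> scan(List<String> lines) {
        List<Alert> alerts = new ArrayList<>();
        for (String l : lines) inspect(l).ifPresent(alerts::add);
        return alerts;
    }

    // Constructed sample log lines for the example.
    static final List<String> SAMPLE_LOG = Collections.unmodifiableList(Arrays.asList(
        "2018-12-20T09:14:02Z auth user=alice src=10.0.4.17 result=ok",
        "2018-12-20T09:15:10Z auth user=svc_backup_legacy src=10.0.9.201 result=fail",
        "2018-12-20T09:15:12Z auth user=svc_backup_legacy src=10.0.9.201 result=ok",
        "2018-12-20T09:20:44Z auth user=bob src=10.0.4.18 result=fail",
        "2018-12-20T09:31:05Z sshd: connection closed by 10.0.9.201"));

    public static void main(String[] args) {
        HoneyCredentialDetector d = new HoneyCredentialDetector();
        // Hypothetical decoys: a runbook on a file share and a stale config attached to a wiki page.
        d.plant("svc_backup_legacy", "decoy: \\\\fileserver\\it\\backup-runbook.docx");
        d.plant("db_readonly_old", "decoy: config/app.properties.bak on the internal wiki");
        d.scan(SAMPLE_LOG).forEach(System.out::println);
    }
}
```

Run on the sample log, the detector raises two alerts for the same source address (one failed and one successful attempt with the planted backup account) and ignores the real users and the non-authentication line. Because each honey account maps back to exactly one decoy, the alert answers the question the article says honeynets cannot: where in the production environment the attacker has already been reading.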

SANS 2017 report "The State of Honeypots: Understanding the Use of Honey Technologies Today":

https://www.sans.org/reading-room/whitepapers/detection/state-honeypots-understanding-honey-technologies-today-38165


One in three networks has exposed passwords


Passwords are exposed in Group Policy Preferences in 32.2 percent of networks, according to new research, leaving them open to the risk of hackers traveling laterally through the network.

The study from identity and access specialist Preempt also shows organizations lack visibility and control when it comes to their passwords and privileged users.

Almost 97 percent of inspected enterprises revealed at least one security issue between Active Directory issues and password policies, while 72.2 percent had 'stealthy admins' -- users with excessive administrative privileges that could be used or manipulated by malicious actors.

"While cybersecurity spending is at all time highs, our research finds the vast majority of organizations are vulnerable to hacking via brute force password attacks, compromised user credentials, and other common tactics," says Ajit Sancheti, Preempt's co-founder and CEO. "Compromised credentials were responsible for 81 percent of hacking related breaches last year, and our research suggests this will potentially worsen unless enterprises prioritize password best practices, as well as visibility and control around privileged users."

The study is based on data from Preempt's free-to-use Inspector application. Among other findings are that the bigger an organization is, the more secure their passwords tend to be. Preempt Inspector was able to crack 8.7 percent of passwords in large organizations (over 1,000 employees), compared with 10.3 percent in medium organizations (100 to 1,000 employees) and 16.78 percent in small organizations (fewer than 100 employees).

Password quality is best in the US, and Europe is better than the rest of the world, with researchers able to crack 6.3 percent of US passwords, compared with 11.74 percent of passwords in Europe and 17.86 percent of passwords from other regions. There are wide variations in policy, however, with only five percent of all networks having a strong password policy, while 23 percent of networks have a very weak password policy.

You can find out more about the report on the Preempt blog. The latest version of the Inspector tool is also available for free download now.
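Passwords stored in Group Policy Preferences, the issue the report leads with, live as a `cpassword` attribute inside the preference XML files under the domain's SYSVOL Policies share, and Microsoft's patch stopped new ones being created but left existing files untouched. The audit below is an added example, not the Preempt Inspector tool or any code from the report: it walks a copy of the Policies tree, reports every element still carrying `cpassword` and the account it applies to, and deliberately never prints or decrypts the value. The sample XML is constructed for the example and the directory path is an assumption passed on the command line.

```java
import java.io.IOException;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;

import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class GppPasswordAudit {

    /** One finding: the file, the element carrying cpassword, and the account it targets. */
    public static final class Finding {
        public final String file, element, account;
        Finding(String file, String element, String account) {
            this.file = file; this.element = element; this.account = account;
        }
        @Override public String toString() {
            return file + ": <" + element + "> account=" + account;
        }
    }

    // Different GPP item types name the target account differently (Groups, Drives, Services, ScheduledTasks).
    private static final String[] ACCOUNT_ATTRS = {"userName", "username", "accountName", "runAs"};

    /** Return every element in one GPP XML document that carries a cpassword attribute. */
    public static List<Finding> findCpassword(String fileName, String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Hardened parser: reject DTDs and entity expansion so a crafted file cannot trigger XXE.
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);

        List<Finding> out = new ArrayList<>();
        NodeList all = f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getElementsByTagName("*");
        for (int i = 0; i < all.getLength(); i++) {
            Element e = (Element) all.item(i);
            if (!e.hasAttribute("cpassword")) continue;
            String account = "?";
            for (String a : ACCOUNT_ATTRS) {
                if (e.hasAttribute(a)) { account = e.getAttribute(a); break; }
            }
            // The cpassword value itself is never read out: the finding is enough to act on.
            out.add(new Finding(fileName, e.getTagName(), account));
        }
        return out;
    }

    /** Walk a Policies tree (a copy of the SYSVOL Policies folder) and audit every .xml file in it. */
    public static List<Finding> auditTree(Path policiesRoot) throws IOException {
        List<Path> xmlFiles;
        try (Stream<Path> s = Files.walk(policiesRoot)) {
            xmlFiles = s.filter(Files::isRegularFile)
                        .filter(p -> p.toString().toLowerCase().endsWith(".xml"))
                        .collect(Collectors.toList());
        }
        List<Finding> findings = new ArrayList<>();
        for (Path p : xmlFiles) {
            try {
                findings.addAll(findCpassword(p.toString(),
                        new String(Files.readAllBytes(p), StandardCharsets.UTF_8)));
            } catch (Exception parseFailure) {
                // Non-GPP or malformed XML under Policies is common: report it and keep going.
                System.err.println("skip " + p + ": " + parseFailure.getMessage());
            }
        }
        return findings;
    }

    // Constructed sample in the shape of a Groups.xml local-user item; the cpassword value is a placeholder.
    static final String SAMPLE_GROUPS_XML =
        "<?xml version=\"1.0\" encoding=\"utf-8\"?>\n"
      + "<Groups><User name=\"LocalAdmin\">"
      + "<Properties action=\"U\" userName=\"LocalAdmin\" cpassword=\"PLACEHOLDER-NOT-A-REAL-VALUE\""
      + " changeLogon=\"0\" noChange=\"1\" neverExpires=\"1\" acctDisabled=\"0\"/>"
      + "</User></Groups>";

    public static void main(String[] args) throws Exception {
        // With a directory argument, audit that tree; without one, run on the constructed sample.
        List<Finding> findings = args.length > 0
                ? auditTree(Paths.get(args[0]))
                : findCpassword("Groups.xml (sample)", SAMPLE_GROUPS_XML);
        findings.forEach(System.out::println);
        System.out.println(findings.isEmpty() ? "no cpassword attributes found"
                : findings.size() + " item(s) still carry an embedded password");
    }
}
```

Every finding should be treated as an already-exposed credential: remove the preference item, rotate the password of the account named in the finding, and then re-run the audit, because a GPP password is readable by every domain member that can read SYSVOL, which is exactly what lets an intruder travel laterally.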


CoinSpeaker

Overstock’s Investment Wing Uses Digital Tokens to Acquire Shares from Security Startup

Medici Ventures, Overstock.com’s investment wing, has acquired digital tokens translating to 3.6 million shares from Chainstone Labs. These shares are a 29.6% stake in the startup worth $3.6 million. That marks the first step of venturing into the security token markets by Chainstone.

Furthermore, Medici plans to launch a security token marketplace in January 2019. The tZERO token is set to become the primary traded asset on this platform. The CEO at the Atlantic Financial Blockchain Labs, Bruce Fenton, is also the leader at Chainstone. He is a firm believer that there will come a time when tokens start acting as shares. He said:

“We believe that digital securities are a far superior model to the old ways of moving securities. Since this is our business focal point it is a natural fit to have our own equity digitized into securities token.”

Background

The Chainstone digital security token features among the pioneer equity tokens issued using a public blockchain. Moreover, Ravencoin confirmed that it was the first major security token issued on the network. The story of Ravencoin started on October 31, 2017, the date of its announcement. Later on January 3, 2018, it launched as a network.

Since November 5, 2018, Ravencoin supports the issuance of tokens. Medici Ventures is a notable supporter of the blockchain network. Their primary mission is to use blockchain to eliminate middlemen, democratize capital, and re-humanize commerce. They reiterated their mission in a statement saying:

“We believe our equity purchase in Chainstone Labs is a huge step forward in that mission as Chainstone will help change the landscape of the global economy.”

The Digital Shares

Currently, there exist 12.4 million digital shares in the company. All of them thrive under the Chainstone name. Moreover, they reside on the Ravencoin blockchain created by Fenton, Joel Weight, and Tron Black. Initially, they designed the network for P2P asset transactions.

Fenton believes that Ravencoin was a perfect option since it has many advantages over other platforms. The platform benefits from the scalability and security of the Bitcoin code base. Chainstone aims to support Blockstream’s Liquid, among other platforms, with ERC-20 tokens in the future. According to the Medici Ventures president, using blockchain for issuance and tracking of shares will enhance transaction security, speed, and transparency.

The public can access the token at the start of 2019. Currently, there are no plans to make the token tradable on tZERO. However, the company is still in its early stages. The firm also said in a press release that it is creating a security token for cobalt sales. GSR Capital, a Hong Kong-based company, commissioned the project.

Although the crypto markets suffered a downward trend in 2018, blockchain developments kept budding. Overstock is among the growing number of investors who believe that the new era is inevitable. Tokens will join the markets trading as shares.


Information Security Manager Salary and Job Outlook


As information security continues to be a pressing concern in all sectors of business and government throughout the world, the job of information security manager is constantly in demand. Let’s take a look at the information security manager salary and job outlook in various parts of the United States.

What Is an Information Security Manager?

Since an information security manager has many shifting roles and responsibilities, the ISACA (formerly known as the Information Systems Audit and Control Association) established a set of guidelines for executives and management. It lists some of their requirements as:

- Overseeing the establishment, implementation and adherence to policies and standards that guide and support the terms of the information security strategy. (This could be in the form of creating “best practices” guidelines and materials for new hires or specific department protocols)
- Communicating with executive management to ensure support for the information security program
- Overseeing and conducting risk management activities (risk assessment, gap analysis, business impact analysis and so on) to help the enterprise reach an acceptable level of risk
- Advising and making recommendations regarding appropriate personnel, physical and technical security controls
- Managing the information security incident management program to ensure the prevention, detection, containment and correction of security breaches. (This could involve: conducting simulations or real-world drills, hiring and managing ethical hackers, and so on)
- Reporting appropriate metrics to executive management. For example: number of incidences blocked; analytics from phishing simulation programs noting the number of phony emails clicked; number of employees that have successfully completed educational programs and so on
- Participating in resolving problems with security violations
- Creating an enterprise-wide information security education and awareness campaign. These can be in the form of videos, printed materials, emails, company-wide memos, meetings, Security Champions and more
- Coordinating the communication of the information security awareness campaign to all members of the organization and its vendors, auditors, executive management and user departments to enhance information security

In other words, an information security manager is focused on analyzing and aligning security risk and protocols with the company’s policies and goals, as well as overseeing the people that run the day-to-day operations.

Pay Scales

PayScale currently shows an average pay of $110,112 per year, but total pay can reach up to $145,329.

The top cities and median salary are listed as:

- San Francisco: $166,328
- Seattle: $136,788
- New York: $134,056
- Houston: $129,830
- Boston: $124,038
- Washington: $122,784

Additionally, the ISACA has created the Certified Information Security Manager (CISM) credential, which has become an industry benchmark for competence in the field. The CISM has been around since 2003 and according to our analysis is currently considered the highest-paying credential in the field of information security.

The CISM consists of 150 multiple-choice questions regarding information security including management, risk management and compliance, program development and incident management. In order to qualify, you must have at least five years’ experience in information security and three years of experience specifically in infosec management.

Those with the CISM can see a substantial increase in average pay. According to PayScale, it reaches about $122,000.

Top cities for CISM and their salary ranges:

- New York, New York: $92,551 to $183,259
- Washington, District of Columbia: $90,637 to $155,370
- Dallas, Texas: $86,147 to $154,633
- Atlanta, Georgia: $78,509 to $151,734
- Seattle, Washington: $86,509 to $150,474

In addition to the information security manager, the CISM is also a beneficial certification for an information security system officer (ISSO), who is often a conduit between departments on security issues. It also aids information or privacy risk consultants, whose job it is to document and assess threats as well as ensure policy is followed to minimize risk.

Information Security Manager Job Outlook

Because information security is getting increasingly complex and new threats come online every day, the job outlook for information security managers is quite positive. While specific U.S. Department of Labor statistics are not available, the related job of information security analyst shows a projected growth of 28%, much higher than the average growth of all occupations at 7%. One can safely assume that the job of information security manager will be growing along those lines.

Sources

- The Job Description for an Information Security Manager, Chron
- Information Security Analysts, Bureau of Labor Statistics
- Information Security Manager, PayScale
- Salary for Certification: Certified Information Security Manager (CISM), PayScale

Top 10 Logz.io Features and Announcements in 2018


What a year this has been for Logz.io! It’s been an event-packed year for both our users and our community, with a myriad of new capabilities and product features rolled out one after the other.


We’ve done our best to keep you updated on the major new additions and have also added a What’s New feature within the UI itself to make sure you don’t miss out on the new goodies being introduced.

Still, the end of the year is a great opportunity for a recap and in this article, I’d like to highlight the top 10 announcements in 2018. Please note that the list below is not ordered by importance and does not include ALL the news.

#1 Live Tail 2.0

Replacing tail -f, Live Tail allows you to see your logs streaming into the system in real time. Live Tail was announced in 2017 and has since been widely adopted by our users to troubleshoot issues and measure the impact of new code deployments.

In 2018, we’ve enhanced this feature by adding two new capabilities. First, users can now view the logs in a parsed state as well. Second, they can improve the way these logs are displayed by adding fields and using Kibana-like filters.


#2 Alice Slack bot

We are a ChatOps-driven organization and so are many of our users. In 2018, we introduced a new Slack bot called Alice which allows you to query Elasticsearch, view Kibana dashboards, and plenty more right from within your own Slack org.



Alice is based on Logz.io’s public API and we intend to add support for more and more API methods in the near future.

You can read more about Alice here.

#3 Security Analytics

Logz.io Security Analytics is a security app that we’ve built on top of the ELK Stack that allows you to apply the same procedures used for monitoring and troubleshooting your environment, for securing it as well.



Based on the same data set used for operations, this app includes threat detection, correlations, security dashboards and integrations, and more.

More about Logz.io Security Analytics can be found in this article.

#4 Apollo and Sawmill

Logz.io is built on top of two of the world’s most popular open source monitoring platforms ― the ELK Stack and Grafana. We understand the importance of giving back to the open source community, and in 2018 we open sourced two projects that are used in our architecture ― Sawmill and Apollo.

Sawmill is a Java library that enables data processing, enrichment, filtering, and transformations. After some hard-earned lessons from using Logstash, Logz.io developed and implemented Sawmill in our data ingestion pipelines to ensure reliable and stable data ingestion. Apollo is a Continuous Deployment tool for deploying containers using Kubernetes, and was developed to help Logz.io continuously deploy components of our ELK-based architecture into production.

#5 Logz.io Community

Other major 2018 news is the Logz.io Community on Slack which we announced in July.

The community, now numbering over 800 members, aims at providing its members with the tools to learn from peers, share knowledge and skills, and stay up-to-date with the latest monitoring and logging news from Logz.io and from the online community.

We’re super-thrilled to see this community slowly grow and would love to see you join the party if you haven’t already. You can register here.

#6 Markers

Markers is a capability added to our AI-powered Insights feature. Both Cognitive Insights and Application Insights help users deal with the “finding a needle in the haystack” challenge by using machine learning and crowdsourcing to surface critical issues that would otherwise have gone unnoticed. The new Markers feature takes it up a notch by enabling users to understand the context in which these events are taking place.

Users can use a query to signify that an event has taken place and create a marker. This marker can then be plotted on the storyline graph to allow users to more easily identify a correlation between this event and the Insights identified and flagged by Logz.io.


#7 Logz.io Academy and Online Docs

During 2018 we introduced two major resources to help our users make the best out of Logz.io ― the Logz.io Academy and online documentation.

The Academy contains courses and webinars that will guide our users on their Logz.io journey. From the basics, through parsing and creating visualizations, users will find useful practical information to help them make the most out of the data shipped to Logz.io.

Our new docs contain technical information on the product’s main features and how to use them, including an extensive API guide which includes examples and detailed usage instructions.


#8 Account Management

We revamped the account management page (Settings → Manage Account) to give users more control and supervision over how much data is being shipped with two new advanced account settings.

Each account now has the option to save account utilization metrics on a set schedule (every 10, 30 or 60 mins). These metrics include the used data volume f

A Post-Compliant World? Part 1


Over the next three articles, we will consider the past, present and future state of infosec compliance. Please note that these are personal views, not necessarily shared by past employers.

Introduction

My security career began at a time when data security was just a niche subject of little concern to anyone other than specialists. It has bridged to the present, when everyone has to be concerned about their own information because anyone, anywhere is now a potential threat to it. Between these two extremes the attempts, particularly by governments (I worked for one), to ensure compliance were utterly transformed, to the extent that I believe we now live in a post-compliant age.

In this new world, security will always have to play catch-up with the latest security incident, to the point that the emphasis must shift from identify/detect/protect/respond to

I hope you’ll agree that it’s always useful to sometimes look back, so we can more effectively learn lessons for the future. We must do as much as we can to avoid the same traps of complacency and over-protectiveness that I believe were features of infosec for years. We need to learn to stop fighting the last war.

A Short History of Security

I started security compliance checking during the mid-1980s, before the word “infosec” was ever heard. My job during those years was about “physical and documentary” security, a simple world where standards of compliance were quite easy to judge: the doors were locked, check; all the papers on a file were there and any copies were accounted for, check. The keys to cupboards and doors were all in place, and everyone in the office seemed to understand what they had to do to keep things secure. As if to underline this simple, unchanging environment, our compliance reports were pre-printed, needing minimal additional text to describe our findings.

The earliest approaches to computer security (as it was then called) were based on tried-and-tested models set upon principles of defense in depth, of having “trusted” (i.e., specially trained and motivated) users and building secure data centers inside thick walls (which could incorporate all of the preceding).

From around 1990, I started to notice more computer systems in offices. But this was still pre-Internet, and mostly a pre-networking age. These computers were rarely networked, and their screens were mostly green. I did not see any real attempt to reconcile this emerging world of stealthy data creation to the reporting and compliance models that had been around for years. Also, there was still no computing power inside the average home and none on phones. This meant nobody had to think about computer security outside the relative security of an office. “Telecommuting” was not yet a word.

The tried-and-tested methods used to account for papers and keys continued to be applied to removable media such as floppy disks, which at that time held minimal amounts of data by today’s standards. A 5.25” floppy could not hold much more than 1 MB of data, or just over 500 pages of text.

But the growth of office systems and a lack of understanding about how easily electronic data could be lost and stolen and how computer viruses could now wreck the information and the hardware and software used to produce it led to security staff looking for new ways to counter these threats.

The next attempt to get to grips with all this was to create security policies. Tailored to specific systems, they were intended to get office managers to take responsibility for security by methods such as asking them to sign off the (sometimes very complex) procedures. To codify all actions needed of system users to keep the system secure, simpler (but often overlong) operating procedures (SyOPs) formed a subset of these policies. For example, SyOPs would tell users how to make up passwords, how they should lock away removable media, instruct them not to use unauthorized removable media and so on.

The words were certainly all there, but they did not make sense to most people. The concepts of computing were often very new to many users, not yet taught in any classroom and obscured by over-complex terminologies and processes.

With hindsight, I can see the missing element. That element was any sustained effort to update the consciousness of users about the new truth: Information could now be replicated and distributed invisibly. It could no longer be controlled by any of the physical methods long used to oversee the security of documents and workspaces.

Paradigm Shift

The next noticeable phase came around the mid-1990s, when office networking made these imperfect security responses even shakier. The initial response was simply to increase the length of system security policies (and to call them “network” security policies), which made it even harder for the average office worker to grasp what they had to do to protect information. The increasing complexity of the technical drafting needed left security officers with even less time to assess the effectiveness of security measures. And building anything without assessing its effectiveness is a recipe for failure.

A major attempt was made to tackle this by shifting the emphasis of the security officer’s job towards checking a system’s operation against the security documentation. The documentation would now be produced and owned by the information owners, who could turn to outside consultants to produce it. This process, called accreditation, is difficult to define in simple terms but was basically an honest attempt to apply audit and assurance to existing procedures. It included for the first time elements of risk management, i.e., system owners would now “own” and take responsibility for any risks identified by the accrediting security officer.

This shift did allow infosec staff to step back from drawing up procedures for other people’s systems and enabled them to reposition themselves as commenters upon the effectiveness of procedures proposed by system designers and managers. These changes roughly coincided with the growth of the Internet for business, using new technologies that also introduced new vulnerabilities.

The details of these changes are less important than the security mindsets they uncovered, for people who were in their own way still fighting the last war. Early in the office automation revolution, security officers sometimes stood in the way of progress to forestall security difficulties. In the pre-infosec age, I had got quite used to security viewpoints taking precedence, but this was a new world, where security really could stand in the way of success and of progress. Continuing advances in office technology, and the eagerness of the office to exploit them, set up repeating conflicts between those charged with security and those directed to ensure progress.

But it was the business need to use the Internet (and “secure” Intranet services, which used Internet technology but did not have direct links to the Web) that finally destroyed the model of security as an impregnable castle.

It took extra efforts to reform the approach to security learning required for infosec. Security education was rooted in a time of just reading materials, not practical lessons or “see-it, do-it” approaches. More importantly, it was now necessary to tell employees about the risks of their use of infosec in a world where there was little or no constraint upon their use of the same technologies outside the office.

Accepting and Moving Forward

From the early 1990s to the mid-2000s, I saw infosec compliance change from imposing risk-averse approaches to applying risk-management solutions. This went along with a growing realization that any government-imposed models of security were “virtuous, but self-defeating.” It also became clear that the application of technological solutions did not “cure” security problems but were at best a pill to manage them. All these things were hard for security people who had developed their skills during the 20th century to swallow.

Yet acceptance of these points was key to managing the rising tide of data usage. It was especially difficult to convince more experienced security officers that the new paradigm was essential, not just from a desire to automate but for economic progress.

In my next piece, I’ll review the problems for security through the normalization of IT, the constant change of threats and the pressure through legislation to “do something!” about infosec problems.

Footnotes:

The five Core Functions of the current (2014) NIST Cybersecurity Framework. See nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf

A notorious example: World War 1 had taught France the importance of entrenched defenses. To deter the next war, they built the vast entrenchments of the Maginot Line. The mobile German army of World War 2 simply stepped around them.

An example, from memory, was cautioning against enabling some “mobile code,” an honest attempt to prevent system intrusions.

Quote from former NSA and CIA Director General Michael V. Hayden, speaking at the Billington Conference, Washington, DC (September 2015)

MailChimp deleted my account with no warning or notification


I make and sell a security product called the SC4-HSM which, among other things, acts as a FIDO U2F key. A few days ago I was contacted by an independent security researcher named Christian Reitter saying that he had discovered a security flaw that impacted a wide range of such keys. It turned out that the SC4-HSM is not impacted by the flaw, so I waited for the information embargo period to end and went to send out a notice to my mailing list letting my customers know all was well and they didn't need to worry. I keep my mailing list on MailChimp. I don't use the account very often, but every time I have used it I have had no problems.

Today, however, when I went to log in to my account, I was met with the following message:

This account has been deactivated. To continue using Mailchimp, please create a new account with a new username. If you have questions, please contact compliance@mailchimp.com.

I went to my web site to see what a customer would experience if they tried to sign up for my list, and the result was the most unhelpful error message I have ever seen on the web (and that's saying something):



(Remember, this is what one of my prospective customers would see. Such a person may or may not have a MailChimp account, most likely not, so what would be the point of going to a dashboard? Assuming that button actually took you to a dashboard. Which it doesn't.)

I was shocked. As I said, I don't use my account very much, but I know it was active as of November 26 (three weeks ago) because someone signed up for my mailing list that week and I received a notification about that. I went back through my mail archives to see if a warning or notification about this had gotten spam-filtered somehow. Nope. Nothing.

So the situation is this: MailChimp shut down my account without even notifying me, let alone warning me that this was about to happen. At the same time, they turned the link on my site that prospective customers use to sign up for my mailing list into a dead link, and cut off my access to the existing list so I can no longer contact my existing customers. The only way to contact MailChimp is by email (they don't have a phone number AFAICT). I sent them an inquiry about this but they have not responded.

As if all that were not bad enough, there appears on the face of it to be no way to re-activate my account. The only option given in the error message is "To continue using Mailchimp, please create a new account with a new username." If I take this error message at face value, my mailing list is gone forever. WTAF MailChimp?

I really don't like to resort to public shaming, but this really is unacceptable. Even if I do manage to get my account and/or mailing list back somehow, I don't see how I can ever rely on MailChimp for anything mission critical. Pulling the rug out from under me like this is something you only get to do once.

Spring Security Series: The Authorization Process (7)


Preface

This article follows the previous chapter, Spring Security Series: The Authentication Process (6), and further analyzes how Spring Security's username/password login authorization is implemented.

Class Diagram

Debugging Process

Start the project at https://github.com/longfeizheng/logback in debug mode and open http://localhost:8080/persons in the browser; any username will do, with the password 123456.

Source Code Analysis

The figure shows the invocation flow of the filters involved in the login authentication process, with the filters I consider important marked out.


The execution order can be read from the figure. Let's look at the processing logic of the filters the author considers most important: UsernamePasswordAuthenticationFilter, AnonymousAuthenticationFilter, ExceptionTranslationFilter and FilterSecurityInterceptor,

together with the related processing flow, described below.

UsernamePasswordAuthenticationFilter

The overall call flow is: first the parent class method AbstractAuthenticationProcessingFilter.doFilter() is invoked, and then UsernamePasswordAuthenticationFilter.attemptAuthentication() is executed to perform the authentication.

AbstractAuthenticationProcessingFilter

```java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {

    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    // 1. Decide whether this filter can handle the current request; if not, hand it to the next filter
    if (!requiresAuthentication(request, response)) {
        chain.doFilter(request, response);
        return;
    }

    if (logger.isDebugEnabled()) {
        logger.debug("Request is to process authentication");
    }

    Authentication authResult;

    try {
        // 2. Abstract method, implemented by the subclass UsernamePasswordAuthenticationFilter
        authResult = attemptAuthentication(request, response);
        if (authResult == null) {
            // return immediately as subclass has indicated that it hasn't completed
            // authentication
            return;
        }
        // 3. After successful authentication, run the session-related handling
        sessionStrategy.onAuthentication(authResult, request, response);
    }
    catch (InternalAuthenticationServiceException failed) {
        logger.error("An internal error occurred while trying to authenticate the user.", failed);
        // 4. Handling after a failed authentication
        unsuccessfulAuthentication(request, response, failed);
        return;
    }
    catch (AuthenticationException failed) {
        // Authentication failed
        unsuccessfulAuthentication(request, response, failed);
        return;
    }

    // Authentication success
    if (continueChainBeforeSuccessfulAuthentication) {
        chain.doFilter(request, response);
    }

    // 5. Success callbacks: mainly place the current Authentication into the SecurityContextHolder
    successfulAuthentication(request, response, chain, authResult);
}
```

The flow of the whole method is:

1. Check whether this filter can handle the current request; if not, hand the request on to the next filter.
2. Call the abstract method attemptAuthentication to authenticate; it is implemented by the subclass UsernamePasswordAuthenticationFilter.
3. After successful authentication, run the session-related callbacks (sessionStrategy.onAuthentication).
4. After successful authentication, run the success callbacks:

```java
protected void successfulAuthentication(HttpServletRequest request,
        HttpServletResponse response, FilterChain chain, Authentication authResult)
        throws IOException, ServletException {
    if (logger.isDebugEnabled()) {
        logger.debug("Authentication success. Updating SecurityContextHolder to contain: " + authResult);
    }
    SecurityContextHolder.getContext().setAuthentication(authResult);
    rememberMeServices.loginSuccess(request, response, authResult);

    // Fire event
    if (this.eventPublisher != null) {
        eventPublisher.publishEvent(new InteractiveAuthenticationSuccessEvent(authResult, this.getClass()));
    }
    successHandler.onAuthenticationSuccess(request, response, authResult);
}
```

successfulAuthentication does three things:

1. puts the successfully authenticated Authentication into the SecurityContextHolder;
2. tells the RememberMeServices about the login and publishes an InteractiveAuthenticationSuccessEvent;
3. hands over to any further pluggable handlers for the success event (implement the AuthenticationSuccessHandler interface).

UsernamePasswordAuthenticationFilter.attemptAuthentication:

```java
// UsernamePasswordAuthenticationFilter
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
        throws AuthenticationException {
    // 1. The request method must be POST
    if (postOnly && !request.getMethod().equals("POST")) {
        throw new AuthenticationServiceException("Authentication method not supported: " + request.getMethod());
    }
    // 2. Read username and password from the request
    String username = obtainUsername(request);
    String password = obtainPassword(request);
    if (username == null) {
        username = "";
    }
    if (password == null) {
        password = "";
    }
    username = username.trim();

    // 3. Build a UsernamePasswordAuthenticationToken (the two-argument constructor calls setAuthenticated(false))
    UsernamePasswordAuthenticationToken authRequest = new UsernamePasswordAuthenticationToken(username, password);

    // Allow subclasses to set the "details" property
    setDetails(request, authRequest);

    // 4. Hand over to the AuthenticationManager (ProviderManager iterates over every AuthenticationProvider)
    return this.getAuthenticationManager().authenticate(authRequest);
}
```

In short:

1. the authentication request must be a POST;
2. username and password are read from the request;
3. they are wrapped in UsernamePasswordAuthenticationToken, an implementation of Authentication (the two-argument constructor calls setAuthenticated(false), so the token is not yet trusted);
4. AuthenticationManager.authenticate is called to verify them; see the ProviderManager part of this series.

AnonymousAuthenticationFilter

As the filter-order figure shows, AnonymousAuthenticationFilter sits after UsernamePasswordAuthenticationFilter and the other authentication filters. If none of the filters before it authenticated the request, Spring Security puts an AnonymousAuthenticationToken, the anonymous implementation of Authentication, into the current SecurityContextHolder:

```java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    // 1. If no earlier filter authenticated the request, the Authentication in the SecurityContextHolder is null
    if (SecurityContextHolder.getContext().getAuthentication() == null) {
        // 2. Populate the SecurityContextHolder with an anonymous AnonymousAuthenticationToken
        SecurityContextHolder.getContext().setAuthentication(createAuthentication((HttpServletRequest) req));
        if (logger.isDebugEnabled()) {
            logger.debug("Populated SecurityContextHolder with anonymous token: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'");
        }
    }
    else {
        if (logger.isDebugEnabled()) {
            logger.debug("SecurityContextHolder not populated with anonymous token, as it already contained: '"
                    + SecurityContextHolder.getContext().getAuthentication() + "'");
        }
    }
    chain.doFilter(req, res);
}

// 3. Create the anonymous AnonymousAuthenticationToken
protected Authentication createAuthentication(HttpServletRequest request) {
    AnonymousAuthenticationToken auth = new AnonymousAuthenticationToken(key, principal, authorities);
    auth.setDetails(authenticationDetailsSource.buildDetails(request));
    return auth;
}

/**
 * Creates a filter with a principal named "anonymousUser" and the single authority
 * "ROLE_ANONYMOUS".
 *
 * @param key the key to identify tokens created by this filter
 */
public AnonymousAuthenticationFilter(String key) {
    this(key, "anonymousUser", AuthorityUtils.createAuthorityList("ROLE_ANONYMOUS"));
}
```

So the filter:

1. checks whether the Authentication in the SecurityContextHolder is null;
2. if it is, puts an anonymous AnonymousAuthenticationToken (principal anonymousUser, authority ROLE_ANONYMOUS) into the current SecurityContextHolder.

ExceptionTranslationFilter

ExceptionTranslationFilter is the exception-handling filter. It does nothing on the way in; it catches the exceptions thrown during authentication and authorization by the filters after it (that is, by the next filter, FilterSecurityInterceptor), chiefly AuthenticationException and AccessDeniedException. For an AccessDeniedException raised while the current Authentication is anonymous (or remember-me) it starts the AuthenticationEntryPoint, which with form login means a redirect to the login page; for a fully authenticated user it calls the AccessDeniedHandler, which by default answers 403.

```java
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
        throws IOException, ServletException {
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;

    try {
        chain.doFilter(request, response);
        logger.debug("Chain processed normally");
    }
    catch (IOException ex) {
        throw ex;
    }
    catch (Exception ex) {
        // Try to extract a SpringSecurityException from the stacktrace
        // Is there an AuthenticationException in the cause chain?
        Throwable[] causeChain = throwableAnalyzer.determineCauseChain(ex);
        RuntimeException ase = (AuthenticationException) throwableAnalyzer
                .getFirstThrowableOfType(AuthenticationException.class, causeChain);
        if (ase == null) {
            // If not, is there an AccessDeniedException?
            ase = (AccessDeniedException) throwableAnalyzer.getFirstThrowableOfType(
                    AccessDeniedException.class, causeChain);
        }
        if (ase != null) {
            handleSpringSecurityException(request, response, chain, ase);
        }
        else {
            // Rethrow ServletExceptions and RuntimeExceptions as-is
            if (ex instanceof ServletException) {
                throw (ServletException) ex;
            }
            else if (ex instanceof RuntimeException) {
                throw (RuntimeException) ex;
            }
            // Wrap other Exceptions. This shouldn't actually happen
            // as we've already covered all the possibilities for doFilter
            throw new RuntimeException(ex);
        }
    }
}
```

FilterSecurityInterceptor

This filter is the last one in the authentication/authorization filter chain; after it the real /persons service is invoked.

```java
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
        throws IOException, ServletException {
    FilterInvocation fi = new FilterInvocation(request, response, chain);
    invoke(fi);
}

public void invoke(FilterInvocation fi) throws IOException, ServletException {
    if ((fi.getRequest() != null)
            && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
            && observeOncePerRequest) {
        // filter already applied to this request and user wants us to observe
        // once-per-request handling, so don't re-do security checking
        fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
    }
    else {
        // first time this request being called, so perform security checking
        if (fi.getRequest() != null) {
            fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
        }

        // 1. before invocation (the important part)
        InterceptorStatusToken token = super.beforeInvocation(fi);
        try {
            // 2. invoke the real /persons service
            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
        }
        finally {
            super.finallyInvocation(token);
        }

        // 3. after invocation
        super.afterInvocation(token, null);
    }
}
```

Three steps: (1) before invocation, the important one; (2) invoke the real /persons service; (3) after invocation.

Of the three, #1 matters most: during beforeInvocation the AccessDecisionManager is asked whether the already-authenticated user is allowed to access this resource.

```java
// AbstractSecurityInterceptor
protected InterceptorStatusToken beforeInvocation(Object object) {
    ...
    Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
    ...
    Authentication authenticated = authenticateIfRequired();

    // Attempt authorization
    try {
        // 1. the key call
        this.accessDecisionManager.decide(authenticated, object, attributes);
    }
    catch (AccessDeniedException accessDeniedException) {
        publishEvent(new AuthorizationFailureEvent(object, attributes, authenticated, accessDeniedException));
        throw accessDeniedException;
    }
    ...
}
```

authenticated is the current Authentication; but what are object and attributes?

```java
Collection<ConfigAttribute> attributes = this.obtainSecurityMetadataSource().getAttributes(object);
```

Debugging

Stepping through in the debugger (screenshot not reproduced) shows that object is the current request URL, /persons, and that getAttributes matches the path being accessed against the rules we defined ourselves:

```java
protected void configure(HttpSecurity http) throws Exception {
    http.formLogin() // form login instead of the default httpBasic
        .loginPage(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL) // redirect target when a URL needs authentication
        .loginProcessingUrl(SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM) // URL that processes the custom login form
        .and()
        .authorizeRequests()
        .antMatchers(SecurityConstants.DEFAULT_UNAUTHENTICATION_URL,
                SecurityConstants.DEFAULT_SIGN_IN_PROCESSING_URL_FORM,
                SecurityConstants.DEFAULT_REGISTER_URL,
                "/**/*.js", "/**/*.css", "/**/*.jpg", "/**/*.png", "/**/*.woff2")
        .permitAll() // none of the above require authentication
        .anyRequest() // every other request
        .authenticated() // requires authentication
        .and()
        .csrf().disable(); // disable CSRF protection
}
```

Entries 0-7 return permitAll, i.e. no authentication needed; entry 8 corresponds to anyRequest and returns authenticated, i.e. the current request needs authentication.

The debugger (screenshot not reproduced) also shows that the current authenticated is an anonymous AnonymousAuthenticationToken whose principal is anonymousUser. So how does the AccessDecisionManager authorize?

By default Spring Security uses AffirmativeBased, whose decide method is the AccessDecisionManager implementation that performs the authorization:

```java
public void decide(Authentication authentication, Object object,
        Collection<ConfigAttribute> configAttributes) throws AccessDeniedException {
    int deny = 0;

    // 1. Ask every AccessDecisionVoter to vote
    for (AccessDecisionVoter voter : getDecisionVoters()) {
        int result = voter.vote(authentication, object, configAttributes);
        if (logger.isDebugEnabled()) {
            logger.debug("Voter: " + voter + ", returned: " + result);
        }
        switch (result) {
        // 1.1 A single ACCESS_GRANTED vote is enough: return at once
        case AccessDecisionVoter.ACCESS_GRANTED: // 1
            return;
        // 1.2 Count every ACCESS_DENIED vote
        case AccessDecisionVoter.ACCESS_DENIED: // -1
            deny++;
            break;
        default:
            break;
        }
    }

    if (deny > 0) {
        // 2. Nobody granted access and at least one voter denied it: access is denied
        throw new AccessDeniedException(messages.getMessage(
                "AbstractAccessDecisionManager.accessDenied", "Access is denied"));
    }

    // To get this far, every AccessDecisionVoter abstained
    checkAllowIfAllAbstainDecisions();
}
```

So:

1. every AccessDecisionVoter is asked to vote;
2. a single ACCESS_GRANTED vote is enough and decide returns immediately;
3. otherwise each ACCESS_DENIED vote increments deny, and if deny > 0 (one denial is enough) an AccessDeniedException (not authorized) is thrown;
4. if every voter abstained, checkAllowIfAllAbstainDecisions decides; allowIfAllAbstainDecisions is false by default, so that case also ends in an AccessDeniedException.

WebExpressionVoter.vote():

```java
public int vote(Authentication authentication, FilterInvocation fi,
        Collection<ConfigAttribute> attributes) {
    assert authentication != null;
    assert fi != null;
    assert attributes != null;

    WebExpressionConfigAttribute weca = findConfigAttribute(attributes);
    if (weca == null) {
        return ACCESS_ABSTAIN;
    }

    EvaluationContext ctx = expressionHandler.createEvaluationContext(authentication, fi);
    ctx = weca.postProcess(ctx, fi);

    return ExpressionUtils.evaluateAsBoolean(weca.getAuthorizeExpression(), ctx)
            ? ACCESS_GRANTED : ACCESS_DENIED;
}
```

At this point authentication is the current user, fi the resource being accessed and attributes the decision attached to that resource (here: whether authentication is required). What remains is to evaluate whether the current user's authorities (Authentication.getAuthorities()) satisfy the expression for fi. For our anonymous user the authenticated expression evaluates to false, so the vote is ACCESS_DENIED, AffirmativeBased throws AccessDeniedException, and ExceptionTranslationFilter, seeing an anonymous Authentication, redirects to the login page.


Serious Security: When cryptographic certificates attack

Artificial intelligence, fuzzy logic, neural networks, deep learning…

…any tools that help computers to behave in a way that’s closer to what we could call “thinking” are immensely useful in fighting cybercrime.

That’s because what’s generally known today as machine learning is good at dealing quickly with immense amounts of threat-related data, pruning out the many irrelevancies to leave the interesting and important stuff in clear sight.

But don’t knock human savvy just yet!

Sometimes, a single, informed glance by a human expert is more than enough, like this great tweet from last week by computer security practitioner Paul Melson:


"Do you see what I see? -----BEGIN CERTIFICATE----- UEsDBBQ…"

Melson didn’t say exactly how or where he came across the file mentioned in his tweet. Given that he describes himself as an “unrepentant blue teamer” (someone whose job is to keep unwanted visitors out of a network, or to find and eject those who have already sneaked in), it’s reasonable to infer that he oughtn’t, and isn’t planning, to tell us. Let’s just assume he spotted the file as part of ruining some malicious hacker’s sneaky experiments.

If you’re a security researcher yourself, you’re probably going, “Hey, that’s cool!” (Or, perhaps more appropriately, “That’s very uncool .”)

But if you aren’t a sysadmin, you might be wondering what the fuss is about, so we figured it would be informative to dig into the story behind the story.

Why does the text -----BEGIN CERTIFICATE----- UEsDBBQ... ring all sorts of alarm bells, and what do those bells tell you?

Here goes.

Why the alarm bells?

If you’ve ever dealt with public key cryptography (for example, setting up web servers to accept HTTPS connections) you’ll know you need a public/private keypair and a cryptographically signed certificate that vouches for your public key.

HTTPS relies on an underlying protocol called TLS, short for Transport Layer Security, and most TLS systems use a file format called X.509 to store their cryptographic material.

X.509 is a product of the 1980s telecommunications world, and follows the fashions of that era: its native representation relies on a rather complicated binary encoding called DER (Distinguished Encoding Rules), which is, in turn, based on the resoundingly-named Abstract Syntax Notation One (ASN.1).

Let’s make a self-signed certificate of our own to play with (we used Lua code here, linked with LibreSSL, but you don’t need to reproduce what we did, so don’t worry if you aren’t a programmer):

[screenshot: Lua/LibreSSL code creating a self-signed certificate]

We saved the raw binary data of the certificate as a DER file, giving us a decidedly text-unfriendly certificate that looks like this when dumped:

[screenshot: hex dump of the DER file]

Even with the careful help of LibreSSL’s built-in ASN.1 parser, we get the still-not-very-readable:

[screenshot: LibreSSL ASN.1 parser output for the same certificate]

To make X.509 certificates more robust (so you can add them to emails, keep them in text files and so on without risk of corruption) they are usually saved in Privacy-Enhanced Mail format, or PEM for short:

[screenshot: the same certificate in PEM format]

PEM files consist of the raw DER data converted into base64, a text-only format in which four text characters are used to encode every three bytes of binary data, thus sticking to plain ASCII and avoiding control characters, risky punctuation marks and so on.

So, as a security practitioner, you’ll quickly get used to seeing -----BEGIN CERTIFICATE----- in security-related files.

In fact, you sort-of stop noticing certificates after a while: they aren’t supposed to be secret, and any modification, whether by accident or design, automatically renders them useless.

So why would Melson’s rogue certificate stand out?

Certificates are there to share. Every time someone connects to your website, you send them a copy of your certificate, which contains your public key and a digital signature by which a trusted third party vouches for the fact that it really is your public key, issued for your website.

What are certificates supposed to look like?

Let’s dump the first few bytes of the 149 certificates that are built into Mozilla products as officially-trusted certificate authorities. These are the trusted third parties that Mozilla currently accepts as fit to vouch for websites that you visit with Firefox:

[screenshot: first bytes and DER lengths of the Mozilla root certificates]

Note that every certificate starts with the bytes 30 82 0x.

That’s because the DER encoding of a certificate always kicks off like this:

30 - what follows is an ASN.1 SEQUENCE of objects
82 - long-form length: the next 2 bytes encode the length of the rest of the objects
HH - the high 8 bits of the 2-byte length
LL - the low 8 bits of the 2-byte length

The lengths of all these Mozilla “root” certificates range from 442 to at most 2007 bytes, so their encoded lengths (4 bytes less, for the header itself) are never lower than 0x0100 (256 in decimal), and never bigger than 0x07FF (2047), so their X.509 encodings always start with one of these sequences:

30 82 01 00
30 82 01 01
30 82 01 02
. . .
30 82 07 fd
30 82 07 fe
30 82 07 ff

We’ve printed the hexadecimal length of each DER file in the chart above; it always comes out as 4 plus the length encoded into the SEQUENCE mark, which accounts for the four bytes used for the sequence mark itself, plus the length of the sequence.

Now, when you convert three bytes starting 30 82 0x into base64 notation, you end up with four encoded bytes like this…

Raw Base64
------ ------
30 82 00 MIIA
30 82 01 MIIB
30 82 02 MIIC
30 82 03 MIID
30 82 04 MIIE
. . .

…and so on.

In fact, you get this pattern all the way to 30 82 3f:

Raw Base64
------ ------
. . .
30 82 3d MII9
30 82 3e MII+
30 82 3f MII/
30 82 40 MIJA
30 82 41 MIJB

In other words, for any X.509 certificate whose encoded length is between 0x0100 (256) and 0x3FFF (16,383) bytes, which covers every real certificate you are likely to meet, the first three base64 characters of the corresponding PEM data will always be MII.

And therefore -----BEGIN CERTIFICATE----- UEsDBBQ smells plain wrong!
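To make the length arithmetic concrete, here is an added Python example (not from the original article) that builds the outer SEQUENCE header for a range of lengths, base64-encodes its first three bytes, and parses such a header back out of raw DER to check that the declared length accounts for the whole file. It uses only the standard library; the sample lengths and the blob at the bottom are constructed for the example. One caveat the example makes visible: for encoded lengths from 128 to 255 the long form has a single length byte (30 81 xx) and the prefix is MIG or MIH rather than MII, so a detection rule is better written against the parsed SEQUENCE header than against three fixed characters.

```python
"""Why a PEM certificate body starts with "MII": the DER outer SEQUENCE header.

Added example, not code from the original article. Constructed inputs only.
"""
import base64

SEQUENCE_TAG = 0x30


def der_sequence_header(content_len: int) -> bytes:
    """Encode the outer SEQUENCE tag and length for a body of content_len bytes.

    DER uses the short form (one byte) for lengths below 128 and otherwise the
    long form: 0x80 | number-of-length-bytes, then the big-endian length, using
    the minimal number of length bytes.
    """
    if content_len < 0x80:
        return bytes([SEQUENCE_TAG, content_len])
    length_bytes = content_len.to_bytes((content_len.bit_length() + 7) // 8, "big")
    return bytes([SEQUENCE_TAG, 0x80 | len(length_bytes)]) + length_bytes


def base64_prefix(data: bytes, nchars: int = 3) -> str:
    """The first nchars base64 characters of data, i.e. the start of a PEM body."""
    return base64.b64encode(data).decode("ascii")[:nchars]


def parse_der_header(data: bytes):
    """Return (header_len, content_len) for the outer SEQUENCE, or None when the
    bytes cannot be the start of a DER SEQUENCE."""
    if len(data) < 2 or data[0] != SEQUENCE_TAG:
        return None
    first = data[1]
    if first < 0x80:                      # short form
        return 2, first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:       # 0x80 means indefinite length, which DER forbids
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")


def looks_like_der_sequence(data: bytes) -> bool:
    """True when the outer SEQUENCE length exactly accounts for the whole file,
    which is the shape of a well-formed DER certificate."""
    parsed = parse_der_header(data)
    if parsed is None:
        return False
    header_len, content_len = parsed
    return header_len + content_len == len(data)


if __name__ == "__main__":
    # Every length from 0x0100 to 0x3FFF encodes as 30 82 HH LL and the first three
    # base64 characters are "MII"; at 0x4000 the prefix changes to "MIJ".
    for n in (0x80, 0x0100, 0x01B6, 0x07D3, 0x3FFF, 0x4000):
        hdr = der_sequence_header(n)
        print(f"{n:#06x}  {hdr.hex(' '):14}  {base64_prefix(hdr)}")
    # A constructed DER-shaped blob whose outer length is consistent, and one that is not
    blob = der_sequence_header(300) + bytes(300)
    print(looks_like_der_sequence(blob), looks_like_der_sequence(blob + b"\x00"))
```

Running it prints MIG for 0x80, MII for every length from 0x0100 through 0x3FFF and MIJ from 0x4000 on, followed by True and False for the two blobs.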

Know your base64 magic

Actually, there’s more to it than that.

The first two characters of a base64 sequence decode to the first 12 bits of the original content, and many popular file types always start with the same two or more bytes.

Constant bytes at the start of files are known in the jargon as magic numbers , because they magically tell you the type of the file.

More precisely, magic numbers give you a strong hint that a file will turn out to be of type X, or tell you that it can’t be of type Y or Z.

Here are some common examples:

[image: table of common file-type magic numbers]

Here are those sequences converted into base64 strings, shortened to just two or three characters for easy recognition:

[image: the same magic numbers as base64 prefixes]

Experienced security researchers will readily recognise dozens of these base64 “hints”, but even if you only memorise TV (which decodes to MZ) and UE (which decodes to PK), you will be able to spot loads of potentially malicious files at a glance.

The MZ file marker covers a whole range of Windows executable files, including both EXEs and DLLs, which share the same format.

And ZIP archives are used for many purposes, including by Android apps, which come with a .APK extension but are stored in ZIP format, and Microsoft Word files, which use a variety of different internal layouts, including ZIP.

All of this raises the question, “What had Melson spotted?”

From the UE at the start, you can tell at once it was a ZIP file, but what was inside?

It turned out to be an Excel spreadsheet complete with macros (embedded program code) set to execute when the document was opened:

[screenshot: listing of the ZIP contents, an Excel workbook with macros]

VBA (Visual Basic for Applications) macros inside an Excel file are embedded into the component called xl/vbaProject.bin :

[screenshot: xl/vbaProject.bin inside the archive]

By default, Office won’t automatically run macros, so a little caution will keep you safe: crooks trying to spread malware this way not only have to persuade you to open the document but also have to trick you into clicking a button to [Enable macros].

Fortunately, it looks as though Melson spotted this one while the crooks were still messing around with the idea, because the embedded Auto_Open macro simply tries to run a program called C:\shell.exe that has already been installed in the root directory of the C: drive.

Given that the root directory is not writable by a regular user, any crook hiding malware there probably already has sysadmin powers, so this attack really doesn’t add much.

But it’s a neat way of hiding in plain sight, and it means that the crooks can use the inconspicuous and official Windows utility CERTUTIL.EXE to decode the file.

CERTUTIL knows to expect the -----BEGIN CERTIFICATE----- marker and therefore automatically strips it off before un-base64ing the enclosed data:

[screenshot: CERTUTIL decoding the PEM-wrapped file]

Of course, if you use CERTUTIL to verify the extracted “certificate” afterwards, you will immediately realise that it is bogus, because it isn’t in DER format at all:

[screenshot: CERTUTIL rejecting the decoded data, which is not DER]

…but the crooks already know that and can therefore use CERTUTIL as an attack utility rather than as a security tool.

What to do?

- Don’t trust files based only on filenames or the headers they include. The crooks don’t play by the rules, so they routinely mis-label data in the hope of staying off your radar a bit longer.
- Take care when you verify downloaded data. Make sure that the scripts or tools you use to validate untrusted files don’t themselves try to “assist” you by choosing a helper app based on what the files seem to be.

The second point sounds obvious but it is easily overlooked.

Notably, never double-click a file just to see what the operating system makes of it: you will often end up launching it, with all the security risks that entails, instead of merely viewing it.

Norton LifeLock Research Identifies American Cyber Literacy Gap

Norton LifeLock Enlists Former MythBuster Kari Byron To Expose Cyber Myths Placing Consumers’ Personal Information At Risk

MOUNTAIN VIEW, Calif. (BUSINESS WIRE) More than half of Americans (53 percent) don’t know that their data and personal information is not protected even if they enable privacy settings on social media apps or websites, according to a survey commissioned by Symantec (NASDAQ: SYMC) brand Norton LifeLock. In fact, once information is shared online, it’s no longer private and it can fall into the wrong hands, whether it’s compromised through a data breach, email scam or even someone familiar.

This is just one of several cyber myths Norton LifeLock identified in their recent online survey, conducted by The Harris Poll among more than 2,000 American adults. Regardless of age or gender, cyber myths coupled with poor cyber safety habits are likely hindering people’s ability to protect themselves from cyber crime.

Even Millennials and Gen-Z age groups, who are often seen as the most tech savvy generations, are less likely to know how to protect their digital and financial lives compared to older adults. More than one in four 18-to-34-year-olds (27 percent) believe it’s safe to send personal information through email if they have a strong password, compared to only six percent of seniors (65+) and 11 percent of 54-to-64-year-olds. Similarly, more than 4 in 10 of 18-34-year-olds (44 percent) believe or are unsure if it’s usually okay to ignore browser and security warnings about questionable websites and proceed to the site, compared to only 17 percent of seniors.

“We find people have many misconceptions and unfounded beliefs about the safety of their data online,” said Paige Hanson, Chief of Identity Education, Symantec. “Cyber criminals are ruthless and determined to take advantage of consumers’ digital and financial well-being, so we hope to educate and help consumers protect themselves by sharing common myths and clarifying the facts about real online dangers.”

To help educate consumers and bring the story to life, Norton LifeLock enlisted myth busting expert, author and producer Kari Byron to take part in a five-part educational video series, helping close the cyber literacy gap and foster cyber safe behavior.

“I’m deeply passionate about digging into closely held beliefs and uncovering truths, which is why I’m excited to help Norton LifeLock with this fun, easy to understand video series,” said Byron. “You don’t know what you’ve got until it’s gone and that includes your data, your privacy, or even your identity.”

What Are the Cyber Security Myths Dispelled by Norton LifeLock?

Smart Phone Hygiene

Cyber Myth: One in 8 Americans (13 percent) believe hackers cannot gain access to data and personal information on a locked mobile phone.

Cyber Fact: Locking your phone is important, but not enough. Without touching your phone, hackers can gain access to your data and personal information in the cloud where it’s stored. They can also trick you into installing a malicious app that enables them to steal account information and even look at your email and texts. To help keep your phone protected, use a complex password, install security software, only use trusted Wi-Fi, and be careful about who you let use your phone.

Private Browsing

Cyber Myth: About 1 in 5 Americans (19 percent) believe that turning on private browsing hides their online activity from their internet service provider.

Cyber Fact: Private browsing may only hide certain activities, such as browsing history on the device itself, and it does not conceal online activity from your internet service provider, the websites you visit or your employer. To help hide your online activity, try a virtual private network service (VPN). Using a VPN will encrypt the data you send and receive while using public Wi-Fi so you can pay bills, check email and privately surf the web.

Credit Freezes and Identity Theft

Cyber Myth: More than half of Americans (54 percent) don’t know that freezing their credit after a data breach doesn’t prevent their identity from being stolen. Additionally, 52 percent believe or are unsure whether their bank or financial institution will handle all consequences that result from identity theft, including stolen funds reimbursement, credit repair, and reinstating ability to take out loans.

Cyber Fact: Your identity can be stolen even if you freeze your credit. A credit freeze will only prevent thieves from opening new accounts in your name where a credit report is required. It doesn’t protect existing financial accounts or prevent them from filing fake tax returns in your name. While a credit freeze is a good idea if your data is breached, identity theft protection services could help you see potential threats that a credit freeze can’t catch.

The Dark Web

Cyber Myth: More than half of Americans (52 percent) believe it’s impossible or are unsure if they can find out if their personal information is on the dark web.

Cyber Fact: Your personal information (names, Social Security numbers, birthdays) can be bought and sold on the dark web, typically for less than $1.50 per record [1]. An identity theft protection service can patrol the dark web and notify you if it finds your information on the sites it searches [2].

Ransomware

Cyber Myth: More than one-third of Americans (35 percent) don’t know that paying off a ransomware attack will not ensure they regain access to their files.

Cyber Fact: If a hacker targets you and you pay the ransom, you may not get your files back, and, if they can make you pay once, you could be targeted again. With the average ransom costing $522, that’s an expensive way to learn the truth. To help protect yourself, back up your data regularly, invest in security software, and keep your software and operating system up to date.

Check out the video series with Kari Byron here.

Survey Methodology:

This survey was conducted online within the United States by The Harris Poll on behalf of Norton LifeLock from July 31 to August 2, 2018 among 2,012 U.S. adults ages 18 and older. This online survey is not based on a probability sample and therefore no estimate of theoretical sampling error can be calculated.

About Symantec

Symantec Corporation (NASDAQ: SYMC), the world’s leading cyber security company, helps organizations, governments and people secure their most important data wherever it lives. Organizations across the world look to Symantec for strategic, integrated solutions to defend against sophisticated attacks across endpoints, cloud and infrastructure. Likewise, a global community of more than 50 mi

2018 Annual Digest of Identity and Access Management

Identity and Access Management continues to be a key component in building an enterprise’s cyber security strategy. Today we are presenting our observations of Identity and Access Management in 2018. What happened this year? What can enterprises learn from events in the media in terms of Cyber Security in general, and Identity and Access Management specifically?

Here is a brief timeline of significant regulations, data breaches and world events that were marked by the media, including Gemalto sources, and what these events signified in the Identity and Access Management arena:

Q1

February 1

PCI DSS 3.2 takes effect

What happened

This payment card standard affects individuals who access systems which hold credit card data. From February 1, 2018, requirement 8.3 of version 3.2 obliges them to authenticate with multi-factor authentication for all non-console administrative access to the cardholder data environment and for all remote network access into it. The Payment Card Industry Data Security Standard was developed to encourage and enhance cardholder data security and facilitate broad adoption of consistent data security measures globally. The ultimate aim is to reduce credit card fraud.

Lessons learned

Companies should already be far along the road to PCI DSS 3.2 compliance by now. They should be prioritizing compliance by working with partners on encryption, key management and authentication.

Q2

May 19

The Royal Wedding

What happened

When Prince Harry married Meghan Markle, thousands of reporters were present, and yet the details of Meghan’s dress, its manufacturer and its designer remained a secret. While the inner workings of the dress designer, Givenchy, and the Royal Family network will remain privileged, it seems that part of the reason the secret held was that the work was confined to locations which were secured physically.

Lessons learned

Physical seclusion is not always possible for fashion industries and other global enterprises today. They often collaborate on Computer Aided Design (CAD) software alongside cloud-based applications, and some require reports that provide visibility into login attempts into their ecosystem. An identity and access management solution as a service (IDaaS) can help fashion enterprises or governmental institutions ensure that only the right person receives the right information at the right time, without endangering the enterprise or its end customers.

May 25

General Data Protection Regulation (GDPR) begins

What happened

The General Data Protection Regulation (GDPR) requires companies to be more accountable to their EU-based users on how their data is controlled and used. It also requires companies to notify their local data protection authority of suspected data breaches.

Lessons learned

Although GDPR can fine organizations for data breaches, these fines may be reduced if the organizations can prove that they have deployed security controls to minimize damage. To help your organization handle GDPR, identity and access management provides a first line of defense for the sensitive user data harbored in your company’s cloud and web apps. With scenario-based policies and convenient access management, you can help your enterprise avoid GDPR’s costly fines or sanctions.

Q3

August 1

Reddit’s Company Cloud Attacked

What happened

Reddit, the social media platform, considered to be the 5th top rated website in the U.S., disclosed that a few of its employees’ administrative accounts had been hacked. After compromising those accounts, an attacker gained access to data through Reddit’s company cloud.

Lessons learned

Reddit did in fact have its sensitive resources protected with two-factor authentication (2FA), but the second factor was SMS-based, and Reddit subsequently encouraged users to move to token-based 2FA. For years corporations and security professionals have been urged to implement multi-factor authentication (MFA) as the solution for cybersecurity concerns. While MFA isn’t a silver bullet that solves all your cybersecurity concerns, it is a key component in elevating the security of an organization and adding a very important layer of protection, and the Reddit case shows that the strength of the second factor matters too.

September 25

Facebook Mega Breach

What happened

The September 2018 Facebook breach was not only a ‘mega’ breach in terms of the 50 million compromised users affected, but also a severe breach due to the popularity of the social media giant. Cyber criminals got hold of tokens that let them act as logged-in Facebook users. The breach was compounded by the fact that many users utilize their Facebook credentials to log into other sites, which means that the attackers could potentially reach not only a user’s Facebook account, but also the other accounts that rely on Facebook login.

Lessons learned

The risks that consumers were exposed to as a result of buffet-style sign-on in the Facebook case also apply to the enterprise. Fortunately, there is a solution: to maintain the convenience of single sign-on without compromising on security, enterprises can use Smart Single Sign On.

Q4

November 30

Quora and Marriott Hotels announce massive breaches of user data

What happened

The Q&A site Quora suffered a massive breach of user data, including the compromise of 100 million users’ credentials. On the same day, the Marriott International hotel chain suffered a serious breach, allegedly undetected for 4 years!

Lessons learned

In the Quora case, as with Facebook, accounts are linked to other sites such as games and quizzes, so that access to one account opens the door to related data. The Marriott incident shows that it’s not enough to protect your data; it also involves the access issues that come with mergers and acquisitions, in this case the merging of the Starwood reservation system with Marriott’s. You need to see who is accessing your networks and whether there is any unusual activity, right from the start. Monitoring and reporting capabilities in an access management solution can help organizations gain insight into unauthorized access attempts.

Identity and Access Management as a Strategy, 2019-style:

In 2019, it is inevitable that there will be more cyber security violations, including corporate identity theft. And it’s likely that more regulations will be put in place to force enterprises to be proactive, not just reactive.

The question is what organizations will do to brace for these breaches. For more information on how your enterprise can prevent breaches, securely enable the continuous business transformation of its resources and simplify compliance, learn more about Gemalto’s SafeNet Identity and Access Management, request a 30-minute demo of SafeNet Trusted Access or watch our video, “How Access Management Enables Cloud Compliance.”

CoinPoker offers 1,000,000 CHP to anyone who debunks their transparent card shuf ...


Cryptocurrency poker platform CoinPoker releases open source random number generation software, allowing players to participate in card shuffling and verify the fairness of hands. The software is an attempt to revolutionize the industry, and CoinPoker offers a 1,000,000 CHP Bug Bounty to testers who can find software flaws.

Long before CoinPoker was established in 2017, the online poker industry struggled with giving players transparent and secure poker games. Card shuffling software and random number generators have been the objects of scrutiny from suspicious players, and building trust is something that many poker sites struggle with.

This is partly because of unfair practices and cheating, which are prevalent even in the biggest poker rooms on the market. From PlanetPoker, the first market leader in online poker, through to Full Tilt more recently, players were cheated. With transparency being the industry’s Achilles’ heel, CoinPoker is bringing unprecedented security and transparency.

Introducing Transparent Card Shuffling in Online Poker

Traditionally, online poker rooms have been secretive about their card shuffling software. Players have been unable to verify that these closed systems shuffle the cards in a truly fair manner.

Using one-way cryptographic hash functions, CoinPoker’s new card shuffler makes it possible for the room to safely disclose information about the shuffling process. The new random number generator uses encrypted input from all players to create a collective shuffle factor, which can later be used to verify if the shuffle was fair.

Players can also use the RNG’s Hand Hindsight feature to view undealt cards from previous hands. No real money online poker site has previously provided this feature to the public.

The software is open source and can now be reviewed on GitHub.
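The commit-and-reveal collective shuffle described above, written out as an added illustration; this is not CoinPoker’s code, whose exact construction the article only summarizes. Each player commits to a hash of a seed before the hand and reveals the seed afterwards, the revealed seeds are folded into one shuffle factor, that factor drives a deterministic Fisher–Yates shuffle, and the room publishes a hash of the resulting deck order before dealing so that any player can recompute and verify it later. The hash choice, seed-combination rule, keyed stream and the sample seeds are assumptions made for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Contribution is one player's share of the collective shuffle factor: the hash is
// published before the hand (commit), the seed only after it (reveal).
type Contribution struct {
	Player     string
	Commitment string // hex(SHA-256(Seed)), published before the deal
	Seed       []byte // revealed after the hand
}

// Commit returns the hex SHA-256 commitment for a seed.
func Commit(seed []byte) string {
	sum := sha256.Sum256(seed)
	return hex.EncodeToString(sum[:])
}

// CombineSeeds checks every revealed seed against its commitment and folds them, in
// player order, into one collective factor. A single honest player's unpredictable
// seed is enough to make the factor unpredictable to everyone else.
func CombineSeeds(cs []Contribution) ([]byte, error) {
	if len(cs) == 0 {
		return nil, errors.New("no contributions")
	}
	h := sha256.New()
	for _, c := range cs {
		if Commit(c.Seed) != c.Commitment {
			return nil, fmt.Errorf("player %s: revealed seed does not match commitment", c.Player)
		}
		h.Write(c.Seed)
	}
	return h.Sum(nil), nil
}

// Shuffle is a deterministic Fisher-Yates shuffle of a 52-card deck. Randomness comes
// from an HMAC-SHA256 counter stream keyed with the factor, so anyone holding the same
// factor reproduces the same order; rejection sampling avoids modulo bias.
func Shuffle(factor []byte) [52]int {
	var deck [52]int
	for i := range deck {
		deck[i] = i
	}
	var ctr uint32
	next := func() uint64 {
		mac := hmac.New(sha256.New, factor)
		var buf [4]byte
		binary.BigEndian.PutUint32(buf[:], ctr)
		ctr++
		mac.Write(buf[:])
		return binary.BigEndian.Uint64(mac.Sum(nil)[:8])
	}
	for i := len(deck) - 1; i > 0; i-- {
		bound := uint64(i + 1)
		limit := (^uint64(0) / bound) * bound // largest multiple of bound that fits
		r := next()
		for r >= limit {
			r = next()
		}
		j := int(r % bound)
		deck[i], deck[j] = deck[j], deck[i]
	}
	return deck
}

// DeckCommitment is what the room publishes before dealing: a hash of the full order.
func DeckCommitment(deck [52]int) string {
	h := sha256.New()
	for _, card := range deck {
		h.Write([]byte{byte(card)})
	}
	return hex.EncodeToString(h.Sum(nil))
}

// Verify is the player-side check after the hand: rebuild factor and deck from the
// revealed seeds and compare with the commitment published before the deal.
func Verify(cs []Contribution, published string) (bool, error) {
	factor, err := CombineSeeds(cs)
	if err != nil {
		return false, err
	}
	return DeckCommitment(Shuffle(factor)) == published, nil
}

func main() {
	// constructed seeds; real clients would draw them from crypto/rand
	players := []Contribution{
		{"alice", Commit([]byte("alice-seed-1")), []byte("alice-seed-1")},
		{"bob", Commit([]byte("bob-seed-1")), []byte("bob-seed-1")},
		{"room", Commit([]byte("room-seed-1")), []byte("room-seed-1")},
	}
	factor, _ := CombineSeeds(players)
	deck := Shuffle(factor)
	published := DeckCommitment(deck)
	ok, _ := Verify(players, published)
	fmt.Println("first five cards:", deck[:5], "commitment:", published[:16], "verified:", ok)
}
```

The commitment step is what makes the “prove a seed exists that improves your odds” bounty condition meaningful: because every seed is fixed by its hash before any other seed is known, a player who tries to substitute a favourable seed at reveal time fails the commitment check rather than influencing the deck.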

How to Collect a 1,000,000 CHP Bug Bounty

In line with its vision for transparent poker, CoinPoker openly invites software experts and cryptography enthusiasts to test the new software for bugs. If the card shuffler can be proven wrong, the reward is 1,000,000 CHP tokens.

The objective is to combat any doubts about the software’s integrity, and in the process eliminate any errors should they exist. The Bug Bounty goes to anyone who can fulfill one of the following conditions*:

1. Prove that players do not have an equal possibility to participate in the card deck shuffling.
2. Prove that a player cannot impact card deck shuffling with the following rules:
3. Prove the existence of a seed that enhances the probability of winning.
4. Decode the initial deck’s cards from card hashes at the beginning of a hand.

For more details visit CoinPoker’s official Bug Bounty page, or contact their support team on Telegram or by email.

*Terms and conditions apply; for more details click here.

The post CoinPoker offers 1,000,000 CHP to anyone who debunks their transparent card shuffling software appeared first on AMBCrypto.

Beyond Scanning: Don’t Let AppSec Ignorance Become Negligence


In recent months, as I’ve worked with more and more prospects and customers, I’ve started to see an interesting trend: as more agile dev teams become responsible for their own security posture, they are relying on the operations team to “plug an AppSec tool” into their CI/CD pipeline to resolve their AppSec. While I agree with the sentiment that security needs to be embedded in the build process, I am always surprised that a “tool integrated into a CI/CD pipeline” is as far as the planning typically goes. That said, I was told by one of my best mentors that consistency should never be a surprise.

When I ask these same teams, “once you plug a tool into your CI/CD and you get results, what are your next steps?” I am mainly met with little to no response. Basically, these teams are going from ignorance of their application security state, to knowledge of security-related defects in their code, to security negligence by not acting to address these risky defects.

I have even seen AppSec programs that check all the boxes: they have solid, prioritized app inventories; executive sponsorship; integrations; remediation and mitigation points; policy management; multiple testing techniques; and centralized reporting. Yet some agile teams are stepping in and taking a “tool approach” that focuses only on scanning instead. This is not only short-sighted, but also reveals a knowledge gap about what it takes to make an AppSec program successful as security hands the program to individual agile dev teams. When I check in on these security teams, inevitably all the early momentum they leveraged to overcome cultural hurdles and foster a “security is everyone’s responsibility” mentality has come to a halt. This includes the aspirational goals around passing policy and establishing remediation checkpoints. This is not because development is doing the scanning directly (they should do this), but because governance of the larger AppSec outcomes has faded away. Ops seems more interested in how many scans they can do per day … with no further outcome.

Don’t fall into this trap. You can’t scan your way to secure code. Security teams still need to be a part of the security picture as scanning occurs in the CI/CD pipeline. Here are three key aspects of application security “beyond scanning” that will produce real risk reduction from your efforts:

Secure coding education:

The easiest flaw to fix is the one that is never introduced in the first place. However, most developers don’t have secure coding skills. While it is great to have a scanner built into the CI/CD pipeline, it is just as important to shift testing “left.” With tools like Veracode’s Greenlight, developers can fix flaws in real time in their IDE while building their applications. In turn, developers learn as they code and reduce the number of flaws introduced over time. In addition, to help drive secure coding education, Veracode provides a number of options for sharing best practices, including instructor-led training such as lunch-and-learns, eLearning on AppSec, and developer workshops on secure coding.

Fixing what you find:

Ultimately, your AppSec program is not effective if you’re not fixing what you find. You can scan every piece of code you write, but without adequate training and guidance, you will not create more secure code. In fact, you will delay developer timelines and still produce vulnerable code. Enabling developers with both a scanning tool and remediation and mitigation guidance is key. At Veracode, we conduct over 5,000 consultation calls a year with development teams, guiding them through fixing flaws they have never had to address before. And we’ve found that after only one to two of these calls, developers’ secure coding know-how improves dramatically.

In addition, your AppSec program also needs to be set up to enable remediation guidance.

For instance, every scan completed should be assessed against a policy ― not a policy that changes how you scan or what is discovered, but rather a filter of the results to see if you passed or failed based on the parameters you set for risk tolerance. This policy should also include: how often does a team need to scan, how long do they have to fix certain flaws based on severity/criticality, and what scanning techniques must be used. In addition, you need remediation time built in between scans. Just scanning multiple times a day and pulling results into a tracking system is not useful if no one has the bandwidth to fix anything. You are better off setting a realistic scanning schedule (once a day) so developers have time to fix what they find. You can increase scan frequency as you become more secure and are passing policy on a regular basis.
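The policy filter described above, as an added example written for this article rather than any Veracode product feature: scan results are evaluated against a policy that fixes how often a team must scan, which techniques must run, which severity blocks outright, and how long a finding of each lower severity may stay open. The Finding, Scan and Policy types, the 1–5 severity scale and the sample findings are all constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Finding is one defect reported by a scan; FirstSeen is when it first appeared.
type Finding struct {
	ID        string
	Severity  int // 5 = very high ... 1 = very low (constructed scale)
	FirstSeen time.Time
}

// Scan is one completed scan with the techniques it ran and what it found.
type Scan struct {
	Completed  time.Time
	Techniques []string // e.g. "SAST", "DAST", "SCA"
	Findings   []Finding
}

// Policy is the risk-tolerance filter applied to results; it never changes what is scanned.
type Policy struct {
	MaxScanAge         time.Duration // how often a team must scan
	RequiredTechniques []string      // techniques that must have run
	BlockSeverity      int           // any open finding at or above this severity fails outright
	FixWindowDays      map[int]int   // severity -> days allowed before an open finding fails
}

// Evaluate applies the policy to a scan at time now and returns pass/fail with the
// reasons, sorted so the output is stable enough to diff between builds.
func Evaluate(p Policy, s Scan, now time.Time) (bool, []string) {
	var reasons []string
	if age := now.Sub(s.Completed); age > p.MaxScanAge {
		reasons = append(reasons, fmt.Sprintf("last scan is %s old; policy requires a scan every %s", age, p.MaxScanAge))
	}
	ran := map[string]bool{}
	for _, t := range s.Techniques {
		ran[t] = true
	}
	for _, req := range p.RequiredTechniques {
		if !ran[req] {
			reasons = append(reasons, "required scan technique not run: "+req)
		}
	}
	for _, f := range s.Findings {
		if f.Severity >= p.BlockSeverity {
			reasons = append(reasons, fmt.Sprintf("%s: severity %d is at or above the blocking threshold %d", f.ID, f.Severity, p.BlockSeverity))
			continue
		}
		days := int(now.Sub(f.FirstSeen).Hours() / 24)
		if window, ok := p.FixWindowDays[f.Severity]; ok && days > window {
			reasons = append(reasons, fmt.Sprintf("%s: severity %d open for %d days, fix window is %d days", f.ID, f.Severity, days, window))
		}
	}
	sort.Strings(reasons)
	return len(reasons) == 0, reasons
}

// ExamplePolicy is a constructed policy: daily scans, SAST and SCA required, severity 5
// blocks immediately, and lower severities get a time-boxed fix window.
func ExamplePolicy() Policy {
	return Policy{
		MaxScanAge:         24 * time.Hour,
		RequiredTechniques: []string{"SAST", "SCA"},
		BlockSeverity:      5,
		FixWindowDays:      map[int]int{4: 30, 3: 90, 2: 180},
	}
}

func main() {
	now := time.Date(2018, 12, 19, 12, 0, 0, 0, time.UTC)
	scan := Scan{ // constructed scan results
		Completed:  now.Add(-2 * time.Hour),
		Techniques: []string{"SAST"},
		Findings: []Finding{
			{"CWE-89-login", 5, now.Add(-24 * time.Hour)},
			{"CWE-79-search", 3, now.Add(-120 * 24 * time.Hour)},
			{"CWE-352-form", 2, now.Add(-10 * 24 * time.Hour)},
		},
	}
	pass, reasons := Evaluate(ExamplePolicy(), scan, now)
	fmt.Println("policy pass:", pass)
	for _, r := range reasons {
		fmt.Println(" -", r)
	}
}
```

Keeping the fix window in the policy rather than in the scanner is the point of the paragraph above: the scan output stays the same from run to run, and what changes the pass/fail verdict is whether the team has had, and used, the remediation time the policy grants.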

Scaling:

Can your security team help your development teams fix all the flaws their scans are finding? If you have multiple development teams working in different environments, this can be a nearly impossible task for one central security team. In addition, developers are naturally curious, so just giving them scan results without explaining the underlying technology that finds the flaws will lead to pushback.

Considering the skills shortage, engaging outside AppSec expertise goes a long way, both to establish your program’s goals and roadmap and keep it on track, and to guide you through fixing the flaws you find. We aren’t suggesting you replace your security team with consultants, but rather that you complement it with specialized AppSec expertise.

We’ve seen the difference this support makes: Veracode customers who work with our Security Program Managers grow their application coverage by 25 percent each year, decrease their time to deployment, and demonstrate better vulnerability detection and remediation metrics. In addition, Veracode has a fully staffed Advanced Integration Team. They work with global companies to help build out scanning in complex CI/CD environments that can vary by teams and regions. It is rare we see a one-and-done simple set-up that enables a full organization. Ultimately, our experienced Security Program Managers help you define the goals of your program, onboard and answer questions about Veracode products, and work with your teams to ensure that your program stays on track and continues to mature.

Vulcan plans to test AI security system on Seattle plaza, capable of scanning pa ...


Vulcan plans to test AI security system on Seattle plaza, capable of scanning passersby for threats

by Mark Harris on December 19, 2018 at 7:17 am (updated December 19, 2018 at 7:19 am)



[Image: part of Radio Physics Solutions’ Experimental License Request in its FCC application filing.]

A technology company working with Vulcan Inc. is seeking to install and test an AI-powered scanning system outside the company’s Seattle headquarters building, capable of sensing whether people walking by are concealing weapons or devices from a distance of up to 80 feet.

According to a document filed with the Federal Communications Commission, the scanner would be located at the entrance to Vulcan’s HQ at 505 5th Avenue South, in a position that would allow it to scan people walking through the plaza above the International District light rail station in Seattle.

Vulcan is the holding company for many of the late Microsoft co-founder Paul Allen’s ventures. The FCC document notes that Vulcan is interested in whether the scanner could be used to protect schools, and that Vulcan is considering investing in the scanner’s manufacturer, a British company called Radio Physics Solutions (RPS). RPS filed the FCC application.

“The proposed operations will take place intermittently,” wrote RPS in the FCC filing. “The screening results will be presented to staff on a real-time basis, allowing them to determine the effectiveness of the technology, which will allow them to evaluate their investment.”

The scanner ― called MiRTLE, for Millimetre-Wave Radar Threat Level Evaluation ― has already been tested inside Vulcan’s parking garage in late November, where it was used to scan a single Vulcan employee, according to other FCC documents, and confirmed by Vulcan. The device can conduct approximately 3000 scans per second, and the new FCC application requests permission to conduct tests over a period of 12 months.


It’s not clear how often the scanner will be active, or the extent to which it will scan people walking by. However, the FCC document contains an image of the plaza with the caption, “Objective: Have surveillance and detection system covering the plaza in front of the building. Get alert as early as possible before suspicious person/threat enters building.”

The MiRTLE scanner uses millimeter-wave radio signals similar to those found in airport security scanners. Like them, the RPS device can penetrate clothing to identify objects that traditional metal detectors might miss, such as plastic explosives or 3D-printed weapons.


[Image: a portion of a Radio Physics Solutions brochure describing the MiRTLE system.]

By sweeping a wide range of frequencies and using artificial intelligence to interpret the results, the MiRTLE scanners can also operate at long distances and on subjects that are moving. RPS claims the device can even distinguish between a hidden gun and a similarly sized phone or camera.

RPS has previously demonstrated its scanners to the Transportation Security Administration and at the entrance to a high school in Texas.

“Vulcan is constantly exploring new technologies and data-driven solutions to make the world a better place,” a spokesperson told GeekWire.

Millimeter wave scanners are not completely uncontroversial, as the high frequency radiation can theoretically heat up skin and cause mild tissue damage. An airport scan lasting just a few seconds reaches only about one tenth of the limit recommended by the International Commission on Non-Ionizing Radiation Protection (ICNIRP).

If RPS scans members of the public, however, exposure would not be controlled in the same way. Individuals sitting on benches or taking cigarette breaks might remain within the test area for many minutes, and thus be exposed to potentially millions of scans.

Gary King, CEO of RPS, told GeekWire: “[We] take safety very seriously, both in design and use of the product. [Our] safety calculations were presented to the FCC, which was completely satisfied with the safety of MiRTLE. Someone eating lunch in the plaza is very safe.”

King would not confirm the product’s technical performance but GeekWire’s calculations suggest that standing as close as 15 feet to the scanner for up to 45 minutes would not breach ICNIRP’s guidelines.

Millimeter-wave scanners have also raised privacy concerns. Airport scanners can produce realistic images of people’s body profiles beneath their clothes, as well as reveal medical devices or prostheses. Scanners in airports now typically mask specific body parts, and display only generic body images.

But MiRTLE works in a different way, the company says, without creating images or videos of the bodies it scans. “This system does not invade privacy,” says King. “The product does not and cannot image people.”

While RPS’s latest application is still pending approval by the FCC, the agency has permitted all of RPS’s previous tests in the US.

Huawei will spend $2 billion to rebuild its international reputation


A campaign against Huawei, led by the United States of America and joined by many other countries, has been under way for some months. The Chinese giant is under suspicion over its alleged ties with the Chinese government and is accused of posing a risk to world security.

The situation is deteriorating rapidly, particularly after the arrest of Huawei’s CFO in Canada on allegations of having violated the embargo against Iran, and it is likely to worsen with a new lawsuit in the United States.

After the United States, Canada, Australia and New Zealand, with Japan and France ready to follow, even the Czech Republic has forbidden local telephone operators to use Huawei technology to build 5G networks, speaking openly of “risks to national security”.


According to Dušan Navrátil, director of the National Cyber and Information Security Agency (NCISA), Chinese law requires private companies to cooperate with intelligence agencies. The fear is that Huawei and other Chinese manufacturers will install backdoors in their network devices to allow the Chinese government to intercept communications, which would represent a serious risk to global security.

Huawei will invest 2 billion dollars to upgrade the security infrastructure

The Chinese giant has not taken the accusations lying down: it rejects the charges levelled by Western countries and is going on the counterattack. Ken Hu, Huawei’s current rotating chairman, convened a press conference, inviting a number of journalists to the headquarters of Huawei Technologies Ltd.



Ken Hu said his company will invest two billion dollars over the next five years to upgrade its security infrastructure and make it even more effective. In a rare moment of openness, the journalists who attended the press conference were able to visit the laboratories of Huawei’s research and development center to see what Huawei is doing to improve.


tRat: a new modular RAT appearing in multiple spam email campaigns

Overview

TA505 is a highly active cybercrime group that the Proofpoint research team has been tracking. According to the data collected so far, the group has operated hundreds of Dridex campaigns since 2014 as well as the large-scale Locky campaigns of 2016 and 2017, many of which involved hundreds of millions of malicious messages worldwide. Recently the group has begun distributing a variety of remote access trojans (RATs) along with information stealers, loaders and network reconnaissance tools, including tRat, which we have not covered before.

tRat is a modular RAT written in Delphi that first appeared in campaigns in September and October of this year. This article gives a brief analysis of it.

Campaigns

On September 27, 2018, Proofpoint detected a malicious email campaign in which a malicious Microsoft Word document used macros to download tRat. The document carried Norton antivirus branding and, through its file name and an embedded image, told the user that the file was protected by a Kaspersky security product. The email subject line contained the words “secure shared file”; the same social engineering was used to get tRat installed:



On October 11, 2018, we observed another campaign distributing tRat. The actor behind it was TA505, and this campaign was more complex than the earlier one: it used both Microsoft Word and Microsoft Publisher files and varied the subject lines and sender addresses. Our analysis suggests the campaign targeted users at commercial banking institutions.

In this campaign, messages carrying malicious Microsoft Publisher documents were labelled as “invoices” and “delivery notes”. For example, one malicious email had the subject “Call notification-[random digits]-[random digits]” and carried an attachment named “Report.doc”:

The attachment contains a malicious macro which, once enabled, downloads tRat:


Malware analysis

Analysis of the malware samples shows that tRat achieves persistence by copying itself to the following location:

C:\Users\<user>\AppData\Roaming\Adobe\FlashPlayer\Services\Frame Host\fhost.exe

tRat then creates an LNK file in the Startup folder so that the target system executes the malicious code at boot:

C:\Users\<user>\AppData\Roaming\Microsoft\windows\StartMenu\Programs\Startup\bfhost.lnk

Most of tRat’s important strings are stored encrypted and hex-encoded. A Python script for decrypting these strings is provided. [script download]

tRat communicates with its remote C2 server over TCP (port 80); the data is encrypted and sent hex-encoded. To produce the decryption key, tRat concatenates three strings and generates an upper-case hex-encoded string. The strings decoded from our sample are:

"Fx@%gJ_2oK" "AC8FFF33D07229BF84E7A429CADC33BFEAE7AC4A87AE33ACEAAC8192A68C55A6" "&LmcF#7R2m"

We do not yet know whether these strings vary between malware samples.

To produce the key, tRat uses a 1536-byte table during decryption. We have not yet worked out the exact meaning of every element in the table, but we found that the code performs XOR operations and that some values used by the algorithm are taken from the encrypted data itself. [table download]

tRat’s initial network request is “ATUH_INF”; a decrypted sample looks like this:

MfB5aV1dybxQNLfg:D29A79D6CD2F47389A66BB5F2891D64C8A87F05AE3E1C6C5CBA4A79AA5ECA29F8E8C8FFCA6A2892B8B6E

This string contains two substrings separated by “:”. The first is a hard-coded identifier (an encrypted string); the second contains encrypted system data, for example:

FASHYEOHAL/nXAiDQWdGwORzt:3A176D130C266A4D

This data includes the infected host’s name, the system user name and the tRat bot ID.

So far we have not observed the tRat C2 server sending any new functional modules, so we cannot yet determine which capabilities newer versions of the malware will add.

Indicators of compromise (IoC)

IoC: cd0f52f5d56aa933e4c2129416233b52a391b5c6f372c079ed2c6eaca1b96b85

IoC type: SHA256

IoC description: tRat sample hash, September 27 campaign

IoC: cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b

IoC type: SHA256

IoC description: tRat sample hash, October 1 campaign

IoC: 51.15.70[.]74

IoC type: IP

IoC description: C&C
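An added example, not part of Proofpoint’s analysis or its published scripts, showing how the indicators in this article can be matched against endpoint telemetry: the two sample hashes, the C&C address and the two persistence paths (the copied binary under the fake Adobe path and the LNK in the Startup folder). The Event type, host names and telemetry records are constructed for the example; the indicator values are the ones given above. The path regexes accept both the article’s “StartMenu” spelling and the usual folder name with a space.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Event is a constructed, simplified endpoint telemetry record (loosely modelled on
// Sysmon file-create, process-create and network-connect events).
type Event struct {
	Host   string
	Kind   string // "file", "process" or "network"
	Value  string // file/image path for file and process events, destination IP for network events
	SHA256 string // image hash for process events, empty otherwise
}

// Alert is one indicator match.
type Alert struct {
	Host   string
	Reason string
}

// Indicators below are the ones published in the article above; nothing else is assumed.
var (
	sampleHashes = map[string]string{
		"cd0f52f5d56aa933e4c2129416233b52a391b5c6f372c079ed2c6eaca1b96b85": "tRat sample hash, September 27 campaign",
		"cdb8a02189a8739dbe5283f8bc4679bf28933adbe56bff6d050bad348932352b": "tRat sample hash, October 1 campaign",
	}
	c2Address = refang("51.15.70[.]74") // C&C, kept defanged as in the article
	// Persistence artefacts: the binary dropped under the fake Adobe path and the LNK in Startup.
	persistExe = regexp.MustCompile(`(?i)\\AppData\\Roaming\\Adobe\\FlashPlayer\\Services\\Frame Host\\fhost\.exe$`)
	persistLnk = regexp.MustCompile(`(?i)\\Start ?Menu\\Programs\\Startup\\bfhost\.lnk$`)
)

// refang turns a defanged indicator back into a comparable address.
func refang(s string) string { return strings.ReplaceAll(s, "[.]", ".") }

// Detect scans events and returns one alert per matched indicator.
func Detect(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		switch e.Kind {
		case "file", "process":
			if persistExe.MatchString(e.Value) {
				alerts = append(alerts, Alert{e.Host, "tRat persistence binary path: " + e.Value})
			}
			if persistLnk.MatchString(e.Value) {
				alerts = append(alerts, Alert{e.Host, "tRat Startup-folder LNK: " + e.Value})
			}
			if desc, ok := sampleHashes[strings.ToLower(e.SHA256)]; ok {
				alerts = append(alerts, Alert{e.Host, "known hash (" + desc + "): " + e.Value})
			}
		case "network":
			if e.Value == c2Address {
				alerts = append(alerts, Alert{e.Host, "connection to tRat C&C " + e.Value})
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed telemetry batch: one host showing every tRat indicator
// and one clean host, so the detector's behaviour on both is visible.
func SampleEvents() []Event {
	return []Event{
		{"WS-01", "file", `C:\Users\jdoe\AppData\Roaming\Adobe\FlashPlayer\Services\Frame Host\fhost.exe`, ""},
		{"WS-01", "file", `C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bfhost.lnk`, ""},
		{"WS-01", "process", `C:\Users\jdoe\AppData\Roaming\Adobe\FlashPlayer\Services\Frame Host\fhost.exe`,
			"CD0F52F5D56AA933E4C2129416233B52A391B5C6F372C079ED2C6EACA1B96B85"},
		{"WS-01", "network", "51.15.70.74", ""},
		{"WS-02", "process", `C:\Program Files\Adobe\Reader\AcroRd32.exe`, "0000000000000000000000000000000000000000000000000000000000000000"},
		{"WS-02", "network", "10.0.0.5", ""},
	}
}

func main() {
	for _, a := range Detect(SampleEvents()) {
		fmt.Printf("%s: %s\n", a.Host, a.Reason)
	}
}
```

The path matches are the more durable of the four checks: the hashes cover only the two samples seen so far and the C&C address can be rotated, whereas the persistence location is part of how this family installs itself.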

References

1. https://github.com/EmergingThreats/threatresearch/blob/master/tRat/decrypt_str.py

2. https://github.com/EmergingThreats/threatresearch/blob/master/tRat/table

3. https://github.com/EmergingThreats/threatresearch/blob/master/tRat/decrypt_comms.py

*Source: proofpoint, compiled by FreeBuf editor Alpha_h4ck; please credit CodeSec.Net when reposting.

Sophos adds lateral movement protection to XG Firewall to stop network threats from spreading


December 18, 2018 - Sophos (LSE: SOPH), a global leader in network and endpoint security, today announced that its next-generation Sophos XG Firewall now includes lateral movement protection, to prevent manually operated targeted attacks and exploits from penetrating further into an already compromised network.

According to the SophosLabs 2019 Threat Report, targeted ransomware is on the rise. Given that the SamSam ransomware campaign is estimated to have earned more than $6.5 million, it is no surprise that cybercriminals are following suit. In these attacks, criminals target weak entry points and brute-force Remote Desktop Protocol (RDP) passwords. Once in, they begin moving laterally, step by step stealing domain administrator credentials, manipulating internal controls, disabling backups and more. By the time most IT managers notice, the damage has been done.

Dan Schiappa, senior vice president and general manager of products at Sophos, said: “Many organizations can defend against automated attack programs but cannot stop manually operated, interactive attacks. Once an active attacker is inside a system, they can ‘think laterally’ to remove obstacles, evade detection and move around. Without the right security measures they are very hard to stop. Lateral movement mostly happens at the endpoint, which is why synchronized security matters so much. Attackers escalate using exploits and non-malware techniques such as Mimikatz and privilege escalation. Before any attacker or attack spreads further, the network needs to know how to respond and automatically shut down or isolate infected machines.”

“Cyber-burglar” style attacks such as BitPaymer, Dharma and Ryuk use similar lateral movement techniques to deliver ransomware; these attacks are very different from the ransomware-as-a-service (RaaS) kits sold on the dark web. Sophos expects manually operated attacks to continue in 2019.

Schiappa added: “For every organization today, it is critical to stop the lateral movement of active attackers and wormable exploits by sharing intelligence between the firewall and the endpoint, and to isolate infected systems automatically. Unfortunately, many enterprise environments have blind spots on network switches or LAN segments that can become hidden launch pads for attacks. The new capabilities of Sophos XG Firewall stop threats from spreading, even where the firewall has no direct control over the traffic.”

Lateral movement protection through Synchronized Security

Sophos XG Firewall interacts automatically with Sophos endpoint products such as the new Intercept X Advanced with Endpoint Detection and Response (EDR) to provide a new level of protection. These essential security pillars are connected by the Security Heartbeat in Sophos Synchronized Security, creating an intelligent solution that proactively anticipates and defends against threats, stops further infection by discovering and automatically isolating infected machines, and remediates compromised devices. Security Heartbeat automatically isolates high-risk endpoints from the other endpoints in the same broadcast domain or network segment.

Frank Dickson, research vice president for security products at IDC, said: “Cybercriminals are very creative and aggressive; they are meticulous in developing new threats, exploiting vulnerabilities or attacking organizations by hand. Attacking a weak point, then moving laterally and escalating credentials is becoming a common attack pattern today. By connecting network and endpoint intelligence through Security Heartbeat, Sophos has introduced an important innovation that discovers and mitigates lateral-movement-centric attacks within seconds, stopping threats from spreading by isolating endpoints. In essence, deploying Sophos XG Firewall on the network enhances Intercept X, giving enterprises a more integrated, synergistic approach to network protection and easing the management burden on security professionals.”

Brandon Vancleeve, vice president of Pine Cove Consulting, a Sophos partner based in Bozeman, Montana, said: “Years ago, when people were discussing the best-in-class endpoint products needed to build a layered solution, Sophos was the first to introduce Synchronized Security, and drove change in the network security market with its Security Heartbeat solution. Today, with network threats constantly changing, it is especially important that endpoint and network products talk to each other and share intelligence. Sophos Synchronized Security has made a deep impression on the market, and the new lateral movement protection significantly extends what it can do. Now XG Firewall and endpoint protection will be able to isolate devices within their own subnet, an important development that will improve customers’ security posture and let them quickly understand the threat landscape beyond the network. Most of our customers have multiple LAN segments, so we believe the new detection capabilities offer the best protection on the market.”

Other new enhancements to Sophos XG Firewall include:

Protection enhancements

- Deeper and broader IPS coverage with finer granularity
- JavaScript cryptojacking protection

Sandstorm sandbox enhancements

- Integration with Intercept X to discover zero-day threats before they enter the network
- Deep behavioural analysis of network traffic and memory using machine learning, CryptoGuard and exploit detection

Networking enhancements

- New Sophos Connect IPsec VPN client with Synchronized Security support

Education features

- Chromebook client authentication support for user-based policies and reporting
- User and group policy support for SafeSearch and YouTube restrictions

Xinhua: hacking attacks now have a “zero threshold”, and internet crime has become a “chain”


From the hacking of video site AcFun in June, which leaked the data of tens of millions of users, to the recent breaches at Huazhu, Marriott and other companies that exposed the personal information of hundreds of millions of customers, hacker crimes have repeatedly entered public view this year.

Reporters recently learned from the Network Security Corps of the Beijing Municipal Public Security Bureau that hacker crimes are showing new characteristics: large numbers, broad scope and chain-like organization. Learning to hack with “zero threshold”, then extorting victims after obtaining large amounts of data, or selling the data to “feed” online fraud, pornography, gambling and other serious crimes, has become commonplace.

Hacker crimes are frequent and have become the core of internet crime

At the end of November, Marriott International announced that the guest reservation database of its Starwood hotels had been breached by hackers. According to Marriott, an attacker had been able to access the Starwood division’s guest reservation database since 2014. The database contained information on about 500 million guests; for up to 327 million of them the exposed information included names, mailing addresses, phone numbers, passport numbers, dates of birth, and arrival and departure information.

Reporters found that this year several well-known hotel chains and internet companies at home and abroad suffered hacker attacks that leaked users’ personal information and related data. According to investigators at the Beijing corps, hacker crimes are becoming the core of internet crime and the upstream crime feeding telecom fraud, online extortion, online solicitation of prostitution, online gambling and other serious offences.

According to the Ministry of Public Security’s progress report on this year’s “Clean Net 2018” campaign, public security organs, targeting the black and gray internet industries that “feed” online fraud, pornography and gambling, have arrested more than 8,000 suspects, including more than 1,200 hackers.

“In recent years, as digital assets have multiplied across every industry and the demand from serious crime has grown, hotels, airlines, internet companies, training institutions… the range of hacking targets keeps widening and the volumes of data keep growing, making it hard to guard against,” said a police officer from the Beijing corps.

Hacker crimes show new trends

It is understood that 62% of data leaks are related to hacker attacks. Reporters found that hacker crimes are currently showing a number of new trends.

- Hacking techniques are easy to obtain. Reporters found large numbers of QQ groups and posts devoted to hacking techniques. After searching QQ groups for “hack”, the reporter joined two groups at random and found large numbers of low-end hacking tutorials and tools in the groups’ file directories, such as red-envelope cheats, forced-chat programs and cloud-drive cracking programs. Clicking on one cloud-drive cracking tool at random, the hacking program was installed in under a minute.

In the groups, some members were actively discussing the technical details of hacking and cracking programs, and others were selling already-leaked passenger data from a ride-hailing platform. Each group had more than 400 members, whose registration details showed them to be from all over the country.

- Internet crime with hacking at its front end shows clear industrialization. Investigators at the Beijing corps told reporters that if someone wants to commit telecom fraud, all they need to do is post a request on certain websites, and people scattered across the country will supply illegally obtained personal information, “black website” hosting, non-real-name phone numbers, “black bank cards”, customer-service staff and more; every step has someone to carry it out.

- Hacker techniques keep evolving. A website called “Xiaoqi Forum”, taken down by Beijing police this year, offered a “packing” service for malware; “packed” malware could evade all kinds of antivirus products, and the service even offered real-time updates, just like an antivirus product.

Besides illegally obtaining information, some criminals use “credential stuffing”, trying large numbers of obtained usernames and passwords against forums, home cameras and other accounts with the same login details, so as to obtain even more information for use in other illegal activities and profit from it.

Joint governance of the online environment

Industry insiders believe that hacker crimes not only endanger the property and information security of businesses and individuals, but also threaten social order and national security. As the Internet of Things, artificial intelligence and other technologies enter practical use, the range of hacking targets will grow further, and combating hacker crime remains a long-term task.

Investigating officers said that although police crackdowns keep intensifying, the development trends and cross-regional nature of the internet mean that hacker crime remains at a high level, and that coordination mechanisms between the cyberspace, industry and public security authorities should be built to tackle internet hacker crime comprehensively.

Hu Gang, secretary-general of the research center of the Internet Society of China, believes that legislation concerning cybersecurity should follow a “legislate quickly, amend frequently” approach, enacting laws efficiently to respond to new forms of cybercrime and to handle rapidly evolving cases. “Judicial authorities must deal promptly with urgent and fast-changing hacker cases, so as to deter and warn offenders,” Hu said.

Peng Xinlin, deputy director of the Criminal Law Institute of Beijing Normal University, believes that organizations holding large amounts of citizens’ personal information, which are likely targets of hacker crime, should strengthen their cybersecurity awareness and proactively carry out prevention. “Internet users must genuinely raise their security awareness, strengthen protective measures, prevent the leakage of computer information, and promptly report any leads on online hacking crimes,” Peng said. (Contributing reporter: intern Zhao Xu)

About the TLS/SSL protocol

Because HTTP transmits in plaintext and is poorly secured, HTTPS is used for encrypted transport; the key element is the TLS/SSL protocol.

I. The development of TLS/SSL

SSL (Secure Sockets Layer) was first created in 1994 as an extension of HTTP, later developed into an independent protocol, and went through three versions (v1.0, v2.0, v3.0). The protocol was then standardized on the basis of v3.0 and named TLS (Transport Layer Security, v1.0). TLS can therefore be understood as the upgraded version of SSL.


II. HTTPS = HTTP + TLS/SSL

Since TCP guarantees reliable (complete) delivery, it suffices for all data to pass through TLS/SSL processing before it reaches TCP.

The default server port for the http scheme is 80; for the https scheme it is 443.

Risks of HTTP communication:
- Impersonation: a party takes part in the communication under someone else’s identity
- Eavesdropping: the content of the communication is read
- Tampering: the content of the communication is modified

The core of TLS/SSL:
- Authentication
- Key negotiation
- Data encryption

TLS/SSL consists of two layers:
- Handshake layer
- Record (encryption) layer

III. The TLS/SSL handshake

Before encrypted communication begins, client and server must first establish a connection and exchange parameters; this process is called the handshake.

Related concepts:

1. Authentication: the client authenticates the server through a CA, using signed digital certificates, to prevent man-in-the-middle attacks.

2. Cipher suite negotiation: client and server must agree on a cipher suite that both accept; the cipher suite determines the encryption algorithm, key negotiation algorithm and the other algorithms used for the connection.

3. Key negotiation: different key negotiation algorithms have different handshake flows. Because both RSA key exchange and static DH lack forward secrecy, DHE and ECDHE are now the most widely used (and they depend little on the server’s long-term key pair).

4. Handshake message integrity check: handshake messages are protected by the TLS/SSL record layer, which ensures their confidentiality and integrity; if a handshake message is tampered with, the whole handshake fails.

Handshake based on RSA:
1. The client sends the protocol version, a client-generated random number and the cipher suites it supports.
2. The server confirms the protocol version and the cipher suite to be used, and provides its digital certificate (containing the public key) and a random number.
3. The client checks the validity of the certificate and returns a new random number (the pre-master secret) encrypted with the public key from the certificate.
4. The server uses its private key to recover the pre-master secret sent by the client.

Client and server then generate the master secret from the two earlier random numbers and the pre-master secret according to the agreed cipher suite; subsequent communication is encrypted and decrypted with the master secret.



Because the entire handshake is in plaintext, there is still a security risk (the third random number could be recovered); changing the default RSA key exchange to DH improves security.

Handshake based on DH:
1. The client sends the protocol version, a client-generated random number and the cipher suites it supports.
2. The server confirms the protocol version and the cipher suite to be used, and provides its digital certificate (containing the public key) and a random number.
3. The server signs the client random number, the server random number and the server DH parameters with its private key, producing the server signature.
4. The server sends the server DH parameters and the server signature to the client.
5. The client sends the client DH parameters to the server.

The client then verifies the server signature with the public key; client and server each derive the pre-master secret from the server DH parameters and the client DH parameters, and then derive the master secret (session key) from the pre-master secret, the client random number and the server random number. The handshake is then complete, and subsequent communication is encrypted and decrypted with the master secret.



In addition, during authentication, if the client finds the server certificate invalid it warns the user, who chooses whether to continue.
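Both key exchange flows described above, carried out with Go’s standard crypto packages as an added example that is not part of the original article. A freshly generated RSA key stands in for the server certificate’s key, and an HMAC over the pre-master secret and the two randoms stands in for the TLS PRF (a simplification; TLS 1.2 uses the RFC 5246 PRF and wire formats, which this example does not reproduce). The RSA flow encrypts the pre-master secret to the certificate key; the ECDHE flow signs ephemeral P-256 parameters with that key and has the client verify the signature before using them, which is the step that makes the DH parameters trustworthy. The use of crypto/elliptic’s ScalarMult and the message layout hashed for the signature are choices made for this example.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the long-term RSA key that stands in for the certificate's key
// (constructed for the example; a real server presents a CA-signed certificate).
type Server struct{ key *rsa.PrivateKey }

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{key: k}, nil
}

// helloRandom models the 32-byte Random field of ClientHello / ServerHello.
func helloRandom() []byte {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// deriveMaster stands in for the TLS PRF: the master secret depends on the pre-master
// secret and both randoms, so fresh randoms give fresh keys even for an equal pre-master.
func deriveMaster(premaster, clientRandom, serverRandom []byte) []byte {
	m := hmac.New(sha256.New, premaster)
	m.Write([]byte("master secret"))
	m.Write(clientRandom)
	m.Write(serverRandom)
	return m.Sum(nil)
}

// RSAHandshake: the client encrypts the pre-master secret to the certificate key and the
// server recovers it with the private key. Whoever later obtains that private key plus a
// capture of this exchange can recover the pre-master as well: no forward secrecy.
func RSAHandshake(srv *Server) (clientMaster, serverMaster []byte, err error) {
	clientRandom, serverRandom := helloRandom(), helloRandom()
	premaster := make([]byte, 48) // 48 bytes in TLS; the first two carry the version
	if _, err := rand.Read(premaster); err != nil {
		return nil, nil, err
	}
	encrypted, err := rsa.EncryptPKCS1v15(rand.Reader, &srv.key.PublicKey, premaster) // ClientKeyExchange
	if err != nil {
		return nil, nil, err
	}
	recovered, err := rsa.DecryptPKCS1v15(rand.Reader, srv.key, encrypted) // server side
	if err != nil {
		return nil, nil, err
	}
	return deriveMaster(premaster, clientRandom, serverRandom), deriveMaster(recovered, clientRandom, serverRandom), nil
}

// ECDHEHandshake: the server signs fresh ephemeral P-256 parameters together with both
// randoms, the client verifies the signature before using them, and each side multiplies
// the other's public point by its own ephemeral secret. The RSA key only authenticates,
// so a later compromise of it does not reveal past pre-master secrets.
func ECDHEHandshake(srv *Server) (clientMaster, serverMaster []byte, err error) {
	curve := elliptic.P256()
	clientRandom, serverRandom := helloRandom(), helloRandom()
	// ServerKeyExchange: ephemeral key pair, signature over client_random || server_random || params
	sPriv, sx, sy, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(bytes.Join([][]byte{clientRandom, serverRandom, sx.Bytes(), sy.Bytes()}, nil))
	sig, err := rsa.SignPKCS1v15(rand.Reader, srv.key, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, err
	}
	// Client: verify with the certificate public key and abort on failure; this is what
	// stops a man-in-the-middle from substituting its own DH parameters.
	if err := rsa.VerifyPKCS1v15(&srv.key.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, nil, fmt.Errorf("ServerKeyExchange signature invalid: %w", err)
	}
	// ClientKeyExchange: the client's ephemeral public point
	cPriv, cx, cy, err := elliptic.GenerateKey(curve, rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	// Both sides compute the shared point; its x-coordinate is the pre-master secret.
	clientShared, _ := curve.ScalarMult(sx, sy, cPriv)
	serverShared, _ := curve.ScalarMult(cx, cy, sPriv)
	return deriveMaster(clientShared.Bytes(), clientRandom, serverRandom),
		deriveMaster(serverShared.Bytes(), clientRandom, serverRandom), nil
}

func main() {
	srv, err := NewServer()
	if err != nil {
		panic(err)
	}
	c, s, _ := RSAHandshake(srv)
	fmt.Println("RSA key exchange, master secrets agree:", bytes.Equal(c, s))
	c, s, _ = ECDHEHandshake(srv)
	fmt.Println("ECDHE key exchange, master secrets agree:", bytes.Equal(c, s))
}
```

The contrast the article draws is visible in the two functions: in RSAHandshake the private key is needed to obtain the pre-master secret, whereas in ECDHEHandshake it is used only to sign, and the pre-master exists nowhere except in the two ephemeral scalars that are discarded when the function returns.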

IV. TLS/SSL encryption

The handshake layer negotiates the algorithms and the key block that the record layer needs; the record layer then performs the encryption and integrity protection.

There are currently three main encryption modes:

- Stream cipher mode
- Block cipher mode
- AEAD mode

Given the security problems involved in combining encryption with integrity protection, AEAD mode is recommended.

V. The relationship between OpenSSL and TLS/SSL

TLS/SSL is a design specification; OpenSSL is currently the most widely used implementation of it.

OpenSSL is a low-level cryptographic library that wraps all of the cryptographic algorithms, certificate management and the TLS/SSL protocol implementation.

For developers, it is enough to understand and use the underlying OpenSSL library correctly.

More than 30,000 smart contracts tested: this white paper identifies 9 major classes of smart contract vulnerability (download link attached)


The number of Ethereum smart contracts grows by the day, and their security problems are being exposed along with them. Attackers exploit vulnerabilities to attack smart contracts, causing digital assets to be lost or stolen. Strengthening the security of blockchain smart contracts has therefore come into public view as Ethereum contracts multiply, and has become a hard problem in smart contract development.

Recently the Blockchain Security Research Center (jointly established by the Tel Terminal Laboratory of the China Academy of Information and Communications Technology, the School of Cyber Science and Engineering of Shanghai Jiao Tong University, and Shanghai Zhangyu Information Technology Co., Ltd.), together with the China Blockchain Application Research Center and other institutions, released the “Blockchain Smart Contract Security Audit White Paper (2018)”.

By testing 31,276 smart contracts on its blockchain smart contract security testing platform, the white paper identifies 9 classes of smart contract vulnerability. By count, access control problems dominate at 46.97%, far ahead of the other types; other frequent classes are misuse of random numbers and logic design flaws.

Selected highlights follow, published by 8btc with authorization:

At present, the design of Solidity, the programming language of Ethereum smart contracts, and of the EVM, the virtual environment they run in, is still incomplete, and security vulnerabilities cannot be ruled out.

If a smart contract developer is slightly careless or testing is insufficient, the contract code may contain vulnerabilities. For the project this is like a hidden bomb: if it goes off, the consequences are unthinkable. Current Ethereum smart contract vulnerabilities can easily lead to user assets being devalued, frozen or illegally transferred.



The white paper’s data sample is 31,276 smart contracts following the Ethereum ERC20 token standard, tested with the fast scanning engine of the blockchain smart contract security testing platform over a period of two weeks.

It arrives at the distribution of nine classes of smart contract vulnerability: call vulnerabilities, race conditions, reentrancy, access control, numeric overflow, transaction-ordering dependence, account freezing and bypass, logic design flaws, and misuse of random numbers; each class is also rated by severity.

Data on the tested smart contracts:

- Smart contracts tested: 31,276
- Lines of code tested: 9,407,593
- Functions tested: 371,655
- Transactions on the tested contracts: 87,608,190
- Value held by the tested contracts: $1,002,810,870

The smart contract vulnerability classes and their severity levels are defined as follows:
Test results and analysis

Based on the test results, the distribution of smart contract vulnerabilities by type is as follows:



There are currently 9 classes of smart contract vulnerability. By count, access control dominates at 46.97%, far ahead of the other types. Numeric overflow was not detected in this data sample.

Based on the test results, the distribution of smart contract vulnerabilities by severity level is as follows:



By severity, level 3 vulnerabilities account for the largest share at 48.65%, with level 2 vulnerabilities at 41.82%.

Typical case analysis

The TopToken smart contract was selected from the sample contracts for analysis; its Ethereum address is 0x0E6BB94B7f25B96f13E0baf5bC04b8Ba39b897A8.

The contract’s source code can be viewed at https://etherscan.io/address/0x0e6bb94b7f25b96f13e0baf5bc04b8ba39b897a8#code.

The vulnerability scan results for TopToken from the BSCSCS platform’s fast scanning engine are as follows:



From the distribution, TopToken’s vulnerabilities lie mainly in three areas: access control, logic design flaws and misuse of random numbers. Ordered by count: misuse of random numbers, logic design flaws, access control. By severity level: L2 and L3, with 23 L2 vulnerabilities and 7 L3 vulnerabilities.

Conclusion

How should the parties involved in smart contracts avoid vulnerabilities?

1. Developers should raise their security awareness

Most of the vulnerabilities found so far come from using the plain arithmetic operators without checking for possible overflow, which creates an overflow risk. The fix is simple: using the safe arithmetic library SafeMath eliminates overflow problems completely.

2. Project teams should establish a unified secure coding standard for contracts and check against it strictly, item by item

After a smart contract is written, engage a professional smart contract audit firm to audit the code using formal verification, and have the auditors provide an audit report with remediation suggestions for any potential vulnerabilities.

3. Digital asset exchanges should also vet project teams and protect themselves

Projects listed on an exchange should be required to provide smart contract security credentials, to prevent vulnerable tokens from damaging the exchange’s reputation.

2018 was a turning point for the blockchain industry: as the digital asset market gradually cooled, blockchain projects began to diverge clearly, all signs that the industry’s bubble is deflating. People increasingly realize that, beyond issuing tokens to raise money, blockchain technology needs more application scenarios to prove its value.

As the blockchain industry develops and application scenarios multiply, the security of blockchain smart contracts has become a key concern for the industry. In future, while deepening their understanding of blockchain, people must also take smart contract security seriously and guard against vulnerabilities.

White paper download link: http://8btc.com/doc-view.html?d=3105
