
Android 9 Pie security and privacy detailed


It’s only four days before Christmas and you’re probably done planning your menu. So what’s for dessert? Don’t go with the usual cake. Go for something special, like pie à la mode. Well, we won’t teach you how to make one, but we are serving a different kind: Android Pie à la mode. The Android developers have just posted the security and privacy details of Android 9 Pie. The new OS has been around for months, but we still don’t know everything about it.

Android 9 Pie is described as more secure than ever, thanks to several anti-exploitation techniques and a hardened platform. The Android team made major changes in Android Pie, including upgrading File-Based Encryption to support external storage media.

A BiometricPrompt API was introduced for biometric authentication. The look is more standardized and authenticating is more reliable now.

When it comes to anti-exploitation enhancements, Android Pie expands security mitigations and enables by default the Control Flow Integrity (CFI) security mechanism.

The Android devs also implemented Integer Overflow Sanitization to mitigate information disclosure vulnerabilities and memory corruption.

Google has invested heavily in hardware-backed security and continues to look into possible vulnerabilities. A mobile OS API, Android Protected Confirmation, was introduced for starting critical transactions.

Other privacy enhancements introduced include the StrongBox Keymaster, limited access to background apps, new permission rules and permission groups, MAC address randomization, new defaults for Network Security Configuration, and DNS over TLS support.

SOURCE: Android Developers Blog



Researcher Drops Third Windows Zero-Day Exploit in Four Months


A security researcher who uses the online handle SandboxEscaper has published proof-of-concept exploit code for an unpatched vulnerability in Windows.

The flaw is located in the “MsiAdvertiseProduct” function, which, according to Microsoft’s documentation, enables an installer to “advertise” shortcut and registry information about a product to Windows by writing it to a script.


According to SandboxEscaper, a malicious application could trigger a race condition in this functionality, allowing it to read arbitrary files with SYSTEM privileges. For example, this can be exploited by a limited user account to read files belonging to other users that shouldn’t normally be accessible to that account.

While the vulnerability cannot be exploited by malware to gain full control of a system, it can be used to access potentially sensitive information. A potential attacker would need to know the location of the targeted files, but according to the researcher, this is not a big impediment.

“Even without an enumeration vector, this is still bad news, because a lot of document software, like Office, will actually keep files in static locations that contain the full path and filenames of recently opened documents,” the researcher said in his exploit notes. “Thus by reading files like this, you can get filenames of documents created by other users.. the filesystem is a spiderweb and references to user-created files can be found everywhere … so not having an enumeration bug is not that big of a deal.”

Researchers from ACROS Security, which runs the 0patch.com micropatching service, confirmed that the published proof-of-concept exploit works and indeed provides read access to files the initiating user shouldn’t have access to.

This is the third zero-day flaw publicly disclosed by SandboxEscaper since August. The first one, located in the Windows Task Scheduler, allowed for privilege escalation and was quickly adopted by hackers and used in real-world attacks. In October, the researcher released details about a second vulnerability in the Windows Data Sharing Service (dssvc.dll) that could be used to delete system files.

SandboxEscaper, who claims to have been unemployed for years and to be doing this only as a hobby, recently published a notification, supposedly received from Google, informing them that the FBI had asked for information related to their Google account. GitHub suspended the researcher’s account that was used to host the previous exploits.

U.S. Charges Two Alleged Members of Chinese Cyberespionage Group

The U.S. Department of Justice has charged two Chinese nationals with conspiracy to commit computer intrusions and other offenses in relation to the activity of a cyberespionage group called APT10.

APT10, also known in the security industry as Red Apollo, CVNX, Stone Panda and Potassium, has been active since at least 2006 and has targeted organizations from multiple industries, as well as government agencies from around the world. The group’s primary goal was to steal intellectual property and confidential business and technology information.

Prosecutors allege that Chinese nationals Zhu Hua and Zhang Shilong were members of APT10 between 2006 and 2018 while working for a Chinese company called Huaying Haitai Science and Technology Development Company (Huaying Haitai) and that they acted in association with the Chinese Ministry of State Security’s Tianjin State Security Bureau.

“The APT10 Group targeted a diverse array of commercial activity, industries and technologies, including aviation, satellite and maritime technology, industrial factory automation, automotive supplies, laboratory instruments, banking and finance, telecommunications and consumer electronics, computer processor technology, information technology services, packaging, consulting, medical equipment, healthcare, biotechnology, pharmaceutical manufacturing, mining, and oil and gas exploration and production,” the DoJ said in a press release. “Among other things, Zhu and Zhang registered IT infrastructure that the APT10 Group used for its intrusions and engaged in illegal hacking operations.”

The indictment links the defendants and APT10 to computer intrusions at more than 45 technology companies and government agencies from at least a dozen U.S. states. The victim list includes NASA’s Goddard Space Center and Jet Propulsion Laboratory and the U.S. Department of Energy’s Lawrence Berkeley National Laboratory.

5 Types of Cryptocurrency Entrepreneurs Should Know About


Opinions expressed by Entrepreneur contributors are their own.

You can classify every digital currency in existence as one of these five types of cryptocurrency. These distinctions are of the utmost importance for cryptocurrency investors because they determine what exactly you’re investing in, and who can invest in the first place. From coins to tokens, stablecoins to utility and security tokens, here are the main types of cryptocurrency you need to know about.

Coins vs Tokens

The biggest distinction in cryptocurrency is between coins and tokens. Every cryptocurrency has to be one or the other. Here’s what differentiates coins from tokens: Coins have their own blockchain. Tokens do not.

Most of the big-name cryptocurrencies -- Bitcoin (BTC), Ethereum (ETH), and Ripple (XRP) -- are coins. The most important thing to remember about coins is that they have their own blockchain, meaning a decentralized, peer-to-peer network that records transactions on a digital ledger.

By contrast, a token does not have its own blockchain. The Ethereum blockchain is the most popular platform for token creation, though you can theoretically create a token on any blockchain. 0x (ZRX), Maker (MKR) and Basic Attention Token (BAT) are examples of ERC-20 tokens, meaning a specific type of Ethereum-based token. In other words, their protocol exists ‘on top of’ the Ethereum blockchain.


Coins function as currency. Tokens represent access to a product or ‘stock.’

Since coins have their own blockchains, it makes sense that they serve as currency, a means of exchange, within that network. This is why Bitcoin is called digital gold and Ripple is lauded for its fast transactions: Bitcoin is a store of value, like gold, and Ripple facilitates cross-border bank transactions. Furthermore, it’s easier to convert USD to a coin, rather than a token. Investing in a token usually requires exchanging USD for a coin first.

The value of a token is a little more complicated. Tokens are typically released in an ICO, which stands for Initial Coin Offering. ICOs are like IPOs for cryptocurrency, meaning that they give the investor access to tokenized services or products, or represent a stake in a cryptocurrency company. This is where tokens get a little confusing: Tokens fall under different SEC regulations depending on what they represent. You can separate tokens into two types of cryptocurrency that represent either a utility or a security.


Utility Tokens vs Security Tokens

Understanding the distinction between these two types of cryptocurrency is paramount to investors, cryptocurrency companies and the government. In other words, the SEC has much stricter regulations for security tokens than it does for utility tokens because, as their name suggests, they’re considered to be digital securities.

Most Tokens Are Utility Tokens.

If you can buy or trade a token on a cryptocurrency exchange without being an accredited investor, then it’s a utility token. In broad terms, a utility token gives an investor access to a service or product. This can mean that a token can represent exclusive access, a discounted rate, or early access. When you hear about smart contracts and DApps, you should assume that a utility token is involved.

Basic Attention Token (BAT) is a utility token that has received a lot of press. It’s a means of exchange for digital advertising attention, hence the name. Integrated with the browser Brave, BAT works in three ways:

Users receive BAT for consenting to view ads.

Content creators receive BAT when users view ads on their site.

Advertisers buy ad space with BAT.

BAT represents attention, not stock or currency, making it a utility token. This means that anyone can trade utility tokens on a cryptocurrency exchange.


Security tokens are securities that exist on the blockchain.

Security tokens are different. Like securities, security tokens represent part-ownership in a tradeable, real-world asset external to the blockchain. And because security tokens are regulated by the SEC like securities, you have to be an accredited investor to participate in STOs, meaning Security Token Offerings.

The SEC decides whether something is a security token using the Howey Test. In simple terms, the Howey Test determines whether a cryptocurrency investment is ‘speculative’, meaning that the investor makes money based on the labor of a third party.

Investing in security tokens is slightly more difficult. Investors must use a security token issuance platform, like Polymath or Swarm, to buy and trade tokenized securities. Unlike Coinbase or Binance, which are cryptocurrency exchanges that allow anyone to create an account, security token issuance platforms require their users to meet specific requirements. This typically means having your accredited investor status confirmed by a KYC provider. The platform will then create a customized profile that specifies how and how much each investor can trade.


Converging Types of Cryptocurrency

Distinctions between types of cryptocurrency can be obscure. Since companies have access to a much smaller investment pool with security tokens, some try to pass off their security tokens as utility tokens. There is also debate over whether tokens can represent currency, like coins, rather than access to a service. To make matters less clear, stablecoins are often technically ‘stabletokens’.

What is a Stablecoin?

Stablecoins are an increasingly popular type of cryptocurrency, especially in a Bitcoin bear market. This is because stablecoins are “pegged” to traditional assets like fiat (meaning government-backed currency like the US Dollar or Euro) or gold.

For example, the theoretical exchange rate between a stablecoin pegged to the USD and the US Dollar itself is 1 to 1. In theory, the company behind a stablecoin has the same exact amount in assets, stored in bank accounts, as they do tokens.

The advantage of stablecoins is that in a bear market, crypto investors can move their money from volatile cryptocurrency to stablecoins, a more ‘stable’ asset class in theory. This is instead of converting it back to USD, which can be a two-step process that incurs transaction fees. When a bull market returns, investors can convert their stablecoin back into other more volatile currencies at little to no cost.

Historically, however, stablecoins have ‘broken their peg’ in both directions. For example, controversial stablecoin Tether (USDT) has been worth less than a dollar, and Gemini Coin (GUSD) has exceeded the value of a dollar. This highlights another feature of stablecoins: Most have “USD” in their name. But keep in mind that not all do. For example, Maker (MKR

5 Ways Hackers Killed the Sandbox ― and What to Do About It


Sandboxes, the standard go-to cyberthreat protection module for many organizations, aren’t what they used to be. Once considered a premier tool for cybersecurity protection, they have been figured out by hackers, who now know how to get past them.

A sandbox, of course, is where a security-conscious IT department will route a file to analyze its contents before releasing it to the user. The sandbox runs the file in an environment isolated from the working system and checks to see if there is any suspicious activity. If there is, the file gets dumped―and if it gets approved, users can feel confident that they can work with it without unleashing malware that could terribly compromise the organization.

At least that’s how it’s supposed to work. But while hackers have moved on and developed increasingly sophisticated techniques to beat the system, sandboxes―which have been around for years―haven’t really changed. Hackers today are armed with a slew of evasion techniques that have all but rendered the sandboxes ineffective, if not virtually irrelevant.

Here are five ways hackers have “killed” the sandbox:

Delayed Execution: This involves a malware attachment delaying its activity until after the sandbox finishes checking it. A sandbox typically analyzes a file for 7 to 20 minutes, so malware can simply go to sleep during that processing time and wake up after 25 minutes. In some cases, malware can be programmed to execute on a particular date or at a particular time, a technique known as the “logic bomb.” For example, Shamoon malware was discovered in 2012 when it was used for targeted attacks on high-revenue businesses in the Middle East. To evade sandboxing, this virus was programmed to execute its logic bomb at a certain date and time.

Hiding Malicious Code in Password-protected Attachments: Unless the sandbox knows the password of a file, it won’t be able to open it to examine attachments or macros, where malware is often stored. These files are usually sent in a phishing scam, where recipients are convinced that the file is legitimate (perhaps from a client), and that it was sent to them password-protected to ensure “security”―with the password written in the email “for their convenience.”

Data Obfuscation and Encryption: Standard sandboxes can’t decipher encrypted traffic, so if hackers send files in this manner, the sandbox won’t catch it. Malware accomplishes this by changing or encrypting its code and communications so that the sandbox can’t analyze it. For example, a trojan called Dridex encrypts API calls so that traditional malware sandboxes can’t read them.

Remotely Called VBA or JavaScript: In this scam, hackers include what appears to be nothing more than an innocent link in a file, thus raising no suspicions on the part of the sandbox. The malicious code is downloaded only after the file passes sandbox inspection.

Malware Detection of Sandboxes: This method involves hackers dispatching a file with attached malware that can actually detect if it is in a sandbox environment. For example, according to IBM’s SecurityIntelligence, “Many detection programs also create hashes for file names they analyze. Since a hashed file name is always longer than 30 characters, the threat actors can simply check the length to determine whether their malware is in a sandbox.” Other approaches include malware checking for discrepancies between virtual and physical systems, such as the number of CPU cores; malware looking for devices, such as a printer; or malware checking the availability of antivirus programs by looking for active processes. If the malware detects these telltale signs of sandbox activity, it will simply remain inert until it finds itself in a production environment.

Moving Out of the Sandbox

So what can we do about it? Instead of focusing on the behavior of malware―which, as we have seen, can be easily hidden―solutions need to concentrate on the actual exploit technique behind the malware. While there may be millions of new malware a month, there are a limited number of exploits, and an intelligent system that can monitor those exploits will prove far more effective than a sandbox.

To do that, the monitoring system needs to compare what is going on with what is supposed to be going on. If an array of software in use is supposed to affect an operating system or a CPU in a specific manner and the monitoring system records activity in the processor that does not match the expected profile, that anomaly could be a sign that there is an attempt to exploit. In that event, the system could automatically “arrest” the rogue processes without requiring manual intervention from administrators.

This deterministic, black-and-white view of incoming code is far more effective in protecting IT systems than the behavioral/heuristics-based sandboxes that many organizations rely on. By monitoring the IT system in real time and checking for the exploits that hackers must use if they want to accomplish their goals, threat detection can become far more reliable and effective. And in an era where small changes in behavior can easily go unnoticed, advanced threat technologies must detect an attack before these changes can occur.
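As an added illustration of the expected-profile monitoring argued for above (example code written for this page, not any vendor's product), the Python below checks a constructed process trace against an assumed behaviour profile for a word processor and contrasts a fixed 20-minute sandbox window with a monitor that runs continuously: the delayed activity at minute 25 escapes the former but not the latter. The profile, the trace and the program names are assumptions.

```python
import fnmatch
from datetime import datetime, timedelta

# Assumed expected-behaviour profile for one program: which operations it is supposed to
# perform, and on which targets.  Anything outside this is treated as an exploit attempt.
PROFILES = {
    "winword.exe": {
        "file_read": ["C:\\Users\\*\\Documents\\*", "C:\\Program Files\\Microsoft Office\\*"],
        "file_write": ["C:\\Users\\*\\Documents\\*", "C:\\Users\\*\\AppData\\Local\\Temp\\*"],
        "net_connect": ["*.office.com:443"],
        "spawn": [],   # a word processor is not expected to launch any other program
    },
}

SANDBOX_WINDOW = timedelta(minutes=20)   # upper end of the 7-20 minute analysis time cited above


def event(minutes, proc, op, target):
    """Build one constructed trace record `minutes` after a fixed start time."""
    return {"ts": datetime(2018, 12, 21, 10, 0) + timedelta(minutes=minutes),
            "proc": proc, "op": op, "target": target}


def is_expected(ev):
    """True if the event matches its program's profile (unknown program or operation: not expected)."""
    profile = PROFILES.get(ev["proc"])
    if profile is None or ev["op"] not in profile:
        return False
    return any(fnmatch.fnmatchcase(ev["target"], pattern) for pattern in profile[ev["op"]])


def deterministic_monitor(events):
    """Continuous, profile-based monitor: returns every event it would 'arrest'."""
    return [ev for ev in events if not is_expected(ev)]


def sandbox_verdict(events, window=SANDBOX_WINDOW):
    """Fixed-window sandbox: judges only what happens within `window` of the first event."""
    start = min(ev["ts"] for ev in events)
    observed = [ev for ev in events if ev["ts"] - start <= window]
    return "suspicious" if deterministic_monitor(observed) else "clean"


# Constructed trace: normal document activity, then delayed activity 25 minutes in.
TRACE = [
    event(0, "winword.exe", "file_read", "C:\\Users\\alice\\Documents\\invoice.docx"),
    event(1, "winword.exe", "file_write", "C:\\Users\\alice\\AppData\\Local\\Temp\\~WRL0001.tmp"),
    event(2, "winword.exe", "net_connect", "updates.office.com:443"),
    event(25, "winword.exe", "spawn", "C:\\Windows\\System32\\cmd.exe"),
    event(25, "winword.exe", "net_connect", "203.0.113.7:4444"),
]
```

Run against TRACE, sandbox_verdict returns "clean" while deterministic_monitor flags the two minute-25 events.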

U.S. government payment software vulnerability abused: nearly 300,000 payment records leaked and sold


Click2Gov is a payment portal system used by governments across the United States to collect utility bills, taxes, fines and other fees. It was developed by Superion, which merged with other companies in July 2018 to form a new company named CentralSquare Technologies. According to Risk Based Security, there are roughly 600 to 6,000 recorded Click2Gov installations.

Since it went into service, Click2Gov has clearly brought people a great deal of convenience, but because it handles sensitive financial data, the negative impact of any security problem is correspondingly more serious.

In September this year, cybersecurity firm FireEye confirmed a security incident involving Click2Gov, in which threat actors had planted previously unseen malware that parsed logs of payment card data and extracted payment details.

Security research firm Gemini Advisory recently published a report indicating that the software has been attacked again. According to the report, 294,929 payment records from at least 46 U.S. cities and one Canadian city were compromised. The investigation found that fewer than 50% of the cities that lost customer data were aware of, or had publicly disclosed, the breaches of their websites. By selling this information on the dark web, the malicious actors made at least 1.7 million U.S. dollars.

Meanwhile, the responsible agencies are still working to establish the details of the attacks, and the local portals running the software remain potentially at risk. In fact, Superion deployed a patch in June for the original vulnerability the hackers used to infiltrate Click2Gov, but because many organizations running the software did not patch promptly or keep it up to date, and because the skills of municipal IT staff leave room for improvement, among other reasons, systems remain vulnerable. The software vendor stated that all affected systems were hosted on premises and that the cloud-hosted version of Click2Gov was not affected.

In addition, the on-premises systems appear to have other problems. St. Petersburg, Florida; Bakersfield, California; and Ames, Iowa all reported data breaches of their utility payment portals within the past three months, and the leaked data has been found for sale on the dark web.

Gemini Advisory said: “In our analysis of 20 Click2Gov account compromise incidents, we clearly found that at least 111,860 payment cards were compromised. Moreover, in every case the stolen cards were uploaded for sale either during the breach or immediately after it was discovered and reported, at an average price of 10 U.S. dollars per card. The actor behind this is very likely a repeat offender in such cases.”

Click2Gov is currently working with local governments to resolve the remaining security problems; further details have yet to be disclosed.

Statement: This article comes from 黑客视界 and the copyright belongs to the author. The content represents only the author's independent views, not the position of 安全内参; it is reproduced in order to convey more information. To reproduce it, please contact the original author for authorization.

Translation no. 4: an XSS vulnerability

Let's begin... First I checked the available subdomains, but initially I found nothing interesting. Then, when I started testing subdomains of ucweb.com, I found this one: samsung.ucweb.com. Samsung? That looked interesting, so I tried opening it in a browser.

Unfortunately it was a 403 Forbidden site. If you ran into this, what would you do next? Obviously most people would ignore it and move on to testing other subdomains. But I had read an article saying that when you come across a site like this, try a Google search for information about it, and you may be pleasantly surprised. So I had a quick look with the Google operator site:samsung.ucweb.com, and there really was a surprise.

I opened this URL: http://samsung.ucweb.com/webstore/classify.html?dataKey=LifeStyle&title=LifeStyle and started testing the parameters. When I tested the title parameter, I found that the server printed its value back without filtering it.

So I tried building a payload for this injection point. With "><script>alert(1)</script> there was no popup at all, so I tried an <img> tag: "><img src=x onerror=alert('XSS')>

Video demonstration
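To show in code why the second payload worked where the first did not, here is an added Python example (not the site's code): a blacklist filter that strips only script tags, beside a renderer that HTML-escapes the title parameter, with a small parser check of what a browser would see. The template markup and the blacklist filter are assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Payloads as used in the writeup (the second one produced the alert).
SCRIPT_PAYLOAD = '"><script>alert(1)</script>'
IMG_PAYLOAD = '"><img src=x onerror=alert(\'XSS\')>'

# Assumed template: the title lands both inside an attribute value and in element text.
TEMPLATE = '<h1 class="title" data-title="%s">%s</h1>'

# Blacklist that behaves like what the writeup observed: only <script> tags are removed.
SCRIPT_TAG_RE = re.compile(r"</?\s*script[^>]*>", re.IGNORECASE)


def render_title_blacklist(title):
    """Vulnerable: strips script tags but leaves other tags and the quote that closes the attribute."""
    cleaned = SCRIPT_TAG_RE.sub("", title)
    return TEMPLATE % (cleaned, cleaned)


def render_title_escaped(title):
    """Hardened: encodes < > & " ' so the value can neither leave the attribute nor start an element."""
    safe = html.escape(title, quote=True)
    return TEMPLATE % (safe, safe)


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, roughly what a browser's tokenizer sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def injected_handlers(rendered):
    """Return the names of all on* event-handler attributes present in the rendered markup."""
    parser = TagCollector()
    parser.feed(rendered)
    parser.close()
    return [name for _, attrs in parser.tags for name in attrs if name.startswith("on")]
```

With the blacklist, the <script> payload yields no handler (matching the silent result in the writeup) while the <img> payload yields an onerror handler in both contexts; the escaped renderer yields none for either.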

New scam tricks: multiple obfuscation methods used to bypass security detection

Introduction

When browsing the web you may well run into sites that impersonate Microsoft or Google, tell you that your computer has run into some problem, and ask you to call the phone number given on the page for help. Although most antivirus products today can detect this type of attack, known as a tech support scam (TSS), attackers are now adopting a range of new techniques to get past that detection.
Deconstructing the technique

To get past this detection, TSS developers have designed script obfuscation techniques that render the scam message on the page while evading detection. These techniques include Base64 encoding, custom-written obfuscators, and AES encryption to hide the script from the detection engine.

When obfuscating malicious code, traditional TSS attackers generally relied on a single method: for example, obfuscating the code on the fly, or encrypting (AES) and decrypting the JavaScript online. But according to Symantec's latest research report, cyber criminals have once again upgraded their tech support scam attacks: to evade detection, or at least make it harder, they are now using multiple obfuscation techniques to hide the malicious script code.

Symantec researcher Chandrayan wrote in the report: “Applying code obfuscation to tech support scam attacks is nothing new, but the use of such multi-layer encoding & obfuscation is rare. Generally, tech support scams try to make string-based detection engines scan for strings, random digits or characters, but in most scenarios that kind of scanning has a very high false-positive rate. We can therefore conclude that this tech support scam uses off-the-shelf encoding techniques to fool antivirus engines and bypass security scanning.”

For example, in a TSS page the researchers detected recently, Chandrayan found a large amount of obfuscated code (shown as a screenshot in the original article).

This data is then fed into another script, which uses the JavaScript function atob() to decode it (again shown as a screenshot in the original).

Decoding yields a new script, which the attacker has further encrypted with AES. The popular library CryptoJS is used to decrypt this code, which is then appended to the page to display the tech support scam message (screenshot in the original).
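An added Python example (not from the Symantec report) showing why a scanner has to peel the layers described above: it decodes every atob() literal it finds, recursively, and only then matches indicators such as the CryptoJS AES-decrypt call. The sample script and the indicator list are constructed for this illustration.

```python
import base64
import re

# Strings a plain string-matching engine would look for (assumed indicator list).
INDICATORS = ("CryptoJS.AES.decrypt", "call now", "your computer", "Microsoft")

# atob("...") / atob('...') with a literal Base64 argument.
ATOB_RE = re.compile(r"""atob\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")


def find_indicators(text):
    """Case-insensitive indicator match on one layer of text."""
    lowered = text.lower()
    return [i for i in INDICATORS if i.lower() in lowered]


def peel_base64_layers(script, max_depth=5):
    """Return the script followed by every atob() literal it contains, decoded, recursively."""
    layers, frontier = [script], [script]
    for _ in range(max_depth):
        decoded_layers = []
        for text in frontier:
            for match in ATOB_RE.finditer(text):
                try:
                    decoded = base64.b64decode(match.group(1), validate=True).decode("utf-8")
                except (ValueError, UnicodeDecodeError):
                    continue  # not really Base64 text: skip rather than crash
                decoded_layers.append(decoded)
        if not decoded_layers:
            break
        layers.extend(decoded_layers)
        frontier = decoded_layers
    return layers


def scan(script):
    """Return (indicators on the outer layer, indicators across all layers, number of layers)."""
    layers = peel_base64_layers(script)
    outer = find_indicators(layers[0])
    everywhere = sorted({i for layer in layers for i in find_indicators(layer)})
    return outer, everywhere, len(layers)


def wrap_in_atob(inner):
    """Constructed helper that builds the 'atob then eval' stage seen in the campaign."""
    encoded = base64.b64encode(inner.encode("utf-8")).decode("ascii")
    return 'var next = atob("%s"); eval(next);' % encoded


# Constructed three-layer sample (not the real page): Base64 -> Base64 -> AES-decrypt stage.
INNER_SCRIPT = ("var key = 'constructed-key';"
                "var clear = CryptoJS.AES.decrypt(payload, key).toString(CryptoJS.enc.Utf8);"
                "var s = document.createElement('script'); s.text = clear; document.body.appendChild(s);")
OUTER_SCRIPT = wrap_in_atob(wrap_in_atob(INNER_SCRIPT))
```

On OUTER_SCRIPT the outer layer matches nothing, while the peeled scan reaches three layers and flags the CryptoJS.AES.decrypt stage.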

It is worth noting that the tech support scam tactics used by cyber criminals are becoming more and more advanced, and many attackers also apply this technique in malvertising attacks.

If you do encounter a page claiming that your computer has a problem and asking you to call a help line or download other software, simply ignore the page or close the browser.

* Source: bleepingcomputer; compiled by FB editor Alpha_h4ck. Please credit CodeSec.Net when reproducing.

Windows arbitrary file read 0-day vulnerability: handling guide


Recently, foreign security researcher SandboxEscaper once again published details and a PoC of a new Windows 0-day vulnerability on Twitter. This is the third Windows 0-day the researcher has disclosed since August 2018. The vulnerability allows arbitrary file reads: a low-privileged user or malicious program can read the contents of any file on the target Windows host, but cannot write to files. Until Microsoft releases an official patch, all Windows users are affected.

■ Advisory ID: NS-2018-0041

■ Release date: 2018-12-21

■ Severity: High. The vulnerability lets an attacker read arbitrary system files, and a PoC is public.


Vulnerability overview


The author's Twitter account has since been frozen and the GitHub account banned, but the PoC is already public, so affected users should pay attention.

Reference link:

https://thehackernews.com/2018/12/windows-zero-day-exploit.html

Affected scope

All Windows systems.

PoC check

Users can check their own systems with the vulnerability verification tool; the detailed verification procedure is shown in the video below:

https://v.qq.com/x/page/l1355lq4hp7.html

The verification tool can be downloaded from the following link:

https://cloud.nsfocus.com/api/krosa/secwarning/files/window任意文件读取漏洞排查工具.zip

Protection recommendations

The vulnerability cannot be exploited remotely: to trigger it, the exploit program has to be run on the target host. As of the publication of this advisory, Microsoft has not released a fix, so users should keep watching for the official patch announcement.

To prevent attackers from using this vulnerability to read sensitive local information, run files of unknown origin with caution, install antivirus software promptly, and monitor for intrusion activity in real time. The original advisory illustrates attackers' common techniques in a figure not reproduced here.

Based on attackers' common techniques, focus on alerts with the following characteristics:

If the same source IP address triggers multiple alerts within a short time, the activity is likely scanning: if the alerts' protocol summaries contain probe or verification payloads, confirm it as vulnerability scanning; if they contain offensive payloads, confirm it as exploitation of the vulnerability to execute malicious code.

If the alerts are service authentication errors, the error count is high, the interval between errors is short, and they all come from the same IP address, classify the activity as brute forcing; if the error count is low but exceeds the normal rate of authentication errors, classify it as an attacker manually trying weak passwords.

If internal network monitoring raises trojan communication alerts, consider the server confirmed compromised.
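The three alert rules above, implemented as an added Python triage routine over constructed alert lines (this is illustration code, not NSFOCUS's product logic); the thresholds, the line format and the payload markers are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration; the advisory states the rules only qualitatively.
SCAN_MIN_ALERTS = 5        # "multiple alerts from the same source IP..."
SCAN_WINDOW_SECONDS = 60   # "...within a short time"
BRUTE_MIN_FAILURES = 20    # "many authentication errors..."
BRUTE_MAX_INTERVAL = 5.0   # "...at short intervals" (average seconds between failures)
MANUAL_MIN_FAILURES = 4    # "few errors, but above the normal error rate"
PROBE_MARKERS = ("nikto", "probe", "scanner")          # assumed verification-payload markers
ATTACK_MARKERS = ("cmd.exe", "powershell", "/bin/sh")  # assumed offensive-payload markers


def parse_alert(line):
    """Alert line format (constructed): ISO-timestamp|source-ip|kind|protocol-summary."""
    ts, src, kind, summary = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "src": src, "kind": kind, "summary": summary.lower()}


def classify_source(group):
    """Apply the advisory's three rules to all alerts from one source IP (sorted by time)."""
    if any(a["kind"] == "trojan_c2" for a in group):
        return "compromised"                     # rule 3: trojan traffic seen on the internal network
    failures = [a for a in group if a["kind"] == "auth_failure"]
    if len(failures) >= 2:
        span = (failures[-1]["ts"] - failures[0]["ts"]).total_seconds()
        avg_interval = span / (len(failures) - 1)
        if len(failures) >= BRUTE_MIN_FAILURES and avg_interval <= BRUTE_MAX_INTERVAL:
            return "brute_force"                 # rule 2: many failures, short interval
        if len(failures) >= MANUAL_MIN_FAILURES:
            return "manual_weak_password"        # rule 2: few failures, still above normal
    span = (group[-1]["ts"] - group[0]["ts"]).total_seconds()
    if len(group) >= SCAN_MIN_ALERTS and span <= SCAN_WINDOW_SECONDS:
        text = " ".join(a["summary"] for a in group)
        if any(m in text for m in ATTACK_MARKERS):
            return "exploit_attempt"             # rule 1: offensive payload in the summary
        if any(m in text for m in PROBE_MARKERS):
            return "vuln_scan"                   # rule 1: verification payload in the summary
        return "scan"                            # rule 1: burst of alerts, no payload seen
    return "needs_review"


def triage(lines):
    """Return {source_ip: verdict} for a batch of alert lines."""
    by_src = defaultdict(list)
    for line in lines:
        alert = parse_alert(line)
        by_src[alert["src"]].append(alert)
    return {src: classify_source(sorted(g, key=lambda a: a["ts"])) for src, g in by_src.items()}


def make_lines(src, kind, summary, count, step_seconds):
    """Build `count` constructed alert lines from one source, `step_seconds` apart."""
    t0 = datetime(2018, 12, 21, 9, 0, 0)
    return ["%s|%s|%s|%s" % ((t0 + timedelta(seconds=i * step_seconds)).isoformat(), src, kind, summary)
            for i in range(count)]


# Constructed sample batch, one source per rule outcome.
SAMPLE = (
    make_lines("10.0.0.5", "web_attack", "GET /cgi-bin/test.cgi nikto probe", 6, 5)
    + make_lines("10.0.0.6", "web_attack", "GET /index.php?cmd=cmd.exe", 6, 5)
    + make_lines("10.0.0.7", "auth_failure", "SMB logon failed", 25, 1)
    + make_lines("10.0.0.8", "auth_failure", "SMB logon failed", 5, 1800)
    + make_lines("10.0.0.9", "trojan_c2", "beacon to known C2 address", 1, 0)
)
```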

Disclaimer

This security advisory is intended only to describe a possible security problem; NSFOCUS makes no guarantee or commitment with respect to it. Any direct or indirect consequences or losses caused by distributing or using the information in this advisory are the sole responsibility of the user; NSFOCUS and the advisory's authors accept no liability.

NSFOCUS reserves the right to modify and interpret this advisory. Anyone reproducing or distributing it must preserve it in full, including the copyright notice. Without NSFOCUS's permission, the content may not be modified, abridged or extended, nor used for commercial purposes in any way.

About NSFOCUS

Beijing NSFOCUS Information Security Technology Co., Ltd. (NSFOCUS) was founded in April 2000 and is headquartered in Beijing. With more than 30 branches at home and abroad, it provides competitive security products and solutions to customers in government, telecom operators, finance, energy, the Internet, education, healthcare and other industries, helping them keep their business running securely and smoothly.

Building on years of offensive and defensive security research, NSFOCUS provides intrusion detection/prevention, anti-DDoS, remote security assessment and web security protection products, as well as professional security services, in the areas of network and endpoint security, Internet infrastructure security, and compliance and security management.

Beijing NSFOCUS Information Security Technology Co., Ltd. has been listed on the ChiNext board of the Shenzhen Stock Exchange since 29 January 2014; stock short name: 绿盟科技, stock code: 300369.


CVE-2018-20129: DedeCMS V5.7 SP2 front-end file upload getshell vulnerability advisory

0x00 Vulnerability background

On 2018-12-11 the CVE Chinese application site (CVE中文申请站) disclosed a file upload vulnerability in the latest DedeCMS 5.7 SP2: a user with administrator privileges can exploit it to upload a file and get a shell that executes arbitrary PHP code.

Analysis and verification show that the vulnerability requires logging in with administrator privileges and requires the member feature to be enabled, which is off by default and has to be turned on manually by an administrator.

360CERT judges the vulnerability to be of low harm and limited impact, but still recommends that DedeCMS users verify it and apply the remediation advice.

0x01 Vulnerability details

include/dialog/config.php checks user permissions during dialog operations, which restricts the operation to administrators.

Next, include/dialog/select_images_post.php validates the image. An obvious logic error is visible here: abnormal symbols in the file name are replaced with ”, and the regular-expression filter that follows is too permissive, which gives rise to the vulnerability.

Modifying the request packet (screenshot in the original advisory)

The resulting vulnerability (screenshot in the original advisory)

An interesting point also came up during the analysis.

Enabling the member feature requires visiting sys_info.php, but that file ultimately calls dede_random_bytes, which contains a check related to MCRYPT_DEV_URANDOM.

If the server was configured by hand rather than with an integrated environment package (taking Debian 9 as an example), the absence of the libmcrypt-dev package leads to a call to the non-existent function is_php, which in turn makes it impossible to set the basic system parameters.

0x02 Remediation advice

1. Rewrite the file extension check.

2. Rename uploaded files uniformly, allowing only image-type extensions.

3. Restrict the upload directory so that PHP cannot execute from it.

Besides the measures above, the code itself can also be changed directly.

Strengthen the affected regular expression so that it only accepts file names ending in one of the $cfg_imgtype types.

include/dialog/select_images_post.php

if(!preg_match("#\.(".$cfg_imgtype.")#i", $imgfile_name))
->
if(!preg_match("#\.(".$cfg_imgtype.")$#i", $imgfile_name))
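An added Python example (not DedeCMS code) that mirrors the two preg_match patterns above to show which file names each accepts, plus the renaming step from recommendation 2; the $cfg_imgtype value is an assumed sample. It also shows that $ still matches before a trailing newline, which a stricter end anchor avoids.

```python
import re

# Sample of what DedeCMS keeps in $cfg_imgtype (assumed value for illustration).
CFG_IMGTYPE = "jpg|gif|png"

# Python equivalents of the PHP patterns "#\.(jpg|gif|png)#i" (original) and
# "#\.(jpg|gif|png)$#i" (patched).  In both PCRE and Python, $ also matches just
# before a final newline, so a third, end-anchored variant uses \Z (PCRE: \z).
LOOSE_RE = re.compile(r"\.(%s)" % CFG_IMGTYPE, re.IGNORECASE)
STRICT_RE = re.compile(r"\.(%s)$" % CFG_IMGTYPE, re.IGNORECASE)
END_RE = re.compile(r"\.(%s)\Z" % CFG_IMGTYPE, re.IGNORECASE)


def passes_loose_check(name):
    """Original check: accepts the name if an image extension appears anywhere in it."""
    return LOOSE_RE.search(name) is not None


def passes_strict_check(name):
    """Patched check from the advisory: the image extension must be the last thing in the name."""
    return STRICT_RE.search(name) is not None


def passes_end_anchored_check(name):
    """Same idea with \\Z, so a trailing newline cannot sit after the extension."""
    return END_RE.search(name) is not None


def rename_upload(name, counter):
    """Recommendation 2: store under a server-chosen name that keeps only the image extension."""
    match = END_RE.search(name)
    if match is None:
        return None
    return "upload_%06d.%s" % (counter, match.group(1).lower())


def compare(names):
    """Map each name to (loose, strict, end-anchored) verdicts for a side-by-side view."""
    return {n: (passes_loose_check(n), passes_strict_check(n), passes_end_anchored_check(n))
            for n in names}


# Constructed file names: the double-extension form is the one the loose pattern lets through.
SAMPLES = ["photo.jpg", "photo.JPG", "photo.jpg.php", "photo.php.jpg", "photo.php", "photo.jpg\n"]
```

photo.php.jpg still passes the patched check, which is why the advisory also recommends renaming uploads and a non-executable upload directory.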

0x03 Timeline

2018-12-11: the CVE Chinese application site publishes the details

2018-12-21: 360CERT publishes this advisory

0x04 References

CVE-2018-20129: DedeCMS V5.7 SP2 front-end file upload vulnerability, CVE Chinese application site (CVE中文申请站)

BrandPost: Think Your SD-WAN Solution is Secure? Think Again


Digital transformation is about much more than moving workflows to the cloud and adopting IoT. It is about retooling the entire network, from the data center to the branch office to mobile devices, to make it faster and more efficient, flexible, and cost-effective. That, in turn, drives the development of things like agile software and application development, and the rethinking of things like remote user and device access to network resources.

Because networks have become so expansive and interconnected, and businesses rely on real-time information to make critical decisions, organizations can no longer afford for branch offices to function as tiny satellites attached to, and dependent on, a remote, centralized network. Instead, today’s cloud-enabled branch offices need to be able to manage and track workflows directly, process transactions at digital speeds, easily participate in global collaboration. And most importantly, they need to provide end users with instant access to digital resources, whether they are located in a central data center, in the cloud, on a local server, or a remote or mobile device.

SD-WAN addresses the challenges of distributed organizations by extending the power and resources of today’s network to the next-generation branch office. It provides real-time access to distributed resources and ensures the optimal performance of the business applications and workflows that today's digital businesses depend upon.

The need for SD-WAN security

As organizations adopt and deploy these new infrastructures, however, each additional ecosystem brings with it its own set of unique security challenges, many of which traditionally isolated security solutions simply don't have the span of control to address. This is part of the reason why, according to a recent Gartner survey, 72% of executives see security as their biggest SD-WAN concern. Compounding the problem further is that SD-WAN is often implemented by network teams that get so caught up in the efficiency and productivity benefits that they don’t even consider security until after an SD-WAN solution has already been selected and deployed.

Unfortunately, SD-WAN vendors don’t make it easier. There are well over 60 different SD-WAN vendors in the market today, and while nearly all of them claim to provide some security, the vast majority only support IPSec VPN and basic stateful security. Given the cybersecurity challenges organizations face today, these tools are nowhere near enough to protect a branch from attack. As a result, most organizations end up having to add additional layers of security after they have already deployed their SD-WAN solution.

The challenges of adding security to SD-WAN after deployment

To address the limited security embedded in most SD-WAN solutions, organizations are forced to consider how to add security to an existing deployment. But in today’s world where complexity is just as much a challenge as performance, advanced security can no longer be added as an afterthought. And yet, that is exactly what most vendors end up recommending. Generally speaking, bolting on an external firewall or deploying additional networking gear loaded with IPS or other security tools is simply not as secure as the security that has been deployed across the rest of the network. For example, SD-WAN security capabilities are generally restricted to basic Layer 3 controls, while advanced―and critical―Layer 4 to Layer 7 capabilities, such as URL filtering, application inspection, and content-specific controls are not provided.

Implementing security as an overlay is also increasingly challenging as many organizations simply do not have the IT resources needed to deploy, implement, fine tune, and manage these additional security elements―especially when deployed at a remote branch office. In addition, many of the legacy security solutions organizations try to add to their SD-WAN deployment have a difficult time adapting to today's dynamically shifting and highly elastic SD-WAN architectures.

In such an environment, the complexity of weaving security into an SD-WAN solution by hand introduces unnecessary overhead and risk. Simply handing off traffic inspection to an entirely separate security solution can also create challenges for latency and time-sensitive applications and workflows. And things like scalability and adaptability can be severely compromised by the inherent limitations of security devices that were just never designed for today's environments.

The power of a native Secure SD-WAN solution

In today’s interconnected environments, with new threats that can span multiple attack vectors, security can’t afford to be a collection of piecemeal solutions operating in isolation. For a security solution to meet the demands of an SD-WAN architecture, however, it needs to share many of the same design tenets, including speed, agility, flexibility, and scalability. Instead, SD-WAN and security need to be as tightly integrated as possible.

Just as important, security also needs to be part of your original SD-WAN planning so security can be thoroughly integrated into the SD-WAN functionality, as well as into and across other security tools, to better detect and prevent today’s advanced threats.Deploying SD-WAN that has been fully integrated into a robust security solution means that the full range of essential security functionality can occur at digital speeds, including:

Native NGFW functionality, including IPS inspection, flexible and scalable VPN, anti-malware, web filtering, sandboxing, and high-performance SSL inspection designed for SD-WAN environments

Centralized collection, correlation, and analysis for all threat intelligence

Consistent security deployment and protection across all interconnected ecosystems

Deep integration between all security elements for advanced threat detection

Automated synchronization between security elements regardless of where they are deployed

Continuous threat assessment to ensure it is able to see and respond to the latest threat vectors

Dynamic threat response that automatically leverages all relevant security technologies to address threats wherever they occur, and at digital speeds.

And because nearly three-fourths of network traffic is now SSL-encrypted―and because SSL inspection requires massive amounts of processing power that cripples nearly every NGFW solution on the market today―relying on bolted-on solutions to inspect encrypted traffic forces organizations either to forfeit the performance advantages of their SD-WAN deployment in favor of security, or simply not to inspect traffic adequately.

Finally, true native management of remote VPN connectivity allows organizations to maintain appropriate levels of security protection and inspection, and to ensure high levels of visibility and control not only for data and applications passing through the SD-WAN environment but for those that span the entire distributed network.

Summing up

The SD-WAN vendor community has not only done a poor job of integrating adequate and meaningful security, it has also not made it easy to integrate a comprehensive security framework into its solutions. This mist

Term Sheet Readers Predict a Recession In 2019


This article originally ran in Term Sheet, Fortune’s newsletter about deals and dealmakers. Sign up here.

Thank you to everyone who responded to the question: “What’s your top business-related prediction for 2019?” This year’s CrystalBall was much darker than years past, with many readers predicting that a recession is around the corner.

Below are your predictions:

RECESSION: Term Sheet readers predict an economic downturn in 2019.

“Huge stock market crash, particularly in the U.S. and U.K., will lead to falling house prices and a long recession.” ― Gareth Stephens

“The relative youth of the tech sector has been an essential part of its decades-long dominance. But in 2019, it is possible that many burgeoning entrepreneurs, investors, and employees in the tech sector will see for the first time what life is like through a recession. While the fundamental drivers of technology will continue to strongly impact innovation across most sectors, an economic downturn will show us which companies, young or not-so-young, are truly able to withstand the slings and arrows of real-world economic cycles.” ― Yann Ranchere, partner at Anthemis

“In 2019, we’re going to hit a recession and small businesses are going to go out of business at a faster rate than they have for a while. The market’s historic high, recent fluctuations, and rising interest rates, there’s a maximum 12-month runway before it drops precipitously. For small business owners, now is the time to reduce expenses, not the time to expand, despite the fact that capital is easily available. The recession will arrive fast and it could be quite painful (or detrimental) for those small businesses that aren’t prepared as consumers pull back on spending.” ― Ian Crosby, CEO & founder of Bench

“Economists and analysts agree that a recession and market correction could happen within the next 12 to 18 months. Since a downturn will likely cascade to many compensation-related issues―such as benchmarking, dilution, goal setting, and disclosure, more companies will devise a ‘CEO Pay playbook’ to handle these facets in a potential downturn.” ― Robin Ferracone, founder and CEO of Farient Advisors

“U.S. China trade war escalates, China’s debt bubble bursts, markets crash to 1929 level and great depression starts off, leading to nationalist riots worldwide in a social media fueled dimension … or party goes on for a year and people talk about the incredible end of Snapchat instead.” ― Tim Bartel

CRYPTO: Readers are betting on the growth of blockchain technology.

“I expect one or more major breakthroughs in blockchain network and infrastructure in 2019. Lack of performance, security and privacy have stunted the adoption of public blockchain technologies at scale.” ― Scott Beechuk, partner at Norwest Venture Partners

“As Bitcoin and Ethereum continue their downward slide, a new protocol will emerge that solves current scalability problems and reignites global interest in blockchain.” ― Aaron Jacobson, partner at NEA

“Activist investing in crypto. Along the lines of what Vista did with smaller SaaS companies.” ― Michael Nov

“Massive hassles for many US-based crypto projects in trying to distribute tokens legally and in maneuvering around the regulators as the rules of the road become more clear.” ― David Pakman, partner at Venrock

“Facebook announces launch of its own blockchain & accompanying development platform for dApps” ― Nikao

“Compliance headaches for banks leads the way for blockchain technology.” ― Navin

M&A: Readers predict some major acquisitions in the coming year.

“Apple will seriously consider buying Tesla.” ― Ajay Chopra, general partner at Trinity Ventures

“With Thomas Kurian at the helm, expect Google Cloud to make a major acquisition to inject enterprise DNA into the company.” ― Aaron Jacobson, partner at NEA

“Uber buys an automaker. Admittedly highly unlikely but fortune favors the bold and all that.” ― JC

“We will see the 2 biggest (notional $) M&A transactions in history. Maybe something big in content and telecom. Comcast/Disney type- thing. Or a big software deal. I’m less convinced of who it will be but more just think the bid for debt is so insatiable that a ‘next level’ deal will get done.” ― Gabe Bassin

“Amazon buys Fitbit. Already making moves in health (lifestyle and healthcare), it’s an Amazon top seller, and they need to make Alexa mobile to compete with Apple Watch.” ― Michael Remondi

“More vertical healthcare consolidation. The Aetna/CVS kind” ― Ian Bongaardt

“Social media sites will seek M&A with large news outlets (e.g. Facebook acquires The New York Times).” ― Michelle Nacouzi, associate at Indicator Ventures

“Dealmakers turn to public markets: Following the buying-binge of recent years, public corporates will continue a recent trend of divestitures and spinouts. Take-private transactions will also rise as valuations for public and private companies converge.” ― Dylan Cox, senior private equity analyst at PitchBook

“Agriculture tech start-ups are looking to revolutionize the industry by developing innovations to solve key challenges in the sector left untouched by bigger organizations. In the process, Big Ag and food companies will be swallowing up these startups at an ever-increasing rate to bolster customer services, automation, market access and expand the ways they do business. Fortunately for the fledgling businesses, monetizing their offerings will matter less than a need to keep up to competition.” ― Darcy Pawlik, vice president of global agriculture at Understory.

… Plus two very specific Salesforce predictions:

“The ongoing corporate investment in providing better digital experiences will continue to drive consolidation in the tech vendor ecosystem, potentially even resulting in a leader like Salesforce or Adobe being acquired.” ― Scott Webb, president of Avionos

“Salesforce is acquired by Amazon or Google.” ― Alex Choy

IPOS: Readers expect 2019 to be a strong year for tech IPOs.

“I expect 2019 to be a very interesting and volatile year that is overall healthy for the venture capital ecosystem. It should be a strong year for IPOs though I think there will be many peaks and valleys along the way. Tech M&A tends to be a stepchild of the IPO market in many ways, so I expect a strong M&A year overall. One thing we will certainly see is a number of companies acquired on the brink of their potential IPO. Once companies are on file, there is some incentive for the super-large strategic buyers to use some of their unprecedented cash hordes to acquire strategic assets. These assets will be more expensive once the companies go public since they will have to pay another premium.” ― Sandy Miller, general partner at IVP

“Big IPOs next year create liquidity for 1000+ employees (like Facebook IPO) + VCs that will lead to an increase in seed activity. This is much needed to allow founder/startups to get funded for riskier ventures that we need, but will create another A crunch by end of 2020.” ― Trace Cohen

“2019 will be a big year for tech IPOs. There will be more market debuts ― and bigger ones ― in 2019 than in 2018.” ― Ajay Chopra, general partner at Trinity Ventures

STARTUPS: Readers predict more money to chase even fewer deals in 2019.

“It’s easier than ever to raise a pre-seed or seed round, but Series A/B investors are setting the bar higher than ever and looking for very strong traction before making an investment. On the flipside, once they see it, they are prepared to write larger checks than before.” ― Matt Hartman, partner at betaworks Ventures

“I think that the piles of VC and PE money will chase even fewer deals than they have been in ’17 and ’18.” ― Elias

“We see a lot more down rounds for unicorns (and soon to be former unicorns!)” ― Angela Graves Winegar

“A record number of new U.S.-based unicorns in 2019 will be based in the Pacific Northwest, and more than half will be based outside of the SF Bay Area.” ― Karan Mehandru, general partner at Trinity Ventures

“On the private investment side, we have begun to see valuations begin to moderate, although they are still at relatively high levels on an historic basis. That said, the quality of the companies we are seeing in the late-stage private market is very impressive and, in fact, the best ever. Particularly, we are seeing a large number of companies with very rapid (40-100% annual) rapid growth at scale (greater than $50MM in revenue).” ― Sandy Miller, general partner at IVP

“The big will get bigger. The great will get bought by them. And trillion-dollar market caps will become more than a temporary phenomenon.” ― Ben Narasin, venture partner at NEA

“Investors start to see how underserved parents are, and ‘parent tech’ gets hot.” ― Turner Novak

…Some specific predictions around digital health:

“Valuations will peak across digital health companies, driven by two factors: the end of our long economic expansion, which will cause investors to pull back, and newer entrants to digital health investing retreating to the industries they know best. But, this will leave a very favorable investing market for proven and steadfast investors in the industry.” ― Keith Figlioli, general partner at LRVHealth

“Filed under ‘about damn time,’ women’s health is finally receiving the attention it has long deserved. The global women’s healthcare market is projected to be $51.3B by 2025. Investors are starting to recognize that products which address problems for half the population, never mind 85% of the decision makers in healthcare, are worth betting on.” ― Cindy Eckert, founder and CEO of The Pink Ceiling

… And founders will be more cognisant of sources of funding:

“2019 will be the Year of Transparency around sources of capital in the venture ecosystem and values-alignment.” ― Patricia Nakache, general partner at Trinity Ventures

“The venture capital industry will continue to evolve and specialize. Entrepreneurs will continue to grow wiser about the importance of selecting an investment partner that is optimized for the current stage of development.” ― John Vrionis, co-founder & partner at Unusual Ventures

…And one prediction about SoftBank’s Vision Fund:

“Softbank announces they will not do another Vision Fund and we start to see large GPs raise smaller funds than the 2016-2018 vintages. All this from experiencing first hand the phenomenon of diminishing returns as fund size increases. I think the toxicity of Saudi money is part of it, but more than anything I think that many of the companies they invested in are now over-capitalized and will suffer as a result. Not all, but I think many will have a lack of fiscal discipline that comes from too much easy money.” ― Erik Berg, investment analyst at Rev1 Ventures

GLOBAL: Readers predict it’ll be a challenging year for global markets.

“China’s economy will experience an accelerated slow down. For the first time, China will experience neutral growth in its manufacturing and real estate sectors. However, other emerging markets, such as Africa, will experience an uptick as the US stops int rate hikes” ― Tala Al Jabri

“I believe 2019 will be a problematic year for the Mexican economy where we will see currency devaluation, higher unemployment, and more social unrest…” ― Elias

“I predict a referendum for a French exit from the European Union.” ― Francisco

“Brexit will be called off and the UK will remain in the EU.” ― Calvin

DATA & PRIVACY: Readers expect more cyber-attacks and data leaks.

“Especially with GDPR & other privacy regulations, organizations’ reputations are on the line as public demand for transparency, security & data privacy roars. Therefore those that thrive not just survive will transform their operating models to DevSecOps given shortage of security professionals.” ― Ramin Sayar, CEO of Sumo Logic

“Attacks on companies will increase. Now that hackers have seen how easy it is to leak data (Facebook, Google, Apple), crimes will become increasingly targeted toward corporations and small businesses, aka ransomware, with a heavy focus on the cloud.” ― Yossi Atias, GM IoT Security at BullGuard

“Large organizations have often expressed uneasiness about moving their data to the cloud despite the common knowledge that cloud providers like AWS are often more secure than the enterprise itself. But despite the massive investments in security infrastructure it is a matter of when not if a major cloud provider will suffer a large-scale breach. Every provider has experienced security breaches and countless outages, but none of these massive data centers have been put to the PR test of a large-scale attack. It’s only a matter of time and it may change the way companies go about their cloud-first strategies.” ― George Avetisov, CEO & co-founder of HYPR Corp.

“In 2019, we will continue to observe that failure to comply with privacy regulations will have a devastating impact on a company’s operations as much as its checkbook. Companies that don’t meet GDPR and other privacy and security requirements will lose business to competitors who do.” ― Chris Babel, CEO of TrustArc

“2019 will be the year of passwordless authentication. Advances in digital user identity analysis, behavioral biometrics and machine learning will enable highly accurate, frictionless access to websites and mobile applications where user sessions are verified behind the scenes with no visible authentication control.” ― Bruce Taragin, managing director at Blumberg Capital

“2019 will see the acceleration of the weaponization of data, a new frontier in the cyber threat landscape where data is manufactured, manipulated and corrupted to disrupt data driven systems and bypassing security defenses designed to detect and defend against penetration.” ― Bob Ackerman founder and managing director of AllegisCyber

VOICE: Readers expect a surge in popularity of voice interfaces.

“2019 will be the breakout year for applications that combine people and things, communicating with each other, whether through voice activated commands (“Alexa, call Mom”), or messaging alerts (“A stranger is on your doorstep”). The lines will blur and tremendous value will be created when companies design applications, connected on secure networks, that make it as easy to develop a relationship with your smart car, smart home, or smart campus as it is to develop a relationship with human beings.” ― Sacha Gera, SVP, PLM & Engineering at Kandy.io

“As they are becoming exponentially smarter, virtual assistants and speech-enabled systems such as Alexa, Siri, Cortana, and Google Home have been increasingly adopted by consumers. We will see this wave spill over into business applications in 2019 driving the development and proliferation of new, “informal” user interfaces driven by speech, gestures, or pen scribbles bringing consumer grade user experiences to the workplace.” ― Peter Maier, co-president of SAP Industries.

ELECTRIC SCOOTERS: Readers expect the e-scooter category to get even hotter in 2019.

“Ridesharing narrows its focus: We expect automakers, ridesharing companies, and investors in the mobility space to increasingly pivot towards last-mile micro-mobility and bundled mobility-as-a-service solutions, marking a secular shift away from pure-play ridesharing applications.” ― Asad Hussain, emerging tech analyst at PitchBook

“Micro-mobility becomes a legit global category fueled by so many other disruptions before it.” ― Candace Locklear, co-founder of Mighty

“Discussions about autonomous vehicles will shift from cars and trucks to e-scooters, which will dominate the emerging mobility landscape in 2019.” ― Ajay Chopra, general partner at Trinity Ventures

NAVEX: a precise and scalable exploit generation tool for dynamic web applications


Author: {wh1t3p1g}@ArkTeam

Original authors: Abeer Alhuzali, Rigel Gjomemo, Birhanu Eshete,

and V.N. Venkatakrishnan, University of Illinois at Chicago

Original title: NAVEX: Precise and Scalable Exploit Generation for Dynamic Web Applications

Venue: the 27th USENIX Security Symposium

Link: https://www.usenix.org/conference/usenixsecurity18/presentation/alhuzali

Modern web applications implement much of their functionality through dynamically generated content, which makes analysing their vulnerabilities challenging. This paper proposes a combination of static and dynamic analysis to automatically identify vulnerabilities and construct exploits for them. The authors implemented the approach as NAVEX, a scalable tool for automated vulnerability analysis and exploit generation. In their experiments, NAVEX built a graph database over 3.2 million lines of PHP code and discovered and generated 204 exploits.

Problem statement

Finding reachable sinks

In a modern web application, the execution path from a source to a sink typically spans multiple modules or files, and along that path there may be sanitizers (1. built-in sanitization functions, 2. implicit sanitization, 3. custom sanitization functions) that safely process a potentially vulnerable source and make the whole execution chain unexploitable. To handle this, the authors use a constraint solver to infer whether a chain is attackable.

The dynamic nature of the web

Modern web applications often generate forms or links dynamically, and static analysis cannot detect such dynamically generated sources. The authors address this with dynamic execution (crawling).

Scalability

Because modern web applications are complex, constructing an exploit requires analysing the client side, the server side and the database. The number of vulnerability types also keeps growing, so an analysis tool must scale to cope with complex and changing web applications.

Proposed approach

The implementation has two parts: a. vulnerable sink identification; b. concrete exploit generation.


Vulnerable sink identification

Attack dictionary {sink, sanitization functions, traversal type, attack string}

Code property graph construction

Sanitization tags and database-constraint tags are added to the code property graph; these later serve as conditions for the constraint solver.

Graph traversal algorithms {forward, backward}

Exploit string generation, which yields the constraint solver's other condition

Concrete exploit generation

Dynamic execution

A crawler collects forms and links, and a constraint solver automatically generates form contents that satisfy the form's requirements, which are then submitted.

Navigation graph generation

The dynamic execution step produces a directed graph G=<N,E>, where N is the set of HTTP requests and E is the set of directed edges ni->nj, each meaning that a form or link in request ni leads to request nj.

Final exploit generation

A search over the navigation graph finds the final URL, and the relevant vulnerability payload is placed in its parameter portion.
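As an added illustration (not code from the NAVEX paper or its authors), the following Python sketch models the two parts described above on constructed data: an attack dictionary and a list of source-to-sink flows stand in for what a backward traversal of NAVEX's code property graph produces, a sanitizer check decides which sinks remain exploitable, and a breadth-first search over a constructed navigation graph G=<N,E> finds the request sequence that reaches the vulnerable page and fills its parameter with the payload. The file names, parameters, edges and flows are all assumptions; NAVEX itself uses a graph database, a crawler and the Z3 solver rather than a set intersection.

```python
"""Sketch of NAVEX-style exploit generation on constructed data.

Added example, not code from the NAVEX paper. The flows, the attack
dictionary and the navigation graph are constructed here; NAVEX derives
them from a code property graph, a constraint solver and a crawler.
"""
from collections import deque

# Attack dictionary: {sink, sanitizers, traversal type, attack string}.
ATTACK_DICT = {
    "sqli": {"sinks": {"mysql_query"},
             "sanitizers": {"mysql_real_escape_string", "intval"},
             "traversal": "backward",
             "payload": "' OR 1=1 -- "},
    "xss": {"sinks": {"echo"},
            "sanitizers": {"htmlspecialchars", "htmlentities"},
            "traversal": "backward",
            "payload": "<script>alert(1)</script>"},
}

# Source-to-sink flows as a backward traversal of the code property graph
# would report them: (file, source parameter, functions on the path, sink).
FLOWS = [
    ("search.php", "q", ["trim"], "mysql_query"),
    ("profile.php", "uid", ["intval"], "mysql_query"),
    ("comment.php", "msg", ["trim"], "echo"),
    ("comment.php", "title", ["htmlspecialchars"], "echo"),
]

# Navigation graph G = <N, E>: nodes are HTTP requests (method, file); edges
# are the forms and links the crawler found leading from one request to the next.
NAV_EDGES = {
    ("GET", "index.php"): [("GET", "login.php"), ("GET", "search.php")],
    ("GET", "login.php"): [("POST", "login.php")],
    ("POST", "login.php"): [("GET", "profile.php"), ("GET", "comment.php")],
    ("GET", "comment.php"): [("POST", "comment.php")],
}

# Parameters each request node accepts (from the crawled forms and links).
NODE_PARAMS = {
    ("GET", "search.php"): ["q"],
    ("GET", "profile.php"): ["uid"],
    ("POST", "comment.php"): ["title", "msg"],
}


def exploitable_sinks(flows, attack_dict):
    """Keep flows whose path carries no sanitizer for the sink's vulnerability class.

    This set intersection is the stand-in for the sanitization constraint NAVEX hands to Z3.
    """
    hits = []
    for file, param, calls, sink in flows:
        for vuln, spec in attack_dict.items():
            if sink in spec["sinks"] and not set(calls) & spec["sanitizers"]:
                hits.append({"file": file, "param": param, "vuln": vuln,
                             "payload": spec["payload"]})
    return hits


def find_path(edges, start, goal):
    """Breadth-first search over the navigation graph; returns the request sequence or None."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in edges.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


def generate_exploits(flows, attack_dict, edges, node_params, entry):
    """Final step: reach the vulnerable request from the entry page and put the payload in its parameter."""
    exploits = []
    for hit in exploitable_sinks(flows, attack_dict):
        for node, params in node_params.items():
            if node[1] != hit["file"] or hit["param"] not in params:
                continue
            path = find_path(edges, entry, node)
            if path is None:
                continue  # sink exists in code, but the crawler found no route to it
            form = {p: "a" for p in params}   # benign filler for the other form fields
            form[hit["param"]] = hit["payload"]
            exploits.append({"vuln": hit["vuln"], "steps": path,
                             "method": node[0], "path": node[1], "params": form})
    return exploits


if __name__ == "__main__":
    for e in generate_exploits(FLOWS, ATTACK_DICT, NAV_EDGES, NODE_PARAMS, ("GET", "index.php")):
        print(e["vuln"], "->", " > ".join(f"{m} {f}" for m, f in e["steps"]), e["params"])
```

Running the block lists two exploits: the SQL injection in search.php is reachable directly from the index page, while the XSS in comment.php needs the login form first, which is exactly the information the navigation graph adds over a purely static flow. The flows through intval and htmlspecialchars are dropped at the sanitizer check.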
Discussion

On top of the code property graph, the authors add sanitization tags and database tags, and use the sanitization constraints, the database query constraints and the attack string constraint as conditions for the Z3 constraint solver, which decides whether a code chain is exploitable. Note, however, that the authors do not explicitly handle vulnerability detection for CMSes built on classes (object-oriented code); this may be worth exploring further. Second, regarding the role of Microsoft's Z3 constraint solver, later research could apply this method to obtain classification effects similar to those of machine learning.

IDG Contributor Network: Real life, why people escape it and bringing them ba ...


Real life is difficult. It’s tedious, filled with peaks of excitement, troughs of desperation, and long valleys of sameness. It’s also filled with repetitive tasks. Due to the modernization of the labor force, cooperative and social work has been replaced with men and women interfacing with machines or having them as communication intermediaries. Consensus and collaboration have been replaced with ones and zeroes, decision trees, and metrics.

This is not only true for work, but also for education. What Frederick Taylor started, measuring work performance and timing, has evolved, and now we’re getting to the point where we measure everything about the workday and work habits, even if someone’s working remotely.

A history of gradual isolation

What this leads to is a sense of profound isolation, and for many, a loss of what it means to be human and alive. This is not how our ancestors lived. Even without technology, people collaborated and cooperated. When the first technological communities, such as Bulletin Board Systems (BBSs), CompuServe, Quantum Link (pre-AOL), Multi-User Dungeons (MUDs), and Internet Relay Chat (IRC) came about, one of the first things each did was to provide some sort of replacement for social communities outside the computer realm.

CB Simulator and Club Caribe from Quantum Link and MUDs, amongst others, provided those escapist fantasies. Instead of sitting isolated in the computer lab late at night, or working on an assignment or experiment, you could be transported off to another world, be someone different, and virtually live a different life. Many people I knew from college flunked out after discovering either MUDs, IRC, or both.

This evolved to Second Life, Everquest, Ultima Online and many of the Massively Multiplayer Online Roleplaying Games (MMORPGs) we have today, such as World of Warcraft. This can also include Fortnite, PUBG, Call of Duty and social media. The next generation of this is virtual reality, which will soon be powerful and small enough to be fully immersive.

What have we created?

We’ve managed to create a substitute for reality without the direct human communication and social cues. This disconnects us from the rest of humanity, and causes people to feel more lonely, isolated, and alone. It also leaves many with a lack of empathy, understanding, or ability to separate real-life experiences and people from their virtual equivalents. All the while, the technology around us serves as a gigantic Skinner Box used to measure our conditioning and quantify our behavior and response.

We’ve managed to create generations of people who respond better to technologies than their peers, who are measured on engagement with technology, and who are, in reality, in a gigantic video game. As the past few years have shown, we’ve had significant decay socially because of this. Violent video games, according to Sestir and Bartholow, in their paper “Violent and nonviolent video games produce opposing effects on aggressive and prosocial outcomes,” increase aggressiveness. Anger and aggressiveness, as I’ve written about before, increase engagement, and ironically, make people buy more.

We’ve also substituted technology for parenthood and extended family interaction. Over the past 30-40 years, the cost of living has increased so much that both parents have to work, and there are also a significant number of single parents. This means that we have a number of children being left to their own devices with little to no supervision, and little control over what they do or access since security is expensive and obstructive for content blocking, and realistically, many people don’t do it.

We also remove degrees of social interaction in other ways. With the emphasis on mobility of families for jobs, extended and close social interactions with close relatives and parents as part of the immediate social circle have decreased. As this has happened, the number of elderly and older relatives staying with their children or grandchildren has decreased. FaceTime and Facebook don’t provide adequate substitutes for close interaction. This potentially leads to more isolation.

What are the effects?

If we make people the hero of their own little world, it gives people more reason to stay. In the real world, they feel like they are nothing. In the computer world, they’re actually something. We have generations of people now who have significant accomplishments online in virtual worlds, and almost none to speak of outside of them. This also leads to people who promise to keep the world the same or enhance personal experiences as being in charge, as opposed to overall improvement of society as a whole, because people can’t (or won’t) see outside their immediate world view.

The algorithms that are used to keep people engaged and keep that positive response don’t have feelings, empathy, or understanding. They just understand that giving more like content means that people spend more time on the site, click more ads, or buy more items to quest on further. Keeping people angry, distracted, detached, and responding to stimuli without major consequences is now big business. Keeping them the hero of their story in a narrative that has them triumphing over the mundane and vanquishing/eliminating their foes dehumanizes those they think are different and lowers the barriers for hatred and resentment. Keeping them in a tunnel where their actions rid the world of evildoers and bring them fame, praise, and victory will keep them engaged, less likely to leave, and more likely to lash out at those that interfere with it or cause withdrawal.

This leads to minor incidents and issues that would otherwise be resolved in minutes in real life, such as losing a video game, having violent consequences, because people become so angry and visceral at any interference with their stimuli that they fake hostage situations so that SWAT teams attack them, sometimes with tragic consequences; organize Distributed Denial of Service (DDoS) attacks on people or companies they don’t like; hack websites that criticize them; and violently oppose and attack others with differing points of view, beliefs, genders, or skin color, as with GamerGate and Charlottesville. The increased detachment leads to more anger and less empathy.

This also leads to people that can be more easily manipulated based on stimuli. If you easily understand what makes people tick, how to make them angry, and how to provide positive stimuli to them, you can direct them to do what you want. It doesn’t have to be conscious.

Was Walter Mitty an infosec professional?

“The Secret Life of Walter Mitty” is a short story about a man leading a normal, albeit boring, life, who is triggered by external stimuli he observes on a shopping trip to have realistic daydream fantasies about leading a more exciting life than the one he has. This reflects an escape from his boring life.

We see the combination of both detachment and loss of emotion/empathy/hope and need to have an escape from the drudgery of normal life and technology in Information Security, much like Walter Mitty.

Information security isn’t always exciting. It’s frustrating. We fight for budgets with everyone else and often lose. We are understaffed and underpaid. We have customers who do not understand what we do. The lack of understanding is often a gulf between cybersecurity, the IT department, and the rest of the organization. Work that should be getting done, such as organization-wide risk assessments, insider threat analysis, or data exfiltration analysis, often dies on the vine due to lack of support or understanding. There is an undercurrent of anger and resentment with many cybersecurity professionals, and a lack of empathy toward their peers.

Th

Cutting out the ‘false positive’ with Lexical Expression Qualifiers


By Guy Bunker

When it comes to traditional Data Loss Prevention (DLP) solutions, the ‘false positive’ is frequently the downfall. This is where an event is triggered by a policy in error. For example, a 16-digit number could be a credit card number, or it could be a reference number. If one is mistaken for the other, then this gives rise to a false positive.

All DLP events need to be investigated, so the false positive has been a time-consuming and painful thorn in the IT department’s daily operation for many years. But ideas and solutions have evolved, and today it is possible to mitigate false positives using Lexical Expression Qualifiers (LEQs), which reduces the burden on already overstretched IT departments.

Data detection challenges

DLP systems are used to detect and prevent sensitive data contained within a network from being shared outside the network without authorization. The types of sensitive data that need to be protected vary with the industry in which an organization operates. Some examples include credit card data, bank account numbers, patient IDs, passport numbers, employee addresses, or customer account and contact data. Obviously, DLP technology needs to be able to recognize numerical or alphabetical sequences depending on the type of data it’s being asked to detect.

For example, when it comes to recognizing a credit card number, there is a well-known method called the Luhn check, which verifies the check digit of a card number and so rejects roughly nine out of ten random 16-digit numbers. A Luhn check can be run in conjunction with a Bank Identification Number (BIN) check on the leading digits to further reduce the possibility of the technology mis-recognizing the number as a valid credit card, creating a ‘false positive’ and blocking an email communication that did not need to be blocked.

This is all fine, but what about numbers which have no Luhn or BIN check? Numbers like customer account numbers, patient IDs or passport numbers are generally 6 to 10 digits and may or may not have an alphabetic prefix. Even with a prefix, such a number is frequently recognized by the technology as something other than what it is. With the advent of web applications and very long URLs, even a run of digits inside a URL can be misinterpreted as a valid credit card number, complete with a passing Luhn check!
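To make the Luhn and BIN checks concrete, here is an added Python example (not Clearswift code) that scans text for 16-digit runs and separates those that merely pass the Luhn check from those that also carry a known issuer prefix. The BIN prefix table is a constructed stand-in for a real issuer list, and the sample text is constructed to contain the URL case described above: a tracking ID that passes the Luhn check but has no plausible BIN, which is exactly the false positive the BIN check removes.

```python
"""Luhn and BIN checks for credit-card candidates in a DLP scanner.

Added example, not Clearswift code. The BIN table and the sample text are
constructed for illustration; a real deployment loads an issuer BIN list.
"""
import re

# Constructed BIN table: the leading digits of Visa (4) and Mastercard (51-55)
# cards. Assumed here to be the only issuers the scanner knows about.
KNOWN_BIN_PREFIXES = ("4", "51", "52", "53", "54", "55")

# A 16-digit run not embedded in a longer digit string.
CANDIDATE_RE = re.compile(r"(?<!\d)\d{16}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string satisfies the Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def bin_known(digits: str) -> bool:
    """Return True if the number starts with a prefix from the BIN table."""
    return digits.startswith(KNOWN_BIN_PREFIXES)


def find_card_numbers(text: str) -> dict:
    """Classify every 16-digit run: Luhn-only (likely false positive) or Luhn plus BIN."""
    result = {"luhn_only": [], "luhn_and_bin": []}
    for match in CANDIDATE_RE.finditer(text):
        number = match.group()
        if not luhn_valid(number):
            continue            # random digit run, drop it
        if bin_known(number):
            result["luhn_and_bin"].append(number)
        else:
            result["luhn_only"].append(number)
    return result


# Constructed sample: an order reference that fails Luhn, a Visa test number,
# and a tracking ID in a URL that passes Luhn but has no known issuer prefix.
SAMPLE_TEXT = (
    "Order ref 1234567890123456 shipped. "
    "Card 4111111111111111 on file. "
    "Track at https://example.invalid/track?id=7000000000000005"
)

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_TEXT))
```

Only the Visa test number ends up in `luhn_and_bin`; the URL tracking ID survives the Luhn check alone, which is why a policy that fires on Luhn alone would have blocked this message.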

With traditional DLP technologies, false positives have been the bane of these solutions since their inception. Once the system has detected what it takes to be sensitive data, it blocks the communication until the IT department can review it and release it.

Clearswift’s Adaptive Redaction functionality (available in all its core email and web solutions) mitigates the false positive issue by removing just the data which breaks policy and leaving the rest to continue to its destination without delay. In most cases this works well and ensures secure and continuous collaboration. Furthermore, where the unmodified data might be required, the original message or file can be quickly reviewed and released. However, there are situations where redacting the information still creates an issue, because the information is actually required and the review/release cycle takes too long. In these instances, there is another piece of functionality which can be used: the Lexical Expression Qualifiers (LEQ) file.

Leveraging Lexical Expression Qualifiers (LEQs) to mitigate false positives

LEQs can be used as a method to validate information found against an external data source, for example a system database storing sensitive data. At the simplest level, this database could be holding customer or patient data, including ID numbers. To prevent patient IDs from being shared outside of the organization through company systems such as email, a DLP system would need to verify that, for example, a 10-digit patient ID number it has detected within an email matches a patient ID number from the database. But of course, there is a possibility that the number that has been detected is a false positive.

To prevent a false positive, the patient ID number can be augmented with another value from the same database record, for example the patient’s surname. So, if both the patient ID number and the surname are detected, the chances are that the patient ID number is indeed an ID number and not just another numerical figure. This additional LEQ checking can be extended to the patient ID number, the first name, the surname and the date of birth. The more information verified through LEQs, the more certain the system can be of an appropriate policy match.


Setting up LEQs

The idea behind LEQs is great, but how does this actually work? For system administrators the thought of an external system constantly sending queries to the database is not one which is acceptable for performance reasons. And, the idea of duplicating the data within another system is out the question.

The answer to this is to take a database extract which contains the appropriate information for the DLP system to use. The extract can be taken as frequently as required, at a time when normal day-to-day business is not impacted. Typically, this occurs in the early hours each morning and is fully automated. The resulting extract is then transformed into a series of one-way hashed values for each of the fields before being securely transferred to, and imported by, the security gateway.


This one-way transformation means that even if the LEQ file were to fall into unauthorized hands, the original values cannot be read out of it directly. One caveat a practitioner should keep in mind: fields with a small value space, such as 10-digit IDs or dates of birth, can be recovered from an unsalted hash by simply hashing every possible value, so the export should use a keyed hash (an HMAC) whose key is held only by the export job and the gateway. The email or web gateway can then use the information in the LEQ file without impacting the performance of the database or the business.
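The following Python example, added here and not Clearswift’s implementation, walks the LEQ workflow end to end on constructed records: the export job turns each record into keyed hashes, and the gateway hashes the tokens of the message it is inspecting and confirms a candidate ID only when qualifier fields from the same record are also present. The gateway secret, the HMAC-SHA256 construction, the regular expressions and the sample records and messages are this example’s assumptions; the article itself says only that the fields are one-way hashed.

```python
"""LEQ-style qualifier matching on a hashed database extract.

Added example, not Clearswift code. Records, messages and the gateway key
are constructed for illustration.
"""
import hashlib
import hmac
import re

# Assumed: a secret shared only by the nightly export job and the gateway,
# so the hashed extract cannot be brute-forced by whoever obtains the file.
GATEWAY_KEY = b"assumed-gateway-secret-rotate-in-production"

# Constructed stand-in for the nightly database extract.
PATIENT_RECORDS = [
    {"patient_id": "1029384756", "surname": "Okafor", "dob": "1984-03-12"},
    {"patient_id": "5647382910", "surname": "Lindqvist", "dob": "1971-11-30"},
]


def tag(value: str) -> str:
    """Keyed one-way hash of a normalised field or token."""
    normalised = value.strip().lower().encode()
    return hmac.new(GATEWAY_KEY, normalised, hashlib.sha256).hexdigest()


def build_leq_file(records) -> dict:
    """Export step: map hashed ID -> hashed qualifier fields. Only this reaches the gateway."""
    return {
        tag(r["patient_id"]): {"surname": tag(r["surname"]), "dob": tag(r["dob"])}
        for r in records
    }


# Candidate IDs are exactly 10 digits; qualifier tokens are words or ISO dates.
ID_RE = re.compile(r"(?<!\d)\d{10}(?!\d)")
TOKEN_RE = re.compile(r"\d{4}-\d{2}-\d{2}|[A-Za-z]+")


def leq_matches(message: str, leq: dict, required_qualifiers: int = 1) -> list:
    """Gateway step: return (candidate ID, qualifier hits) for IDs confirmed by the LEQ file."""
    token_tags = {tag(t) for t in TOKEN_RE.findall(message)}
    confirmed = []
    for candidate in ID_RE.findall(message):
        record = leq.get(tag(candidate))
        if record is None:
            continue                      # 10 digits, but not a known ID
        hits = sum(1 for q in record.values() if q in token_tags)
        if hits >= required_qualifiers:
            confirmed.append((candidate, hits))
    return confirmed


# Constructed messages: a genuine referral, an invoice whose number happens to
# equal a patient ID (the false positive), and an unrelated phone number.
MSG_TRUE = "Referral for patient 1029384756 (Okafor, DOB 1984-03-12) attached."
MSG_FALSE = "Invoice 5647382910 for Dr Smith is due on 2019-01-15."
MSG_UNKNOWN = "Call 0201234567 for support."

if __name__ == "__main__":
    leq = build_leq_file(PATIENT_RECORDS)
    for msg in (MSG_TRUE, MSG_FALSE, MSG_UNKNOWN):
        print(leq_matches(msg, leq), "<-", msg)
```

The invoice message contains a number that is byte-for-byte a real patient ID, so an ID-only policy would block it; because neither the surname nor the date of birth from that record appears, the LEQ check lets it through, while the referral is confirmed with two qualifiers. Raising `required_qualifiers` trades recall for precision exactly as the article describes.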

It takes a little time to set up, but once it is set up it is fully automated, and the end result is the mitigation of false positives, which reduces the operational time spent fixing false positives and, most importantly, enhances the protection of sensitive information.

With more and more sensitive information being transferred between an ever-increasing number of individuals for business, it is critical to put modern measures in place to keep data secure at all times. So, while traditional DLP policies can create issues which slow collaboration down, advanced features such as Adaptive Redaction and LEQ files are designed to mitigate the false positive while keeping information safe and the business running at full speed.

At Clearswift, our customers can leverage LEQs from within our core email and web products along with a multitude of advanced threat prevention and data protection features. Contact our team for a discussion or demonstration of our technology today.

More information:

Contact the Clearswift Team

Clearswift Email Security Products

Clearswift Web Security Products

Adaptive Data Loss Prevention

Hacker discloses an unpatched Windows 0-day vulnerability


On December 20, a hacker (Evil_Polar_Bear) disclosed an unpatched Microsoft Windows 0-day vulnerability. Notably, the flaw the researcher found was not submitted to Microsoft. Since the vulnerability was first disclosed, it has remained openly available to the public.

For security reasons, many system-level files are not allowed to be run, and for some system-level folders users are even prompted that they lack permission.

The newly discovered security vulnerability uses Microsoft's advertising component to read arbitrary files, but fortunately the potential harm of this vulnerability should not be especially great.



https://t.co/yHxeJRyQrC New 0day. My github got taken down. And screw it, I'm not going to get anything for this bug anymore. So you can all go fuck yourselves. Bye, happy holidays.

― SandboxEscaper (@Evil_Polar_Bear) December 20, 2018

MsiAdvertiseProduct is Microsoft's advertising component, which Microsoft describes as generating an advertise script, assigning registry and shortcut entries, and so on.

A function called by this component causes the installer to copy any file at runtime. An attacker could use this vulnerability to read all files on the system.

Although Microsoft has also deployed a security policy in this component to check files, a race condition can completely bypass Microsoft's mandatory security check.

Compared with other vulnerabilities, this one can only read arbitrary files, not write them, so an attacker cannot use it to insert malware.

At the same time, this vulnerability cannot be executed remotely. To use it, a user would have to be induced to download and install an executable file.

So, based on current reports, the impact of the vulnerability should not be large, but high-security environments still need to be aware of the risk of file leakage.


Permanent link to this article: https://www.linuxidc.com/Linux/2018-12/155962.htm


Apple changes how it reports U.S. national security requests


“Apple Inc on Thursday changed how it reports on U.S. national security requests for user data, bringing its procedures more in line with those of technology rivals such as Microsoft Corp and Alphabet Inc’s Google,” Stephen Nellis reports for Reuters.

“In its first-half 2018 transparency report on government data requests to its website, Apple separated out National Security Letters and requests under the Foreign Intelligence Surveillance Act, or FISA. Apple had combined numbers for the two items since it began reporting them in 2014. Apple had previously published its aggregate number sooner than other technology companies that broke them out separately because the FISA numbers are subject to a six-month reporting delay by law,” Nellis reports. “Apple will also report the number of FISA requests for a user’s content versus those not inquiring about such content.”

“The changes will mean longer delays in Apple’s reporting of overall national security requests,” Nellis reports. “But the new format is similar to those for companies such as Microsoft and Google, making it easier for researchers and the public to compare.”

Read more in the full article here.

MacDailyNews Note: Apple’s latest Transparency Report, which covers January-June 2018, is here.

Is quantum computing a cybersecurity threat?


Codes can be simple or advanced. Credit: Derek Rose/flickr.com, CC BY

Cybersecurity researchers and analysts are rightly worried that a new type of computer, based on quantum physics rather than more standard electronics, could break most modern cryptography. The effect would be to render communications as insecure as if they weren't encoded at all.

Fortunately, the threat so far is hypothetical. The quantum computers that exist today are not capable of breaking any commonly used encryption methods. Significant technical advances are required before they will be able to break the strong codes in widespread use around the internet, according to a new report from the National Academy of Sciences.

Still, there is cause for concern. The cryptography underpinning modern internet communications and e-commerce could someday succumb to a quantum attack. To understand the risk and what can be done about it, it's important to look more closely at digital cryptography and how it's used and broken.

Cryptography basics

At its most basic, encryption is the act of taking an original piece of information, a message for instance, and following a series of steps to transform it into something that looks like gibberish.

Today's digital ciphers use complex mathematical formulas to transform clear data into and out of securely encrypted messages to be stored or transmitted. The calculations vary according to a digital key.

There are two main types of encryption: symmetric, in which the same key is used to encrypt and decrypt the data; and asymmetric, or public-key, which involves a pair of mathematically linked keys, one shared publicly to let people encrypt messages for the key pair's owner, and the other stored privately by the owner to decrypt messages.

Symmetric cryptography is substantially faster than public-key cryptography. For this reason, it is used to encrypt all communications and stored data.


The insides of an IBM quantum computer. Credit: IBM Research, CC BY-ND

Public-key cryptography is used for securely exchanging symmetric keys, and for digitally authenticating or signing messages, documents and certificates that pair public keys with their owners' identities. When you visit a secure website, one that uses HTTPS, your browser uses public-key cryptography to authenticate the site's certificate and to set up a symmetric key for encrypting communications to and from the site.

The math for these two types of cryptography is quite different, which affects their security. Because virtually all internet applications use both symmetric and public-key cryptography, both forms need to be secure.

Breaking codes

The most straightforward way to break a code is to try all the possible keys until you get the one that works. Conventional computers can do this, but it's very difficult. In July 2002, for instance, a group announced that it had found a 64-bit key, but the effort took more than 300,000 people over four and a half years of work. A key twice the length, or 128 bits, would have 2^128 possible solutions, more than 300 undecillion, or a 3 followed by 38 zeroes. Even the world's fastest supercomputer would need trillions of years to find the right key.

A quantum computing method called Grover's algorithm, however, speeds up the process, turning that 128-bit key into the quantum-computational equivalent of a 64-bit key. The defense is straightforward, though: make keys longer. A 256-bit key, for example, has the same security against a quantum attack as a 128-bit key has against a conventional attack.

Handling public-key systems

Public-key cryptography, however, poses a much bigger problem, because of how the math works. The algorithms that are popular today, RSA, Diffie-Hellman and elliptic curve, all make it possible to start with a public key and mathematically compute the private key without trying all the possibilities.

For RSA, for instance, the private key can be computed by factoring a number that is the product of two prime numbers, as 3 and 5 are for 15.


A pair of keys can help strangers exchange secure messages. Credit: David Göthberg/Wikimedia Commons

So far, public-key encryption has been uncrackable by using very long key pairs like 2,048 bits, which corresponds to a number that is 617 decimal digits long. But sufficiently advanced quantum computers could crack even 4,096-bit key pairs in just a few hours using a method called Shor's algorithm.

That's for ideal quantum computers of the future. The biggest number factored so far on a quantum computer is 15, just 4 bits long.
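To make the two claims concrete, here is an added Python example (written for this page, not from the article or the National Academies report) showing the square-root effect of Grover's algorithm on symmetric key strength and the factoring route from an RSA public key to its private key. The RSA primes are the small textbook values 61 and 53, an assumption chosen so that trial division, which stands in here for the factoring step Shor's algorithm would speed up on a real quantum computer, finishes instantly.

```python
"""Added illustration (not from the article): why a symmetric key survives
Grover's algorithm once its length is doubled, and why factoring the modulus
hands over an RSA private key. All numbers are toy values for the demo."""
from math import gcd, isqrt


def brute_force_keyspace(bits: int) -> int:
    """Number of candidate keys a classical exhaustive search must consider."""
    return 2 ** bits


def grover_equivalent_bits(bits: int) -> int:
    """Grover's algorithm needs about sqrt(2**bits) = 2**(bits/2) evaluations,
    so a key of `bits` bits resists a quantum search roughly as well as a key
    half that length resists a classical one (128 -> 64, 256 -> 128)."""
    return bits // 2


def factor_by_trial_division(n: int) -> tuple:
    """Classical factoring of a toy RSA modulus. Feasible only for tiny n;
    this is exactly the step Shor's algorithm makes fast for real moduli."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError("n has no non-trivial factor")


def rsa_private_exponent(n: int, e: int) -> int:
    """Recover d from the public key (n, e) once n has been factored:
    phi = (p-1)(q-1) and d = e^-1 mod phi. Nothing is guessed by brute force."""
    p, q = factor_by_trial_division(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse, Python 3.8+


def rsa_toy_keypair():
    """Textbook RSA with constructed primes 61 and 53 (assumption: toy size)."""
    p, q = 61, 53
    n = p * q                      # 3233
    phi = (p - 1) * (q - 1)        # 3120
    e = 17
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)            # 2753
    return (n, e), d


def demo() -> dict:
    """Encrypt with the public key, then decrypt with a private exponent
    recovered purely from (n, e)."""
    (n, e), d = rsa_toy_keypair()
    m = 65
    c = pow(m, e, n)
    recovered_d = rsa_private_exponent(n, e)
    return {
        "n": n,
        "d": d,
        "recovered_d": recovered_d,
        "plaintext_recovered": pow(c, recovered_d, n) == m,
        "keyspace_128": brute_force_keyspace(128),
        "grover_128": grover_equivalent_bits(128),
        "grover_256": grover_equivalent_bits(256),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point of `rsa_private_exponent` is that it never searches the key space: given the factors of n, the private exponent is a single modular inversion. Replacing `factor_by_trial_division` with a fast factoring method is the whole of the quantum threat to RSA, which is why the defence for public-key systems is different algorithms rather than longer keys.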

The National Academies study notes that the quantum computers now operating have too little processing power and are too error-prone to crack today's strong codes. The future code-breaking quantum computers would need

Video sensors, medical devices and security worries -- IoT predictions for 2019



More and more devices in our homes and workplaces are gaining smart capabilities as the Internet of Things starts to move from niche to mainstream.

But greater adoption also means an expanded threat surface. So what can we expect to see from the IoT in 2019? We’ve rounded up the opinions of some industry experts.

Manufacturers are increasingly turning to smart features to make their products stand out, says DH2i CEO and co-founder, Don Boxley. "Making smart products, IoT devices, is the new product differentiator -- even ovens have IP addresses now. Companies that have been investing in IoT initiatives understand that the IoT gateway layer is the key that unlocks a high return on those IoT investments. IoT gateways manage device connectivity, protocol translation, updating, management, predictive and streaming data analytics, and data flow between devices and the cloud. Improving the security of that high data flow with a Zero Trust security model will drive enterprises to replace VPNs with micro-perimeters. Micro-perimeters remove an IoT device's network presence eliminating any potential attack surfaces created by using a VPN."

Sastry Malladi, CTO of FogHorn thinks a new generation of audio and video sensors will bring big advantages. "There is industry-wide excitement about the capabilities that audio and video sensors can bring to the IIoT. Edge computing technology can play an important role in the further deployment of audio and video data in commercial and industrial IoT systems. The fusing of asset data with audio and video analytics will allow for faster and more accurate device and machine maintenance (including updates on systems health and more), and a whole host of new innovative applications. One such example of the video analytics is the use of flare monitoring at oil and gas operations to track environmental compliance and flare state remotely for large volumes of flare stack towers."

Connected medical devices will deliver benefits too but these don’t come without risks says Marcin Kleczynski, CEO of Malwarebytes . "With the ability for medical devices to connect directly to the Web, the growing Internet of Things (IoT) model offers many benefits. Greater connectivity means better data and analytics and patient care, but it also opens the door for data loss of personal health information and unauthorized access to devices. The healthcare industry will need to closely examine a new era of connectivity and patient security. Similar to the electronic health record conversion, security protocols will need to change and evolve to meet the growing threat. Devices should have strict authentication, limited access and heavily scrutinized device-to-device communications. Encryption will be a crucial element of securing these devices, a responsibility that if not adopted by device providers and manufacturers, is likely to be driven by third-party security providers."

The industrial Internet of Things is also expected to introduce new risks for businesses, says Ophir Gaathon, CEO and co-founder of DUST Identity. "Industrial IoT is driving an explosion of connected parts and assets. From power plants to vehicles and HVAC systems. More connectivity and accessibility introduces more attack vectors, and thus ensuring the integrity of the parts is more critical than ever before. Asset owners' control over their parts supply chain is diminishing -- leading to higher risk and greater impact of breach and disruption. Without a new approach and use of modern tools, the changing threat environment, compounded by the anticipated increase in regulatory pressure, companies and government stakeholders will experience a significant increase in resource allocation to stay compliant."

The potential for attacks on IoT devices and infrastructure worries many experts. Gene Stevens from Protectwise says, "The number of incidents occurring from unknown attack surfaces within an organization could increase, such as IoT and BYOD. Publicly accessible private data and poorly secured devices are expected to increase into 2019 due to the addition of IoT and cloud services by organizations while lacking the proper network hardening and monitoring capabilities."

This is a particular worry for industrial installations believes Justin Fier, director of cyber intelligence and analysis at Darktrace . "Since the attacks on the Ukrainian power grid in 2016, and Triton in 2017, attacks on industrial environments have become mainstream. With several nation states providing warnings in 2018 about ongoing targeting of their energy grids, 2019 looks set for increasing numbers of high profile cyber-attacks on our critical infrastructure. Darktrace is specifically looking at three threat vectors: smart meters and IoT devices, disruption of core logistics and transportation services (specifically in shipping), and sporting events infrastructure."

This is echoed by Joe Lea, VP of product at Armis: "Since the Mirai botnet in 2016, we’ve witnessed a rapid evolution of IoT attacks. Within the past year alone, IoT devices have been harnessed maliciously for cryptomining, ransomware and mobile malware attacks. In 2019, IoT threats will become increasingly sophisticated, shifting from botnets and stray ransomware infections to APTs for surveillance, data exfiltration and direct manipulation of the physical world to disrupt operations."

Do you have any other hopes for, or worries about, the spread of IoT devices? Let us know.

Image credit: Jirsak / Shutterstock

US Lawmakers File Bill to Exclude Cryptocurrencies From Securities Definition


Regulation | By Kevin Helms

Two U.S. congressmen have introduced a bill aimed at amending the country’s securities laws to exclude cryptocurrencies from the definition of a security. The bipartisan bill also seeks to adjust taxation and create tax exemptions for certain cryptocurrency transactions.

Also read: Indian Supreme Court Moves Crypto Hearing, Community Calls for Positive Regulations

Bill Introduced
U.S. Reps. Warren Davidson, R-Ohio, and Darren Soto, D-Fla, introduced a bipartisan bill on Thursday aimed at excluding cryptocurrencies from the definition of a security. The bill, called the Token Taxonomy Act, seeks “To amend the Securities Act of 1933 and the Securities Exchange Act of 1934 to exclude digital tokens from the definition of a security,” according to the text of the bill.
It also directs the Securities and Exchange Commission (SEC) “to enact certain regulatory changes regarding digital units secured through public key cryptography.” Moreover, it seeks to “adjust taxation of virtual currencies held in individual retirement accounts, to create a tax exemption for exchanges of one virtual currency for another, to create a de minimis exemption from taxation for gains realized from the sale or exchange of virtual currency for other than cash, and for other purposes.”

Cnbc explained that the bill resulted primarily from a September roundtable hosted by Davidson. More than 50 industry participants attended, including Fidelity, Nasdaq, State Street, Andreessen Horowitz and the U.S. Chamber of Commerce, the news outlet noted, adding that this bill has been in the works for months.

Changing the Law
The bill introduced on Thursday defines digital tokens and clarifies why securities laws do not apply to cryptocurrencies. Currently, the SEC uses the Howey Test to determine whether a cryptocurrency is a security.

Last month, U.S. District Judge Gonzalo P. Curiel ruled that the commission had not succeeded in showing the court that Blockvest tokens were securities under the Howey Test. The agency has been cracking down on numerous cryptocurrency projects this year.

SEC Chairman Jay Clayton has emphasized that he does not intend to update the commission’s standards to include cryptocurrencies. At the Senate hearing earlier this year, he said that every ICO he had seen is a security. The only exceptions were BTC and ETH, he clarified, noting that the two cryptocurrencies are regulated as commodities by the Commodity Futures Trading Commission (CFTC).

“This week’s bill is largely symbolic,” Cnbc elaborated. “Friday is likely the last day Congress is in session and the bill will need to be reintroduced next year, when Democrats are in control of the House.”

Do you think cryptocurrencies will be excluded from the definition of a security? Let us know in the comments section below.

Images courtesy of Shutterstock.

Need to calculate your bitcoin holdings? Check our tools section.

We Asked a Hacker Who Spoke to a Guy Through His Nest Cam Why He Did It


In early November, 22-year-old Hank Fordham logged into an Arizona man’s Nest security camera from his home in Calgary, Alberta, and started broadcasting his voice , talking to the owner directly and warning him about his insecure device. It wasn’t the first time that Fordham had done this.

In the last year, Fordham says he and his colleagues in the Anonymous Calgary Hivemind―a collective of white hat hackers―have hacked into between five and 10 different smart home security camera accounts and communicated with people on the other end.

Fordham told me in a phone call that his goal in the much-publicized Arizona incident wasn’t to frighten anyone, he simply wanted to warn users about the fact that their accounts weren’t as secure as they may have thought.

“The goal was that after enough interaction we would prompt some kind of response from Nest in the form of mitigating the vulnerability,” Fordham said.

I contacted Fordham via the Anonymous Calgary email. Someone responded and said they would put the right person in touch. Shortly after I got an email, Twitter DM, and voicemail all from Fordham. He even recited my initial email to Anonymous Calgary back to me in the voicemail to verify that he got my information from the group.

Read more: More Than 120,000 Internet Connected Cameras Can Be Easily Hacked, Researcher Warns

Fordham told me he gained access through a simple technique known as credential stuffing. When a large scale data breach happens, such as the Quora leak earlier this month, the database of stolen information―which may include emails and associated passwords―often gets bought and sold across the web. Those lists of emails and passwords can be easily accessed; you don’t even need to go on the dark web.

If you use the same email and password to log in to multiple accounts, a hacker can easily gain access to them just by popping in credentials leaked in a previous breach. There is even software that will automatically try the logins of all the users in a dataset to find which ones work. It makes it an all-too-easy hack to pull off, Fordham warned.
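Two defensive checks that follow from the credential stuffing technique just described, as an added Python example (written for this page, not Nest's or Motherboard's code). The authentication log lines and the list of compromised passwords are constructed for the demonstration; the prefix-range lookup mirrors the layout of the Have I Been Pwned Pwned Passwords API, but here it queries a local table so the example runs offline.

```python
"""Added example (not from the article): two defensive checks against
credential stuffing. Log lines and the breached-password list are constructed
for the demonstration."""
import hashlib
import re
from collections import defaultdict

# Constructed authentication log: timestamp, source IP, account, result.
# The first source walks a leaked list (one try per account); the second is a
# single user retrying their own password.
AUTH_LOG = """\
2018-12-20T03:00:01Z 203.0.113.7 alice@example.com FAIL
2018-12-20T03:00:02Z 203.0.113.7 bob@example.com FAIL
2018-12-20T03:00:02Z 203.0.113.7 carol@example.com OK
2018-12-20T03:00:03Z 203.0.113.7 dave@example.com FAIL
2018-12-20T03:00:04Z 203.0.113.7 erin@example.com FAIL
2018-12-20T03:00:05Z 203.0.113.7 frank@example.com FAIL
2018-12-20T03:01:10Z 198.51.100.4 alice@example.com FAIL
2018-12-20T03:01:15Z 198.51.100.4 alice@example.com OK
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def flag_stuffing_sources(log_text: str, min_accounts: int = 5):
    """Return source IPs that tried at least `min_accounts` distinct accounts.

    A human mistyping a password hits one account repeatedly; a credential
    stuffing tool replays a leaked list, touching many accounts once each.
    The single OK from the flagged source is the reused password it found."""
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the detector
        _, ip, account, _ = m.groups()
        accounts[ip].add(account)
    return sorted(ip for ip, accs in accounts.items() if len(accs) >= min_accounts)


# Constructed stand-in for a "known compromised" password list, stored as
# SHA-1 hashes grouped by a 5-hex-character prefix. This is the k-anonymity
# range layout: a client sends only the prefix and compares suffixes itself,
# so the candidate password never leaves the client.
_COMPROMISED = ["password", "123456", "letmein"]
COMPROMISED_RANGES = defaultdict(set)
for _pw in _COMPROMISED:
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    COMPROMISED_RANGES[_h[:5]].add(_h[5:])


def password_is_compromised(password: str) -> bool:
    """Reject a new password if its hash appears in the compromised ranges."""
    h = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = h[:5], h[5:]
    return suffix in COMPROMISED_RANGES.get(prefix, set())


if __name__ == "__main__":
    print(flag_stuffing_sources(AUTH_LOG))
    print(password_is_compromised("password"), password_is_compromised("correct horse battery staple 2018"))
```

The first check belongs at the login endpoint's rate limiter: one source cycling through many different accounts in seconds is the signature of a tool replaying a leak, whatever the success rate. The second belongs at password change and sign-up, which is the point at which a service can stop a password already known from another site's breach from being reused for a camera account.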

“There are plenty of these tools becoming available even on the clear web,” Fordham said. “It’s not even uncommon now to go on Facebook and find Fortnite cracking groups, with younger people selling Fortnite accounts they’ve received through this exact same method. There are literally kids out there doing this.”

The Arizona call in early November was filmed by the Nest user himself, Phoenix-based realtor Andy Gregg. Gregg then shared the video with a local news source to try to raise awareness about the risks of insecure internet-connected devices. In the video, Fordham’s voice can be heard over the speaker telling Gregg that he was contacting him in the creepiest way possible to warn him.

Motherboard was able to verify that Fordham was the same person who hacked the device through screenshots he shared that included the name of the camera Gregg set up, which we corroborated with Gregg. He also had Gregg’s email address, and Gregg said he had spoken to Fordham over the phone since the incident and is convinced it is the same person.

Gregg told me he has since unplugged his Nest cam altogether and does not plan to use it anymore, even with a different password or two-factor authentication enabled, because he’s too disturbed by the whole experience.

“It was so freaky,” Gregg said. “It was a similar feeling to how I imagine it feels to get robbed, with all your stuff scattered everywhere. I was totally freaked out.”

Fordham told me he recognized how creepy this approach is, and said he and his fellow hackers agonized a bit over whether this was the best way to contact people.

“Usually we would send out mass emails [to alert people], which generally get ignored,” Fordham said. “After talking with a few other users in the Hivemind and discussing that there was nothing being done, so we decided to contact a handful of users.”

It’s a scenario that Fordham is convinced could have been avoided if Nest took some simple precautionary measures, he told me, such as prompting users to set up two-factor authentication (2FA) and to change their re-used passwords when they have been compromised in a hack on another site.

Nest has previously sent out emails to users when their password has been detected in a leak, as it did May this year . Gregg told me he never received such an email.

“Nest has reset all the accounts where customers reused passwords that were previously exposed through breaches on other websites and published publicly,” a Nest spokesperson told me in an email. “For added password security, we’re preventing customers from using passwords which appear on known compromised lists. As before, we encourage all customers to use two-factor verification for added account security, even if your password is compromised.”

But Fordham, who himself is a Nest user, said it’s not really intuitive to set up 2FA for a Nest unit, and it’s clear that not all users are getting the message, as evidenced by the number of accounts Fordham and his fellow hackers at the Calgary Anonymous Hivemind logged into. Fordham told me about one user, a hair salon in Toronto, that also recorded the encounter, though he hasn’t seen the footage shared online yet.

While taking the time to set up basic security and privacy protections can help reduce the risk of this kind of thing happening to you, it’s also a good reminder that big corporations don’t necessarily have your privacy and security top of mind.

Many people take for granted that nobody is peering into their home through their internet-connected cameras, but that’s not an assumption that’s safe to make.
