马上就要年终了，在这辞旧迎新的时刻，让我们一起回望2018，展望2019，看看今年的“最烂密码榜单”，这次你上榜了吗？

打开2018年最烂密码榜单，首先揭晓TOP1――“123456”，从2014年开始连续五年夺冠，成为当之无愧的最“烂”！

不仅如此，从下面的统计表格来看，最近五年的最烂密码前五其实都变化不大，除了“111111”在2016年突然冲进榜单之外，其他时间都是由“12345”及相关相对简单的数字组合占据前位。而“qwerty”进榜的主要原因是键盘右上方的六位字母组合而成。

榜单信息来源人民日报、密码管理公司 SplashData

所谓“烂都有烂的道理”，而这些“最烂密码”的共同特质都是简单、方便记忆。除此之外，也在一定程度上反映了我们当下对于密码的使用习惯和困扰。

1. 密码太多，想不出来；

2. 密码想的太简单了怕被盗（有时候平台要求各种数字、符号结合很难想啊…）

3. 复杂密码想出来了记不住（几十上百个平台真记不住…）

4. 随手记在备忘录或者其他地方回头也不方便查找……

而根据企鹅智库发布的《2018年中国网民个人隐私状况调查报告》显示，我们当下对于密码的使用还是存在非常大风险的，不少人都是一套密码走天下。

以“几个密码通用于大多数账号”的中国网民占比达到50.8%，对自己拥有的多个账户采取同一套密码的人占14.9%。（emmmm…我就是那个50.8%中的一员）

从国外报告来看，在严重信息泄露时，有60%左右的人选择只修改泄露平台的密码。的确如此，甚至有时候一个都没改…(反面案例别学我）

在设置密码的时候，只有29%的用户是考虑到安全的原因才去更换密码的。绝大多数人更换密码的原因简单明了――他们忘记了之前的密码。用户对密码安全性的重视度：银行账户等财务相关(69%)>网购(43%)>社交媒体(31%)>娱乐(20%)。（对对对，就是这样滴）

这些数据和这些困扰都反映了当下密码管理存在很大问题。那么究竟如何才能拥有一套完美的密码管理体系呢？

首先，第一步要做好密码分级。

比如将临时注册登录的网站和软件密码分为一类；娱乐不太涉及真实信息的平台密码分为一类；

常用的社交、邮箱等密码分为一类；最后将涉及财产安全的支付、银行卡秘密分为一类。根据不同类别构建属于自己的密码体系，按级别设置密码，这样就会方便管理多啦~

其次，这里给出三种方式教你设置完美密码：

1. 用谐音或相似符号设置密码。比如“我今天要吃吃吃”就直接设置为“wjt1777”。（这是个什么鬼密码？？？？）

2. 多用造句设置密码。热爱诗歌的朋友们嗨起来，“doWhile(1){LeavesFly();YangtzeRiverFlows();”，多么炫酷的密码（鬼都记不住），其实是“无边落木萧萧下，不尽长江滚滚来”。

3. 数字+符号+大小写混合，越复杂安全系数越高。

除了上面的解决思路，我们充满智慧的广大网友也给出了不少参考思路，贡献出一系列神级密码！

比如“来一瓶82年拉斐”。

还有对联呢。

不仅对联随便来，吟诗作赋也不在话下。

实在不行。。。。

我们就来句绕口令吧，内心默读的时候可别嘴瓢了。

或者，脑洞来凑也是棒棒哒。

从上我们就能了解到，这密码实在是太重要了，不光保护资产，有时候还可以激发无限潜能。不仅如此，有时候密码还能逆天改命，带你走向人生巅峰。

国外网友Momo所在的公司对于员工有密码管理的要求，每30天需要修改一次密码，并且至少使用一个大写字母、一个小写字母、一个符号和一个数字。

小哥Momo沉浸在离婚的悲痛中，又赶上迟到，一肚子委屈都快溢出来了。正在这时，电脑突然出现“请修改密码”的提示，小哥此刻灵魂突然升华，在这至暗时刻，他决定改变自己的生活，就从密码开始吧。

于是他开始修改第一个有意义的密码――Forgive@her （原谅她），背后的含义是“ 致甩了我的前妻”。神奇的事情发生了，每一天输入这个密码，强大的心理暗示起作用了。有一天小哥突然发现自己终于可以接受婚姻结束时发生的事情了。

就这样，他开始了将目标期望变成密码字符。

Quit@smoking4ever （永远不再抽烟）← 真的管用了。

Save4trip@thailand （攒钱去泰国玩）← 也管用。

Eat2times@day （每天只吃两顿）← 没用，我还是个胖子。

Sleep@before12（12点之前睡觉）←有用。

Ask@her4date （约她出来）← 有用，我又坠入了爱河。

No@drinking2months （两个月不喝酒）← 有用，真爽！

MovE@togeth3r（和女友住一起） ←有用。

Get@c4t! （养只猫）←有用，我们养了只漂亮的猫咪。

Facetime2mom@sunday（周日和妈妈视频通话） ←有用，我每周都和妈妈通话

Save4@ring（攒钱买戒指）←是滴，没多久我的人生又要开始改变了。

就这样每一次更换密码都变成了Momox心愿达成的时刻，最终不仅甩去了阴霾，还有了新的伴侣，生活一帆风顺，人生都走上了巅峰！（这是不是比转锦鲤还有用！）

小哥这么厉害。。。你说我现在去修改我的那些脑残密码还来得及吗？

1. 有哪些高大上的密码？――知乎

3. 《How a Password Changed My Life》――Momo Estrella Momo Estrella

Continuing with our series on the Hack the Box (HTB) machines, this article contains the walkthrough of another HTB machine. This one is named “Bank.”

HTB is an excellent platform that hosts machines belonging to multiple OSes. It also hosts some other challenges as well. Individuals have to solve the puzzle (simple enumeration and pentest) in order to log into the platform so you can download the VPN pack to connect to the machines hosted on the HTB platform.

Note: Only writeups of retired HTB machines are allowed. The machine in this article, known as “Bank,” is retired.

Let’s start with this machine.

1. Download the VPN pack for the individual user and use the guidelines to log into the HTB VPN.

2. The Bank machine IP is 10.10.10.29.

3. We will adopt the same methodology of performing penetration testing. Let’s start with enumeration in order to gain as much information for the machine as possible.

4. Below is the output of the nmap scan. As we can see, there are lot of ports opened on this machine, including port 22, 80 and 53. Note that DNS is listening on TCP port 53, so Zone transfer is also possible.

<<nmap -sC -sV -oA nmap 10.10.10.29 >>

5. We’ll start with port 80 enumeration. However, it just points to a standard apache page installation. It looks like that for further enumeration on port 80, it needs a hostname. At this point, the hostname had to be guessed for this machine; this turns out to be bank.htb. This follows the standard convention of HTB machines of the format <machinename>.htb.

6. In order to resolve it, let’s add the entry in /etc/hosts. The screenshot below depicts the same thing.

7. And it can be seen now. The login page is presented now if port 80 is browsed again.

8. We tried several things on this login for an early and easy win, but to no avail. So that means we’re going back to enumeration. We can launch dirbuster to find out if more directories exist by following these steps:

9. After this, observe the output of dirbuster. An interesting point to note is that for the page support.php, we have a 302 redirect, but the size is too big.

10. Let’s try to see if we can analyze the support.php page contents before the redirection happens.

11. Start up Burp and enable the server intercept response as shown below.

12. Let’s browse to the login.php page again. Now that we can control the redirection, we can see that the support.php page has a complete html page served before any redirection happens.

13. Redirecting the same request to Burp’s responder, we can see the complete request and response for the support.php page.

14. Opening the loaded html for support.php in the browser presents the page below.

15. To load this in Firefox, we can install the NoRedirect plugin and add the URL hxxp://bank.htb/login.php so that no automatic redirects happen under this URL.

16. Now if we browse to the login page, we can see the support.php page, which gives us the ability to upload files.

17. Before we start exploiting the upload feature, looking into the source code of the page reveals an important configuration, which states that .htb files will be executed as php. This means that we have to upload php files in a .htb wrapper.

Ethical Hacking Boot Camp ― 93% Exam Pass Rate

18. Following the analysis as described above, we will try to upload the php shell as an .htb file in support.php page. But before we do that, let’s edit the file to point back to the attacking machine IP and port.

19. After making the required changes to php backdoor , the file is saved as shell.htb and uploaded as shown below.

20. Before we browse the uploaded file, let’s start a netcat listener on port 1234.

<<nc -nlvp 1234>>

21. Browsing the uploaded file spawns back the shell, as shown below.

22. The shell is spawned back as www-data, but we are allowed to visit the directory of user “chris,” as shown below. The commands below were used to grab user.txt file.

<< cd chris>

<< ls >>

23. To perform privilege escalation, one of the first things I always check is to find out which binaries which have SUID bit set.

<< find / perm -u=s -type f 2>/dev/null >>

24. We can see that there is binary under /var/htb/bin/emergency, which is a SUID bit. Browsing to directory and looking into file type and executing it, we can see that the file is 32-bit ELF executable. Upon executing, we are root.

<< cd /var/htb/bin >>

<< ls -l >>

<< file emergency >>

<< ./emergency >>

25. Since we are root now, we’re browsing to get the root.txt file.

<< cd /root >>

<< ls >>

So this was another machine from the HTB platform. One interesting thing to learn from this machine was how to analyze 302 redirects. Privilege escalation was straightforward.

We will continue this series with more walkthroughs of such machines.

The antagonistic approach of a Red Team makes things challenging to an organization’s system, policies, anticipations and adaptations. These days, organizations want the Red Teams to challenge the physical security in addition to the digital security.

The term originally came from the military. In that context, the purpose of a Red Team was to organize a team of skilled professionals to break in or attack the security setup in order to test the security measures in place.

Speaking in terms of information technology, a Red Team comprises of a group of skilled professionals. The organization wants this team to act like real hackers and intruders. This means that the Red Team divides the operation into smaller projects and uses different techniques, replaces one plan to another if needed and even rejects a plan altogether in a given situation.

Before we dig in deeper, it is important to clarify the difference between a Red Team assessment and conventional penetration testing.

A Red Team assessment is not a component of penetration testing. Even though they may feature similar components at times, they are two different things.

Penetration testing involves the evaluation of configuration and vulnerabilities. It exploits existing vulnerabilities to measure the level of risk

This means that penetration testing is about evaluating the expected or the existing rather than trying to see what else could cause issues. During penetration testing on an organizational level, general objectives revolve around gaining access to:

The Red Team assessment is well-targeted and goes beyond the identification of vulnerabilities. The Red Team tries to challenge the organization’s ability to

The main objective of a Red Team assessment is to minimize the risk of cognitive errors. In an organization, being incisive and objective is highly important for critical thinking. The planning can go wrong if there is a lack of objectivity at any level the planning phase.

For an organization, Red Teaming has become a popular practice to ensure foolproof security.

A Red Team tries to challenge an organization’s:

The organization’s confidential and sensitive information is the prime target and the Red Team tries to access it invisibly by using any method whatsoever. It is a long procedure and requires as much as a month, whereas penetration testing requires less than a couple of weeks.

Red Team Assessment is not for every organization. You first need to consider the maturity level of the information security posture. Penetration testing suffices in most of the cases.

The Red Team Assessment is generally meant for:

Let’s think of a scenario where your organization wants your Red Team to break in its internal network and take away a confidential document.

So the Red Team assessment planning begins with thinking of the possible ways to silently access the organization’s internal network. To keep things simple, there are a couple of possible ways

These days, most Red Teams require to work on both.

Experts call this phase the Initial Recon and it requires utmost precision, because the whole operation depends on the accurate collection of necessary information.

A search engine aggregator is a good tool to facilitate the Open Source Intelligence (OSINT). The websites, press releases and domains of the organization often reveal important information about the employees and the executives. This information is crucial for social engineering.

Then comes the Digital Recon, which involves the quest for the company’s security devices, domains and IP address. Most of the big organizations tend to have static IP addresses. They help in identifying the servers. The Digital Recon phase also requires information about open ports, database software along with the version, operating systems and the services facilitating the file transfer.

Physical Recon is also important these days because it has become harder to reveal all the required information by just focusing on the Digital Recon. Marlon Brando’s The Score (2001) is a must-see movie if you want to know how exactly physical recon works. Remember, invisibility is the key!

During Physical Recon, never forget to carry a Wi-Fi antenna booster and wireless signal scanner to sneak in if you have the chance to access a router. It may take a team of two or three intruders to efficiently record each and everything within the premises. Locking technology, employee timing, checkpoints and security features ― you need to precisely record each and everything.

This stage begins with sorting the recon data. It is important to reject the useless information, which mainly comes from OSINT.

First, you need to target the individuals: email addresses of the employees and the executives, their social media accounts and so on. You need to determine the relevance of each of these individuals to know which information is useful.

Secondly, focus on the technologies prevailing in the organization. Get to know the infrastructure of the organization and how it works with the networks. DBMS, CRM and other front-end and back-end technologies are important. These are the things which give you an idea of what you can do to use the possible loopholes.

Remember, each and every feature of the organization’s IT infrastructure is going to tell you something. You can’t proceed with guesswork. You can only finalize your line of action if you know the operating systems, file-sharing servers, and software and applications.

Ethical Hacking Boot Camp ― 93% Exam Pass Rate

Once your Red Team finalizes the plan, you need to go through a trial run. If something goes wrong, you have the chance to make the necessary changes. If you try to jump on your target straight away, the slightest of mistakes can ruin the whole effort.

Don’t focus on one or two weak links. A Red Team assessment is all about contingency plans, so you need to have plan B and plan C in your mind.

The execution phase is not only important for the Red Team but is also highly significant for the organization. The results are going to change the thinking of the executives and decision-makers. Everything must work according to the plan. You don’t control the organizational setup, so you can’t be certain when something unexpected will occur. This is why you need to test plan B and plan C during the Dry Run.

Controlling your nerves is crucial because often it happens that if any member of the Red Team fails to get someone to perform an action for some reason, he/she tends to feel adrenaline rush. You need to train yourself for such a situation. Keep calm, because panic is going to trigger the alarm. For instance, if you fail to access the laptop of a targeted employee, there is no point in blaming him/her for not opening the patched file. Jump to plan B rather than thinking why plan A didn’t work.

The Red Team assessment is far effective than the penetration test, but it doesn’t mean that every organization needs outsource or build a Red Team. It depends on the organization’s security requirements. If penetration testing is continuously generating the desired results, then there is no need to push things further. But if your organization is of a type mentioned under “Organizations That Need Red Team Assessment,” you need to take things seriously.

It is that time of year where security professionals the world over end up talking with friends and family about security. It will be inevitable, almost as inevitable as someone wearing a stupid Christmas sweater they are a little too proud of.

The standard advice we've been giving for years is pretty simple:

Anyone that has done technical support for anyone that isn't as familiar with IT knows well that as soon as you complicate something, you end up getting twice the calls, even for things that are not your fault; "Well, since you setup that password thing my printer won't print" ...

It is fantastic advice, it is where we should all strive to be, we should all have password managers and should never re-use passwords.

However let's change one single password. Start small.

There is likely to be a single account that is the root of trust for all other accounts. An email address, either at an ISP somewhere (and maybe this is the year you get them to switch from that old Earthlink email address?) or more likely a free email provider.

That's the account we want to target.

If we can secure the root of trust, the email address that can be used for password reset emails and for phishing we've already won a large battle. Individual accounts may still be "vulnerable", but now we've closed one giant hole.

After all, we all learn to walk before we learn how to run. This small step can set the tone for even more and better security later.

Should we go further? Absolutely, identify the primary accounts that are high risk, as an example:

Facebook Login/Twitter is used across many different websites, Apple's iCloud allows remote wipe of devices, and Microsoft Account is used for access to local machines and likely to OneDrive and other online accounts storing personal documents and files.

There are many more that I am missing, those can be next, but even the above tend to roll back up to a single email address.

There is nothing new under the sun, and password re-use is well known and ridiculed, even Randall Munroe of XKCD fame published a comic about password re-use a long time ago, however there is one comic that comes to mind to help create better passwords:

correct horse battery staple

Pick four random words from the English language, create a funny sentence and you are off to the races. Don't use correct horse battery staple as a password, it's a terrible password now, but the idea behind generating such a password is fantastic.

Just changing one password can increase someones security posture just a little bit, and who knows, next year you'll have received less spam email that can be traced back to their address book being siphoned off and then abused.

For bonus points, have them sign up for ';--have i been pwned? , now each time a new service is breached your friends or relatives will get a little bit of notice, and can get an idea for why different passwords are a necessity these days, and maybe next year they will ask you to show them how to set up that password manager so they can be even more secure!

Happy Holidays, and good luck with your IT help desk duties this year, especially getting that printer driver installed, because lets be honest, we'll get blamed for the broken printer in two months whether we touched it or not.

The latest report from ESETThreat Radar Report indicates that the year 2019 will not stop showing the number of crypto jacking courses. Despite the downtrend in most altcoins, crypto jacking attacks are increasing with the hackers being set on more crypto jacking malware.

According to the Eset’s report, hackers are eyeing on smart devices and home assistants to build crypto mining farms. The report further declares that the cybersecurity in 2019 will likely to be more in numbers and will impact the businesses in the coming year.

Cryptomining continues to rise Despite the severe crash in 2018, experts believe the mining of cryptocurrency will increase in upcoming year which will be processed via ‘crypto jacking’. A security researcher David Harley of Eset senior says;

Up-gradation social engineering campaigns Crybercriminals are more likely to use ‘the automation and machine learning’. The usage of these advanced technologies will enable hackers to gather more data of users to frame out the best social engineering campaigns.

Data Privacy There was a number of cases on data privacy and privacy missteps found in the year 2018 including the case of Cambridge Analytica. Stephen Cobb, Eset senior security researchers, and Lusa Myers asserted that the most effective firm which manages data privacy at its best can stay in the business ecosystem in the year 2019.

Move to a global privacy law California, Brazil and Japan are more likely to follow the footstep of EU legislation for a ‘global privacy law’. It’s quite difficult to manage the customer’s data and ensure the privacy of sensitive information of the users globally. Moreover, it will take GDPR-style privacy a step forward.

Attackers set their sights on smart home devices Crypto attackers are taking the increasing number of smart devices which are connected to the internet as a way to enter for crypto attacks. Crypto adoption and such devices are paving the way for crypto mining farms in 2019. It is to be noted that the earlier this year, attackers have widely used IoT devices to get into the planning of attacks and thus the increasing apps and the connected devices will push them for cryptocurrency mining through the scam and hijack.

The post Crypto Hijackeing Shows No Signs of Slowing down Eset Report appeared first on Coingape .

我写了一个项目，项目的功能是抓取服务器上的http包，当有人通过http 访问我的服务器的时候，我的项目就把request请求显示出来。

此项目代码运行在我的服务器上。

运行一段时间后非常惊奇，发现我的一个小小网站会被黑客攻击。

黑客会扫描各种php程序。

下面是其中一张截图，就是扫描phpadmin的。非常恐怖。

屏幕快照 2018-12-25 下午5.09.59.png

大家也可以看我的后台在线数据： http://www.cpython.org:8080/html/

如果你经常观看，你就会发现，攻击的不仅仅是这写列表中的文件名，

还有很多其他方法，基本都是php的。有的会执行install.bak.php 什么的。

还有的执行sql注入。

另外：项目源代码是用golang 写的，

放在 github 上了。 https://github.com/asmcos/httpdump

主要利用了golang 的gopacket库。gopacket 其实是libpcap的封装。

屏幕快照 2018-12-25 下午5.47.27.png

With the holidays approaching, one of the most discussed questions at STATWORX was whether we’ll have a white Christmas or not. And what better way to get our hopes up, than by taking a look at the DWD Climate Data Center’s historic data on the snow depth on the past ten Christmas Eves?

But how to best visualize spatial data? Other than most data types, spatial data usually calls for a very particular visualization, namely data points overlaying a map. In this way, areal data is automatically contextualized by the geographic information intuitively conveyed by a map.

The basic functionality of ggplot2 dosen’t offer the possibility to do so, but there is a package akin to ggplot2 that allows to do so: ggmap . ggmap was written by David Kahle and Hadley Wickham and combines the building blocks of ggplot2 , the grammar of graphics as well as the static maps of Google Maps, OpenStreetMap, Stamen Maps or CloudMade Maps. And with all that, ggmap allows us to make really fancy visualizations:

Above-average snow depth on Christmas Eve (2008-2017)

The original functionalities of ggmap used to be somewhat more general, broad and “barrier-free”, but since those good old days aka 2013 some of the map suppliers changed the terms of use as well as mechanics of their APIs. At the moment, the service of Stamen Maps seems to be the most stable, while also being easily accessible e.g. without registering for an API that requires one to provide some payment information. Therefore, we’re going to focus on Stamen Maps.

Conveniently, ggmap employs the same theoretical framework and general syntax as ggplot2 . However, ggmap requires one additional step: Before we can start plotting, we have to download a map as backdrop for our visualization. This is done with get_stamenmap() , get_cloudmademap() , get_googlemap() or get_openstreetmap() or the more general get_map() . We’re going to use get_stamenmap() .

To determine the depicted map cutout, the left, bottom, right and top coordinates of a bounding box, have to be supplied to the argument bbox .

Conveniently, there is no need to know the exact latitudes and longitudes of each and every bounding box of interest. The function geocode_OSM() from the package tmaptools , returns whenever possible the coordinates of a search query consisting of an address, zip code and/or name of a city or country.

The zoom level can be set via the zoom argument and can range between 0 (least detailed) and 18 (most detailed, quick disclaimer: this can take a very long time). The zoom level determines the resolution of the image as well as the amount of displayed annotations.

Depending on whether we want to highlight roads, political or administrative boundaries or bodies of water and land different styles of maps excel. The maptype argument allows to choose from different ready-made styles: "terrain" , "terrain-background" , "terrain-labels" , "terrain-lines" , "toner" , "toner-2010" , "toner-2011" , "toner-background" , "toner-hybrid" , "toner-labels" , "toner-lines" , "toner-lite" or "watercolor" .

Some further, very handy arguments of get_stamenmap() are crop , force and color :

As implied by the name, color defines whether a map should be in black-and-white ( "bw" ) or when possible in color ( "color" ).

Under the hood get_stamenmap() downloads map tiles, which are joined to the complete map. If the map tiles should be cropped so as to only depict the specified bounding box, the crop argument can be set to TRUE .

Unless the force argument is set to TRUE , even when arguments changing the style of a map have been altered, once a map of a given location has been downloaded it will not be downloaded again.

When we’ve obtained the map of the right location and style, we can store the “map image” in an object or simply pass it along to ggmap() to plot it. The labels, ticks etc. of axes can be controlled as usual .

Example for maptype = terrain“ with zoom = 7 (left) vs. zoom = 5 (right).

We then can layer any ggplot2 geom we’d like on top of that map, with the only requirement being that the variables mapped to the axes are within the same numeric range as the latitudes and longitudes of the depicted map. We also can use many extension packages building on ggplot2 . For example, we can use the very handy package ggimage by Guangchuang Yu to make our plots extra festive:

近日，《纽约时报》刊登了一份据称是被黑客窃取来的欧盟外交电报摘录。很显然，这份数据报告是由某家网络安全公司专门“泄露”给记者同志们的。

《纽约时报》表示，这1100份外交电报是由一家名叫 Area1 的信息安全初创公司提供给他们的，而这家公司据说是由三名前美国国家安全局官员创立的。

NSA上一次被爆出与窃取国家机密相关的新闻是当时与NSA前系统管理承包商Edward Snowden的那件事情（NSA窃取全球互联网通信数据）。

据该报称，攻击者当时已网络钓鱼的方式成功黑掉了一名塞浦路斯外交官的设备，并获取到了他的用户凭证。拿到用户凭证之后，攻击者成功进入了存储欧盟外交信息和电报的底层数据库，最终将这些窃取来的欧盟外交电报以明文纯文本的形式公布在了网络上。

Area1的研究人员BlakeDarche在对此次攻击所采用的技术手段以及恶意代码进行了分析，并与之前已知的攻击进行了相似性对比，最终得出的结论是：此次攻击背后的始作俑者很可能是“天朝”政府。当然了，有很多国家级黑客组织也会通过使用其他黑客组织的技术来转移研究人员的注意力，这也是需要考量进去的。

目前，《纽约时报》已经在网上发布了一份经过数据筛查的PDF版泄露数据。从英国的角度来看，这批数据中似乎并没有包含多少令人非常感兴趣的内容，因为其中大部分都是外交会议的摘要，而这些摘要记录此前已经分发给各个欧盟成员国外交使团的欧洲对外行动处的工作人员了。

1.阿富汗目前的政治局势仍不稳定，并且毒品产量居高不下，这意味着美国、俄罗斯和欧盟均会认为这个地区有维和需要。

2.所有成员国均同意在朝鲜放弃核武器计划之前，应该继续对朝鲜实施制裁。

3.南海是中国领土的一部分这毋庸置疑，但多国认为天朝违反了国际条约，美国、英国和法国正在通过军事手段予以阻扰。

4.各个国家与政治集团之间的例行访问以及贸易谈判基本上仍在继续。

《纽约时报》还认为，目前很多国际谈判的细节内容在对外公布时仍然是模糊不清的，广大民众甚至对谈判细节一无所知，而此次事件背后的攻击者很可能是想让这些“秘密”公之于众。

为此，欧盟理事会专门发表了一份声明，并在声明中表示：“我们目前无法确认泄漏事件是否真实发生，因此我们对此事件暂时不予置评。”

《纽约时报》还援引了一条不明来源的消息：“美国曾多次警告过欧盟，他们的通信设备已经过时，并且很容易受到来自中国、俄罗斯、伊朗以及其他国家的黑客攻击。但是，欧盟方面一直对此不以为然。”

这下好了，尴尬了吧？

*参考来源： theregister ，FB小编Alpha_h4ck编译，转载请注明来自CodeSec.Net

Last week, the Scientific Working Group on Digital Evidence published a draft document -- " SWGDE Position on the Use of MD5 and SHA1 Hash Algorithms in Digital and Multimedia Forensics " -- where it accepts the use of MD5 and SHA-1 in digital forensics applications:

This is technically correct: the current state of cryptanalysis against MD5 and SHA-1 allows for collisions, but not for pre-images. Still, it's really bad form to accept these algorithms for any purpose. I'm sure the group is dealing with legacy applications, but I would like it to really push those application vendors to update their hash functions.

Tags:algorithms, identification , MD5 , SHA-1

When it comes to securing a public cloud infrastructure, many organizations are under the impression that the workloads they run are secured by their cloud services provider. This just isn’t so, and the lackadaisical attitude has resulted in a number of high-profile breaches, including the exposure of 1.8 million records pertaining to U.S. voters.

These events continue to occur despite the steady reminders from Amazon (and others) that public cloud, when it comes to security and regulatory compliance, is a shared responsibility model . As you can see, the reality is organizations have to keep their workloads in the cloud secure. Increasingly those workloads are software containers.

Right now software containers are hot as enterprises seem ways to workloads to easily move from one environment to another environment. The application container market is one of the most rapidly growing technology markets today. According to the Application Market Research Report the global application container market is expected to grow from its 2017 $890 million in to $4.4 billion by 2023. That’s a compound annual growth rate of roughly 31 percent.

While application containers promise to help developers to more effectively build and manage applications, more readily adopt microservices, and improve software environment portability ― they can also increase risk. This is especially true if not managed properly, as we covered in a number of posts including When it Comes to Container Security Enterprises Are Their Own Worst Enemy , The significant impact of containers on security , and the Five keys to consider when it comes to securing containers .

While traditional applications installed on servers require those dependencies to run, containers are software packages that include all of the application code and dependencies so that, unlike traditional servers, the application can easily move from one environment to another.

Of course, agility and portability aren’t free. Nothing comes without a tradeoff. And containers, just like with virtualization, make it all too simple for bad habits to slide in and containers that aren’t managed to security policy or kept up to date to spread throughout the environment. Soon, these poorly managed, or unmanaged, containers pose a significant risk.

Good container and cloud security should provide minimal impact, be as elastic as the cloud service, and be easily to integrate into the cloud and workflow.

Recently, there’s been movement to help rein in container risk.

At AWS:Invent, AWS announced its secure micro-virtual machine manager dubbed Firecracker . Firecracker promises to provide fast and secure microVMs in non-virtualized environments. Additionally, AWS announced AWS Marketplace, which enables AWS users to deploy AWS containers from the marketplace. AWS also announced a private marketplace that enables IT administrators to create their own organizational catalogue of containers from third-parties that are deemed safe for their staff to run.

The CIS(Center for Internet Security, Inc.) recently announced the availability of its Hardened Container Image on the Cmazon Web Services Marketplace for Containers. CIS Hardened Images are cloud-based images secured according to the proven configuration recommendations of the CIS Benchmarks. The CIS Benchmarks are recognized as global standards and best practices for securing IT systems and data against cyber threats. The CIS Hardened Container Image reflects baseline requirements in accordance with applicable CIS Benchmarks to optimize systems running containers. AWS customers can now use the Amazon Elastic Container Service (Amazon ECS) console and AWS Marketplace for Containers website to discover, produce, and deploy container solutions including the CIS Hardened Images.

Security recommendations that prep a host machine that will run containerized workloads. By securing the Docker host and implementing infrastructure security best practices, a foundation for securely executing containerized workloads.

Docker daemon configuration

Security recommendations to security the Docker server (daemon). This will help secure all instances running from the server by reviewing Docker related files and directory permissions.

Container Images and Build File

Base images and their build files are what guide how the container behaves, which is vital to a healthy container infrastructure.

Container Runtime

By securing the launch, risks of the container being infected are greatly mitigated. The guidance in this section of the document for verifying the veracity of the runtime environment.

Docker Security Operations

This section is a solid overview of current security best practices that should be extended to the container environment.

With the container now on now available on the marketplace, it’s easier to make certain that needs to deploy a container can grab a hardened container without much concern.

Snap employees perceive their chief executive Evan Spiegel as an aloof leader, thanks to the fact he takes private jets and wants full-time armed guard.

That's according to a Wall Street Journal dive into Spiegel's character as a leader, after its stock sank below $5 for the first time .

According to employees speaking to the newspaper, Spiegel flew on his own private jet during Snap's investor roadshow last year, while bankers handling its IPO flew on another plane. The 28-year-old CEO is also super hot on security, often accompanied by a heavy security team that clears out several floors before he arrives at other Snap offices. According to the report, Spiegel once requested armed guard thanks to a spate of violent incidents near Snap's headquarters, but executives pushed back over worries about having guns in the office.

Read more: A 'nonsense' valuation of $1 billion, a failed sale to Snap, and an investor fight: Inside Blippar's dramatic collapse

Spiegel, the report says, also sits on the top floor of Snap's Santa Monica headquarters with two assistants. Employees have reportedly nicknamed this the "ivory tower."

That distance appears to feed into an overall sense that Spiegel wields a huge amount of control at Snap. He controls almost 50% of the firm's voting shares and takes gut decisions, such as introducing Snapchat's disastrous redesign apparently without seeking input from his executive team.

Business Insider has contacted Snap for comment.

Part of Spiegel's privacy may stem from his celebrity status. Unlike most other Silicon Valley CEOs, Spiegel is married to an A-lister, the model Miranda Kerr.

The attitude appears to filter through into Snap. The company famously held secret gatherings at the advertising festival Cannes in a secret compound marked only by a subtle ghost logo on the gate.

Speaking to Business Insider in September , Snapchat's international chief Claire Valoti said the company had a "perception versus reality" problem.

"I can only speak to my own experience, but I haven't felt the secrecy," Valoti said at the time. "I have never felt so connected to my peers or the wider company, so I've never faced that challenge."

You can read the full Wall Street Journal report here .

本文主要介绍了供水行业采用自动化和信息化的原因、自动化和信息化的目前发展状态、管理相关的各类要素、补丁管理的流程以及未来发展趋势。

供水行业是一个笼统的说法，对于城镇供水完整的业务流程包含“产、供、销、服”四个方面。产，即供水厂对源水进行净化处理；供，即供水管网进行水的输送；销，即营销进行查表销售；服，即客户服务负责立户及售后服务中的各环节。其中承担净化处理任务的水厂目前供水运行方式及自动化和信息化的程度差异比较大，供水管网基本实现了地理空间数据管理和数据服务体系为主要结构的供水管网运行管理的信息系统；供水销售基本实现了与银行、邮政储蓄等多家金融机构及自来水各营销站点的实时连接，方便了用户缴费、查询，满足客户用水、交费等咨询服务。本文着重于水厂目前的自控系统信息安全现状。水厂区域内的控制系统结构图如图1所示

水行业与其他工业行业一样，随着改革开放的步伐，大量先进技术和设备涌入市场。给水企业对自动化系统的需求，已由自行立项研究、制造，转向商品化市场招标采购，系统的集成、建设和服务逐步由社会化的专业系统集成公司提供。在应用方面，已由科学实验转入了实用阶段，并且已从简单的一般应用，升华到优化运行和对企业效益的追求。

图1 控制系统结构图

因为水质是灵魂，为给广大群众提供安全优质的生活用水，保证出厂水质符合国家标准已成为供水企业的主要目标和责任；供水企业采用新的净水工艺，消毒技术如预氧化强化处理、强化混凝－沉淀膜处理技术等，及臭氧－氯、紫外－氯等联合消毒技术，和可靠的自动化控制技术，是提高和保障水质核心。

供水厂目前基本摆脱了技术上低水平重复建设的局面，不仅在净化工艺方面采用了国内外较先进和成熟的模式，选配了性能较好的设备，并且部分水厂实现了制水过程自动化控制，先进的在线检测仪器、仪 表也得到广泛使用。

采用计算机配合各类自控设备，在线仪表，实现了对沉淀、过滤、加药、消毒诸环节的自动或半自动控制，对水质保障、生产安全、水厂经济运行起到了至关重要的作用。再比如滤池冲洗过程中自动化系统的应用，起到了节约人力成本、精准冲洗控制、优化工艺运行、保障供水水质方面具有积极意义。但是全过程实施全自动化的水厂目前比较少。

自动化和信息化技术在供水行业得到普遍应用，并已普及到产供销服的各个生产、业务环节，但是总体发展水平、应用情况尚不均衡。供水行业不同于电力、石化等由行业管理，统一部署，供水行业基本为署地管理，由于各水司的运行方式、业务模式的差异导致了其在自动化和信息化的应用程度上的差异。

目前大部分的供水企业自控系统均采用了PLC、工业以太环网结构，中控室设大型屏幕墙监视设备，现场设闭路电视监视系统、门禁系统，部分水司采用现场无人值守运行模式。比如监视滤池的摄像头与自控系统联动，当某格滤池开始反冲洗时，自动切换到该格滤池对其反冲洗过程进行监视，采用了多功能电量仪表，通过总线方式将监控信号传送到中控室进行监视，如同亲临现场。

视供水厂规模，供水厂都配备多名自控系统的维护人员和运行管理人员，具体负责管理系统的日常维护工作和一般故障的及时排除，以保证系统的正常运行。维护人员掌握了自动化（计算机）专业知识和给排水专业及电气自动化专业的一般知识，能熟练使用计算机技术，熟悉所用系统的结构、性能，具备系统的维护、检修能力。同时维护人员一般都了解供水厂生产的工艺过程、各工艺环节的主要核心设备的运行规律、供水厂供水量、水压的变化规律、国家对水质、水压、电耗的要求与标准等，以保证本系统的正常运行。另外运行管理人员也是相关专业的技术人员，能够掌握和使用系统以达到了解和掌握供水厂生产运行状况的目的，人员数量可根据具体情况配备。

供水厂自控系统的运行管理大致可分为人员、设备管理及数据管理等多个方面。包括管理机构的设置，维护人员的配备及相应的工作条件，维护制度的建立和执行，系统运行、维护、检修等情况记录，备件的管理，数据的分析整理及挖掘使用等。

系统的设备维护一般采取两种方式：一是自身具备专业技术力量和维护能力；二是委托企业内部或社会力量进行维护。无论采用哪种维护方式，都根据网络拓扑图结合所配置的自动化系统、在线监测仪表及其它电子设备，如安全防护设备、变频调速设备、“综保”设备等，制定出各自相应的日常维护、检修制度，并按制度进行维护和检修。除日常维护外，每年应进行至少两次设备清扫工作。通常安排在每年的供水高峰前后进行，并与其它电气设备清扫维护工作同期进行。针对计算机等电子设备的定期维护工作的特殊性，除例行检查，更需要加强对软件系统的维护。如磁盘的整理、清除软件“垃圾”、病毒防护、信息资料备份等。

供水企业都建立了包括组织体系、事件分类、工作原则和响应机制等在内的数据监视系统信息安全突发事件等应急预案。

自控系统档案资料包括系统设计方案、系统操作说明书、系统测试报告、系统和应用软件等各类材料。自控系统生产运行资料包括日常维护、检修记录、年度清扫、点检记录、故障事件及处理记录、系统软件升级、应用软件修改记录和硬件系统更新等，以及生产分析和自动监测各类数据等。

为保证自动化控制系统的正常运行，储备一定数量的备品备件。应视备品备件获得的难易程度，储备可满足日常维修的备品备件数量即可。

软件的备份主要是系统软件、应用软件和存储的各种监测数据。采用移动硬盘、磁带机等方式进行备份并异地存放。

系统故障还可分为硬件和软件两类。硬件故障按级别分为系统崩溃、局部某设备无法工作和不影响大系统和局部模块的正常运行且可恢复的；软件故障分为功能错误、系统错误、过程错误、数据错误等。对于系统故障的发现和处理也有相应的规程以指导运维人员进行正确的操作。

供水厂自动化控制系统所收集的数据有几百种，长年累月完整地积累下来是一个巨大的信息资源宝库，尤其是各类水质参数。如果管理不慎造成丢失或损坏，必是企业的巨大损失，因此管理好这些信息是供水厂自控系统的重要工作内容之一，而应用好这些信息则成为相应管理人员的重要工作内容。因此供水厂里面有完善的自控系统数据管理的各类制度和检查措施，对于自控系统的数据主要应用也做了详细的分类和规定，如运行人员了解和掌握厂区内所有系统和关键设备的运行工况，随时根据需要对运行参数进行调整，保证生产出符合国家卫生标准的自来水；供水企业可利用供水厂自控系统存储的历史数据，如各种出厂水的历史参数，结合管网压力监测的历史数据，分析管网的历史运行状况，为管网改造和供水设施的新建、改建或扩建决策，提供科学依据。

运行维护和日常巡检都做了明确的规定，制度完善、执行明晰，这些都有力地保证了仪器仪表以及执行机构的正常工作。

近年来，供水厂在新建或升级的过程中充分考虑了自控系统的安全性，尤其是老供水厂的升级改造。基本上按照收集信息、规划与实施、补丁测试、补丁部署等程序来进行。

信息收集主要是确定自控系统的组件和设备，包括所有可更新型设备类型，例如：服务器、工作站、交换机、路由器、防火墙、可编程逻辑控制器（PLC）等以及所有可能会被修补或更新后设备代替的不可更新型设备等。

规划与实施包括了最初的详细项目规划，以建立自控系统的补丁管理程序。开发可向上级领导提交的业务案例，以确保足够的资金、资源和支持。在整个供水厂中明确定义和沟通所有权、责任、角色和责任来执行补丁管理是项目成功的关键。另外的步骤可以包括关于测试环境的实施准则、补丁自动部署和安装基础设施以及备份/恢复基础设施。

补丁测试与部署包括了补丁的适用性，这可以通过三个问题来确定。（1）控制系统产品供应商是否有资格批准安装补丁；（2）可用的补丁是否适用于当前正在使用的设备或应用程序；（3）与安全性相关的更新是否减轻漏洞。如果上述所有问题的答案都是“是”，那么补丁或更新被认为是适用的，部署补丁包括了通知、准备、计划、安装、验证和培训等环节以保障项目安全实施。

随着两化融合的深入以及智能制造的发展，供水行业会更加充分地利用自动化技术和信息技术，可靠地实现对生产过程的监控和维护，逐步向净水处理和供水配送过程优化的方向过渡，基本实现自控系统和信息系统的全面整合，为行业“优化水质，保障供水，节约成本，提升服务”的中心任务提供有效的技术手段，力求创造更好的经济和社会效益。

王玉敏，女，教授级高工，现就职于机械工业仪器仪表综合技术经济研究所，北京邮电大学研究生毕业，从2006年开始主要研究方向为工业控制系统信息安全，是IEC/TC65/WG10（网络和系统安全）工作组成员、ISA99工作组成员等，主持制定了GB/T30976-2014工业控制网络信息安全等国家标准。

张晨艳

摘自《自动化博览》2018工业控制系统信息安全专刊（第五辑）

声明：本文来自工业安全产业联盟，版权归作者所有。文章内容仅代表作者独立观点，不代表安全内参立场，转载目的在于传递更多信息。如需转载，请联系原作者获取授权。

According to Nessus 8.1.0 release notes, Tenable finally solved the problem with Mixed Plugin groups. At least partially. I will briefly describe the problem. Let’s say we found out that some Nessus plugins crash our target systems. This happens rarely, but it happens. So, we decided to disable these plugins in the scan policy:

Ok, problem is solved. But here is the question: what will happen with the new NASL plugins that will be added by Tenable in the same group, for example Misc. ?

The answer is quite sad: Nessus doesn’t know if they should enabled of disabled, so they will be disabled in the scan policy by default. And this can lead to some False-Negatives. For example, on this screenshot you can see a fresh plugin “Xen Project Guest p2m Page Removal Error Handling DoS (XSA-277)” Published: December 13, 2018 was automatically disabled.

Previously, it was necessary to monitor this situation and add these plugins to Enabled manually or via API. But now with a new Dynamic Scan Policy template, this might be changed.

A new universal template looks like this:

And it’s pretty much like the Advanced Policy Template, but there is no Compliance section (I don’t know why) and the Plugins (Dynamic Plugins) tab looks differently:

In fact, these are the same filters that we can use in the scan results. We can combine them by AND or OR:

We can use any properties of the plugin:

And set the conditions:

Thus, we can exclude the following plugins from the scan policy:

As a nice bonus, we can also choose some interesting groups of plugins, for example, only the plugins with a link to Metasploit and preview these plugins in each plugin group:

It seems to me that there may potentially be problems with some linked plugins, but I hope Tenable already thought about it.

A pretty convenient feature, but there are some drawbacks:

蔓灵花（T-APT-17、BITTER）APT组织是一个长期针对中国、巴基斯坦等国家进行攻击活动的APT组织，该APT组织为目前活跃的针对境内目标进行攻击的境外APT组织之一。该组织主要针对政府、军工业、电力、核等单位进行攻击，窃取敏感资料，具有强烈的政治背景。该组织最早在2016由美国安全公司Forcepoint进行了披露，并且命名为“BITTER”，同年国内友商360也跟进发布了分析报告，命名为“蔓灵花”，鉴于对“谁先发现谁命名”的原则，我们继续沿用友商们对该组织的命名。

该组织的名称的命名由来为，该组织的特马数据包头部以“BITTER”作为标识，因此命名为“BITTER”。但是值得注意的是，自从该活动被曝光后，该组织就修改了数据包结构，不再以“BITTER”作为数据包的标识，改为五字节的随机字符进行代替。

腾讯御见威胁中心在今年五月份捕捉到了疑似该组织对我国境内敏感单位的攻击活动，但是由于当时无法下载到具体的攻击模块，因此无法进行进一步的关联和分析。而在十月底，腾讯御见威胁情报中心再次捕捉到了疑似该组织对我国的军工业、核能、政府等重点单位的攻击，并且获取到了完整的攻击武器库，经过进一步的关联分析，我们确认该攻击组织就是2016年曝光的蔓灵花。而有趣的是，我们进一步分析溯源发现，该组织跟“白象”（摩诃草、HangOver、Patchwork）也有千丝万缕的关系。

该组织主要采用鱼叉钓鱼的方式，对相关目标单位的个人直接发送嵌入了攻击诱饵的钓鱼邮件。此外，为了提高成功率，也会先对目标发送安全提示相关的钓鱼邮件，诱使被钓鱼用户修改邮件账户密码，从而获取用户的邮箱密码，而后再用被控制的邮箱继续对企业内的其他人进行嵌入攻击诱饵的钓鱼邮件。

最近的几次攻击捕捉到的诱饵文件均为rar压缩包，而压缩包里为一个伪装为word图标的自解压文件。如图：

运行后，除了会执行恶意文件外，还会打开一个doc文档，用于迷惑用户，让用户以为打开的文件就是一个doc文档。诱饵文档内容极尽诱惑力，如下：

诱饵1：

诱饵2：

诱饵3：

诱饵4：

诱饵5：

可以看到，诱饵文件名和诱饵内容完全不同，针对不同的攻击对象，完全定制化。

1）Dropper文件为winrar自解压文件，使用英文版winrar打包压缩，运行后将文件释放到c:\intel\logs目录，并打开欺骗文档和木马文件，我们捕获的最新的针对不同目标进行攻击的4个诱饵文件释放出来的最终恶意文件都完全相同。

2）木马运行后首先解密配置信息，解密方式为每个字节+0xd，配置信息内容包含启动方式、C2、要检测的杀毒软件信息等。

downloader解密后的配置信息：

3）获取主机名、计算机名、操作系统名、机器guid信息格式化成字符串。

上报信息格式如下：

4）拼成HTTP GET请求头并发送到C2：

数据包内容如下：

6）将提取到的字符拼接到url后边，同时也拼接到木马所在目录后边，拼接出的url处下载文件到木马目录，随后将其重命名为.exe结尾的文件名，最后调用ShellExecute执行。完成下载功能。

成功下载功能模块的数据包格式如下：

1）模块一：

下载url： http://aroundtheworld123.net/healthne/healthne/regdl

功能：设置开机启动项

设置启动项模块解密后的配置信息：

2） 模块二：

下载： http://aroundtheworld123.net/healthne/healthne/igfxsrvk

功能：键盘记录

该模块通过设置键盘钩子记录用户按键信息，保存到%appdata%\syslog0812AXbcW1.tean中：

设置键盘钩子相关代码：

按键信息记录相关代码：

3）模块三：

下载： http://aroundtheworld123.net/healthne/healthne/spoolvs

功能：远程控制木马（RAT）

该模块是个远程控制模块，RAT模块解密后的配置信息：

通讯数据包加密算法如下，密钥为：m50e!sq&n67$t

RAT命令分发相关代码：

RAT功能如下表：

RAT数据包特征：

本次受害者主要为相关的军工企业、政府等人员。而从腾讯御见威胁情报中心对该次攻击的C&C监测的数据来看，该攻击在11月5日到达了一个高峰：

对本次攻击的武器库和攻击方式进行深入的分析和关联，我们确认为蔓灵花组织所为。

具体的关联分析如下：

关联一：TTPs关联性

本次攻击活动跟之前友商曝光的TTPs极其相似。如诱饵为伪装成word图标的自解压文件；木马的释放路径为c:\intel\logs；下载功能模块执行的方式，且模块包含RAT、Keylogger等功能。见参考文章1、2、3、4。

关联二：pdb的关联性

本次攻击活动中的pdb，跟参考文章3中的文件的pdb极其相似。发布该文章时，友商提到是疑似蔓灵花组织的攻击活动，本文给出实锤证据。

如参考文章3的downloader的pdb为：

而本次捕捉到的downloader的pdb为：

以及keylogger的pdb为：

可以看到，pdb路径是非常之类似。此外，从pdb中看该组织非常喜欢以事件的描述来作为目录的命名，这都跟之前的攻击活动中的高度相似，如：

关联三：代码的关联性

本次的RAT代码在无论是逻辑结构还是代码细节均有极大相似性，可以确定本次木马为该组织最新木马变种。参考文章1。

数据包加密算法完全相同：

命令分发代码逻辑结构相似：

RAT命令分发代码细节高度相似：

此外，本次下载到的功能模块keylogger，跟友商报告中提到的keylogger也几乎一致。虽然友商并未提供相关的文件hash，但是从报告中的流程图看，跟本次下载到的keylogger的几乎一致。见参考文章2。

综上所述，我们确认，该次攻击活动来自于APT组织蔓灵花。

有意思的是，继续关联和分析，我们发现，之前paloalto披露的另一个针对巴基斯坦等地的攻击活动中的MY24后门，实际上也是蔓灵花组织所为。见参考文章5。

相关关联证据如下：

关联一：代码关联

从参考文章5里提到MY24后门来看，跟本次我们捕捉到的RAT高度相似：

如蔓灵花样本：

跟参考文章中提到的：

共用一个基础设施zmwardrobe.com：

而捕捉到的利用Inp漏洞CVE-2017-12824针对巴基斯坦进行攻击的样本：SOP forRetrieval of Mobile Data Records.inp（863f2bfed6e8e1b8b4516e328c8ba41b）的下载地址为 http://khurram.com.pk/js/drv ，而该地址的关联样本正好为c3f5add704f2c540f3dd345f853e2d84，该样本确认为蔓灵花。此外，某诱饵（e152b5b7e9079f689ebaaa9b8fe2ed66）拉取蔓灵花的网络地址为 http://hartraders.com/wp-sig （拉取到的蔓灵花样本hash为68a1ca909e2fa34b5ffe42fa62312766），而该地址也跟文章中提到的地址结构高度相似：

而有意思的是，该文章提到，该后门跟confucius组织相关，而根据趋势的分析文章披露（见参考文章6、7），confucius又跟白象（Patchwork）疑似存在有一定的关联：

此外，我们也在腾讯御见威胁情报中心的样本库中进行挖掘，同样发现了白象和蔓灵花的一些相似的地方。我们以样本：Karachi violence hands of Indian intelligence agencies.exe（9dd90551b6299787ddb478e5a0ab9eab）为例进行分析。

该样本同样采用自解压的方式，且icon和释放路径和本次发现的蔓灵花类似：

而dropper释放的恶意文件为slidebar.exe（md5:734e552fe9ffd1ffdea3434c62dd2e4b，pdb：E:\Data\User\MFC-Projects\KeyLoggerWin32-spectram\Release\slidebar.pdb），是一个keylogger，而该样本正好是之前国外安全公司曝光过的白象的样本（见参考文章8）

针对释放的keylogger，我们进行相似性分析，关联到一个蔓灵花的keylogger：f099cd511e9d10d80105d96f29dd28b7，发现代码存在很大的相似性。

如字符串加密算法：

加密后的字符串为：

蔓灵花：

白象：

除此，无论是白象还是蔓灵花，从pdb的路径来看，作者一样都很喜欢在文件路径里描述一些东西。

而从诱饵内容来看，都疑似跟印度有一定的关联性：

蔓灵花：

该组织自从2016年被曝光后，也在不断的进行自我升级，无论是dropper、downloader还是具体的RAT均有变化。

dropper其实变化的不大，都采用winrar自解压包的方式。变化是从之前释放jpg变为了doc。当然严格来说，该变化不能称之为演变的过程，更多的是为了不同的攻击目标进行的定制化服务。

老版本：

新版本：

我们在腾讯御见威胁情报中心的样本库里挑选了数十个downloader进行分析，如下：

分析后发现，downloader主要有两个大版本，我们以pdb路径作为区分，分为downloader和new_downloader两个大版本。目前，这两个大版本依然都在持续不断的更新中。

以下，我们简单的介绍他们之间的关联及变种演进。

2）new_downloader：该下载器主要用于自解压类型诱饵的攻击，由dropper直接释放到指定目录，因此后期取消了将自身拷贝到指定目录的操作，而早期与downloader一样也是释放到%appdata%目录下，此外在自启动方面，早期通过HKCU RUN注册表实现，后期（如本次版本）则把设置开机启动单独列为一个模块由控制端下发。

3）两种版本的下载器也有很多相同或者相似之处：拷贝文件及修改注册表操作均通过cmd进程进行，且很有特点的是创建一个cmd.exe进程，通过管道写入命令执行，随后关闭cmd.exe进程。此方式在其他样本中较为少见。

两种版本的请求包比较：

RAT的变化相对downloader，变化稍小，且总体逻辑结构具有极大相似性，如线程分工、通讯协议、数据包结构等。但是在代码细节方面也可以看出明显的变种迭代特征：

（我们以2016年曝光的RAT记为V1、2017年paloalto曝光的MY24记为V2，而本次捕捉到的RAT记为V3）

1）RAT的通讯数据包加密算法，均为异或加密一段key，在V1中没有对密钥长度做限制，密钥被配置为8字节数据，而到V2时，已经被写死13位有效数据，而到本次的变种V3，又取消了13字节有效限制，但是本次木马配置的密钥长度依然为13位。

2）V3相比于V1和V2，最大的更新在于控制指令的更新，本次精简和改良了部分控制指令，总体支持的指令数量也由原来的17个减少至现在的12个，而从V1到V2的更新并没有对指令进行改动。

3） 汇总

根据公开的报告（见参考资料），以及我们对该组织的攻击活动的分析后，我们对该组织的情况有了一个初步的了解，我们整理如下。但是对于该组织具体的组织画像依然还是缺少一些关键的拼图，因此我们希望友商和安全社区的研究员，一起来完善该组织的拼图。

此外，除了针对中国境内的目标外，我们还发现了多起该组织针对巴基斯坦的攻击活动，截止发文前，我们刚刚又获得了一个该组织最新的攻击活动，而最终的RAT跟攻击我国的目标的RAT完全一致（hash都一致）：

诱饵 ：cocktail andthe dinner in last week of dec.doc（488f39e81fa6ab497062631595da2bb8）

payload 下载地址： http://fst.gov.pk/images/winsvc

payload：ctfmon.exe(7cc0b212d1b8ceb808c250495d83bae4)

RAT下载地址：

http://hewle.kielsoservice.net/Engset.php

http://hewle.kielsoservice.net/rankin.php

RAThash ： spoolvs.exe(fc516905e3237f1aa03a38a0dde84b52)

而有意思的是，该payload的下载地址放在了巴基斯坦的联邦服务法庭的官网上：

蔓灵花是近几年针对我国境内目标进行攻击活动的最活跃的APT组织之一，意在攻击军工、能源、政府等敏感目标而窃取资料。虽然，该组织被曝光多次，但是该组织完全没有收手的意图，反而不断的改进攻击武器库以进行更多的攻击。

这足以说明，随着中国国力的不断增强，一些境外组织会不断的对我国的敏感机构进行攻击，意图窃取情报和进行破坏活动，并且攻击会越来越猛烈。因此相关单位一定不能掉以轻心，且不断的提升人员的安全意识。

本次事件主要时间线：

2018年10月29日，发现该次攻击；

2018年11月5日，完成攻击报告初稿；

2018年12月21日，最终发布。

1.不要打开不明来源的邮件附件；

2.及时打系统补丁和重要软件的补丁；

3.使用杀毒软件防御可能的病毒木马攻击；

4.使用腾讯御界高级威胁检测系统。御界高级威胁检测系统，是基于腾讯反病毒实验室的安全能力、依托腾讯在云和端的海量数据，研发出的独特威胁情报和恶意检测模型系统。

c5de8edeaadc6495999bcb174a58592e

23a8ce358b16128f1ca291a284c0f6ef

3614f736035e1cf1792bf64f5864683b

13b283464f9401c653b81d9e6afe6fe4

62bb4224d8e8ec5c3495090b09b52e1c

7195c706fab11b258c769649c7e4cce0

a1bdb1889d960e424920e57366662a59

be171b4df9b7db48c67f31c678421bfd

fc516905e3237f1aa03a38a0dde84b52

efec7464f07633415cbc36a97b900587

f413ad5233cdf707fd1cddd53b858027

38ba17b9ae3a4a4733d716c2ecade70d

3c4bed8d649375050dba3a3a8df87d12

adb46f52791b5e3ba26256daf3936dc8

ecca8f4c7e14bbc1e3a06b9f8a41b53a

1c2a3aa370660b3ac2bf0f41c342373b

5b942290149f5666ddfb1e2dd81a03ea

e402c05ce9c46c0cf2f4e3db6f0ba4b5

68a1ca909e2fa34b5ffe42fa62312766

4cbfd989a44cf8f1a0025bbd07069d19

25689fc7581840e851c3140aa8c3ac8b

f9aeac76f92f8b2ddc253b3f53248c1d

c3f5add704f2c540f3dd345f853e2d84

8dda6f85f06b5952beaabbfea9e28cdd

25689fc7581840e851c3140aa8c3ac8b

c3f5add704f2c540f3dd345f853e2d84

525105d4f6904d567a98fac2eb25873e

84c96f8dd42d79679ce1e5dee643c58b

f099cd511e9d10d80105d96f29dd28b7

84c96f8dd42d79679ce1e5dee643c58b

863f2bfed6e8e1b8b4516e328c8ba41b

1960ac9d5b1192a9b2bfec15842cf3d1

aa2ed003ae8a2ccaa999aad38898d060

488f39e81fa6ab497062631595da2bb8

7cc0b212d1b8ceb808c250495d83bae4

6d175ac27b4554885b5c3d2ec9c6769

http://aroundtheworld123.net

http://nethostsupport.ddns.net

The CompTIA A+ is an entry-level PC computer service technician certification. This is often the first certification one earns in their IT career and can help land you a job that will be a springboard into the wide-open world of IT job positions. However, before one can use a job as a springboard, you first have to land that first job.

This article will detail what questions you can expect during an A+ job interview, with interview questions categorized according to their difficulty level: Entry-Level, Intermediate Level and Advanced Level. Job interviews can be stressful, but don’t worry use this article as a refresher before your interview and you will be in a good spot to ace the interview.

This first level of A+ interview questions covers the most basic, yet some of the most necessary, interview questions for related positions (since A+ is just a certification that can be applied to many different types of computer service technician jobs). It goes without saying that computer fundamentals are required for these positions, and this first level of questioning will be one of the most important measuring sticks for the apparent value that an interviewee will bring to their organization.

1. What Operating Systems Do You Have Experience Working With and How Long Have You Been Working With Them?

OK, so there it is: an icebreaker question that also serves as a basic gauging of a computer technician’s experience level. Organizations will want to know that you have a significant amount of experience working with the operating system used at the organization, but they also want someone well-rounded in their experience set. With that said, use this time to elaborate on your experiences and show your prowess around computers.

This may seem like a curveball, or possibly a red herring question given the job description, and you are right to think so. Positions relying on A+ as their certification benchmark for candidates will not likely require you to use much coding, or any at all, on the job. Organizations sometimes just like to ask a question that will establish a candidate’s familiarity (and possibly mastery) of quasi-related topics; for a “coding” question to come up on an interview like this would be a bit out of left field but should be totally expected at the same time.

You will definitely face some questions that may seem basic for A+ positions, but there is a reason for questions like this. They let the interviewers better see if you are at the competency level to excel at the position. Yes, a motherboard is a basic component to a PC and you should answer back that it is the main board of a PC. Throw in a bit about your specific experience level, such as “I am very confident around motherboards and have installed/changed out many in my previous position(s)”.

As in many other, if not all, positions in IT and information security, being a team player will be crucial to your success. This definitely extends to A+ computer technicians, as they can often be seen as the “front line” of the IT squad when interfacing with other employees within the organization that encounter computer issues.

Moreover, if you are using your A+ certification for a Tier 1 support position (such as with an MSP) being a team player is vital because you will be the first contact point for support within the organization. This does not mean you have to be the most outgoing person of the bunch, but you definitely have to be approachable, friendly and a good listener.

5. Let’s Assume That a Printer Is Printing Dirty Pages. What Would Be the Best Way to Test to See If the Issue Is Resolved?

As a CompTIA A+ certified technician, you will probably spend a good portion of your day solving issues related to printers and other peripheral devices for organization employees. When a problem such as this arises, you test to see if the issue is resolved by running several blank pages through the printer. If they come out dirty, then you will know that the issue has not been resolved and other means must be used to solve it. True, this is a bit of a softball question, but it uses the basic logic and reasoning required to be good at this position, so it should be in your roster of questions to expect.

One of the most important functions of an A+ certified computer technician is to communicate with end users to solve their day-to-day computer and other work-related technology issues. Common issues to expect may be replacing a computer mouse, fixing an office shared printer and, if you have administrator rights, even changing a user’s network ID password. All of these tasks should be expected of your position, so you should indeed be quite comfortable with this.

This question is related to the last one, and how you will answer it should just be an honest answer of whether you have been granted custodianship of an organization administrator password. As you most likely know, often A+-certified computer technicians will need access to this password in order to make changes to end user computers and/or user profiles. This position would actually be quite limited to only basic tasks without the use of an administrator password, so if you have practical work experience in this area you probably have used this password before.

Another way for interviewers to gauge your experience level is to ask about common tasks you were responsible performing in a previous job. When you are asked this question, the interviewers are not trying to find out the outlier tasks you have performed, such as the one time a previous manager asked you to image a drive. Give them a general idea of the tasks you were responsible for performing on a daily basis and you will be conveying the right information to make the right decision in hiring. Remember, although you may need a job, if you are not the right fit for the position you will not be the right fit for the organization.

9. Tell Me About a Time When You Had to Solve an Issue for an End User by Thinking on the Spot, and How Was it Resolved?

As important as your ability to communicate is your ability to think well on your feet, with as much creativity as the occasion calls for, when you are not sure how to resolve an issue. Problem-solving is paramount for an A+ certified computer technician and the interviewers know this. Bring up a time when your problem-solving skills saved the day, such as when you googled the issue and found an appropriate solution from a (hopefully reputable) source online.

While this question is not necessarily required for you to excel in this role, answering in the affirmative may help you better secure the job. If you have any other information-related certifications (which you may not, since the A+ is an entry-level certification), bring them up. Besides just information-related certifications, other professional certifications such as management can be applied to this role as well. For example, if you have a management-related certification, it may help you secure a future role of team lead or manager of other A+-certified computer technicians.

The next level of A+ certified computer technician interview questions is, drumroll please … Intermediate Level! This level of interview questions will be more difficult than the last, but not anything that even an inexperienced candidate could not swing.

This type of question is trying to see if you have internalized just how the CompTIA A+ certification will impact your desired position at the organization. Before the interview, take time to map out the skills that A+ certifies you are competent in. To do this, match up the different responsibilities and tasks to the skills covered by the A+ certification to show that you have done your homework on the position and ready to put A+ to real-world use.

When you are faced with this kind of question, the interviewers are trying to gauge how you will be as an evolving technician. Staying on top of current technologies is important because technological changes impact the workplace. As new technology emerges, the business world modifies its approach and adapts what they can use from what is new. Staying on top of these changes will make you a better technician.

As a technician, you had better have a good troubleshooting procedure established! This is the bread and butter of a lot of the responsibilities of an A+-certified computer technician, so they will be expected to have at least some plan established.

For example: When issues arise, you can say that you first ask the end user the following questions.

Then follow this up with your following steps, such as research, testing the solution and then ultimately resolution.

This is a common question in job interviews generally, and A+-certified computer technician jobs are no different. When you encounter this question, please note that interviewers are also trying to measure your pet peeves; if they are related to basic job functions, then the interviewer’s job is made easy because it shows the candidate is not a good match. For this answer, use something that is secondary to the position, such as filing paperwork, and then differentiate yourself from candidates that would be disqualified by this question.

Let’s be honest, everyone has “cheat sheets” that they go to when things get tough at work. CompTIA A+ computer technicians have (as you know) a vast wealth of knowledge at their fingertips with the Internet and I know that you personally have some favorite sites or forums that you visit for tips. Simply name a short list of some places that you go to, such as InfoSec Institute , SpiceWorks, EServiceInfo.com or Stack Overflow, and you will be golden.

It goes without saying that A+-certified computer technician positions can feel like stress-laden, thankless jobs. You are the first line of support for end users and these positions are often the ones that will be asked to work longer hours at times, and even some weekends. You will definitely want to convey not only your comfort level but also your approach. Make sure to indicate that you have a high ability to work well under pressure, that you have 5-star prioritization skills and that you are efficient when troubleshooting.

17. Let’s Say a Test Server We Use Needs Servicing. How Comfortable Would You Be Working on It?

Servicing servers is sometimes required by A+-certified computer technicians. The one caveat here is that some technicians are a bit wary when working on servers. Part of this may be caused by the importance of servers in organizations. You should be comfortable working on servers and should definitely convince the interviewer that you have the skills to at least diagnose the issue often times, new parts are needed, and many times organizations have service contracts that will send a technician from the manufacturer to service the device. However, if you are a true dynamo at this, then insist that you can handle all service and repairs of servers as long as you have the required parts/materials.

18. We Have a Production Server That Is Still Online But an Existing Issue Requires a Reboot to Resolve Itself. What Do You Do?

This is one of the best questions to measure the ability of a computer technician to think on their feet with appropriate focus on the business. If the server can still be accessed and used by users, then say that you will just wait to reboot when all the users go home at night because of the server’s importance to the organization. If the server cannot be used by users, then it does not matter when the reboot occurs and frankly, the sooner the better in this case. The key is that you can discern when it would be acceptable to reboot a heavily-used production server, given its importance to the organization’s daily business.

There are different CPU technologies in use today and they have different uses. Some examples include multicore, hyperthreading, overclocking and throttling. Make sure to convey that you are knowledgeable in this area and that you know when the different technologies are used.

Again, this question will gauge your experience and knowledgeability as an A+-certified computer technician. Although this information can easily be learned on the job, it is also covered by A+, so you should know this even if the interview is for your first job in IT. Different connector types include SATA, IDE/EIDE/PATA and SCSI.

We have finally reached the third and last level of A+-certified computer technician interview questions Advanced Level! As you can guess by now, this level is more difficult than the last. By my estimation, the most difficult questions will stem from actual practice of the skills covered by the CompTIA A+ certification. Buckle in and prepare for the last level of interview questions but do not worry, this is nothing that you can’t handle!

21. What Has Been the Most Difficult/Advanced Task You Have Had to Perform From a Computer Technician Perspective?

Simply put, organizations want to hire somebody who is knowledgeable, confident and can be trusted with even the most difficult technician situation if it pops up. To this end, think back on your experience and be truthful here no one wants to hire somebody who says they can do something that they cannot. Aim high, provide detail and the interviewer is going to be impressed.

While just examples were asked for, make sure to inject a bit of your knowledge about when they are used which is basically in the background and for various boot tasks for computers. Some examples include SYS, Registry Data Files, INI, NTLDR and others. Also make sure to include a little about what they do. For example, INI files allow you to choose boot options as well as which OS to use if more than one is installed.

What this question comes down to is essentially how you would deliver this installation. There are multiple methods available, such as installation from boot media such as a CD, alternative boot media including USB flash drives, imaging and network installation. As long as you provide examples here, you should have all your bases covered.

24. Most of Our Computers Are From Dell. Do You Know How You Would Install an Operating System on a Dell Computer With How They Currently Do It?

Different companies may use preferred methods to install operating systems and Dell is no exception here. Currently, Dell requires users to download a media creation file that will allow you to create media, such as a USB flash drive, that will be the installer for the operating system. This extends to upgrades as well, such as when you upgrade from windows 8 to Windows 10 on a Dell computer.

25. Do You Have Experience Working With Antivirus Systems? To What Extent Have You Managed AV Solutions?

Sometimes, as a computer technician, you will be responsible for managing AV for an organization. This generally happens when there is no information security department, or when they are too busy with other tasks and delegate it to the technicians. Regardless, you will probably be asked to perform at least some AV solution tasks. If you have, think of some situations where you had to install AV or respond to an AV issue and that you brought it to a favorable resolution.

26. If You Were Asked to Estimate How Long It Would Take You to Expand a PC’s RAM, How Quickly Could You Perform This Task?

Alert! Another quick-thinking, real-world-practice technician question emerges! This is one of the easier hardware/software tasks that a technician will have to perform, which essentially requires you to pop the PC case off and carefully insert a RAM stick into an available RAM slot. Make sure to include that unplugging the system will be vital to your safety and to not jeopardize the PC as well.

27. Let’s Say Our CEO Needs Support on Their Work Office PC. How Comfortable Would You Be Helping Them?

A+-certified computer technicians have to be comfortable helping everyone in the organization, not just lower-level end users that need their passwords changed. C-level executives are not always the most tech-savvy, and they often require support or assistance quickly because of their importance in the organization. Convey that you are very comfortable with helping the CEO and the interviewers will be satisfied.

This is one of the most difficult questions, because it will require you to think a few levels deep to where a system first processes memory. The answer is that memory is first counted from the system board before anywhere else.

BIOS is an important part of computing and can be thought of as the most primitive level to interface with a computer on. The acronym BIOS stands for Basic Input Output System, and it is where you can change boot order and perform other basic, yet vital, system tasks.

30. We Have an Older (and We Do Mean Older) PC That We Keep for Historical Purposes. What Is the Purpose of the 34-Pin Connection on Its I/O Card?

While these questions are for 2019 A+ computer technician position roles, once in a blue moon you may be asked to work on an old PC. The 34-pin connection on its I/O card connects to the floppy drive. Yes, this is a brutal trick question and possibly the hardest in the interview; you may see this question, though, so you should have it in your repertoire of answers.

The CompTIA A+ certification is a solid first certification for those entering the IT industry. After you earn the certification, perhaps get some experience (somehow) and start applying for your first technician jobs, use this article as a guide before your interview. Between reviewing these questions and your resume (for an experience refresher), you will perform well at the interview and will be on your way toward a bright career!

Deck the hall with sad employees, Fa, la, la, la, la, la, la, la, la!

‘Tis the season to be swindled, Fa, la, la, la, la, la, la, la, la!

I am not too proud to admit that I was a victim of Business Email Compromise by being duped into buying gift cards for my “CEO” for the holidays. As a professional in the security industry, it becomes even more difficult for me to come to terms that I actually fell for one of these social engineering attacks. You get inundated with phishing awareness training and think that you are smarter than the attackers but somehow… you recoil in horror when you realize that you, too, are ‘Dave’, the embodiment of human error:

You see: the dilemma is that I spent my whole career trying to encourage organizations to adopt products that protect them from users like ‘Dave’. Whether it is a multi-factor authentication (MFA) solution or a phishing simulation product, I have done countless customers calls trying to convince them that they cannot rely on their users to do the right thing.

We all think that we are above our natural human instincts: that we are somehow better, smarter, faster than the malicious actors who are trying to take advantage of our very visceral reactions.

People will continue to make mistakes: to click on links, to respond to fake CEO emails, to give out sensitive information, to download executables unsuspectingly. In a very lovable way, we are conditioned to trust others and that is where the problem lies:

BEC compromise works because it exploits our basic human instincts to follow authority. This is especially true during the holidays when people are in merrier spirits and are more willing to help out customers, fellow employees, and especially authority figures. While the typical BEC compromise usually targets someone in HR/Finance as they have the sensitive financial information, attackers have gotten more sophisticated and found creative ways to target and groom other personnel in an organization: like me . BEC gift card scams work like a traditional BEC scam:

But instead of a wire transfer or a document containing sensitive financial information, scammers will request the unwitting victim to send over images of the back side (with the pin exposed) of a gift card to the person of authority. The scammers will then cash out the gift card before the unsuspecting victim has any idea what just happened.

Here are some tips from the FBI on how to protect your employees against BEC gift card scams during the holidays:

Look at the email header of the sender. Keep an eye out for email addresses that look similar to, but not the same as the ones used by your work supervisors or peers (abc_company.com vs. abc-company.com).

Be wary of requests to buy multiple gift cards, even if the request seems ordinary.

Watch out for grammatical errors or odd phrasing.

Notice language that tries to pressure you to purchase the cards quickly.

Finally, be wary if the sender asks you to send the gift card number and PIN back to him.

Don’t rely on email alone. Talk to your CEO directly.

Human error will never go away and will always be the weakest link in information security. While the FBI gives good advice to the end user on how to deal with a potential BEC gift card scam, we cannot simply rely on the end users to protect against BEC attacks. There needs to be a more automated solution, based on modern technology, that can circumvent human error.

In general, my philosophy towards information security is to take an approach that reduces the amount of human decision-making. We need to stop relying on the end user (or even the administrator) to do the right thing. With advances in machine learning and other tools that can help protect against risky activities, organizations should always leverage security products that remove burden and decision making. Tools that allow auto-remediation or active enforcement should always be prioritized over products that could introduce more human error.

For example, machine learning and analytics have made it completely easy to detect anomalous behavior. When an intelligent solution is deployed into an organization’s network, it can start tracking the behavior of the users and accounts and see what normal behavior looks like. Based on that risk profile that is created, they can tell what behavior is normal and what isn’t. It would have to take an email security solution with visibility and real-time remediation capabilities to stop this particular BEC compromise from happening as referenced in this blog .

The steps as outlined by Proofpoint are applicable to every security product. Most notably, customers need to take into account three critical steps in protecting against malicious actors:

Getting Visibility: In order to understand what is going on in your organization, you must first start out with visibility of all threats you may face. This requires you to gain insights into all users, accounts, and access activities within your network and continuously monitor which accounts may have the potential to be compromised. Reducing risk is the easiest way to reduce the attack surface and prevent compromised credentials. Find a solution that lets you see all identities across your organizations so that you can have a single source of truth.

Detecting Threats: Getting visibility is not enough if you do not have the context to be able to detect suspicious activities or risky behavior. Gaining deeper context with network traffic, and data sources (such as VPN gateways or SSO) allows for more robust behavioral analytics and risk scoring. With an intelligent view of user and account activity in your network and cloud applications, you can not only spot risky users but also protect against the use of reconnaissance and attacks tools such as MimiKatz, Powershell, PsExec, and Bloodhound. Real-time threat detection helps reduce false positives, identifies specific attack tools, and enhances the investigative and threat hunting process.

什么是单向加密算法。简而言之就是不可解密的加密方法，也叫作非可逆加密， 用这种方法加密过的东西，地球上现有的人类在有限的时间内是无法解密的，包括加密者自己。

主要有：BASE64、MD5、SHA、HMAC，其中最为常见的就有MD5，BASE64。这里我们主要介绍最常使用的MD5算法。该算法可以用来得到一个128bit的值，既可以作为K-V中的key，也可以对密码进行加密从而确保其在传输中"不可见"。

函数原型：

返回数据data的MD5校验和。

初始化一个MD5对象.Sum 函数是对hash.Hash对象内部存储的内容进行校验和计算然后将其追加到data的后面形成一个新的byte切片。因此通常的使用方法就是将data置为nil。

该方法返回一个Size大小的byte数组，对于MD5来说就是一个128bit的16字节byte数组。

Looking forward to 2019

Computer Business Review wishes all of our loyal readers a wonderful Christmas.

We will be back, bringing you the news, interviews and insight that count in 2019.

It has been a intriguing year, punctuated by myriad large-scaledata breaches, tough new regulations likeGDPRandNIS, andmajor acquisitions.

The technology we cover is evolving at a breath-taking pace and the capabilities it brings enterprises is ever more crucial to commercial success.

What is around the corner in 2019?

We see it as a year in which AI and machine learning will be trulydemocratised; Open Source’smidlife crisis will reach a zenith; lessons about Critical National Infrastructure security may be learned the hard way; and one of industry consolidation insemiconductors,DevOps andinformation security (expect some big deals).

We also see it as a year in which the power of technology to drivesocial andenvironmental as well as commercial transformation becomes more of a talking point: expect to read more about big data analytics in public policy making, a powerful environmental Internet-of-Things as sensors get ever cheaper and smaller and some breakthroughs in drug development, powered by Artificial Intelligence.

Looking back, we have enjoyed some fantastic interviews and events: our engagements with theCEOs of Mitel andDatabricks,Founder of Mulesoft, andAWS’s blockbusterRe:Invent all stand out. Thank you to all our industry readers for your interest and invitations; keep them coming!

We’vebroken scores of stories, kept you abreast ofmajor UK tenders and covered everything from autonomous troop carriers to emergingcoding languages;subterranean sensors tocloud migrations and UK intelligence’s new foundlove of transparency. Expect more robust reporting in 2019.

The broader macroeconomic and geopolitical backdrop shows every sign of being volatile in 2019.Enterprises wanting to sustain a competitive edge in a challenging climate will increasingly be looking to automate, streamline and personalise products.

Team Computer Business Review will keep you top of all the tools and techniques you need to stand out. We’ll be bringing you investigations, more interviews with industry leaders, including the B2B tech world’s emerging rock star C-suite; insight and analysis from peers; fast-paced reporting on industry earnings and much more.

Meanwhile, the mulled wine is brewing…

Wishing you Merry Christmas and a Happy New Year.

Ed Targett (Editor).

There are few areas in IT that receive more scrutiny than information security. Barely a week goes by without news of a major data breach. These incidents are often followed by reports of the ever-growing information security job gap ― a gap that’s only expected to get worse .

Given that fact, breaking into the security field is a smart move. The ever-growing field is extremely relevant ― even to professionals outside the IT sphere. Everyone from CEOs to admins and analysts can benefit from a fundamental understanding of security issues.

However, figuring out the right entry point into InfoSec can be challenging. There is such a wide variety of certifications covering a broad spectrum of issues. As a result, it can be confusing ― even intimidating ― to decide which first step is right for you.

Here are six certifications that are ideal for IT professionals hoping to enter the high-demand field of InfoSec. Keep in mind that this list is also great for general professionals looking to gain a better understanding of how to protect their systems and data.

Microsoft’s MTA Security certification is a great jumping-off point for anyone interested in working with Microsoft tech. Familiarity with those products is recommended, but there are no formal prerequisites to take the exam.

The MTA Security Fundamentals exam covers security matters relating to operating systems, networks and software in 30-50 multiple choice questions, which a test-taker has 50 minutes to complete. Because individual exams vary, passing scores are scaled.

Most IT certifications expire, but the newer MTA does not. While the MTA is not a direct stepping stone to a more advanced certification, it does provide foundational knowledge that can be useful as you build your credentials.

At $127, the MTA is a cost-efficient way to lay a foundation for working in information security.

Another excellent starting point for InfoSec is the CompTIA Security+ certification. It’s vendor-neutral, so you do not need to be familiar with any specific products. It is recommended that you have at least two years of experience as an IT admin with a focus on security. So, don’t let the entry-level tag fool you.

The 90-minute exam consists of 90 questions with a passing score of 750 (out of 900). It covers threats and vulnerabilities, network security, and access, identity and risk management.

The exam fee is $320 and the certification is valid for three years. To stay current, you’ll need to earn 50 continuing education credits (CEU) within those three years, as well as pay an annual maintenance fee of $50.

An approved baseline certification for U.S. Department of Defense (DoD) Level II IAT security positions, the Security+ certification is a well-respected credential. It represents a solid first step in demonstrating your dedication to the security field and lays the groundwork for a career in InfoSec .

Unlike the others on this list, the Cybersecurity Nexus (CSX) Fundamentals credential is a certificate, not a certification. As such, it might not have as much clout with employers. But it is a solid starting point for budding security professionals. The CSX will give you some of the latest security skills, increase your ability to tackle threats hands-on, and give you a base to chase higher-level opportunities.

The CSX Fundamentals exam, priced at $150, covers introductory concepts in network, applications and data systems ― as well as evolving technologies in the cybersecurity realm. It has 75 multiple-choice questions that need to be completed within two hours. A score of 65 percent is required to earn the certificate.

IT professionals can make the most of a CSX Fundamentals certificate by treating it as a stepping stone toward earning the more-robust CSXP certification . The CSX also shows a basic knowledge of security fundamentals for managers, auditors, and other non-IT professionals.

If you work with Check Point security products ― or plan to ― you’d be well-served to pursue the CCSA certification. At least six months of product experience and having a solid understanding of networking principles and TCP/IP is recommended.

Both the R77 and R80 exams have 100 questions and 90 minutes to reach a passing 70 percent score. R77 is more product-focused than R80, which covers unified policy and threat management, as well as security consolidation and cloud technologies.

The cost for either exam is $250 and the certification is valid for two years.

It’s worth pointing out that the R77 certification is rumored to be retired soon. So if you’re thinking about sitting for this exam, do your research. Your long-term InfoSec goals might be more aligned with the CCSA R80 certification.

The Systems Security Certified Practitioner (SSCP) is another DoD baseline certification for Level II IAT security positions. Vendor-neutral and covering a full range of security concerns, the SSCP is an excellent way to break into InfoSec.

A bit more demanding than some of the other credentials on this list, qualifying for the SSCP exam requires at least a year of experience in one of the (ISC)2 Common Body of Knowledge (CBK) domains. You can also just happen to have a B.A. or M.A. in a cybersecurity program, and that’ll fill the prerequisite.

The exam will run you $250 and has 125 questions that need to be completed within a three-hour period. A score of 700 (out of a 1,000) will earn you the certification, which needs renewed every three years. To do that, you need to earn 60 Continuing Professional Education credits (CPE).

Getting certified in ethical or “white hat ― hacking is an outstanding way to show your dedication to InfoSec skills. White Hat hackers learn and implement cybercriminal practices to help good guys, using hacking techniques in a preventative and productive way.

Candidates for associated certifications should have at least two years of experience in the cybersecurity space. The four-hour exam involves 125 questions, with a passing score being between 60-85 percent. If you possess the prerequisite experience, the exam will cost you $500. But it’s $600 if you don’t have the recommended experience.

Any cert on this list can be your entry point into the high-demand field of InfoSec. Whether you stick with one cert, build upon it to advance along a specific track, or use it as one part of building your stackable credentials, an InfoSec certification will be useful to you.

With the daily need for IT security specialists and the constantly growing InfoSec job gap, the value of an InfoSec certification is unquestionable. Putting the time and effort into establishing InfoSec credentials will benefit your career. Building on these certifications only leaves room to raise the demand for your InfoSec skills and expertise.

*本文作者：littt0，本文属 CodeSec 原创奖励计划，未经许可禁止转载。

在应急响应的过程中，客户反馈深信服防火墙AF 报告客户服务器僵尸网络警告，服务器试图解析恶意域名msupdate.info。于是客户使用360，火绒剑等杀毒软件均没有发现异常现象。于是求助我，遂有此文章。

病毒virustotal.com的报告，可以看到很多国内厂商依然无法检出：

文件名： cspsvc.exe

https://www.virustotal.com/zh-cn/file/c765ba5eedcd87b6f98eb503df640f5a8b077d3a30f02c6019feec1b5a553981/analysis/

接到应急，远程登录一把梭，netstat -ano 查看异常外连，由于病毒发起的外连已经被深信服防火墙AF所拦截，重点关注SYN_SENT和TIME_OUT，经过排查。并未发现异常外连，于是通过process hacker 查看异常进程。然而也没有发现异常进程，也没有挖矿进程占用大量的cpu资源。于是排查一度陷入江局。

这时候束手无策的我只能上微软闭环工具sysmon 对系统进行监控。观察病毒的一举一动。

sysmon需要安装使用：

昨天种下一颗种子，今天就是收获日啦。

深信服防火墙AF依然在报僵尸网络，不过已经拒绝了：

查看sysmon日志，根据深信服下一代防火墙AF报僵尸网络的时间果然找到可疑的点。

可以看到服务拉起了一个可疑文件。

接着排查发现它拉起一个可疑powershell脚本，以服务的方式启动。

接着这个ps脚本执行。

这个脚本还利用注册表生成了一个用户名为adm：

至此，我们已经找出了挖矿程序。查看ps脚本就可以看到他的钱包地址：

首先看cspsvc.exe文件：

cspsvc.exe 是启动程序用于加载ps脚本程序。

ps脚本是一个内容丰富的木马也是主要的程序：

可以看到脚本提供了丰富的命令行参数，我们之前看到的就是SCMStart。

接下来使用：

获取了命令行参数执行相关操作：

程序获取了登录名，默认启动setup：

setup里面包含了编译了一个c#文件的功能：

由

可知编译的文件就是我们发现的cspsvc.exe

接着就从C:\windows \fonts\arial\config.xml或者C:\Windows\SoftwareDistribution\config.xml 读取配置文件，不存在就新建了一个fonts\arial\ 目录：

写入配置后并拷贝一份：

继续往下看发现了主要执行的Service：

发现执行了一处加密内容。

加密内容为一个新的powershell脚本。可以看到它新建了一个adm的用户。密码是从之前的配置文件中读取的密码：

从域名msupdate.info通过 网络下载矿机：

接着释放又释放了一个加密的ps脚本：

结合通过autoruns发现计划任务GpCheck.ps1计划任务，和下面的写操作可以发现该脚本写入位于system32\drivers\en-US\GpCheck.ps1 的该文件：

此次由于防火墙的存在成功阻挡了恶意程序下载挖矿程序进行挖矿。并及时警报客户，使得客户业务没有受到影响。

对于此木马的分析只是浅显的分析了下，主要是想分享一下这种没有执行成功的挖矿病毒如何排查的经验。希望能够抛砖引玉。

*本文作者：littt0，本文属 CodeSec 原创奖励计划，未经许可禁止转载。