
Daily Security Brief (20161117)

Posted on 2016-11-16 22:12
Posted on 2016-11-17 17:08
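1. The Third World Internet Conference opens in Wuzhen
{CHN}

Title: New Internet technologies inject new momentum into the economy

Author information: 2016-11-16 12:03:35 By Chen Jing (陈婧), Wang Lin (王林)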

//BEGIN
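On November 15, Wuzhen, the water town in China's Jiangnan region, once again drew the world's attention. The "Light of the Internet" Expo, one of the two major technology highlights of the Third World Internet Conference, opened in Wuzhen at 14:00. On the 16th, the other highlight, the release event for the world's leading Internet scientific and technological achievements, will also take the stage.
People are eager to catch a glimpse of where the world's Internet is heading from this ancient town of white walls and dark tiles, and hope even more to find, in the dazzling technology show, a ray of hope for lifting the world economy. Liu Xingliang, president of the DCCI Internet Research Institute, has more concrete expectations for this year's World Internet Conference in Wuzhen: that more of the world's Internet giants will take part and join the discussion; that there will be more concrete cooperation rather than just talk; and that more eye-catching new products and technologies will be exhibited, giving more industries a fulcrum for transformation and upgrading.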

//END
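There is no doubt that new technology is becoming a new driver of economic development. This is also why the World Internet Conference attracts big names and the world's attention. Liu Xingliang believes that the development of new Internet technology has gone beyond the boundaries and scope of the industry to become a social force, and that the next step is for it to grow into a new engine the national economy can rely on, especially an engine of efficiency and innovation, playing the role of a "new engine" in economic development. Liu Xingliang said that, transformed by new Internet technology, some areas where supply used to be inadequate have changed noticeably: for example, Internet finance has forced traditional finance to upgrade, and the emergence of Didi has to some extent eased the difficulty of hailing a taxi. Practice has shown that combining new Internet technology with the real economy and traditional industries can provide new momentum for a relatively sluggish world economy, and its greater value lies in forcing industrial innovation. "Using the power of the Internet to force existing industries to look for new points of economic growth is happening not only in China but all over the world," he said.

Comment: China's Internet enters "Wuzhen time".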

Posted on 2016-11-17 17:14
2. PoisonTap technique can install a backdoor on a locked PC
Title: Wickedly Clever USB Stick Installs a Backdoor on Locked PCs

Author information: 11.16.16 7:00 AM By ANDY GREENBERG

//BEGIN
YOU PROBABLY KNOW by now that plugging a random USB into your PC is the digital equivalent of swallowing a pill handed to you by a stranger on the New York subway. But serial hacker Samy Kamkar’s latest invention may make you think of your computer’s USB ports themselves as unpatchable vulnerabilities—ones that open your network to any hacker who can get momentary access to them, even when your computer is locked.
Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.
“In a lot of corporate offices, it’s pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it,” Kamkar says. The computer may be locked, he says, but PoisonTap “is still able to take over network traffic and plant the backdoor.”
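By now nearly everyone knows not to use a USB drive of unknown origin, but hackers have gone a step further and found a new attack method: given a single chance at physical access to a computer, they plug a specially built USB device into the target machine and implant a purpose-built trojan. The notable point is that even a locked computer is not spared.
The hacker has published his proof-of-concept (PoC) code, named PoisonTap, for anyone who knows about it to download. With the help of this USB device, a hacker who gets the chance to approach a target can quietly plant a backdoor (non-file-resident), and can then remotely log in to the user's accounts, and even reach the corporate intranet and the router. Because it relates to the browser cache, it is a relatively novel technique and is also relatively hard to detect.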

//END
For the time being Kamkar says there’s no easy fix for users. To avoid an attack, he suggests someone would need to set their computer to hibernate rather than sleep, a setting that suspends all processes on the computer and causes it to wake up far more slowly. Or they can close their browser every time they step away from their computer, assiduously clear its cache, or even take the more drastic measure of filling their USB ports with glue. “I personally haven’t found a good, convenient way to solve this on my own computer,” Kamkar says.
The clearest and most troubling lesson, perhaps, is to beware who gets physical access to your PC. With a tool like PoisonTap in hand, a hacker walking unattended around your office may soon be moving freely around your corporate network, too.
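According to the hacker who developed the USB device, it is currently hard to develop a fix for users. To prevent similar attacks, the only option is protective measures. People are advised to shut the machine down or use hibernate mode when not using it. Those who really do not want to do that should, each time they leave the computer, close the browser, clear the browser cache, or even seal the USB ports. Otherwise, once a hacker of this kind takes a walk around your machine, with this tool he can get into your corporate intranet.
Related URLs (proof of concept)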
https://samy.pl/poisontap/
https://github.com/samyk/poisontap
//Download: poisontap-master.part1.rar (6.05 MB, downloads: 39) poisontap-master.part2.rar (5.28 MB, downloads: 45)
File name: poisontap-master.zip
File size: 12,766,753 bytes
MD5     : 3214AE89132584015FD98D7F9BBEC634

Comment: Internet security and traditional security still need to be combined.

Posted on 2016-11-17 17:15
3. Serious flaws in Lynxspring SCADA product
Title: Serious Flaws Found in Lynxspring SCADA Product

Author information: November 16, 2016 By Eduard Kovacs

//BEGIN
A researcher has discovered some serious vulnerabilities in a SCADA product from Missouri-based building automation and management solutions provider Lynxspring. The product is no longer supported, but it’s still used by companies.
The flaws were found by researcher Maxim Rupp in Lynxspring’s JENEsys building operating system, specifically the BAS Bridge, which bridges the integration between Modbus TCP/RTU and BACnet IP/Ethernet devices.
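Although technical support for the affected industrial control product component (BAS Bridge version 1.1.8 or earlier) ended in 2014, vulnerabilities have still been found, and there is more than one, with high severity. There are four vulnerabilities in total: CVE-2016-8357, CVE-2016-8378, CVE-2016-8361 and CVE-2016-8369.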

//END
While BAS Bridge is no longer supported, Rupp said he still identified some systems that are accessible from the Internet. “But the fact that they are not directly connected to the Internet does not mean that they are not used in the wild,” he explained.
Lynxspring is not the only building automation company whose products have been analyzed by Rupp. A few weeks ago, ICS-CERT published an advisory describing a couple of high-severity flaws found by the expert in American Auto-Matrix products.
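Although unsupported, these products can still be detected in use on the Internet. Even those not connected to the Internet are not necessarily out of use. Vulnerabilities in industrial control products are not found in just one product from one company; they are exposed frequently.

Comment: Industrial control system security.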

Posted on 2016-11-17 17:17
4. Symantec patches DLL hijacking vulnerability in its security products
Title: Symantec Patches DLL Hijacking Flaw in Enterprise Products

Author information: November 16, 2016 By Eduard Kovacs

//BEGIN
Symantec informed customers on Tuesday that it has addressed a DLL loading flaw in several of its enterprise products. These types of vulnerabilities affect software from many major vendors, but they are often seen as low risk issues.
The DLL hijacking flaw, tracked as CVE-2016-6590, was brought to Symantec’s attention by one of its employees, senior threat analysis engineer Himanshu Mehta. The security hole affects Symantec’s IT Management Suite (ITMS) 8.0, Ghost Solution Suite (GSS) 3.1 and Endpoint Virtualization (SEV) 7.x. Updates have been released for each of the vulnerable products.
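Vulnerability ID: CVE-2016-6590. This is the identifier of the DLL hijacking vulnerability that Symantec announced this Tuesday in several of its enterprise products. Products from more than one software company are in fact affected, but this vulnerability is generally considered low severity. The affected Symantec products are the following three: ITMS 8.0 (Symantec’s IT Management Suite), GSS 3.1 (Ghost Solution Suite) and SEV 7.x (Endpoint Virtualization). The vulnerability has, however, been fixed.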

//END
Researcher Stefan Kanthak has disclosed DLL hijacking vulnerabilities affecting the installers of roughly 40 applications. Companies such as Oracle, Kaspersky Lab, Rapid7, F-Secure and Comodo patched the flaws after being notified.
However, according to the advisories published by the expert, Microsoft, Google, Malwarebytes, Panda Security, ESET and many others either ignored him or said they did not believe this is an issue that needs fixing.
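DLL hijacking exists in many situations and can sometimes have serious consequences, but it still requires a malicious DLL to be downloaded to the target machine first. According to the count, roughly 40 applications have this vulnerability. Some of the companies notified have already fixed it, for example Oracle, Kaspersky Lab, Rapid 7, F-Secure and Comodo. Other security-related vendors, however, paid no attention: Microsoft, Google, MalwareBytes, Panda Security, ESET and others consider either that this is not an issue or that the issue, if it is one, is not worth fixing.

Comment: News like this is startling every time, but on a closer look, exploiting this vulnerability turns out to have preconditions, and there are differing voices and views within the industry.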

Posted on 2016-11-17 17:19
5. 17-year-old British teenager admits involvement in TalkTalk attack
Title: Teenager admits to TalkTalk cyberattack

Author information: 16 NOV 2016 - 12:49PM BY NARINDER PURBA

//BEGIN
A teenager has admitted being behind last year’s TalkTalk cyberattack, explaining he compromised the company’s website to “show off” to his friends.
The 17-year-old pleaded guilty to seven offenses at Norwich Youth Court in the UK. He said that at the time he “didn’t think of the consequences” of his actions.
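A 17-year-old British teenager hacked TalkTalk to show off his computer skills to friends, affecting roughly 160,000 users and exposing the bank accounts of 15,000 users. The teenager was arrested shortly after the incident last year. Because he is under 18, his name has not been made public. In court he admitted the 7 charges against him and said he had not expected such serious consequences.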

//END
Its interim results for the six months to September 30th saw its pre-tax profits triple, which its CEO, Dido Harding, has welcomed.
She said: “We have delivered an excellent uplift in first half profits and expect to deliver materially higher full year profits than last year.
“One year on from the cyberattack, we have maintained a relentless focus on looking after our existing customers and keeping up the pace across a wide range of operational improvements to make TalkTalk simpler and better for customers.”
Commenting on the data breach in October 2016, Harding described cybercrime “as the crime of our generation”.
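Despite the data breach, TalkTalk's profits were not affected. Since the attack, the company has stepped up and improved its service to users, making it simpler to use and more efficient. Profits for the half year to September 30 tripled; as for the data breach in October of this year, the company's leadership acknowledged that the era we live in is "an era in which cybercrime may be encountered at any time".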

//Download: Computer Misuse Act 1990 Chapter 18.pdf (294.39 KB, downloads: 42)
File name: Computer Misuse Act 1990 Chapter 18.pdf
Note: the 16-page UK Computer Misuse Act published in 1990 (Chapter 18)
File size: 301,451 bytes
MD5     : B73031EB4D33B0F2C0C9A6AB28A5DD04


Comment: For ordinary users, strengthening their own defences may also be an effective approach.

Posted on 2016-11-17 17:24
6. Carbanak crime gang targets the hospitality and restaurant industry
Title: Carbanak Attacks Shift to Hospitality Sector

Author information: November 15, 2016, 3:57 pm by Tom Spring

//BEGIN
The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, have shifted strategy and are targeting the hospitality and restaurant industries with new techniques and malware.
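The notorious cybercrime gang Carbanak is widely known for stealing more than 1 billion US dollars from as many as 100 financial institutions worldwide, including in China, the United States and Germany. Recently, however, their strategy has shifted, and they have turned their sights on the hospitality and restaurant industry, developing malicious code that applies new techniques for this sector.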

//END
Trustwave warns that the recent Carbanak campaign is “extremely stealthy” and hard to detect. “Without a general awareness of these new campaigns targets aren’t likely spot the attack until it’s too late,” Hussey said.
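The security company warns that the Carbanak gang's current campaign is quite stealthy and hard to detect; a high level of vigilance is essential, otherwise by the time information has been stolen it will be too late.

Comment: Any industry can become a target of cybercriminals, mainly wherever there is profit to be made.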