Daily Security Briefing (20161130)

Posted on 2016-11-29 21:34
Posted on 2016-11-30 22:24
1. Researchers' 2017 predictions: the ransomware model moves to new platforms
Title: 2017 Cybersecurity Predictions: New Norms Expected in Threat Landscape

Author info: November 28, 2016 at 5:00 AM  By Ryan Olson

//BEGIN
This post is part of an ongoing blog series examining “Sure Things” (predictions that are almost guaranteed to happen) and “Long Shots” (predictions that are less likely to happen) in cybersecurity in 2017.
Here’s what we see coming on the threat landscape in 2017:
This article is part of a predictions report; it presents security events or trends that are certain to happen next year, as well as some that may happen.
One point it specifically raises concerns ransomware: ransomware is not really a piece of malware, it is simply a business model adopted by criminals. Malware is only one of the means by which that goal is reached. Generally speaking, a ransomware attack needs five steps to complete:
First: take control of a system or device. This can be a single machine, a mobile phone, an IoT device or any other system able to run software.
Second: block the user's access to that system or device. The methods include encryption, locking the screen or even just scaring the user.
Third: notify the victim, in some threatening way, that they have been held to ransom and how to pay. This step looks simple but is sometimes hard to pull off: the attacker and the victim may not speak the same language, so this step is not easy.
Fourth: collect the money from the victim. If law enforcement locates and tracks them at this step, all of the preceding steps were in vain, because what awaits them is not a ransom but a pair of cold handcuffs.
Fifth: if the fourth step succeeds and they reach the last step, the extortionist should be able to fully restore the victim's control over the system or device, or their data. One can imagine that if this is not done, then even if the extortionists are never caught by law enforcement, purely as a business model this ransomware will not last.

//END
If you are wondering if you should return to simply making phone calls when you want to share a private message, that’s not a bad idea, but take a look at any teenager’s phone when considering a technology solution. Snapchat’s killer feature is messages that automatically delete themselves after the recipient reads them. This allows users to send messages with less concern about them being shared with others. There are now many security-focused messaging systems, including Telegram, Wickr, Signal and Allo, which feature end-to-end encryption and self-deleting messages. While it’s still possible for someone to grab a screenshot of one of these messages, they are often much safer than e-mail.
Widespread adoption of these services in 2017 is still a long shot, as many users may not be comfortable making the transition from e-mail. However, those who’ve learned from widespread leaks will look for alternative ways to share their private thoughts with others.
What are your cybersecurity predictions around our threat landscape? Share your thoughts in the comments and be sure to stay tuned for the next post in this series where we’ll share predictions for network security.
For security's sake, as a security practitioner one will sometimes just make a phone call to exchange private information rather than send it over the network. That is a fine idea, of course. But a look at how young people today habitually use smart mobile devices shows the same thing: some vendors have rolled out corresponding security measures. For example, some automatically and completely delete a message once the recipient has received it, leaving no copy anywhere on the network; some also offer end-to-end encryption, so that apart from the sender and the recipient any third party only ever sees encrypted data; some also use self-deleting message delivery; of course, someone photographing the screen sometimes cannot be avoided, but all in all this is still safer than sending e-mail. Some people will find this way of sharing information very hard to get used to, but given the databases and private data that keep being exposed lately, perhaps it is time to change how we send information; opinions on this will differ.

Comment: ransomware should be a major trend. For prevention, the advice is still: back up, back up, and back up again.

Posted on 2016-11-30 22:26
2. Kangaroo ransomware is installed manually by its developers over Remote Desktop
Title: The Kangaroo Ransomware is Here With New Nastier Features

Author info: November 29, 2016 By Simona Atanasova

//BEGIN
The cybercriminal gang behind the notorious Fabiansomware, Esmeralda and the Apocalypse ransomware pieces have recently added one more threat to their artillery – the Kangaroo ransomware.
However, Kangaroo differentiates from the majority of ransomware infections with a couple of its new features. First, it uses a legal notice as a ransom note, which is displayed right before the victims could log in to Windows. In this way, a victim must see the note before they are able to log in. Second, the ransomware terminates the Explorer process when started and prevents Task Manager from launching, and thus it locks its victims out of Windows until they pay the ransom sum demanded or remove the infection. This screenlocker can be disabled by pressing ALT+F4 or in Safe Mode but many non-professional users are still prevented from using their machines.
A ransomware family named Kangaroo has made its debut, and it arrives with some new features. The first is that before the user logs in to Windows it displays a legal-notice-style message telling the user they have been held to ransom. The second is that it terminates Windows Explorer and prevents the user from using Task Manager to find the process and remove it.

//END
Moreover, Kangaroo configures the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon “LegalNoticeText” registry value that shows the victims a legal notice which they must read before being able to login to Windows.
Unfortunately, at the moment a free decryptor for the Kangaroo locked files is not available.
The ransomware manages to display its ransom message before Windows logon by modifying a registry value on the target host. So far no tool has been found that can unlock this ransomware.

Comment: against ransomware: back up, back up, and back up again.
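The article above names the registry value Kangaroo sets, `LegalNoticeText` under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, to show its note before logon. A responder triaging a machine or a disk image often works from a text export of that key (`reg export` output) rather than the live registry. The following Python script is an added example, not code from the article, the forum post or the Kangaroo write-up: it parses such an export fragment and reports any `LegalNoticeCaption` / `LegalNoticeText` that is set. The sample export is constructed; the key path and value names are the ones the article names. A non-empty banner is a lead to review, not a verdict, because organisations use the same values for their own legitimate logon banners.

```python
"""Added example: flag a Winlogon logon banner in an exported registry fragment."""
import re

# Key path and value names as given in the Kangaroo article.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTICE_VALUES = ("LegalNoticeCaption", "LegalNoticeText")

# Constructed sample of `reg export` output (real exports are UTF-16LE text
# with the same line format; only the key/value lines matter here).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"LegalNoticeCaption"="NOTICE"
"LegalNoticeText"="Your files have been encrypted. Contact: [placeholder]"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SomeSubkey]
"LegalNoticeText"="value on a subkey, must not be reported"
'''

_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")          # [HKEY_...\Path]
_VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"\s*$')  # "Name"="string data"


def parse_reg_export(text):
    """Return {key_path_casefolded: {value_name_casefolded: data}} for REG_SZ values."""
    keys = {}
    current = None
    for line in text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1).casefold()  # registry paths are case-insensitive
            keys.setdefault(current, {})
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            # Undo the two escapes the .reg format applies to string data.
            data = data.replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name.casefold()] = data
    return keys


def find_logon_banner(text):
    """Return {canonical_name: data} for notice values set on the Winlogon key.

    Empty strings are treated as 'not set'; subkeys are ignored. An empty dict
    means no logon banner is configured.
    """
    winlogon = parse_reg_export(text).get(WINLOGON_KEY.casefold(), {})
    hits = {}
    for name in NOTICE_VALUES:
        data = winlogon.get(name.casefold())
        if data:
            hits[name] = data
    return hits


if __name__ == "__main__":
    hits = find_logon_banner(SAMPLE_EXPORT)
    if hits:
        print("Winlogon logon banner is set; review it before trusting the host:")
        for name, data in hits.items():
            print(f"  {name} = {data!r}")
    else:
        print("No logon banner configured on the Winlogon key.")
```

On a live host the same check is `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` followed by running the parser over that file (decode it as UTF-16 first); for a baseline, compare the reported text against the banner your organisation actually deploys.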

Posted on 2016-11-30 22:27
3. PayPal fixes a vulnerability that let application OAuth tokens be hijacked
Title: PayPal Fixes OAuth Token Leaking Vulnerability

Author info: November 28, 2016, 3:52 pm by Chris Brook

//BEGIN
PayPal fixed an issue that could have allowed an attacker to hijack OAuth tokens associated with any PayPal OAuth application.
Popular payment provider PayPal recently fixed an OAuth token authentication vulnerability that hackers could have exploited.

//END
Researchers with the University of Hong Kong highlighted a nasty flaw in OAuth 2.0 earlier this month at Black Hat Europe. A trio of academics said at the conference that poor OAuth implementations which allow for Facebook and Google single sign-on functionality can lead to account hijacking in one billion mobile apps.
Earlier this month at Black Hat, researchers from Hong Kong disclosed an authentication vulnerability in OAuth 2.0. Because of it, single sign-on functionality, including Facebook's and Google's, could lead to more than one billion mobile apps being hijacked.

Comment: payments are money, so payment systems are likely to be a focus for hackers, and of course also a focus for defenders. But the capabilities and the attack/defence posture of the two sides are not balanced.

Posted on 2016-11-30 22:29
4. Culprit behind the Deutsche Telekom attack is a newly discovered critical router vulnerability
Title: Newly discovered router flaw being hammered by in-the-wild attacks
Researchers detect barrage of exploits targeting potentially millions of devices.

Author info: 11/29/2016, 5:21 AM By DAN GOODIN

//BEGIN
Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers.
Criminals online are not content with Mirai-style operations; they are moving to exploit a vulnerability in many thousands of home routers to carry out attacks.

//END
People who want to lock down their routers and have the necessary technical skills should reboot them and immediately check to see if the devices are listening for incoming commands on port 7547. As mentioned above, most Mirai-infected devices will be locked down and will display few indications of compromise, although frequent reboots have been reported in at least some cases. Generally speaking, IoT devices are disinfected each time they're restarted. A good practice is to reboot them and immediately lock them down with a strong password, or, better yet, to disable remote administration.
Users who are unsure whether their home router is under threat can check whether port 7547 is open and waiting for external commands. Users who are not that technical and cannot get to that level can reboot the device and then immediately set a fairly complex custom password; the best approach, of course, is simply to disable the remote-management function. That will block the attacks, but normal management also becomes more of a hassle.

Comment: for users, convenience and security are sometimes hard to have at the same time.
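The article advises users who can to check whether their router is listening for incoming commands on port 7547. The Python script below is an added example, not code from the Ars Technica article or the forum post: it makes a plain TCP connection attempt to the router's LAN address on that port and reports whether the port is open, closed or unanswered; it sends no data to the device. The router address `192.168.1.1` is an assumption (adjust it to your own router); the `demo_local` function stands up a throwaway listener on loopback so the probe can be exercised without any router at all. An open port on the LAN side is a reason to reboot, set a strong password and disable remote administration as the article suggests, not proof of compromise; and a closed port on the LAN side says nothing about whether the WAN side is exposed.

```python
"""Added example: check from the LAN whether a router accepts TCP connections on port 7547."""
import socket

ROUTER_ADDR = "192.168.1.1"   # assumed LAN address of the router; change to yours
CWMP_PORT = 7547              # the port the article says infected devices listen on


def probe_tcp(host, port, timeout=3.0):
    """Attempt a TCP connection to host:port and classify the result.

    'open'      -> the TCP handshake completed, so something is listening
    'closed'    -> the connection was actively refused
    'no-answer' -> no reply within the timeout, or the host is unreachable
                   (dropped by a firewall, wrong address, or host down)
    Nothing is sent after the handshake; the socket is closed immediately.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:          # includes socket.timeout and 'no route to host'
            return "no-answer"


def demo_local():
    """Exercise probe_tcp against a temporary loopback listener.

    Returns (result_while_listening, result_after_close); the expected pair is
    ('open', 'closed'). A listening socket completes the handshake without
    accept() being called, which is all the probe relies on.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        srv.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
        srv.listen(1)
        port = srv.getsockname()[1]
        while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return while_listening, after_close


if __name__ == "__main__":
    print("loopback self-check (expect ('open', 'closed')):", demo_local())
    state = probe_tcp(ROUTER_ADDR, CWMP_PORT)
    print(f"{ROUTER_ADDR}:{CWMP_PORT} is {state}")
    if state == "open":
        print("Port 7547 accepts connections from the LAN: reboot the router, set a "
              "strong password and disable remote administration, as the article advises.")
```

Run it from a machine on the router's LAN. If the result is `no-answer` the port may simply be firewalled on the LAN interface; what the article is concerned about is the port being reachable from the Internet, which this LAN-side probe cannot observe, so disabling remote administration remains the safe default regardless of the result.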

Posted on 2016-11-30 22:31
5. Liechtenstein bank breached, attackers extort ransoms from account holders
Title: Hackers crack Liechtenstein banks, demand ransoms
Tiny country creates yuuge problems as crims threaten to expose 'tax evasion'

Author info: 29 Nov 2016 at 05:02 By Team Register

//BEGIN
Hackers have days ago breached a Liechtenstein bank and are allegedly blackmailing customers by threatening to release their account data if ransoms are not paid.
Tiny Liechtenstein has not escaped the extortionists' eye either: they threaten to expose the bank account information they hold if they still do not receive the ransom. A 10% ransom does seem rather steep, though.

//END
Attackers accused the bank board of not paying them for security services, likely bug poaching rather than legitimate testing, claiming their "intention is not to harm" and have to "resort to" extortion.
Bild.de has blocked out the Bitcoin addresses so it is not yet possible to track if any ransoms have been paid.
As for the stated reason for going public, it is that they did not receive the fee they believe they were owed for security services. Whether any ransom has been paid is still unknown.

Comment: this extortion really comes in every variety. The backup strategy we keep advocating does not seem to apply here; you also have to strengthen the protection of your own data so that nobody can dump your database.

Posted on 2016-11-30 22:32
6. Porn site xHamster data leaked, hundreds of thousands of accounts offered for sale
Title: Hackers Are Trading Hundreds of Thousands of xHamster Porn Account Details

Author info: 28 November 2016 03:00 PM CET  By JOSEPH COX

//BEGIN
Hundreds of thousands of user account details for porn site xHamster are being traded on the digital underground.
The database of nearly 380,000 users, provided to Motherboard by for-profit breach notification site LeakBase, includes usernames, email addresses, and what appears to be poorly-hashed passwords.
Registered user information said to come from the free porn site xHamster is currently circulating on the hacker black market; the data set is roughly 400,000 records and contains usernames, e-mail addresses and password hash values.

//END
Update: After the publication of this article, Alex Hawkins, xHamster spokesperson, told Motherboard in an email, "The only way to respond to this news is to coin a new term: 'Fhack.' A fhack is best defined as a fake hack. There was a failed attempt to hack our database which occurred 4 years ago. The integrity of our user data is secure. Passwords are encrypted and impossible to hack. In short, this was a successful fhack; and a failed hack."
When pressed on how did data traders then obtain a list of xHamster user email addresses, the company said, "We cannot validate that the emails are real and we don't believe that this is a genuine database." This is despite Motherboard's independent verification of the email addresses and usernames.
However, as of this article's publication, xHamster officially responded that the report is nonsense: the company's website is very secure, no user-data leak has occurred, and the story is pure hype. As for the users' e-mail and other data circulating on the black market, the company officially says it cannot confirm that the data is genuine and does not believe the database is real.

Comment: one side says there was a leak, the other says there was not; which side should users believe?