
Silicon Valley Express, Issue 23: Joining Hands Again Since World War II

1. US Military and Political News

1. Joining hands again since World War II: UK and US jointly defend against cyber threats

UK and US issue joint statement on cyber collaboration

Leaders from GCHQ, the UK's joint forces command (JFC) and the US National Security Agency (NSA) discussed how to "counter and defend ourselves" against online threats. They said: "Our organizations work extremely closely together to help keep the United States and United Kingdom safe. Our discussions focused on how best we deploy and develop our cyber capabilities to counter, and defend ourselves against, malign activity around the world." [thergus.co.uk, 3/25/2018]

2. US Cyber Command issues its latest "Command" strategy

United States Cyber Command's New Vision: What It Entails and Why It Matters

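US Cyber Command recently released a new strategy, "Achieve and Maintain Cyberspace Superiority: A Command Vision for US Cyber Command" (hereafter the "Command Vision"), which addresses the command's ends, ways and means. In recent years, as the reach of cyberspace has continued to expand, US Cyber Command has changed qualitatively compared with when it was established in 2009. The release of the "Command Vision" marks a major change in US operational and strategic thinking in the cyberspace domain, and will also have a positive effect on global digital security and the stable development of the network environment. [lawfareblog.com, 3/25/2018]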

The United States Cyber Command (USCYBERCOM) has released what is effectively a new command strategy (formally called a "Command Vision," although it addresses ends, ways and means), anchored on the recognition that the cyberspace domain has changed in essential ways since the Command was established in 2009. The "Achieve and Maintain Cyberspace Superiority: A Command Vision for US Cyber Command" marks a significant evolution in cyber operations and strategic thinking, portending an opportunity to bring about greater security and stability to the interconnected global digital environment. [lawfareblog.com, 3/25/2018]

2. Frontier Technology

1. Researchers show how popular text editors can be attacked via third-party plugins

Researchers Show How Popular Text Editors Can Be Attacked Via Third-Party Plugins

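Security researchers at SafeBreach found that attackers can use online sandbox services to exfiltrate data from isolated networks; this latest research builds on the earlier finding that cloud antivirus programs can be used for data theft. These online sandbox services can be used for the same purpose, and the circumstances are very similar. However, to actually use this method, an attacker would likely need technical knowledge of the target network. [threatpost.com, 3/19/2018]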

Security risks in popular extensible text editors allow hackers to abuse plugins and escalate privileges on targeted systems, according to new research from SafeBreach. Inadequate separation of regular and elevated access modes used in editors and a lack of folder permissions integrity allow attackers to achieve execution of arbitrary code from regular user permissions. [threatpost.com, 3/19/2018]

2. What artificial intelligence means for cybersecurity

Understanding the Relationship Between AI and Cybersecurity

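Mimran said that although the threat of AI-driven cyberattacks is increasingly likely, he does not believe that AI will, in the short to medium term, acquire human-like thinking and thereby harm people. Human life is increasingly dependent on technology, and hackers are very likely to exploit this to harm us. However, most hackers today can carry out cyberattacks without relying on AI, which is the main reason hacking that incorporates AI technology has not yet been seen. [securityintelligence.com, 3/22/2018]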

"While the threat of cyberattacks powered by AI is increasingly likely, I am less concerned in the short- and midterm about machines making up their minds and being able to harm people," Mimran said. "Our lives are becoming more and more dependent on technology, and this will be exploited by adversaries much before we have conscious machines. Nevertheless, today most of attackers' goals can be attained without the sophistication of AI, and that is why we don't see a big new wave of these kinds of attacks." [securityintelligence.com, 3/22/2018]

3. Industry Developments

1. IDC: Global spending on security solutions expected to exceed $91 billion in 2018

Worldwide blockchain spending likely seen at $9.2B in 2021: IDC

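According to IDC's "Worldwide Semiannual Security Spending Guide", worldwide spending on security-related hardware, software and services is expected to reach $91.4 billion in 2018, an increase of 10.2% over 2017. This pace of growth is expected to continue over the next several years as industries increase their investment in security solutions to meet a wide range of threats and requirements. IDC forecasts that worldwide spending on security solutions will achieve a compound annual growth rate (CAGR) of 10.0% over the 2016-2021 forecast period, reaching $120.7 billion in 2021. [econotimes.com, 3/29/2018]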

In its inaugural Worldwide Semiannual Blockchain Spending Guide, market intelligence firm International Data Corporation (IDC) estimates that worldwide spending on blockchain solutions will reach $2.1 billion in 2018, more than double the $945 million spent in 2017. IDC sees a robust pace of growth in blockchain spending over the 2016-2021 forecast period, with a five-year compound annual growth rate (CAGR) of 81.2% and total spending of $9.2 billion in 2021. [econotimes.com, 3/29/2018]

2. Gartner: Global IoT security spending to reach $1.5 billion in 2018; regulatory compliance will be the main influencing factor

Gartner: Global expenditure on IoT security to hit $1.5 billion in 2018

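A recent Gartner survey found that nearly 20% of organizations had detected at least one IoT-based attack in the past three years. To guard against these threats, Gartner forecasts that worldwide IoT security spending will reach $1.5 billion in 2018, a 28% increase from $1.2 billion in 2017. [iottechnews.com, 3/23/2018]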

A new report from Gartner has projected that expenditure on IoT security across the globe will hit $1.5 billion in 2018 from $1.2 billion in 2017 due to the growing efforts from enterprises to shield themselves from IoT-based threats. The analyst firm found that over the last three years, nearly 20% of enterprises were hit by at least one IoT-based attack. [iottechnews.com, 3/23/2018]

4. Silicon Valley Leaders

1. Microsoft releases KB4100480 to further mitigate the Meltdown vulnerability

Microsoft Issues Out-Of-Band Security Update for Windows 7 & Windows Server 2008

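Microsoft recently released update KB4100480 for Windows 7 and Windows Server 2008 R2, further fixing the Meltdown vulnerability disclosed in January this year. An attacker would need to run a specially crafted application to take over an affected system. The update fixes a vulnerability in which the Windows kernel mishandles objects in memory. [bleepingcomputer.com, 3/29/2018]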

Microsoft today issued an out-of-band security update for 64-bit versions of Windows 7 and Windows Server 2008 R2. The security update, KB4100480, addresses a security bug discovered in January. The bug was caused by a patch meant to fix the Meltdown vulnerability but accidentally left kernel memory wide open. [bleepingcomputer.com, 3/29/2018]

2. Cloudflare officially launches the 1.1.1.1 public DNS service

Cloudflare's free DNS service speeds up web browsing and helps protect your privacy

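This is not an April Fools' joke: Cloudflare announced the official launch today of its 1.1.1.1 public DNS service, which it says anyone can use to speed up internet access and keep their connection private. Cloudflare claims it will be "the Internet's fastest, privacy-first consumer DNS service". Cloudflare's focus is on the privacy aspects of its own DNS service, and it promises to clear DNS query logs internally every 24 hours. [techspot.com, 4/2/2018]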

It almost sounds like an April Fool's prank, but it's not. Cloudflare launched its first consumer product: a new Domain Name System (DNS) resolver that will help protect the privacy of your web browsing sessions while speeding up your internet. With Cloudflare's free 1.1.1.1 tool, you can connect to a custom Domain Name System that the company is calling "the Internet's fastest, privacy-first DNS service." [techspot.com, 4/2/2018]

5. Voices of Silicon Valley

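Ruggero Contu, research director at Gartner, said: Although IoT security has consistently been regarded as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with IT departments to ensure that the IT portions affected by the devices are adequately addressed. However, a common architecture or a consistent security strategy is almost nonexistent, and vendor product and service selection remains ad hoc, based on the device provider's alliances with partners or the core systems that the devices enhance or replace.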

Ruggero Contu, research director at Gartner, said: "Although IoT security is consistently referred to as a primary concern, most IoT security implementations have been planned, deployed and operated at the business-unit level, in cooperation with some IT departments to ensure the IT portions affected by the devices are sufficiently addressed. However, coordination via common architecture or a consistent security strategy is all but absent, and vendor product and service selection remains largely ad hoc, based upon the device provider's alliances with partners or the core system that the devices are enhancing or replacing."
