August 1th Week business Wind Control concern | Apple App Store, imessage by xxx, xxx information "bombing"

The Wind control weekly reports the security technologies and events that are worth paying attention to, including but not limited to content security, mobile security, business security and network security, and helps enterprises to be vigilant and avoid these security risks, which are small and large and affect the healthy development of the business.

1. Apple App Store, imessage by xxx, xxx information "bombing"

Recently, many netizens reflect, imessage garbage information more and more, sometimes a day can receive two or three, report also no matter use, follow-up will still receive. The reporter contacted Apple-related officials to get a response and is exploring more ways to further reduce spam, including using more advanced machine learning models to identify spam and more tools to block malicious sender accounts. Apple also revealed that it is in contact with domestic telecoms companies and exploring other ways to mitigate the problem of spam.

In addition, CCTV's 13th set of news channels at 9 Point of the news in the column, CCTV, "Apple's official App Store management loopholes" for the title of the topic, reported exposure to the App Store network xxx, vest bags, illegal apps and other problems. On the same day, the official account of Xinhua News agency issued an article called "Yellow, gambling, medicine are dare to send!" Apple, how can you not even care about such a thing? "Article, directly criticized Apple's negligence in the audit, ignoring the imessage loopholes caused users to include XXX, XXX, loans and other spam content information bombing.

2. Strictly check the vulgar content! Wen Travel Department Check B station, vibrato, quick, etc. 27 websites

Recently, in order to standardize the network culture market operations, strict search contains vulgar content of the network culture products, culture and Tourism department deployment of Special investigation work, according to law from the re-investigation of part of the content of the network culture operating units, organize network animation, network music market centralized law enforcement inspection, 27 major network animation, Online music websites are listed on the list of objects to be inspected.

Beep "" Quick look Comics "and other anime video sites and comic sites to provide content containing vulgar Web animation products problem, the Ministry of Culture and Tourism to deploy Beijing, Shanghai cultural Market Administrative Law Enforcement Corps to investigate the Shanghai wide Entertainment Digital Technology Co., Ltd., see the World (Beijing) Technology Co., Ltd. of the illegal business behavior. Ministry of Culture and Tourism requires 11 major network animation business units to strengthen the content of self-examination, to carry out clean-up, off-line illegal network animation products, has been offline suspected of illegal animation video 977, comic 167.

Among them, the second shot and other platforms are under the frame, including the bomb screen community website beep miles (hereinafter referred to as: B station), onion video, including some video sites suspended under the frame, internal rectification.

3. Zhejiang Province 10 million student status data is in the dark net sale

Yesterday afternoon, the threat hunter through the dark net to monitor, Zhejiang Province 10 million student status data is in the dark online sale. From the dark screen display, the sale of the student data covering most of Zhejiang's urban areas, the information is leaked contains the student name, XXX, school number, domicile, Guardian, Guardian number, residence address, place of birth, the name of schools. A photo link is also available in the data for sale, with data at around 100G.

4.Reddit re-exposure data leakage incident, 05-07 years was xxx***

U.S. social media Reddit yesterday announced that several of the company's systems were xxx***, causing some user data to be stolen, including the e-mail address users currently use and a 2007 database backup containing the old encryption password. Reddit said that XXX acquired a copy of the old database backup, which contained early Reddit user data, spanning from 2005 to May 2007.

5. The security of account information, the two third-party payment agencies are fined

XXX official website 30th, xxx verified that dealspot Payment Service Co., Ltd. (hereinafter referred to as "Dealspot Company") and pay the Financial Co., Ltd. (hereinafter referred to as "pay the company") there are a number of violations, the People's bank confiscated its illegal income and high fines.

It is verified that the Dealspot company has violated the rules of receiving and trading information management, illegal retention of bank card sensitive information, failure to maintain transaction records in accordance with the regulations, and serious violations of the rules of the real name management of the merchant. The company is in breach of the merchant real-name management rules, violations of the transaction information management regulations and other violations. Finally to the Dealspot company to give warning, confiscated illegal income of 920,000 yuan, and a fine of 2.49 million yuan, the total penalty amount of more than 2.58 million yuan. To deal with the company to give warning, confiscated illegal income of 1.47 million yuan, and a fine of 7.45 million yuan, the total penalty amount of more than 8.92 million yuan. At the same time, in order to prevent financial risk, two non-bank payment institutions in a year orderly exit from the serious offending area of the bank card receipt business.

6. SMS Verification code is not secure, two-step verification app is in need of popularity

At present, SMS verification code has been widely used in social media, websites and other platforms. can help users to do a series of sensitive operations, but also allows users to login without losing the account password directly. SMS Verification code is always the most widely used two-step verification method. But there are many security risks.

SIM hijacking can be implemented in a number of ways (such as SIM card cloning), with full control of a mobile phone number. The lower-level approach can even be found on the web, and the 2017 Black Hat conference demonstrated how to hijack a SIM card within a minute with just one mobile phone number.

Based on this, a two-step verification app based on the TOTP mechanism, which does not require any network connection (including Wi-Fi), and does not require SMS and SIM cards, is generated entirely locally on the phone. The existence of two-step verification of the app will significantly reduce the likelihood of sim hijacking.

7. COSCO Group Americas Computer Network was blackmailed software xxx

The state-owned COSCO Group of the Americas computer network around the ransomware xxx,48 hours after the situation is still not improving. In a statement issued in Thursday (PDF), Cosco said the affected networks included the United States, Canada, Panama, Argentina, Brazil, Peru, Chile and Uruguay. The statement said that those who want to contact Cosco Group employees in these areas must use a specific email address to contact, the company provided the e-mail address in addition to Cosco Group's own mailbox, there are free email service Yahoo, Gmail and Hotmail. Ransomware will lock the system by encrypting the computer files, it is unclear what kind of ransomware the COSCO Group has been xxx. Cosco Group's representative, through Twitter, said the company had initially quarantined all regional networks and would gradually restore connectivity after confirming security.

8.xxx stole $7.7 million worth of digital money from Kickico

XXX stole $7.7 million worth of digital money from the Kickico platform, using a novel approach-destroying existing coins and then creating the same amount of SGD to xxx-controlled addresses. This approach escaped Kickico's surveillance because it did not change the number of Kickico tokens issued. XXX first tried to steal the encryption key of the Kickico intelligent contract control. Kickico didn't know the key was stolen until the user complained about the loss of about $800,000 worth of digital money in the wallet.

Kickico said it had recovered the stolen token and returned it to the original owner. Kickico said that XXX used the key to destroy 40 addresses of the digital currency, in another 40 addresses to create the same amount of new tokens. It does not disclose how XXX is stealing the key.

August 1th Week business Wind Control concern | Apple App Store, imessage by xxx, xxx information "bombing"