References
[1] Russell Brandom. Ukrainian company that spread petya could face criminal charges for vulnerability. https://www.theverge.com/2017/7/3/15916060/petya-medoc-vulnerability-ransomware-cyberattack. Accessed: 2020/05/31.
[2] Tom Warren. Hackers hid malware in ccleaner software. https://www.theverge.com/2017/9/18/16325202/ccleaner-hack-malware-security. Accessed: 2020/05/31.
[3] Charlie Osborne. Hijacked asus live update software installs backdoors on countless pcs worldwide. https://www.zdnet.com/article/supply-chain-attack-installs-backdoors-through-hijacked-asus-live-update-software/. Accessed: 2020/05/31.
[4] Siyavula Textbooks. Software installation. https://intl.siyavula.com/read/cat/grade-11-cat/hardware-software-and-computer-management/05-hardware-software-and-computer-management?id=sec5-2. Accessed: 2021/01/11.
[5] Margaret Rouse. End user license agreement (eula). https://searchcio.techtarget.com/definition/End-User-License-Agreement. Accessed: 2021/01/11.
[6] Oriana Pawlyk. Pay for more than 6,000 airmen delayed over software glitch. https://www.military.com/daily-news/2019/08/08/pay-more-6000-airmen--over-software-glitch.html. Accessed: 2021/01/11.
[7] Clea Skopeliti. Thousands stranded at heathrow due to check-in systems meltdown. https://www.theguardian.com/uk-news/2020/feb/17/thousands-stranded-amid-heathrow-check-in-systems-meltdown. Accessed: 2021/01/11.
[8] Susan Potter. Using binary delta compression (bdc) technology to update windows xp and windows server 2003. Microsoft Corp, 2005.
[9] Susan Potter. Using binary delta compression (bdc) technology to update windows xp and windows server 2003. https://web.archive.org/web/20040829073928/http://www.microsoft.com/downloads/details.aspx?FamilyID=4789196c-d60a-497c-ae89-101a3754bad6&DisplayLang=en. Accessed: 2019/11/29.
[10] Microsoft Document. Enable third-party updates. https://docs.microsoft.com/en-us/configmgr/sum/deploy-use/third-party-software-updates. Accessed: 2019/11/26.
[11] Understanding the Difference Between .exe and .msi. https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=0e501eb2-b17e-471a-abcb-a638045342ce&CommunityKey=41d8253b-a238-4563-8718-ed7623beafbc&tab=librarydocuments. Accessed: 2020/18/18.
[12] Notepad++ for Windows. https://notepad-plus.en.softonic.com/. Accessed: 2021/04/29.
[13] Emmanuel Gbenga Dada, Joseph Stephen Bassi, Haruna Chiroma, Adebayo Olusola Adetunmbi, Opeyemi Emmanuel Ajibuwa, et al. Machine learning for email spam filtering: review, approaches and open research problems. Heliyon, 5(6):e01802, 2019.
[14] Wang Xiujuan, Zhang Chenxi, Zheng Kangfeng, Tang Haoyang, and Tao Yuanrui. Detecting spear-phishing emails based on authentication. In 2019 IEEE 4th International Conference on Computer and Communication Systems (ICCCS), pages 450–456. IEEE, 2019.
[15] Nasim Maleki. A Behavioral Based Detection Approach for Business Email Compromises. PhD thesis, University of New Brunswick, 2020.
[16] Maryam Shuaib, Olawale Surajudeen Adebayo, Oluwafemi Osho, Ismaila Idris, John K Alhassan, Nadim Rana, et al. Whale optimization algorithm-based email spam feature selection method using rotation forest algorithm for classification. SN Applied Sciences, 1(5):390, 2019.
[17] AdBlocker Ultimate. https://adblockultimate.net/. Accessed: 2020/18/19.
[18] Shuai Zhao, Achir Kalra, Chong Wang, Cristian Borcea, and Yi Chen. Ad blocking whitelist prediction for online publishers. In 2019 IEEE International Conference on Big Data (Big Data), pages 1711–1716. IEEE, 2019.
[19] Action Nechibvute and Courage Mudzingwa. Wireless sensor networks for scada and industrial control systems. 2013.
[20] DongHo Kang, ByoungKoo Kim, JungChan Na, and KyoungSon Jhang. Whitelists based multiple filtering techniques in scada sensor networks. Journal of Applied Mathematics, 2014, 2014.
[21] Dick O’Brien. Istr ransomware 2017. Technical report, July 2017.
[22] David Moore, Vern Paxson, Stefan Savage, Colleen Shannon, S Staniford, and Nicholas Weaver. Inside the slammer worm. In IEEE Security & Privacy, volume 1, pages 33–39, July-August 2003.
[23] Adam Sedgewick, Murugiah Souppaya, and Karen Scarfone. Guide to application whitelisting. Technical report, October 2015.
[24] Microsoft Document. Applocker. https://docs.microsoft.com/zh-tw/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview. Accessed: 2020/05/25.
[25] Microsoft Documentation. Installutil.exe. https://docs.microsoft.com/en-us/dotnet/framework/tools/installutil-exe-installer-tool?redirectedfrom=MSDN. Accessed: 2021/04/27.
[26] Andrew Black. Application whitelist bypass. https://attackiq.com/2018/05/21/application-whitelist-bypass/. Accessed: 2021/04/27.
[27] Josphat Mutai. What is a dll file and how to open it. https://computingforgeeks.com/what-is-dll-file-and-how-to-open/. Accessed: 2021/04/27.
[28] Raj Chandel. Windows exploitation: rundll32.exe. https://www.hackingarticles.in/windows-exploitation-rundll32-exe/. Accessed: 2021/04/27.
[29] Andy Green. The malware hiding in your windows system32 folder: More rundll32 and lol security defense tips. https://www.varonis.com/blog/the-malware-hiding-in-your-windows-system32-folder-more-rundll32-and-lol-security-defense-tips/. Accessed: 2021/04/27.
[30] Shanhong Liu. Global market share held by operating systems for desktop pcs, from january 2013 to january 2019. https://www.statista.com/statistics/218089/global-market-share-of-windows-7/. Accessed: 2019/11/19.
[31] McAfee Knowledge Center. Differences between observation mode and update mode in application control. https://kc.mcafee.com/corporate/index?page=content&id=KB78223&locale=zh_TW. Accessed: 2021/03/11.
[32] Kaspersky Lab. About adaptive anomaly control. https://support.kaspersky.com/KESWin/11.1.1/en-US/175452.htm. Accessed: 2021/03/11.
[33] Long Cheng, Fang Liu, and Danfeng Yao. Enterprise data breach: causes, challenges, prevention, and future directions. Wiley Interdisciplinary Reviews: Data Mining and Knowledge Discovery, 7(5):e1211, 2017.
[34] Tony Pepper. Accidental internal data breaches are on the rise. here’s how to protect your business. https://www.cpomagazine.com/cyber-security/accidental-internal-data-breaches-are-on-the-rise-heres-how-to-protect-your-business/. Accessed: 2021/03/11.
[35] Adam Sedgewick, Murugiah Souppaya, Karen Scarfone, Larry Feldman, and Editors. Stopping malware and unauthorized software through application whitelisting. https://csrc.nist.gov/csrc/media/publications/shared/documents/itl-bulletin/itlbul2015-12.pdf. Accessed: 2021/03/29.
[36] Keith Jarvis and Jason Milletary. Inside a targeted point-of-sale data breach. https://krebsonsecurity.com/wp-content/uploads/2014/01/Inside-a-Targeted-Point-of-Sale-Data-Breach.pdf. Accessed: 2021/03/29.
[37] Tracey Caldwell. Securing the point of sale. Computer Fraud & Security, 2014(12):15–20, 2014.
[38] Jim Beechey. Application whitelisting: Panacea or propaganda. Global Information Assurance Certification Paper. SANS Institute, 2010.
[39] Himanshu Pareek, Sandeep Romana, and PRL Eswari. Application whitelisting: approaches and challenges. International Journal of Computer Science, Engineering and Information Technology (IJCSEIT), 2(5):13–18, 2012.
[40] Josh Powers, Rhett Smith, Zafer Korkmaz, and Husam Ahmed. Whitelist malware defense for embedded control system devices. In 2015 Saudi Arabia Smart Grid (SASG), pages 1–6. IEEE, 2015.
[41] Christopher Gates, Ninghui Li, Jing Chen, and Robert Proctor. Codeshield: towards personalized application whitelisting. In Proceedings of the 28th Annual Computer Security Applications Conference, pages 279–288, 2012.
[42] Seth AC DeCato. Increasing the security on non-networked ground support equipment: Analyzing the implementation of whitelisting protection. In 2016 IEEE AUTOTESTCON, pages 1–5. IEEE, 2016.
[43] Sandeep Romana, Amit Kumar Jha, Janardhan Reddy, Himanshu Pareek, and PR Eswari. Practical application whitelisting. Journal of Information Assurance & Security, 10(1):48, 2015.
[44] Hasan Turaev, Pavol Zavarsky, and Bobby Swar. Prevention of ransomware execution in enterprise environment on windows os: Assessment of application whitelisting solutions. In 2018 1st International Conference on Data Intelligence and Security (ICDIS), pages 110–118. IEEE, 2018.
[45] Ivanti. Rules items. https://help.ivanti.com/ap/help/en_US/am/10.1/Content/Application_Manager/Rule_Items.htm#ArgumentsEG. Accessed: 2020/05/25.
[46] Ivanti. Mcafee application control 8.2.0 - windows product guide. https://docs.mcafee.com/bundle/application-control-8.2.0-product-guide-windows/page/GUID-38D1E508-5FDE-4AFA-A33E-3F63C16999AF.html#. Accessed: 2020/05/25.
[47] Kaspersky Lab. Kaspersky endpoint security for windows. https://www.kaspersky.com/small-to-medium-business-security/endpoint-windows. Accessed: 2021/04/28.
[48] Kaspersky Lab. Application control rules. https://support.kaspersky.com/KESWin/11/en-US/128030.htm. Accessed: 2021/04/28.
[49] Kaspersky Lab. About database and application module updates. https://support.kaspersky.com/KESWin/11/en-US/128097.htm. Accessed: 2021/04/29.
[50] Trend Micro. About endpoint application control. https://docs.trendmicro.com/en-us/enterprise/endpoint-application-control/2.0. Accessed: 2020/04/13.
[51] Trend Micro. About trusted sources. https://docs.trendmicro.com/en-us/enterprise/endpoint-application-control-20/rulesandpolicies/rulesandpoliciesabout/rulesallowruletrustedsources.aspx. Accessed: 2020/04/13.
[52] William J Heinbockel, Ellen R Laderman, and Gloria J Serrao. Supply chain attacks and resiliency mitigations. The MITRE Corporation, 2017.
[53] Abel Yeboah-Ofori and Shareeful Islam. Cyber security threat modeling for supply chain organizational environments. Future Internet, 11(3):63, 2019.
[54] Stephen Pritchard. Software supply chain attacks – everything you need to know. https://portswigger.net/daily-swig/software-supply-chain-attacks-everything-you-need-to-know. Accessed: 2021/04/07.
[55] Joram Borenstein Cristin Goodwin. Guarding against supply chain attacks—part 3: How software becomes compromised. https://www.microsoft.com/security/blog/2020/03/11/guarding-against-supply-chain-attacks-part-3-how-software-becomes-compromised/. Accessed: 2021/04/08.
[56] Electric Helpdesk. Examples of supply chain attacks and how to prevent them. https://www.electric.ai/blog/examples-of-supply-chain-attacks-how-to-prevent-them. Accessed: 2021/04/08.
[57] Microsoft Defender Security Research Team. Windows defender atp thwarts operation wilysupply software supply chain cyberattack. https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/. Accessed: 2021/04/07.
[58] Microsoft Defender Security Research Team. Rivit. https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanDownloader:Win32/Rivit.A!dha. Accessed: 2021/04/07.
[59] GReAT, AMR from Global Research, and Kaspersky Lab Analysis Team. Operation shadowhammer. https://securelist.com/operation-shadowhammer/89992/. Accessed: 2021/04/08.
[60] GReAT, AMR from Global Research, and Kaspersky Lab Analysis Team. Operation shadowhammer: a high-profile supply chain attack. https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/. Accessed: 2021/04/08.
[61] Lucian Constantin. Solarwinds attack explained: And why it was so hard to detect. https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html. Accessed: 2021/04/08.
[62] FireEye Threat Research. Highly evasive attacker leverages solarwinds supply chain to compromise multiple global victims with sunburst backdoor. https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html. Accessed: 2021/04/08.
[63] Dan Chemistruck. How do you protect against supply chain attacks? assume you’re breached. https://www.infusedinnovations.com/blog/secure-intelligent-workplace/how-do-you-protect-against-supply-chain-attacks-assume-youre-breached. Accessed: 2021/04/08.
[64] Scott Rose, Oliver Borchert, Stu Mitchell, and Sean Connelly. Zero trust architecture. https://csrc.nist.gov/publications/detail/sp/800-207/final. Accessed: 2021/04/12.
[65] Zachary A. Collier and Joseph Sarkis. The zero trust supply chain: Managing supply chain risk in the absence of trust. International Journal of Production Research, 0(0):1–16, 2021.
[66] Josh Zelonis. Don’t drink from a poisoned well—mitigate supply chain risk with zero trust. https://go.forrester.com/blogs/dont-drink-from-a-poisoned-well-mitigate-supply-chain-risk-with-zero-trust/. Accessed: 2021/04/07.
[67] Virsec. The need for zero trust workload protection. https://securityboulevard.com/2021/04/the-need-for-zero-trust-workload-protection/. Accessed: 2021/04/12.
[68] Microsoft. Zero trust maturity model. https://www.microsoft.com/en-us/security/business/zero-trust. Accessed: 2021/04/12.
[69] OSR Open Systems Resources. An introduction to standard and isolation minifilters. https://www.osr.com/nt-insider/2017-issue2/introduction-standard-isolation-minifilters/. Accessed: 2021/06/7.
[70] Bill Kindle. How to use traceroute in windows 10 (tracert). https://adamtheautomator.com/traceoute-windows-10/. Accessed: 2021/06/7.
[71] Google. Google safe browsing. https://safebrowsing.google.com/. Accessed: 2021/03/22.
[72] Google. Safe browsing apis (v4). https://developers.google.com/safe-browsing/v4. Accessed: 2020/08/17.
[73] Microsoft Document. What is a driver? https://docs.microsoft.com/en-us/windows-hardware/drivers/gettingstarted/what-is-a-driver-. Accessed: 2020/08/17.
[74] McAfee. What is fileless malware? https://www.mcafee.com/enterprise/zh-tw/security-awareness/ransomware/what-is-fileless-malware.html. Accessed: 2021/06/7.
[75] Microsoft Document. Overview of file sharing using the smb 3 protocol in windows server. https://docs.microsoft.com/zh-tw/windows-server/storage/file-server/file-server-smb-overview. Accessed: 2020/08/17.
[76] Maxat Akbanov, Vassilios G Vassilakis, and Michael D Logothetis. Ransomware detection and mitigation using software-defined networking: The case of wannacry. Computers & Electrical Engineering, 76:111–121, 2019.
[77] Nikolay Pankov. Cve-2020-0796 new vulnerability in smb protocol. https://www.kaspersky.com/blog/smb-311-vulnerability/33991/. Accessed: 2020/08/17.
[78] Stefano Sebastio, Eduard Baranov, Fabrizio Biondi, Olivier Decourbe, Thomas Given-Wilson, Axel Legay, Cassius Puodzius, and Jean Quilbeuf. Optimizing symbolic execution for malware behavior classification. Computers & Security, page 101775, 2020.
[79] OWASP. Fuzzing. https://owasp.org/www-community/Fuzzing. Accessed: 2020/08/17.
[80] Google. Google cloud compute engine. https://cloud.google.com/compute. Accessed: 2021/06/02.
[81] Amazon. Cloud computing with aws. https://aws.amazon.com/what-is-aws/?nc1=h_ls. Accessed: 2021/06/02.
[82] Windows OS Hub. Using native package manager (winget) on windows 10. http://woshub.com/using-winget-package-manager-windows/. Accessed: 2021/07/21.
[83] Chocolatey Software. The package manager for windows-chocolatey. https://chocolatey.org/. Accessed: 2021/07/21.