Preface: Key component of smart city are the IoT devices. The communication protocol of the IoT devices are Lora, SigFox and NarrowBand (NB).
Background: In realistic, smart city cannot lack of wifi setup for assistance. So, WiFi is one the key component in this family (Smart City).
Vendor Cisco follow up TI BLE chips vulnerability – CVE-2018-16986: Suggest verify with the following command on wireless AP device. If device show not support BLE function and therefore confirm device not vulnerable.
ap# show controllers bleRadio 0 interface
BLE not supported on this platform
Facebook looks bad luck this year. It is better to invite Chinese Feng Shui master provides suggestion. Yes, it is kidding.
Perhaps Facebook intend to improve their image. It immediately let’s public know what is happening in the moment. It is talking about 6.8 million users’ private photos leakage. But suspected that the loophole was happened in developers environment.
My comment is that may be vulnerability happens in call to action function. A design limitation keep the CTA access token. And therefore it provides unauthorize access.
Preface: As time goes by, an evolution in technology offers best-of-class in rendering for both VFX and feature film animation.
What does VFX stand for? Visual effects (abbreviated VFX) is the process by which imagery is created or manipulated outside the context of a live action shot in film making. RenderMan offers a combination of unbiased and biased rendering techniques which provide both accuracy and technical efficiency
Vulnerability details: Pixar’s Tractor software, versions 2.2 and earlier, contain a stored cross-site scripting vulnerability.
Preface: Docker’s introduction of the standardized image format has fueled of interest in the use of containers in the enterprise recently. A Docker container look likes a Virtual machine.
It is without antivirus or malware detector facilities install to Docker container platform. Is that secure?
On the market, there is no such product available in the market. However if you would like to find out something 101 about preventive control. It can find on this short discussion.
Hints: When a container accesses a database or service it will require a secret, like an API key or username and password. An attacker that gains access to the secret will also have access to the service. For more details, please refer to attached diagram.
Ensure that processes in containers do not run as root, so when attacker try to exploiting privileges command, it will be restricted by role base control.
Cut down on the kernel calls that a container can make to reduce the potential attack surface.
So called “something 101” as usual technical details not suitable describe in long format. See whether we have chance to discuss more in future.
Preface: Since we launched it in 2014, Kubernetes running strong. It is becoming “the Linux of the cloud,” according to Jim Zemlin, Executive Director of the Linux Foundation. Analysts estimate that 54 percent of Fortune 100 companies use Kubernetes across a spectrum of industries including finance, manufacturing, media, and others.
CVE-2018-1002101 – In Kubernetes versions 1.9.0-1.9.9, 1.10.0-1.10.5, and 1.11.0-1.11.1, user input was handled insecurely while setting up volume mounts on Windows nodes, which could lead to command line argument injection. Reference: Reference: https://github.com/kubernetes/kubernetes/issues/65750
CVE-2018-1002103 – The attacker can use DNS rebinding to indirectly make requests to the Kubernetes Dashboard, create a new Kubernetes Deployment running arbitrary code. If minikube mount is in use, the attacker could also directly access the host filesystem. Reference: https://github.com/kubernetes/minikube/issues/3208
Preface: Remote code execute and Privileges escalation are the critical vulnerabilities topics which lure end user attentions. On patch Tuesday (remedy program) issued by Microsoft this week. Their product design limitation contains priviliges escalation vulnerability.
CVE-2018-8611 – Vulnerability details: With reference of CVE-2018-8611 inform customer that exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system.
Technical background: So far, the the win32k.sys kernel module is a well-known attack surface. The function NtUserSetWindowLongPtr replaces the target window’s spmenu field with the function’s argument without any checks when using GWLP_ID and the target window’s style is WS_CHILD. NtUserSetWindowLongPtr is a win32k service function which can be called from user mode (use the corresponding system call ID). In the nutshell, this gives a way to attacker to replace the target window’s spmenu value to anything.
Background: On 28th Nov 2018, a SQL injection vulnerability found on Cisco Prime License Manager. Vendor (Cisco) with immediate action release the patch to remediate this design weakness.
Technical issue found on patch: Update (2018-December-10): Installing the ciscocm.CSCvk30822_v1.0.k3.cop.sgn patch may cause functional issues. Workarounds are available for some of these issues. Rolling back this patch as described in the Fixed Releases section will correct these functional issues, but the device will be affected by this vulnerability again when the patch is not in place. See the Fixed Releases section for details. An official announcement in regard to this issue.
Preface: Intel Software Guard Extensions (SGX) is a set of central processing unit instruction codes from Intel that allows user-level code to allocate private regions of memory, called enclaves, that are protected from processes running at higher privilege levels.
SGX design limitation: L1 Terminal Fault aka Foreshadow found in August 2018. Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-seal.
The Foreshadow / L1-terminal-fault attack were assigned the following CVE numbers:
CVE-2018-3615 for attacking SGX.
CVE-2018-3620 for attacking the OS Kernel and SMM mode.
CVE-2018-3646 for attacking virtual machines.
Regarding to this vulnerability. Siemens Security Advisory by Siemens Product has following announcement to their product. For more details, please see below:
Preface: What is your expectation from our robot counterparts in the future?
Before Professor Stephen Hawking leave the world. The final warning for humanity: AI is coming for us. In the world now in preparing the 5G mobile technology, Big Data technology and Smart City. A silent force unintend to drive human go to next generation of world. We believe all the regime in the world now get into this competitions. A quick idea to you is that the term so called Smart or intelligence most likely are efficiency and productivity. All the components within the earth are running fast in the moment. But what is your expectation from our robot counterparts in the future? Because they are coming!
Why do we recommend thinking about it at this time?
For instance, the global surface temperature increases while climate change includes global warming and everything else. The extreme changes was began in mid 80’s. Why? Manufacturer cost allocation & development country boots up their power. Now we understand the impact. But seems too late!
So this is the right time to consider.