Is it like a science fiction story: computers governing this world? Who are we? – Part 1

Have you read science fiction books? For instance Terminator, Matrix, etc. The overall idea of these stories is that computer systems finally become the governors of human beings, and human beings live under their control. Can the nightmare come true?

Computer technology has grown rapidly since the year 2000. I still remember that our team was concerned the millennium bug would interfere with computer clocks that day. But we woke up the next morning feeling that technology had entered a new century.

This topic caught my attention, and the information pulled me toward science rather than IT. I first heard the term digital DNA from HB Gary. Yes, the former malware hunter. Their services provide advanced detection and prevention solutions to the government sector and financial institutions. But the nature of digital DNA here looks different. This element (digital DNA) is equivalent to a component of a human being. As we know, human life originated through chemical evolution. Two important points about biological evolution are shown below:

  1. Living things descended from a common ancestor and thus have common chemistry.
  2. Living things adapt to their environment.

Without DNA, it would be impossible to pass on adaptations, and evolution would be virtually non-existent.

Genesis element – DNA or digital DNA

Genesis element – Quantum

Quantum theory has spread into the major IT domains: network communications, encryption and quantum computing. The major component of quantum computing is the quantum bit. One of the great challenges for scientists seeking to harness the power of quantum computing is controlling or removing quantum decoherence – the creation of errors in calculations caused by interference from factors such as heat, electromagnetic radiation, and material defects.

Read more at: http://phys.org/news/2015-04-scientists-critical-quantum.html#jCp

Genesis element – Adaptation

Adaptation: a characteristic that helps an organism survive and reproduce in its environment. Organisms with such adaptations are more likely to survive and procreate. Without DNA, it would be impossible to pass on adaptations, and evolution would be virtually nonexistent.

Up to now, artificial intelligence has grown rapidly. The 3 major elements have been established. In fact it is not mature today. However, nobody knows how fast this area is developing, since some of the technologies are proprietary intellectual property. Simply put, …

who has the privilege to govern the earth all depends on intelligence.

Part 1: Blockchain technology situation – A Tale of Two Cities

Quote from A Tale of Two Cities

“It was the best of times, it was the worst of times, …” – Charles Dickens

From my point of view the novel is boring to read; however, a famous quote written by Charles Dickens correctly describes the current situation of blockchain technology.

It was the best of the times

Blockchain technology appeared in the world together with electronic currencies. Proprietary payment methods covered the financial world for a long time. As a consumer you do not want to pay high service fees for payment transfers, right? Blockchain technology (cryptocurrency) appeared like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

Traditional payment transfer needs central authorities to certify ownership and clear transactions (see the diagram below for reference).

Blockchain technology – decentralized data storage

In a blockchain network the data is stored on many computers (miners). Each computer is interconnected with the other computers (nodes) in the blockchain network. The information on all these computers is constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From a general point of view, it confers benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic benefits: For the time being, bitcoin does not have high economic benefits.

Business development opportunities: The blockchain concept lures entrepreneurs to bring up new business ideas. Their objective is to break the ice and make electronic payment more open.

It was the worst of times!

Hacking for ransom used to be impractical, since law enforcement teams could trace the fingerprints and find out the details. The bad guy was aware that he would be arrested during the money clearing process. Therefore they did not intend to ask for ransom until cryptocurrency (bitcoin) appeared. It looks like the features of bitcoin seriously lure hacking activities. For instance, they triggered the ransomware infections that scare the IT world. Law enforcement (FBI) did not have a solution in this regard!

Observation: Why do bitcoin's features attract hackers' interest?

The reality is that the visibility of Bitcoin exchange operations and policies is low. Yes, they make use of blockchain technology; however, their governance structure is not equal to that of a common financial institution. The incidents that have occurred so far show a lack of visibility! The historical incident records below (thefts from Bitcoin exchanges) might give you an idea.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong based Bitcoin exchange (Bitfinex) hacked: 119,756 bitcoins drained from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): loss of 1,500 bitcoins, valued at US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): loss of 150 bitcoins, valued at $43,000

Remark: The Hong Kong Monetary Authority requires Hong Kong financial institutions, including bitcoin exchange business vendors, to follow its guidelines. For more details, please refer to regulatory requirements such as HKMA (TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of trustworthiness – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding the above auction by the US government: do you think it is equivalent to the US government giving blockchain technology a vote of no confidence?

Cyber security viewpoint - Blockchain vs. SWIFT 

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In A Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

The SWIFT Bangladesh heist caused a sensation. It gave financial institutions a heads-up and brought their attention to end-user computing, whereupon a continuous information security program and policy were announced. But you might have a question: how does SWIFT manage to fight it all, that is, the unknown vulnerabilities in their systems?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From a technical point of view, it is a tamper-proof technology. Why was the bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hint at a weakness in the fundamental design (see below).

Referring to the above diagrams, a common pattern occurs in both the traditional payment and the blockchain solution. No matter how secure your payment method is, a single point of failure in a single element will break your tamper-proof design. For instance, if a vulnerability occurs at the OS level of the sender or receiver workstation, malware can compromise the whole solution, even though you are using an advanced crypto solution.

In the next topic we are going to investigate bitcoin malware. Coming soon!

Radar revolution – evolving from defence to attack

Electronic technology, especially radar systems, is far from common knowledge. Maybe you and I have had the chance to read a scientific magazine or the news and learn the idea. It is an advanced technology of a country's defence department. I still remember learning VHF and UHF technologies in school. The frequency ranges are shown below:

At that time I focused only on walkie-talkie technology and did not care about radar system structure!

It did not come to my attention until I heard that a military weapon, AN/TPY-2, is going to be installed in an APAC country. It looks like this news troubles China and neighbouring countries in particular.

Let’s have a quick look at radar design types, then discuss AN/TPY-2. The two basic radar types are pulse transmission and continuous wave. For the differences between the design types, please refer to the chart below.

How powerful is the AN/TPY-2 system?

Referring to the picture for this subject, a quick overview of X-band and S-band technologies might give you the idea that the wavelength (lambda, λ) affects how precisely the target is hit. The X-band wavelength is about 1/4 of the S-band wavelength. The tolerable error in hitting the target is significantly improved. The X-band radar system works with military satellites. It can easily destroy missiles on the land before they fire. The X-band frequency and narrow beam widths add the further advantage of targeting smaller objects.

Narrow beam widths benefits:

Question:

Knowing the above details, you might have a question to ask. It looks like a whole bunch of benefits, but what is the reason we need these facilities? Is it for defence or for other reasons?

The 2nd stricken region of cyber attack vector – embedded malicious code is applied everywhere and causes memory overflow

Headline news warns that malware embedded in a picture file has stirred up a hijacking storm in the Android world. Sounds horrible! No phishing technique is needed to lure the victim into clicking a URL in order to compromise an Android phone. No safe world! The vulnerability (CVE-2016-3862) was fixed immediately. The resolution is to force the IPC Router to check whether the port is a client port before binding it as a control port. Security gurus might point out that the critical vulnerabilities found this year are similar: the design omits a verification check. To quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, allowing anyone to send an SNMP packet (OSI layers 5 – 7) to the device is the fundamental design. But the design concept did not consider that someone would try to fool it. Is it a flaw? The SNMP protocol has contained technical weaknesses from the start! The SNMP design flaw is not part of our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claim that this is the 2nd stricken region of the cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code. When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

A NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large number of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attack consists of making the program jump to a specific address and continue running from there. By looking at the program and its output, the attacker can write the address of bar into the return address. The step is to overwrite the return address so that code execution jumps into the input given by the attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a stack-based attack.

i. Overwrite pointer – A pointer points to valid executable code, but the attacker corrupts the pointer so that a malicious function replaces the valid code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size, the data will run on toward higher addresses and overwrite previous data on the stack. The attacker could use this to execute arbitrary code with elevated privileges or cause a DoS condition.
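The bounds check that both the heap "overwrite pointer" case and the stack case above lack, as an added C example (not code from the original post). The `struct session` layout, the function names and the sample inputs are constructed for illustration; the unchecked copy is kept only as the "before" and is never called.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed heap object: a fixed-size buffer directly in front of a
 * code pointer, the layout the "overwrite pointer" case depends on. */
struct session {
    char name[NAME_LEN];
    int (*handler)(void);
};

int legit_handler(void) { return 42; }

/* BEFORE: no bounds check. Input of NAME_LEN bytes or more runs past
 * name[] into the bytes that follow it. Kept for comparison, never called. */
void set_name_unsafe(struct session *s, const char *input)
{
    strcpy(s->name, input);
}

/* AFTER: measure the input against the destination first and refuse
 * anything that does not fit, terminator included. */
int set_name_checked(struct session *s, const char *input)
{
    /* Look for the terminator within the first NAME_LEN bytes only. */
    const char *end = memchr(input, '\0', NAME_LEN);
    if (end == NULL)
        return -1;                      /* too long: nothing is written */
    memcpy(s->name, input, (size_t)(end - input) + 1);
    return 0;
}

/* Feeds one short and one oversized constructed input to the checked copy.
 * Returns the handler's result if the pointer and the stored name both
 * survived, -1 otherwise. */
int run_demo(void)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return -1;
    s->handler = legit_handler;

    int short_rc = set_name_checked(s, "alice");
    int long_rc  = set_name_checked(s, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");

    int intact = s->handler == legit_handler && strcmp(s->name, "alice") == 0;
    int result = (short_rc == 0 && long_rc == -1 && intact) ? s->handler() : -1;
    free(s);
    return result;
}

int main(void)
{
    printf("run_demo() = %d\n", run_demo());
    return 0;
}
```

Rejecting instead of truncating lets the caller log the oversized input, which is often the first sign of a probing attempt.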

Buffer overflow attacks may appear everywhere in the cyber world today. Any weakness in system and application design will attract the interest of hackers. IT gurus, don’t ignore this channel.

Virtual machine architecture enemy – LKM rootkit

Suppose someone asks you a question: what is the enemy of cloud computing architecture? Yes, we believe that many answers can be given. For instance Distributed Denial of Service, malware, viruses, misconfiguration, etc. But what do you think about the influence of rootkits? Micro-segmentation architecture assists cloud computing service providers in building their campus. From a general point of view, the OS platforms and applications that run on top of a virtual environment are easy to manage. All system and user activities are managed and monitored by the hypervisor. What if shell code with an unknown signature attacks a virtual machine? Is there any possibility of influencing the neighbor systems on the same premises? Let’s do a quick review and then jump to the discussion.

The fundamental of hypervisor

Bare-metal hypervisor

Provides partition isolation, reliability and higher security. Theoretically it has no host OS layer to attack. Products based on the bare-metal hypervisor design include Oracle VM Server for SPARC, Oracle VM Server for x86, the Citrix XenServer, Microsoft Hyper-V and VMware ESX/ESXi.

Hosted hypervisor

Low cost, no additional drivers, and ease of use and installation. Products based on the hosted hypervisor design include VMware Workstation, VMware Player, VirtualBox, Parallels Desktop for Mac and QEMU.

Arm-based hypervisor

System virtualization for ARM is useful for mobile devices and future ARM-based servers. Cell phones and the Internet of Things are the ARM-based hypervisor setups.

Types of Hypervisor – Informatic diagram:

In this section we focus on an outline of bare-metal hypervisor security. In the virtual machine world, Linux systems are everywhere. Even the hypervisor is built on a Linux-based or modified Linux system. Critical OS systems have been relocated to the Linux platform over the last 5 years. Besides, cell phones based on a Linux OS have become the main trend today. No matter whether it is Apple or Android, their core is the Linux system. We rely on SSH connectivity today; it has been adopted by the IT industry. A question might come to your mind: is it possible to re-engineer SSH into a cyber weapon? According to the historical cyber incident records, hackers started on this idea earlier, in 2015. We remember the XOR-DDoS attack criteria: hackers mixed the attack mechanisms into a cocktail and ran them in hybrid mode. Both SYN and DNS floods are generated by the Xor.DDoS malware. The attacker sends many SYN packets to the victim host from multiple sources, launched against port 22 (SSH). Yes, the hackers take advantage of the popularity of SSH because it is a harmonized standard across the IT world.

Famous rootkits against the Linux environment

Phalanx: This rootkit uses the /dev/mem/ interface to inject hostile code into kernel memory and hijack system calls. It was designed to compromise the Linux 2.6 branch. Phalanx is designed to harvest SSH keys and other credentials. The Phalanx attack was found in 2008 and recorded by CERT, but this attack technology is still valid today.

Phalanx characteristic:

Hooking lookup Tables, Code patching & Hooking CPU registers

Ebury SSH Rootkit: In February 2013, CERT-Bund started analyzing Ebury in depth and was able to identify thousands of systems around the world infected with the malware. Ebury is an SSH rootkit/backdoor trojan for Linux and Unix operating systems. The 1st attack phase replaces SSH-related binaries on a compromised host. The goal of the non-genuine SSH program, the so-called Ebury, is to steal SSH login credentials (username/password) from incoming and outgoing SSH connections. As for a privilege escalation feature, it is not included in Ebury. Compared with Phalanx, Ebury is easy to detect.

What if a hacker lodges a rootkit in the kernel? Is there any possibility of influencing the neighbor systems on the same premises?

The guest machine is compromised; however, the hacker might have difficulty drilling down to the low-level system area. For instance, a bare-metal hypervisor has a good level of isolation. Is there any possibility of mounting a ring-0 attack, that is, running malicious calls at the memory level?

Is there no way? But hackers will spend time harvesting on the memory side

When running a virtual system, it is allocated virtual memory of the host system that serves as physical memory for the guest system, and the same process of address translation also goes on within the guest system. This increases the cost of memory access since the address translation needs to be performed twice – once inside the guest system (using a software-emulated shadow page table), and once inside the host system (using the hardware page table). Hence a memory management technology, Second Level Address Translation (SLAT), was born; its duty is to improve the usage of memory resources in the virtual world.

About (Second Level Address Translation (SLAT)) inherent risk

SLAT schemes such as Intel’s Extended Page Tables (EPT) and AMD’s Nested Page Tables (NPT) as shown below diagram are used to manage the virtualized memory directly from the processor. Using a larger Translation Lookaside Buffer (TLB) with additional logic circuitry inside the processor, these schemes provide faster virtual machine memory management by eliminating the intermediary step between the virtual memory address (VA) and the physical memory address (PA).

Refer to above diagram, the TLB table has the option that indicates if the received data is from a virtual machine or the native machine. Also, if the data is generated by a virtual machine, then it is tagged with that specific VM’s Address Space Identifier (ASID). Using this tag, the TLB can keep track of entries from different virtual machines in the physical machine. This method provides a significant performance improvement in VM memory management but also introduces a security risk by giving direct memory access to the guest VMs.

Remark: The above details of the inherent risk (security risk of SLAT) are copied from the technical article Fine grain Cross-VM Attacks on Xen and VMware are possible! by Gorka Irazoqui Apecechea, Mehmet Sinan Inci, Thomas Eisenbarth, Berk Sunar, Worcester Polytechnic Institute, {girazoki,msinci,teisenbarth,sunar}@wpi.edu

We stop here! It was too long and boring. I am afraid that readers might lose interest, right? I will provide an update soon!


Is this a hoax? Or is it the National Security Agency?

I believe that the hot topic this week is surely the hacking tools available for download online. Rumour has it that those tools may have been developed by the NSA (National Security Agency). This news made anti-virus vendors nervous. As of today, their virus repositories contain those files and confirm that these so-called hacking tools are genuine hacking tools. The Korea-based anti-virus vendor AhnLab has also given a malware name to the malicious file. For more details, please refer to the chart below.

Status update on 18th Aug 2016 (today)

Kaspersky confirmed that the leaked hacking tools belong to an NSA-tied group. A former NSA employee told the Washington Post that those tools are genuine hacking tools from the NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks like the files available for download on the internet are outdated. The latest timestamp on those files is from 2013. The earliest creation date of some files is 2010. To be honest, we can’t ignore the possibility that these files were leaked by our hero, the whistleblower! The backdoor malicious programs found are executable files. I was surprised that the NSA did not use an inline hooking technique. As we know, the hackers are looking for payment to release the whole set of files. Maybe the files not open to the public contain inline hooking techniques. Hacking Team is known to sell surveillance malware known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (malware deployed by the law enforcement sector, supplied by Italy-based Hacking Team).

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

SSL or IPsec, where to go? A critical bug found by Cisco, whose effects might jeopardize the IT world.

Background Story:

The POODLE attack exploits an SSL 3.0 vulnerability found in late 2014; the vulnerability proved that a hacker can take advantage of it to execute a man-in-the-middle attack.

The original POODLE attack is CVE-2014-3566.
F5 Networks filed CVE-2014-8730, proving that the POODLE attack also applies to Transport Layer Security. Since the POODLE side effects looked widespread, the payment card industry authority raised an alert and announced that it gives merchants 14 months to fix this high-risk SSL problem. That means the appropriate way is to replace the SSL function (see the statement below).

SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Prior to this date, existing implementations that use SSL and/or early TLS must have a formal Risk Mitigation and Migration Plan in place.
Effective immediately, new implementations must not use SSL or early TLS.
POS POI terminals (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS may continue using these as a security control after 30th June, 2016.

About the subject matter: Cisco ASA software IKEv1 and IKEv2 buffer overflow vulnerability (CVE 2016-1287)

CVE 2016-1287 was published in February this year. The finding was that a hacker can use the IKEv1 and IKEv2 vulnerabilities to trigger a fragmentation heap buffer overflow. The traditional heap overflow is a form of buffer overflow. It happens when a chunk of memory is allocated on the heap and data is written to this memory without any bounds checking being done on the data. According to the information provided by Cisco, the vulnerability affects Cisco ASA Software running on the following products.

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance
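What "bounds checking" means when fragments are reassembled into a heap buffer, as an added C example (not Cisco's code and not part of the original post). The 4-byte fragment header, the 16-byte cap and the sample datagrams are constructed for illustration and are not the real IKE fragmentation payload layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FRAG_HDR_LEN    4   /* constructed header: length(2) seq(1) last(1) */
#define MAX_REASSEMBLED 16  /* deliberately small cap for the demo */

enum { FRAG_MORE = 0, FRAG_DONE = 1, FRAG_SHORT = -1,
       FRAG_BADLEN = -2, FRAG_BADSEQ = -3, FRAG_TOOBIG = -4 };

struct reasm {
    uint8_t *buf;       /* heap buffer of MAX_REASSEMBLED bytes */
    size_t   used;      /* bytes of payload stored so far */
    uint8_t  next_seq;  /* fragment number expected next */
};

int reasm_init(struct reasm *r)
{
    r->buf = malloc(MAX_REASSEMBLED);
    r->used = 0;
    r->next_seq = 1;
    return r->buf ? 0 : -1;
}

void reasm_free(struct reasm *r) { free(r->buf); r->buf = NULL; }

/* Validates one received datagram and appends its payload. Nothing is
 * written to the heap buffer unless every check has passed. */
int reasm_add(struct reasm *r, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < FRAG_HDR_LEN)
        return FRAG_SHORT;

    size_t declared = ((size_t)pkt[0] << 8) | pkt[1];
    /* A declared length below the header size would make the subtraction
     * further down wrap around; one above pkt_len would make the copy
     * read past the datagram that actually arrived. */
    if (declared < FRAG_HDR_LEN || declared > pkt_len)
        return FRAG_BADLEN;
    if (pkt[2] != r->next_seq)
        return FRAG_BADSEQ;

    size_t payload = declared - FRAG_HDR_LEN;
    /* Compare against the space left, written so it cannot overflow. */
    if (payload > MAX_REASSEMBLED - r->used)
        return FRAG_TOOBIG;

    memcpy(r->buf + r->used, pkt + FRAG_HDR_LEN, payload);
    r->used += payload;
    r->next_seq++;
    return pkt[3] ? FRAG_DONE : FRAG_MORE;
}

/* Constructed sample datagrams. */
const uint8_t FRAG1[] = {0x00, 0x08, 1, 0, 'I', 'K', 'E', '_'};
const uint8_t FRAG2[] = {0x00, 0x07, 2, 1, 'm', 's', 'g'};
const uint8_t UNDER[] = {0x00, 0x02, 1, 0, 'A', 'A'};   /* length < header */
const uint8_t OVER[]  = {0x01, 0x00, 1, 0, 'A'};        /* length > datagram */
const uint8_t BIG[]   = {0x00, 0x11, 2, 0, 'B', 'B', 'B', 'B', 'B', 'B', 'B',
                         'B', 'B', 'B', 'B', 'B', 'B'}; /* exceeds the cap */

int main(void)
{
    struct reasm r;
    if (reasm_init(&r) != 0)
        return 1;
    printf("under=%d over=%d\n", reasm_add(&r, UNDER, sizeof UNDER),
           reasm_add(&r, OVER, sizeof OVER));
    printf("frag1=%d\n", reasm_add(&r, FRAG1, sizeof FRAG1));
    printf("big=%d\n", reasm_add(&r, BIG, sizeof BIG));
    printf("frag2=%d used=%zu\n", reasm_add(&r, FRAG2, sizeof FRAG2), r.used);
    reasm_free(&r);
    return 0;
}
```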

But supplementary information posted by Cisco caught my attention. See below:

Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
Clientless SSL
AnyConnect SSL

My understanding is that you can avoid this vulnerability on Cisco products if you are using an SSL 3.0 solution. But how about the POODLE attacks? Besides, this buffer overflow in IKEv1 and IKEv2 does not look limited to the Cisco brand. Maybe it has not been proven or found at the moment. As far as we know, firewall appliance operating systems are normally built on Linux. The vendor hardens the OS and adds its proprietary applications on top. If an attacker can send crafted UDP packets to the affected Cisco products, is there any possibility of similar attacks against firewalls on similar OS platforms?

Expert analysis on weakness of design

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4–6 packets with 2–3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. If an attacker can send crafted UDP packets to the related firewall products, it looks like a similar vulnerability might occur. The side effects look serious. The following areas are vulnerable.


  • LAN-to-LAN IPsec VPN
  • Remote access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
  • IKEv2 AnyConnect

Expert solution:

(薑越老越辣) The older you get, the more experienced you are, as the Chinese saying goes. The potential damage of this vulnerability is that both entities (access control and VPN functions) sit in the same box. Defining a separation of functions might mitigate this risk, that is, relocating the VPN feature to another box. Do you still remember the father of the firewall (Checkpoint)? Their firewall design framework had access control and the policy server running in different boxes. The designers foresaw that a single point of failure could cause the compromise of the whole defence system. The cyber world atmosphere changed after Unified Threat Management appeared. As time goes by, maybe a new generation of firewall is coming soon. Hardware is cheap today. A multi-layer function setup is the fashion for coping with advanced cyber threats.


Cisco technical article in regards to CVE 2016-1278

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

PCI – standard : SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Please refer to attached document (PCI requirement 2.3 on page 5).

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf

 

Wide Angle Lens For DNC Hack (Part 1)

The headline news this week focuses on the scandal around the 2016 US presidential election. We just heard about the email leakage of Mrs. Hillary Clinton. An election in the political world is a war rather than a competition. This article focuses on unexplored information in the DNC hack incident.

Findings by Invincea

The technical report provides the analysis that the DNC hack incident was caused by a Trojan. Hackers modified an end-of-life software product, injecting Trojan and malware functions into the software. The software was developed by the China application vendor (Xten); it aimed to enhance voice stability in a firewall environment. In this way the software suffered an unredressed injustice. According to the report, the hackers relied on a Remote Access Trojan (RAT) technique to lodge in workstations belonging to Mrs. Hillary Clinton. The fingerprint shows that the hacking group might belong to APT 28. According to the virus incident track records, the source IP address of this Trojan (malware) came from 85.117.47.0/24.

How did it infect?

The infection method was unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Wide Angle Lens – invaded DNC

1st version of the Trojan (born before 2010):

Check the virus database repository. The anti-virus vendor Symantec found this virus in 2010. Its naming convention is “Generic Trojan”. However, this Trojan (malware) gave Symantec a headache for more than 2 years. The problem was that the antivirus program quarantines the executable file of the Generic Trojan. The sterilization step renames the original file name DWHwizrd.exe to DWHxxx.tmp. However, Symantec customers found that a virus alert message popped up after the Trojan was quarantined. Symantec technical support provided many solutions to clients, but unfortunately the problem persisted. Customers reported that the virus alert was displayed on screen even after deleting all the temp files. I heard that the problem was fixed in mid-2012.

Why do hackers reuse this Trojan (malware)?

The China software house (Xten) created a family of SIP products based on their XTunnel protocol, running on top of Windows. The benefit is that when the software establishes a voice IP tunnel, it might mislead the technical staff and security administrator. They think she is using a soft-phone! As usual the traffic is encrypted and therefore the firewall can’t monitor it. Or this is her personal computer, so nobody knows what is happening?

Hackers rely on the software's vulnerabilities to re-issue the next generation of the Trojan.

The Xten software is a Windows-based open source tool and it is at the end of its product life cycle. I believe that this is an easy way for a hacker to design a Trojan in a short time. Since the MD5 checksum is different for the new generation of the Trojan, antivirus vendors may not be aware of it until a user reports it. But personally, I suspect that the hackers might have known the weaknesses of the antivirus program installed on the target machine and custom-made the virus or trojan (malware). The Trojan file name Symantec found in 2010 is DWHwizard.exe. Invincea found the malicious file on the victim workstation with the naming convention vmupgradehelper.exe. It looks like anti-virus programs have been able to detect this Trojan since 11th July 2016 (when the Hillary email leak scandal became public).

Doubts:

1. Xtunnel establishes a site-to-site connection, and Mrs. Hillary Clinton worked with the US government at that time. It is confusing that the defense mechanisms of the US government did not raise an alert when the victim workstation connected to APT 28.

2. Even if Mrs. Hillary Clinton was not working in the office, do you think there was only one cyber defense program (antivirus) installed on such an important person's workstation?

Headline News status update on 31st Jul 2016

http://www.nytimes.com/2016/07/30/world/europe/dnc-hack-russia.html?_r=0

Expert findings – so called Russian Xtunnel

https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/

 

Tragedy – Android bugs: should we wait, or should we take pre-emptive action?

The hot topic this week is surely the technical bugs found in Android. Sounds horrible! There are two patches waiting for the vendor to release, but the patch release date is unknown. From the user's point of view, should we wait for the security patches or should we take pre-emptive action?

Technical bugs information background:

CVE-2016-2059 found in Qualcomm kernel module

Description: The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.
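Why a missing "is this a client port?" check can end in list corruption when the bind request is repeated, as an added user-space C model (not the Qualcomm kernel code and not part of the original post). Everything except the idea of checking for a client port is an assumption: the list helpers, struct layout and function names are hypothetical, and the locking and race aspects of the CVE are left out.

```c
#include <stddef.h>
#include <stdio.h>

enum port_type { CLIENT_PORT, SERVER_PORT, CONTROL_PORT };

struct node { struct node *prev, *next; };
struct port { struct node link; enum port_type type; };

void list_init(struct node *h) { h->prev = h->next = h; }

void list_add_tail(struct node *n, struct node *h)
{
    struct node *tail = h->prev;
    n->next = h;
    n->prev = tail;
    tail->next = n;
    h->prev = n;
}

/* Walks the list from the head. Returns the element count, or -1 if the
 * links are inconsistent or the walk does not come back to the head
 * within `limit` steps (a corrupted list). */
int list_check(const struct node *h, int limit)
{
    int n = 0;
    for (const struct node *p = h->next; p != h; p = p->next) {
        if (p->next->prev != p || ++n > limit)
            return -1;
    }
    return n;
}

/* BEFORE (model): the port's current state is never examined, so a second
 * request links a node that is already on the list. */
int bind_control_port_unchecked(struct node *control_ports, struct port *p)
{
    list_add_tail(&p->link, control_ports);
    p->type = CONTROL_PORT;
    return 0;
}

/* AFTER (model): only a client port may become a control port. The type
 * change makes every later request on the same port fail the check. */
int bind_control_port_checked(struct node *control_ports, struct port *p)
{
    if (p == NULL || p->type != CLIENT_PORT)
        return -1;
    list_add_tail(&p->link, control_ports);
    p->type = CONTROL_PORT;
    return 0;
}

/* Issues `calls` bind requests for one port and reports the state of the
 * control-port list afterwards (see list_check). */
int repeat_bind(int checked, enum port_type initial, int calls)
{
    struct node control_ports;
    struct port p = { { NULL, NULL }, initial };

    list_init(&control_ports);
    for (int i = 0; i < calls; i++) {
        if (checked)
            bind_control_port_checked(&control_ports, &p);
        else
            bind_control_port_unchecked(&control_ports, &p);
    }
    return list_check(&control_ports, 8);
}

int main(void)
{
    printf("unchecked, 5 calls: %d\n", repeat_bind(0, CLIENT_PORT, 5));
    printf("checked,   5 calls: %d\n", repeat_bind(1, CLIENT_PORT, 5));
    printf("checked, server port: %d\n", repeat_bind(1, SERVER_PORT, 5));
    return 0;
}
```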

CVE-2016-5340 presented in Qualcomm GPU driver

The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.

What’s your risk?

1. The bigger risk right now are the users using non official OS version. In the sense that the jailbreak version is risky now!

2. Visits unknown website through email phishing or open unknown attachment are at risk.

With regard to these bugs, how does an attacker compromise your phone?

To carry out this so-called high-risk cyber attack, the following requirements must be fulfilled.

i. Have root privileges on your Android phone.

ii. Rely on shared memory (ashmem).

Category of attack:

Category 1: How to receive root access permission through privilege escalation
It was found that the msm_ipc_router_bind_control_port() function does not check access privileges. An attacker can use the IPC Router of the CAF Linux kernel for MSM in order to escalate his privileges.

Category 2: Relies on Shared memory (ashmem) design limitation

Android is designed for resource-limited embedded hardware. In order to maximize memory resources, a system entity called ashmem (anonymous shared memory), located at $AOSP/system/core, takes care of memory resource utilization. The operation of ashmem is as simple as handling a generic Linux file descriptor and . A file entry is created in /dev/ashmem/. From a technical point of view, it looks like a memory swap file for each process. However, ashmem allows processes which are not related by ancestry to share memory maps by name, which are cleaned up automatically.

Should we wait or should we take pre-emptive action?

Since CVE-2016-2059 and CVE-2016-5340 are design limitations, it looks like the appropriate way is to re-engineer the whole OS memory function. I speculate that this may be the reason the patch release date is unknown. As such, in the meantime Android users should take pre-emptive action (see below).

1. Do not jailbreak your Android phone. If you already have, the better idea is to install the official OS version.

2. Verify your phone applications. Be aware that communication software such as WeChat, WhatsApp, Skype, etc. should be updated to the latest version.

3. Avoid visiting online game zones and pornography websites.

4. Think it over before you open an unknown email message.

5. Think it over before you open an unknown file attachment.

For more details about these vulnerabilities, please review the URL below for reference.

https://source.android.com/security/bulletin/2016-08-01.html

Status update on 11th Aug 2016

It sounds strange! I found that the remediation and mitigation solution was released by CodeAurora in Jul 2016. For instance, CVE-2016-5340 (invalid access to the ashmem area in cases where someone deliberately set the dentry name to /ashmem):

Objective:
Validate ashmem memory with fops pointer

Solution:
Validate the ashmem memory entry against f_op pointer
rather than comparing its name with path of the dentry.

This is to avoid any invalid access to ashmem area in cases
where someone deliberately set the dentry name to /ashmem.

Comments:

It looks like the solution is available. In the meantime, mobile phone users need to wait for the next action from their mobile phone vendor.
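The difference between the two checks named in the CodeAurora fix, shown as an added user-space model (not the kernel patch itself and not code from this page): the structs are simplified stand-ins for the kernel's `struct file` and `struct file_operations`, and the `_by_name` / `_by_fops` function names and the sample files are assumptions made for illustration.

```c
/* User-space model only: simplified stand-ins for kernel structures,
 * used to compare name-based and f_op-based validation. */
#include <stdio.h>
#include <string.h>

struct file_operations { const char *driver; };

struct file {
    const char *dentry_name;              /* chosen by whoever created the file */
    const struct file_operations *f_op;   /* installed by the driver behind it  */
};

/* Operations tables: only the ashmem driver hands out &ashmem_fops. */
static const struct file_operations ashmem_fops = { "ashmem" };
static const struct file_operations other_fops  = { "other driver (hypothetical)" };

/* Before the fix: identity is inferred from the dentry name alone. */
static int is_ashmem_file_by_name(const struct file *file)
{
    return file && file->dentry_name &&
           strcmp(file->dentry_name, "/ashmem") == 0;
}

/* After the fix: identity is the f_op pointer, which a name cannot forge. */
static int is_ashmem_file_by_fops(const struct file *file)
{
    return file && file->f_op == &ashmem_fops;
}

/* Constructed samples: a genuine ashmem region and a look-alike backed by
 * another driver whose dentry name was deliberately set to "/ashmem". */
static const struct file genuine   = { "/ashmem", &ashmem_fops };
static const struct file lookalike = { "/ashmem", &other_fops };

int main(void)
{
    printf("name check: genuine=%d lookalike=%d\n",
           is_ashmem_file_by_name(&genuine), is_ashmem_file_by_name(&lookalike));
    printf("f_op check: genuine=%d lookalike=%d\n",
           is_ashmem_file_by_fops(&genuine), is_ashmem_file_by_fops(&lookalike));
    return 0;
}
```

The name check accepts both files, while the pointer check accepts only the one the ashmem driver actually backs.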

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important SIEM is today.

The mystery surrounding the breach of an NSA-like spying tool set has alerted security vendors. The world has changed, and governments are no exception! Everyone's focus on this headline news might be the flaws of firewall vendors, right? Not sure whether you have had a chance to read the mysterious NSA-like spying tool documents? The critical guideline for the spy is how to avoid people tracing them. To be honest, this is an unprecedented example in which a government teaches hacking technique. The details below are an example for your reference (for more details about these documents, please use your own way to download).

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target firewall vendors

According to the document (sampleman_commands.txt), the target firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand why those brand names are included in the list. Yes, it is because of market share. They are the tycoon brand names. Besides, their design architectures sometimes have similarities. Per my observation, they make use of the instruction pipeline technique. The instructions in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree that firewall system design or flaws are the responsibility of firewall vendors, since a hardware vendor is not aware that it is vulnerable until the scandal is open to the world. From the consumer's point of view, is there any preventive control to alert customers?

How important is SIEM today?

A hint written in the document shows that they are concerned about targets tracing their IP locations. The critical point is that both the syslog and SNMP servers must be compromised. Otherwise they need to find another alternative. The story tells how important SIEM is today!

SIEM solutions boost cyber safety in today's world
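A defender's counterpart to the warning quoted above, as an added example (not from the leaked documents or from any vendor): a C check that a firewall configuration still contains an `info-center loghost` line and that every such line points at an approved collector. The config fragments, addresses and function names are constructed for illustration.

```c
/* Added example: audit a device config for remote syslog (loghost) drift. */
#include <stdio.h>
#include <string.h>

enum loghost_status { LOGHOST_OK, LOGHOST_MISSING, LOGHOST_UNAPPROVED };

/* Walk the config line by line; every "info-center loghost <addr>" must name
 * an approved collector, and at least one such line must exist. */
static enum loghost_status audit_loghost(const char *config,
                                         const char *const approved[], size_t n)
{
    static const char key[] = "info-center loghost ";
    const size_t klen = sizeof key - 1;
    enum loghost_status status = LOGHOST_MISSING;

    for (const char *line = config; line && *line; ) {
        const char *next = strchr(line, '\n');
        line += strspn(line, " \t");                  /* skip indentation */
        if (strncmp(line, key, klen) == 0) {
            const char *addr = line + klen;
            size_t alen = strcspn(addr, " \t\r\n");   /* address token only */
            int hit = 0;
            for (size_t i = 0; i < n; i++)
                if (strlen(approved[i]) == alen &&
                    strncmp(addr, approved[i], alen) == 0)
                    hit = 1;
            if (!hit)
                return LOGHOST_UNAPPROVED;            /* logs sent elsewhere */
            status = LOGHOST_OK;
        }
        line = next ? next + 1 : NULL;
    }
    return status;
}

/* Constructed config fragments and collector address (documentation ranges). */
static const char CFG_GOOD[]    = "sysname fw-01\ninfo-center loghost 192.0.2.10\n";
static const char CFG_MISSING[] = "sysname fw-02\n";
static const char CFG_ROGUE[]   = "info-center loghost 192.0.2.10\n"
                                  "info-center loghost 203.0.113.77\n";
static const char *const APPROVED[] = { "192.0.2.10" };

int main(void)
{
    printf("good=%d missing=%d rogue=%d\n",
           audit_loghost(CFG_GOOD, APPROVED, 1),
           audit_loghost(CFG_MISSING, APPROVED, 1),
           audit_loghost(CFG_ROGUE, APPROVED, 1));
    return 0;
}
```

Run against scheduled config backups, a `LOGHOST_MISSING` or `LOGHOST_UNAPPROVED` result is the kind of condition a rule-based SIEM alert should raise.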

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

To select a suitable SIEM product, please refer to the report below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D