Edward Snowden Heads up! Stranger, what do you want?

Enterprise firms carry out data classification to protect important corporate data. Under the code of practice, confidential data carrying a high-sensitivity label requires encryption. The whistleblower Edward Snowden alerted people around the world in 2013. But you might still be asking what sort of personal data we need to protect. End-user computing seems to be mostly ignored by users. The traditional idea is that we enforce preventive controls at the server end. As time went by, the mobile phone twisted the IT world: an IT renaissance, literally a rebirth. Computer usage is no longer limited by location or time zone. We can make a remittance or payment on a mobile phone. You back up or synchronize mobile data when you get home. And of course you can upload everything to the cloud.

Regarding the global surveillance program of the US government

It looks as though the surveillance program is a never-ending story! Why? From the official perspective, a domestic surveillance program can effectively monitor terrorist attacks and criminal activities. The NSA web page slogan carries the following statement.

“Defending our nation. Securing the citizens.”

We have no objection to the collection of internet data and mobile phone voice and data exchange as a weapon to fight against crime. To be honest, we don’t have rights! But the question raised is how the usage of this data is identified. We are not the perpetrators, so logically we might not be afraid of this control?

Highlights of the NSA data collection methodology:

  • Real-Time Yahoo Email Scanning
  • Domestic Intercept Stations
  • Bulk Collection of U.S. Citizens’ Phone Records
  • The PRISM Program: Source of Raw Intelligence
  • Google Cloud Exploitation
  • Cellphone Tracking
  • Spying Toolbox: Servers, routers, firewall devices, computers, USB, keyboard, wireless LAN, cell phone network & mobile phone
  • FBI Aviation Surveillance Operations (FBI Hawk Owl Project)
  • XKeyscore: Our Real-Time Internet Monitoring Capability

The details above are not confidential data; you can easily find this information. Please visit the NSA front page. For more details, see below:

https://nsa.gov1.info/surveillance/

With this high-visibility statement, the US Government lets citizens know they are under surveillance. One openly known NSA method is the use of a tool called “XKEYSCORE”. When a US speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/english” fingerprint (denoting language settings). When a browser visits a site that uses Yield Manager, a cookie will be set. This cookie is used to identify whether the browser has loaded an advert, and when and where it loaded it (which detects Yahoo browser cookies). Yield Manager also collects information such as:

– the date and time of your visit to the website.

– IP address.

– the type of browser you are using.

– the web page address you are visiting.

The list of XKEYSCORE appIDs and fingerprints includes several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

XKEYSCORE features highlight:

  1. Tracking Bridge Users
  2. Tracking Tor Directory Authorities
  3. Tracking Torproject.org Visits

The part of the XKEYSCORE source code below gives an idea of how XKEYSCORE focuses on Tor routers.

As traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern.

But how about the hackers? Hackers are also interested in the same data as the NSA. I believe the details in the checklist below attract hackers' interest.

Loopholes created in internet application code make this cyber game a never-ending story.

Example:

  • Email accounts or passwords using session cookies
  • A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content
  • When a cookie doesn’t have the Secure flag set, it can be sent over insecure HTTP (provided that HSTS is not used; HSTS is described in the next section). When this is the case, an attacker controlling the communication channel between a browser and a server can read this cookie. If the cookie stores a session ID, then disclosure of this cookie over insecure HTTP leads to user impersonation.
  • When a cookie doesn’t have the HttpOnly flag set, JavaScript can read the value of this cookie. That’s why an XSS attack leads to user impersonation if there is no HttpOnly flag set for a cookie with a session ID. When a cookie has the HttpOnly flag set, the attacker can’t read the value of the cookie in an XSS attack. The problem is that access permissions are not clearly specified in RFC 6265. It turns out that a cookie with the HttpOnly flag can be overwritten in Safari 8.

Short term conclusion:

No way because we are living on earth!

Reflections on a memory resource management technique – Malware might say that its day is coming.

A few days ago, a potential vulnerability was found in the Linux world. A memory resource management technique called COW (copy-on-write) is troubling the IT world. The problem was that an unprivileged local user could use this bug to gain write access to otherwise read-only memory mappings, and thus escalate privileges.

What is Copy-on-write memory structure?

Copy-on-write finds its main use in sharing the virtual memory of operating system processes.

Does it apply to every computer operating system?

Typically, the operating systems whose structure involves the fork system call are Unix and Linux – the fork() system call.

Remark: In Linux, the key data structure is the struct task_struct. This contains pid (the thread ID), tgid (the process ID), and pointers to the parent process’s task_struct.

What is the fork() system call?

System call fork() is used to create processes. It takes no arguments and returns a process ID. The purpose of fork() is to create a new process, which becomes the child process of the caller. After a new child process is created, both processes will execute the next instruction following the fork() system call.
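What copy-on-write promises for a private file mapping across fork(), as an added example that is not part of the original post (the file content and the function name are constructed for illustration). The third value it returns, the unchanged file on disk, is the property the bug described here broke.

```python
import mmap
import os
import tempfile

# Constructed sample content; "read-only" is 9 bytes, same as the child's write.
ORIGINAL = b"read-only data shared by every process\n"


def cow_demo():
    """Return (child_view, parent_view, on_disk) after the child writes."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, ORIGINAL)
        os.close(fd)
        os.chmod(path, 0o444)  # the file itself is read-only
        with open(path, "rb") as f:
            # ACCESS_COPY requests a private (MAP_PRIVATE) mapping: pages are
            # shared with the file until written, then copied for the writer.
            mapping = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_COPY)
        read_end, write_end = os.pipe()
        pid = os.fork()  # returns 0 in the child, the child's PID in the parent
        if pid == 0:
            try:
                os.close(read_end)
                mapping[:9] = b"MODIFIED!"  # triggers the copy, child only
                os.write(write_end, mapping[:])
            finally:
                os._exit(0)  # never fall through into the parent's code path
        os.close(write_end)
        child_view = b""
        while chunk := os.read(read_end, 4096):
            child_view += chunk
        os.close(read_end)
        os.waitpid(pid, 0)
        parent_view = mapping[:]  # parent still sees the original bytes
        mapping.close()
        with open(path, "rb") as f:
            on_disk = f.read()    # and the file was never written
        return child_view, parent_view, on_disk
    finally:
        os.unlink(path)


if __name__ == "__main__":
    child, parent, disk = cow_demo()
    print("child sees :", child)
    print("parent sees:", parent)
    print("file holds :", disk)
```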

Major flaw of implicit sharing or shadowing (Copy-on-write)

The key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. But get_user_pages() does not check the pte_dirty() bit properly.

Vulnerability found by Linus Torvalds. For more detail, please refer to the URL below.

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619

How about cloud computing architecture? Is it impacted by a similar flaw?

Since the flaw was found on Unix- or Linux-based machines, a Linux-based hypervisor carries an inherent risk until it is patched. This flaw may attract attackers' interest, especially in cloud computing server farms. From a technical point of view, the key to implementing direct I/O in the 2.6 kernel is a function called get_user_pages. It takes a pointer to the task performing the I/O, whose main purpose is to tell the kernel who should be charged for any page faults incurred while setting up the buffer. However, get_user_pages() does not check the pte_dirty() bit properly. What if an unprivileged local user is infected by malware? The attacker relies on this bug to gain write access to otherwise read-only memory mappings, and thus escalates privileges. Even if you install an advanced defense mechanism, it is hard to detect this type of suspicious activity.

Suggestion

Since this bug carries unpredictable potential risk, it is better to patch your Unix or Linux systems immediately.

We can foresee the impact of this bug troubling the IT world, since web servers, load balancers, security devices and even malware detectors run a Linux OS. It looks like a tsunami.

Information Supplement on 25th Oct 2016

The XNU kernel is used widely on many Apple devices, ranging from the iMac, to the iPhone. List of system calls from iOS 6.0 GM – see below:

Entry point is 0x80085084....This appears to be XNU 2107.2.33
Syscall names are @2a70f0
Sysent offset in file/memory (for patching purposes): 0x2ef0c0/0x802f00c0

Suppressing enosys (0x800b3429)  T = Thumb
1. exit                  801d4a74 T
2. fork                  801d7980 T
3. read                  801eb584 T
4. write                 801eb958 T
5. open                  800b13a4 T
6. close                 801ccab4 T
7. wait4                 801d56bc T
9. link                  800b18e8 T

The purpose of fork() is to create a new process, which becomes the child process of the caller. After a new child process is created, both processes will execute the next instruction following the fork() system call. Therefore, we have to distinguish the parent from the child. The XNU kernel is derived from BSD Unix. It is believed that iOS might have a similar vulnerability that has not been discovered yet!

Status update 10th Nov 2016 – For dirtyCow yara rule

rule DirtyCow_Unix_Linux_only {

strings:
   $a1 = { 48 89 D6 41 B9 00 00 00 00 41 89 C0 B9 02 00 00 00 BA 01 00 00 00 BF 00 00 00 00 }

   $b1 = { E8 ?? FC FF FF 48 8B 45 E8 BE 00 00 00 00 48 89 C7 E8 ?? FC FF FF 48 8B 45 F0 BE 00 00 00 00 48 89 }
   $b2 = { E8 ?? FC FF FF B8 00 00 00 00 }

   $source1 = "madvise(map,100,MADV_DONTNEED);"
   $source2 = "=open(\"/proc/self/mem\",O_RDWR);"

   $source3 = ",map,SEEK_SET);"

   $source_printf1 = "mmap %x"
   $source_printf2 = "procselfmem %d"
   $source_printf3 = "madvise %d"
   $source_printf4 = "[-] failed to patch payload"
   $source_printf5 = "[-] failed to win race condition..."
   $source_printf6 = "[*] waiting for reverse connect shell..."

   $s1 = "/proc/self/mem"
   $s2 = "/proc/%d/mem"
   $s3 = "/proc/self/map"
   $s4 = "/proc/%d/map"

   $p1 = "pthread_create" fullword ascii
   $p2 = "pthread_join" fullword ascii
condition:
   ( uint16(0) == 0x457f and $a1 ) or
   all of ($b*) or
   3 of ($source*) or
   ( uint16(0) == 0x457f and 1 of ($s*) and all of ($p*) and filesize < 20KB )

}

Black Friday malware vs Lucky 13 – Keep away from anything labeled thirteen

We are living on earth. Our human ancestors went through different generations of reform, and the result is the modern civilization of today. The foundation of civilization is built from different elements and objects. One major element is logic, which structures cause and effect, and this definition covers the factors behind a successful result. However, some things that happen on earth look mysterious. To quote an example, Friday the 13th is considered an unlucky day in Western superstition. From a scientific viewpoint, such a superstition makes no sense and has no supporting evidence. Yet when you go to a cosmopolitan city like Chicago or New York, you can't find a 13th floor in the elevator. Even without scientific support, the number 13 and Black Friday have a psychological impact on us. We will continue this discussion, but our focus will move to cyber security. At this point you might ask: why spend time in the preface on the topic of superstition?

Do you remember Jerusalem virus?

A virus first detected in Jerusalem on 13th October 1987 (Black Friday). This virus hooks itself into MS-DOS services and is capable of running malware functions. But internet communication services were not available in the 80’s. How does it work? The virus program contains one destructive payload that is set to go off on Black Friday (Friday the 13th). This was the first time IT gurus learned of a cyber attack scheduled for Friday the 13th Jan 2016. The source code highlight below is for reference:

mov ah,02Ah             ; Get system date (DOS int 21h, function 2Ah)
int 021h
mov byte cs:[zap],00H   ; Clear ZapFlag
cmp cx,07C3h            ; CX->Year, 7C3h=1987
jz done                 ; Do nothing if 1987
cmp al,05h              ; AL->Day of week, 05h=Friday
jnz otherpload          ; No zap if not Fri
cmp dl,0Dh              ; DL->Date, 0Dh=13
jnz otherpload          ; No zap if not 13th
inc byte cs:[zap]       ; Else turn on ZapFlag
jmp done
nop

Attack concept and idea – take advantage of a design limitation of the computer instruction set. For more details, see below:

  1. If the interrupt flag (IF) is set (=1) then external hardware can initiate an interrupt via the INTR input of the microprocessor.
  2. If the IF flag is clear (=0) then the external device cannot initiate an interrupt.

The Jerusalem code hooks itself into interrupt processing and other low-level DOS services. This type of infection technique looks similar to the privilege escalation methods run by malware today!

Keep away from anything labeled thirteen

Unfortunately, a cyber incident occurred in 2013, and by coincidence the magic number thirteen was involved in its naming. It is a crypto TLS vulnerability. Before we discuss what Lucky 13 is, let’s do a quick review of the TLS & SSL/TLS protocol architecture in the infographic below.

Overview of TLS & SSL/TLS protocol architecture

As we know, there have been a total of 4 types of SSL attack recently.

  • Beast attack
  • Crime attack
  • Lucky 13 attack
  • RC4 attack

To be honest, Lucky 13 does not live up to the meaning of its name. It was originally a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol.

What is a timing attack? (see below)

The attack allows a man-in-the-middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode (cipher-block chaining) encryption is used. It is a man-in-the-middle timing attack against TLS that exploits the interaction between how the protocol implements AES in CBC mode for encryption and HMAC-SHA1 for authentication.

CVE-2013-0169 – The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets.

Expect more security bugs in future: it is a fundamental design limitation called MAC-then-encrypt

There were attempts to apply the encryption algorithm to TCP/IP, but the model does not match TCP/IP well. Some things don’t fit in the layers, and SSL/TLS is one of them.

(D)TLS encryption process (see below):

  • SSL/TLS uses an underlying transport medium that provides a bidirectional stream of bytes. That would put it somewhere above layer 4.
  • SSL/TLS organizes data as records, that may contain, in particular, handshake messages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6 or 7.
  • However, what SSL/TLS conveys is “application data”, which is, in fact, a bidirectional stream of bytes. Applications that use SSL/TLS really use it as a transport protocol. They then use their own data representation and messages and semantics within that “application data”. Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.

The Lucky 13 attack triggered a series of TLS technical concerns. Yet another padding oracle vulnerability was found in May 2016 (see below).

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
======================================================

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in
constant time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 13th of April 2016 by Juraj
Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx
of the OpenSSL development team.
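The length check the advisory says went missing, shown on the MAC-then-encrypt record layout (data, then MAC, then padding), as an added example that is not OpenSSL's code. The key, header and records are constructed, the MAC input is simplified to header plus data, and Python gives no constant-time guarantee, so this shows the validation logic only.

```python
import hashlib
import hmac

MAC_LEN = hashlib.sha1().digest_size  # 20 bytes for HMAC-SHA1
BLOCK = 16                            # AES block size


def seal(key, header, data):
    """Build data || MAC || padding, the plaintext that CBC then encrypts."""
    mac = hmac.new(key, header + data, hashlib.sha1).digest()
    pad_len = (BLOCK - (len(data) + MAC_LEN + 1) % BLOCK) % BLOCK
    # TLS padding: pad_len bytes of value pad_len, then the length byte itself.
    return data + mac + bytes([pad_len]) * (pad_len + 1)


def open_record(key, header, plain):
    """Return the data, or None for every kind of malformed record."""
    if len(plain) < MAC_LEN + 1:
        return None
    pad_len = plain[-1]
    # The check CVE-2016-2107 lost: MAC and padding must both fit.
    fits = len(plain) >= MAC_LEN + pad_len + 1
    if not fits:
        pad_len = 0  # continue with a dummy length so the MAC is still computed
    bad_pad = 0
    for b in plain[len(plain) - 1 - pad_len:]:
        bad_pad |= b ^ pad_len  # every padding byte must equal pad_len
    data_end = len(plain) - 1 - pad_len - MAC_LEN
    data, mac = plain[:data_end], plain[data_end:data_end + MAC_LEN]
    expected = hmac.new(key, header + data, hashlib.sha1).digest()
    # One combined verdict: the caller cannot tell bad padding from bad MAC.
    ok = hmac.compare_digest(mac, expected) & (bad_pad == 0) & fits
    return data if ok else None


# Constructed sample values (not real TLS traffic).
KEY = b"k" * 20
HEADER = bytes(13)  # stands in for sequence number + record header
GOOD = seal(KEY, HEADER, b"GET / HTTP/1.1\r\n")
TAMPERED = bytes([GOOD[0] ^ 1]) + GOOD[1:]
BAD_PADDING = GOOD[:-2] + b"\x00" + GOOD[-1:]
OVERLONG_PAD = bytes([31]) * 32  # claims 31 + 1 + 20 bytes in a 32-byte record

if __name__ == "__main__":
    for name, rec in [("good", GOOD), ("tampered", TAMPERED),
                      ("bad padding", BAD_PADDING), ("overlong pad", OVERLONG_PAD)]:
        print(name, "->", open_record(KEY, HEADER, rec))
```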

Interim summary:

A good practice on web servers to mitigate the risk:

Control requirements on web server

  • Do not configure wildcard certificates
  • Certificate to be signed by trusted certificate authority (CA)
  • Ensure session cookies have “secure=true” flag set
  • Ensure HSTS header is set for domain and sub domain
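One way to check the last two controls above, together with the Secure and HttpOnly cookie flags discussed in the surveillance article earlier on this page, is to audit the headers a server returns. This is an added example, not code from the original post; the function name and both sample responses are constructed.

```python
def audit_response(raw_headers):
    """Return (subject, problem) findings for one response's headers."""
    findings, hsts = [], None
    for line in raw_headers.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue  # status line, not a header
        name = name.strip().lower()
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].partition("=")[0]
            attrs = {p.partition("=")[0].strip().lower() for p in parts[1:]}
            if "secure" not in attrs:
                findings.append((cookie, "no Secure flag: sent over plain HTTP"))
            if "httponly" not in attrs:
                findings.append((cookie, "no HttpOnly flag: readable by JavaScript"))
        elif name == "strict-transport-security":
            hsts = value
    if hsts is None:
        findings.append(("HSTS", "header not set"))
        return findings
    directives = {}
    for d in hsts.split(";"):
        key, _, val = d.strip().partition("=")
        directives[key.lower()] = val.strip('"')
    max_age = directives.get("max-age", "")
    if not max_age.isdigit() or int(max_age) == 0:
        findings.append(("HSTS", "max-age missing or zero, policy not in force"))
    if "includesubdomains" not in directives:
        findings.append(("HSTS", "sub domains not covered"))
    return findings


# Constructed sample responses.
WEAK = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/
Set-Cookie: lang=en; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000
"""
HARDENED = """HTTP/1.1 200 OK
Set-Cookie: SESSIONID=abc123; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=31536000; includeSubDomains
"""

if __name__ == "__main__":
    for subject, problem in audit_response(WEAK):
        print(f"{subject}: {problem}")
```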

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Stuxnet is a famous malware built to sabotage Iran’s nuclear program. From a technical point of view, malware has changed the shape of computers in the world, converting them into cyber weapons. Which team takes responsibility? For sure it is not you and me.

Stuxnet attack scenario:

We have heard that malware activity in South Korea has been serious recently. Headline news reported that the military defense of South Korea was hacked. According to the articles, the goal of the malware attack was a South Korean nuclear facility. We have no related information and are not going to predict who the attacker in this incident is. But malware focused on nuclear power facilities is not something that only occurs today. Stuxnet, Duqu, and Flame are categorized as hardcore-type malware. Hardcore-type malware usually achieves the following actions.

Do you think SCADA system is the culprit of attack on nuclear power system?

What is SCADA?

SCADA is an acronym for Supervisory Control And Data Acquisition, which is a computer system for gathering and analyzing real-time data.

Where is SCADA used?

SCADA systems are used to automate complex industrial processes where human control is impractical. SCADA systems help to control and monitor processes, so they are used in large applications such as monitoring and controlling a nuclear power plant.

SCADA application:

WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries.

Historical incident record:

June 2010 – Stuxnet relies on an MS zero-day to implant malware that is granted control and monitoring functions in the SCADA system.

Malware attack triggered by Microsoft zero-days (MS08-067, MS10-046 & MS10-061)

The malware relies on a vulnerability (CVE-2010-2772) and executes a privilege escalation on the database of the WinCC MSSQL server. As a result, the hacker is able to view information on the SCADA system.

Oct 2011 – Duqu executables share injection code with the Stuxnet worm. The Duqu design was based on the same source code as Stuxnet. The similar features are shown below:

  • Duqu uses XOR-based encryption for strings (key: 0xAE1979DD)
  • Decrypted DLLs are directly injected into system processes instead of dropped to disk.
  • Rootkit to hide its activities

May 2012 – Flame malware targeted cyber espionage in Middle Eastern countries.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

The number and geographical location of Flame infections detected by Kaspersky Lab on customer machines.

  • Iran = 189
  • Israel Palestine = 98
  • Sudan = 32
  • Syria = 30
  • Lebanon = 18
  • Saudi Arabia = 10
  • Egypt = 5

Apr 2016 – Virus:Win32/Ramnit.A: German nuclear plant infected with computer virus. As Reuters reports, viruses with names like “W32.Ramnit” and “Conficker” were found in a computer system that deals with data visualization.

The virus Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/HTM files, and opens a back door that compromises your computer.

  • File MD5: 0x5CC31D49CAFC508238259616583332A2
  • File SHA-1: 0xC775A22B4B150989F57AB129591F4DA328F52B7C

Aug 2016 – Virus:Win32/Ramnit.A (checksum changed)

  • File MD5: 0x25C1DE8838ADBC0DCFF61E6B44458CF4
  • File SHA-1: 0xDF6B04BA2103B2EB43B51EBDFB705A37BE5F28A9

1st Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Interim summary:

SCADA systems are used to automate complex industrial processes where human control is impractical. SCADA systems help to control and monitor processes, so they are used in large applications such as monitoring and controlling a nuclear power plant. WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries. Zero-day vulnerabilities are found each week, especially in Microsoft products. Do you think the SCADA system is the culprit of attacks on nuclear power systems?

Nuclear power development projects budget a huge amount of money and are covered by a disaster recovery plan. Do you think the current disaster recovery plan will cover a zero-day attack on a SCADA system? What do you think?