China IPv6 implementation road map. Will it be a burden on the current surveillance task?

A tough new cyber security law came into force in China in June 2017. The United States submitted a document to the WTO Services Council saying that if China’s new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad. An IPv6 road map was announced by the General Office of the State Council of the PRC on 26th Nov 2017. The road map drives the whole network, applications and computers to prioritize IPv6 connectivity. We know that RFC 4941 defines privacy extensions for IPv6 stateless address autoconfiguration. This standard defines a mechanism where a device generates a random interface identifier (the host part of the address) and uses it instead of an identifier derived from the device’s MAC address. As a result it is harder to track a device across networks. The surveillance program in China is different from other countries, since monitoring network behaviour, so-called surveillance, is government policy there. Let's see whether RFC 4941 will be a burden in the coming future.
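To make the RFC 4941 point concrete, here is an added example (my own illustration for this post, not code from the RFC or any vendor) in Python. It derives the modified EUI-64 interface identifier that plain SLAAC builds from a MAC address, generates a random 64-bit identifier the way privacy extensions do (simplified: the RFC derives the bits from an MD5 history value, here the OS random source is used directly), and shows the heuristic a network monitor can use to tell the two kinds of address apart. The MAC address, prefix and fixed byte source used for the demonstration are constructed values.

```python
import os
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface identifier that plain SLAAC (RFC 4291,
    Appendix A) builds from a 48-bit MAC: split the MAC, insert 0xFFFE in
    the middle and flip the U/L bit (bit 0x02 of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    first = octets[0] ^ 0x02
    iid = bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(iid, "big")

def random_interface_id(rng=os.urandom) -> int:
    """RFC 4941-style temporary identifier: 64 random bits with the U/L bit
    cleared to mark the identifier as locally generated. The RFC derives
    the bits from an MD5 history value; using the OS random source directly
    is a simplification for this example."""
    raw = bytearray(rng(8))
    raw[0] &= 0xFD  # clear bit 0x02 (U/L)
    return int.from_bytes(raw, "big")

def slaac_address(prefix: str, iid: int) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with a 64-bit interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def is_eui64_derived(addr: ipaddress.IPv6Address) -> bool:
    """Heuristic: an interface identifier carrying 0xFFFE in its 4th and 5th
    bytes with the U/L bit set is almost certainly built from a MAC, so the
    same host is recognisable on every network it joins."""
    iid = int(addr) & ((1 << 64) - 1)
    return (iid >> 24) & 0xFFFF == 0xFFFE and (iid >> 56) & 0x02 == 0x02

if __name__ == "__main__":
    mac = "00:1a:2b:3c:4d:5e"  # constructed sample MAC
    stable = slaac_address("2001:db8::/64", eui64_interface_id(mac))
    temp = slaac_address("2001:db8::/64", random_interface_id())
    print("EUI-64 address:", stable, "trackable:", is_eui64_derived(stable))
    print("RFC 4941 address:", temp, "trackable:", is_eui64_derived(temp))
```

Run on a packet capture or a router's neighbour table, the `is_eui64_derived` check tells you which hosts have privacy extensions switched off; RFC 4941 also rotates the temporary identifier over time, which this example does not model.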

What happens next?

NECURS BOTNET – Alert

I heard that Necurs botnet activity is growing rapidly. Its major goal is to deliver ransomware through email spam or email scams. An announcement broadcast by SANS on 1st Nov 2017 alerted that Necurs botnet malspam pushes Locky using a DDE attack. The Necurs bot relies on a malicious MS Word document to compromise your machine, for instance a Word document with embedded objects that call PowerShell. Apart from that they make use of DDE (Dynamic Data Exchange). The Necurs botnet has a remarkable history, since its design features let it bypass current detection mechanisms. Even though DNS protection is a popular defense mechanism today, it is not afraid. Its program design looks like assembly, which enhances its infection capability. Should you be interested in more details, the attached picture tells the story. For the latest status update, please refer to the URL below.

https://threatpost.com/necurs-based-dde-attacks-now-spreading-locky-ransomware/128554/
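As an added example (not part of the original alert or the SANS write-up), the following Python scans a .docx for DDE and DDEAUTO field codes, which is the detection side of the attack described above. A .docx is a zip of XML parts; field codes live either in w:instrText runs between fldChar begin/end markers (Word may store one code across several runs, so the pieces must be joined before matching) or in the w:instr attribute of w:fldSimple. The two documents are constructed in memory; the program path in the suspicious one is a placeholder.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
W = "{%s}" % W_NS
DDE_FIELD = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)

def field_codes(part_xml: bytes):
    """Yield every field code in one XML part. Complex fields are runs of
    <w:instrText> between <w:fldChar> begin/end markers, often split across
    several runs, so the pieces are joined; simple fields carry the code in
    the w:instr attribute of <w:fldSimple>."""
    root = ET.fromstring(part_xml)
    current = None
    for el in root.iter():
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                current = []
            elif kind == "end" and current is not None:
                yield "".join(current)
                current = None
        elif el.tag == W + "instrText" and current is not None:
            current.append(el.text or "")

def find_dde_fields(docx_bytes: bytes) -> list:
    """Return (part name, normalised field code) for each DDE/DDEAUTO field.
    Headers, footers and footnotes can carry fields too, so every XML part
    under word/ is scanned, not only document.xml."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.startswith("word/") and name.endswith(".xml"):
                for code in field_codes(zf.read(name)):
                    if DDE_FIELD.search(code):
                        hits.append((name, " ".join(code.split())))
    return hits

def make_docx(body_xml: str) -> bytes:
    """Build a minimal .docx in memory around a <w:body> fragment
    (constructed test input, not a real document)."""
    doc = ('<w:document xmlns:w="%s"><w:body>%s</w:body></w:document>'
           % (W_NS, body_xml))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()

# Constructed samples: a benign DATE field, and a DDEAUTO field stored across
# two instrText runs. The program path and arguments are placeholders.
BENIGN_DOCX = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DATE \\@ "d MMMM yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>1 November 2017</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')
SUSPECT_DOCX = make_docx(
    '<w:p><w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText>UTO placeholder.exe "placeholder args" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r></w:p>')

if __name__ == "__main__":
    print("benign :", find_dde_fields(BENIGN_DOCX))
    print("suspect:", find_dde_fields(SUSPECT_DOCX))
```

A mail gateway or sandbox can run `find_dde_fields` over every attachment; a hit is worth quarantining regardless of what the field would launch, since there is no legitimate reason for an emailed document to carry a DDE field.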

There are more Windows OS components that do not include the ASLR protection feature

Hearing that a vulnerability occurred in a Microsoft product may not trigger your interest. The easy way for an IT guy to mitigate the risk is to apply the patch. But CVE-2017-11882 is a heads-up to the world that more Windows OS components do not include the ASLR protection feature. Maybe you could say Microsoft products do not rely on ASLR since they have Data Execution Prevention (DEP). We know DEP is a system-level memory protection feature. However the practical example of CVE-2017-11882, which occurred in a Microsoft Office component (the Equation Editor), could compromise your machine. Hackers focus on digging out vulnerabilities in word-processing products since people rely on electronic documents daily. Microsoft released a patch to mitigate this risk (see below). But it is a reminder to the world that more MS components do not enable address randomization, and no address randomization is a benefit to hackers. Which industries rely on the MS Equation Editor function? Scientists and the high-tech industry, especially military and nuclear power facility management.

https://portal.msrc.microsoft.com/en-US/security-guidance
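Here is an added example (mine, not Microsoft's tooling) of the check an administrator can run over binaries to find components that do not opt in to ASLR: the DllCharacteristics word in the PE optional header carries the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits, and an image without DYNAMIC_BASE loads at its preferred base every time. The sample images are constructed header-only blobs with placeholder names, not real Windows files.

```python
import struct

DYNAMIC_BASE = 0x0040     # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE: ASLR opt-in
NX_COMPAT = 0x0100        # IMAGE_DLLCHARACTERISTICS_NX_COMPAT: DEP opt-in
HIGH_ENTROPY_VA = 0x0020  # IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA: 64-bit ASLR

def pe_mitigations(data: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report the mitigation bits.
    Offsets follow the PE/COFF layout: e_lfanew at 0x3C, "PE\\0\\0", a 20-byte
    COFF header, then the optional header whose DllCharacteristics word is
    at offset 70 for both PE32 (magic 0x10B) and PE32+ (magic 0x20B)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    dllchars = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
    }

def make_fake_pe(dllchars: int, pe32plus: bool = True) -> bytes:
    """Construct a minimal header-only PE image (not a runnable binary) with
    the given DllCharacteristics, for exercising the parser offline."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dllchars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

def audit(images: dict) -> list:
    """Names of images that lack ASLR or DEP opt-in, sorted."""
    weak = []
    for name, blob in images.items():
        m = pe_mitigations(blob)
        if not (m["aslr"] and m["dep"]):
            weak.append(name)
    return sorted(weak)

# Constructed sample set: the names are placeholders, not real Windows files.
SAMPLES = {
    "hardened.dll": make_fake_pe(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA),
    "dep_only.exe": make_fake_pe(NX_COMPAT),
    "legacy32.exe": make_fake_pe(0, pe32plus=False),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, pe_mitigations(blob))
    print("needs attention:", audit(SAMPLES))
```

On a real system you would feed `pe_mitigations` the bytes of each file under the Office or System32 directory; Windows can also force ASLR on images that did not opt in (mandatory ASLR in Exploit Protection), which is the mitigation to turn on for components the audit flags.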

Windows Junction Points look like a malware helper – AVGater

Tremendous news exposed that malware can rely on a Microsoft design limitation (Windows junction points) to get itself restored after quarantine. A related flaw was found in the products of the following antivirus vendors: Trend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Vendors have now released patches for the affected products.
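The mitigation side of the junction problem, as an added example that is not code from any of the vendors named: before writing a file back from quarantine, resolve the destination and refuse it if a link changes where the path leads or the resolved location leaves the directory the restore is allowed to touch. Python's os.path.realpath resolves junctions on Windows (3.8 and later) and symlinks elsewhere; the scenario below is built in a temporary directory with a symlink standing in for a junction, so it also runs on Linux. The user and file names are placeholders.

```python
import os
import tempfile

def safe_restore_target(original_path: str, allowed_root: str) -> str:
    """Resolve the destination of a quarantine restore before writing.
    Refuses when any link (symlink, or junction on Windows with Python
    3.8+) changes where the path leads, or when the resolved destination
    is outside allowed_root. Returns the resolved path to write to."""
    wanted = os.path.abspath(original_path)
    resolved = os.path.realpath(original_path)
    if resolved != wanted:
        raise PermissionError("link in restore path: %s -> %s" % (wanted, resolved))
    root = os.path.realpath(allowed_root)
    if os.path.commonpath([root, resolved]) != root:
        raise PermissionError("restore target %s escapes %s" % (resolved, root))
    return resolved

def restore_scenario() -> dict:
    """Constructed scenario: a per-user folder containing a link that points
    at a protected directory, and two restore attempts. Returns what the
    guard decided for each."""
    base = os.path.realpath(tempfile.mkdtemp())
    users_root = os.path.join(base, "users")
    user_dir = os.path.join(users_root, "alice")
    protected = os.path.join(base, "protected")
    os.makedirs(user_dir)
    os.makedirs(protected)
    # A symlink stands in for the junction a low-privileged user could plant.
    os.symlink(protected, os.path.join(user_dir, "downloads"))
    outcome = {}
    attempts = (("through_link", os.path.join(user_dir, "downloads", "sample.bin")),
                ("direct", os.path.join(user_dir, "sample.bin")))
    for label, path in attempts:
        try:
            target = safe_restore_target(path, users_root)
            outcome[label] = "write " + os.path.relpath(target, base)
        except PermissionError:
            outcome[label] = "refused"
    return outcome

if __name__ == "__main__":
    print(restore_scenario())
```

The second check (containment in an allowed root) matters on its own: an antivirus service runs with high privileges, so the restore step must not be able to write anywhere the requesting user could not write themselves.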

Do you still remember that the American government alleged that Kaspersky embedded a spy tool in its product? My personal opinion is that Kaspersky is the victim of this allegation. However, do you think this is part of the spy method? What is the name of this attack? Its name is AVGater. For more details, please refer to the URL below:

https://forum.kaspersky.com/index.php?/topic/382512-exploit-avgater/

Doubt? Let's see whether a similar problem will happen in future.

I heard that the Infineon chipset has a vulnerability. Security experts found the vulnerability in the new German national ID card, issued since 2010. However a technical article (ZDNet) reported last week that the chip crypto flaw also occurred in the Spanish ID card. Per the NIST announcement, this vulnerability was filed in the CVE database as CVE-2017-15361. A security vulnerability was found in the implementation of RSA key pair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and in chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012. Any doubts? For more details about this vulnerability, please see the URL below.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361
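For CVE-2017-15361 (ROCA) the researchers published a fingerprint that identifies affected keys from the modulus alone, and that is the check a defender wants to run over certificates and tokens. Added example (mine, not the researchers' tool): keys from the affected library have a modulus whose residue modulo each small prime p lies in the subgroup generated by 65537, so the test is a membership check over the odd primes up to 167. The positive test vector only copies that residue structure (factors of the form k·M + 65537^a mod M, with M the product of those primes) without enforcing primality, so it is a test vector rather than a key; the control modulus is the product of two well-known Mersenne primes and has nothing to do with the weak generator.

```python
from math import prod

E = 65537  # public exponent used by the affected key generator

def odd_primes_up_to(n: int) -> list:
    """Simple sieve; the published fingerprint uses the odd primes up to 167."""
    sieve = bytearray([1]) * (n + 1)
    sieve[0:2] = b"\x00\x00"
    for i in range(2, int(n ** 0.5) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [p for p in range(3, n + 1) if sieve[p]]

FINGERPRINT_PRIMES = odd_primes_up_to(167)
M = prod(FINGERPRINT_PRIMES)  # product of the small primes

def reachable_residues(p: int) -> frozenset:
    """The subgroup {65537^k mod p}: the only residues mod p that a modulus
    produced by the affected generator can take."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % p
    return frozenset(seen)

REACHABLE = {p: reachable_residues(p) for p in FINGERPRINT_PRIMES}

def has_roca_fingerprint(n: int) -> bool:
    """True when n mod p is a reachable residue for every small prime p.
    Affected keys always pass; an unrelated modulus fails with overwhelming
    probability because the subgroups are small for most p."""
    return all(n % p in REACHABLE[p] for p in FINGERPRINT_PRIMES)

def structured_modulus(a1: int, k1: int, a2: int, k2: int) -> int:
    """Constructed positive test vector: product of two integers of the form
    k*M + 65537^a mod M. Only the residue structure is copied; primality is
    not enforced, so this is not a usable key."""
    return (k1 * M + pow(E, a1, M)) * (k2 * M + pow(E, a2, M))

# Constructed control: two well-known Mersenne primes, nothing to do with
# the weak generator.
CONTROL_MODULUS = (2 ** 127 - 1) * (2 ** 61 - 1)

if __name__ == "__main__":
    print("structured:", has_roca_fingerprint(structured_modulus(12345, 678, 9012, 345)))
    print("control   :", has_roca_fingerprint(CONTROL_MODULUS))
```

In practice the modulus comes from the certificate or public key (any X.509 library exposes it as an integer); a positive fingerprint means the key should be replaced, since the same structure that makes it detectable is what makes it factorable.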

Reference: Hong Kong Government to Use Infineon’s Chip Card Technology in Smart Identification Card Project – announcement June 2002 (see below url for reference)

https://www.infineon.com/cms/en/about-infineon/press/market-news/2002/129155.html

To usher the wolf into the S3 Cloud

CNN interviewed a researcher on Friday (17th Nov 2017) about how the US Pentagon exposed huge amounts of web-monitoring data in a security failure involving Amazon S3 buckets. I was wondering whether similar data breaches happened beyond the Pentagon. As far as we know, a consulting firm had a data breach on an S3 bucket a few months ago. The scale of the Amazon cloud is huge, so how do bad guys, or people with an interest, find the details? It looks like the culprit is Amazon itself: a useful resource open to the public, the so-called ip-ranges.json, lets you locate the IP address ranges of Amazon S3. Since the IP addresses and service types are public, this increases the attack surface. Should you be interested in the CNN news, please refer to the URL below. Note that CNN did not provide the JSON file; maybe you can dig out the hints from my picture.

http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

Oct 2017 – Accenture latest company to leave critical data exposed on Amazon Web Services server (see below URL):

http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm

Updated on November 28, 2017 – Top Secret NSA and Army Data Leaked Online:

https://www.upguard.com/breaches/cloud-leak-inscom

1st Dec 2017 – Over 100GB of secret consumer credit data leaked online, reportedly from a misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.

https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/?es_p=5544850
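The breaches listed above share a root cause: a bucket policy or ACL that grants read access to everyone. As an added example (not AWS tooling, and not from any of the reports linked above), this Python reviews a bucket policy document for Allow statements that hand object-reading actions to an anonymous principal, and shows a weak policy beside a hardened one that restricts reads to a role and denies non-TLS access. The bucket name, the account ID and the role name are placeholders.

```python
import json

def _as_list(v):
    """IAM policy fields may be a single string or a list of strings."""
    return v if isinstance(v, list) else [v]

def _principal_is_public(principal) -> bool:
    """Anonymous access is spelled "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False

READ_ACTIONS = {"*", "s3:*", "s3:getobject", "s3:listbucket"}

def public_read_statements(policy: dict) -> list:
    """Return the Sids (or indexes) of Allow statements that grant an
    object-reading action to an anonymous principal with no Condition.
    Statements with a Condition are skipped here and should be reviewed by
    hand, since a condition may or may not actually restrict the caller."""
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if not _principal_is_public(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if actions & READ_ACTIONS:
            findings.append(st.get("Sid", "statement[%d]" % i))
    return findings

# Constructed sample policies. Bucket, account and role names are placeholders.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]
  }]
}""")

HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AppRoleRead",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"
  }, {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    "Condition": {"Bool": {"aws:SecureTransport": "false"}}
  }]
}""")

if __name__ == "__main__":
    print("weak    :", public_read_statements(WEAK_POLICY))
    print("hardened:", public_read_statements(HARDENED_POLICY))
```

Note that the hardened policy still has a `Principal: "*"` statement, but it is a Deny; the checker only flags Allow statements, which is the distinction a hand review easily gets wrong. A bucket ACL and the account-level public access block setting also decide who can read, so the policy check is one of three things to verify.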

Perspective of e-Wallet Vulnerability

Preface:

Java, NodeJS, Python, ObjC with Xcode and Go are the popular programming languages for developing e-wallet applications. It looks like some programmers favour Java since it is a common programming language.

New technology, but the targeting approach of hackers remains unchanged

Reporting of Cybersecurity Incidents – InfoSec Resources

Jul 2017 – A hacker stole ether equivalent to US$31 million. A design weakness was found in the multi-sig wallet: it allowed the initWallet() method in the shared wallet library to be called. As a result the contract was reinitialized by delegating to the library method, overwriting the owners of the original contract. The attacker became the owner.

* The Ethereum wallet is implemented in the C++ programming language

Nov 2017 – A Parity wallet vulnerability froze US$278 million of ether. The company had patched the bug encountered in July 2017. However the code still had bugs, and therefore the cryptocurrency in the wallets was frozen.

* Ethereum wallet is implemented in C++ programming language

Feb 2012 – A PIN vulnerability was exposed in Google Wallet security.

* Native Android applications use the Java programming language.

Observation: Even if your e-wallet uses facial recognition for authentication, the historical records show that the vulnerabilities discovered in the past were caused by programming mistakes.

Common Security Vulnerabilities in a Digital Wallet

  • The registration process does not perform fraud verification of the user’s information and card information.
  • The programming language used for development has design limitations (vulnerabilities).


How is an e-wallet different from a cryptocurrency wallet from a cyber security viewpoint?

Bitcoin is a cryptocurrency. You need a wallet to keep your bitcoins. But Bitcoin’s underlying technology is the blockchain, which cannot be counterfeited. If there is ever an issue with a transfer of funds, the Bitcoin protocol settles it through consensus.

The e-wallet currency is traditional currency. It uses the 256-bit Advanced Encryption Standard (AES) to encrypt the information in your wallet. If a hacker tried a brute force attack, relying on a computer to try possible random-number strings at top speed, it would take more than a billion years to exhaust all the possibilities.

Observation: It looks like both types of wallet contain hack-proof features. But is there any underlying reason that puts those wallets at risk?

Java, NodeJS, Python, ObjC with Xcode and Go are the main programming language trend today. Why do application developers like Java? Java is platform independent, meaning it does not depend on hardware and OS; the Java platform is compatible with all computers, even a mainframe. However the cyber security incidents of the past woke the IT world up to the fact that even if you are using a blockchain technology platform, the endpoint on the other side might suffer a cyber attack which causes a data breach or compromise of both machines. From a security point of view, the overall risk rating for e-business applications, whether cryptocurrency or traditional currency payment transfer systems, is equal.

The traditional way makes people consider endpoint security but ignore other risk factors!

About programming language

Python

Language: Python is a dynamically typed language. Java is better characterized as a low-level implementation language.

Use of variables: No need to declare variables. You can mix object-oriented and imperative programming, and you run the code directly.

Runtime speed: Slower than Java

Java

Language: Java is a statically typed language. Python is much better suited as a “glue” language.

Use of variables: Requires defining the type of each variable. It is object oriented in the sense that you cannot write any code without defining a class; you also invoke a compiler to compile the code before you can run it.

Runtime speed: Runs faster than Python

Node.js

Language: Node.js is not a programming language; the programming language is JavaScript. But Node.js is not a typical JavaScript framework either. A group of authors defined new frameworks specifically for Node.js, including Express.js, Restify.js and Hapi.js.

Use of variables: When you declare functions without using var (function <function_name>() {}), those function declarations are hoisted to the top of the local scope. If you declare your functions manually, you have to wait until they are declared before you can use them.

Runtime speed: Refer to the benchmark table

C++ vs. Python vs. PHP vs. Java vs. Others performance benchmark (2016 Q3)

GO

Language: Go is an open source programming language designed for building simple, fast, and reliable software. The initial Go compiler was written in C. The libraries were written by Google developers themselves. Now the compiler has been rewritten in Go, so it is fully self-hosting.

Variables: The type of a variable is inferred automatically by the compiler from the value assigned to it.

Runtime speed: Refer to the benchmark table below

ObjC with Xcode

Language: Xcode supports C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, Rez, and Swift source code with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.

Variables: It is important to note that ObjC does not support class variables, but developers can simulate them with static variables.

Runtime speed: Objective-C is slightly slower than straight C function calls because of the lookups involved in its dynamic nature.

Security Focus

Since there is no bug-proof software or hardware in the world, practical operation exposes design weaknesses (vulnerabilities). Referring to the informative diagram table below, Java and PHP look insecure because of their accumulated vulnerability records.

But why are the Java and PHP programming languages popular in the IT world, even though the Node.js framework makes use of the Java language? I believe it is the fate of the IT product market. Perhaps Java brings security worries to the world, but the Java language provides comprehensive functions. An e-wallet looks to have benefits running on Apple’s iPhone OS, since it is a proprietary environment. From a security perspective it is better than an open source OS since it looks like a black hole: when a vulnerability occurs, the vendor (Apple) conducts the remediation immediately. As mentioned, iOS is a proprietary environment, and in this way it avoids multiple vulnerabilities occurring simultaneously.

Example of multiple vulnerabilities: Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products (September 2017). On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. Those vulnerabilities affected a series of Cisco products, since those voice and media management products deploy Apache Struts 2.

E-Wallet on top of mobile device platform

Near Field Communication (NFC) payment wallets were designed under the GSMA program. In the past they relied on a SIM-based technique to support the payment service. But Android M broke the ice and developed an alternative for online payment electronic wallets. From a security point of view, the new Android system architecture provides a sandbox feature that enhances security (see below). If we believe that it is a trustworthy environment, then we move our security concerns to the e-wallet SDK.

Most likely the technology trend will split into two different ways. Retail shops will keep using near field communication to secure payment transactions, while for online payment transactions, Mastercard, PayPal and Alipay will lead the online payment solutions. As mentioned, the vulnerabilities found in online e-wallet SDKs more or less involve the programming language. For more details, please see below:

Instance 1: A cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter (CVE-2017-6099).

Instance 2: The Android source code file (internal/telephony/SMSDispatcher.java) does not properly construct warnings about premium SMS messages, which allows attackers to spoof the premium-payment confirmation dialog via a crafted application, aka internal bug 28557603 (CVE-2016-3883).

Reference: Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01

Instance 3: Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page (CVE-2017-5110).

Instance 4: A hacker stole ether equivalent to US$31 million. A design weakness was found in the multi-sig wallet: it allowed the initWallet() method in the shared wallet library to be called. As a result the contract was reinitialized by delegating to the library method, overwriting the owners of the original contract. The attacker became the owner.

* The Ethereum wallet is implemented in the C++ programming language

Referring to the above details, the argument confirms that the programming language is an important factor in e-wallet development, even for a cryptocurrency wallet. The overall level of security protection for an electronic payment system must include the programming language as a major factor.

End of discussion……!

Information Supplement (under observation)

Typically, a program consists of instructions that tell the computer what to do. Which types of data will be used while it is running is the responsibility of variables. In the Java programming language, the words field and variable refer to the same thing. Variables are devices used to store data, such as a number or a string of character data. enumerate() is one of the built-in Python functions. It returns an enumerate object; in our case that object is a list of tuples (immutable lists), each containing a pair of count/index and value. However a variable can be rebound at any time, so there is no consistent use as an enumerator. This is a vulnerability encountered in Python.

* An enumeration is a set of symbolic names (members) bound to unique, constant values.

But comparing the Java and Python CVE checklists, it is shown that the Python programming language has fewer vulnerabilities than the Java programming language.

Reveal the blockchain technology secret – it is the Genesis of the Bible

Preface

Blockchain technology has been the hottest topic of the last few years. Actually a similar block technology has been in our world since the genesis of the world. Do you still remember attending chemistry lessons in your student days? A boring subject introduced the four principal orbitals (s, p, d, and f), which are filled according to the energy level and valence electrons of the element (see below for reference). They are the fundamental concept of the blockchain.

The genesis was not mentioned in high profile until blockchain technology did the renovation!

It is easy to find the key elements of blockchain on the internet. According to my observation so far, the results might not be similar. My observation summary is: function, element and lifetime (life cycle). See the details below for reference (another boring diagram).

Blockchain technology has revealed those three key elements since the Bitcoin currency concept was found in the 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world was cryptocurrency (Bitcoin), until Enigma found a new concept and announced it to the public in 2017.

The modern world is concerned about data privacy; blockchain can do it better

In reference to the technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland, it is shown that an advanced encryption scheme (secure multi-party computation) provides more advanced benefits compared with the key encryption concept.

Blockchain technology has shown its expandable features to the world; it is not limited to cryptocurrency.

Enigma technology pioneered the introduction of expandability of blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-factor authentication, identity, IoT, distributed personal data stores, crypto bank, e-voting and Bitcoin wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology is how to store, manage and use the (highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen this design weakness in the data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weaknesses. Even though you are now using TLS 1.3, it is hard to guarantee that the asymmetric cryptography will not encounter another vulnerability in future.

E-voting: A data breach occurred last year (2016) during the US presidential election. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, and when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure to avoid data breaches

We noticed that the banking industry has tough and demanding compliance requirements. Under some policies they are not able to outsource hosting facilities to a cloud computing environment. As a matter of fact, I totally agree with their auditors’ concerns about data ownership and governance of data. We heard of a data breach on Amazon Simple Storage Service (S3) cloud storage this year. However the ongoing technology trend is to integrate systems into cloud computing. It looks like the IT world has no way to escape integrating cloud technology into its IT infrastructure. Blockchain technology itself embeds strong encryption features which can replace traditional network transport and data protection mechanisms. Even if hackers break through the public cloud computing farm, it is not easy for them to decrypt the data.

What about ransomware attacks?

Blockchain solutions are decentralized. A scenario may happen where ransomware encrypts the data belonging to a specific cyber victim, but another range of clients may not be affected.

Who is ready to play this game?

Let’s do a review of the current cloud facilities located in APAC countries. At the moment AWS has not installed hosting in China and Hong Kong, but the service (blockchain-as-a-service) is available. The nearest zone with an AWS hosting facility installed is Singapore. This brings an advantage to the Microsoft Azure cloud, which became the market leader in this area (see below reference).

According to the blockchain key elements (function, element and life cycle), blockchain can be applied like a theory to the technology world without limitation.

Let’s take a closer look at the blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those countries that would like to implement a Smart City, blockchain technology is a key project element which they cannot escape.

A breakthrough for city innovation driven by blockchain technology

  1. A single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Integrated solutions for local commerce across retailers, service providers, dining and lodging, with internal systems migrating to the cloud (blockchain-as-a-service).

Layer 7 (application layer) – What are the information security key factors?

Preface:

We heard shocking news this year, especially the Equifax breach. The hackers accessed up to 143 million customer account details earlier this year. Thereafter a data breach happened on July 29, and the details taken included names, social security numbers, driver’s licences, and credit card numbers of around 200,000 people. Perhaps you could say that the incident was caused by the vulnerability in the Apache Struts component, CVE-2017-5638. A design limitation was found in the Jakarta Multipart parser. A proof of concept showed that the Content-Type header can be set to an OGNL expression such as:

Content-Type: ${(#_='multipart/form-data').

The Content-Type is not escaped after the error, and is then used by the LocalizedTextUtil.findText function to build the error message. This function will interpret the supplied message, and anything within ${…} will be treated as an Object Graph Navigation Library (OGNL) expression. As a result an attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands (see the diagram below for reference).
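An added example (mine, not from Apache or the Equifax reports) of detecting the Struts CVE-2017-5638 pattern in web server logs: a legitimate multipart Content-Type is "multipart/form-data; boundary=...", so OGNL expression syntax in that header is out of place. The log format is assumed to be a custom one that appends the Content-Type request header as the last quoted field; the three log lines are constructed using documentation IP ranges, and the suspicious one carries only the fragment already quoted above. Detection complements patching Struts, it does not replace it.

```python
import re

# Markers of an OGNL expression in a header value: the ${...} / %{...}
# evaluation wrappers and the OGNL context-variable prefix #_.
OGNL_MARKERS = re.compile(r"[%$]\{|#_")

# Assumed custom access-log format: standard combined prefix, then the
# Content-Type request header as the last quoted field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ctype>[^"]*)"$')

def is_suspicious_content_type(value: str) -> bool:
    """True when the header value contains expression syntax that never
    appears in a well-formed media type (RFC 2046 multipart or otherwise)."""
    return bool(OGNL_MARKERS.search(value))

def scan_log(lines) -> list:
    """Return (ip, timestamp, content-type) for requests whose Content-Type
    looks like an OGNL expression. Lines that do not match the assumed
    format are skipped rather than guessed at."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and is_suspicious_content_type(m.group("ctype")):
            hits.append((m.group("ip"), m.group("ts"), m.group("ctype")))
    return hits

# Constructed sample log: documentation IP ranges, a normal upload, one
# request carrying the fragment quoted in the text, and a plain GET.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2017:10:00:01 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 512 "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxk"
198.51.100.9 - - [10/Mar/2017:10:00:05 +0000] "POST /struts2-showcase/upload.action HTTP/1.1" 200 80 "${(#_='multipart/form-data')."
203.0.113.7 - - [10/Mar/2017:10:00:09 +0000] "GET /index.action HTTP/1.1" 200 2048 "-"
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG.splitlines()):
        print("suspicious Content-Type from %s at %s: %s" % hit)
```

Most default log formats do not record the Content-Type header at all, which is why Equifax-style activity is invisible in hindsight; logging that header (or inspecting it at the reverse proxy) is the cheap change that makes this check possible.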

API security is important today, especially API infiltration

So far, myself included, people have only been focusing on ring 0 attacks. It looks like information security brought my attention to kernel hooking. Once upon a time, kernel hooking looked like it was everything. I think it might have similarities, and in such a way anti-virus manufacturers addressed the same place. But when do we wake up? I believe that this is the Java application century. The API security level is equivalent to the kernel level.

Actually the defense mechanism has no difficulty detecting malware on a 32-bit operating system. For instance, on a 32-bit Windows system, antivirus software may use SSDT hooking (System Service Dispatch Table hooking). Using SSDT hooking, the antivirus software can prevent attacks based on the APIs being called by the malicious software.

So, it looks secure once a modern antivirus is installed, right?
But what is the reason that the number of cyber attack victims grows rapidly, even though IDS, firewalls and modern antivirus software are deployed?

A closer look at the details

Windows 7 x64 ships with PatchGuard, which doesn’t allow hooking of the SSDT, MSRs or code sections. Disabling PatchGuard is the first-priority objective for malware. Since we are the system owner, it is easy to disable the PatchGuard function in your 64-bit Windows operating system yourself. The instructions are displayed below:

Type msconfig, go to the Boot tab and delete the patched boot entries.

Or run the following commands in a root shell and restart the PC afterwards.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex 

As we know, malware can’t carry out a manually driven task. If malware is going to find its target function, it must go to the correct memory address (refer to table 1). But the objective of PatchGuard is to protect the following data and structures against:

• Modifying system service tables, for example, by hooking KeServiceDescriptorTable

• Modifying the interrupt descriptor table (IDT)

• Modifying the global descriptor table (GDT)

• Using kernel stacks that are not allocated by the kernel

• Patching any part of the kernel (detected only on AMD64-based systems)

Remark: The inline hooking three-step slogan. However, it doesn’t work while PatchGuard is enabled.

  1. The Hook – A 5-byte relative jump written to the target function in order to hook it; the jump transfers control from the hooked function to our code.
  2. The Proxy – This is our specified function (or code) which the hook placed on the target function jumps to.
  3. The Trampoline – Used to bypass the hook so we can call the hooked function normally.
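The same three-step hook can be looked for from the defender’s side. As an added example (mine, not from any antivirus product), the Python below decodes the control transf­er an inline hook plants at a function’s first bytes (E9 rel32, or mov rax, imm64 ; jmp rax on x64), resolves the target and reports whether it lands in another module, which is what an integrity check of exported functions does. The exported-function bytes, addresses and module ranges are constructed; in practice they come from reading the process image and comparing with the on-disk copy of the same export.

```python
import struct

MASK64 = 0xFFFFFFFFFFFFFFFF

def decode_redirect(prologue: bytes, address: int):
    """Return the absolute target if the bytes at `address` begin with a
    control transfer an inline hook typically plants, else None:
      E9 rel32             jmp rel32 (signed, relative to address + 5)
      48 B8 imm64 FF E0    mov rax, imm64 ; jmp rax (x64 far hook)"""
    if len(prologue) >= 5 and prologue[0] == 0xE9:
        rel = struct.unpack_from("<i", prologue, 1)[0]
        return (address + 5 + rel) & MASK64
    if (len(prologue) >= 12 and prologue[:2] == b"\x48\xb8"
            and prologue[10:12] == b"\xff\xe0"):
        return struct.unpack_from("<Q", prologue, 2)[0]
    return None

def classify_export(name: str, address: int, prologue: bytes, module_ranges: dict) -> tuple:
    """Classify one exported function. module_ranges maps module names to
    (start, end) of their loaded image; a jump that leaves the function's
    own module is the signature of a third-party inline hook."""
    target = decode_redirect(prologue, address)
    if target is None:
        return (name, "clean")
    for mod, (start, end) in module_ranges.items():
        if start <= target < end:
            return (name, "jmp to %s+0x%x" % (mod, target - start))
    return (name, "jmp to unmapped 0x%x" % target)

def scan_exports(exports, module_ranges: dict) -> list:
    """Run the classifier over (name, address, first bytes) triples."""
    return [classify_export(n, a, p, module_ranges) for n, a, p in exports]

# Constructed module map and export prologues; addresses are made up.
MODULES = {
    "kernel32.dll": (0x7FF800000000, 0x7FF8000A0000),
    "suspect.dll": (0x7FF810000000, 0x7FF810010000),
}
EXPORTS = [
    # Ordinary x64 prologue: mov [rsp+8], rbx ; push rdi ; sub rsp, 0x20
    ("FindFirstFileW", 0x7FF800001000, b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20"),
    # E9 with rel32 0x1000022F: 0x7FF800002000 + 5 + 0x1000022F = 0x7FF810002234
    ("FindNextFileW", 0x7FF800002000, b"\xe9\x2f\x02\x00\x10\xcc\xcc\xcc"),
    # mov rax, 0x12340000 ; jmp rax: a target outside every known module
    ("CreateFileW", 0x7FF800003000, b"\x48\xb8" + struct.pack("<Q", 0x12340000) + b"\xff\xe0"),
]

if __name__ == "__main__":
    for name, verdict in scan_exports(EXPORTS, MODULES):
        print("%-16s %s" % (name, verdict))
```

The FindFirstFileW / FindNextFileW pair is the one rootkits patch to hide files, so those two exports are a sensible place to start; a jump into a module you did not expect to be loaded, or into unmapped memory, is what to alert on.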

How does malware trim itself down and then go to kernel level? How does it bypass antivirus or malware detectors?

Attempt 1. Find a design limitation on the web portal, then use the scripting API or dynamic JSP to inject commands. One example was shown in our discussion on the first page. Try to find a vulnerability in a web server side module or component, or find a weakness of the programming design (see below for reference), then inject system commands.

But is there an additional way to conduct API infiltration?

Attempt 2. Hooking Shared Library Function Calls

Phenomenon: Apache web server deployment has high coverage in the world, and not a few Apache servers are running on the Windows operating system.

Variable factors: PatchGuard and ASLR enabled (those functions might make hacking activities more difficult)

The diagram below is a reference example of how an inline hook jumps to malicious code and then executes the original function.

Since defense functions have been strengthened today (antivirus has embedded malware detection, Microsoft PatchGuard verifies the kernel, and ASLR randomizes addresses to limit malware infection), the traditional ways of cyber attack below cannot work well!

  • DLLs loaded at runtime into the process address space
    For kernel32 – target private address space between 0x00010000 and 0x7FFE0000
  • Hiding files in a directory
    Replace FindFirstFile(), FindNextFile() in kernel32 to skip rootkit files

Are there any benefits in the attack methods below?

DirectX/OpenGL APIs and time functions – Typically hooked to implement cheating in on-line games.

Status: High possibility, under our observation.

Winsock API – Hooked to monitor network traffic.

Status: It happened frequently. Under observation now.

But a security gap is still present because of today’s fast-growing business strategy

Further to my study of cyber attack incidents over the past few months, a hint to me is that the API hook technique on layer 7 (application layer) is the key milestone of hackers today. See the cyber incident records below for reference:

February 2017 –  The internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Incident root cause analysis: Search engines like Google and Bing that crawl the web automatically cached the errant data (everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys), making it all easily accessible through search.

June 2017 (the data breach was discovered on June 19): 198 million voter records exposed

Incident root cause analysis: Misconfiguration isn’t a malicious hack in itself. However such an incident shows the world that a wide range of components could impact the information security world. A misleading message from the past brought people’s major focus onto the operating system level.

July 2017 (the hack was discovered on July 29): Equifax recently had 143 million customer records breached in a hack.

Incident root cause analysis: Security weaknesses were found in patch management in IT operations and in vulnerability awareness. The incident was caused by the vulnerability in the Apache Struts component, CVE-2017-5638.

A major unknown area will be transformed into hackers’ new target

Technology zone: IP telephony technology has been integrated with the TCP stack for more than a decade. However business operations are keen to enhance functional features, and therefore customization for system integration is hard to avoid. We have seen some network communications hardware vendors become involved in application interface technologies. The modern business world is tougher and more demanding in competition. It looks like Cisco also became a victim of the former vulnerability hiccup. For more details, please see the URL below for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Summary: It seems I do not have a final checkpoint to guide me to draw any conclusion on this discussion. Hey guys, keep your eyes open. There will be more strange things happening in today’s demanding and tough business world!

Have a happy Sunday. I remain with my best regards.

Reference table 1: