Tomcat – CVE-2018-1305 – Don’t ignore!

Apache HTTP Server and Tomcat together account for more than 60% of web server usage. A common deployment puts Apache in front, serving the static pages or acting as a reverse proxy, while Tomcat has become a major application server component. That means your Java applications, their configuration and the database service accounts all live on the Tomcat host.

This week a vulnerability was found in Tomcat. Successful exploitation of the design flaw exposes resources to users who were not authorised to access them. Folks, do not ignore this vulnerability. Stay alert!

Should you have an interest in this news, please refer to the URL below for reference.

https://securitytracker.com/id/1040428

SCADA manufacturer security awareness awaken – ABB

I speculate that APT groups will proactively engage the electric power supply industry and target manufacturers this year, since they all deploy SCADA systems. Perhaps engaging in an attack in this zone works better than negotiating with a world trade commissioner to reduce another country's quota. SCADA manufacturers have awakened to the severity of cyber attacks that jeopardize a firm's reputation.

A vulnerability was found in an ABB SCADA system this month. The severity level has not been defined yet, but SCADA end users must stay alert. For more detail, please refer to the URL below for reference.

http://search-ext.abb.com/library/Download.aspx?DocumentID=1MRS257731&LanguageCode=en&DocumentPartId=&Action=Launch

Information warfare and arsenal

Preface:

There are different countries in the world, and each so-called regime has a different governance concept and a strategic task force in a different area.

A simple introduction of regimes around the planet

Our story begins with the Bear

The Bear group views electronic warfare as an essential tool for gaining and maintaining information superiority over its adversaries. Its electronic warfare forces therefore support denial and deception operations, and its arsenal is keen on developing interception tool sets and disruption equipment. Since land-to-land and sea-to-sea combat does not happen frequently, the Bear group broke through the traditional concept in order to control the enemy's communications: it weaponized computer techniques into cyber weapons. As a result, a series of cyber weapons was born.

The first cyber weapons aimed to show the world

On 20 July 2008, weeks before the Bear group's invasion of Georgia, the cyber attack vectors grew. The website of the Georgian president was targeted, resulting in the site being overloaded.

Remark: This was the beginning phase of APT attacks. The keyword "APT" did not exist at that time, but from a security point of view this was the APT prototype. Such an attack turns the victim workstations into zombies. The attacks rely on the following criteria: OS design weaknesses, especially zero-day exploits, and social engineering (spear-phishing).

The Bear group blocked Georgian "internet portals" to supplement its military aggression, suspending their external communications. The Internet had become a battleground at that time.

Such action gave the regime an idea: cyber attacks will become a main trend in the future, now that the digital world has arrived. One cyber attack tool exploited is the so-called "Black Energy", a well-known DDoS attack tool. It weaponized computer software to fulfil the objective of military engagement.

The picture below shows the portable version of Black Energy.

The Black Energy botnet infection path is shown below:

A cyber attack by the Eagle group targeting nuclear facilities in 2010 unintentionally strengthened the Bear group's electronic warfare concept. Meanwhile the Bear group's development team restructured its arsenal, looking for a new attack method that would completely suspend a hostile country's operations. Thus a new cyber weapon was born. It relies on Microsoft vulnerabilities found by the Eagle group's security agency. WannaCry was born and promoted for arms sales. The preliminary objective of the tool was a South Korean nuclear power plant, but the task force did not run smoothly, and therefore the code was offered free to criminal groups to use.

A few months later, an enhanced version of the WannaCry ransomware appeared in the cyber world with the goal of sabotaging nuclear power facilities. What is the advanced feature of NotPetya?

NotPetya spreads on its own. The original Petya required the victim to download it from a spam email, launch it, and give it admin permissions. NotPetya exploits several different methods to spread without human intervention. The original infection vector appears to be a backdoor planted in M.E.Doc, an accounting software package that is used by almost every company in Ukraine.

The table below shows the specifications of WannaCry and Petya for reference.

….the attack task force spread it out and it became a main trend of hostile countries' cyber attacks.

End of story….

Bear Group intelligence agency overview:

The Iron Curtain was the name for the boundary dividing Europe into two separate areas from the end of World War II in 1945 until the end of the Cold War in 1991. That is why people focus only on the former KGB, simply because they are not so aware of the GRU (Glavnoe Razvedyvatelnoe Upravlenie, Russian military intelligence). The keyword "KGB" no longer exists in the world; the GRU has taken over the KGB's original functions, but it prefers to deploy malware and implant malicious code in targets to engage in surveillance.

The GRU's strategic functions are displayed below:

  1. Political Intelligence
  2. Scientific and Technical Intelligence ( industrial espionage)
  3. Illegal Intelligence (rootkits, malware and ransomware)

This is a fiction. Any similarity is mere coincidence.

——- END ——-

Blockchain technology can do the magic – EU GDPR new data protection regulation

Preface:

The movie title: When Harry Met Sally. It is a romantic comedy film written by Nora Ephron. It gives the world the idea that we are all interconnected by fate.

GDPR – High Level Understanding

The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).

GDPR principle

The General Data Protection Regulation is, quite literally, a data protection model. Its principles are shown below:

  • Establish data privacy as a fundamental right
  • Clarify the responsibilities for EU data protection
  • Define a base line for data protection
  • Elaborate on the data protection principles
  • Increase enforcement powers

In regard to GDPR, how does blockchain technology assist?

Blockchains are secure by design. Each block typically contains a cryptographic hash of the previous block, so by construction a blockchain is inherently resistant to modification of its data. This is exactly what fulfils the GDPR mandatory requirements. Let's take a simple look at the requirements placed on a data controller.

  • (Article 24) – be accountable, demonstrate compliance
  • (Article 25) – Adopt privacy by design
  • (Article 27) – If not in the EU, appoint a representative
  • (Article 28) – Take care when using 3rd parties (Processors)
  • (Article 30) – Keep records of processing
  • (Article 32) – Do security well
  • (Article 33) – Tell the regulator if they have a breach (72 hours)
  • (Article 34) – Tell Data Subjects about some breaches
  • (Article 35 and 36) – Do privacy impact assessments
  • (Article 37,38 and 39) – appoint a Data Protection Officer where specified

Let's see how blockchain technology addresses these subject matters.

Perhaps readers are not interested in reading a whole bunch of words. An explicit view and explanation are given in the informative diagram below.

Reminder – New EU GDPR will be effective in May 2018

END of discussion.

Evade sanctions or this is our new world trend – petroleum cryptocurrency

The legitimacy of cryptocurrency looks misty to everybody. I have heard that it is legal in some countries. However, it cannot maintain legitimacy, since we must follow the traditional financial currency system's guidelines and policy. But think it over. In ancient times, people used a barter concept. The revolution came when printed currency depended on a country's gold deposits. Perhaps in the 80s we did not have the key term "digital transformation". From a technical point of view, there is no technical issue with printing currency that depends on a country's petroleum (oil). This theory has now come true. Venezuela is the first country to issue such a cryptocurrency; its specification is an oil-backed token as a form of legal tender. It looks as though such a theory is an alternative solution that lets some countries evade international sanctions. From a scientific perspective this is the correct way: why do we need to keep a classic financial technology without an end to its life cycle? Iran is now considering the development of its own cryptocurrency (see the URL below for reference).

https://www.cnbc.com/2018/02/22/iran-becomes-latest-rogue-state-to-develop-its-own-cryptocurrency.html

The US Securities and Exchange Commission (SEC) new guidance

Big country versus big discussion:

The US Securities and Exchange Commission (SEC) released a statement urging high-ranking executives not to trade stocks before disclosing breaches, major vulnerabilities and other cybersecurity-related incidents.

New guidance – https://www.sec.gov/rules/interp/2018/33-10459.pdf

Meanwhile Intel released guidance this week (details of availability and schedule for the microcode update). For more details, please see the URL below for reference.

https://newsroom.intel.com/wp-content/uploads/sites/11/2018/02/microcode-update-guidance.pdf

It is a funny cyber and economic world!

For your attention! Multiple vulnerabilities in both Drupal 7 and Drupal 8

It is indeed a tragedy: multiple vulnerabilities in both Drupal 7 and Drupal 8. Drupal is a free and open-source content-management framework written in PHP and distributed under the GNU General Public License.

In short, in order to avoid unforeseen technology risk, please read the official announcement shown below:

https://www.drupal.org/sa-core-2018-001

Synopsis:

Comment reply form allows access to restricted content – Critical – Drupal 8

Users with permission to post comments are able to view content and comments they do not have access to, and are also able to add comments to this content.

This vulnerability is mitigated by the fact that the comment system must be enabled and the attacker must have permission to post comments.

JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8

Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.

The PHP functions which Drupal provides for HTML escaping are not affected.

Private file access bypass – Moderately Critical – Drupal 7

When using Drupal’s private file system, Drupal will check to make sure a user has access to a file before allowing the user to view or download it. This check fails under certain conditions in which one module is trying to grant access to the file and another is trying to deny it, leading to an access bypass vulnerability.

This vulnerability is mitigated by the fact that it only occurs for unusual site configurations.

jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7

A jQuery cross site scripting vulnerability is present when making Ajax requests to untrusted domains. This vulnerability is mitigated by the fact that it requires contributed or custom modules in order to exploit.

For Drupal 8, this vulnerability was already fixed in Drupal 8.4.0 as a side effect of upgrading Drupal core to use a newer version of jQuery. For Drupal 7, it is fixed in the current release (Drupal 7.57) for jQuery 1.4.4 (the version that ships with Drupal 7 core) as well as for other newer versions of jQuery that might be used on the site, for example using the jQuery Update module.

Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8

When using node access controls with a multilingual site, Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.

This issue is mitigated by the fact that it only applies to sites that a) use the Content Translation module; and b) use a node access module such as Domain Access which implement hook_node_access_records().

Note that the update will mark the node access tables as needing a rebuild, which will take a long time on sites with a large number of nodes.

Settings Tray access bypass – Moderately Critical – Drupal 8

The Settings Tray module has a vulnerability that allows users to update certain data that they do not have the permissions for.

If you have implemented a Settings Tray form in contrib or a custom module, the correct access checks should be added. This release fixes the only two implementations in core, but does not harden against other such bypasses.

This vulnerability can be mitigated by disabling the Settings Tray module.

External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7

Drupal core has an external link injection vulnerability when the language switcher block is used. A similar vulnerability exists in various custom and contributed modules. This vulnerability could allow an attacker to trick users into unwillingly navigating to an external site.

Solution:

Install the latest version:

Reported By:
  • Comment reply form allows access to restricted content – Critical – Drupal 8

  • JavaScript cross-site scripting prevention is incomplete – Critical – Drupal 7 and Drupal 8

  • Private file access bypass – Moderately Critical – Drupal 7

  • jQuery vulnerability with untrusted domains – Moderately Critical – Drupal 7

  • Language fallback can be incorrect on multilingual sites with node access restrictions – Moderately Critical – Drupal 8

  • Settings Tray access bypass – Moderately Critical – Drupal 8

  • External link injection on 404 pages when linking to the current page – Less Critical – Drupal 7

Fixed By:

————————-  End ———————————————–

Cisco Releases Security Updates for Multiple Products – 21st Feb 2018

Understanding:

The VOSS platform is integrated in Cisco HCS, where it is called Cisco Unified Communications Domain Manager (UCDM). VOSS has web services application programming interfaces (APIs) available to third-party developers. Features of VOSS include web-based administration, centralised management, collaboration lifecycle management, collaboration service management, and a business process layer on top of network infrastructure and communications architecture management.

The Cisco Elastic Services Controller (ESC) provides a comprehensive lifecycle management platform for NFV. It provides end-to-end capabilities to automate tasks such as deploying, monitoring and elastically scaling virtualized functions, and makes them available as business-level services.

Security updates:

Cisco Unified Communications Domain Manager Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-ucdm

Cisco Elastic Services Controller Service Portal Authentication Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc

Cisco Elastic Services Controller Service Portal Unauthorized Access Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-esc1

Cisco Unified Customer Voice Portal Interactive Voice Response Connection Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180221-cvp

About APT37

A cyber security company (FireEye) was so bold as to accuse a country. As a matter of fact the APT threat actor made a mistake: it inadvertently showed its location. According to the details provided by FireEye, APT37 developed a total of 10 different types of malware to satisfy its goal. Based on my observation, I would suggest staying alert to a backdoor malware nicknamed SHUTTERSPEED. Its overall specification is equivalent to a Trojan spyware, the so-called Trojan-Spy.Win32.Agent.jkvl.

Since this spyware is not a new design, Windows Defender and antivirus products have the capability to kill it. However, an attack using multiple types of malware might give this trojan an opportunity to be implanted on a workstation.

Should you have an interest in understanding the full picture of APT37's attacks, please refer to the URL below for reference.

https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

UK cyber security agency sticks with China’s Huawei despite US spy fears

The espionage scandal jeopardizes a trustworthy reputation. However, China is not the initiator of the espionage program, while America worries about espionage across countries. It is hard to tell who is correct and who is wrong!

The UK cyber security agency sticks with China's Huawei despite US spy fears. For more details, please refer to the URL below for reference.

http://www.telegraph.co.uk/technology/2018/02/20/uk-cyber-security-agency-sticks-chinas-huawei-despite-us-spy/