June 2018 – Google Releases Security Update for Chrome

Content Security Policy (CSP) provides a standard HTTP header that allows website owners to declare approved sources of content that browsers should be allowed to load on that page.

Browser based XXS protection mechanism. Least privilege approach that whitelists content you trust. Nothing else will execute. Assumes that inline scripts are bad.


High CVE-2018-6148: Incorrect handling of CSP header


May 2018 – Moodle security announcements

LMS (Learning Management System) become popular because it wasn’t limit learning area and time zone. Learner or student can start the tution when computer connect to internet. Such learning atomosphere are popular in the world. LMS not restricted to high school and university educations. It also covered internal training in business environment. Moodle is a free and open-source learning management system written in PHP and distributed under the GNU General Public License. Education authority can download the software onto your own web server. Moodle does not generate SCORM content. Moodle presents the content in SCORM packages to learners, and saves data from learner interactions with the SCORM package.

SCORM content can be delivered to learners via any SCORM-compliant Learning Management System (LMS) using the same version of SCORM.

The market share shown that Moodle open source growth in significant recently. However there are vulnerabilites occurs in Moodle. Now please download version 3.5 because it fixed the design bug. Bug details shown as below :

Portfolio script allows instantiation of class chosen by user – https://moodle.org/mod/forum/discuss.php?d=371204

User can shift a block from Dashboard to any page – https://moodle.org/mod/forum/discuss.php?d=371202

Users can download any file via portfolio assignment caller class – https://moodle.org/mod/forum/discuss.php?d=371200

Portfolio forum caller class allows a user to download any file – https://moodle.org/mod/forum/discuss.php?d=371201

Calculated question type allows remote code execution by Question authors – https://moodle.org/mod/forum/discuss.php?d=371199

June 06, 2018 – Cisco Releases Security Updates for Multiple Products

CVE-2018-0321 – Cisco Prime Collaboration Provisioning Unauthenticated Remote Method Invocation Vulnerability


CVE-2018-0315 – Cisco IOS XE Software Authentication, Authorization, and Accounting Login Authentication Remote Code Execution Vulnerability


CVE-2018-0353 – Cisco Web Security Appliance Layer 4 Traffic Monitor Security Bypass Vulnerability


CVE-2018-0320 – Cisco Prime Collaboration Provisioning SQL Injection Vulnerability


CVE-2018-0318 – Cisco Prime Collaboration Provisioning Unauthorized Password Reset Vulnerability


CVE-2018-0319 – Cisco Prime Collaboration Provisioning Unauthorized Password Recovery Vulnerability


CVE-2018-0317 – Cisco Prime Collaboration Provisioning Access Control Bypass Vulnerability


CVE-2018-0322 – Cisco Prime Collaboration Provisioning Access Control Vulnerability


CVE-2018-0274 – Cisco Network Services Orchestrator Arbitrary Command Execution Vulnerability


CVE-2018-0316 – Cisco IP Phone 6800, 7800, and 8800 Series with Multiplatform Firmware Session Initiation Protocol Denial of Service Vulnerability


CVE-2017-6779 – Multiple Cisco Products Disk Utilization Denial of Service Vulnerability


CVE-2018-0263 – Cisco Meeting Server Information Disclosure Vulnerability


CVE-2018-0296 – Cisco Adaptive Security Appliance Web Services Denial of Service Vulnerability


The influence of CVE-2018-11235 more than expected. Even the Hyperledger project is included.

Git community disclosed a high serverity of vulnerabilies (CVE-2018-11235). Since the impact of this vulnerabilities might influence many software application.

The major design weakness of this vulnerability is that when you git clone a repository, there is some important configuration that you don’t get from the server includes .git/config file, and things like hooks, which are scripts that will be run at certain points within the git workflow. For instance, the post-checkout hook will be run anytime git checks files out into the working directory. As a result hacker can appended to $GIT_DIR/modules, leading to directory traversal with “../” in a name. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. As a result, hacker has way to implant malware to the library.

This vulnerability also jeopardizing hyperledger project. Please refer to above diagram for reference.

For details of vulnerability. Please refer below:



  • Examine submodule’s folder names closely.
  • No longer contain .. as a path segment, and they cannot be symbolic links.

The programming parameter must be within the .git repository folder.

4th June 2018 – SAML Authentication Bypass ((Symantec) CVE-2018-5241)

SAML for single sign-on (SSO) makes it possible for your users to authenticate through your company’s identity provider when they log in to Cloud computing platform. SSO allows a user to authenticate once and then access multiple products during their session, without needing to authenticate with each of those. Please be remind that SSO will only apply to normal user accounts instead of privilieges level user account.

Symantec Security Advisory (4th June 2018). So called SAML Authentication Bypass (CVE-2018-5241).

A remote attacker can modify a valid SAML response without invalidating its cryptographic signature. This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.  For more details about this issue, please refer below url for reference.



Hyperledger Iroha v1.0 beta-2 version to remediate CVE-2018-3756 (May 2018)

The earlier generation of blockchain technology empower encryption power let the world know his capability. As times goes by people found the design weakness of blockchain technology is the performance of synchoization of the peer nodes. Such design weakness cause double spending vulnerability. The next generation of technology so called HYPERLEDGER. It enhance the design weakness of blockchain. As a result cryptocurrency especially Ethereum relies on Hyperledger Fabric in demand. A blockchain project developed by several Japanese firms including by startup Soramitsu and IT giant Hitachu has been accepted into the Hyperledger blockchain initiative. A fix has been released by Hyperledger IROHA project two weeks ago. Hyperledger Iroha v1.0 beta-2 version is avaliable for download. The reason is that a critical vulnerabilities discovered during the security audit.

On 2017, Cambodia central bank taps Hyperledger Iroha for blockchain settlement. Perhaps they update to beta 2 already.

Should you have interest to know the detail, please refer below:

Cambodia central bank taps Hyperledger Iroha for blockchain settlement – https://www.cryptoninjas.net/2017/04/20/cambodia-central-bank-taps-hyperledger-iroha-blockchain-settlement/

Beta 2 (download): https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2

Dark power (malware) jeopardize the open geospatial data


The geospatial digital environment supports planning, management, modeling, simulation and visualization related to smart initiatives across the city.

Quick understanding – Basic data structure for GIS

  1. Vector
  2. Raster
  3. Tringulate irregular network

4. Tabular data (attribute table)

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system.

So, can we store big data in RDBMS? The fact is that the specifics of data get pretty large fairly quickly and therefore it’s not very well suited to huge quantities of data.

Remark: A traditional database product would prefer more predictable, structured data. Big data design fundmentally backend contains extremely dynamic data operations.

One of the key capabilities of a NoSql type environment is the ability to dynamically, or at least easily, expand the number of servers being used for data storage. This is the reason why does NoSql DB become popular in big data infrastructure environment.

DBMS ranking and technical details

Top 5 NoSQL database engines closer look

The advantage for deploy NoSQL Database for Management of Geospatial Data

NoSQL database are primarily called as non-relational or distributed database. NoSQL is not faster than SQL. They are exactly the same. However the non relational database (NoSQL) provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

Redis, an open source, in-memory, data structure server is frequently used as a distributed shared cache (in addition to being used as a message broker or database) because it enables true statelessness for an applications’ processes, while reducing duplication of data or requests to external data sources. Thereby redis being growth the usage in big data infrastructure environment (specifications are shown as below):

  • Redis is very fast and can perform about 110000 SETs per second, about 81000 GETs per second.
  • All the Redis operations are atomic, which ensures that if two clients concurrently access Redis server will get the updated value.

Hacker targeted Redis server recently

Redis general security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket (see below)


  • default port of SSH 22/TCP
  • default port of REDIS Server 6379/TCP

Redis improved access control since version 3.2. It was implemented protected mode. As of today the version 4.0.9 released. They are not in high priority focus on cyber security protection. Since Redis is designed to be accessed by trusted clients inside trusted environments. But what’s the reasons lets hackers follow it?


The cyber criminal divided into 3 interested parties of existing technology world. The cyber criminal dark force are divided into three different group in the world nowadays.

The famous one is the Advanced Persistent Threats (APT). In normal circumstances their attack are according to the political reasons.

  • Looking for financial interest on demanding crypto currencies zone. Hacker create malware or implant malicious code for bitcoin mining.
  • Looking for benefits on crypto currencies market. Hacker create malware or implant malicious code to the compromised web site or end user web browser for fulfilling their objective. It is bitcoin mining.
  • Ransomware spreading group – Interference business operation and suspend public services. Their goal is looking for ransom.

Perhaps the design weakness on current situation of Redis servers fulfill above hacker objectives and let them doing a lot of reverse engineering works for achievement.Below picture show the famous Case of vulnerability on Redis 3.2 server. So called “crackit”.

Attacker compromises the Redis server instance and add an SSH key to /root/.ssh/authorized_keys and login to compromised Redis server with SSH connection. Since there are certain amount of Redis servers is on the way to provides geospatial data services. The classification of spatial data services are based on the geographic services taxonomy of EN ISO 19119. This taxonomy is organised in categories, the subcategories defining the value domain of the classification of spatial data services.

In general speaking, hacker might not interest of those data but they can re-engineering the compromised server become a C&C server, APT botnet and sinkhole.

How to enhance Redis server protection level

In order to avoid Redis server has been compromised by hacker. The official website has security improvement solutions suggest to user.

Network layer:

Bind Redis to a single interface by add the following command line to the redis.conf file:


And therefore external anonymous client not able to reach Redis server.

Application layer:

Three Must-Have Redis Configuration Options For Production Server

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

The above disables three powerful and dangerous commands. You could take it a step further and disable other questionable commands, like KEYSDEBUG SEGFAULT and SAVE.

Should you have interest of the security protection recommended by Redis. Please visit below official website for reference.


— End —

1st June 2018 – Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe on 1st June 2018. The Visa payment service resumed on 2nd June 2018. Visa announced that systems now operating at ‘full capacity’ after crash cripples payments  (See below url for reference)


The service interruption because of hardware failure, said Visa. Observation – The fellow payment card systems MasterCard and Maestro are not affected.

My comment is that see whether is there any design limitation of the enhanced 3-D Secure 2.0 causes this incident? No problem, cyber world looks no secret. Even though it is non-disclosed at this time. May be we will know the details in future.

Have a nice Sunday.


A vulnerability found in becton dickinson DB Manager (CVE-2018-10593 and CVE-2018-10595)

On May 2017, Ransomware attack suspended UK healthcare system services. It shown the security weakness in hospital and clinic IT system infrastructure. BD is a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. A vulnerabilitiy found on Becton Dickinson causes a series of products being effected. It includes BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The vendor state that this vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.According to the vendor solution , their product allow both thick client and thin client (web base) access. And therefore the vendor requires to remind the client who engaged the web base function to staying alert. Should you have interested to find out the details. Please refer below url for reference.