SCADA environment staying alert – Security updates for the OPC UA stacks on 12th Sep 2018

SCADA helps people automate our world. It includes water, wastewater, and storm water management,Oil and Gas,Electricity,Transit systems and traffic,Facilities,Agriculture and Manufacturing.

OPC UA can be used for supervisory control, now eliminating the use of Windows-based intermediate systems to streamline the data transfer process from the field and control levels vertically to the management and enterprise levels. Recently found Buffer overflow in OPC UA applications. It allows remote attackers to trigger a stack overflow with carefully structured requests. Stack buffer overflow can be caused deliberately as part of an attack known as stack smashing. Buffer overflows in the stack segment may allow an attacker to modify the values of automatic variables or execute arbitrary code.

Official announcement shown as below URL:

https://opcfoundation-onlineapplications.org/faq/SecurityBulletins/OPC_Foundation_Security_Bulletin_CVE-2018-12086.pdf

BIND 9 flaw – krb5-subdomain and ms-subdomain update policy rules ineffective

 

What is BIND 9? BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet, and to resolve DNS queries for your users.

On 2006, named.conf parser design limitation found by Anonymous Monk. He list out the following.

  • BIND::Conf_Parser – doesn’t deal with 9.x
  • BIND::Config::Parser – bails out with ‘Bad text’ on my named.conf
  • Cpanel – near to impossible to cut out something usable outside cpanel
  • Webmin – seems to deal only with bind 8.x
  • the /usr/sbin/named-checkconf utility packed with bind.9 – gives just an OK/not ok verdict upon named.conf, no way to store the underlying structure.

Announce design flaw – Sep 2018

The krb5-subdomain and ms-subdomain update policy rule types permit updates from any client authenticated with a valid Kerberos or Windows machine principal from the REALM specified in the identity field, to modify records in the zone at or below the name specified in the name field.

Remark: A Kerberos realm is a set of managed nodes that share the same Kerberos database.

CVE-2018-5741: Update policies krb5-subdomain and ms-subdomain – https://kb.isc.org/docs/cve-2018-5741

Summary:

ISC BIND before releases 9.11.4-P2 and 9.12.2-P2 does not properly document the behaviour of the krb5-subdomain and ms-subdomain update policies.

Reference – Vulnerabilities announced last few months

8th Aug 2018 – ISC Releases Security Advisory for BIND

June 13, 2018 – ISC Releases Security Advisory for BIND

May 18, 2018 – ISC Releases Security Advisories for BIND

 

 

 

 

Don’t underestimate – Adobe release security update – Sep 2018

Adobe has released security updates to address vulnerabilities in Adobe Acrobat and Reader. Electronic document transform to an attacking tools are worry in cyber security world so far. The fact is that it is hard to detect such indirect attack. The simple we will know it is easy to evade the defense machanism. A malicious user can pass a `cff` font file to the application to cause a heap-based buffer overflow that can lead to an out-of-bounds write. This can cause the application to crash or overwrite values in the heap. If it overwrite chunk header, corrupt free(), but program doesn’t crash. It will be very dangerous!

Don’t underestimate! Offical URL shown as below:

https://helpx.adobe.com/security/products/acrobat/apsb18-34.html

Vulnerability in SIMATIC WinCC OA V3.14 and prior – Sep 2018

SIMATIC WinCC Open Architecture enables handling with bigger amounts of data with even smaller hardware solutions. However WinCC OA v3.14 found critical vulnerability. Do you think below detail is the root causes? A remote attackers execute arbitrary code or cause a denial of service (invalid pointer write) via a crafted packet to TCP port 5678. So we must Protecting C Programs from Attacks via Invalid Pointer.

Vulnerability record in SIMATIC WinCC OA V3.14 (see below):

https://cert-portal.siemens.com/productcert/pdf/ssa-346256.pdf

 

Quick review of OpenSC vulnerabilities – Sep 2018

Basic Understanding:

What is smart card? A smart card is a security token that has an embedded chip. Smart cards are typically the same size as a driver’s license and can be made out of metal or plastic

Basicaly you can get smart card in two states: either blank or initialized. For blank cards OpenSC has code to initialize the card in PKCS#15 format.

PKCS#11 – The PKCS#11 interface is used to communicate or access the cryptographic devices such as HSM (Hardware Security Modules) and smart cards. The primary purpose of HSM devices is to generate cryptographic keys and sign/encrypt information without revealing the private key to the others.

PKCS#15 – PKCS 15 (Public Key Cryptography Standard 15) defines the standard for the storage of keys on smart cards. OpenSC implements PKCS#15 and thus stores everything in the directory 5015, creates certain files in defined formats, subdirectories and so on. Not all software implement PKCS#15. Many cards in EU and elsewhere have ID cards for their citizens with keys for digital signatures and authentication, and often those cards and not in PKCS#15 format.

OpenSC implements the standard APIs to smart cards

OpenSC provides a set of libraries and utilities to work with smart cards. Its main focus is on cards that support cryptographic operations, and facilitate their use in security applications such as authentication, mail encryption and digital signatures. OpenSC implements the PKCS #15 standard and the PKCS #11 API. It is possible to use the Smartcard via OpenSC with the Microsoft CNG library. CNG can be used together with CryptoAPI.

Vulnerability Details

CVE-2018-16418

A buffer overflow when handling string concatenation in util_acl_to_str in tools/util.c in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to cause a denial of service (application crash) or possibly have unspecified other impact.

CVE-2018-16427

Various out of bounds reads when handling responses in OpenSC before 0.19.0-rc1 could be used by attackers able to supply crafted smartcards to potentially crash the opensc library using programs.

Reference: Fixed out of bounds writes

https://github.com/OpenSC/OpenSC/commit/360e95d45ac4123255a4c796db96337f332160ad

OpenSC before 0.19.0-rc1 vulnerabilities summary:

Highlight concerns

Buffer overflow – Attacker would use a buffer-overflow exploit to take advantage of a program that is waiting on a user’s input. There are two types of buffer overflows: stack-based and heap-based. Heap-based, which are difficult to execute and the least common of the two, attack an application by flooding the memory space reserved for a program. Stack-based buffer overflows, which are more common among attackers, exploit applications and programs by using what is known as a stack: memory space used to store user input.

Double free errors – Double free errors occur when free() is called more than once with the same … Calling free() twice on the same value can lead to memory leak.

Endless recursion vulnerability – This weakness describes a logic error within the application, which results in an endless loop.

OpenSC-019.0 released 14th Sep 2018

Fixed multiple security problems (out of bound writes/reads, #1447):

CVE-2018-16391, CVE-2018-16392, CVE-2018-16393, CVE-2018-16418, CVE-2018-16419, CVE-2018-16420, CVE-2018-16421, CVE-2018-16422, CVE-2018-16423, CVE-2018-16424, CVE-2018-16425, CVE-2018-16426, CVE-2018-16427

URL shown as below:

https://github.com/OpenSC/OpenSC/releases

Demonstrate buffer overflow

 

About Apple security update – released September 17, 2018

We are free to download apps in Google Play Store and App Store. And we believe the Apps are secure without any problem. Apple has removed “Adware Doctor” from the macOS App Store and claims that the program was uploading browser histories. As far as we know, our browse history collect by 3rd party is not the first time. Even though your defense software will be collect your internet activities in silent way. The collection of internet activities is hard to avoid today. Since we are living in so called big data world. On the other hand, App Store (Apple) found that threat actors may craft a malicious code embedded in application put in App store. The goal is going to read persistent account identifier. It looks that it is the way to receive your credential to evade the detection. So there is an security announcement on apple products this week (see below):

iOS 12: https://support.apple.com/kb/HT209106

Apple Support 2.4 for iOS: https://support.apple.com/kb/HT209117

Safari 12: https://support.apple.com/kb/HT209109

watchOS 5: https://support.apple.com/kb/HT209108

tvOS 12: https://support.apple.com/kb/HT209107

The fundamental of data sharing versus data privacy

Preface:

What is “Fair Information Practices,” the principles of privacy protection are internationally recognized and are found in most privacy legislation around the world. These principles inform the way private organizations collect, secure, use and disclose personal information.

What is the bottleneck of data sharing?

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. And therefore this is the fundamental limitation of the data sharing. In the sense that you must consensus the data owner or object before use.

Can we found out the easy way to implement data sharing?

If you agree above standpoint is the bottleneck. I believe that you will continue to read this article. Ok, let’s take a quick way to elaborate.

The successful data analytic technology can tell the truth but not include survillance type. Because survillance program in my view point will categories as monitoring feature instead of data sharing categories. The phenomenon we have seen shown below table:

Above table perhaps not the official survey, it can’t provide the significant and reliable reference. However it shown an hints that the bottleneck of data sharing concept driven by Fair Information Practices.

As a matter of fact, even though the extreme regime governance country also not shown government will lead open his repository including personal information. The realistic so far is the private company collect their customer data for business goal or do a re-engineering of the usage of their customer data.

Potential hidden power

Natural & Non-Human Activities data contain huge potential power build a comprehensive big data infrastructure. We haven’t seen traditional database structure weakness until big data analytic born. As a result even though data sharing not mature in the moment however it can develop a perfect infrastructure waiting for the future.

Global Positioning System pioneer build the data sharing infrastructure

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system. As time goes by, GPS system build the data sharing architecture established.

Revolution of database technology

Big data is a term used to refer to the study and applications of data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.

Big data technologies break the ice, it improve traditional database model fundamental limitation on data access speed and usage efficiency. SQL was originally designed for relatively static data structured as a table. IoT-generated data is the data generated by the sensors fitted into interconnected devices. In the IoT scheme of things, each device will have an IP address so that it is able to communicate with destination peer. The IoT-generated data is a dynamic data because it is not the human input data model. So, a Key-Value Store technology can receive the advantage. In the market do far there were many different types of non-SQL, or non-relational, databases. The high-end system model is the famous IBM mainframe VSAM access method. But low end products can do similar things today. Below top 5 (low end) NoSQL database engines closer look.

IoT data require to do analytic before use. The data analytics focusing process device status data and sensor readings to generate descriptive reports and alarm.

Real-time analytics tools usually support controlling the window of time analysis, and calculating rolling metrics. For example, to track hourly averages over time rather than calculating a single average across an entire dataset. As a result the system require quick reponse and processing power.

Remark: What are rolling metrics good for? Get numbers faster – every day or minute if you want

Speed up an access

A general-purpose distributed memory caching system boost up the data access speed. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Below architecture can provide hints to you in this regard.

Summary:

So far, not seen any feature will be improved the data security. Since we are focus Natural & Non-Human Activities data. So it did not touch with any confidential data. The key factor of data sharing bottleneck not the limitation of technology. The fact shown that the successful factor to promote data sharing concept depends on you how to treat people with respect.

 

It is a hurricane, but it happen in cyber world – Multiple vulnerabilities in PHP (Sep 2018)

The United States and Asia were hit by hurricanes. It looks that the similar situation is happen in cyber world. MS-ISAC Releases Advisory on PHP Vulnerabilities urge technology world to staying alert. For more details, please refer below hyperlink:

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-101/

Hacker exploit the PHP design weakenss (Arbitrary Code Execution or RCE) for attack must fulfill below conditions.

  1. The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks.
  2. Pass untrusted user input to unserialize() regardless of the options value of allowed_classes. Unserialization can result in code being loaded and executed due to object instantiation and autoloading.
  3. The data passed to unserialized comes from a file, so a file with serialized data must be present on the server.

Sep 2018 – Veeam MongoDB left unsecured, 440 million records exposed

Sanitization process is important in IT world. If without correct validation, it may allow malicious code pass to trust boundary. As a result it may causes remote code execution, SQL injection, trigger Zero day attack, ….etc. So…… Headline News this week. Should you have interest, my picture can tell my speculation.

https://www.scmagazine.com/home/news/veeam-mongodb-left-unsecured-440-million-records-exposed/

Vulnerability looks scary! However, as the variety and volume of data has increased in recent years, non-relational databases like MongoDB have arisen to meet the new needs of our fluid data.

Consider how does JQuery affect millions of people confidential data – Sep 2018

RiskIQ expose one of the possible way how hacker steal customer credit card data of British Airline. Expert speculate the suspects exploit Inject jQuery into a page technique collect the confidential data. BA claim that the data breach only occurs in credit card data.
Risk IQ share the proof of concept shown that the technique equilvalent ATM machine skimmer. But this round the skimmer feature is install on web page. The fact is that when victim click the specific compromise web page button. The personal data belongs to victim will divert to hacker server.
Perhaps we know the technique so called Inject jQuery into a page is not a news. But exploit inject jQuery technique cope with ATM machine skimmer concept may be is new.
I am not going to copy RiskIQ POC programming language this time. However I will display the inject jQuery sample code for your reference. Meanwhile I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. So this is another possibility let British Airways lost the customer data.