Our Future especially Smart City is waiting for 5G mobile communication. Does your body ready for 5G signal?

Preface: When mobile phone was born. Some of the people had concerning about the impact of electronic device to human health. As time goes by, seems we forget about it because we need smartphone now!

Historical background: The FCC has established a policy for human exposure to radio frequency electromagnetic fields. Seems it looks fine, the specifics policy defined, right? However if you review related policy (see below url). You might have doubt? Does our existing policy synchronize with modern technology? https://www.fcc.gov/general/radio-frequency-safety-0

About vulnerability: The medical industry not specify such technology will be potentially harmful to human body. But brain cancer, salivary cancer, acoustic neuromas and two other types of cancer go up with cell phone use. I was strange that European countries are the leader to promoting healthcare. However it looks that they are also the technology supporter. Regarding to strategic project plan especially infrastructure of the country. The major elements should be included in design phase but I did not seen the renewal policy of Human Exposure to Radio Frequency Electromagnetic Fields.

User opinion – Would you mind your user credential naked running? Facebook scandal (Mar 2019)

Preface: Do I Really Need To Encrypt Every File on My Computer?
May be answer is simple, all depends on your data classification label…..

The focus: Informed sources told that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

What is the objective of external audit?
The objective of external audit is for the auditor to express an opinion on the truth and fairness of IT operations.

Doubt? From information security point of view, developer role should not access production environment especially data. Meanwhile what is the job role for engineers? Seems the job role very messes.

Headline News: https://www.bbc.com/news/technology-47653656

Cisco managed to conduct the remediation of IP Phone 8800 Series vulnerabilities – 20th Mar 2019

Preface: Cisco has announcement yesterday that there are vulnerabilities found on IP Phone 8800 Series.

About IP Phone 8800 Series: The Cisco IP Phone 8800 Series delivers HD video and VoIP communications, and integrates with your mobile device to meet your business needs.

Vulnerability details are shown as below:

  • Cisco IP Phone 8800 Series Path Traversal Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipptv
  • Cisco IP Phone 8800 Series File Upload Denial of Service Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipfudos
  • Cisco IP Phone 8800 Series Authorization Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ipab
  • Cisco IP Phone 7800 Series and 8800 Series Remote Code Execution Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-rce
  • Cisco IP Phone 8800 Series Cross-Site Request Forgery Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190320-ip-phone-csrf

Synopsis of 2 items of vulnerability: Perhaps Cisco did not provides the vulnerability details on CVE-2019-1716 and CVE-2019-1763. However there are hints let’s we can speculate those issues. Web applications are highly vulnerable to input validation errors. Inputting the invalid entry “!@#$%^&*()” on a vulnerable web application may cause performance issues or denial of service on a vulnerable system or invalid passwords such as “pwd’” or “1=1— ” may result in unauthorized access.



Do not ignore integer overflow attack. His power equivalent with torpedo.

Preface: Malware detection, SIEM and predictive technology enhance the detective and preventive control in cyber security world. However the hacker still have solutions to conduct infiltration thus compromise the system. Attacker exploit integer overflow do the evasion. From technical point of view. It is difficult to detect.

Historical records of cyber attack who exploit integer overflow vulnerability:

Total 329 ethereum tokens vulnerable for integer overflow – 9th Jul 2018 – http://www.antihackingonline.com/potential-risk-of-cve/9th-jul-2018-total-329-ethereum-tokens-vulnerable-for-integer-overflow/

CVE-2018-6983 VMware Workstation and Fusion updates address an integer overflow issue – 22nd Nov 2018 – http://www.antihackingonline.com/potential-risk-of-cve/cve-2018-6983-vmware-workstation-and-fusion-updates-address-an-integer-overflow-issue-22nd-nov-2018/

CVE-2018-20181 rdesktop seamless_process() Heap-Based Buffer Overflow Memory Corruption Vulnerability – https://cxsecurity.com/cveshow/CVE-2018-20181

Observation: According to my observations, there are technical limitation on software engineering, most likely the cyber criminal keen to develop a technique sound like F117. That is invisible to radar (IDS) and infrared (SIEM). Perhaps online web application shall require user input function. Even though software developer introduce pull down menu function. However it is not able to lack of name and password input. So this is the objective we highlight today. Integer overflow technique exact can provides silent attack. As a result it form a bridge let attacker execute the 2nd phase of attack. For instance in C environment, The range of unsigned char is (0 – 255). So if the input password length is 260, it will cause integer overflow . So passwd_len actually has a length of 4, so you can bypass the length limit. If buf parameter has design limitation, stuffed 260 length of data into it, it will cause stack overflow.

CVE-2019-0804 Azure Linux Agent Information Disclosure Vulnerability (14th Mar 2019)

Preface: To speed up the deployment of your cloud computing readiness. Use the image deployment is faster than mounting an ISO and manually installing a VM.When system admin created images for an OpenStack provider, he will pre-installed cloud-init and haveged. Azure has similar feature, it is so called Azure WaLinuxAgent.

Vulnerability detail: An information disclosure vulnerability exists in the way Azure WaLinuxAgent creates swap files on resource disks. An authenticated attacker who successfully exploited this vulnerability could view data in swap that is normally hidden.

My speculation: In WALA, it uses “fallocate” instead of “dd” to create swapfile. When an ext4 filesystem is used, a local attacker can call the fallocate() function, in order to read fragments of deleted files.

Remedy solution: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0804

12th Mar 2019 – Intel® Software Guard Extensions SDK Advisory

Preface: Space Layout Randomization (ASLR) to defend against memory corruption attacks. However, Intel Software Guard Extension (SGX), it is capability protects selected code and data from disclosure or modification. From security point of view, it provides an advance protection than before.

Vulnerability detail: Double free in Intel(R) SGX SDK for Linux before version 2.2 and Intel(R) SGX SDK for Windows before version 2.1 may allow an authenticated user to potentially enable information disclosure or denial of service via local access.

Synopsis: About double free vulnerability
Refer to the scenario of attach diagram, it shown that the same chunk will be returned by two different ‘mallocs’. Both the pointers will point to the same memory address. If one of them is under the control of an attacker, he/she can modify memory for the other pointer leading to various kinds of attacks (including code executions).

Official announcement: https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00217.html

Security Focus – CVE-2019-5513 VMware Horizon update addresses Connection Server information disclosure vulnerability: 14th Mar 2019

Preface: VMware Horizon Client for Android and iPhone makes it easy to work on your VMware Horizon virtual desktop and hosted applications from your smartphone.

About security advisory annoucement by VMware: The VMware Horizon Connection Server contains an information disclosure vulnerability. Successful exploitation of this issue may allow disclosure of internal domain names, the Connection Server’s internal name, or the gateway’s internal IP address.

My observation: Refer to route path 1,2,3 and 4 (refer to diagram). Because this application can run at Layer 4, transparency is enforced. Transparency takes a higher priority than Subnet Originating Requests. Therefore, if transparency is enabled on the Virtual Service and Subnet Originating Requests is enabled globally, the Virtual Service still uses transparency. The Real Server sees traffic from this virtual service originating with the client’s source IP address (transparency).

Reference: VMware announcement – 14th Mar 2019

https://www.vmware.com/security/advisories/VMSA-2019-0003.html

https://www.vmware.com/security/advisories/VMSA-2019-0002.html

PHP EXIF exif_process_IFD_in_TIFF Method Arbitrary Code Execution Vulnerability

Preface: With the exif extension you are able to work with image meta data. PHP capable to update the date in the exif photo headers by script. The headers includes the following: Time taken,Time modified,The camera make,The camera model,..

Design objective of exif_process_IFD_in_TIFF:
Parse the TIFF header.

Vulnerability Found:
When execute test script, Memcheck by valgrind.org determined that an undefined value is being used in a dangerous way from exif_process_IFD_in_TIFF.

My speculation:
Short registration process helps to get more subscribers to your website. Login with Facebook is a quick and powerful way to integrate registration and login system on the website. PHP SDK allow accessing the Facebook API from the web appliction. But to get started with the latest version of Facebook SDK v 5.x, make sure your system meets the following requirements.
PHP version should be 5.4 or greater.
What if, servers whose originally connect to facebook which install PHP version 7.X. They are all compromised because of vulnerability. In the mean time, they will start attack to the facebook. Do you think this is the story began on 14th Mar 2019?

Remedy: Upgrade http://php.net/downloads.php

Citrix Internal Network Hacked – Press release on Mar 2019

Preface: Citrix Systems, Inc. is an American multinational software company that provides server, application and desktop virtualization, networking, software as a service (SaaS), and cloud computing technologies.

About data breach occurred on Dec 2018:
Citrix says that the late 2018 attack appears to be distinct from the likely password-spraying attack that was the focus of the FBI’s Wednesday warning to the technology firm.

Doubt? Believe that enterprise firm should have SIEM deployment. If SIEM has in placed, could it be something wrong of their correlation rules? Or there is another reasons behind?

What do you think?

Headline news: https://www.zdnet.com/article/citrix-discloses-security-breach-of-internal-network/

CVE-2019-1723 Cisco Common Services Platform Collector Static Credential Vulnerability – 13th Mar 2019

Preface: The CSP-C’s basic function is to discover the network elements and collect information from those elements.Basically the design goal is to enhance the overall detective and preventive control in the IT infrastructure.

Technical highlight: To perform the Network Discovery and Data Collection operations the CSP-C needs the following credentials: SNMP Read Only community,Telnet or SSH credentials,HTTP or HTTPS credentials.Not every device needs to be accessed via CLI or SOAP; however SNMP is required for all devices.

Vulnerability detail: The affected software has a user account with a default, static password.

Vendor announcement:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190313-cspcscv