All posts by admin

Outline the definition of data breach law in five major U.S. population areas – Mar 2020

Preface: For those who conducting Ransomware attack to another person may be considered a data breach under federal or state law. While attempting to unlock and save its data, a victim of a ransomware attack may have an obligation to enact its data breach protocol and notify individuals whose data is affected by the attack.

Perhaps cybersecurity experts will focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court. The fine will be based on the actual situation. But GDPR regulations are valid in European countries. What about the United States of America?

About who must obey the law:

New York (N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208)-

California (Cal. Civ. Code §§ 1798.29, 1798.82) –

Illinois (815 ILCS §§ 530/1 to 530/25) –

Texas (Tex. Bus. & Com. Code §§ 521.002, 521.053) –

Arizona (Ariz. Rev. Stat. § 18-545) –

Pennsylvania (73 Pa. Stat. §§ 2301 et seq) –

Security Focus – Local Privilege escalation vulnerability in Cortado Thinprint (CVE-2020-3948) – 12thMar2020

Preface: ThinPrint technology offload the print burden on all virtual and physical desktops, and keeps all client hardware free of printer drivers.

Background: VMware Workstation is a type 2 hypervisor. Type 2 hypervisors are essentially treated as applications because they install on top of a server’s OS. If the host gets cracked, the hypervisor gets cracked. If the hypervisor gets cracked, it depends on the host will have vulnerability let hacker to be use. From technical point of view, it is difficult but it may possible.

Vulnerability details: Linux Guest VMs running on VMware Workstation (15.x before 15.5.2) and Fusion (11.x before 11.5.2) contain a local privilege escalation vulnerability due to improper file permissions in Cortado Thinprint. Local attackers with non-administrative access to a Linux guest VM with virtual printing enabled may exploit this issue to elevate their privileges to root on the same guest VM. For the details of attack. Please refer to diagram.

Official announcement

For my imagination only – Mona Lisa smile – Mar 2020

In order to prevent people know the information, Da Vinci use wrote backwards handwriting. Also known as mirror-writing, where the words appear as normal when seen with a mirror.

Modern people know very little about Da Vinci’s early life, and he only recorded two childhood story. This happened during Da Vinci’s expedition in the mountains. Da Vinci discovered a cave during his expedition. He was afraid that there would be some huge monster lurking in the cave, but he was driven by curiosity and wanted to know what was inside. When he walked into the cave and found a huge unknown object lying quietly in the cave, Da Vinci was shocked. Later, several non man kind emerged from the unknown object, and they imparted knowledge to Da Vinci. Before he pass away, Da Vinci spend decade to finish his Arts work. It is the famous Mona Lisa smile.

I can seen the cave in his art work. How about you?

When we received the SMB V3 failure message from Microsoft on March 11, 2020, Citrix actually hinted to its customers in early September last year.

Preface: Microsoft has released a security advisory to address a remote code execution vulnerability (CVE-2020-0796) in Microsoft Server Message Block 3.1.1 (SMBv3) on 11th Mar 2020.

Vulnerability details: A remote attacker can exploit this vulnerability (CVE-2020-0796) to take control of an affected system. A “potentially wormable” vulnerability exists in SMBv3 and specifically the compression. Citrix already hints that SMB3 has design limitation occurs (see below):

CIFS compression—CIFS connections are compressed automatically whenever they meet the requirements for CIFS protocol acceleration. In addition, SMB3 connections are compressed when unsigned and unsealed.

Why is it dangerous? SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origination and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering of packets and “man in the middle” attacks.

Remedy solution by Microsoft –

should Intel CSME, as stated in the headline, not be solved easily? If the statement is correct, how can we avoid it? Mar 2020

Background: CVE-2019-0090 told that Insufficient access control vulnerability in subsystem for Intel(R) CSME before version 12.0.35, Intel(R) SPS before version SPS_E3_05. may allow unauthenticated user to potentially enable escalation of privilege via physical access. On 5th Mar, 2020, cyber security expert firm has following findlings.Intel CSME firmware in the boot ROM first initializes the page directory and starts page translation. IOMMU activates only later. Therefore, there is a period when SRAM is susceptible to external DMA writes (from DMA to CSME, not to the processor main memory), and initialized page tables for Intel CSME are already in the SRAM.

Impact: Nonlinear write will bypass stack protector!

Remedy: When Stack-Protector XORed with Return address implemented, the Nonlinear write to bypass stack protector become difficult.

Current status: Please do the patching even though it is not perfect –

Political and Justice – 2020

Wyden and Khanna proposed amending the Espionage Act of 1917 to protect journalists, whistleblowers, and security researchers who discover and disclose classified government information. (see below url)

If you are also interested of cyber security information developing state. Perhaps you will seen the cyber security protection will be transform to preventive instead of defensive. But who can imagine that the computer technology will be transform a weapon style of attack. In our world there is no absolute correct state . If the hostile state doing aggressive activities. Therefore the adjacent side will doing the defense. Conducting the spy in digital technology relies on malware. It conduct the Infiltration . So it is not limit to computer backdoor, email phishing and advanced espionage technologies will be used. But sometimes, it will have contradition. Furthermore it can become a political fight tool.

Meanwhile, we can only give a salute to the Whistleblowers.

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness,..

Let’s review on cve-2019-11043, it is still valid today! (8th Mar, 2020)

Preface: Let’s review on CVE-2019-11043, it is still valid today!
An underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx.

Background: Too many people have criticized the performance of Apache Server. And therefore , web application developers sometimes will decide turned their architecture focus to Event-driven Server. The design objective of event-driven server typically has a single thread which manages all connections to the server. The thread uses the select() system call to simultaneously wait for events on these connections. As such , event driven architecture greatly increased the volume and speed of connection services.
NGINX uses an event-driven architecture with nonblocking I/O. The design concept waits for events on the listen and connection sockets.

Nginx itself is just a simple HTTP server. If you need to run programs, you have to use the help of CGI.Sometimes use Nginx + PHP-FPM.But a drawback of CGI is that each page load incurs overhead by having to load the programs into memory. Scripts that process remote user input, such as the contents of a form or a “searchable index” command, may be vulnerable to attacks in which the remote user tricks them into executing commands.

Impact: Attack can exploits an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certains Nginx PHP-FPM configurations are exploitable. So, be alerted!

PPP daemon vulnerable to buffer overflow due to a flaw in EAP packet processing – 5th Mar 2020

Preface: PPP daemon (pppd) which is used to manage network connections between two nodes on Unix-like operating systems. The EAP extension to PPP was first defined in RFC 2284, now obsoleted by RFC 3748.

Synopsis: A 17-year-old defect in Linux system found! The impact will be included dial-up modems, DSL broadband connections, and Virtual Private Networks. The Linux system including Debian, Ubuntu, SUSE Linux, Fedora, NetBSD and Red Hat Enterprise Linux has been impacted. In the old technology world, PPP over Ethernet, defined in RFC 2516, is a method of transmitting PPP over Ethernet. It provides the ability to connect a network of PPPoE client hosts to a service provider access concentrator over a single bridging access device. Above communication protocol do the interconnect function on automation system and SCADA architecture. The impact of this issue was included different industry especially Manufacturing, Food Production, Electric and Gas Utilities & Waste Water Treatment. Even though the business equipment do not have exception. The business products including Cisco CallManager, TP-LINK products and Synology products. The OpenWrt Project is a Linux operating system targeting embedded devices. Embedded computing platforms are responsible for many of the of the lower-level mechanics that drive the IoT. It seems that the area of impact will be included of this area.

Official announcement –

The CVE-2020-0688 vulnerability affects Exchange Control Panel (ECP) components. Maybe it fixed it. However, because OWA is Internet-oriented, you still worry about it. 5th Mar 2020

Preface: To do the remedy of CVE-2020-0688, you need to install the security update in addition to the Cumulative Updates.

Vulnerability Background: Microsoft using the same set of cryptographic keys on every Exchange Server installation. The keys being stored in plain text in a web.config file on every server.

Details: Microsoft release the patch on 11th Feb, 2020. Less than 2 weeks later. Researchers released proof of concept (POC) exploits for this vulnerability on February 24, 2020. If you have chosen publish Exchange externally. This patch must be applied.
Attacker exploit this vulnerability is easy. The social network sometimes unintentionally leave the finger print (company email address). When attacker got the email address on hand. The elaborate email subject and content presents challenges for traditional security tools, because it is designed specifically to evade detection. If victim fall to the trap (phishing mail) which lure they provide the credential. Even though it is a non privileges user.Attacker can activated this vulnerability to conduct the remote code execution.

“They will try to locate you OWA server. If your existing Exchange SRV is vulnerable. The attack channel can pass through your OWA.”

Remedy: Official announcement –

Have you been renew and replace your current “Let’s Encrypt” certificate? 4th Mar 2020

Preface: Certificates will begin being revoked at 3 PM EST. 4th Mar 2020

Security Focus: Due to design defect, Let’s Encrypt had to rush to inform users about the revocation the SSL server certification that’ll be completed in less than 24 hours. The SSL/TLS certificates will be revoke by tomorrow, March 4 (at 00:00 UTC at the earliest). Sites with revoked certificates may begin showing insecure icons in browser. Affected site publishers will have to reapply for a new certificate in order to regain secure status.

Official announcement: The bug: when a certificate request contained N domain names that needed CAA rechecking, Boulder would pick one domain name and check it N times. What this means in practice is that if a subscriber validated a domain name at time X, and the CAA records for that domain at time X allowed Let’s Encrypt issuance, that subscriber would be able to issue a certificate containing that domain name until X+30 days, even if someone later installed CAA records on that domain name that prohibit issuance by Let’s Encrypt.

To check if your domain is affected by this bug and needs to be renewed, you can use the tool at