All posts by admin

CVE-2018-17195 – Apache NiFi Template Upload API Endpoint Cross-Site Request Forgery Vulnerability

Preface: What Is Big Data and Why Do We Need It?

A complex reason of this question. In short sentence to describe, business and human being looking for operational efficiency to improve the daily life.

Technical background of Apache NiFi:
Apache NiFi can help you get your S3 data storage into proper shape for analytic processing with EMR, Hadoop, Drill, and other tools.
Drill is primarily focused on non-relational datastores, including Hadoop, NoSQL and cloud storage.

Vulnerability found on Apache NiFi:
A vulnerability in the template upload API endpoint of Apache NiFi could allow an unauthenticated, adjacent attacker to conduct a cross-site request forgery (CSRF) attack on a targeted system which could be used to conduct further attacks.

Reason: The vulnerability is due to improper validation of user-supplied input by the template upload API endpoint used by the affected software.

Remedy: Official announcement shown as below

https://nifi.apache.org/download.html

Vulnerability in Java Deserialization Affecting Cisco Products – 2019 Jan

Cause: A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code.

Remark: Researchers have found complex object graphs which, when deserialized, can lead to remote code execution in most Java software.

Official announcement:https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization

Apocalypse – Is that the correct way? But this is the destiny!

Preface: The 2012 phenomenon was a range of eschatological beliefs that cataclysmic or otherwise transformative events would occur on or around 21 December 2012.

In the moment: We are still alive, but climate in the earth running in irregular way. Changes in the amount of sea ice can disrupt normal ocean circulation, thereby leading to changes in global climate.

Prediction: But what my final speculation of Maya calendar? My comment is that Maya calendar inform that the new generation of Artificial Intelligence was born during December 2012 (see below Appendix 1). As a matter of fact we are on the way go to Artificial Intelligence world. However , the truth is that it there is a lot of uncertainty on this AI age. Even though Professor Stephen Hawking’s also urge mankind must staying alert!

Appendix 1: In June 2012, the New York Times reported that a cluster of 16,000 computers dedicated to mimicking some aspects of human brain activity had successfully trained itself to recognize a cat based on 10 million digital images taken from YouTube videos.

Reference: Stephen Hawking’s final warning – https://www.vox.com/future-perfect/2018/10/16/17978596/stephen-hawking-ai-climate-change-robots-future-universe-earth

Exploitation of vulnerability transform to APT (Advanced Persistent threat) facility

Preface: On 4th Jan 2019 CERT/CC Reports Critical Vulnerabilities in Microsoft Windows, Server…

Report details:
The report recall vulnerabilities found on 13th Dec 2018 (see below):
CVE-2018-8626 Windows DNS Server Heap Overflow
Vulnerability – https://www.kb.cert.org/vuls/id/531281/

CVE-2018-8611 Windows Kernel Elevation of Privilege Vulnerability – https://www.kb.cert.org/vuls/id/289907/

But vulnerability (CVE-2018-8611) successfully bypasses modern process mitigation policies, such as Win32k System call Filtering that is used, among others, in the Microsoft Edge Sandbox and the Win32k Lockdown Policy employed in the Google Chrome Sandbox.

My observations:
Perhaps you applied the MS patch but it is hard to avoid similar evasion of technique in the moment because of the following reason.
C++ Exception Handling. An exception is a problem that arises during the execution of a program. A C++ exception is a response to an exceptional circumstance that arises while a program is running, such as an attempt to divide by zero. Exceptions provide a way to transfer control from one part of a program to another.

Suggestion: Enforce the control by SIEM or deploy MSS services.

2019 headline news – a data breach may impact nearly 2.4 million Blur users

Preface: Data breaches continue to be a threat to consumers. Many companies were hacked and likely had information stolen from them since January 2017.

Headline news Jan 2019:  Abine announced that they learned on 13th December 2018 that a file containing information from customers who had registered prior to January 2016 was exposed online.

Who is Abine? Abine is a Boston-based privacy company. Led by consumer protection, privacy, and identity theft experts.

Official findings of data breaches: The file was in a “mis-configured Amazon S3 storage bucket that was being used for data processing.

User Tips: AWS code of law

  • You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn’t support Block Public Access settings on a per-object basis.
  • When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.

Should you have interest to know more details, please refer to official announcement: https://www.abine.com/blog/2018/blur-security-update/


Does QR Codes can pose a risk to your security and safety?

Preface:
QR codes have become common in consumer advertising. Friendly speaking, it make your finger and mouth more relaxed!

Is the QR code safe?
Most risks with QR Codes stem from QR Codes not being readable to humans. Since the QR codes not being able to easily identify a code as the original where the problems arise. As a result, the mobile application authentication design will be a key factor for security protection.
In addition, malware hidden in the QR-Reader app can infect your smartphone. Malware known as ‘Andr/HiddnAd-AJ’ was able to load itself onto a number of apps designed to read QR-Codes. And compromise your smartp

Realistic:
Even if it involves risk, the modern world likes to take a risky approach. So how to enhance the QR code system security?

Possible ways:

  1. QR code system uses fingerprints and face recognition.
  2. Awareness training
  3. Mobile device management especially patch management and antivirus system.

Should you have interest to find out more, please refer below url for reference:
Security Considerations of Using QR Code – https://www.polyu.edu.hk/its/general-information/newsletter/144-year-2018/feb-18/732-security-considerations-of-using-qr-code

Security Notification – Schneider EVLink Parking (Dec 2018)

Preface: Electric vehicles (EVs) have no tailpipe emissions. Replacing conventional vehicles with EVs can help improve roadside air quality and reduce greenhouse gas emissions.

Technical background: Level 2 electric car chargers deliver 10 to 60 miles of range per hour of charging. They can fully charge an electric car battery in as little as two hours, making them an ideal option for both homeowners who need fast charging and businesses who want to offer charging stations to customers.

Subject matter expert:
EVlink Parking a charging stations for shared usage or on-street developed by Schneider Electric.

Vulnerabilities found:
Schneider Electric has become aware of multiple vulnerabilities in the EVLink Parking product (see below):

  • A SQL Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier, which could give access to the web interface with full privileges.
  • A Code Injection vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier
  • A Hard-coded Credentials vulnerability exists in EVLink Parking, v3.2.0-12_v1 and earlier

Official announcement shown below url: https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2018-354-01-EVLink.pdf&p_Doc_Ref=SEVD-2018-354-01

Celebration 2019! Coming Soon! But…? The most serious data breach in 2018… So far, do you know where they are?

Preface: The internet contains at least 4.5 billion websites that have been indexed by search engines. But may be more data not shown there?

Technical background – Dark Web Synopsis:
What is dark web? It is the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.The dark web is a huge marketplace for stolen data and personal information.

Attack surface:

So far, social media companies have often experienced data breaches. However, the healthcare industry is the priority attack target.

Data theft action:Once the company has been hacked. the situation will be as follow

  1. the data will be posted to dark web immediately
  2. if company management not intend to pay for ransom. they will sell the data in dark market.

Expert findings:
Please refer below url for reference: https://www.network-box.com/front_newsletter

Behind growth of APT attack

Preface: The objective of an APT attack is usually to monitor network activity and steal data. But the APT historical records shown that there are APT attacks intend to damage the network or organization.

APT might not easy to detect:
VM handler able to relocate and move code because of ASLR (address space layout randomization) applied. Example shown below for refernce.
For example the instruction AND has opcode 0x17 when you print.
The 32-bit code to run is stored entirely into the variable section with the value at offset 5 specifying the number of bytes to be copied and executed.
However the ability of conditional opcodes, the variable part can contain the next JIT packet ID or the next relative virtual address (RVA) where code execution should continue. So it such a way increase the difficult to detect the malware behaviour.

Prevention:
In order to fight against APT activities. Try to understand their goal of action. For example, we can learn from security report. For more details, please find below URL for reference.

Kaspersky Threat predictions for 2019 – https://www.brighttalk.com/webcast/15591/340766?utm_source=kdaily&utm_medium=blog&utm_campaign=gl_Vicente-Podz_organic&utm_content=link&utm_term=gl_kdaily_organic_link_blog_Vicente-Podz