All posts by admin

2017, cyber security incident news highlight, Potential Risk of CVE, System, Under our observation

Potential black force – digitize Godzilla

7 Comments

Preface

Can you remember that Science fiction movies Godzilla. The sea monster dubbed Godzilla, his body empowered by nuclear radiation then become huge. However his target is attack the Tokai Nuclear Power Plant and feeding on the nuclear reactor. The Japanese government concluded that nuclear power was what attracted Godzilla.

The World in demand of electricity power

The electricity power generation scheme, like plants that burn coal, oil and natural gas, produce electricity by boiling water into steam. This steam then turns turbines to produce electricity. Nuclear power plants obtain the heat needed to produce steam through a physical process. Apart of environmental pollution and Harmful radiation. Nuclear power looks is the quick and dirty way to resolve the natural resources supply limitation in the earth.

Example: Water energy reactor located in Ukraine

Stuxnet malware ages evolute the function to the new generation of malware

Cyber attacker follow Stuxnet objective, the group re-engineering a powerful DDOS tool on 2016. The attack target are the media outlets and electric companies in Ukraine. The new version of BlackEnergy does not contains destroy feature. It oppositely able to download and execute a binary or shell command, uninstall itself, modify internal settings, or load additional modules. The conceptual idea of the design is evade the defense mechanism detection. In short to summarize such design is that new version of black energy combined spear phishing email with embedded link file contains path to the module (.dll) .

The functionality of BlackEnergy can be extended with additional modules. These modules are stored in encrypted form in a separate file, which can be referred to as a plug-in-container. The attacker will be executed and download payload afterwards (see below diagram for reference)

We known the vulnerability known as CVE-2010-2568 and used by the Stuxnet computer worm can be weaponized to remotely execute code over a Windows computer without the user’s knowledge. It target the Siemens WinCC SCADA systems.

DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems especially electric and water supply facilities. The distributed network protocol (DNP3) play a major control role in SCADA system especially used by SCADA Master Stations (Control Center). A hints in below diagram shown that programmable logic controller responsible centrifuge status control and monitoring.

How Iran’s nuclear centrifuges facilities work?

As times go by, more and more manufacturer involves to nuclear facilities hardware re-engineering and installations. The well known vendor not limit to Siemens, it now have Schneider Electric, Allen-Bradley, General Electric (GE)…. But another 0-day vulnerability found few months ago.

The Modbus is a serial communications protocol originally published by Modicon (now Schneider Electric) in 1979 for use with its programmable logic controllers (PLCs). The Modbus protocol is the major communication protocol communicates with programmable logic controller. However it is a UN-encrypted data traffic. And therefore sensitive information is run in clear text (see below diagram for reference).

Remark: Both DCS and SCADA are monitoring and control systems used in industrial applications. The systems monitor equipment and processes to ensure all processes and equipment are performing within the required tolerances and specifications.

A design weakness was discovered in Schneider Electric Modicon Modbus Protocol. Sensitive information is transmitted in cleartext in the Modicon Modbus protocol, which may allow an attacker to replay the following commands: run, stop, upload, and download (CVE-2017-6034). Besides, the Modicon Modbus protocol has a session-related weakness making it susceptible to brute-force attacks.

Quote:

UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems and used to access both unallocated and allocated Memory from PLC to SCADA system said CTO and founder of CRITIFENCE.

* It may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors.”

December 14, 2017 announcement by FireEye – Found Triton Malware

It looks critical that Schneider programming logical controller could soft patch not issue yet. The expertise by FireEye found security alert on Triconex cotroller. The expert believe that Fireye believe that this masqueraded trilog application was deployed by Sandworm Team. This team engage cyber attack to Ukraine nuclear power facilities in 2016.

 

Information Supplement

Supervisory control and data acquisition (SCADA) is a control system architecture that uses computers, networked data communications and graphical user interfaces for high-level process supervisory management. How does this function to operate? Below diagram provides hints for reference.

Conclusion:

The suspicious attack found on Schneider Electric brand this time. It is hard to tell that similar attack will be happen on other brand name soon.

Information appending on 3rd Feb 2018 : related SCADA information for your reference

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Blockchain

Is Quantum technology an existential threat to blockchain?

1 Comment

The world are obsessed with Bitcoin.We heard Quantum Computing earlier this year.Quantum computing found quantum bit theory. Boolean Algebra base on ‘AND’, ‘OR’ And ‘NOT’ condition. Therefore implementing to Quantum bit might have problem(attach picture can provide hints)! Blockchain theory empower cryptocurrency powerful features.But blockchain technology work with tradition computer. So, Quantum technology is blockchain technology enemy! The quantum computing is the traditional currency bodyguard.Following url can provide the hints.

https://singularityhub.com/2017/11/05/is-quantum-computing-an-existential-threat-to-blockchain-technology/

Information security perspective -Hyperledger (Blockchain Technology) article shown as below:

Overview of hyperledger (Blockchain Technology) security design

 

Blockchain

Overview of hyperledger (Blockchain Technology) security design

10 Comments

Preface

The deluge push the earth to next generation. The scientists found Noah’s Ark fingerprint on top of the hill in India. The tremendous trend of the cryptocurrency (Bitcoins) like deluge. It such a way change the financial industry framework.

The fundamental technology concept

What is the difference in between blockchain and hyperledger?

A consensus of the blockchain technology foundation have the following idea. The blockchain technology feature better implement in public ledger that is crypto currencies. Hyerledger should have benefits to business industries. Since the fundemental of the cryptocurrencies concept is a direct electronic payment.The specific technology objectives encryption and integrity of the record (it cannot counterfeit), once the block is use it cannot be use reuse anymore.

 

As times go by, the cyber attack incidents on IT technology world bring the enhancement idea to blockchain technology. In order to cope with on-going technology and business perspective. Blockchain technology transform the technology focus to enhance its framework structure. And therefore hyperledger was born.The most popular hyperledger framework models are the following models.

Refer to the Hyperledger Modular Umbrella approach. Each Hyperledger framework empower different advanced function in order to cope with business industry requirements.

There are total 5 different framework of approach.

Burrow Framework

Provides a modular blockchain client with permissioned smart contract interpreter partially developed to the ethereum virtual machine (EVM) specification.

From security point of view: Eris makes use of Docker containers for its services and much of the Eris and Tendermint tooling is written in Go.You’ll need to have at least as many EC2 instances available as you want nodes. Again, you’ll need at least four nodes for the network to operate. If you don’t want to use AWS to host your nodes, you’ll need to have access to hosts that have Go version 1.4.x and Docker version 1.8.x installed. The programming language is Go. This development language not popular but it is secure. But it is hard to find programmer familiar with GO programming background.

Observation: (CVE-2016-3958/CVE-2016-3959) Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function (CVE-2016-3958).

Iroha

An blockchain framework designed for simple and easy incorporation into infrastructure projects requiring distributed ledger technology.

From security point of view: Since Iroha framework contains the following features:

  • Creation and management of custom complex assets, such as currencies or indivisible rights, serial numbers, patents, etc.
  • Management of user accounts
  • Taxonomy of accounts based on domains — or sub-ledgers in the system
  • The system of rights and verification of user permissions for the execution of transactions and queries in the system
  • Validation of business rules for transactions and queries in the system

Comparing the actual functions (see below diagram). My comment is that the integrity check looks run in precise way on each transaction. Iroha try to improve the anti-tamper solution of the data. The fundamental design concept of Iroha focuses on Blockchain-based Data Management.

Observation: Since Iroha focuses on blockchain based data management. How about the end point protection? It looks the design did not provide a clear visibility on the end point.

Remark: The Iroha project is a bit of an outlier within Hyperledger. It originated with some developers in Japan who had built their own blockchain technology for a couple of mobile use cases. It’s implemented in C++ which can be more high performance for small data.

A modular platform designed for building, deploying and running versatile and scalable distributed ledgers. Heard that the Sawtooth consensus software targets large distributed validator populations with minimal resource consumption. “It may give us the ability to build very broad and flat networks of hundreds to thousands of nodes,” said Behlendorf. “It’s harder to do with traditional consensus mechanisms without having the CPU burden of cryptocurrencies.”

From security point of view: No conclusion at this moment.

Fabric Framework

An implementation of block chain technology intended as a foundation for developing blockchain application or solutions. Fabric is Hyperledger’s most active project to date. Hyperledger Fabric intends to offer a number of SDKs for a wide variety of programming languages. The first two delivered are the Node.js and Java SDKs.

From security point of view: Since the first two delivered are the Node.js and Java SDKs. In order to avoid the denial of service or avoid unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. It is better to make use of GO for application development in future.

Below details are the recently vulnerabilities occurred on above 2 programming languages for reference.

http://www.cvedetails.com/cve/CVE-2017-10388/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Indy

Sovrin is a specific deployment of the Hyperledger Indy codebase. Sovrin developed the Indy code base as part of its mission to build a global public utility for self-sovereign identity. Sovrin Foundation contributed the code to Hyperledger under the Hyperledger Indy brand to expand the developer community and allow greater participation. But Sovrin and Indy are distinct. Sovrin is a specific, operating instance of the Hyperledger Indy code that contains identities that are interoperable at the global scale.

Remark: The best way to start develop Sovrin would be with the Indy SDK. (Indy is the technology under Sovrin, and its SDK provides a C-callable library.

From security point of view: Vulnerability (Slow nodes can be stalled after a view change)

Description – The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number

Detail explanation: What if A is malicious, and C and D during a catch up get inconsistent catchup messages from A and B? Perhaps the PRIMARY declaration message needs a root hash, and f+1 consistent responses for both Last Ordered Batch number AND Txn Root Hash

Remedy: The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number.

Summary:

IT security from 90’s encountered virus infection till today malware infection causes data breach. The appearance of blockchain (hyperledger technology) goal to mitigation the data leakage issue. The design objective of the data encryption is going to protect your data. As of today, an advanced technology enhanced server side and data storage. Block chain technology breakthrough traditional key algorithm encryption. The hash encryption technique and blockchain (accumulate) (N+1) data encryption scheme awaken the world. However the product design limitation let hacker exploit the vulnerabilities and such away expand the risk to application layer including programming language. On the other hand a hidden factor in client side (end point) looks without significant improvement. Apart from that the smartphone geometric level of growth . So, I forseen that information technology world requires a new revolution to end point platform. See whether there is a new concept of client platform technology announces tomorrow?

Note: AWS, Azure and Office 365 are ready for Blockchain (hyperledger) services (see above diagram). Be a innovative IT management. Don’t wait. Now please try to jump to Blockchain (hyperledger) services. You will love it!

Status update 19th Feb 2018 – The deluge push the earth to next generation.Bitcoin and hyperledger technologies such a way transform their new generation to the financial business world. Dubai a former big brother leading the natural resources supply to the world especially petroleum. Now they are keen to leads bitcoin and hypledger technologies. I wishes of their success. See whether what is the new technique can be renovate the blockchain and hyperledger world.

 

 

2017, cyber security incident news highlight

Another Force Awakens – Bleichenbacher Attack on TLS

Leave a comment

X’mas is coming soon! I am waiting to watch the movie “Star War – The last Jedi” coming Friday. The cyber attack so called ROBOT (Return of Bleichenbacher’s Oracle Attack) looks doing the celebration. looks doing the celebration coming Star War movie. TLS base attack type hottest recent year.. Vendors remediation details shown as below:

Cisco https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171212-bleichenbacher

Citrix https://support.citrix.com/article/CTX230238

F5 https://support.f5.com/csp/article/K21905460

Oracle – https://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

Virus & Malware

Descendants of the spyware or malware

Malware activities life not easy since malware detector is common and popular. Even though the malware circumvent the detector but it is hard to bypass the monitor of SOC because of SIEM product. It looks that it limit space for spy or malware to hunt your data. The design weakness of malware is that it requires a static connectivity to C&C. I foresee that the descendants of spyware or malware will deploy similar of  smartphone technology relies on HTTP connection (Setting headers in POST request with Java). The spyware or malware make use of this method is able to dynamic connection to destination. Such method benefits to fool the defense mechanism.  To be honest, send JSON data from the client side is popular today. It is hard to judge. Hacker more focusing on application design weakness is ongoing trend of cyber security world. Should you be interested of related details, please refer to following url for reference.

Layer 7 (application layer) – What is the information security key factors?

Blockchain

Sunday (10th Dec 2017) – Crypto currencies won the battle at this moment.

On Sunday (10th Dec 2017), Chicago Board Options Exchange has allowed investors to place their bets on crypto currencies commodities. Seems Crypto currencies won the battle at this moment. Perhaps we now living in digital world. IoT, BYOD, AI, and enterprise firm keen to do the digital transformation. Similar Charles Dickens said in his famous fiction (A Tale of Two Cities), it was the best of times, it was the worst of times. Let’s celebrates Chicago Board Options Exchange has allowed investors to place their bets on commodities from corn to steel (see below URL – CNN News)

New step for Bitcoin’s wild ride: Futures trading

http://money.cnn.com/2017/12/10/investing/bitcoin-chicago-board-options-exchange/index.html

2017, cyber security incident news highlight

Believe it or not? Homeland security twin brother!

Chinese people mantra, your face may similar to other people. This theory also apply to everything. I agree and believe the US government homeland security web site are unique. Believe it or not , the web site naming convention and contents looks similar to homeland security. However the web site not protected by Akamai network . They do not belongs to US government. To be honest, it make you confused! URL shown as below:

http://www.homelandsecurity.com

The picture diagram can provides the details to you for reference.

2017, cyber security incident news highlight

The Force Awakens – but it is Apache struts vulnerability!

1 Comment

Apache struts seems a instigator on Equifax data breach incident. An announced by US Homeland security this week to urge IT guy staying alert on New found Apache Struts vulnerability again (see below URL). My comments on this vulnerability is that it expand the attack space or vector . Why? Are you familiar with REST client. It reproduce a new playground for hacker since it is allow to start the attack to Apache Strust product on mobile phone.  We noticed that Cisco products are also the Struts users (see below)

Vulnerability detail (see below):

https://tools.cisco.com/security/center/viewAlert.x?alertId=56116&vs_f=Alert%20RSS&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Apache%20Struts%20REST%20Plugin%20JSON%20Library%20Denial%20of%20Service%20Vulnerability&vs_k=1

Cisco products are also the Struts users (see below)

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Application Development

Out of memory bounds implication – a never ending story

Preface

In cyber security world, we are in frequent heard a term privileges escalation. IT guy familiar buffer overflow causes privileges escalation vulnerability of Windows 2000 operating system. Seems buffer overflow issue not only happened in Microsoft product, even through you are using Linux. It will happen. As of today, Apple iPhone and Google Android phone are possible encountered this technical issue. But what’s the major element trigger this cause. It includes software application , operating system driver, Libraries and programming language!

Out of memory bounds status similar a ninja, he can bypass ASLR protection

Above design limitation is an example to show the out of memory bounds concern in computer world. Yes, this issue cover all the computer world and not only limited on Microsoft products. But what is the design difficulties of system designer (OS kernel or software driver)? Basically, the system designer has flexibility to use the memory address in their design. The overall status was changed because of malware born in the computer world. Regarding to my study in Microsoft Technet blog discussion so far. It was a tremendous hard job.

We might feel that Windows 2012R2 design looks perfect since it is a mature product since it summarizes the technical weakness and design limitation experiences in former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 bring me to attention of this matter. The issue was that system owner only delete network interfaces on a server that is running Windows Server 2012 R2 or Windows Server 2012, a random and intermittent crashes on the system

  • 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  • 0X139: KERNEL_SECURITY_CHECK_FAILURE
  • 0x3B: SYSTEM_SERVICE_EXCEPTION

Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

This case reveal to the computer world that memory under the memory protection features (Address space layout randomization protection (ASLR) and Data Execution Prevention (DEP) ). Kernel and driver designers are also headache in this matter. The key word “Prefect” does not appear in realistic world. Those memory protection facilities not prefect. Should you have interested of this item. Please refer below url for reference.

Hints: Cyber security experts aware that memory reuse and privileges escalation. The above our of memory bounds informative diagram specially show an idea how does hacker execute the malicious code of program in user mode instead of kernel mode.

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

My bias pin point to Microsoft product, let’s jump to Linux world.

The BYOD and IoT devices empower Linux operating system digital world achievement. It looks that a lot of people similar to my opinion! They will accept the excuse to this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two ways of memory accessible to the programmer.

a. User’s virtual memory space in which application to run.

b. Register memory

From technical point of view, similar embarrass situation (memory corruption) has been occurred in Linux operating system.

  • Buffer overflow – Overwrite beyond allocated length
  • Index of array out of bounds: (array index overflow – index too large/underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run time error occurs when you try to point illegal memory space, usually address 0 which is reserved for OS.
  • Pointer persistence – Function returning a pointer from the stack which can get overwritten by the calling function (in this case main()):

In fact that the smartphone operating system especially Android, the cyber attack hit rate are equivalent to common office automation software application. For more details, please see below diagram for reference.

To conduct a review of the cyber attack.The cyber attack target memory address is not a new findings in mobile phone world. For instance, Huawei mobile phone encountered Out-of-Bounds Memory Access Vulnerability in the Boot Loaders on April 2017 (CVE-2017-8149). Regarding to CVE record details, this vulnerability affects an unknown function of the component Boot Loader. The manipulation as part of a Parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if vulnerability successful exploit. The impact could cause out-of-bounds memory read, leading to continuous system reboot.

My comment in regards to this technical issue (out of memory bounds)

The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

How about in programming language, will it happen in this area?

Yes, it will happen. See what’s going on in programming language now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to PHP language. Details shown as below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.

Conclusion:

Memory out of bounds looks will be happen in digital world. Sounds like a tumor in animals and human body. The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

Life is not easy especially IT world. But sometimes it have fun! Wishes Merry X’mas and Happy New year.

Data privacy

How much is your data privacy value today?

We all aware that our activities in cyber world are under surveillance. But do you alert that even though there is no any surveillance, malware to sniff your data. Your loyal and data protection guard install on your workstation and server keep track of you daily. Perhaps you have the basic understanding on how antivirus vendor make use of your data. It is so called meta data. From on going computer cyber trend, artificial intelligence and Big data analytic intend to collect the data. But take oversight over the world. It looks that there are gap of the data collection policy. For instance, we are chosen Brand A antivirus band this year. But next year, we would like to use another brand of antivirus program. As far as I know, the disclaimer of antivirus vendor do not mention in detail how they are going to disposal the meta data belongs to you. To be honest, it is hard to erase your workstation meta data in their repository. Perhaps the vendor told you no personal information will be collected on this function. They are only keep track the antivirus or malware attack behavior. If such monitor not running in 24 hours. How does the monitor and detect functions work well. You may aware that  your loyal antivirus program also keep track of your activities!