All posts by admin

2017, Blockchain, cyber security incident news highlight

Would you mind someone sharing your CPU power during your site visit?

1 Comment

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

https://hk.news.appledaily.com/local/daily/article/20171203/20233090

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.

 

2017, cyber security incident news highlight

Nautilus & Neuron

3 Comments

The hostile country collect the government confidential information and business economic details not similar 70’s. A group of people so called spy infiltrated to foreign country. It reduces the overall injury. The conceptual idea of malware implement to computer world equivalent the task of spy. National cyber security center urge the IT admin around the world staying alert to current suspicious network activities issued by Turla Group. Read few technical articles, the overall comments is that they are support by country. The most famous tools (rootkit) “snake” was designed by this group. Since “snake” implemented few years. Therefore a new tools (Nautilus and Neuron) has been deployed to replacing the “snake” position. The new tools primary focusing on two microsoft products (Exchange and IIS server). However the target will be focus on both client (endpoint) and server. Read the technical articles is a burden to IT guy since many cyber attacks in frequent. The quick and dirty way to provide a shortest path to IT guy is a key term. What to do, right. Yes, below free of charge scan tool provided by Microsoft will help you in this regard (refer below url for reference). 

https://www.microsoft.com/en-us/wdsi/products/scanner

Asia, country cyber law

China IPv6 implementation Road map. Will it be burden on current surveillance task?

A tough new cyber security law has been in placed in China on June 2017. The United States submitted document to WTO Services Council, said if China’s new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad. A IP V6 road map announcement by General Office of the State Council of the PRC on 26th Nov 2017. The road map driven whole network, application and computer prioritize IPV6 connectivity.We known that RFC 4941 defining “privacy extensions for IPv6” autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of the device’s MAC address. As a result it is better to avoid surveillance and tracking. The surveillance program in China has difference comparing with other country. Since monitoring network behavior or so called surveillance is the China government policy. See whether RFC 4941 will be a burden in coming future.

What’s happen on next?

2017, cyber security incident news highlight

NECURS BOTNET – Alert

Heard that NECURS BOTNET activities growth rapidly.Their major goal is deliver ransomware through email spam or email scam. A announcement broadcast by SANS on 1st Nov 2017 alert that Necurs Botnet malspam pushes Locky using DDE attack. Necurs bot relies on MSword document embedded malware compromise your machine. For instance a Word document embedded objects that call Powershell to compromise your machine. Apart from that they will make use of DDE. NEcurus botnet has a brilliant history. Since his design feature can protect itself to bypass the current detection mechanism. Even through DNS protection is a popular defense mechanism today. But he is not afraid. His program design looks like a assembly so it enhance his infection feature. Should you have interest to know more details, the attach picture can tell. For more details about the status update. Please refer below url for reference.

https://threatpost.com/necurs-based-dde-attacks-now-spreading-locky-ransomware/128554/

2017, cyber security incident news highlight

There are more windows OS components did not included ASLR protection feature

Seems heard a vulnerability occurs on microsoft product did not trigger your interest. The easy way for IT guy to mitigate the risk is conduct a patch update. But CVE-2017-11882 heads up the world that there are more windows OS components did not included ASLR protection feature. May be you could say Microsoft product do not relies on ASLR since they has Data Execution Prevention (DEP). We known Data Execution Prevention (DEP) is a system-level memory protection feature. However a practical example of CVE-2017-11882 occured on Microsoft office product could compromised your machine. Hacker more focus to dig out vulnerability on word processing product since human relies on electronic documentation daily.  Microsoft release the patch to mitigate this risk (see below). But a reminder to the world there are more MS components do not enable randomizes address function. Yes, no randomizes address function will be benefits to hacker. Which industry on demand to use MS equation editor function. Scientist, high tech industry especially military and nuclear power facilities management.

https://portal.msrc.microsoft.com/en-US/security-guidance

2017, cyber security incident news highlight

Windows Junction Points looks like malware helper – AvGator

A tremendous news exposed that malware relies on Microsoft design limitation (Windows Junction Points) recovered itself after quarantine. A related flaw found on following antivirus vendor. They areTrend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Now vendors released patches for affected products.

Do you still remember that American government Allegation Kaspersky that a spy tool embedded in their product. My personal opinion is that Kapersky is the victim of this allegation.However do you think this is part of the spy method? What is the name of this attack. His name is AVGater. For more details, please refer below url:

https://forum.kaspersky.com/index.php?/topic/382512-exploit-avgater/

2017, cyber security incident news highlight

Doubt? See whether similar problem will be happen in future?

Heard that in Infineon chip set has vulnerability occurs. Since security expert found the vulnerability in new German national ID card since 2010. However a technical article (ZdNet) report last week that a chip crypto flaws vulnerability occured in Spain ID card. Per announcement by NIST, this vulnerability file to CVE database (CVE-2017-15361). A security vulnerability was found in the implementation of RSA keypair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012. Any doubts? For more details about this vulnerability. Please see below url for reference.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

Reference: Hong Kong Government to Use Infineon’s Chip Card Technology in Smart Identification Card Project – announcement June 2002 (see below url for reference)

https://www.infineon.com/cms/en/about-infineon/press/market-news/2002/129155.html

2017, cyber security incident news highlight

To usher the wolf into the S3 Cloud

CNN interview a research Friday (17th Nov 2017) in discussion of US government Pentagon exposed huge amounts of web-monitoring data in a security failure which given by Amazon S3 buckets. I was wondering the similar data breaches not only happened in Pentagon. As far as we know ,a consulting firm found data breach few month ago on S3 bucket. But the scalability of Amazon Cloud are huge. How does bad guy or people who carry with interest find out the details? It looks that the culprit is Amazon itself. A useful tool open to public so called (ip-ranges.json). You relies on this tool can locate the IP address range of Amazon S3 bucket. Since IP address and service package expose to public. It such away increasing the attack surface. Should you have interest of CNN news. Please refer to below url for reference. Reminded that CNN did not provide those json script.Maybe you dig out the hints of my picture.

http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

Oct 2017 – Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server(see below url):

http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm

Updated on November 28, 2017 – Top Secret NSA and Army Data Leaked Online:

https://www.upguard.com/breaches/cloud-leak-inscom

1st Dec 2017 – Over 100GB of Secret Consumer Credit Data Leaked Online. Claimed that misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.

https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/?es_p=5544850

 

Application Development

Perspective of e-Wallet Vulnerability

8 Comments

Preface:

Java, NodeJS, Python, ObjC with Xcode and GO are the popular programming language for develop of e-wallet application. It looks that some of the programmer favor of Java language since it is a common programming language.

New technology, but targeting approach by hacker remain unchanged

Reporting of Cybersecurity Incidents – InfoSec Resources

Jul 2017 – Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Nov 2017 – Parity wallet vulnerability freezes US$278 million of ethereum. The company patched the bug encountered on July 2017. However the code still present bugs and therefore freeze the crypto currency in the wallet.

* Ethereum wallet is implemented in C++ programming language

Feb 2012 – exposes a PIN vulnerability in Google Wallet security.

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

Common Security Vulnerabilities in a Digital Wallet

  • The registration process does not identify fraud verification of the user’s information card information.
  • Develop programming language encountered design limitation (vulnerability).

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

How is e-wallet different from cryptocurrency wallet on cyber security viewpoint?

Bitcoin is a cyrptocurrency. You need a wallet to keep your bitcoins. But Bitcoin underlying technology is block chain which cannot be counterfeited. If ever there is an issue with a transfer of funds, Bitcoin protocol settles it through consensus.

The e-wallet currency is traditional currency.It uses the secure 256bit Advanced Encryption Standard (AES) for encrypting information in your wallet. If a hacker tries a brute force attack relies on computer enter possible random-number strings at top speed it would take more than a billion years to exhaust all the possibilities.

Observation: It  looks that  both type of wallet contained hack proofed feature. But is there any underlying reason make those wallet in risk?

The Java, NodeJS, Python, ObjC with Xcode and GO are the main trend of the programming language today. Why does application developer like Java? Java is a platform Independent. Means Java does not depend on hardware and OS. Java platform fully compatible with all computers. Even through it is a mainframe computer. However the cyber security incidents from past awake the IT world that even though you are using block-chain technology platform. The other side of end point might encounter cyber attack which causes data breach or compromised of both machines. From security point of view, the overall risk rating for e-business applications including cryptocurrency or traditional currency payment transfer system are equal.

Traditional way bring people consider endpoint security but ignore other possibilities factors which are in risk!

About programming language

Python

Language: Python is a dynamically type language. Java is better characterized as a low-level implementation language.

Use of VARIABLE: No requires to declare any variables. You can mix object-oriented and imperative programming you run the code directly.

Run time speed: Slower than Java

Java

Language: Java is a statically typed language. Python is much better suited as a “glue” language.

Use of Variable: Requires to define the type of each variable, it’s object oriented in the sense that you cannot write any code without defining a class, you also invoke a compiler to compiler the code then you can run it.

Runtime speed: Run faster than python

Node.js

Language: Node.js is not a programming language. The programming language is Javascript. But Node.js not similar JavaScript framework. A group of authors define a new frameworks specifically for Node.js, It includes Express.js, Restify.js, and Hapi.js.

Use of Variable: When you declare methods without using var (function <function_name>() {}), those function declarations are moved to the top of the local scope. If you manually declare you functions, you have to wait until they are both declared before you can use them.

Runtime speed: Refer to benchmark table

C++ vs. Python vs. PHP vs. Java vs. Others performance benchmark (2016 Q3)

GO

Language: Go is an open source programming language designed for building simple, fast, and reliable software. The introduction phase for GO is written in C. The libraries are written by google developer itself. Now the compiler has been rewritten in Go, so it is fully self-hosting by Google.

Variable: The type of variable is automatically judged by the compiler based on the value passed to it.

Runtime speed: Refer to below benchmark table

ObjC with Xcode

Language: Xcode supports C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, Rez, and Swift source code with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.

Variable: It is important to note that ObjC does not support class variables. But developer can simulate static variables

Runtime speed: Objective-C is slightly slower than straight C function calls because of the lookups involved in its dynamic nature.

Security Focus

 

Since no bug proof software or hardware in the world and therefore the practical operation expose the design weakness (vulnerability). Refer to informative diagram table below , Java and php looks unsecure because of the accumulate vulnerability records.

But why Java and PHP programming language are popular in the IT world. Even though Node.js framework make use of Java language. I believe that it is the fate of the IT product market. Perhaps Java bring security worries to the world. However java language provide a comprehensive functions. E-wallet looks has benefits running on Apple iPhone OS. Since it is a proprietary environment. From security prospective, it is better than opensource OS since it looks a black hole. Perhaps vulnerability occurs, the vendor (Apple) will conduct the remediation immediately. As mentioned iOS is a proprietary environment and such away avoid multiple vulnerabilities occurs simultaneously.

Example of multiple vulnerabilities: For instance Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products (September 2017). On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. However those vulnerability affected a series of Cisco products since those voice and media management products deployed Apache Structs 2.

E-Wallet on top of mobile device platform

The Near Field Communication (NFC) payment wallets designed by GSMA program project. It relies on SIM based technique support the payment service in past. But Android M break the ice develop other alternative for online payment electronic wallet. From security point of view, the new android system architecture of the design provide sandbox feature enhance the security (see below). If we believe that it is a trustworthy environment then we move our security concerns to e-wallet SDK.

Most likely the technology trend will be form into two different way. The retail shop remain to use near field communication technique secure the payment transaction. For online payment transaction like Master card, Paypal and Alipay will lead the online payment solution. As mentioned the vulnerability found in online e-wallet SDK more or less will involved in programming language. For more details, please see below:

Instance 1: A cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter (CVE-2017-6099).

Instance 2: The Android source code file (internal/telephony/SMSDispatcher.java) does not properly construct warnings about premium SMS messages, which allows attackers to spoof the premium-payment confirmation dialog via a crafted application, aka internal bug 28557603 (CVE-2016-3883)

Reference: Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01

Instance 3: Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page (CVE-2017-5110).

Instance 4: Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Refer to above details, the argument can confirm that programming language is the important factor in e-wallet development. Even through it is a cryptocurrency wallet. The overall security level of protection for a eletronic payment system must include programming language as a major factor.

End of discussion……!

Information Supplement (under observation)

Typically, a program consists of instructions tell the computer what to do. Thus what types of data will be used when it is running will be responsible by variable. In the Java programming language, the words field and variable are both one and the same thing. Variables are devices that are used to store data, such as a number, or a string of character data. The enumerate() is one of the built-in Python functions. It returns an enumerate object. In our case that object is a list of tuples (immutable lists), each containing a pair of count/index and value. However variable can be rebound at any time, so no consistent use as an enumerator. This is a vulnerability encountered in python.

* An enumeration is a set of symbolic names (members) bound to unique, constant values.

But comparing with Java and Python CVE checklist. It shown that Python programming language hit vulnerability less than Java programming language .

 

 

Blockchain, IoT

Reveal block chain technology secret – he is the Genesis-of-Bible

7 Comments

Preface

Blockchain technology is the hottest topic last few years. Actually a similar of block technology already infiltrate into our world since genesis of the world. Do you still remember that in your student age attend chemistry lesson. A boring subject introduce the four principle orbitals (s, p, d, and f) which are filled according to the energy level and valence electrons of the element (see below for reference).  They are the block chain fundamental concept.

The genesis did not mentioned in high profile until blockchain technology do the renovation!

We are easy to find out the key elements of blockchain on internet. According to my observation so far, the result might not similar. My observation summary are function, element and the lifetime (life cycle). See below details for reference (another boring diagram)

The blockchain technology reveal those three items of key element since Bitcoin currency concept found 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world is crypto currency (Bitcoin) until ENIGMA found another new idea of concept and announced to public in 2017.

Modern world concerning data privacy blockchain can do it better

In reference to technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland. It shown that an advanced encryption scheme (secure multi-party computation) provides more advance benefits comparing with key encryption concept.

Blockchain technology shown his expandable feature to the world he is not limit to cryptocurrency.

Enigma technology pioneer to introduce the expandability on blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-Factor authentication, identity,IoT, distrubuted personal data stores, crypto bank, E-Voting and Bitcoin Wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology in regards to storage, manage and use (the highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen design weakness in data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weakness. Even though you are now using TLS 1.3, it is hard to guarantee the asymmetric cryptography will be encountered another vulnerability in future.

E-Voting: An data breach occurred last year (2016) on election of US president. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure avoid data breach

We noticed that banking industry have tough and demanding compliance requirements. Some sort of policy they are not able to outsource the hosting facilities to cloud computing environment. As a matter of fact, I totally agree with their auditors concerns of data ownership and governance of data. We heard a data breach on Amazon Simple Storage Service (S3) — Cloud Storage this year. However the on-going technology trend is going to do the system integration to cloud computing. It looks that the IT world no way to escape the cloud technology integrate to their IT infrastructure. Block chain technology itself embedded strong encryption feature which can replace traditional network transport and data protection mechanism. Even though hacker break through the public cloud computing farm, hacker not easy to decrypt the data.

How about ransomware attack?

Blockchain solutions are decentralized – a scenario may happen that ransomware encrypted the data belongs to specifics cyber victim. But another range of clients may not affected.

Who’s is ready to playing this game?

Let’s do a review on current cloud facilities located in APAC country. In the meantime AWS did not install their hosting in China and Hong Kong. But service (blockchain-as-a-service) is available,The nearest zone which have AWS hosting facility installed is Singapore. In such a way bring the advantage to Microsoft Azure cloud became a market leader in this area (see below reference).

According to the blockchain key elements: function, element and life cycle. Blockchain can conduct like a theory apply to technology world without limitation.

Let take a closer look of blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those country who would like to implement the Smart City. Blockchain technology is the key project element which they cannot escape.

A Breakthrough for City Innovation driven by blockchain technology

  1. Single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Provides integrated solutions for local commerce across retailers, service providers, dining, and lodging internal system migrate to the cloud (blockchain-as-a-service).