All posts by admin

More regulations has been implemented in China. Hey CIO,CTO and CISO any doubt?


The policies enforcement trend in China eager to enhance existing cyber security and governance in China. Perhaps our focus of this discussion pure on IT operation and information security and therefore any other background we are not going to surmise.

Censorship People’s Republic of China on behalf of Legal basis and regulations

As usual, different country maintain their regulations and view point in order to enhance their governance in their country. It looks that there is no way to refuse since you are entitle to enjoys the social benefits of their country includes environment and culture. And therefore a obligation to the individual able to follow the Law and regulations.

An official announcement of new regulations bring misgiving to business industries especially technology units.

Since cryptographic techniques implement to all business industries nowadays especially banking financial, publisher, pharmaceutical and manufacturing. In order to fulfill their company costs saving plan, The IPsec site-to-site VPN tunnel deployment is in high demand. Since it is easy to setup once Firewall and Internet are ready in your company. However this method not compliance to China regulation so far. Perhaps last few years China government not proactive enforce the regulation. And such away lets the world believe that this is the appropriate data communications method for cross border environment solution in China.

Internet Security Law of the People ‘s Republic of China let foreign country IT department in hover !

The new cyber security law has been ennounced on 1st June 2017. The Article 5 looks with powerful privileges which causes solicitor, data privacy expert headache! Let take a closer look of Article 5 (see below)

Article 5 The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Techincal view point: In the sense that even though your web hosting not located in Greater China area once there is one endpoint located in Greater China the computer owner require to follow the new law.

What’s the status today?

Since popular personal VPN client services provider was all blocked. The government objective is avoid a Chinese language term (翻牆). The English language term that is pass through firewall wall. As of today whatsapp messenger is not able to use in China. The expertise speculated that a major communist party gathering next month and therefore China government now tighten the censorship activities. it looks that the speculation make sense! The next action is to block internet unauthorized VPNs from 2018.

Let’s review the implementation time table


Hints! Provide short cut information to CIO, CTO and CISO

As of today, there are total three communication vendor are authorizes to run the internet private circuit in China (see below). The definition of internet private circuit is MPLS instead of IPSec VPN.

  • China telecom
  • China Unicom
  • China Mobile

For data encryption product, there is no solid guideline since the approved product list looks not shown up yet.


Since China has launched 14-month nationwide campaign against unauthorized internet connection includes VPN services (IPSec site-to-site and VPN client) to bypass the China country firewall (Great Firewall). The “cleanup” activities will be end until March 2018. As such, it is hard to drawn into summary at the moment.


China ban VPN connectivity – current status Aug 2017

Greater China – New version of cyber security law with effective 1st June 2017

Assurance level of 3rd party software – Part 1


As we know google did the 3rd party application assurance last few months. Their objective is intend to fight against unknown malicious code embedded in software.

Hidden malicious code history

Metamorphic code (Win32/Simile)  was born on 2002 written in assembly language which target Microsoft software operating system products. As time goes by, the 2nd generation of metamorphic code capable changing what registers to use, changing flow control with jumps, changing machine instructions to equivalent ones or reordering independent instructions.

*Metamorphic code can also mean that a virus is capable of infecting executables from two or more different operating systems (such as Windows and GNU/Linux) or even different computer architectures.

Malware/RootKit infection from software device driver to Smartphone

A revolution of technology world on 2007 driven by Apple iPhone and Android. Thus such a way driven malware and rootkit re-engineering their architecture. As a result, their implant destination not limit on device drive itself. It also includes smartphone 3rd party application.

Part 1 – Microsoft OS products, rooting your software driver technique overview 

An important step lets the hacker do the hook or infiltrate job is to identify the usable memory space.  A parameter so called KeServiceDescriptorTableShadow. Using KeServiceDescriptorTable variable exported by ntoskrnl.exe, we can get the address of KeServiceDescriptorTableShadow variable. KeServiceDescriptorTableShadow is an extension of
KeServiceDescriptorTable variable.

Below syntax get the address of KeServiceDescriptorTableShadow by comparing memories around KeServiceDescriptorTable.

typedef struct _SERVICE_DESCRIPTOR_TABLE { PULONG ServiceTable; // array of entry-points PULONG puCounterTable; // array of counters ULONG uTableSize; // number of table entries PUCHAR pbArgumentTable; // array of byte counts } SERVICE_DESCRIPTOR_TABLE, *PSERVICE_DESCRIPTOR_TABLE;

Below syntax is retrieves its address in different version of Windows.

 ULONG Index;
 UONG MajorVersion, MinorVersion, BuildNumber;
 PsGetVersion(&MajorVersion, &MinorVersion, &BuildNumber, &CSDVersion);
 if(MajorVersion == 5 && MinorVersion == 1) // Windows XP
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable - 0x40);
 else // Windows 2000, or Windows Vista
 SDTShadow = (PUCHAR)((ULONG)&KeServiceDescriptorTable + 0x40);
 for(Index = 0; Index < 0x1000; Index ++, SDTShadow ++)
 KeServiceDescriptorTableShadow = (PSERVICE_DESCRIPTOR_TABLE)SDTShadow;
 if(KeServiceDescriptorTableShadow == &KeServiceDescriptorTable)
 if(memcmp(KeServiceDescriptorTableShadow, &KeServiceDescriptorTable, 0x10) == 0 
 && ((UCHAR)KeServiceDescriptorTableShadow->ServiceTable & 3) == 0)
 return NULL;
 return NULL;

Below details on the picture left hand side show you the step how to relies on driver hook into the kernel process. In end-user point of view, there is a simple way to identify the current driver load into your PC or server. You just execute a command fltmc in your MS-DOS prompt. There is not require any assembly language knowledge. It is a simple and direct path to let you know how many 3rd party driver load into the windows kernel. For more details, please refer to right hand side in below picture.


Hacker is difficult to find available address space due to ASLR technique. (see below URL for reference)

The enemy of ASLR (Address space layout randomization) – memory leak

Even though ASLR has design limitation might have possibility let hacker implant malware. However a better idea is that take easy way instead of difficult way. A way confirm that it is possible. From technical point of view, ASLR avoid hacker know the actual memory address.  How about run the malicious code driver and ASLR mechanism at the same time (simultaneously).That is pre-install a 3rd party driver with malicious code embedded then load the software driver during operating system startup. The way similar antivirus product using API hooking allows the antivirus to see exactly what function is called.

- Loading drivers
- Starting new processes
- Process executable image
System DLL: ntdll.dll (2 different binaries for WoW64 processes)
- Runtime loaded PE images – import table, LoadLibrary, LoadLibraryEx[1], NtMapViewOfSection

Antivirus software may use SSDT hooking (System Service Dispatch Table hooking) on 32-bit operation.  On a 64-bit system, a KM (kernel module) driver can only be loaded if it has a digital signature. And therefore hacker could be focus on 32 bit OS instead of 64 bit.

How to run 32-bit applications on x64?

In order to maintain complete code separation, running 32-bit code on a 64-bit operating system design with a destinate folder named \Windows\SysWOW64 that is used to store the 32-bit DLLs to meet the design objective. Meanwhile the x64 version of Windows uses the \windows\system32 folder for 64-bit DLLs. Below diagram shown that the WOW64 emulator responsible for file system redirection for several key components of the Windows operating system.

To identify 32 bit and 64 bit environment changes depending on the registry key. For instance, the ‘rundll32’ is point to the specify registry (HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\CurrentVersion\Run).

Therefore it will execute the following command.


This is the 32-bit version program thus everything will be remapped accordingly (see below diagram for reference)

Above details shown the registry and file redirection mechanism to execute 32 bit application on 64 bit of operating system. It looks fine that application not possible to work with incorrect bits environment since it governance by registry. However a fundamental design architecture looks provide benefits to the hacker (see below diagram for reference):

Above diagram indicated that software device driver module allow 32-bit software driver go thought module (WOW64) communicate with 64-bit Kernel function. So it has possibility go through the software driver then compromise the system. From security point of view, the server or workstation Antivirus processes will keep track all DLL activities on directory (c:\windows\SysWoW64). So what is the malware next action?

Malware next action

A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring. A hacking technique so called Register load image callback (see below)


How to prevent PsSetLoadImageNotifyRoutine

Microsoft have solution available against register load image callback flaw. Developer can define a minifilter (FltGetFileNameInformationUnsafe) to confirm the routine returns name information for an open file or directory. And therefore it is the way to avoid the fundamental design limitation of API system Call mechanism (PsSetLoadImageNotifyRoutine).

But what is the causes for system developers not intend to use this preventive mechanism.

FltGetFileNameInformationUnsafe allocates it’s own memory for the structure. As a result it will encountered blue screen and system crash once 3rd party software driver not follow the SDLC (software development life cycle).

Alternative type of attack  (This time does not intend to discuss in detail)

A rootkit will create a hidden partition, at the end of the drive, 1 – 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

Rootkit categories:

Operation feature

Persistent rootkit is one that is activated every time the system starts up.

Non-persistent rootkit is not capable of automatically running again after the system has been restarted.

Operation mode

User mode: this kind of rootkit hooks system calls and filters the information returned by the APIs (Application Programming Interface)

Kernel mode : these rootkits modify the kernel data structures, as well as they hook the kernel’s own APIs. It compromise the antivirus program at the same time. This is the most reliable and robust way of intercepting the system.


Even though your IT infrastructure install full scope of detective and preventive control facilities. The 3rd software driver will broken your security facilities. Perhaps you have SIEM and central log event management product however such malicious activities is hard to detect since it is running in Kernel (Ring 0).  So a standard policy on software usage is critical goal on today cyber technology world. Believe it or not, a 3rd party software driver embedded malicious code can break your great wall.








Military or Business Industry, Windows OS peripheral control bring to attention.



Since the version of Windows XP, the Windows operating system feature embedded functionality of industrial applications.  However the motivation of factor on re-engineering of system depends on customer demand.

Case study details:

The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015 

Information Background – According to SPAWAR official announcement on Jun 2015. The renewal process will buy the Navy time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities.

* The Space and Naval Warfare Systems Command (SPAWAR), based in San Diego, is an Echelon II organization within the United States Navy and is the Navy’s technical authority and acquisition command for C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), business information technology and space systems.

Doubt – known design limitations

a. Windows OS system – The re-engineering schedule instead of Windows XP operating system.

  1. US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015. As of today, we believed that the operating system update has been done. However a valid design weakness on Windows operation system found on 2014 till today. It found by security expert that a kernel flaw appears to all version on Microsoft operating system platform since end of 2014 (see below picture diagram for references). From my personal point of view. I agree with Microsoft official comment on their announcement, this is not a security issue (device driver inject rootkit). My stand point is that the Windows operating system fundamental design objective does not catering for mission critical industries especially Nuclear power facility and military industry.  However the modern technology industries deploying in formal fashion of manner. Yes, I agree that the manufacture industry and business automation not shown the side effect of design limitation. But on mission critical industries, the design capability limitation similar a technology kill chain! Information security is a continuous program. Microsoft operation system  don’t have exception. A group of security expert re-open this flaw recently (Inside NT’s Asynchronous Procedure Call).  Asynchronous Procedure Calls (APCs) are a fundamental building block in NT’s asynchronous processing architecture. This architecture still valid till today.

The security expert highlight the flaw in regards to the following items. 

If you are not interested in technical descriptions detail, you can skip and jump to below item 2.

As a device driver writer, you can rely on APCs to execute a routine in a particular thread context without that thread’s intervention or consent whenever no guarantee of its address space’s availability can be made.  Since APC mechanism not on Ring 3 and therefore the fundamental of design not enforce protect this mechanism. As a result, a weakness was found in this place. The PsSetLoadImageNotifyRoutine function registers a notification function that is called when the image is loaded or the image is mapped to memory. The operating system calls the registered callback function after displaying the image executed in the user space or in the kernel space (just what we need, because the drivers are just loaded into the kernel), before the execution of the image. The main weakness of software driver integration with operating system is given by PsSetLoadImageNotifyRoutine.

* The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

As we know, antivirus software using kernel driver to inject code into all all running processes. The antivirus software register for image creation notification and then queue some APCs that will execute in user mode and do the injection. Since the security level of protection of device driver on Windows OS all depends on 3rd party developer design.  A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring.

Device driver rootkit code (sample)

mov eax, [ebp+ImageInfo]
push dword ptr [eax+4]


Do you think the developer alert this issue on their design phase? From logical point of view, this unknown threat not announce to the world. Most of the protection mechanisms are implement falls under File, Registry, Process, DLL Load. Microsoft don’t allow anyone to hook the SSDT. For my comments, the system development cycle is division of job and therefore this protection mechanism will be fall into cyber security team job scope. As are result, the protection mechanism will be relies on antivirus and malware detection software. But the specific threat might evade malware scanner custodian.

It looks that remediation step on critical industries especially Nuclear Power facilities and Military Dept might do a audit.  As soon as possible to develop the protection mechanism through SSDT hooking.

2. Satellite communication systems design limitation

Since this topic has been discuss previous.  For more details of related article. Please see below url for reference.

Perhaps military battleship can destroy everything, but it could not win in the digital war!



As of today (12th Sep 2017), my comments in regards to mission critical industries remain unchanged.  That is please re-confirm existing operating system peripherals issue before next action.

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology



Hedge funds will often use borrowed money to amplify their returns. One aspect that has set the hedge fund industry apart is the fact that hedge funds face less regulation than mutual funds and other investment vehicles. The Enigma team wants to build an environment where traders can also become hedge fund managers.

Understanding of the Enigma (Catalyst) system Platform


Enigma project objective: Enigma (Catalyst) platform wants to make it easy for developers to create trading robots and cryptocurrency funds, and then allow other users to emulate their success by purchasing funds/robots through an open marketplace.

Comment: In the sense that they would like to become the pioneer centralize the bitcoin types digital currencies. It looks like a global digital current exchange headquarter. In regards to the digital currency trend, the economic position of Bitcoin & Ethereum will be equivalent to traditional currencies in future. Regarding to our observation, the solid model of finance especially currencies of US dollar looks no longer become the leader of the world. It is better to develop a new concept to consolidated all the cash flow around the world compatible with popular OS system nowadays. According to the fundamental design, Enigma is the protocol run on protocol layer. In additional a platform so called catalyst. Catalyst is an algorithmic trading library for crypto-assets written in Python.


(Catalyst) system Platform OS requirement – Linux, Mac OS and windows 10

Catalyst platform – You are allowed to download  the source code from Website (GitHub) setup your environment for development.

Trading Strategies – You can browse a list of strategies submitted by the community through the Enigma’s web application: open an account, learn from others and create your own!

3rd Party APIs – Quantopian, Zipline, Pandas, Numpy & Matplotlib

matplotlib is a plotting library for the Python programming language and its numerical mathematics extension NumPy.

Quantopian is an online platform for algorithm development, testing and execution.  It offers a web-based Python editor interface with tight integration with a hosted version of their open-source back-testing framework Zipline.

Zipline is a Pythonic algorithmic trading library. It is an event-driven system that supports both backtesting and live-trading.

pandas is a software library written for the Python programming language for data manipulation and analysis

NumPy is a library for the Python programming language

Discussion checkpoint 1: The project objective of Enigma is going to build an environment where traders can also become hedge fund managers.

A common criteria on programming language – banking environment

J.P. Morgan uses Python for its Athena programme, and Bank of America Merrill Lynch has built Quartz using it. Python is now wide-spread across investment banking and hedge funds.

Discussion Checkpoint 2 : We known that Enigma introduce encryption technique so called homomorphic encryption. A way to encrypt data such that it can be shared with a third party and used in computations without it ever being decrypted.

A technical limitation is that bitcoin takes an average of 10 minutes before a transaction receives a network confirmation. What the benefits of Enigma?

  • Bitcoin’s block time is 10 minutes
  • Ethereum’s block time is 15 seconds.
  •  LITECOIN – It takes an average of 2.5 minutes for this process to complete.
  • MONERO – 1/5th of the time bitcoin generates a block, which does not include any anonymity features
  • RIPPLE – The average Ripple network block is generated in as little as 3.5 seconds.

What is the benefits of faster block time from cyber security viewpoint

Empty blocks are often actually good for the network. There is always a non-zero amount of time before miners calculate their next block template. From technical point of view it avoid a duplicate transaction counterfeit by anonymous party.

Defense in depth

It looks that new technology implement on Enigma digital currency platform (Catalyst) looks perfect. So can we say this is a perfect solution? But what is the background reason lets half million worth of digital currency in unknown status? News article claimed that the incident has been caused by email scam.  For more details, please see below url for reference.

With Enigma, the attackers used their access to announce a “pre-sale” via Enigma’s site, messaging channels, and email. They provided an Ethereum “address” they controlled for investors to send money to. And that’s exactly what happened, with users handing over 1,492 Ether — around $480,000 at current prices said Business insider UK.

Enigma crypto technology (see below) found by Nazi Germany during World War II.

Alan Turing (United Kingdom) and his attempts to crack the Enigma machinecode during World War II. The decryption method so called banburismus technique (see below)

But Hacker did not going to spend too much man power to break through the crypto system. They are smart to use social engineering technique (SCAM EMAIL) to mislead the investor send the money to a counterfeit site. This technique similar break through enigma crypto system use intercept technique.


My imagination (assumption and proof of concept)

Banburismus was a cryptanalytic process developed by Alan Turing at Bletchley Park in England during the Second World War. A program was initiated by Bletchley Park to design much faster bombes that could decrypt the four-rotor system (Enigma) in a reasonable time. The conceptual ideal shown as below:

A deduction step used by the bombe; while the actual intermediate values after the plugboard P — the “steckered” values — are unknown, if one is guessed then it is possible to use the crib to deduce other steckered values. Here, a guess that P(A) = Y can be used to deduce that P(T) = Q because A and T are linked at the 10th position in the crib.

Above conceptual idea looks have possibilities to crack the Enigma. But this is not the true structure of Enigma (Catalyst) platform. However value and Y and Q are the significant value and apply to similar concept of architecture design to other crypto system. So this is the design weakness of the equivalent.

Apart from that (Catalyst) system Platform & 3rd party APIs are deployed on Python programming language intensively. We agreed that it is hard to avoid vulnerability found on software and hardware today. But hacker execute code can more easy execute on system platform which install python on top.

A critical vulnerability occurs on Sep 2016 in Python.The vulnerability allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow (CVE-2016-5636). As a result it leading to arbitrary code execution. If similar vulnerability happen in future, Hacker not only compromise the fund manger Enigma (catalyst) platform, it might possibilities to amplifying the attack to the Enigma exchange.

Discussion checkpoint 3:  Engima official announcement  will be held on 11th Sep 2017. Let’ s see how the status of finance market to cryptocurrency world.  For sure that we will keep track the activities see whether any details let us to start another discussion.

We hope that the  Enigma (catalyst) system will succeed in the future.

Goal and Objective




Scientific versus Prejudice – Cyber war Part II


The scandal of NSA let the world know large scale survillence program over the world. Perhaps the objective of the NSA not only this matter. We known that a vulnerability happened on VSAT satellite system. It allow malicious SMS signal obfuscate the system operation. For more details, please refer to below URL.
The war happens today hard to avoid to involve cyber technology battle. This is the prelude of the discussion today. What if, my imagination comes true, what will happen in this battle?

NSA’s backdoor catalog (OS system and Network) exposed:

On exposed information, a group list of vendors name are included in their target list. As we know, we believed that Microsoft, Cisco products hidden their backdoor. However CEO of Cisco tell the world that their products did not have embedded backdoor. Microsoft president Brad Smith blamed the NSA spy agency tarnished their system design. Do you think those two big head is a actor or they are really don’t  know?
Conspiracy theory point of view on OS system ( merely personal opinion )

In conspiracy theory point of view, what is the reason for operation system vendor maintain SMB version 1 until NSA scandal exposed to the world then take the patching action. Perhaps if not WannaCry ransomware attack outbreak tarnished SMB 1 design limitation. Meanwhile hacker claimed that they are appreciate for NSA found this secret! Since nobody aware this issue until secret leak to the world! But who know what is the true factor let OS vendor delay SMB version 1 patching schedule till incident happen afterwards? (Microsoft released patches for all supported versions of Windows on the March 2017).

Conspiracy theory point of view on Network system ( merely personal opinion )

Based on the Shadow Brokers disclosed. The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011 but the other exploit’s vulnerability is entirely new. From logical point of view, it is hard to imagine that such big technology company did not know the design weakness of their product? Maybe they are trustworthy. Or Who know, God know?

Who dare say there is no unknown backdoor in hardware unit including CPU

Information Update on 31st Aug 2017 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Headline news today report that CPU vendor design computer according the requirement by customer , sometimes the client is a government. For instance, US government might compliance to their security standard (High Assurance Platform program so called HAP). However a design limitation was found. An official announcement by Intel in regards to this vulnerabilities on May 2017. Furthermore security experts found a unknown backdoor on Intel ME Chip. From technical point of view, this is not coincidence and speculated that both vulnerabilities has relationship.

From safety view point, it is impossible to use hostile national science and technology products


In defense and protective prospective, it was not possible to use hostile national science and technology products in military zone. Even though the hardware and operation system vendor are trustworthy. However the hostile country will try different to implant malware or infiltrate techniques to related system. For instance, Network equipment vendor (router, switch and firewall) do not know the design weakness will trigger such critical level of destructive result.  Below is a simple example to proof this concept.

Picture A is the reference of normal network operating scenario. We understand that internet world coexists with BGP network protocols.  The zoning driven by AS number (autonomous system number). The AS Using BGP to Distribute Routes. For instance, on picture B. The ISP D network equipment hits SNMP design flaw and encountered core OS buffer overflow causes privileges escalation. As a result the core router has been compromised. Base on BGP protocol hijack concept, the compromised router might obfuscate the network. It might have way to control the network routing path. I am not going to explain into details since it is a very long discussion. However if you base on above techincal terms and concept do a google search. You will be able to find the details. Yes, internet world is the big data. It  is free. 

Put above concept to the realistic world

Since above example is my imagination, however it will bring a solid idea to you. How serious level of destruction will be occurs in similar circumstances. So to protect yourself in cyber war battle seems better do not let your enemy know what type of equipment you are in use. Even though they are using CVE attack or Zero day attack. You equipment will be ignore those kind of cyber attack.

The focus of the discussion

I can’t written down a term of summary or conclusion right now. Since there are more and more information coming. However I need to study the details before continues this discussion. Ok, have a nice weekend. We discuss next time, Thank you! Bye!

Picture A – Normal scenario (request to reach adjacent side IP address)

Picture B – Telecommunication service provider network equipment compromised by hostile national.(As a result, the network traffic will route to their area and under their control)


Electronic War reference:








Perhaps military battleship can destroy everything, but it could not win in the digital war!

We heard battleships accident occurs this year. The most recent accident was that it collides with oil tanker near Singapore! (see below BBC news)

I am interested of cyber security technology and believed that Navy already has advanced cyber defense mechanism. The errors which occurred was taken by careless mistake! Headline news was told that a possibility might causes by cyber attack. It is hard to believed in earlier stage that this is a possible factor. But now change my mind, since (VSAT) Satellite Communication Systems rife with security flaws. It was vulnerable to Remote Hacks path! This technical limitation not the news today. It was found on 2014. The subject matter expert found that just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems.

Remark: Rumors told that a weakness happen on VSAT Firmware.

A design weakness was found on the system based on Information security design best practice (see below information for reference)

Identification – identify trusted source (malicious SMS or crafted message)

Authentication – permit or denied request (an authentication mechanism system authorize the electronic computing process)

Silence (behalf of penalty) of the lambs

We all known the discipline of Military is serious. Any change management requires inform the duty officer (captain). For instance, management team define the fairway. It requires authorize person acknowledgment before modifications. If the specify accident not a low level mistake (absence duty or incorrect operation procedure). It looks that the hardware manufacturer might bare the responsibilities. However do the firmware upgrade not a difficult way in IT world because Microsoft do the software patching weekly!

My comments

Since the overall political atmosphere looks unstable in APAC countries. The United States Seventh Fleet responsible to equality of power and peaceful of this area (after finished the battle of World War II). However a technical limitation (hiccup) shown to the world in military force. Even though you have anti-defense to offence missile send by South Korea. But any military plan it is a dangerous game indeed.


Perhaps Enigma contains iron wall, but it couldn’t defense the a simple word processing technology



Enigma crypto currency Platform told the world they are next generation of cypto currency Exchange. Banking and financial industry believes that this is a trustworthy platform. Not Kidding, enterprise invests to build and support. Apart from that MIT expertise develop and design a prefect cryptographic mechanism. A shock to the world this week said that they are fall into the victim group of cyber attack.

Headline news claimed that it cause by “DUMB MISTAKE” – Slack account with administrative privileges, had previously leaked

What if! We assume that their Enigma design architecture is not vulnerable. And there is another reason let this incident occurs. Is it a insider threat caused by end user computing?

This incident under law enforcement investigation. since we do not know the root cause. But we can setup a virtual reality scenario see whether we can find out the possibility.

PDF format of file, a benefits bring to malware

  1. Hidden inside a Word document that’s hidden inside a PDF


Step 1: Emailed spam with a PDF attachment
Step 2: PDF has an attached document inside, which is trying to get opened by the Acrobat Reader
Step 3: Once the document is opened in MS Word, it asks you to enable editing (social engineering attack)
Step 4: Runs a VBA macro, which downloads and runs the malicious code
Step 5: Insider threat happens. Try to collect the sensitive data includes credential

2. Open source applications lure malware infection

Sounds not possible! Enterprise firm less implement software application open source concept. As a matter of fact, similar idea happened in enterprise firms including broker firm and investment banking. It is hard to image that such profit making industries concerns about software licenses. But it is a factual case.


A critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer.

CVE-2017-10951 –  vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location

Remark: Foxit refused to patch both the vulnerabilities because they would not work with the “safe reading mode”

3. Vulnerability in LinkedIn Messenger 


Even though enterprise firm will be included Linkedin into the white list. It allow their staff access without restriction. Regarding to subject matter expert vendor (Checkpoint), Linkedin message Would Have Allowed Malicious File Transfer. LinkedIn allow the following file extensions to be uploaded and attached within a message:

Documents – csv, xls, xlsx, doc, docx, ppt, pptx, pdf, txt.
Images– gif, jpeg, jpg, png.

As a result, the specific issue triggers inherent risk fall into above item 1 information security design weakness.

Current status

Let stop discussion here, there are more possibilities or ways once the attack vector happens on insider threat (end user computing). We keep our eye open see whether any new findings later on.

Common vulnerability on application – who’s the perpetrator – Part 1


We heard cyber security incident daily, seems like a habit forming or it will be happened daily. We wasn’t gutted ( Feeling sad and unhappy) since we have already become insensitive!

Who’s the perpetrator?

The design limitation not only found on hardware (BIOS), OS (system kernel , dynamic link library and software driver). Besides, the critical risk sometimes found on application program design.  Since mobile phone become the technology world main stream in the market because of BYOD enable concept.May be you observe this factor earlier. Both personal computer and BYOD device looks has common criteria (not the security standard common criteria). The fact is that they are heavy duty to deploy of Java application. From technical point of view, the difference in between personal computer and BYOD device application platform might have minor things. For instance application cannot display on small size display screen. Web browser compatibility issue. Perhaps those problem enough to annoys application developers. However in regards of application infrastructure both personal computer and BYOD devices are sharing the similar application source. And such a way carry out a visible securiy bottle neck on application design. Yes, we select one of the bottle neck on software application development to discuss today. It is the API key, so I dubbed API key is the perpetrator.

What is API key?

With reference to Wikipedia (see below details for reference)

An application programming interface key (API key) is a code passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site.

API keys can be based on the universally unique identifier (UUID) system to ensure they will be unique to each user. The API key often acts as both a unique identifier and a secret token for authentication, and will generally have a set of access rights on the API associated with it.

Appendix i :

API key = public unique identifier for your app.

Access token = another secret! But a new one is generated every time a new person installs your app. Each one is used for authentication of regular API calls to a particular shop.

API Key fundamental design weakness 

Kill chain – scenario A (Application program design weakness)

  • User gets infected with malicious program
  • Malicious program opens up /rest/config
  • Malicious program navigates to / and takes the CSRF token from the cookie it receives
  • Malicious program now has complete control over the REST POST interface

Kill chain – scenario B (system application software package (library) design weakness)

JSON Web Token (jwt) vulnerability includes the following authentication mechanism : node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512)

The original design of JSON Web Token structure contains 3 parts , a header, a payload, and a signature.  See below details for reference.

Prerequisite – require X509 Private/Public Key Pair to generate the digital signature.

The Base64-URL encoded representation of the Secure Header
The Base64-URL encoded representation of the Payload
The signature that is generated from the combined "payload.header"
Assembling all of these together as payload.header.signature

Below simple node.js code that uses the jsjws node module to create the JWS

var assert = require('assert');
var jsjws = require('jsjws');
var fs = require('fs');

var privKeyFile = fs.readFileSync('./dsig-key.pem');
console.log("privKeyFile: " + privKeyFile);
var priv_pem = jsjws.createPrivateKey(privKeyFile, 'changeit','utf8');
var pubCertFile = fs.readFileSync('./dsig-cert.pem');
console.log("pubKeyFile: " + pubCertFile);
var pub_pem = jsjws.X509.getPublicKeyFromCertPEM(pubCertFile.toString())

var header = { alg: 'RS256' };
console.log("Header: " + JSON.stringify(header));
var payload = { 'a':'b',
'e': 1.0
console.log("Payload: " + JSON.stringify(payload));

var sig = new jsjws.JWS().generateJWSByKey(header, payload, priv_pem);
console.log("Signature: " + sig);
var jws = new jsjws.JWS();

assert(jws.verifyJWSByKey(sig, pub_pem, ['RS256']));
assert.deepEqual(jws.getParsedHeader(), header);
assert.equal(jws.getUnparsedPayload(), JSON.stringify(payload));

console.log("UnparsedHeader: " + jws.getUnparsedHeader());
console.log("UnparsedPayload: " + jws.getUnparsedPayload());

Found Critical vulnerabilities in JSON Web Token libraries (March 31, 2015)

A design limitation on library occurred, some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. This is so called “none” algorithm.

Therefore hacker can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

Remediation & Mitigation

It looks that the vulnerability found on library has security remediation today. As we know the vulnerabilities in JSON Web Token libraries can settle by latest version of software libraries. But how about the application program design weakness item?  As far as I know. Even though you are going to manage your API Keys with Java, Jersey, and Stormpath. The common standard on API Key management in the market more relies on the following solution.

  1. Filter  (regular expression). As far as I know,  It requires the preventive control filtering function to avoid
  2. Define full scope of authentication mechanism (something you have,something you know and something you are)
  • Define authentication protocol
  • Based on the authentication result object do the integrity check
  • Check the token that received, and appropriately gives appropriate action (forbid or access).


In regards of API key, authentication Token & XML language are hard to avoid the risks once they are working together. However it is hard to avoid in such operation manner in business world. But I would like to let this opportunities to urge software developer that JSON Web Tokens should be avoided in your application design.  If your design insists to adopt such methodology. You must re-confirm the data classification level in your local repository and business criteria. If both two domain subjects not in DCL 3,4 and not the critical business operation. May be it still a green light signal. If not it is better to find other alternative.

China ban VPN connectivity – current status Aug 2017



The objective of China government ban VPN connectivity goal to control over its national internet, free from undue foreign influence.

Schedules (Milestone)

Action 1 – China Government Seeks Public Comments on the Cryptography Law (May 2017)

Action 2 – Telecommunication services providers includes China Mobile, China Unicom and China Telecom, to bar people from using personal VPN with effective Feb 2018. This is a mandatory action.

Action 3 – An official announcement of New cybersecurity regulation especially on Virtual Private Network connectivity (see below for reference) with effective on 1 June 2017.

Act:  The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Action 4 – Green VPN, a China-based VPN service mainly employed by native Chinese users to bypass the Great Firewall, has been shut down on Jul 2017.

Action 5 – Apple has removed VPN apps from China’s App Store

Action 6 – China moves to block internet VPNs from 2018

Current VPN activities in China

The latest crackdown is focused on individuals, which means companies and other organizations will still have the ability to access VPNs or VPN-like services as long as they are registered.

Great wall (China Firewall) responsibility

Denied internet connectivity to Facebook, Twitter, YouTube, and Instagram. The new blocked sources include the New York Times and the Wall Street Journal, along with sites such as Google Scholar.

Next Step

1. All internet users in China go online using services run by the state-owned carriers.

2. Forcing companies to store information within the mainland.

3. The government has ordered China’s three telecommunications companies to completely block access to virtual private networks, or VPNs, by February 2018. For those who requires VPN function, it require to apply the registration license.

Highlight – Major objective of new cyber security regulation

Forcing companies to store information within the mainland.

The electronic certification service vendor (approved by China government) list displayed below:





Bitcoin – Break the traditional rule of the world!



It looks a silent revolution, bitcoin technology spreading to the world. Even though government unsupported this financial tool and proprietary financial firm not accept this technology.
But he is valid in the finance and investment market. As a matter of fact, the activities running strong today (7th Aug 2017).

Our earlier study on block chain technology motion

Comparison table:

Hyperledge Ethereum Bitcoin
Association Linux Foundation Ethereum Developers Bitcoin Developers
Currency N/A Ether BTC
Mining Reward N/A Yes Yes
Network Design goal – Private Design goal – Public Public only
Privacy Private Open Open
Smart Contracts Multiple-programming language C++,Rust and Go i. Bitcoin Core, is written primarily in C++
ii. Lightweight clients like MultiBit and Bitcoin Wallet written in Java


Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)

The maturity business model of bitcoin today

The fundamental design concept of bitcoin improvement program are based on vote or user input. And therefore Bitcoin is not controlled by any single entity or company. Whereby an improvement program framework has been introduced. It is so called BIP (Bitcoin Improvement Proposal).

Remark 1: A Bitcoin Improvement Proposal (BIP) is a design document for introducing features or information to Bitcoin. The BIP should provide a concise technical specification of the feature and a rationale for the feature. This is the standard way of communicating ideas since Bitcoin has no formal structure. The first BIP (BIP 0001) was submitted by Amir Taaki on 2011-08-19 and described what a BIP is?

Proposal 91

Upcoming Bitcoin activation of Bitcoin Improvement Proposal 91 (BIP 91). Bitcoin Improvement Proposal 91 (BIP 91, also known as Miner Activated Soft Fork) recently locked in over 90 percent of all mining hash power, signaling majority support for this proposal. BIP 91’s lock in effectively makes BIP 148 (User Activated Soft Fork scheduled for August 1) obsolete and discard the chances of the Bitcoin network forking through UASF (User Activated Soft Fork). What is the reason to nullifies UASF?

Bitcoin Possible Crisis, User Activated Soft Fork(UASF BIP-148)-Vulnerability encountered CVE-2017-9230

For more details about the vulnerability, please refer below url for reference

Bitcoins tell the world,  sunrise is on the way.

The Bitcoin Improvement Proposal (BIP) expect to meet the goal on 1st August 2017. The goal is launch of a new coin and Bitcoin Cash (BCC). These coin should include strong replay protection. All you need to do to be able to access your BCC is control your bitcoin (BTC) private keys on this day.

BIP 91 objective – BIP 91 requires 80% of the coin miners to support. Besides, it require to locking  SegWit2x’s (SegWit) update on 1st August 2017.

Remark 2: SegWit was proposed by Bitcoin Core volunteers to increase network capacity and solve transaction scalability through soft folk on 2015.

Remark 3: SegWit2x (BTC1): Supported by miners and start-up companies, the proposal aims to develop SegWit through a soft fork.

Breakthrough – below voting status shown that BIT 91 receive miner fully support


As of today, bitcoin looks running strong in the market. We keep our eye open see whether any unforeseen matter happen in coming month.
…… deo speramus