All posts by admin

Believe it or not? Homeland security twin brother!

Chinese people mantra, your face may similar to other people. This theory also apply to everything. I agree and believe the US government homeland security web site are unique. Believe it or not , the web site naming convention and contents looks similar to homeland security. However the web site not protected by Akamai network . They do not belongs to US government. To be honest, it make you confused! URL shown as below:

The picture diagram can provides the details to you for reference.

The Force Awakens – but it is Apache struts vulnerability!

Apache struts seems a instigator on Equifax data breach incident. An announced by US Homeland security this week to urge IT guy staying alert on New found Apache Struts vulnerability again (see below URL). My comments on this vulnerability is that it expand the attack space or vector . Why? Are you familiar with REST client. It reproduce a new playground for hacker since it is allow to start the attack to Apache Strust product on mobile phone.  We noticed that Cisco products are also the Struts users (see below)

Vulnerability detail (see below):

Cisco products are also the Struts users (see below)

Out of memory bounds implication – a never ending story


In cyber security world, we are in frequent heard a term privileges escalation. IT guy familiar buffer overflow causes privileges escalation vulnerability of Windows 2000 operating system. Seems buffer overflow issue not only happened in Microsoft product, even through you are using Linux. It will happen. As of today, Apple iPhone and Google Android phone are possible encountered this technical issue. But what’s the major element trigger this cause. It includes software application , operating system driver, Libraries and programming language!

Out of memory bounds status similar a ninja, he can bypass ASLR protection

Above design limitation is an example to show the out of memory bounds concern in computer world. Yes, this issue cover all the computer world and not only limited on Microsoft products. But what is the design difficulties of system designer (OS kernel or software driver)? Basically, the system designer has flexibility to use the memory address in their design. The overall status was changed because of malware born in the computer world. Regarding to my study in Microsoft Technet blog discussion so far. It was a tremendous hard job.

We might feel that Windows 2012R2 design looks perfect since it is a mature product since it summarizes the technical weakness and design limitation experiences in former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 bring me to attention of this matter. The issue was that system owner only delete network interfaces on a server that is running Windows Server 2012 R2 or Windows Server 2012, a random and intermittent crashes on the system


Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

This case reveal to the computer world that memory under the memory protection features (Address space layout randomization protection (ASLR) and Data Execution Prevention (DEP) ). Kernel and driver designers are also headache in this matter. The key word “Prefect” does not appear in realistic world. Those memory protection facilities not prefect. Should you have interested of this item. Please refer below url for reference.

Hints: Cyber security experts aware that memory reuse and privileges escalation. The above our of memory bounds informative diagram specially show an idea how does hacker execute the malicious code of program in user mode instead of kernel mode.

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

My bias pin point to Microsoft product, let’s jump to Linux world.

The BYOD and IoT devices empower Linux operating system digital world achievement. It looks that a lot of people similar to my opinion! They will accept the excuse to this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two ways of memory accessible to the programmer.

a. User’s virtual memory space in which application to run.

b. Register memory

From technical point of view, similar embarrass situation (memory corruption) has been occurred in Linux operating system.

  • Buffer overflow – Overwrite beyond allocated length
  • Index of array out of bounds: (array index overflow – index too large/underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run time error occurs when you try to point illegal memory space, usually address 0 which is reserved for OS.
  • Pointer persistence – Function returning a pointer from the stack which can get overwritten by the calling function (in this case main()):

In fact that the smartphone operating system especially Android, the cyber attack hit rate are equivalent to common office automation software application. For more details, please see below diagram for reference.

To conduct a review of the cyber attack.The cyber attack target memory address is not a new findings in mobile phone world. For instance, Huawei mobile phone encountered Out-of-Bounds Memory Access Vulnerability in the Boot Loaders on April 2017 (CVE-2017-8149). Regarding to CVE record details, this vulnerability affects an unknown function of the component Boot Loader. The manipulation as part of a Parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if vulnerability successful exploit. The impact could cause out-of-bounds memory read, leading to continuous system reboot.

My comment in regards to this technical issue (out of memory bounds)

The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

How about in programming language, will it happen in this area?

Yes, it will happen. See what’s going on in programming language now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to PHP language. Details shown as below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.


Memory out of bounds looks will be happen in digital world. Sounds like a tumor in animals and human body. The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

Life is not easy especially IT world. But sometimes it have fun! Wishes Merry X’mas and Happy New year.

How much is your data privacy value today?

We all aware that our activities in cyber world are under surveillance. But do you alert that even though there is no any surveillance, malware to sniff your data. Your loyal and data protection guard install on your workstation and server keep track of you daily. Perhaps you have the basic understanding on how antivirus vendor make use of your data. It is so called meta data. From on going computer cyber trend, artificial intelligence and Big data analytic intend to collect the data. But take oversight over the world. It looks that there are gap of the data collection policy. For instance, we are chosen Brand A antivirus band this year. But next year, we would like to use another brand of antivirus program. As far as I know, the disclaimer of antivirus vendor do not mention in detail how they are going to disposal the meta data belongs to you. To be honest, it is hard to erase your workstation meta data in their repository. Perhaps the vendor told you no personal information will be collected on this function. They are only keep track the antivirus or malware attack behavior. If such monitor not running in 24 hours. How does the monitor and detect functions work well. You may aware that  your loyal antivirus program also keep track of your activities!

Would you mind someone sharing your CPU power during your site visit?

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.


Nautilus & Neuron

The hostile country collect the government confidential information and business economic details not similar 70’s. A group of people so called spy infiltrated to foreign country. It reduces the overall injury. The conceptual idea of malware implement to computer world equivalent the task of spy. National cyber security center urge the IT admin around the world staying alert to current suspicious network activities issued by Turla Group. Read few technical articles, the overall comments is that they are support by country. The most famous tools (rootkit) “snake” was designed by this group. Since “snake” implemented few years. Therefore a new tools (Nautilus and Neuron) has been deployed to replacing the “snake” position. The new tools primary focusing on two microsoft products (Exchange and IIS server). However the target will be focus on both client (endpoint) and server. Read the technical articles is a burden to IT guy since many cyber attacks in frequent. The quick and dirty way to provide a shortest path to IT guy is a key term. What to do, right. Yes, below free of charge scan tool provided by Microsoft will help you in this regard (refer below url for reference).

China IPv6 implementation Road map. Will it be burden on current surveillance task?

A tough new cyber security law has been in placed in China on June 2017. The United States submitted document to WTO Services Council, said if China’s new rules enter into full force in their current form, as expected by the end of 2018, they could impact cross-border services supplied through a commercial presence abroad. A IP V6 road map announcement by General Office of the State Council of the PRC on 26th Nov 2017. The road map driven whole network, application and computer prioritize IPV6 connectivity.We known that RFC 4941 defining “privacy extensions for IPv6” autoconfiguration. This standard defines a mechanism where a device generates a random host address and uses that instead of the device’s MAC address. As a result it is better to avoid surveillance and tracking. The surveillance program in China has difference comparing with other country. Since monitoring network behavior or so called surveillance is the China government policy. See whether RFC 4941 will be a burden in coming future.

What’s happen on next?


Heard that NECURS BOTNET activities growth rapidly.Their major goal is deliver ransomware through email spam or email scam. A announcement broadcast by SANS on 1st Nov 2017 alert that Necurs Botnet malspam pushes Locky using DDE attack. Necurs bot relies on MSword document embedded malware compromise your machine. For instance a Word document embedded objects that call Powershell to compromise your machine. Apart from that they will make use of DDE. NEcurus botnet has a brilliant history. Since his design feature can protect itself to bypass the current detection mechanism. Even through DNS protection is a popular defense mechanism today. But he is not afraid. His program design looks like a assembly so it enhance his infection feature. Should you have interest to know more details, the attach picture can tell. For more details about the status update. Please refer below url for reference.

There are more windows OS components did not included ASLR protection feature

Seems heard a vulnerability occurs on microsoft product did not trigger your interest. The easy way for IT guy to mitigate the risk is conduct a patch update. But CVE-2017-11882 heads up the world that there are more windows OS components did not included ASLR protection feature. May be you could say Microsoft product do not relies on ASLR since they has Data Execution Prevention (DEP). We known Data Execution Prevention (DEP) is a system-level memory protection feature. However a practical example of CVE-2017-11882 occured on Microsoft office product could compromised your machine. Hacker more focus to dig out vulnerability on word processing product since human relies on electronic documentation daily.  Microsoft release the patch to mitigate this risk (see below). But a reminder to the world there are more MS components do not enable randomizes address function. Yes, no randomizes address function will be benefits to hacker. Which industry on demand to use MS equation editor function. Scientist, high tech industry especially military and nuclear power facilities management.

Windows Junction Points looks like malware helper – AvGator

A tremendous news exposed that malware relies on Microsoft design limitation (Windows Junction Points) recovered itself after quarantine. A related flaw found on following antivirus vendor. They areTrend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Now vendors released patches for affected products.

Do you still remember that American government Allegation Kaspersky that a spy tool embedded in their product. My personal opinion is that Kapersky is the victim of this allegation.However do you think this is part of the spy method? What is the name of this attack. His name is AVGater. For more details, please refer below url: