Category Archives: Application Development

See whether Bitcoin signatures do not comply with RFC 6979

Have you heard a song by Dinah Washington ? The song title is what a difference a day made? In crypto currency world, bitcoin is the big brother. However technology world still concerns Bitcore signatures is able to comply with RFC 6979 specification?

Bitcoin owner must protect the private key. The conceptal idea is that generating random number k in elliptic curve is crucial and in any transactions signature in Bitcoin, random number k is required to compute a point k*G. If this k is chosen not randomly, it instantly leaks the private key.

Do you think attached diagram can provide the resolution to you in this regard?

What A Diff’rence A Day Makes Lyrics: What a difference a day made? Twenty-four little hours. Brought the sun and the flowers.Where there used to be rain……..

Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA):

https://tools.ietf.org/html/rfc6979

Attention: Stay Alert – Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution

Preface:

PHP is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.

Security concern by security experts

The security issues are typically exposed when PHP code makes use of system-level calls.

Found critical security problem today! – Original release date: April 27, 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities. An attacker could exploit one of these vulnerabilities to take control of an affected system.

NCCIC encourages users and administrators to review MS-ISAC Advisory 2018-046 and the PHP Downloads page and apply the necessary updates.

See whether any short term remediation can take before upgrade?

1.Restrict PHP Information Leakage

expose_php=Off

2.Disable Remote Code Execution

Allow_url_fopen=Off

allow_url_include=Off

3.Not show errors to the visitors

(/etc/php.d/security.ini file)

log_errors=On

error_log=/var/log/httpd/php_scripts_error.log

4.Disable Dangerous PHP Functions (php.ini)

disable_functions =exec,passthru,

shell_exec,system,proc_open,popen,curl_exec,

curl_multi_exec,parse_ini_file,show_source

5.Upload Files (/etc/php.d/ directory)

file_uploads=Off

6.Control File System Access

always keep the open_basedir directive set to the /var/www/html directory.

open_basedir=”/var/www/html/”

7.Control the POST Size (/etc/php.d/security.ini)

post_max_size=1k

— End —

Realistic threats exists in NFC. Are they all secure?

The mobile payment is aggressive in some sort of area. As seen, it fully utilized in China market. From the economey point of view, this new payment design driven the retail business in parallel. The traditional banknote concept convert to digitalization silently.Is this a prelude of digital currency? The people doubt of the NFC (near field communcation) technology embedded in Visa payment earlier. As times goes by, it is popular today. The new smartphone market similar pushing the NFC techonology into next phase. The new form of payment method integrated both smartphone (iPhone and Android) and payment card with near field communication. How Secure Are NFC Payments? NFC technology comes with a range of security features that help protect financial data from stolen. But are they capable to avoid modern cyber attack? Perhaps if the computer product contains Java programming element. It is hard to avoid vulnerability. As a matter of fact, Java bytecode Verification is a key element in Java world. If this feature applied in the overalll design. It will significant reduce the malware infection because it is not easy to execute the malicious code. Do you have doubt after this discussion?

Why REST (API) is so popular? But how to hardening the API security features?

REST (API) is key component to building powerful, scalable web-based applications today. So how to enhance the security feature, since it is working with HTTP communication method. Thence:

1. We should ensure that the HTTP method is valid for the API key/session token and linked collection of resources, record, and action.

2. Authentication – It is better to deploy multi-factor authentication and token-based authentication.

3. Token validation errors should also be logged for audit purpose.

4. Input sanitization.

5. If the classification label of data is private or confidential. A symmetric cryptography will be used to encrypt the data transmitted.

6. Hardrening REST API status return codes instead of 404 (errors) and 200 (success).

Perhaps above items of enhancement not easy to fulfill. However the system developers should be fulfilled the standard requirements. Following the web server security best practice. Apart from that it compliance with HTTP security (RFC7230 – section 9).

Should you have interested of RFC7230 – section 9 standard. Please refer to below url for reference.

https://tools.ietf.org/html/rfc7230#section-9.1

Firebase Analytics – To be compliance or not to be compliance on personal privacy

Perhaps the scandal of Facebook and awaken people in the world concerning their personal privacy. Meanwhile web surfing behavior is a major element to do the behaviour analytic.  Now we fully understand the influence power of social media platform. However the analytic function not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I do a survey on popular mobile application software tonight. The reason I chosen this mobile apps software for evaluation is that it contains a series of new claims services includes insurance claim. It  allow insurance claims pay-out at 7-Eleven (Hong Kong). The result is that the mobile apps pass the compliance requirement. The firebase analytics service disabled for legal reasons. For more details, please refer above diagram for reference.

Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions

Computer technology world vulnerability exposure can’t slow down. A design weakness on Bouncy Castle BKS-V1 keystore files found. If you are a java program developer. It is a alert signal. 

The Bouncy Castle APIs consist of the following:

  • A lightweight cryptography API for Java and C#.
  • A provider for the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA).
  • A provider for the Java Secure Socket Extension (JSSE).
  • A clean room implementation of the JCE 1.2.1.
  • A library for reading and writing encoded ASN.1 objects. Lightweight APIs for TLS (RFC 2246, RFC 4346) and DTLS (RFC 6347/ RFC 4347).

Generators for Version 1 and Version 3 X.509 certificates, Version 2 CRLs, and PKCS12 files. Generators for Version 2 X.509 attribute certificates.

Generators/Processors for the following:

  • S/MIME and CMS (PKCS7/RFC 3852)
  • OCSP (RFC 2560) – TSP (RFC 3161 & RFC 5544)
  • CMP and CRMF (RFC 4210 & RFC 4211).
  • OpenPGP (RFC 4880) – Extended Access Control (EAC)
  • Data Validation and Certification Server (DVCS)
  • RFC 3029 – DNS-based Authentication of Named Entities (DANE).
  • RFC 7030 Enrollment over Secure Transport (EST). A signed jar version suitable for JDK 1.4-1.7 and the Sun JCE.

The vulnerability note can be find here:

https://www.kb.cert.org/vuls/id/306792

 

Application security awareness – Before Html5 full cover up, we must stay alert of Html4

Preface:

The bitcoin mining malware, cyber espionage program and malicious malware merely relies on iframe. Where are they from?

Understanding

Frame: The main advantage of frames is that it allows the user to view multiple documents within a single Web page. It is possible to load pages from different servers in a single frameset.

iframe: Iframes are often used to load third party content, ads and widgets. The main reason to use the iframe technique is that the iframe content can load in parallel with the main page.

embed: The <embed> tag defines a container for an external application or interactive content (a plug-in).

Object: The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin.

Discussion topic

Above description summarize the feature of iframe, frame, embed and object. It shown the advantage of those components. However IFRAME element explicitly contains a security risk if any page on your site contains an XSS vulnerability which can be exploited.

a. Clickjacking – see below diagram for reference

A kidding way to conduct clickjacking (see below). To be honest, this scenario may let spy or secret agency to evade surveillance. So, it is not a hacking. It is a methodology.

b. Hidden iframe linking to malicious website – see below diagram for reference

c. Java script for pages with iFrame embedded (do tricks especially sharing victim CPU resources to do bitcoin mining).

Threats actor develop a page with an iframe that manipulates the document within the iframe. Their goal is for bitcoin mining.

 

  1. Create a VSTO Word document level project using Visual Studio

2. Drag a WebBrower onto document’s surface.

3. Edit ThisDocument_Startup to navigate the WebBrowser (code sample displayed below).

Code Snippet
private void ThisDocument_Startup(object sender, System.EventArgs e)

{

this.webBrowser1.Navigate(@"http://www.microsoft.com/en/us/default.aspx");

}

For more details, please refer to below diagram for reference.

Mitigation Strategy Tips, Hints and Tricks

Overview of programming language

The top seven most in-demand coding languages as we move into 2018. Some languages like Swift didn’t make the top seven because they have lower job demand.

Since there are many programming languages are available and therefore it is difficult to closing the vulnerabilities in effective way. Let’ take a overview of existing programming language utilization status.

Hints and Tricks

PHP code to prevent iframe loading on dynamic php pages

<?php
header("X-FRAME-OPTIONS: DENY");
?>

JavaScript code to prevent loading iframe on Static HTML pages

<?php
// php header to prevent iframe loading of your web page
header("X-FRAME-OPTIONS: DENY");
?>
JavaScript code to prevent loading iframe on Static HTML pages
<script type="text/javascript">

// Prevent iframe loading of your web page and redirect to iframe target.
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

Prevent iframe loading in Static HTML pages

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Iframe Blocker</title>

<script type="text/javascript">
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

</head>
<body>
<h1>Welcome</h1>

</body>
</html>

Prevent iframe loading on Python web development framework (django)

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> , <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X_FRAME_OPTIONS = 'DENY'

General principle: X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

Summary

The <iframe> scrolling attribute is not supported in HTML5. Use CSS instead. However CSS has design weakness occurs. A injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities.

 

Should you have the goal to require more, please let me know.

—- End —–

 

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

Preface:

SCADA systems are the backbone of many modern industries, including: Energy, Food and beverage, Manufacturing, Oil and gas, Power, Recycling, Transportation, Water and waste water,….etc

SCADA evolution:

The first generation of SCADA system relies with mainframe computers. As time goes by, the evolutionary of SCADA build on top of open system foundation (Unix) in 80’s. Perhaps the Microsoft product dominate the computer world. And such away engaged the transformation in 90’s. The SCADA software that utilizes the power of SQL databases provides flexibility and advantages to traditional SCADA system.

One big benefit of using SQL databases with a SCADA system is that it makes it easier to integrate into existing MES and ERP systems, allowing data to flow seamlessly through an entire organization.

  • (MES) – Manufacturing execution systems are computerized systems used in manufacturing, to track and document the transformation of raw materials to finished goods.
  • (ERP) – Enterprise resource planning is the integrated management of core business processes, often in real-time and mediated by software and technology.

Evolving from classic program (non web access) to Web Platform

SCADA system on the Cloud (cope with modern technology trend with access anywhere function)

Before we start the discussion in security topic, we do a quick introduction of big-data frameworks. Since the Hadoop and Apache Spark pay the key role on this architecture especially big data function. For more details, please see below:

Big-data frameworks:

Hadoop is essentially a distributed data infrastructure: It distributes massive data collections across multiple nodes within a cluster of commodity servers.

Features: 

  • Indexes and keeps track of that data
  • Enabling big-data processing and analytics

Apache Spark is an open-source cluster-computing framework.

  • Spark can interface with other file system including Hadoop Distributed File System (HDFS).

Remark: From technical point of view, Spark is a data-processing tool that operates on those distributed data collections; it doesn’t do distributed storage.

Go to discussion

As of today, more and more business migrated their system application to Cloud platform including SCADA industry. Since SCADA system belongs to energy, food and beverage, manufacturing, oil and gas, Power, Recycling, Transportation, water and waste water. And therefore cyber security news and articles lack of their news. Perhaps we can hear the news is that after nuclear power station encounter hacker or malware attack.

Actually SCADA now expand their user function to mobile device. Even though a mobile phone can do a remote monitoring of the system. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets (see below picture for reference) development and management.

Let’s think it over, the WebAccess SCADA system involved in energy, aerospace and public facilities control. However those product sound like your IT devices. The SCADA hits vulnerabilities and recorded in CVE database not the 1st time. We know that hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015. Lets reader judge by yourself, let review their vulnerabilities found so far. Does it relate to SCADA vulnerability occurs which causes denied of services. Or it is really server malfunction?

Quote: Hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015.

Quote: A United spokeswoman said that the glitch was caused by an internal technology issue and not an outside threat or hacker.

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs. Let’s take a closer look on Advantech scada webaccess products vulnerabilities so far.

The vulnerabilities found on 2014 include an OS command injection, CVE-2014-8387, in the Advantech EKI-6340 series, a stack-based buffer overflow, CVE-2014-8388, in Advantech WebAccess, and a buffer overflow, CVE-2014-8386, in Advantech AdamView, CVE-2014-0770 – Advantech WebAccess SCADA webvact.ocx UserName Buffer Overflow. It looks that the design weakness keeps appear till today! For more details, please refer below details for references.

https://nvd.nist.gov/vuln/detail/CVE-2015-3947

https://nvd.nist.gov/vuln/detail/CVE-2018-5445

https://nvd.nist.gov/vuln/detail/CVE-2018-5443

Our observation in regards to above known vulnerabilities.

Regarding to WebAccess support specifications. It support the following open real-time data connectivity : OPC, Modbus, BACnet, DDE Server and the following open offline data connectivity: SQL Server, Oracle, MySQL, and Microsoft Access Database. If the repository is the MS SQL server. The IT administrator must staying alert of the SQL injection vulnerability. Since the OS user privilege escalation via Windows Access Token abuse is possible also via SQL injection.

End discussion. Thank you.

Reference:

Information appending on 3rd Feb 2018 – additional technical information supplement. My study on SCADA system risk factors to nuclear facilities (see below):

Potential black force – digitize Godzilla

 

Say Goodbye to 2017 cyber incidents

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

Out of memory bounds implication – a never ending story

Preface

In cyber security world, we are in frequent heard a term privileges escalation. IT guy familiar buffer overflow causes privileges escalation vulnerability of Windows 2000 operating system. Seems buffer overflow issue not only happened in Microsoft product, even through you are using Linux. It will happen. As of today, Apple iPhone and Google Android phone are possible encountered this technical issue. But what’s the major element trigger this cause. It includes software application , operating system driver, Libraries and programming language!

Out of memory bounds status similar a ninja, he can bypass ASLR protection

Above design limitation is an example to show the out of memory bounds concern in computer world. Yes, this issue cover all the computer world and not only limited on Microsoft products. But what is the design difficulties of system designer (OS kernel or software driver)? Basically, the system designer has flexibility to use the memory address in their design. The overall status was changed because of malware born in the computer world. Regarding to my study in Microsoft Technet blog discussion so far. It was a tremendous hard job.

We might feel that Windows 2012R2 design looks perfect since it is a mature product since it summarizes the technical weakness and design limitation experiences in former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 bring me to attention of this matter. The issue was that system owner only delete network interfaces on a server that is running Windows Server 2012 R2 or Windows Server 2012, a random and intermittent crashes on the system

  • 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  • 0X139: KERNEL_SECURITY_CHECK_FAILURE
  • 0x3B: SYSTEM_SERVICE_EXCEPTION

Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

This case reveal to the computer world that memory under the memory protection features (Address space layout randomization protection (ASLR) and Data Execution Prevention (DEP) ). Kernel and driver designers are also headache in this matter. The key word “Prefect” does not appear in realistic world. Those memory protection facilities not prefect. Should you have interested of this item. Please refer below url for reference.

Hints: Cyber security experts aware that memory reuse and privileges escalation. The above our of memory bounds informative diagram specially show an idea how does hacker execute the malicious code of program in user mode instead of kernel mode.

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

My bias pin point to Microsoft product, let’s jump to Linux world.

The BYOD and IoT devices empower Linux operating system digital world achievement. It looks that a lot of people similar to my opinion! They will accept the excuse to this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two ways of memory accessible to the programmer.

a. User’s virtual memory space in which application to run.

b. Register memory

From technical point of view, similar embarrass situation (memory corruption) has been occurred in Linux operating system.

  • Buffer overflow – Overwrite beyond allocated length
  • Index of array out of bounds: (array index overflow – index too large/underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run time error occurs when you try to point illegal memory space, usually address 0 which is reserved for OS.
  • Pointer persistence – Function returning a pointer from the stack which can get overwritten by the calling function (in this case main()):

In fact that the smartphone operating system especially Android, the cyber attack hit rate are equivalent to common office automation software application. For more details, please see below diagram for reference.

To conduct a review of the cyber attack.The cyber attack target memory address is not a new findings in mobile phone world. For instance, Huawei mobile phone encountered Out-of-Bounds Memory Access Vulnerability in the Boot Loaders on April 2017 (CVE-2017-8149). Regarding to CVE record details, this vulnerability affects an unknown function of the component Boot Loader. The manipulation as part of a Parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if vulnerability successful exploit. The impact could cause out-of-bounds memory read, leading to continuous system reboot.

My comment in regards to this technical issue (out of memory bounds)

The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

How about in programming language, will it happen in this area?

Yes, it will happen. See what’s going on in programming language now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to PHP language. Details shown as below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.

Conclusion:

Memory out of bounds looks will be happen in digital world. Sounds like a tumor in animals and human body. The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

Life is not easy especially IT world. But sometimes it have fun! Wishes Merry X’mas and Happy New year.