Category Archives: Application Development

He is a bird – Taiwan supercomputer (Nov 2018)

Preface: There are many reasons for wanting to combine the two parallel programming approaches of MPI and CUDA. A common reason is to enable solving problems with a data size too large to fit into the memory of a single GPU, or that would require an unreasonably long compute time on a single node. The message passing interface (MPI) architecture successful exchanging messages between multiple computers running a parallel program across distributed memory. Thereby single system can group together form a big power.

Synopsis:
The open source refers to any program whose source code is made available for public use. Open MPI is a Message Passing Interface library project combining technologies and resources from several other projects. Meanwhile it is a potential power driving the technology world in this century. It is hard to imagine that Xeon processor type computer machine will go to supercomputers world. With assist of QuantaGrid D52G-4U GPU. The dream come true now. Tesla V100 can deliver up to 896 tensor Tflops to training deep learning model with 8 NVIDIA Tesla V100 (dual-width 10.5″). Taiwania 2 supercomputer take the role to handle big data , AI and scientific research functions.

Ref: https://www.taiwannews.com.tw/en/news/3575187

Supercomputer – You focus the speed of CPU, but my design goal is efficiency (Nov 2018)

Preface:

The art of driving a car in a race comes from the ability to maximize the performance of the car. Everything you do on a track takes skill when you are reaching the limits of performance. This concept also suitable on computer design.

Japan supercomputer rating:

Fujitsu ranks supercomputers seventh in the world.

Cores: 391,680

Memory: 417,792 GB

Processor: Xeon Gold 6148 20C 2.4GHz

Historical background:

The traditional supercomputer architecture contains HIGH SPEED VECTOR PROCESSORS, crossbar switch, LPARs architecture. Since CPU speed is most important element on calculation. Meanwhile LPARs design can let system allocate the function feature and requirements.
Remark: Logical partitions (LPARs) are, in practice, equivalent to separate mainframes.

Synopsis:

But the military, scientific and public safety requirements of the world in today more demanding. The traditional Supercomputer LPARs design still have space for improvement. And therefore Linux high performance cluster and docker infrastructure become a key components. It boostup the system efficiency. Even though Fujitsu ranks supercomputers seventh in the world. But it maximum the efficiency.

SWIFT Customer Security Controls Framework

 

Preface:

All SWIFT users must comply with the mandatory security controls by the end of 2018.

Objective:

Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently known new and arising threats in order to pragmatically raise the security bar.

Technical details:

Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Segregate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

Observation:
Swift system is on the way do the enhancement continuously. But do you think such continuous program will be effectively avoided cyber security attack? For instance Bangladesh heist.
It is hard to tell what is the next cyber attack challenge in the moment. Let’s keep our eye open. Stay tuned!

Reference:

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Advisory on PHP Vulnerabilities – 12th Oct 2018

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released an advisory on multiple Hypertext Preprocessor (PHP) vulnerabilities today (refer below url):

https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/

Perhaps PHP program version will make you frustrated. Why? The vulnerabilities addressed by MS-ISAC only for Version 7.2.11 & Version 7.1.23. However there is another fix coming soon (see below):

PHP 7.1.24

Core:

Fixed bug #76946 (Cyclic reference in generator not detected)

Date: unknown

Fixed bug #75851 (Year component overflow with date formats “c”, “o”, “r” and “y”). (Adam Saponara)

FCGI:

Fixed bug #76948 (Failed shutdown/reboot or end session in Windows).

(Anatol)

Fixed bug #76954 (apache_response_headers removes last character from header

name). (stodorovic)

FTP:

. Fixed bug #76972 (Data truncation due to forceful ssl socket shutdown).

(Manuel Mausz)

intl:

. Fixed bug #76942 (U_ARGUMENT_TYPE_MISMATCH). (anthrax at unixuser dot org)

Standard:

. Fixed bug #76965 (INI_SCANNER_RAW doesn’t strip trailing whitespace).

(Pierrick)

XML:

. Fixed bug #30875 (xml_parse_into_struct() does not resolve entities).

Should you have interested, please review above diagram. PHP look likes a game.

Consider how does JQuery affect millions of people confidential data – Sep 2018

RiskIQ expose one of the possible way how hacker steal customer credit card data of British Airline. Expert speculate the suspects exploit Inject jQuery into a page technique collect the confidential data. BA claim that the data breach only occurs in credit card data.
Risk IQ share the proof of concept shown that the technique equilvalent ATM machine skimmer. But this round the skimmer feature is install on web page. The fact is that when victim click the specific compromise web page button. The personal data belongs to victim will divert to hacker server.
Perhaps we know the technique so called Inject jQuery into a page is not a news. But exploit inject jQuery technique cope with ATM machine skimmer concept may be is new.
I am not going to copy RiskIQ POC programming language this time. However I will display the inject jQuery sample code for your reference. Meanwhile I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. So this is another possibility let British Airways lost the customer data.

About vulnerabilities of PHP – Aug 2018

PHP is a popular open source general-purpose scripting language. It capable for web development and can be embedded into HTML. Perhaps a fundamental weakness of PHP and therefore we seen common problem especially SQL Injection and Trusting user input to execute code happens in frequent.

Below details are the php vulnerabilities found on Aug 2018.

(CVE-2018-14883) An Integer Overflow leads to a heap-based buffer over-read in exif_thumbnail_extract of exif.c

https://bugs.php.net/bug.php?id=76423

(CVE-2018-14851) Allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.

https://bugs.php.net/bug.php?id=76557

(CVE-2018-14884) Inappropriately parsing an HTTP response leads to a segmentation fault because http_header_value in ext/standard/http_fopen_wrapper.c can be a NULL value that is mishandled in an atoi call.

https://bugs.php.net/bug.php?id=75535

Reference: Vulnerability found on Jul 2018

Jul 2018 – PHP 7.2.x through 7.2.7 allows attackers to trigger a use-after-free (in exif_read_from_file)

Aug 2018 – Similar to establish new challenge in IT world, mingw-w64 design limitation!

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. ASLR function like the last line of defense of the system against cyber attack. Recently, security expert comment that the software application developer might not following guideline issue by CPU vendor. The fact is that an error occur on their software application when apply ASLR or SGX ( Software Guard Extensions – Intel). As a result, the non compliance application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the “Dynamic base” PE header is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of “ASLR” for a running process may be incorrect, and it may provides room for malware alive. I forseen that it may create the impact to the docker environment.

 

MinGW is an implementation of most of the GNU building utilities, like gcc and make on windows, while gcc is only the compiler. It looks that it has more Linux operating system includes in ASLR non compatible checklist announced by MinGW. The CPU vendor on the way to address the CPU design flaw (Meltdown and Spectre). It looks that a new form of challenge is going to join into the mistaken task force.

Should you have interest. Below hyperlink can provides the detail.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil

 

 

Node.js hits arbitrary command injection (CVE-2018-13797)

Node.js framework become popular today. Node.js can build the application on ethereum (cryptocurrency). Node.js is a JavaScript runtime built on Chrome’s V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. Node.js’ package ecosystem, npm, is the largest ecosystem of open source libraries in the world.

Meanwhile, npm is a package manager for the JavaScript programming language. It is the default package manager for the JavaScript runtime environment Node.js. Software developers must stay alert on CVE-2018-13797. Should you have interested, please refer below:

Fixes arbitrary command injection by using execFile instead of exec:

https://github.com/scravy/node-macaddress/commit/358fd594adb196a86b94ac9c691f69fe5dad2332

https://github.com/scravy/node-macaddress/pull/20/

Integer overflow weakness similar kill the Ethereum. But SafeMath to protect from overflows.

Integer overflow weakness similar kill the Ethereum – for more details, please see below (url):

Jul 2018 – Integer overflow may killed Ethereum!

But SafeMath to protect from overflows.

c >= a causes integer overflow happen

arithmetic: c=a+b-M (where M = 2**256 is the max unit256 plus one)

If c >=a replace to get a + b -M >=a

Cancelling and recording terms and get b >= M

Result: b is a uint256 and thus b < M

write an algebraic expression in a certain order. We start with the terms that have the largest exponents and work our way down to the constants. Using the commutative property of addition, we can rearrange the terms and put this expression in correct order, like this.

Reference:
Before you evaluate an algebraic expression, you need to simplify it. This will make all your calculations much easier. Here are the basic steps to follow to simplify an algebraic expression:

remove parentheses by multiplying factors
use exponent rules to remove parentheses in terms with exponents
combine like terms by adding coefficients
combine the constants

http://www.math.com/school/subject2/lessons/S2U2L5DP.html

How does the SafeMath library of OpenZeppelin protect your code from integer overflow?

https://ethereum.stackexchange.com/questions/38525/how-does-the-safemath-library-of-openzeppelin-protect-your-code-from-integer-ove?rq=1