Category Archives: Application Development

Application Development

Why REST (API) is so popular? But how to hardening the API security features?

1 Comment

REST (API) is key component to building powerful, scalable web-based applications today. So how to enhance the security feature, since it is working with HTTP communication method. Thence:

1. We should ensure that the HTTP method is valid for the API key/session token and linked collection of resources, record, and action.

2. Authentication – It is better to deploy multi-factor authentication and token-based authentication.

3. Token validation errors should also be logged for audit purpose.

4. Input sanitization.

5. If the classification label of data is private or confidential. A symmetric cryptography will be used to encrypt the data transmitted.

6. Hardrening REST API status return codes instead of 404 (errors) and 200 (success).

Perhaps above items of enhancement not easy to fulfill. However the system developers should be fulfilled the standard requirements. Following the web server security best practice. Apart from that it compliance with HTTP security (RFC7230 – section 9).

Should you have interested of RFC7230 – section 9 standard. Please refer to below url for reference.

https://tools.ietf.org/html/rfc7230#section-9.1

Application Development, Cell Phone (iPhone, Android, windows mobile)

Firebase Analytics – To be compliance or not to be compliance on personal privacy

1 Comment

Perhaps the scandal of Facebook and awaken people in the world concerning their personal privacy. Meanwhile web surfing behavior is a major element to do the behaviour analytic.  Now we fully understand the influence power of social media platform. However the analytic function not only valid today. Firebase is a mobile and web application development platform developed by Firebase, Inc. in 2011, then acquired by Google in 2014. Google Analytics for Firebase is a free app measurement solution that provides insight on app usage and user engagement. I do a survey on popular mobile application software tonight. The reason I chosen this mobile apps software for evaluation is that it contains a series of new claims services includes insurance claim. It  allow insurance claims pay-out at 7-Eleven (Hong Kong). The result is that the mobile apps pass the compliance requirement. The firebase analytics service disabled for legal reasons. For more details, please refer above diagram for reference.

Application Development, Potential Risk of CVE

Bouncy Castle BKS-V1 keystore files vulnerable to trivial hash collisions

1 Comment

Computer technology world vulnerability exposure can’t slow down. A design weakness on Bouncy Castle BKS-V1 keystore files found. If you are a java program developer. It is a alert signal. 

The Bouncy Castle APIs consist of the following:

  • A lightweight cryptography API for Java and C#.
  • A provider for the Java Cryptography Extension (JCE) and the Java Cryptography Architecture (JCA).
  • A provider for the Java Secure Socket Extension (JSSE).
  • A clean room implementation of the JCE 1.2.1.
  • A library for reading and writing encoded ASN.1 objects. Lightweight APIs for TLS (RFC 2246, RFC 4346) and DTLS (RFC 6347/ RFC 4347).

Generators for Version 1 and Version 3 X.509 certificates, Version 2 CRLs, and PKCS12 files. Generators for Version 2 X.509 attribute certificates.

Generators/Processors for the following:

  • S/MIME and CMS (PKCS7/RFC 3852)
  • OCSP (RFC 2560) – TSP (RFC 3161 & RFC 5544)
  • CMP and CRMF (RFC 4210 & RFC 4211).
  • OpenPGP (RFC 4880) – Extended Access Control (EAC)
  • Data Validation and Certification Server (DVCS)
  • RFC 3029 – DNS-based Authentication of Named Entities (DANE).
  • RFC 7030 Enrollment over Secure Transport (EST). A signed jar version suitable for JDK 1.4-1.7 and the Sun JCE.

The vulnerability note can be find here:

https://www.kb.cert.org/vuls/id/306792

 

Application Development, Under our observation

Application security awareness – Before Html5 full cover up, we must stay alert of Html4

3 Comments

Preface:

The bitcoin mining malware, cyber espionage program and malicious malware merely relies on iframe. Where are they from?

Understanding

Frame: The main advantage of frames is that it allows the user to view multiple documents within a single Web page. It is possible to load pages from different servers in a single frameset.

iframe: Iframes are often used to load third party content, ads and widgets. The main reason to use the iframe technique is that the iframe content can load in parallel with the main page.

embed: The <embed> tag defines a container for an external application or interactive content (a plug-in).

Object: The HTML <object> element represents an external resource, which can be treated as an image, a nested browsing context, or a resource to be handled by a plugin.

Discussion topic

Above description summarize the feature of iframe, frame, embed and object. It shown the advantage of those components. However IFRAME element explicitly contains a security risk if any page on your site contains an XSS vulnerability which can be exploited.

a. Clickjacking – see below diagram for reference

A kidding way to conduct clickjacking (see below). To be honest, this scenario may let spy or secret agency to evade surveillance. So, it is not a hacking. It is a methodology.

b. Hidden iframe linking to malicious website – see below diagram for reference

c. Java script for pages with iFrame embedded (do tricks especially sharing victim CPU resources to do bitcoin mining).

Threats actor develop a page with an iframe that manipulates the document within the iframe. Their goal is for bitcoin mining.

 

  1. Create a VSTO Word document level project using Visual Studio

2. Drag a WebBrower onto document’s surface.

3. Edit ThisDocument_Startup to navigate the WebBrowser (code sample displayed below).

Code Snippet
private void ThisDocument_Startup(object sender, System.EventArgs e)

{

this.webBrowser1.Navigate(@"http://www.microsoft.com/en/us/default.aspx");

}

For more details, please refer to below diagram for reference.

Mitigation Strategy Tips, Hints and Tricks

Overview of programming language

The top seven most in-demand coding languages as we move into 2018. Some languages like Swift didn’t make the top seven because they have lower job demand.

Since there are many programming languages are available and therefore it is difficult to closing the vulnerabilities in effective way. Let’ take a overview of existing programming language utilization status.

Hints and Tricks

PHP code to prevent iframe loading on dynamic php pages

<?php
header("X-FRAME-OPTIONS: DENY");
?>

JavaScript code to prevent loading iframe on Static HTML pages

<?php
// php header to prevent iframe loading of your web page
header("X-FRAME-OPTIONS: DENY");
?>
JavaScript code to prevent loading iframe on Static HTML pages
<script type="text/javascript">

// Prevent iframe loading of your web page and redirect to iframe target.
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

Prevent iframe loading in Static HTML pages

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Iframe Blocker</title>

<script type="text/javascript">
if( (self.parent && !(self.parent===self))
    &&(self.parent.frames.length!=0)){
    self.parent.location=document.location
}
</script>

</head>
<body>
<h1>Welcome</h1>

</body>
</html>

Prevent iframe loading on Python web development framework (django)

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> , <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

X_FRAME_OPTIONS = 'DENY'

General principle: X-Frame-Options

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

Summary

The <iframe> scrolling attribute is not supported in HTML5. Use CSS instead. However CSS has design weakness occurs. A injection vulnerabilities arise when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping. They are closely related to cross-site scripting (XSS) vulnerabilities.

 

Should you have the goal to require more, please let me know.

—- End —–

 

Application Development, System, Under our observation

Advantech WebAccess/SCADA – CVE-2018-5443 – CVE-2018-5445

1 Comment

Preface:

SCADA systems are the backbone of many modern industries, including: Energy, Food and beverage, Manufacturing, Oil and gas, Power, Recycling, Transportation, Water and waste water,….etc

SCADA evolution:

The first generation of SCADA system relies with mainframe computers. As time goes by, the evolutionary of SCADA build on top of open system foundation (Unix) in 80’s. Perhaps the Microsoft product dominate the computer world. And such away engaged the transformation in 90’s. The SCADA software that utilizes the power of SQL databases provides flexibility and advantages to traditional SCADA system.

One big benefit of using SQL databases with a SCADA system is that it makes it easier to integrate into existing MES and ERP systems, allowing data to flow seamlessly through an entire organization.

  • (MES) – Manufacturing execution systems are computerized systems used in manufacturing, to track and document the transformation of raw materials to finished goods.
  • (ERP) – Enterprise resource planning is the integrated management of core business processes, often in real-time and mediated by software and technology.

Evolving from classic program (non web access) to Web Platform

SCADA system on the Cloud (cope with modern technology trend with access anywhere function)

Before we start the discussion in security topic, we do a quick introduction of big-data frameworks. Since the Hadoop and Apache Spark pay the key role on this architecture especially big data function. For more details, please see below:

Big-data frameworks:

Hadoop is essentially a distributed data infrastructure: It distributes massive data collections across multiple nodes within a cluster of commodity servers.

Features: 

  • Indexes and keeps track of that data
  • Enabling big-data processing and analytics

Apache Spark is an open-source cluster-computing framework.

  • Spark can interface with other file system including Hadoop Distributed File System (HDFS).

Remark: From technical point of view, Spark is a data-processing tool that operates on those distributed data collections; it doesn’t do distributed storage.

Go to discussion

As of today, more and more business migrated their system application to Cloud platform including SCADA industry. Since SCADA system belongs to energy, food and beverage, manufacturing, oil and gas, Power, Recycling, Transportation, water and waste water. And therefore cyber security news and articles lack of their news. Perhaps we can hear the news is that after nuclear power station encounter hacker or malware attack.

Actually SCADA now expand their user function to mobile device. Even though a mobile phone can do a remote monitoring of the system. With WebAccess, users can build an information management platform and improve the effectiveness of vertical markets (see below picture for reference) development and management.

Let’s think it over, the WebAccess SCADA system involved in energy, aerospace and public facilities control. However those product sound like your IT devices. The SCADA hits vulnerabilities and recorded in CVE database not the 1st time. We know that hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015. Lets reader judge by yourself, let review their vulnerabilities found so far. Does it relate to SCADA vulnerability occurs which causes denied of services. Or it is really server malfunction?

Quote: Hundreds of United flights were delayed after the airline experienced a server malfunction on Jul 2015.

Quote: A United spokeswoman said that the glitch was caused by an internal technology issue and not an outside threat or hacker.

Advantech, a leader within the IPC global market. Advantech offers a comprehensive IPC product range that delivers reliability and stability for extreme environments, providing its customers with a one-stop shopping experience implementing Industry 4.0 and fulfilling their Industrial IoT needs. Let’s take a closer look on Advantech scada webaccess products vulnerabilities so far.

The vulnerabilities found on 2014 include an OS command injection, CVE-2014-8387, in the Advantech EKI-6340 series, a stack-based buffer overflow, CVE-2014-8388, in Advantech WebAccess, and a buffer overflow, CVE-2014-8386, in Advantech AdamView, CVE-2014-0770 – Advantech WebAccess SCADA webvact.ocx UserName Buffer Overflow. It looks that the design weakness keeps appear till today! For more details, please refer below details for references.

https://nvd.nist.gov/vuln/detail/CVE-2015-3947

https://nvd.nist.gov/vuln/detail/CVE-2018-5445

https://nvd.nist.gov/vuln/detail/CVE-2018-5443

Our observation in regards to above known vulnerabilities.

Regarding to WebAccess support specifications. It support the following open real-time data connectivity : OPC, Modbus, BACnet, DDE Server and the following open offline data connectivity: SQL Server, Oracle, MySQL, and Microsoft Access Database. If the repository is the MS SQL server. The IT administrator must staying alert of the SQL injection vulnerability. Since the OS user privilege escalation via Windows Access Token abuse is possible also via SQL injection.

End discussion. Thank you.

Reference:

Information appending on 3rd Feb 2018 – additional technical information supplement. My study on SCADA system risk factors to nuclear facilities (see below):

Potential black force – digitize Godzilla

 

2017, Application Development, cyber security incident news highlight, Cyber War, Data privacy

Say Goodbye to 2017 cyber incidents

1 Comment

We are going to say goodbye to 2017. What is your expectation in the new year? Cyber World activities especially cyber attacks looks intensive this year. Perhaps we cannot imagine ransomware threat which contain powerful destruction power last decade.The crypto worm (WANNACRY) break the Cyber incident world records which suspended huge volume of workstations and servers operations in the world on May 2017. A shock to the world that the only way to recover your system or data is pay the ransom. Apart from that an alert to the business world is that how does the open source software provides the IT security assurance to the company. The data breach incident occurred in Equifix was awaken everybody. However the data breach incidents continuous exposed to the world caused by misconfiguration instead of vulnerabilities. It such a way discredit the cloud services provider. On the banking environment, the  ATM malwares are wreak havoc. A speculation by expert that DDOS attack will be replaced by ransomware. It looks that DDOS looks running strong this year. My opinion is that application security will be the focus of IT people next year. By the way, I wish you Happy New Year.

Layer 7 (application layer) – What is the information security key factors?

Application Development

Out of memory bounds implication – a never ending story

Leave a comment

Preface

In cyber security world, we are in frequent heard a term privileges escalation. IT guy familiar buffer overflow causes privileges escalation vulnerability of Windows 2000 operating system. Seems buffer overflow issue not only happened in Microsoft product, even through you are using Linux. It will happen. As of today, Apple iPhone and Google Android phone are possible encountered this technical issue. But what’s the major element trigger this cause. It includes software application , operating system driver, Libraries and programming language!

Out of memory bounds status similar a ninja, he can bypass ASLR protection

Above design limitation is an example to show the out of memory bounds concern in computer world. Yes, this issue cover all the computer world and not only limited on Microsoft products. But what is the design difficulties of system designer (OS kernel or software driver)? Basically, the system designer has flexibility to use the memory address in their design. The overall status was changed because of malware born in the computer world. Regarding to my study in Microsoft Technet blog discussion so far. It was a tremendous hard job.

We might feel that Windows 2012R2 design looks perfect since it is a mature product since it summarizes the technical weakness and design limitation experiences in former products (Windows 2008, Windows 2000 and NT). But a technical issue found in 2015 bring me to attention of this matter. The issue was that system owner only delete network interfaces on a server that is running Windows Server 2012 R2 or Windows Server 2012, a random and intermittent crashes on the system

  • 0xD1: DRIVER_IRQL_NOT_LESS_OR_EQUAL
  • 0X139: KERNEL_SECURITY_CHECK_FAILURE
  • 0x3B: SYSTEM_SERVICE_EXCEPTION

Symptom occurs on system platform: Windows Server 2012 R2 or Windows Server 2012. Some cluster nodes that are running Windows Server 2012 R2 or Windows Server 2012 go down because of the corruption in NDIS and netcfg.

This case reveal to the computer world that memory under the memory protection features (Address space layout randomization protection (ASLR) and Data Execution Prevention (DEP) ). Kernel and driver designers are also headache in this matter. The key word “Prefect” does not appear in realistic world. Those memory protection facilities not prefect. Should you have interested of this item. Please refer below url for reference.

Hints: Cyber security experts aware that memory reuse and privileges escalation. The above our of memory bounds informative diagram specially show an idea how does hacker execute the malicious code of program in user mode instead of kernel mode.

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

My bias pin point to Microsoft product, let’s jump to Linux world.

The BYOD and IoT devices empower Linux operating system digital world achievement. It looks that a lot of people similar to my opinion! They will accept the excuse to this baby (Linux). As far as we know, the best partner of Linux is the C or C++ programming language. There are two ways of memory accessible to the programmer.

a. User’s virtual memory space in which application to run.

b. Register memory

From technical point of view, similar embarrass situation (memory corruption) has been occurred in Linux operating system.

  • Buffer overflow – Overwrite beyond allocated length
  • Index of array out of bounds: (array index overflow – index too large/underflow – negative index)
  • Using an address before memory is allocated and set. In this scenario the memory location is NULL or random. It is a run time error occurs when you try to point illegal memory space, usually address 0 which is reserved for OS.
  • Pointer persistence – Function returning a pointer from the stack which can get overwritten by the calling function (in this case main()):

In fact that the smartphone operating system especially Android, the cyber attack hit rate are equivalent to common office automation software application. For more details, please see below diagram for reference.

To conduct a review of the cyber attack.The cyber attack target memory address is not a new findings in mobile phone world. For instance, Huawei mobile phone encountered Out-of-Bounds Memory Access Vulnerability in the Boot Loaders on April 2017 (CVE-2017-8149). Regarding to CVE record details, this vulnerability affects an unknown function of the component Boot Loader. The manipulation as part of a Parameter leads to a memory corruption vulnerability (Out-of-Bounds). The vendor comment is that if vulnerability successful exploit. The impact could cause out-of-bounds memory read, leading to continuous system reboot.

My comment in regards to this technical issue (out of memory bounds)

The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

How about in programming language, will it happen in this area?

Yes, it will happen. See what’s going on in programming language now! PHP is a server-side scripting language designed primarily for web development but also used as a general-purpose programming language. But there is no excuse given to PHP language. Details shown as below:

Out-of-bounds memory read via gdImageRotateInterpolated (CVE-2016-1903)

Details: The gdImageRotateInterpolated function in ext/gd/libgd/gd_interpolation.c in PHP before 5.5.31, 5.6.x before 5.6.17, and 7.x before 7.0.2 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a large bgd_color argument to the imagerotate function.A buffer over-read flaw was found in the GD library used by the PHP gd extension. A specially crafted image file could cause a PHP application using the imagerotate() function to disclose portions of the server memory or crash the PHP application.

Conclusion:

Memory out of bounds looks will be happen in digital world. Sounds like a tumor in animals and human body. The impact affects by out of bonds memory all depends on where the access lands in host memory, it could lead to information disclosure. Or crash the process trigger deny of service. It could potentially be leveraged which causes execute arbitrary code with privileges escalation.

Life is not easy especially IT world. But sometimes it have fun! Wishes Merry X’mas and Happy New year.

Application Development

Perspective of e-Wallet Vulnerability

6 Comments

Preface:

Java, NodeJS, Python, ObjC with Xcode and GO are the popular programming language for develop of e-wallet application. It looks that some of the programmer favor of Java language since it is a common programming language.

New technology, but targeting approach by hacker remain unchanged

Reporting of Cybersecurity Incidents – InfoSec Resources

Jul 2017 – Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Nov 2017 – Parity wallet vulnerability freezes US$278 million of ethereum. The company patched the bug encountered on July 2017. However the code still present bugs and therefore freeze the crypto currency in the wallet.

* Ethereum wallet is implemented in C++ programming language

Feb 2012 – exposes a PIN vulnerability in Google Wallet security.

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

Common Security Vulnerabilities in a Digital Wallet

  • The registration process does not identify fraud verification of the user’s information card information.
  • Develop programming language encountered design limitation (vulnerability).

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

How is e-wallet different from cryptocurrency wallet on cyber security viewpoint?

Bitcoin is a cyrptocurrency. You need a wallet to keep your bitcoins. But Bitcoin underlying technology is block chain which cannot be counterfeited. If ever there is an issue with a transfer of funds, Bitcoin protocol settles it through consensus.

The e-wallet currency is traditional currency.It uses the secure 256bit Advanced Encryption Standard (AES) for encrypting information in your wallet. If a hacker tries a brute force attack relies on computer enter possible random-number strings at top speed it would take more than a billion years to exhaust all the possibilities.

Observation: It  looks that  both type of wallet contained hack proofed feature. But is there any underlying reason make those wallet in risk?

The Java, NodeJS, Python, ObjC with Xcode and GO are the main trend of the programming language today. Why does application developer like Java? Java is a platform Independent. Means Java does not depend on hardware and OS. Java platform fully compatible with all computers. Even through it is a mainframe computer. However the cyber security incidents from past awake the IT world that even though you are using block-chain technology platform. The other side of end point might encounter cyber attack which causes data breach or compromised of both machines. From security point of view, the overall risk rating for e-business applications including cryptocurrency or traditional currency payment transfer system are equal.

Traditional way bring people consider endpoint security but ignore other possibilities factors which are in risk!

About programming language

Python

Language: Python is a dynamically type language. Java is better characterized as a low-level implementation language.

Use of VARIABLE: No requires to declare any variables. You can mix object-oriented and imperative programming you run the code directly.

Run time speed: Slower than Java

Java

Language: Java is a statically typed language. Python is much better suited as a “glue” language.

Use of Variable: Requires to define the type of each variable, it’s object oriented in the sense that you cannot write any code without defining a class, you also invoke a compiler to compiler the code then you can run it.

Runtime speed: Run faster than python

Node.js

Language: Node.js is not a programming language. The programming language is Javascript. But Node.js not similar JavaScript framework. A group of authors define a new frameworks specifically for Node.js, It includes Express.js, Restify.js, and Hapi.js.

Use of Variable: When you declare methods without using var (function <function_name>() {}), those function declarations are moved to the top of the local scope. If you manually declare you functions, you have to wait until they are both declared before you can use them.

Runtime speed: Refer to benchmark table

C++ vs. Python vs. PHP vs. Java vs. Others performance benchmark (2016 Q3)

GO

Language: Go is an open source programming language designed for building simple, fast, and reliable software. The introduction phase for GO is written in C. The libraries are written by google developer itself. Now the compiler has been rewritten in Go, so it is fully self-hosting by Google.

Variable: The type of variable is automatically judged by the compiler based on the value passed to it.

Runtime speed: Refer to below benchmark table

ObjC with Xcode

Language: Xcode supports C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, Rez, and Swift source code with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.

Variable: It is important to note that ObjC does not support class variables. But developer can simulate static variables

Runtime speed: Objective-C is slightly slower than straight C function calls because of the lookups involved in its dynamic nature.

Security Focus

 

Since no bug proof software or hardware in the world and therefore the practical operation expose the design weakness (vulnerability). Refer to informative diagram table below , Java and php looks unsecure because of the accumulate vulnerability records.

But why Java and PHP programming language are popular in the IT world. Even though Node.js framework make use of Java language. I believe that it is the fate of the IT product market. Perhaps Java bring security worries to the world. However java language provide a comprehensive functions. E-wallet looks has benefits running on Apple iPhone OS. Since it is a proprietary environment. From security prospective, it is better than opensource OS since it looks a black hole. Perhaps vulnerability occurs, the vendor (Apple) will conduct the remediation immediately. As mentioned iOS is a proprietary environment and such away avoid multiple vulnerabilities occurs simultaneously.

Example of multiple vulnerabilities: For instance Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products (September 2017). On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. However those vulnerability affected a series of Cisco products since those voice and media management products deployed Apache Structs 2.

E-Wallet on top of mobile device platform

The Near Field Communication (NFC) payment wallets designed by GSMA program project. It relies on SIM based technique support the payment service in past. But Android M break the ice develop other alternative for online payment electronic wallet. From security point of view, the new android system architecture of the design provide sandbox feature enhance the security (see below). If we believe that it is a trustworthy environment then we move our security concerns to e-wallet SDK.

Most likely the technology trend will be form into two different way. The retail shop remain to use near field communication technique secure the payment transaction. For online payment transaction like Master card, Paypal and Alipay will lead the online payment solution. As mentioned the vulnerability found in online e-wallet SDK more or less will involved in programming language. For more details, please see below:

Instance 1: A cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter (CVE-2017-6099).

Instance 2: The Android source code file (internal/telephony/SMSDispatcher.java) does not properly construct warnings about premium SMS messages, which allows attackers to spoof the premium-payment confirmation dialog via a crafted application, aka internal bug 28557603 (CVE-2016-3883)

Reference: Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01

Instance 3: Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page (CVE-2017-5110).

Instance 4: Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Refer to above details, the argument can confirm that programming language is the important factor in e-wallet development. Even through it is a cryptocurrency wallet. The overall security level of protection for a eletronic payment system must include programming language as a major factor.

End of discussion……!

Information Supplement (under observation)

Typically, a program consists of instructions tell the computer what to do. Thus what types of data will be used when it is running will be responsible by variable. In the Java programming language, the words field and variable are both one and the same thing. Variables are devices that are used to store data, such as a number, or a string of character data. The enumerate() is one of the built-in Python functions. It returns an enumerate object. In our case that object is a list of tuples (immutable lists), each containing a pair of count/index and value. However variable can be rebound at any time, so no consistent use as an enumerator. This is a vulnerability encountered in python.

* An enumeration is a set of symbolic names (members) bound to unique, constant values.

But comparing with Java and Python CVE checklist. It shown that Python programming language hit vulnerability less than Java programming language .

 

 

Application Development

Layer 7 (application layer) – What is the information security key factors?

1 Comment

Preface:

We heard shocking news this year especially EQUIFAX breach. The hackers accessed up to 143 million customer account details earlier this year. Thereafter a data breach happened on July 29 and the details taken include names, social security numbers, drivers licences, and credit card numbers of around 200,000 people. Perhaps you could said that the incident given by vulnerability on Apache component Struts CVE-2017-5638. A design limitation was found in the Jakarta Multipart parser. A proof of concept shown that we can set the Content-Type to an OGNL expression such as:

Content-Type: ${(#_='multipart/form-data').

The Content-Type is not escaped after the error, and is then used by LocalizedTextUtil.findText function to build the error message. This function will interpret the supplied message, and anything within ${…} will be treated as an Object Graph Navigation Library (OGNL) expression. As a result the attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands (see below diagram for reference).

API security is important today especially the API infiltration

So far includes myself only focusing in ring 0 attack. It looks that information security bring my attention to kernel hooking. Once upon a time, kernel hooking looks like it is everything. I think it might have similarity and such a way anti-virus manufacturer address in the same place. But when do we awake? I believed that it is the Java application century. API security level equivalent to kernel level.

Actually the defense mechanism not difficult to detect the malware on 32-bit operating system. For instance, on a 32-bit windows system, antivirus software may use SSDT hooking (System Service Dispatch Table hooking). Using SSDT hooking, the Antivirus software can prevent attacks based on the APIs being called by the malicious software.

So, it looks secure that once modern antivirus installed, right?
But what is the reason let cyber attack victims growth rapidly? Even though IDS , firewall and modern antivirus software was deployed?

Closer Look details

Windows 7 x64 is shipped with Patch Guard which doesn’t allow to hook SSDT/MSRa/code section. Disabling PatchGuard is the 1st priority of objective for malware. Since we are the system owner and therefore it is easy to disable the Patch Guard function in your 64 bit window operating system by yourself. The instruction displayed below:

Type msconfig, Go to the boot tab and delete the patched boots.

Or running the following commands in a root-shell and restarting the PC afterwards.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex

As we know, malware couldn’t conduct manual driven job task. If malware is going to find their target named function. It must go to the correct memory address (refer to table 1). But the objective of the PatchGuard is protect the following data and structures.

• Modifying system service tables, for example, by hooking KeServiceDescriptorTable

• Modifying the interrupt descriptor table (IDT)

• Modifying the global descriptor table (GDT)

• Using kernel stacks that are not allocated by the kernel

• Patching any part of the kernel (detected only on AMD64-based systems)

Remark: The inline hooking 3 step slogan. However it doesn’t work since patch guard is enable.

  1. The Hook – A 5 byte relative jump which is written to the target function in order to hook it, the jump will jump from the hooked function to our code.
  2. The Proxy – This is our specified function (or code) which the hook placed on the target function will jump to.
  3. The Trampoline – Used to bypass the hook so we can call a hooked function normally.

How malware trim down himself, then go to kernel level. How to bypass antivirus or malware detector?

Attempt 1. Find out design limitation on web portal then using the scripting API or dynamic JSP inject command. One of the example has shown from our discussion first page. Try to find out vulnerability on web server side module or component. Or find our the weakness of  programming design (see below for reference) then inject system command.

But is there additional way to conduct API infiltration?

Attempt 2. Hooking Shared Library Function Calls

Phenomenon: Apache web server deployment high coverage in the world. However not less Apache servers are running on Windows operating system.

Variables factor: enable patchguard and ASLR (those functions might be make hack activities more difficulties)

Below diagram is the reference of example how does inline hook jumping to malicious code and then executing the original function.

Since defense function was strengthen today. Antivirus embedded malware detection function, Microsoft PatchGuard verify the instruction and ASLR conduct random address function limit malware infection and therefore below traditional way of cyber attack can not work well!

  • DLLs loaded at runtime into process address space
    For kernel32 – target private addres space between 0x00010000 and 0x7FFE0000
  • Hiding files in a directory
    Replace FindFirstFile(),FindNextFile() in Kernel32 to skip rootkit files

Is there any benefits in below attack methods?

DirectX/OpenGL APIs and time functions – Typically hooked to implement cheating in on-line games.

Status: Possibility high, under our observation.

Winsock API – Hooked to monitor network traffic.

Status: It was happened in frequent. Under observation now.

But a security gap still valid because of today fast growth business strategy

Further to my study on cyber attack incident over past few months, a hints to me that API hook technique on layer 7 (application layer) is the key milestone of hacker today. See below cyber incident records for reference:

February 2017 –  The internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Incident root cause analysis: Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

June 2017 (It discovered the data breach June 19): 198 Million Voter Records Exposed

Incident root cause analysis: Misconfiguration isn’t a malicious hack in itself. However such incident shown to the world that a wide range of component could be impact the information security world. A misleading message bring people major focus on operatio system level from past.

July 2017 (It discovered the hack on July 29) : Equifax recently had 143 million customer records breached in a hack.

Incident root cause analysis: Found security weakness on patch management in IT  operation and vulnerability awareness. The incident given by vulnerability on Apache component Struts CVE-2017-5638.

A major unknown area will be transformed to hacker new target

Technology zone:  The IP telephony technology integrated with  TCP stack more than decade. However business operation keen to enhance the functional features. And therefore do the customization for system integration is hard to avoid. We seen some network communications hardware vendor will be involved in the application interface technologies. Modern business world more tough and demanding competition. Looks  Cisco also become the victim on former vulnerability hiccups. For more details, please see below url for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Summary: Seems, I did not has final checkpoint guide me to drawn any conclusion on this discussion. Hey Guy, keep your eye open. There will be more strange things happened in today such demanding and tough business world!

Be a happy Sunday. I remain with my best regards.

 

Reference table 1:

Application Development, Virus & Malware

I am a Microsoft OS. Just wonder why I was hacked even though I have protective system?

1 Comment

Preface:

A simple question was asked by kernel? Why I was hacked even though I have comprehensive protective system?

Background:

The windows Operating System development team fully understand relies on market anti virus might not protecting their core OS significantly. Since the computer user not only using Microsoft word processing application. They are allow the 3rd party application vendor run on top of their operating system.
They provides security defense mechanism to 3rd party software developers on their OS products since 2002. Such advanced protective mechanism also apply to windows XP SP2 and windows server 2003.

Introduction – Microsoft Comprehensive protective system for 3rd party application development (cookbook)

Top 3 protection features overview

Stack buffer overrun detection

The Detection  capability was introduced to the C/C++ compiler in Visual Studio .NET.  The /GS switch only inserts checks into function that it “recognizes as subject to buffer overrun problems.

Mitigation scheme – add below instruction in a commonly used header file to increase the number of functions protected by /GS:

#pragma strict_gs_check(on)

Preventing the SEH Overwrites with SEHOP

Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently. In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. (see below diagram for reference)

Remark: The SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows.

Mitigation scheme:

Adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP. SEHOP achieves this functionality in two distinct steps.

  1. Insertion of a symbolic exception registration record as the tail record in a thread’s exception handler list.
  2. Ensure that the symbolic record can be reached and that it is valid

Below diagram illustration of this logic:

 

Address space layout randomization (ASLR)

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. By default, Windows Vista and later will randomize system DLLs and EXEs. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. It provides random stack and heap allocations and page load every time a process starts. Even though system process was hacked. The malware cannot execute shellcode theoretically.

Below articles are my research on ASLR topic on Virtual Machine and other operation system . Should you have interest. Please review below articles for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

The enemy of ASLR (Address space layout randomization) – memory leak

But why was hacked ?

Technical insight –  It looks that using ASLR feature protect windows OS products are perfect. But the cyber security incident happened from past proven that ASLR is hard to avoid side-channel attack. For instance, the vulnerabilities (CVE-2016-7260 and CVE-2016-7259) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The windows OS system including 2008,2008R2, 2012,2012R2 and 2016.

Another example alert by Microsoft that attackers are using a blend of in-memory malware, legitimate pen-testing tools and a compromised updater to attack banks and tech firms. Similar type of attack was happened on 2013 of several South Korean organizations via a malicious version of an installer from storage service SimDisk.

Below details of information can help you to developing more idea in regards of this matter.

The operating system can promote a driver’s StartType to be a boot start driver depending on the BootFlags value specified in the driver’s INF. You can specify one or more (ORed) of the following numeric values in the INF file, expressed as a hexadecimal value:

  • If a driver should be promoted to be a boot start driver on network boot, specify 0x1 (CM_SERVICE_NETWORK_BOOT_LOAD).
  • If a driver should be promoted on booting from a VHD, specify 0x2 (CM_SERVICE_VIRTUAL_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a USB disk, specify 0x4 (CM_SERVICE_USB_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting from SD storage, specify 0x8 (CM_SERVICE_SD_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a disk on a USB 3.0 controller, specify 0x10 (CM_SERVICE_USB3_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting with measured boot enabled, specify 0x20 (CM_SERVICE_MEASURED_BOOT_LOAD).
  • If a driver should be promoted while booting with verifier boot enabled, specify 0x40 (CM_SERVICE_VERIFIER_BOOT_LOAD).
  • If a driver should be promoted on WinPE boot, specify 0x80 (CM_SERVICE_WINPE_BOOT_LOAD).

Windows registry:  Turn on/off ASLR feature: (see below)

ASLR by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages

Summary:

ASLR does not affect runtime performance. However it might slow down the initial loading of modules. But it is not in full capability to protect your windows OS system.

A reminder . Do not ignore unimportant item.