Category Archives: Application Development

Application Development, System

CVE-2016-7255 – Google Chrome is the Instigator

248 Comments

IT world encounters Storm in a tea cup from weekly. Heard that Microsoft blame Google mistaken on their web browser (chrome) design mistake causes vulnerability occurs (CVE-2016-7255). On hand information described that hacker would like to find back door in web browser (Google chrome), they found a privileges escalation at the end. It looks that similar vulnerability caused by web browser will be happened in future. The vulnerable service daemon is the win32K.sys this round!

What is win32K.sys – It is a multi user win 32 driver file.

It looks that win32K.sys has design limitation, a page_fault_in_nonpaged_area discovered in 2009. But what is page fault in non page area? The symptom is that application asked for a page of memory in order to continue, and the page was not available then crash.

Suspected that why google chrome is the instigator

When Chrome attempts to access critical data from memory that was supposed to be stored in the Non-Paged area, but cannot find it. Because this area of memory is reserved for the Windows core.

Below windows OS register keys relate to CVE-2016-7255

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Exp.CVE-2016-7255

    HKEY_LOCAL_MACHINE\SOFTWARE\

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ’1′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “3948550101?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “xas
    
    HKEY_CURRENT_USER\Software\Exp.CVE-2016-7255

Comment:

CVE-2016-7255 hit design limitation and causes local privilege escalation. Patch is available. But my comments this time is wait for next round of announcement by Microsoft. What’s the reason? …….!!!!!

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is Single Sign on a Security Risk?

208 Comments

Is Single Sign on a Security Risk?

The majority of computer operators and people alike maintained one user ID and password. The single sign on facility fulfill their operation requirements. From security point of view, there are inherent risks for company deploys single sign-on function on their network infrastructure.

Single sign on infrastructure

Let take a closer look of single-sign on

Benefits:

  1. No need to remember many user IDs and passwords
  2. Simplified operation procedure
  3. Improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users.
  4. Reduces the time taken by users to log into multiple applications and platforms

 

Single-sign on drawback

  1. Same password on all your various web services, it is also dangerous to let one username/password combination unlock all the resources.
  2. Single high-value target (attracts more attackers)
  3. Side channel attack against authentication step
  4. never know how secure your system is or if there is a breach

Single sign on increase the difficulties of application protection

SSO by itself doesn’t really improve security and, in fact, if not deployed properly can degrade security.  There are more techniques to attacks single sign-on application today. For more details, please see below:

  1. Single Sign-On phishing
  2. SSO profile was vulnerable to a Man-in-the-middle attack
  3. Replay Attacks
  4. XML Signature Wrapping vulnerability in SAML protocol

Security Concerns:

GIAC as a pioneer point out single sign on security concerns on their global information assurance certification paper. The article bring an idea to the world that each operating system and application has it own set of security requirement for both user user ID and password. In the sense that SSO by itself doesn’t really improve security and, in fact, if not deployed properly can degrade security.  Since enterprise firm need compliance, fulfill audit requirements. Please be noted that compliance may not equal security. Let’s think it over, one single password that could access all key applications. Does it on a security risk?

Application Development, Cell Phone (iPhone, Android, windows mobile), System

Android bad luck this year! Do you think iPhone is Invulnerability?

175 Comments

Keep heard that vulnerability found on Android phone recently. For instance Dirty Cow attack, Drammer attack and Dangerous Pork Explosion backdoor. Do you think Linux operating system not secure anymore?

As far as I remember vulnerabilities found on Apple IOS not less than Android operation system. Can you imagine in what circumstance, XNU (X is Not Unix) can be compromised by hacker. iPhone architecture and its main components. The architecture uses the Darwin operating system, which includes the XNU kernel and system utilities.

What is XNU?

Darwin is an open source operating system released by Apple in 2000. Apple then built upon Darwin to create OS X and iOS. XNU is the computer operating system kernel developed at Apple Inc for use in OS X and iOS. XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. The components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit. Up to 2016 iOS version details shown as below:

iOS has many similarities as Mac OSX on kernel components and functions. As mentioned, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. In the kernel there are three important components. They are Mach, BSD and IOKit.

  •    Mach: Low level abstraction of kernel
  •    BSD: High level abstraction of kernel
  •    IOKit: Apple kernel extension framework

All the classes have a root object, called OS Object. OS Object mainly overwrite new operator to allocate memory, and declare init method to initialize the object self. Because of this fundamental design, few known vulnerabilities are happened in this area. An application may be able to execute arbitrary code with kernel privileges. Do you think iPhone is invulnerability? No, sure properly not. Found high level of risk vulnerabilities last few month (2016). Seems headline news not intent broadcast in high profile and therefore not to seriously shocks iPhone fans. For more details, please see below CVE for references:

  • CVE-2016-4778: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4777: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (invalid pointer dereference) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4738: libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Remark: Impact – Processing maliciously crafted web content may lead to arbitrary code execution

Xcode is a development environment which contains a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software

  • CVE-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
  • CVE-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow

Current summary:

Due to business requirement, life cycle of products become short and such a way shorten product development life cycle & test cycle. It is a joke!

Application Development, Network (Protocol, Topology & Standard), System

Part 1:Blockchain technology situation – A Tales of Two Cities

200 Comments

 

Quotes from A Tales of Two Cities

“It was the best of times, it was the worst of times,.. Charles Dicken

Read the fiction from my view point looks boring, however a famous quotes written by Charles Dicken can correctly describe the current situation of Blockchain technology.

It was the best of the times

Blockchain technology appear to the world cope with electronic currencies. The proprietary payment method covered up financial world long period of times. As a consumer you are not going to pay high rate of services fees for transfer payment method , right? The blockchain technology (crypto currency) appears like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

The traditional payment transfer need for central authorities to certify ownership and clear transactions (see below diagram for reference)

Blockchain technology – decentral data storage

In a blockchain network the data is stored on many computers (miner). Each computer interconnect the other computers (nodes) in the blockchain network. The information on all these computers are constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From general point of view, it confer benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic Benefits: In the meantime bitcoin did not have high economic benefits.

Business development opportunities: Block chain concept lure entrepreneurship bring up new business idea. Their objective is going to break the ice. Make the electronic payment more open.

It was the worst of times!

Hacking looking for ransom not possible occurs since law enforcement team trace the finger prints can find out details. Bad guy aware that he will under arrest during money clearing process . Therefore they are not intend to ask for ransom until crypto currency (bitcoin) appears. It looks that bitcoin feature lure hacking activities in serious. For instance triggers ransomware infection scare IT world. Law enforcement team (FBI) did not have solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The realistic were told that Bitcoin exchange operation and policy visible level are low. Yes, they are make use of blockchain technology, however the governance structure not equal to common financial institution. The incidents occurred so far look lack of visibility! See below historical incident records (thefts from Bitcoin exchange) might bring an idea to you.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong base Bitcoin exchange (Bitfinex) hacked : drained 119,756 bitcoins from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): Undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of lost 1,500 bitcoins value US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of lost 150 bitcoins value $43,000

Remark: Hong Kong monetary authority enforce Hong kong financial institution includes bitcoin exchange business vendor mandatory execute their guideline. For more details, please refer to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of Trustworthy – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding to the above auction by US government. Do you think it equivalent that US government gave blockchain technology as a untrust vote?

Cyber security viewpoint - Blockchain vs. SWIFT

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

Swift bangladesh heist cause a sensation. Let’s finance institution heads up. Bring their attention to end user computing. Whereby a continous information security program and policy announced. But you might have question? How SWIFT manage to fight it all? That is unknow system vulnerabilities on their system?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From technical point of view, it is a tamper-proof technology. Why was bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hints that a weakness of fundamental design (see below)

 

 

Refer to above diagrams, a common criteria occurs on both traditional payment and blockchain solution. No matter how secure on your payment method, a single point of failure on single element will crash your tamper-proof design. For instance, a vulnerability occurs in sender or receiver workstation OS level, malware can compromise the whole solution. Even though you are using advanced crypto solution.

Next topic we are going to investigate bitcoin malware. Coming soon!

 

Application Development, Network (Protocol, Topology & Standard), System

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

202 Comments

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is this a hoax? Or it is National Security Agency?

244 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/Equation-Group-pic-2_zpsojrksrjr.jpg

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-1_zpsd7yypvqf.jpg

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

200 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-Cisco_zpszinq59nd.jpg

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Application Development

SOFTWARE DEVELOPMENT – Internet of Things (IoT)

250 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/App-dev_zpstuucqzml.jpg

Preface

The term BYOD first entered common use in 2009, BYOD conceptual idea looks go to another phase today. The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. New products and new markets are being rapidly created base on software innovations. On the other hand, it bring out security concerns. This topic is going to provides the fundamental concept. On how,  application developers consider those factors (security in technology area).

Application development best practices

1. Avoid to combine new application into existing applications: large legacy software coding that are being reused and modified for current applications.

2. Security considerations : during software design cycle in regards to the buffer overflows, memory leaks, data protection (encryption), and other most common defects (Operating system and programmable interface software).

3. Application threat modeling:

  • Spoofing – Accessing and using another user’s authentication information.
  • Tampering –  Alteration of data as it flows over an open network.
  • Repudiation – Users denying the performance of an illegal action, in an environment where accountability can’t be identified.
  • Information Disclosure – Disclosing of information to individuals without access rights.
  • Denial of Service – DoS attacks against valid application users.
  • Elevation of Privilege – Unauthorised users gaining privileged access status.

4. Authentication: All authentication attempts should be logged, and repeatedly failed logins should trigger an account lock-out.

5. Access Control (least privilege model) – basic level of data access by default.

6. Input data validation: SQL injection and XSS are two of the most common application vulnerabilities. Define data validation scheme to avoid malicious data input.

7. Application session management: cookies need to be sanitised, and devoid of any sensitive information; and session IDs should be unique to each user, and randomly generated after successful authentication.

Any more, yes. stay tuned!