Category Archives: Application Development

Application Development, Network (Protocol, Topology & Standard), System

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

202 Comments

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is this a hoax? Or it is National Security Agency?

244 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/Equation-Group-pic-2_zpsojrksrjr.jpg

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-1_zpsd7yypvqf.jpg

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

200 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-Cisco_zpszinq59nd.jpg

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Application Development

SOFTWARE DEVELOPMENT – Internet of Things (IoT)

250 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/App-dev_zpstuucqzml.jpg

Preface

The term BYOD first entered common use in 2009, BYOD conceptual idea looks go to another phase today. The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. New products and new markets are being rapidly created base on software innovations. On the other hand, it bring out security concerns. This topic is going to provides the fundamental concept. On how,  application developers consider those factors (security in technology area).

Application development best practices

1. Avoid to combine new application into existing applications: large legacy software coding that are being reused and modified for current applications.

2. Security considerations : during software design cycle in regards to the buffer overflows, memory leaks, data protection (encryption), and other most common defects (Operating system and programmable interface software).

3. Application threat modeling:

  • Spoofing – Accessing and using another user’s authentication information.
  • Tampering –  Alteration of data as it flows over an open network.
  • Repudiation – Users denying the performance of an illegal action, in an environment where accountability can’t be identified.
  • Information Disclosure – Disclosing of information to individuals without access rights.
  • Denial of Service – DoS attacks against valid application users.
  • Elevation of Privilege – Unauthorised users gaining privileged access status.

4. Authentication: All authentication attempts should be logged, and repeatedly failed logins should trigger an account lock-out.

5. Access Control (least privilege model) – basic level of data access by default.

6. Input data validation: SQL injection and XSS are two of the most common application vulnerabilities. Define data validation scheme to avoid malicious data input.

7. Application session management: cookies need to be sanitised, and devoid of any sensitive information; and session IDs should be unique to each user, and randomly generated after successful authentication.

Any more, yes. stay tuned!