Category Archives: Blockchain

Blockchain

Is Quantum technology an existential threat to blockchain?

2 Comments

The world are obsessed with Bitcoin.We heard Quantum Computing earlier this year.Quantum computing found quantum bit theory. Boolean Algebra base on ‘AND’, ‘OR’ And ‘NOT’ condition. Therefore implementing to Quantum bit might have problem(attach picture can provide hints)! Blockchain theory empower cryptocurrency powerful features.But blockchain technology work with tradition computer. So, Quantum technology is blockchain technology enemy! The quantum computing is the traditional currency bodyguard.Following url can provide the hints.

https://singularityhub.com/2017/11/05/is-quantum-computing-an-existential-threat-to-blockchain-technology/

Information security perspective -Hyperledger (Blockchain Technology) article shown as below:

Overview of hyperledger (Blockchain Technology) security design

 

Blockchain

Overview of hyperledger (Blockchain Technology) security design

12 Comments

Preface

The deluge push the earth to next generation. The scientists found Noah’s Ark fingerprint on top of the hill in India. The tremendous trend of the cryptocurrency (Bitcoins) like deluge. It such a way change the financial industry framework.

The fundamental technology concept

What is the difference in between blockchain and hyperledger?

A consensus of the blockchain technology foundation have the following idea. The blockchain technology feature better implement in public ledger that is crypto currencies. Hyerledger should have benefits to business industries. Since the fundemental of the cryptocurrencies concept is a direct electronic payment.The specific technology objectives encryption and integrity of the record (it cannot counterfeit), once the block is use it cannot be use reuse anymore.

 

As times go by, the cyber attack incidents on IT technology world bring the enhancement idea to blockchain technology. In order to cope with on-going technology and business perspective. Blockchain technology transform the technology focus to enhance its framework structure. And therefore hyperledger was born.The most popular hyperledger framework models are the following models.

Refer to the Hyperledger Modular Umbrella approach. Each Hyperledger framework empower different advanced function in order to cope with business industry requirements.

There are total 5 different framework of approach.

Burrow Framework

Provides a modular blockchain client with permissioned smart contract interpreter partially developed to the ethereum virtual machine (EVM) specification.

From security point of view: Eris makes use of Docker containers for its services and much of the Eris and Tendermint tooling is written in Go.You’ll need to have at least as many EC2 instances available as you want nodes. Again, you’ll need at least four nodes for the network to operate. If you don’t want to use AWS to host your nodes, you’ll need to have access to hosts that have Go version 1.4.x and Docker version 1.8.x installed. The programming language is Go. This development language not popular but it is secure. But it is hard to find programmer familiar with GO programming background.

Observation: (CVE-2016-3958/CVE-2016-3959) Untrusted search path vulnerability in Go before 1.5.4 and 1.6.x before 1.6.1 on Windows allows local users to gain privileges via a Trojan horse DLL in the current working directory, related to use of the LoadLibrary function (CVE-2016-3958).

Iroha

An blockchain framework designed for simple and easy incorporation into infrastructure projects requiring distributed ledger technology.

From security point of view: Since Iroha framework contains the following features:

  • Creation and management of custom complex assets, such as currencies or indivisible rights, serial numbers, patents, etc.
  • Management of user accounts
  • Taxonomy of accounts based on domains — or sub-ledgers in the system
  • The system of rights and verification of user permissions for the execution of transactions and queries in the system
  • Validation of business rules for transactions and queries in the system

Comparing the actual functions (see below diagram). My comment is that the integrity check looks run in precise way on each transaction. Iroha try to improve the anti-tamper solution of the data. The fundamental design concept of Iroha focuses on Blockchain-based Data Management.

Observation: Since Iroha focuses on blockchain based data management. How about the end point protection? It looks the design did not provide a clear visibility on the end point.

Remark: The Iroha project is a bit of an outlier within Hyperledger. It originated with some developers in Japan who had built their own blockchain technology for a couple of mobile use cases. It’s implemented in C++ which can be more high performance for small data.

A modular platform designed for building, deploying and running versatile and scalable distributed ledgers. Heard that the Sawtooth consensus software targets large distributed validator populations with minimal resource consumption. “It may give us the ability to build very broad and flat networks of hundreds to thousands of nodes,” said Behlendorf. “It’s harder to do with traditional consensus mechanisms without having the CPU burden of cryptocurrencies.”

From security point of view: No conclusion at this moment.

Fabric Framework

An implementation of block chain technology intended as a foundation for developing blockchain application or solutions. Fabric is Hyperledger’s most active project to date. Hyperledger Fabric intends to offer a number of SDKs for a wide variety of programming languages. The first two delivered are the Node.js and Java SDKs.

From security point of view: Since the first two delivered are the Node.js and Java SDKs. In order to avoid the denial of service or avoid unauthenticated attacker with network access via Kerberos to compromise Java SE, Java SE Embedded. It is better to make use of GO for application development in future.

Below details are the recently vulnerabilities occurred on above 2 programming languages for reference.

http://www.cvedetails.com/cve/CVE-2017-10388/

https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Indy

Sovrin is a specific deployment of the Hyperledger Indy codebase. Sovrin developed the Indy code base as part of its mission to build a global public utility for self-sovereign identity. Sovrin Foundation contributed the code to Hyperledger under the Hyperledger Indy brand to expand the developer community and allow greater participation. But Sovrin and Indy are distinct. Sovrin is a specific, operating instance of the Hyperledger Indy code that contains identities that are interoperable at the global scale.

Remark: The best way to start develop Sovrin would be with the Indy SDK. (Indy is the technology under Sovrin, and its SDK provides a C-callable library.

From security point of view: Vulnerability (Slow nodes can be stalled after a view change)

Description – The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number

Detail explanation: What if A is malicious, and C and D during a catch up get inconsistent catchup messages from A and B? Perhaps the PRIMARY declaration message needs a root hash, and f+1 consistent responses for both Last Ordered Batch number AND Txn Root Hash

Remedy: The election process needs to communicate what is the transaction and state root hash apart from the last ordered Pre-Prepare sequence number.

Summary:

IT security from 90’s encountered virus infection till today malware infection causes data breach. The appearance of blockchain (hyperledger technology) goal to mitigation the data leakage issue. The design objective of the data encryption is going to protect your data. As of today, an advanced technology enhanced server side and data storage. Block chain technology breakthrough traditional key algorithm encryption. The hash encryption technique and blockchain (accumulate) (N+1) data encryption scheme awaken the world. However the product design limitation let hacker exploit the vulnerabilities and such away expand the risk to application layer including programming language. On the other hand a hidden factor in client side (end point) looks without significant improvement. Apart from that the smartphone geometric level of growth . So, I forseen that information technology world requires a new revolution to end point platform. See whether there is a new concept of client platform technology announces tomorrow?

Note: AWS, Azure and Office 365 are ready for Blockchain (hyperledger) services (see above diagram). Be a innovative IT management. Don’t wait. Now please try to jump to Blockchain (hyperledger) services. You will love it!

Status update 19th Feb 2018 – The deluge push the earth to next generation.Bitcoin and hyperledger technologies such a way transform their new generation to the financial business world. Dubai a former big brother leading the natural resources supply to the world especially petroleum. Now they are keen to leads bitcoin and hypledger technologies. I wishes of their success. See whether what is the new technique can be renovate the blockchain and hyperledger world.

 

 

Blockchain

Sunday (10th Dec 2017) – Crypto currencies won the battle at this moment.

On Sunday (10th Dec 2017), Chicago Board Options Exchange has allowed investors to place their bets on crypto currencies commodities. Seems Crypto currencies won the battle at this moment. Perhaps we now living in digital world. IoT, BYOD, AI, and enterprise firm keen to do the digital transformation. Similar Charles Dickens said in his famous fiction (A Tale of Two Cities), it was the best of times, it was the worst of times. Let’s celebrates Chicago Board Options Exchange has allowed investors to place their bets on commodities from corn to steel (see below URL – CNN News)

New step for Bitcoin’s wild ride: Futures trading

http://money.cnn.com/2017/12/10/investing/bitcoin-chicago-board-options-exchange/index.html

2017, Blockchain, cyber security incident news highlight

Would you mind someone sharing your CPU power during your site visit?

1 Comment

Sharing your power to do the bitcoin mining not a news. Seems the storm spread to Hong Kong. The unknown program implant to the web server which share your CPU resources during your site visit. It looks such method wreak havoc! But the threat occurs in children products web portal. Why? More than 90% of people feeling that hacker will not be interested of this industry. But sharing your CPU power might operating in silent mode, right? Are you the victim of this attack? A simple and easy step to figure out the issue.You open your windows task manager. Then check your CPU resources utilization before and after close the specific web browser function.You will be figure out what is going on? Headline News details shown as follow:

Chinese language Newspaper article

https://hk.news.appledaily.com/local/daily/article/20171203/20233090

Another former discussion subject : Become a witness of new generation of financial age.For more details, please refer following url:

Become a witness of new generation of financial age. But be careful of hack.

 

Blockchain, IoT

Reveal block chain technology secret – he is the Genesis-of-Bible

8 Comments

Preface

Blockchain technology is the hottest topic last few years. Actually a similar of block technology already infiltrate into our world since genesis of the world. Do you still remember that in your student age attend chemistry lesson. A boring subject introduce the four principle orbitals (s, p, d, and f) which are filled according to the energy level and valence electrons of the element (see below for reference).  They are the block chain fundamental concept.

The genesis did not mentioned in high profile until blockchain technology do the renovation!

We are easy to find out the key elements of blockchain on internet. According to my observation so far, the result might not similar. My observation summary are function, element and the lifetime (life cycle). See below details for reference (another boring diagram)

The blockchain technology reveal those three items of key element since Bitcoin currency concept found 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world is crypto currency (Bitcoin) until ENIGMA found another new idea of concept and announced to public in 2017.

Modern world concerning data privacy blockchain can do it better

In reference to technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland. It shown that an advanced encryption scheme (secure multi-party computation) provides more advance benefits comparing with key encryption concept.

Blockchain technology shown his expandable feature to the world he is not limit to cryptocurrency.

Enigma technology pioneer to introduce the expandability on blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-Factor authentication, identity,IoT, distrubuted personal data stores, crypto bank, E-Voting and Bitcoin Wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology in regards to storage, manage and use (the highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen design weakness in data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weakness. Even though you are now using TLS 1.3, it is hard to guarantee the asymmetric cryptography will be encountered another vulnerability in future.

E-Voting: An data breach occurred last year (2016) on election of US president. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure avoid data breach

We noticed that banking industry have tough and demanding compliance requirements. Some sort of policy they are not able to outsource the hosting facilities to cloud computing environment. As a matter of fact, I totally agree with their auditors concerns of data ownership and governance of data. We heard a data breach on Amazon Simple Storage Service (S3) — Cloud Storage this year. However the on-going technology trend is going to do the system integration to cloud computing. It looks that the IT world no way to escape the cloud technology integrate to their IT infrastructure. Block chain technology itself embedded strong encryption feature which can replace traditional network transport and data protection mechanism. Even though hacker break through the public cloud computing farm, hacker not easy to decrypt the data.

How about ransomware attack?

Blockchain solutions are decentralized – a scenario may happen that ransomware encrypted the data belongs to specifics cyber victim. But another range of clients may not affected.

Who’s is ready to playing this game?

Let’s do a review on current cloud facilities located in APAC country. In the meantime AWS did not install their hosting in China and Hong Kong. But service (blockchain-as-a-service) is available,The nearest zone which have AWS hosting facility installed is Singapore. In such a way bring the advantage to Microsoft Azure cloud became a market leader in this area (see below reference).

According to the blockchain key elements: function, element and life cycle. Blockchain can conduct like a theory apply to technology world without limitation.

Let take a closer look of blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those country who would like to implement the Smart City. Blockchain technology is the key project element which they cannot escape.

A Breakthrough for City Innovation driven by blockchain technology

  1. Single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Provides integrated solutions for local commerce across retailers, service providers, dining, and lodging internal system migrate to the cloud (blockchain-as-a-service).

Blockchain

Become a witness of new generation of financial age. But be careful of hack.

7 Comments

Preface:

Bitcoin mining make the world crazy. Java base coin mining tools provides flexibility. A lightweight, small footprint let you involved to mining industry.

What is the actual reason to lure the people starting the mining work?

Reminder: Bitcoin mining like a games. Different types of crypto currencies will have different mining rewards policy.

It looks that it is easy to answer. We are looking for money that is the reward.

The Bitcoin block mining reward halves every 210,000 blocks, the coin reward will decrease from 12.5 to 6.25 coins, said bitcoinblockhalf (www.bitcoinblockhalf.com)

So what is the target mining pool (blockchain) and coin types?

The hottest crypto currencies are Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Litecoin (LTC), Dash and Pascal (PASC). But Ethereum mining is profitable, but it cannot maintain in the long run. However it is still the hottest topic. Ethereum has seen an almost 20x jump in price in 2017. What are Mining Rewards in Ethereum?

The proof of work(PoW) in Ethereum is run through Ethash. The successful PoW miner will receive a static block reward that is equal to 5 Ether.

 

Why a GPU mines faster than a CPU?

A majority of GPUs support add, multiply and multiply-add natively in hardware with single-cycle throughput, as the basic computation instructions.  And thereby it is better to using GPU conduct bitcoin mining. Since traditional CPU embedded instruction set and OS footprint. It is difficult to maximize the overall performance for bitcoin mining.

Does Java code is the best suit for Bitcoin Mining?

I watch a TV program years ago, a crew visited China report the status of this industry. Shown on the TV screen the bitcoin miner campus like a factory. A whole bunch of computer units which generates high temperature. You could not found a pretty office lady in that office. So, does it a artificial intelligence office? Seems it is not, you will find young Chinese men which wearing casual to working over there.

The traditional bitcoin mining require high CPU resources to do the calculation. A hints of the mining requirement recommend using GPU (graphics processing unit) instead of CPU (central processing unit). However, an HTML IFRAME tag is able to embedded java script to share visitor CPU resources to assists for bitcoin mining ((Embedding a javascript inside another using the<iframe> tag). As we know, web site open to the world not limited to area and visitor. From technical point of view, this is a win win situation. Coinhive offers a JavaScript miner for the Monero Blockchain that you can embed in your website.

To be honest, java programming provides flexibility for bitcoin miner do the mining. Below sample shown that a light-weight java programming can conduct a mining focusing on Ethereum blockchain. Some largeBitcoin mining farms switch to Ethereum today.

Remark: Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract functionality

package org.ethereum.core;

import java.math.BigInteger;

import org.ethereum.crypto.HashUtil;
import org.ethereum.util.ByteUtil;
import org.ethereum.util.FastByteComparisons;
import org.spongycastle.util.Arrays;
import org.spongycastle.util.BigIntegers;
public class Miner {
public boolean mine(Block newBlock, byte[] difficulty) {

		BigInteger max = BigInteger.valueOf(2).pow(256);
		byte[] target = BigIntegers.asUnsignedByteArray(32,
				max.divide(new BigInteger(1, difficulty)));

		byte[] hash = HashUtil.sha3(newBlock.getEncodedWithoutNonce());
		byte[] testNonce = new byte[32];
		byte[] concat;

		while(ByteUtil.increment(testNonce)) {
			concat = Arrays.concatenate(hash, testNonce);
			byte[] result = HashUtil.sha3(concat);
			if(FastByteComparisons.compareTo(result, 0, 32, target, 0, 32) < 0) {
				newBlock.setNonce(testNonce);
//				System.out.println(Hex.toHexString(newBlock.getEncoded()));
				return true;
			}
		}
		return false; // couldn't find a valid nonce
	}
}

Cyber security view point

Researchers found that a sophisticated class of surreptitious mining software might penetrates your system. Hacker will delivered their services through infected image files or by clicking on links leading to a malicious site. n such a way that visitor will consume more CPU power. It is easy to figure it out what is the status of your personal computer at home. If you have everything closed but CPU usage is still super high, then you may have a crypto mining malware problem.

Potential opportunities for hacker

Since those bitcoin mining java script not going to compile, Those programming coding something do not trigger the security alarm. Hacker is easy to mix their malware code contained in bitcoin mining java script then bypass the detective mechanism.

What next?

Perhaps Bitcoin environment looks like a new generation of new century. It is hard to draw into conclusion at this moment. Perhaps Bitcoin environment looks like a new generation of new century. It is hard to draw into conclusion at this moment. The similar case of traditional bank robbery will be replaced by new technology. The hacker will conduct similar criteria of criminal activities.

Reference:

Monero: Mining metrics are calculated based on a network hash rate of 252 MH/s and using a XMR – USD exchange rate of 1 XMR = $ 88.35. These figures vary based on the total network hash rate and on the XMR to USD conversion rate. Block reward is fixed at 6.022756660193 XMRand future block reward reductions are not taken into account. The average block time used in the calculation is 120 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Ethereum: Mining metrics are calculated based on a network hash rate of 109,037 GH/s and using a ETH – USD exchange rate of 1 ETH = $ 307.61. These figures vary based on the total network hash rate and on the ETH to USD conversion rate. Block reward is fixed at 3 ETH and future block reward reductions are not taken into account. The average block time used in the calculation is 15 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Bitcoin: Mining metrics are calculated based on a network hash rate of 10,399,990,921 GH/s and using a BTC – USD exchange rate of 1 BTC = $ 6138.57. These figures vary based on the total network hash rate and on the BTC to USD conversion rate. Block reward is fixed at 12.5 BTCand future block reward reductions are not taken into account. The average block time used in the calculation is 600 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

DASH: Mining metrics are calculated based on a network hash rate of 210,374 GH/s and using a DASH – USD exchange rate of 1 DASH = $ 283.43. These figures vary based on the total network hash rate and on the DASH to USD conversion rate. Block reward is fixed at1.801475954707712 DASH POW mining out of 3.602951909415424 DASH total mining reward and future block reward reductions are not taken into account. The average block time used in the calculation is 488 seconds. The electricity price used in generating these metrics is $ 0.12per kWh.

Litecoin: Mining metrics are calculated based on a network hash rate of 30,369 GH/s and using a LTC – USD exchange rate of 1 LTC = $ 56.5. These figures vary based on the total network hash rate and on the LTC to USD conversion rate. Block reward is fixed at 25 LTC and future block reward reductions are not taken into account. The average block time used in the calculation is 150 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

 

 

 

Blockchain, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard)

SS7 flaw make two factor authentication insecure – Reveal the veil

1 Comment

Preface:

Two factor authentications claimed itself that it is a prefect security solution. No matter online banking transaction, Bitcoin wallet, e-trading business system and application system which concern the data privacy are willing to apply two factors authentication.

The overall comments for two factor authentication on the market

Let’s take a review in below cyber security incident records

  1. Cyber Criminals stolen Bitcoin in electronic Wallets by counterfeit two factor authentication SMS messages.A investment trader so called night owl. He was notified the passwords had been reset on two of his email addresses on 11th Aug 2016. He losses among the largest in his bitcoin investment. The venture capitalists (Bo Shen) he had value of US$300,000 electronic money (Augur REP tokens) stolen by hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (US base world biggest bitcoin exchange) observed that a double growth of cyber heist among it customers during November to December 2016.
  2. Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January 2017. Meanwhile the attackers use SS7 vulnerability to intercept and redirect mTANs ( mobile transaction authentication numbers) sent by banks in Germany to authorize transfers payment out of victim accounts.

The clarification of two factor authentication criteria

Two factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is send one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on above matter?

What if my situation in regards to key terms “something you are” function replace by a hardware token. In this scenario, my hardware authentication token will be synchronized in the 1st round of registration to RSA ACE server. Thereafter the dependence of the hardware token depends on a element (timing). This setup compliance to 2FA definition. In the sense that it did not involve SMS message. So the 2FA still trustworthy, right?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

SS7 design fundamental is going to trust any request.  We known that JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. And therefore counterfeit SMS message will more easier (see below information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. It looks that such remediation step not effective to avoid insider threats.

Nokia safeguard network operation effectiveness

The fundamental of SS7 signal system is operate in a private network, meaning that cyber criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access.However there is another vulnerability on ASN.1. That is ASN.1 Compiler flaw leads to Network vulnerability. As such , hacker explore the back door on SS7 not only targeting to their internal staff. It might have possibility allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile java language fully compatible with SS7 protocol stack and platform. Oops! Do you think a design weakness will be happen in this place?

Hacker might reading shared memory data using Java . Program source that is written by C++.

Hacker can create a method in Java to read or write on shared memory. Hacker might have way relies on Java SS7 benefits hook to sharing memory process. As a result, it compromise the machine. It can send SMS to anyone or anywhere includes communicate with other Telco vendor. It is the most concern and dangerous way.

Conclusion:

From technical point of view, 2FA (Two factor authentication) still a secure method for authentication. It looks that the flaw given by SS7 signaling system instead of 2FA itself. Since 2FA not limit to SS7 to conduct authentication. You are allow to use other alternative. Guys do not worry too much.

Information supplement 1: Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. Below javascript sample is the pass along message implementation programming syntax for reference. 

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */

public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
 public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

static final int _INDEX_F_MessageType = 0;
 private ISUPMessage embedded;
 /**
 *
 * @param source
 * @throws ParameterException
 */
 public PassAlongMessageImpl() {
 super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
 }



public MessageType getMessageType() {
 return _MESSAGE_TYPE;
 }

@Override
 public void setEmbeddedMessage(ISUPMessage msg) {
 this.embedded = msg;
 }

@Override
 public ISUPMessage getEmbeddedMessage() {
 return embedded;
 }

public boolean hasAllMandatoryParameters() {
 return this.embedded == null ? false: this.embedded.hasAllMandatoryParameters();
 }

@Override
 public int encode(ByteArrayOutputStream bos) throws ParameterException {
 if(this.embedded!=null){
 throw new ParameterException("No embedded message");
 }

//encode CIC and message type
 this.encodeMandatoryParameters(f_Parameters, bos);
 final byte[] embeddedBody = ((AbstractISUPMessage)this.embedded).encode();
 // 2 - for CIC
 bos.write(embeddedBody, 2, embeddedBody.length - 2);
 return bos.size();
 }

@Override
 public int decode(byte[] b, ISUPMessageFactory messageFactory,ISUPParameterFactory parameterFactory) throws ParameterException {
 int index = 0;
 //decode CIC and PAM message type.
 index += this.decodeMandatoryParameters(parameterFactory, b, index);
 byte targetMessageType = b[index];
 this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
 //create fake msg body
 byte[] fakeBody = new byte[b.length-1];
 System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
 index+=((AbstractISUPMessage)this.embedded).decode(fakeBody, messageFactory, parameterFactory)-2;
 return index;
 }



// Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
 protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected int getNumberOfMandatoryVariableLengthParameters() {
 // TODO Auto-generated method stub
 return 0;
 }

protected boolean optionalPartIsPossible() {

throw new UnsupportedOperationException();
 }

}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design! For more detail, please refer below:  

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

 

Blockchain

Not similar October revolution. Who maintain bitcoins fundamental concept?

 

Preface

Bitcoins concept: The system is peer-to-peer, and transactions take place between users directly, without an intermediary.

About status of Bitcoins today

Bitcoins change its original shape by financial investors. Perhaps there is no surprise that currencies are hard to avoid people re-engineering the structure. Sharing the and enjoys the benefits on arbitrage actions. This is the a priority ring in economic finance system. As of today, China is the pioneer to terminate the crypto currencies go to their country economic system. Perhaps China is not the 1st country to terminate the operation of crypto-currency. But their effective action avoid their assets run out of the countries (see below URL for reference). We known that Engima crypto currencies platform announced on September this year (2017). It looks that it interrupted the objective of the original definition. A so called Peer-to-Peer and Trustless Hedge Fund Platform.

Reference:

For more details of (Enigma (Catalyst)), refer to below url:

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology

Article: Cryptocurrency market cap rebounding (see below url for reference)

https://www.cryptopoint.nl/nieuws/219190_what-china-ban-cryptocurrency-market-cap-rebounding

Market Saturation causes financial sector go to another way to survivals

A former slogan of United Stated of America is that make your dream come true. Even though US government the annual expenditures are in huge volume. I believed that they keen to develop other way to managed their debt. During the Clinton years the Dow raced out ahead of the national debt, but it looks worst during 2017 (see below). Not in conspiracy talk, the possible way is find other channel to get rid of existing situation. Since US government was rejected crypto currencies in their area in past. However if the demand is on the way. It is harmless to defines regulations to governance and custodian. On the other hand it might find another way to remediation the exiting debt. At least crypto exchange need to pay for the taxes. And crypto currencies are able to centralize by American again. It is a win win situation.

Crypto platform and market status nowadays

From technical point of view instead of cyber security. The existing crypto currencies platform sounds like you visiting casino. There are many tables provides gambling entertainment to you but the only objective is the money. This is my objective in regards to the subject matter. Who maintain bitcoins fundamental concept? My last comment is that do you think this is the appropriate timing to make your money go to the market?

Reference:  Hedge funds re-engineering to crypto currency platform. For more details, please refer below:

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology

 

 

 

Blockchain

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology

11 Comments

 

Preface:

Hedge funds will often use borrowed money to amplify their returns. One aspect that has set the hedge fund industry apart is the fact that hedge funds face less regulation than mutual funds and other investment vehicles. The Enigma team wants to build an environment where traders can also become hedge fund managers.

Understanding of the Enigma (Catalyst) system Platform

 

Enigma project objective: Enigma (Catalyst) platform wants to make it easy for developers to create trading robots and cryptocurrency funds, and then allow other users to emulate their success by purchasing funds/robots through an open marketplace.

Comment: In the sense that they would like to become the pioneer centralize the bitcoin types digital currencies. It looks like a global digital current exchange headquarter. In regards to the digital currency trend, the economic position of Bitcoin & Ethereum will be equivalent to traditional currencies in future. Regarding to our observation, the solid model of finance especially currencies of US dollar looks no longer become the leader of the world. It is better to develop a new concept to consolidated all the cash flow around the world compatible with popular OS system nowadays. According to the fundamental design, Enigma is the protocol run on protocol layer. In additional a platform so called catalyst. Catalyst is an algorithmic trading library for crypto-assets written in Python.

 

(Catalyst) system Platform OS requirement – Linux, Mac OS and windows 10

Catalyst platform – You are allowed to download  the source code from Website (GitHub) setup your environment for development.

Trading Strategies – You can browse a list of strategies submitted by the community through the Enigma’s web application: open an account, learn from others and create your own!

3rd Party APIs – Quantopian, Zipline, Pandas, Numpy & Matplotlib

matplotlib is a plotting library for the Python programming language and its numerical mathematics extension NumPy.

Quantopian is an online platform for algorithm development, testing and execution.  It offers a web-based Python editor interface with tight integration with a hosted version of their open-source back-testing framework Zipline.

Zipline is a Pythonic algorithmic trading library. It is an event-driven system that supports both backtesting and live-trading.

pandas is a software library written for the Python programming language for data manipulation and analysis

NumPy is a library for the Python programming language

Discussion checkpoint 1: The project objective of Enigma is going to build an environment where traders can also become hedge fund managers.

A common criteria on programming language – banking environment

J.P. Morgan uses Python for its Athena programme, and Bank of America Merrill Lynch has built Quartz using it. Python is now wide-spread across investment banking and hedge funds.

Discussion Checkpoint 2 : We known that Enigma introduce encryption technique so called homomorphic encryption. A way to encrypt data such that it can be shared with a third party and used in computations without it ever being decrypted.

A technical limitation is that bitcoin takes an average of 10 minutes before a transaction receives a network confirmation. What the benefits of Enigma?

  • Bitcoin’s block time is 10 minutes
  • Ethereum’s block time is 15 seconds.
  •  LITECOIN – It takes an average of 2.5 minutes for this process to complete.
  • MONERO – 1/5th of the time bitcoin generates a block, which does not include any anonymity features
  • RIPPLE – The average Ripple network block is generated in as little as 3.5 seconds.

What is the benefits of faster block time from cyber security viewpoint

Empty blocks are often actually good for the network. There is always a non-zero amount of time before miners calculate their next block template. From technical point of view it avoid a duplicate transaction counterfeit by anonymous party.

Defense in depth

It looks that new technology implement on Enigma digital currency platform (Catalyst) looks perfect. So can we say this is a perfect solution? But what is the background reason lets half million worth of digital currency in unknown status? News article claimed that the incident has been caused by email scam.  For more details, please see below url for reference.

With Enigma, the attackers used their access to announce a “pre-sale” via Enigma’s site, messaging channels, and email. They provided an Ethereum “address” they controlled for investors to send money to. And that’s exactly what happened, with users handing over 1,492 Ether — around $480,000 at current prices said Business insider UK.

http://uk.businessinsider.com/hackers-steal-500000-ethereum-enigma-investors-2017-8

Enigma crypto technology (see below) found by Nazi Germany during World War II.

Alan Turing (United Kingdom) and his attempts to crack the Enigma machinecode during World War II. The decryption method so called banburismus technique (see below)

But Hacker did not going to spend too much man power to break through the crypto system. They are smart to use social engineering technique (SCAM EMAIL) to mislead the investor send the money to a counterfeit site. This technique similar break through enigma crypto system use intercept technique.

 

My imagination (assumption and proof of concept)

Banburismus was a cryptanalytic process developed by Alan Turing at Bletchley Park in England during the Second World War. A program was initiated by Bletchley Park to design much faster bombes that could decrypt the four-rotor system (Enigma) in a reasonable time. The conceptual ideal shown as below:

A deduction step used by the bombe; while the actual intermediate values after the plugboard P — the “steckered” values — are unknown, if one is guessed then it is possible to use the crib to deduce other steckered values. Here, a guess that P(A) = Y can be used to deduce that P(T) = Q because A and T are linked at the 10th position in the crib.

Above conceptual idea looks have possibilities to crack the Enigma. But this is not the true structure of Enigma (Catalyst) platform. However value and Y and Q are the significant value and apply to similar concept of architecture design to other crypto system. So this is the design weakness of the equivalent.

Apart from that (Catalyst) system Platform & 3rd party APIs are deployed on Python programming language intensively. We agreed that it is hard to avoid vulnerability found on software and hardware today. But hacker execute code can more easy execute on system platform which install python on top.

A critical vulnerability occurs on Sep 2016 in Python.The vulnerability allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow (CVE-2016-5636). As a result it leading to arbitrary code execution. If similar vulnerability happen in future, Hacker not only compromise the fund manger Enigma (catalyst) platform, it might possibilities to amplifying the attack to the Enigma exchange.

Discussion checkpoint 3:  Engima official announcement  will be held on 11th Sep 2017. Let’ s see how the status of finance market to cryptocurrency world.  For sure that we will keep track the activities see whether any details let us to start another discussion.

We hope that the  Enigma (catalyst) system will succeed in the future.

Goal and Objective

 

 

 

Blockchain

Perhaps Enigma contains iron wall, but it couldn’t defense the a simple word processing technology

3 Comments

 

Preface

Enigma crypto currency Platform told the world they are next generation of cypto currency Exchange. Banking and financial industry believes that this is a trustworthy platform. Not Kidding, enterprise invests to build and support. Apart from that MIT expertise develop and design a prefect cryptographic mechanism. A shock to the world this week said that they are fall into the victim group of cyber attack.

https://www.wired.com/story/enigma-ico-ethereum-heist/

Headline news claimed that it cause by “DUMB MISTAKE” – Slack account with administrative privileges, had previously leaked

What if! We assume that their Enigma design architecture is not vulnerable. And there is another reason let this incident occurs. Is it a insider threat caused by end user computing?

This incident under law enforcement investigation. since we do not know the root cause. But we can setup a virtual reality scenario see whether we can find out the possibility.

PDF format of file, a benefits bring to malware

  1. Hidden inside a Word document that’s hidden inside a PDF

Scenario:

Step 1: Emailed spam with a PDF attachment
Step 2: PDF has an attached document inside, which is trying to get opened by the Acrobat Reader
Step 3: Once the document is opened in MS Word, it asks you to enable editing (social engineering attack)
Step 4: Runs a VBA macro, which downloads and runs the malicious code
Step 5: Insider threat happens. Try to collect the sensitive data includes credential

2. Open source applications lure malware infection

Sounds not possible! Enterprise firm less implement software application open source concept. As a matter of fact, similar idea happened in enterprise firms including broker firm and investment banking. It is hard to image that such profit making industries concerns about software licenses. But it is a factual case.

Scenario:

A critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer.

CVE-2017-10951 –  vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location

Remark: Foxit refused to patch both the vulnerabilities because they would not work with the “safe reading mode”

3. Vulnerability in LinkedIn Messenger 

Scenario:

Even though enterprise firm will be included Linkedin into the white list. It allow their staff access without restriction. Regarding to subject matter expert vendor (Checkpoint), Linkedin message Would Have Allowed Malicious File Transfer. LinkedIn allow the following file extensions to be uploaded and attached within a message:

Documents – csv, xls, xlsx, doc, docx, ppt, pptx, pdf, txt.
Images– gif, jpeg, jpg, png.

As a result, the specific issue triggers inherent risk fall into above item 1 information security design weakness.

Current status

Let stop discussion here, there are more possibilities or ways once the attack vector happens on insider threat (end user computing). We keep our eye open see whether any new findings later on.