Category Archives: cyber security incident news highlight

UK-based Metro Bank has suffered an SS7 attack – Jan 2019

Preface: The phrase “old wine in new bottles” applies here. The cyber security world sees the same thing all the time!

About SS7 design weakness:

Business impact: A U.K. bank says no customers lost money after cyber attackers attempted account takeovers by rerouting one-time passcodes, Motherboard reports. The National Cyber Security Centre (NCSC) has also confirmed the incident.
Such attacks involve tampering with Signaling System #7 (SS7), the protocol used to route mobile phone calls worldwide.

Security advice: A one-time passcode may be sent over SMS, but the safer way is to use an authenticator app,
such as Authy, Cisco’s Duo or Google Authenticator, to generate the code on the device itself, so that no passcode travels over the mobile network where it could be rerouted.

Reference: https://motherboard.vice.com/en_us/article/mbzvxv/criminals-hackers-ss7-uk-banks-metro-bank

Marvell Avastar wireless SoCs have multiple vulnerabilities – 5th Feb 2019

Preface: The Marvell 88W8897A SoC (System on a Chip) is the industry’s first 802.11ac chip to combine Bluetooth 4.2, mobile MIMO (Multi-input Multi-output), transmit beamforming, and built-in support for all screen projection technologies.

Technology Background:
Computer design places a primary focus on memory usage, and SoC (System on a Chip) design is no exception.

Vulnerability found: During Wi-Fi network scans, an overflow condition can be triggered, overwriting certain block pool data structures.

Exploitation of vulnerability: An attacker can exploit the ThreadX block pool overflow to intercept network traffic or achieve code execution on the host system.

Remedy: Marvell encourages customers to contact their Marvell representative for additional support.

Remark: This vulnerability made headline news in mid-January 2019. However, we could not find any positive response announced by the vendor.

CISA Releases Blog on Emergency Directive: January 24, 2019

Preface: Cyber security experts warn that a global DNS hijacking campaign is underway. However, it is not certain who the attacker (the cyber attack group) is, FireEye said on January 9, 2019.

Background information:
This cybersecurity incident caught the attention of the Cybersecurity and Infrastructure Security Agency (CISA), which released its first emergency directive on January 22, 2019. It urges the world to understand the current situation (a global DNS hijacking campaign) and, at the same time, released mitigation guidance for DNS systems.
For more details, please see: https://cyber.dhs.gov/blog/#why-cisa-issued-our-first-emergency-directive

My observation:
While DNS software is designed to fulfil one specific role, applications like BIND are incredibly flexible and can be used as hybrid solutions. However, plenty of high-severity vulnerabilities have been found in BIND. Please refer to the following URL for reference:

http://www.antihackingonline.com/potential-risk-of-cve/bind-9-flaw-krb5-subdomain-and-ms-subdomain-update-policy-rules-ineffective/

By the way, your in-house SIEM system can help in the fight against cyber crime.

Is this a careless mistake? BlackRock Exposes Confidential Data on Thousands of Advisers on iShares Site!

Preface: Excel spreadsheets are used all the time in high-risk financial data analysis, and sometimes they are a silent way for data to get out.

BlackRock data leakage synopsis:

Bloomberg found three spreadsheets containing confidential information from BlackRock’s iShares ETF business, including thousands of financial advisers who were given ratings based on how much business they bring to BlackRock. For more details, please refer to the URL below:
https://www.bloomberg.com/news/articles/2019-01-19/blackrock-exposes-data-on-thousands-of-advisers-on-ishares-site

Is it a careless mistake?
It is hard to tell. From a technical point of view, BlackRock should easily be able to figure out the problem through its spreadsheet management system.

Prediction:
If no related suspicious activity is found in the spreadsheet management system or the security information and event management (SIEM) system, what is the next step? Dark web research may turn up some hints. If the final conclusion is user negligence, then, in a nutshell, that negligence reveals a design weakness in the awareness training program.

Celebration 2019! Coming Soon! But…? The most serious data breach in 2018… So far, do you know where they are?

Preface: The internet contains at least 4.5 billion websites that have been indexed by search engines. But is there perhaps more data not shown there?

Technical background – Dark Web Synopsis:
What is the dark web? It is the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable. The dark web is a huge marketplace for stolen data and personal information.

Attack surface:

So far, social media companies have frequently suffered data breaches. However, the healthcare industry is the priority attack target.

Data theft action: Once a company has been hacked, the situation will be as follows:

  1. The data will be posted to the dark web immediately.
  2. If company management does not intend to pay the ransom, the attackers will sell the data on the dark market.

Expert findings:
Please refer to the URL below for reference: https://www.network-box.com/front_newsletter

Facebook 6.8 million users’ private photos leaked – suspected to have happened in the developer environment.

Facebook seems to have bad luck this year. It might be better to invite a Chinese Feng Shui master to give suggestions. Yes, just kidding.

Perhaps Facebook intends to improve its image: it immediately let the public know what was happening at the moment. It is talking about the leakage of 6.8 million users’ private photos, but it is suspected that the loophole was in the developer environment.
My comment is that the vulnerability may lie in the call-to-action function: a design limitation kept the CTA access token, and therefore it provided unauthorized access.

Headline News: https://www.theverge.com/2018/12/14/18140771/facebook-photo-exposure-leak-bug-millions-users-disclosed

About recent data breaches – Every CEO might say cyber security.

The data leakage incidents as of December 2018 send a message to the world: even though you have installed antivirus, a malware detector and a firewall, the hacker still has ways to evade them. In a nutshell, the technology world is fighting evil, but it gives the senior management team, especially the CEO, a headache. So who can help?

CA Insider Threat Report findings:

A majority (53%) of organizations confirmed insider attacks against their organization in the previous 12 months (typically fewer than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

US Homeland Security recommendations:

  1. Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
  2. Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
  3. Evaluate and manage organization-specific cybersecurity risks.
  4. Ensure cybersecurity risk metrics are meaningful and measurable.
  5. Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
  6. Retain a quality workforce.
  7. Maintain situational awareness of cybersecurity threats.

Mr.CEO, what do you think?

Reflective thinking on Marriott data breaches – Dec 2018

Preface: Why are we concerned about personal data privacy? Or is our major concern that we are scared someone will misuse our credit card for online shopping?

About cyber security:
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks – quoting Cisco’s definition.

Crime in the Hotel & Lodging Industry:
Security experts believe that since 2014 the hotel industry has been a main target of advanced cyber attacks and criminal network activities (POS malware or credit card fraud). Kaspersky says the attackers have been active in the hotel industry, conducting surgical strikes against targeted guests at luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks. In addition, we cannot ignore threat actors exploiting NSA-level infection mechanisms.

About GDPR:

This incident will reflect the effectiveness of the GDPR regulations. For instance, does the regulator intend to carry out an investigation?
Headline news – https://www.campaignlive.co.uk/article/marriott-potentially-exposed-first-big-gdpr-fine-starwood-data-breach/1520070

Any comments from you in this regard?

Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Preface:
TransUnion offers total credit protection all in one place: credit score, credit report and credit alerts. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit reports and credit scores for Hong Kong residents. The credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic in the online web application caused the database leak.

Remedy:
Suspend online services.

Comments:
Referring to the attached diagram, it is hard to avoid personal data privacy leakage, since whenever a bank or financial institution checks a person’s information, a duplicate copy is generated.
The business world and our daily life are insane now!

Headline news:

https://www.scmp.com/news/hong-kong/hong-kong-economy/article/2175654/credit-agency-transunion-suspends-online-services

Apache Releases Security Update for Apache Tomcat JK Connectors – 31st Oct 2018

A reverse proxy is not totally transparent to the application on the backend. When the application on the backend returns content including self-referential URLs using its own backend address and port, the client will usually not be able to use these URLs.
Deploying the Apache Tomcat Connector (mod_jk) can easily solve this technical problem. It supports load balancing of HTTP calls to a set of servlet containers, while maintaining sticky sessions and communicating over AJP.
Regarding the vulnerability details of CVE-2018-11759, the Apache Tomcat JK (mod_jk) Connector has a design flaw that results in a path traversal vulnerability.
My speculation is that this vulnerability will affect SME firms’ web application servers. If the vulnerability is exploited, it provides a way for the attacker to trace the target destination, especially the location of the service account file.

For more details, please refer to the URL below.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201810.mbox/%3C16a616e5-5245-f26a-a5a4-2752b2826703@apache.org%3E