Category Archives: cyber security incident news highlight

About recent data breaches – Every CEO might say cyber security.

Data leakage accident as of December 2018. It provides a message to the world. Even though you installed antivirus, malware detector and Firewall. The hacker still have ways to evade. In a nutshell, technology world is fighting with evils. But it make the senior management team especially CEO headache. So who can help?

CA insider Threat Report findings:

A majority of 53% confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

US Homeland security recommendations:

  1. Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
  2. Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
  3. Evaluate and manage organization-specific cybersecurity risks.
  4. Ensure cybersecurity risk metrics are meaningful and measurable.
  5. Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
  6. Retain a quality workforce.
  7. Maintain situational awareness of cybersecurity threats.

Mr.CEO, what do you think?

Reflective thinking on Marriott data beaches – Dec 2018

Preface: Why we are concerning personal data privacy. Or major concern is we scare someone misuse your credit card for online shopping?

About cyber security:
Cybersecurity is the practice of protecting systems, networks, and programs from digital attacks – Quote Cisco definition.

Crime in the Hotel & Lodging Industry:
In the comments of security experts, they believe that since 2014, advanced cyber attacks or criminal network activities (POS malware or credit card fraud). The hotel industry will be the main goal. Kaspersky says the attackers have been active in hotel industry, they conducting surgical strikes against targeted guests at other luxury hotels in Asia as well as infecting victims via spear-phishing attacks and P2P networks. In additional, we cannot ignore threat actors exploit NSA-Level Infection Mechanism.

About GDPR:

In this incident, this reflects the effectiveness of GDPR regulations. For instance does it intend to execute the investigation?
Headline news – https://www.campaignlive.co.uk/article/marriott-potentially-exposed-first-big-gdpr-fine-starwood-data-breach/1520070

Any comment for you in this regard?

Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Preface:
Transunion offers total credit protection all in one place from credit score, credit report and credit alert. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit circular reports and credit scores for Hong Kong residents. Meanwhile the credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic from online web application cause database leak.

Remedy:
Suspend online services.

Comments:
Refer to attached diagram, it is hard to avoid your data personal privacy leakage since when bank or financial institute check the information of a person. It is because a duplicate copy will be generate.
Business world and our daily life is insane now!

Headline news:

https://www.scmp.com/news/hong-kong/hong-kong-economy/article/2175654/credit-agency-transunion-suspends-online-services

Apache Releases Security Update for Apache Tomcat JK Connectors – 31st Oct 2018

A reverse proxy is not totally transparent to the application on the backend. When the application on the backend returns content including self-referential URLs using its own backend address and port, the client will usually not be able to use these URLs.
Deploy Apache Tomcat Connector (mod_jk) can easy to solve these technical problem. It supports the load balancing of HTTP calls to a set of Servlet containers, while maintaining sticky sessions and communicating over AJP.
Regarding to vulnerability detail of CVE-2018-11759, it shown that Apache Tomcat JK (mod_jk) Connector design flaw contains path traversal vulnerability.
My speculation is that such vulnerability will be effected SME firm web application server. If the vulnerability occurs, it provides a way let’s attacker trace the target destination especially the location services account file.

For more details, please refer below url for reference.

http://mail-archives.us.apache.org/mod_mbox/www-announce/201810.mbox/%3C16a616e5-5245-f26a-a5a4-2752b2826703@apache.org%3E

 

 

Off-color humor – Cathay Pacific hack (9.4 million airline passengers data stolen by data thief)

Asia world seems feel shot of the Cathay Pacific Airline cyber security incident. To be honest, it is hard to avoid computer vulnerabilities occurs in business circumstances today. Why? It is a demanding environment includes comprehensive competition. Business man try a way to find out the cost efficiency solution. Meanwhile, it unintended to push a indirect task force to the technology domain. What is it? A short system and software design development cycle. Perhaps the developers cannot stop laughing when they read the text book mention about Maturity Models for Information Systems.
People did not have awareness of personal data privacy last decade. May be the junk email and phone call awake their awareness.
In my personal point of view, data privacy is more important of the rich people especially celebrity and politicians. Oh! yes, they are the frequent travelers.
Attached diagram is my imagination regarding to this incident. Yes, this is only my speculation since nobody know what is happened last few months, right?

Related information:

http://www.antihackingonline.com/cyber-security-incident-news-highlight/cathay-pacific-hack-personal-data-of-up-to-9-4-million-airline-passengers-stolen/

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From public safety point of view, if a enterprise firm found 9.4 million personal records steal by hacker. Since the firm postpone the announcement schedule. From technical point of view. the law enforcement must require to interview with the firm top management to understand the root cause.

Regarding to my observation, the cyber security incident roadmap in airline industry looks special. Nippon found TLS could allow attacker man-in-the-middle attack on Jun. Thereafter British Airways announce that total 380,000 customers’ bank details stolen by hacker. However both 2 items of cyber security incident announce to public in acceptable manner.

From technical point of view, it was not possible leak such big amount of data from TLS vulnerability and mobile apps programming bug. It shown that such vulnerability most likely given by SQL injection attack. This is so called SQL injection vulnerabilities dumping the DB.

For more details of above cyber security incident records, please refer below url for reference.

Cathay Pacific hack – https://www.scmp.com/news/hong-kong/law-and-crime/article/2170107/hong-kong-privacy-chief-slams-cathay-pacific-taking

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

25th Oct 2018 – BA status update

http://mediacentre.britishairways.com/pressrelease/details/86/2018-247/10234

Jun 2018 – ALL NIPPON Airways Security Advisories

Jun 2018 – ALL NIPPON Airways Security Advisories

 

Could ring 2 have the same momentum as a IoT backdoor?

Preface:

In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.

Additional:

Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland security urge banking industry especially payment gateway services provider staying alert of new round of malicious cyber attack of their system. Similar of cyber attack was happened in Taiwan. The heist draw the cash equal to $2.6m (£2.1m). Homeland security reveal how the technique let ATM machine like human vomiting. But this is the bank note. You and me like it.

The key item of this attack is prioritize to compromise the switching application server.  Then malicious applications generate a counterfeit response message using GenerateResponseTransaction1() or GenerateResponseTransaction2() function to response to the acquire with a counterfeit response message and drops the request before the payment switch application processes the message. As a result it fool the issuer with no knowledge of the transaction. Should you have interest of above details, please refer to below URL:

https://www.us-cert.gov/ncas/alerts/TA18-275A

An attack on media platform causes exposed nearly 50 million user informations – Sep 2018

In 80’s our daily life without any electronic type social media involves. But we understood that we are avoid to talk to the stranger. As time goes by, internet social media fine tune our mind. As a result we make friend and relies on this communication platform.

Since this is a popular open platform. It is hard to avoid scam activities. As a result, the risk factor will growth in such circumstances. Even though you have security awareness . But who can garantee the threat actor only focus to attack the indiviual instead of the social media vendor.

Back in October 2016, the memcached developers fixed three remote code execution vulnerabilities (CVE-2016-8704, CVE-2016-8705 and CVE-2016-8706). The flaws affected memcached’s binary protocol for storing and retrieving data and one of them was in the Simple Authentication and Security Layer (SASL) implementation.

Remark: CVE-2016-8704 – An integer overflow in the process_bin_append_prepend function in Memcached, which is responsible for processing multiple commands of Memcached binary protocol, can be abused to cause heap overflow and lead to remote code execution.

Do you think the data breaches announced by Facebook yesterday whether it happen earlier last year but nobody know?

Related news – https://www.forbes.com/sites/thomasbrewster/2018/09/29/how-facebook-was-hacked-and-why-its-a-disaster-for-internet-security/#74855f792033

Hypothesis – About the cyber attack on Port of Barcelona (Sep 2018)

We heard that the Port of Barcelona suffers an attack of hackers last week (20th Sep 2018). The logistics and transportation industry lure hackers’ interest because they can extort ransom.

There is no official or incident details announcement till today. The following details merely my personal imagination of this incident. Any resemblance to actual events or persons is entirely coincidental.

We noticed that Portic Barcelona uses WebLogic for Private PaaS in 2014. The solution aim to enhance the performance and facilitates interaction between its members through its information services to logistics agents and other customers.

What if below vulnerability occurs, do you think the scenario whether will have similarity to the incident.

ORACLE WEBLOGIC SERVER JAVA DESERIALIZATION REMOTE CODE EXECUTION VULNERABILITY (CVE-2018-2628) BYPASS

Headline News article for reference.

https://www.portseurope.com/barcelona-port-suffers-a-cyber-attack/