Category Archives: 2017

RTOS (real-time operating system) devices are under attack. Do you think this is the second round of testing?

The term IoT (Internet of Things) has become a muddled label for very different devices. What most of them have in common is that they run a small embedded operating system, an RTOS or a stripped-down Linux, on hardware that must process data with little or no buffering delay. If you have the habit of reading technology posts daily, you know that the IT security vendor Check Point has alerted the world that a new IoT botnet (IoTroop, also known as Reaper) is about to jeopardize it. The case is still under their investigation, but my personal opinion is that these attacks focus on RTOS and embedded-Linux devices: web cams, routers, smart-city facilities. I strongly believe that Microsoft is not the major target, since the RTOS device population is dominated by simplified Linux-based platforms. Keep your eyes open; you may see that the Reaper IoT attack relies on known vulnerabilities such as Shellshock and on brute-force attacks against credentials. In addition, if a vulnerability is found in the device kernel, the malicious code will rely on that too. The URL below provides the details. We depend on more and more electronic computing devices in daily life, and for a hostile country, an attack that suspends the enemy's daily operations looks more attractive than a bomb or a military threat.

https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/

Infineon chip design flaw – ECC is not affected, the flaw is only encountered in RSA key generation

Bitcoin technology looks lucky this round: the Infineon chip design flaw does not affect ECC (Elliptic Curve Cryptography), which Bitcoin uses for its signatures, and is only encountered in RSA key generation.

Vulnerability

The flaw resides in the Infineon-developed RSA Library version v1.02.013 (CVE-2017-15361, the "ROCA" weakness). A design weakness has been found in the library's RSA key generation: the primes it produces have a special mathematical structure, so the public modulus alone reveals enough to make factoring practical for commonly used key sizes, and the private key can be recovered from the public key.

This vulnerability affects any product using the affected code library "RSA Library version v1.02.013" developed by Infineon Technologies. Keys generated with smartcards or embedded devices using the Infineon library are vulnerable, as are devices certified under NIST FIPS 140-2 and Common Criteria EAL 5+.

Questions raised by this vulnerability – in regard to the so-called security regulatory standards

It is hard to believe: tough and harsh security requirements are issued by NIST (FIPS 140-2) and Common Criteria, and yet the certified products are also victims.

Do you think there is a verification and identification gap between the hardware vendor and the security authority, and that this is why such an embarrassing situation has happened today?

Known effect areas:

Government:

Component: Smartcards (manufacturers using Infineon smartcard chips and TPMs)

Businesses: 

Component: Smartcards and IoT devices (manufacturers using Infineon smartcard chips and TPMs)

Home Users:

Component: IoT (manufacturers using Infineon smartcard chips and TPMs)

Vendor announcement:

Laptops and mobile devices use Trusted Platform Module (TPM) chips that carry the affected key-generation library; Google, Microsoft, HP, Lenovo and Fujitsu are among the vendors concerned. They have stated that they have patched their respective software and firmware. Be aware that a firmware update alone does not repair keys that were generated before it: those keys must be regenerated after the update.

Reference:

Should you have interest in this topic, please refer to the URL below.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

WPA2 vulnerability found, but online banking customers need not be shocked.

WPA2 vulnerability found, but online banking customers need not be shocked. Take it easy. The WPA2 wireless encryption scheme looked secure until this specific vulnerability (the key reinstallation attack, KRACK) appeared. Security researchers found that an attacker within radio range can replay message 3 of the four-way handshake, which forces the client to reinstall the session key and reset its packet counter; the resulting nonce reuse lets the attacker decrypt frames and, depending on the implementation, inject them, which is the basis for a man-in-the-middle attack. As a result your wireless network data traffic can be hunted by the attacker, including online banking credentials, social media credentials, and so on. But think it over. The TLS (SSL) tunnel of an online banking application terminates on your mobile device, not on the access point. To read the banking traffic the attacker must first make your device trust a certificate he controls for the bank's site, otherwise he cannot see the data inside the tunnel. Suppose he has already managed that. A hardware security token (one-time password generator) still protects your login to the online banking system: the password it shows is a random single-use code, so the attacker cannot reuse it. What about the VISA 3-D Secure method? You will receive an SMS alert for your payment transactions, and you can verify them yourself. For more detail about the WPA2 vulnerability, please refer to the URL below.

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns
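To make the "reinstall the key, reset the counter" step concrete, here is an added example (not code from this post or from any Wi-Fi stack) that models a client station, replays message 3 between two frames, and shows why nonce reuse is fatal for a counter-mode cipher: the two ciphertexts share a keystream, so XOR-ing one with a frame whose plaintext is predictable recovers the other. The keystream is a toy HMAC-SHA256 counter construction standing in for AES-CCMP, the frames and the key are constructed here, and the `patched` flag models the fix of installing a given key only once.

```python
"""What a WPA2 key reinstallation (KRACK) buys the attacker: nonce reuse.

Added example, not code from the original post or from any Wi-Fi stack. The
attack replays message 3 of the four-way handshake; a vulnerable station
reinstalls the same pairwise key and resets its packet number, so the next
frame is encrypted under a (key, nonce) pair that was already used. CCMP and
GCMP are counter-mode ciphers, so two frames under the same (key, nonce)
share a keystream and XOR-ing the ciphertexts cancels it. The keystream here
is a toy HMAC-SHA256 counter construction (an assumption for the demo, not
AES-CCMP); the algebra is the same.
"""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Minimal model of the client side of the four-way handshake."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0          # packet number, used as the nonce

    def on_msg3(self, ptk: bytes) -> None:
        # A vulnerable station installs the key again on a retransmitted
        # message 3 and resets the packet number. The fix: install a key once.
        if self.patched and ptk == self.ptk:
            return
        self.ptk = ptk
        self.pn = 0

    def send(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


# constructed sample frames: one the attacker can guess, one he wants
KNOWN_FRAME = b"GET /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
SECRET_FRAME = b"user=alice&pin=4321&otp=948213\r\n"


def run_attack(patched: bool):
    """Replay msg3 between two frames; return the recovered secret, or None."""
    sta = Station(patched)
    ptk = hashlib.sha256(b"constructed PTK for the demo").digest()
    sta.on_msg3(ptk)                          # genuine message 3
    n1, c1 = sta.send(KNOWN_FRAME)
    sta.on_msg3(ptk)                          # attacker replays message 3
    n2, c2 = sta.send(SECRET_FRAME)
    if n1 != n2:
        return None                           # no nonce reuse, nothing to do
    ks = xor(c1, KNOWN_FRAME)                 # c1 XOR p1 recovers the keystream
    return xor(c2, ks)[:len(SECRET_FRAME)]


if __name__ == "__main__":
    print("vulnerable client leaks:", run_attack(patched=False))
    print("patched client leaks:", run_attack(patched=True))
```

Note that the attacker did not need the session key at all: the same trick works on any frame with predictable content, and this is exactly why the data inside a properly terminated TLS tunnel stays safe, since there the plaintext the attacker recovers is itself ciphertext.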

Do you think Kaspersky is a Scapegoat?

Preface

U.S. Orders Federal Agencies to Remove Kaspersky Software Over Security Concerns!

https://www.wsj.com/articles/u-s-orders-federal-agencies-to-remove-kaspersky-software-over-security-concerns-1505337484

Discussion topics – Do you think Kaspersky is a Scapegoat?

Headline news reported that Eugene Kaspersky was trained by the former USSR's KGB, and for that reason some predicted that his antivirus product was designed to collect private data from computers and so carry out surveillance. My personal opinion is that the defendant, Kaspersky, might not have engaged in such treasonous activities. My standpoints are shown below:

Allegation that their design mechanism works like a Russian proxy

The details below are what the US government investigation team highlighted in its incident report.

US investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

My bold hypothesis against the above speculation

We know that well-known names such as Symantec, McAfee and AVG may carry inherent risks that let hackers and criminals secretly access your PC. What are those inherent risks? Let's take a closer look and see whether you can find hints in this regard.

I. Design limitation and defense mechanism

a. Vulnerability (Design limitation)

For instance, a Google researcher found multiple vulnerabilities in Symantec anti-virus products. The flaws affected both Mac and Windows PCs and could be triggered simply by emailing a file to someone or sending them a link to a malicious website. The historical records are listed below:

May 2016 – Symantec/Norton Antivirus ASPack remote heap/pool memory corruption vulnerability, CVE-2016-2208 (see the URL below for reference)

https://bugs.chromium.org/p/project-zero/issues/detail?id=820

Jan 2017 – Google security researcher finds serious vulnerability in Kaspersky's TLS interception tool. Kaspersky's HTTPS scanning proxy cached the interception certificates it generated under a 32-bit key derived from the leaf certificate, and 32 bits is small enough for an attacker to find a certificate of his own that collides. The attack scenario from the report, with "hacker" standing in for the report's attacker:

The hacker wants to intercept mail.google.com traffic, for which the 32-bit key is 0xdeadbeef.
Step 1: The hacker sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.
Step 2: On the next connection, the hacker sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say Scapegoat.com).
Step 3: Now the hacker redirects DNS for mail.google.com to Scapegoat.com; Kaspersky starts using its cached certificate and the attacker has complete control of mail.google.com.
Step 4: Your browser shows a valid certificate for mail.google.com while it is really talking to the attacker.
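The following is an added example (not Kaspersky's code and not from the original post) that models the three steps above with a toy intercepting proxy, in the vulnerable form (a short key derived from one attacker-chosen field, hostname ignored) and in a hardened form (the full certificate fingerprint bound to the requested host). Assumptions of the model: the cache key is a truncated hash of the serial number, the "DER" is a constructed byte string rather than a real encoding, and the key width is reduced from 32 to 16 bits so the collision search finishes instantly.

```python
"""Model of the 2017 Kaspersky HTTPS-inspection certificate cache bug.

Added example; not Kaspersky's code and not code from the original post. An
intercepting proxy validates the real leaf certificate, mints its own
certificate for the same name, and caches it. The report found the cache
indexed by a 32-bit value derived from the leaf certificate, small enough for
an attacker to search for a certificate of his own whose value collides.
Assumptions in this model: the value is a truncated hash of the
attacker-chosen serial number, and the width is reduced to 16 bits.
"""
import hashlib
from dataclasses import dataclass

KEY_BITS = 16   # the real bug used 32 bits; reduced here so the demo runs fast


@dataclass(frozen=True)
class LeafCert:
    common_name: str
    serial: int
    der: bytes   # stand-in for the DER-encoded certificate (constructed)


def make_cert(common_name: str, serial: int) -> LeafCert:
    return LeafCert(common_name, serial, f"CN={common_name};serial={serial}".encode())


def weak_key(cert: LeafCert, hostname: str) -> bytes:
    """Vulnerable: short hash of one attacker-controlled field, hostname ignored."""
    return hashlib.md5(cert.serial.to_bytes(20, "big")).digest()[: KEY_BITS // 8]


def strong_key(cert: LeafCert, hostname: str) -> bytes:
    """Hardened: fingerprint of the whole certificate, bound to the requested host."""
    return hashlib.sha256(cert.der).digest() + b"|" + hostname.encode()


class InterceptingProxy:
    def __init__(self, keyfunc):
        self.keyfunc = keyfunc
        self.cache = {}   # cache key -> name on the minted interception cert

    def connect(self, hostname: str, leaf: LeafCert) -> str:
        """The browser asks for `hostname`; the upstream server presents `leaf`.
        Returns the name on the certificate the proxy shows the browser."""
        k = self.keyfunc(leaf, hostname)
        if k not in self.cache:
            # a real proxy validates `leaf` against the trust store here
            self.cache[k] = leaf.common_name   # mint interception cert for that name
        return self.cache[k]


def find_colliding_cert(target: LeafCert, attacker_cn: str) -> LeafCert:
    """Step 2 of the report: try serials until the weak key collides."""
    want = weak_key(target, target.common_name)
    serial = 1
    while True:
        cand = make_cert(attacker_cn, serial)
        if weak_key(cand, attacker_cn) == want:
            return cand
        serial += 1


def run_attack(keyfunc) -> str:
    """Replay the report's three steps; return the name the victim's browser
    sees for mail.google.com while it is really talking to the attacker."""
    proxy = InterceptingProxy(keyfunc)
    real = make_cert("mail.google.com", 0x0A1B2C3D4E5F)
    proxy.connect("mail.google.com", real)          # step 1: cache warmed with the real cert
    evil = find_colliding_cert(real, "scapegoat.example")
    proxy.connect("scapegoat.example", evil)        # step 2: colliding cert goes through
    return proxy.connect("mail.google.com", evil)   # step 3: DNS redirected to the attacker


if __name__ == "__main__":
    print("weak cache key, browser sees:", run_attack(weak_key))       # mail.google.com
    print("strong cache key, browser sees:", run_attack(strong_key))   # scapegoat.example
```

With the weak key the browser is shown a cached, valid-looking mail.google.com certificate even though the upstream certificate belongs to the attacker; with the strong key the proxy mints a certificate for the name it actually saw, the browser notices the name mismatch and refuses. For the real 32-bit key the search is about four billion hashes, well within an attacker's reach.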
b. Defense mechanism

An anti-virus engine inspects program behaviour by hooking system calls and kernel callbacks, and malware can try to evade it with a so-called kernel hook bypassing technique.

Features of such a bypass:

  • The attacker issues the system call instruction directly instead of calling the Windows API, so user-mode hooks never see the call.
  • Malicious code can be passed through the hooked functions in a form that looks benign to the analysis, and turns malicious only once it is past the security checks.

To prevent such rootkit or anti-virus bypass incidents, the anti-virus vendor must load its driver ahead of any other boot-loaded process and hook at the kernel level, so that it governs the overall activity of the system. As a result the anti-virus program, including its built-in intrusion prevention and malware detector, runs with more privilege than anything it watches. From a technical point of view it is not possible to do the job if the anti-virus itself is not hooked into the core kernel paths.

This is the major concern of many information security experts. But be reminded that this design feature is not unique to Kaspersky; other anti-virus vendors use the same mechanism.

Under the general principle of the common-law system, the benefit of the doubt goes to the defendant.

II. The company has not been loyal to Russia in its past cyber detection behaviour

a. Detection of APT activities from the Russian area

Kaspersky's own APT Trends report for Q2 2017 (its statistics chart is not reproduced here) shows no attempt by the company to hide cyber attacks originating from the Russian area. The report highlights that the second quarter of 2017 saw multiple incidents involving Russian-speaking threat actors, topped by the Sofacy and Turla groups. Should you have interest, please review the report at the URL below.

https://securelist.com/apt-trends-report-q2-2017/79332/

b. Russia arrests a top cyber security expert amid allegations of treason

There is no need for me to elaborate on this matter; for more detail please refer to the headline news posted by telegraph.co.uk below.

Russia arrests Kaspersky cyber security expert amid allegations of treason

http://www.telegraph.co.uk/news/2017/01/25/russia-arrests-top-cyber-security-expert-amid-allegations-treason/

Summary:

My observation cannot rule out a false positive (an incorrect conclusion) on this matter; however, the above items of evidence suggest that the company is a scapegoat!

Equifax data breach of 29th Jul 2017 tells the world that Apache products are more vulnerable than Microsoft web server products

Until now we believed that the Apache web server was more secure than Microsoft's IIS web server. However, the most recent security incidents told the world that Apache products are not secure any more. For instance, Apache Struts suffered a critical vulnerability in March 2017 (CVE-2017-5638): the Jakarta multipart parser copied a malformed Content-Type header into an error message that was then evaluated as an OGNL expression, giving unauthenticated remote code execution. As of today there are at least four Struts vulnerabilities this year (CVE-2017-5638, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791) that jeopardize enterprise firms. It looks as if the slogan "Apache products are more secure than Microsoft web products" is not valid any more. Remark: when I was young, a black pig stamp told kindergarten students how they had performed. We now know both brand names are receiving the black pig stamp.
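Because the S2-045 payload travels in a single header, it can be screened at the edge without touching the application. The script below is an added example (not Apache Struts code and not from this post): it reimplements, in Python, the logic of the servlet-filter workaround the Struts project published for CVE-2017-5638 (reject suspicious Content-Type values) and adds a stricter grammar whitelist, then runs it over a handful of constructed header values. The sample headers, including the OGNL fragment, are constructed for the demo and are not captured traffic.

```python
"""Screening the Content-Type header for Struts S2-045 (CVE-2017-5638) payloads.

Added example, not Apache Struts code and not code from the original post.
The bug: the Jakarta multipart parser put an invalid Content-Type value into an
error message that was then evaluated as an OGNL expression, so a header such
as  Content-Type: %{...}  ran attacker code. The project's workaround was a
servlet filter rejecting suspicious values; this is equivalent logic in
Python, plus a whitelist based on the media-type grammar.
"""
import re

# Markers that have no place in a legitimate media type: OGNL expression syntax
# and the classes public exploits reach for.
OGNL_MARKERS = re.compile(
    r"[%$]\{|#_memberAccess|ognl\.OgnlContext|@java\.lang\.|getRuntime\(",
    re.IGNORECASE,
)

# type "/" subtype *( ";" name "=" (token | quoted-string) ), with the token
# alphabet deliberately narrower than RFC 7230 (no %, $, { or ').
_TOKEN = r"[A-Za-z0-9!#&*+.^_|~-]+"
_VALID_MEDIA_TYPE = re.compile(
    rf'^{_TOKEN}/{_TOKEN}(\s*;\s*{_TOKEN}=(?:"[^"]*"|{_TOKEN}))*\s*$'
)


def check_content_type(value: str):
    """Return ("allow", "") or ("block", reason) for one Content-Type value."""
    m = OGNL_MARKERS.search(value)
    if m:
        return "block", f"OGNL marker {m.group(0)!r}"
    if not _VALID_MEDIA_TYPE.match(value.strip()):
        return "block", "does not parse as a media type"
    return "allow", ""


# constructed sample headers, not captured traffic
SAMPLE_HEADERS = [
    "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW",
    "application/json",
    "text/plain; charset=utf-8",
    "%{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}",
    "application/x-www-form-urlencoded; charset=${1+1}",
    'multipart/form-data; boundary="a b"',
]


def screen(headers):
    """Map each header value to its verdict, the way a filter would log it."""
    return {h: check_content_type(h)[0] for h in headers}


if __name__ == "__main__":
    for header, verdict in screen(SAMPLE_HEADERS).items():
        print(f"{verdict:5s}  {header[:60]}")
```

Filtering buys time; it is not a substitute for upgrading Struts, since the OGNL evaluation path exists regardless of what the filter lets through.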

What will be the impact?

For more details, please see below url for references:

4-traders.com (APACHE-CORPORATION)

http://www.4-traders.com/APACHE-CORPORATION-11664/news-twitter/Apache-Struts-2-Puts-1000s-of-Web-Apps-at-Risk-839983316954697728/

It looks bad: Cisco is also a victim in this case, since several Cisco products bundle Struts 2. For more details, please see the URL below.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Cisco announced that no workarounds were available at the moment. However, if your IT campus runs Snort IDS, new Snort signatures will help fight the attack. It looks as if cyber attacks are one of the business development channels!

Responsibility and reality

About the Equifax data breach (discovered on 29th Jul 2017): the CIO and CSO are retiring. The flaw points to poor software patch management at the company. The investigation team highlighted two major problems: the company was using open source software, and it did not apply the patch for the Apache Struts product promptly. But think it over: the server side contained client credit card information. It looks as if no one is discussing the PCI QSA security assessment report. To be honest, if that classification of data falls under the PCI security requirements, a question you might raise is: what is the responsibility of the payment card industry authority in this incident?

How seriously are the Democrats concerned about this matter? See the URL below for reference:

https://www.govinfosecurity.com/blogs/top-democrat-likens-equifax-to-enron-as-ftc-launches-probe-p-2547?rf=2017-09-18_ENEWS_SUB_GIS_Slot1&mkt_tok=eyJpIjoiT0RsbE1HVTNPRGN4TVdWaSIsInQiOiJmKzliT2dYRVpPd3ppSUVBWkpxRmM0TUZrNWpDQ0NSUjE1XC90UnNwU0RGMmMwOWRUc084SENEcG5VdFBUdjVjR0tQR2g4XC96ejQyMjlJTHYxR3haaG9QK2ZBTFZvbThkbHJvT1JWdTJVYlpMSE1jUWplOHBXanFhUEhcL3c1QkdDdiJ9

PCI regulations highlights (merchant levels by annual transaction volume):

20,000 to 1 million – Level 3:
  • quarterly network scan by an Approved Scanning Vendor (ASV)
  • annual Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)

1 to 6 million – Level 2:
  • quarterly network scan by an Approved Scanning Vendor (ASV)
  • annual Self-Assessment Questionnaire (SAQ)
  • Attestation of Compliance (AOC)

6 million plus – Level 1:
  • quarterly network scan by an Approved Scanning Vendor (ASV)
  • annual Report on Compliance (ROC) by a Qualified Security Assessor (QSA)
  • Attestation of Compliance (AOC)

Deloitte hit by cyber-attack. Do you think CVE-2016-7255 is the culprit?

Do you think CVE-2016-7255 is the culprit? The enterprise audit firm Deloitte has been hit by a cyber attack that caused an information leak. CVE-2016-7255 is an elevation-of-privilege vulnerability in the Windows kernel-mode driver (win32k.sys) affecting both 32- and 64-bit versions of Windows server and workstation OS before the November 2016 patch (MS16-135): an attacker who already runs code on the machine can use it to gain kernel privileges. If this is the root cause, how was a customer supposed to defend itself until Microsoft issued the patch, when even the security vendors' IDS signatures did not yet cover the pattern? As a result, there will be more victims afterwards. For more details on the Deloitte cyber security incident, please see the URL below:

https://www.theguardian.com/business/2017/sep/25/deloitte-hit-by-cyber-attack-revealing-clients-secret-emails