Category Archives: 2018

Whether it is the last round of remediation on CVE-2022-26373? Intel’s Enhanced Indirect Branch Restricted Speculation (eIBRS) – 6th Feb 2023

Preface: CVE-2022-26373 technical detail has released to public on 9th Aug 2022. Till end of Jan, 2023 it still has update on this vulnerability. For example, Red Hat fixed this vulnerability in their product Enterprise Linux 7 on 3rd Nov 2022. Since then it conducting the remediation to their product line. Perhaps the remediation on 24th Jan 2023 to Red Hat Virtualisation 4 for Red Hat Enterprise Linux 8 is the final round.
Looks like this is a CPU vendor specific bug. As a result, some vendors have stated that their products are not affected by this vulnerability. Whether it a absolute answer? All will depends on the use of CPU processor brand.

Background: From technical point of view, Indirect Branch Restricted Speculation (IBRS) is an indirect branch control mechanism that restricts speculation of indirect branches. See below for technical details.
CPUID.(EAX=7H,ECX=0): If EDX[26] is 1, it means support IBRS and IBPB,
OS can write IA32_SPEC_CTRL0 and IA32_PRED_CMD0 to control the behavior of indirect branch predictor.
IBRS finally failed to enter the kernel due to function problems, however when when the vm is switched. It can get into kernel. This weakness found in 2018 earlier stage.

Vulnerability details: A flaw was found in hw. In certain processors with Intel’s Enhanced Indirect Branch Restricted Speculation (eIBRS) capabilities, soon after VM exit or IBPB command event, the linear address following the most recent near CALL instruction prior to a VM exit may be used as the Return Stack Buffer (RSB) prediction.
Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow an authorized user to potentially enable information disclosure via local access.

Official announcement – For details, see URL –

Celebration 2019! Coming Soon! But…? The most serious data breach in 2018… So far, do you know where they are?

Preface: The internet contains at least 4.5 billion websites that have been indexed by search engines. But may be more data not shown there?

Technical background – Dark Web Synopsis:
What is dark web? It is the part of the World Wide Web that is only accessible by means of special software, allowing users and website operators to remain anonymous or untraceable.The dark web is a huge marketplace for stolen data and personal information.

Attack surface:

So far, social media companies have often experienced data breaches. However, the healthcare industry is the priority attack target.

Data theft action:Once the company has been hacked. the situation will be as follow

  1. the data will be posted to dark web immediately
  2. if company management not intend to pay for ransom. they will sell the data in dark market.

Expert findings:
Please refer below url for reference:

Facebook 6.8 million users’ private photos leaked – Suspected it was happened in developers environment.

Facebook looks bad luck this year. It is better to invite Chinese Feng Shui master provides suggestion. Yes, it is kidding.

Perhaps Facebook intend to improve their image. It immediately let’s public know what is happening in the moment. It is talking about 6.8 million users’ private photos leakage. But suspected that the loophole was happened in developers environment.
My comment is that may be vulnerability happens in call to action function. A design limitation keep the CTA access token. And therefore it provides unauthorize access.

Headline News:

About recent data breaches – Every CEO might say cyber security.

Data leakage accident as of December 2018. It provides a message to the world. Even though you installed antivirus, malware detector and Firewall. The hacker still have ways to evade. In a nutshell, technology world is fighting with evils. But it make the senior management team especially CEO headache. So who can help?

CA insider Threat Report findings:

A majority of 53% confirmed insider attacks against their organization in the previous 12 months (typically less than five attacks). Twenty-seven percent of organizations say insider attacks have become more frequent.

US Homeland security recommendations:

  1. Elevate cybersecurity risk management discussions to the company CEO and the leadership team.
  2. Implement industry standards and best practices rather than relying solely on compliance standards or certifications.
  3. Evaluate and manage organization-specific cybersecurity risks.
  4. Ensure cybersecurity risk metrics are meaningful and measurable.
  5. Develop and exercise cybersecurity plans and procedures for incident response, business continuity, and disaster recovery.
  6. Retain a quality workforce.
  7. Maintain situational awareness of cybersecurity threats.

Mr.CEO, what do you think?

Credit reporting agency TransUnion – personal data security flaw (Nov 2018)

Transunion offers total credit protection all in one place from credit score, credit report and credit alert. On June 25, 2015, TransUnion became a publicly traded company for the first time, trading under the symbol TRU.

Who is CreditGo?
CreditGo provides free access to credit circular reports and credit scores for Hong Kong residents. Meanwhile the credit information provided by CreditGo comes from TransUnion.

Data privacy leakage incident:
The Hong Kong arm of American consumer credit reporting agency TransUnion was forced to suspend its online services on Thursday after a local newspaper was easily able to access the personal data of the city’s leader and finance minister.

What is the reason?
Incorrect program logic from online web application cause database leak.

Suspend online services.

Refer to attached diagram, it is hard to avoid your data personal privacy leakage since when bank or financial institute check the information of a person. It is because a duplicate copy will be generate.
Business world and our daily life is insane now!

Headline news:

Apache Releases Security Update for Apache Tomcat JK Connectors – 31st Oct 2018

A reverse proxy is not totally transparent to the application on the backend. When the application on the backend returns content including self-referential URLs using its own backend address and port, the client will usually not be able to use these URLs.
Deploy Apache Tomcat Connector (mod_jk) can easy to solve these technical problem. It supports the load balancing of HTTP calls to a set of Servlet containers, while maintaining sticky sessions and communicating over AJP.
Regarding to vulnerability detail of CVE-2018-11759, it shown that Apache Tomcat JK (mod_jk) Connector design flaw contains path traversal vulnerability.
My speculation is that such vulnerability will be effected SME firm web application server. If the vulnerability occurs, it provides a way let’s attacker trace the target destination especially the location services account file.

For more details, please refer below url for reference.



Off-color humor – Cathay Pacific hack (9.4 million airline passengers data stolen by data thief)

Asia world seems feel shot of the Cathay Pacific Airline cyber security incident. To be honest, it is hard to avoid computer vulnerabilities occurs in business circumstances today. Why? It is a demanding environment includes comprehensive competition. Business man try a way to find out the cost efficiency solution. Meanwhile, it unintended to push a indirect task force to the technology domain. What is it? A short system and software design development cycle. Perhaps the developers cannot stop laughing when they read the text book mention about Maturity Models for Information Systems.
People did not have awareness of personal data privacy last decade. May be the junk email and phone call awake their awareness.
In my personal point of view, data privacy is more important of the rich people especially celebrity and politicians. Oh! yes, they are the frequent travelers.
Attached diagram is my imagination regarding to this incident. Yes, this is only my speculation since nobody know what is happened last few months, right?

Related information:

Cathay Pacific hack: Personal data of up to 9.4 million airline passengers stolen.

From public safety point of view, if a enterprise firm found 9.4 million personal records steal by hacker. Since the firm postpone the announcement schedule. From technical point of view. the law enforcement must require to interview with the firm top management to understand the root cause.

Regarding to my observation, the cyber security incident roadmap in airline industry looks special. Nippon found TLS could allow attacker man-in-the-middle attack on Jun. Thereafter British Airways announce that total 380,000 customers’ bank details stolen by hacker. However both 2 items of cyber security incident announce to public in acceptable manner.

From technical point of view, it was not possible leak such big amount of data from TLS vulnerability and mobile apps programming bug. It shown that such vulnerability most likely given by SQL injection attack. This is so called SQL injection vulnerabilities dumping the DB.

For more details of above cyber security incident records, please refer below url for reference.

Cathay Pacific hack –

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

British Airway announcement – 7th Sep 2018 (380,000 customers’ bank details stolen from website)

25th Oct 2018 – BA status update

Jun 2018 – ALL NIPPON Airways Security Advisories

Jun 2018 – ALL NIPPON Airways Security Advisories


Could ring 2 have the same momentum as a IoT backdoor?


In x86 protected mode, the CPU is always in one of 4 rings. The Linux kernel only uses 0 and 3:

  • 0 for kernel
  • 3 for users

Hidden janitor living in your computer

SMM is triggered through a System Management Interrupt (SMI), a signal sent from the chipset to the CPU. During platform initialization, the firmware configures the chipset to cause a System Management Interrupt for various events that the firmware developer would like the firmware to be made aware of.

Whether you remember the Intel chipsets for some years have included a Management Engine?

On May 2017, an official announcement by Intel, design found a design limitation on their product. The problem is that Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability encountered vulnerability (escalation of Privilege). Reference url shown as below:

If we are not talking about conspiracy, it looks that backdoor appear in the chipset not a rumour. It is a true statement.

Why Ring 2 isn’t used?

Rings 1 and 2 is for the OS to put device drivers at that level, so they are privileged, but somewhat separated from the rest of the kernel code.

An exploitation on Ring 2

We strongly believe that the person who familiar of code for the UEFI kernel and SMM half kernel is the CPU manufacturer. Both components are run on Ring 2. Above mentioned Intel design flaw run in Ring -2 OS (UEFI). UEFI can run in 32-bit or 64-bit mode and has more addressable address space than BIOS, which means your boot process is faster. Unified Extensible Firmware Interface (UEFI) is a specification for a software program that connects a computer’s firmware to its operating system (OS). UEFI is expected to eventually replace BIOS. Like BIOS, UEFI is installed at the time of manufacturing and is the first program that runs when a computer is turned on. Dual boot computer with Windows and Linux conducted by UEFI firmware. But UEFI firmware has become a target for hackers.

Refer to above diagram, we notice that the condition of Ring 2 will be depends on operation mode. So, if virtualization assist by hardware will let Ring 2 and Ring 3 work together. As a result, an attacker with write access to flash can inject malware into the firmware.

Remark: Malware injected into the firmware flash regions is persistent and will run on every subsequent boot.

SPI Flash Exploit – Malicious DXE drivers can disable security settings and install malicious code into the OS.


Refer to above information. When a computer was installed and switched on, the microchip altered the operating system’s core so it could accept modifications. The chip could also contact computers controlled by the attackers in search of further instructions and code.

But who is the culprit, no further indicator proof. Perhaps it can shift the blame onto someone else. If you do not mind to read the articles announced by Bloomberg once more. Please refer below:

2nd Oct 2018 – Homeland security alert (Retail payment system security advisory)

US Homeland security urge banking industry especially payment gateway services provider staying alert of new round of malicious cyber attack of their system. Similar of cyber attack was happened in Taiwan. The heist draw the cash equal to $2.6m (£2.1m). Homeland security reveal how the technique let ATM machine like human vomiting. But this is the bank note. You and me like it.

The key item of this attack is prioritize to compromise the switching application server.  Then malicious applications generate a counterfeit response message using GenerateResponseTransaction1() or GenerateResponseTransaction2() function to response to the acquire with a counterfeit response message and drops the request before the payment switch application processes the message. As a result it fool the issuer with no knowledge of the transaction. Should you have interest of above details, please refer to below URL: