Category Archives: 2018

Staying alert to CSRF and XSS vulnerabilities

Some vulnerabilities tend to be ignored. Why? Take cross-site scripting, which can occur on the client or the server side. If a web application has a cross-site scripting (XSS) vulnerability, it is not possible to prevent CSRF (cross-site request forgery), because the XSS allows the attacker to grab the token and include it with a forged request. However, XSS and CSRF are rated only as medium-risk vulnerabilities in app scan definitions. As a result, they fail to draw software developers’ attention. OnePlus confirmed a credit card breach that impacted up to 40,000 customers. A security expert found that OnePlus is using the Magento eCommerce platform. Magento found XSS and CSRF vulnerabilities last year, in May 2017. The patch was released in Sep 2017. Do you think XSS and CSRF are the culprits of this credit card data breach incident? For a status update on the OnePlus credit card data breach incident, please refer to the URL below.

OnePlus Confirms Credit Card Breach Impacted Up to 40,000 Customers

Remark: Magento is an open source platform that provides merchants with control over their online stores and a shopping cart system, as well as tools to improve the visibility and management of the shop.

CPU vulnerability remediation status update – especially Spectre

Intel has a quartet of lawsuits vying for the attention of its lawyers. I heard that AMD might have lawsuits too. However, installing the so-called remediation CPU patch seems to have surprised Windows OS users. I am using Windows 7 instead of Windows 10. I just ran Windows Update this morning. From what I have seen, the CPU vulnerability is still valid on my PC. Collecting the cache-miss versus missed-branch data that Spectre relies on is still possible on my PC (see attached screenshot for reference). As far as I know, the Spectre vulnerability is not easy to mitigate. Are you aware of your IT appliances (WAN accelerator, IDS, firewall, malware detector and SIEM system)? Those devices have not had an updated CPU unit installed. It looks like there will be more difficulties in mitigating the CPU design flaw. Frankly speaking, do you want to know how hackers exploit this flaw for their benefit? Time will tell.

For more details about "AMD Gets Hit With Two Class Action Lawsuits For Spectre Vulnerabilities, Intel Hit With Four For Meltdown & Spectre", please refer to the URL below.

https://wccftech.com/amd-class-action-law-suits-for-spectre-vulnerabilities-intel-four-meltdown/

 

The hunt for Red October – Nautilus and Neuron by Turla Group

The ncsc.gov.uk advisory urges UK citizens and business enterprises to stay alert for Turla group malware. A similar alert was announced 2 months ago. According to the alert subject provided by NCSC, the malware has already changed its shape. But the attack target remains unchanged: the malware targets Microsoft products, especially Exchange mail server and IIS web server. Perhaps this incident bears similarities to an APT attack. As I said, I can’t predict who the perpetrator is. Let me echo my observation, which I posted 2 months ago. The most famous tool (rootkit), “snake”, was designed by this group. Since “snake” has been in use for a few years, new tools (Nautilus and Neuron) have been deployed to replace it. Meanwhile, the targets will be both client (endpoint) and server. Reading technical articles is a burden for IT staff because cyber attacks are so frequent. A quick and dirty shortcut for IT staff is key. What to do, right? Yes, the free scan tool provided by Microsoft below will help you in this regard (refer to the URL below).

https://www.microsoft.com/en-us/wdsi/products/scanner

Should you be interested in this incident, please find the details at the URL below:

https://www.ncsc.gov.uk/alerts/turla-group-malware

The “retpoline” x86 mitigation technique for variant # 2

We heard that vendors recommend installing the patch on your servers, workstations and notebooks within this month. According to the Meltdown and Spectre technical white papers, the design weaknesses are divided into 3 parts. Variant 2, the branch target injection flaw, might be the easy one to resolve compared with the remaining 2 vulnerabilities. Those are bounds check bypass and rogue data cache load (the memory access permission check is performed after the kernel memory read). Retpoline is a mitigation strategy that replaces indirect branches with returns, to avoid using predictions that come from the BTB (Branch Target Buffer). But the Spectre vulnerability also contains the bounds check bypass vulnerability. In reality, security researchers comment that the vulnerabilities are difficult to exploit in practice. Perhaps a big team might spend resources on re-engineering this flaw in future and then transform it into an APT attack tool. Hackers are silent at this moment; at least no one is exploiting those vulnerabilities. However, a US Democratic lawmaker is looking at this incident with interest.

U.S. lawmaker asks Intel, others for briefing on chip flaws (see url below):

https://www.cnbc.com/2018/01/16/rep-jerry-mcnerney-probes-intel-arm-and-amd-on-spectre-and-meltdown.html
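The retpoline construct described in this post, written out as an added example (not code from the original post or from any vendor patch): on x86-64 the indirect call is replaced by a `call`/`ret` pair whose only speculative path is a harmless trap loop. The names `retpoline_call`, `dispatch`, `add_one` and `twice` are hypothetical, and on other architectures the sketch falls back to an ordinary indirect call.

```c
#include <stdio.h>

typedef long (*handler_t)(long);

/* Two possible indirect-branch targets (hypothetical handlers). */
static long add_one(long x) { return x + 1; }
static long twice(long x)   { return x * 2; }

#if defined(__x86_64__) && (defined(__GNUC__) || defined(__clang__))
/* retpoline_call(fn, arg): reach fn without an indirect jmp/call, so no
 * BTB prediction is used for this control transfer. */
long retpoline_call(handler_t fn, long arg) __asm__("retpoline_call");
__asm__(
    ".text\n"
    "retpoline_call:\n"
    "    mov  %rdi, %r11\n"     /* r11 = real branch target               */
    "    mov  %rsi, %rdi\n"     /* arg becomes the target's 1st argument  */
    "    call 2f\n"             /* pushes the address of 1: as return addr */
    "1:  pause\n"               /* speculation trap: the predicted return  */
    "    lfence\n"              /*   lands here and spins harmlessly       */
    "    jmp  1b\n"
    "2:  mov  %r11, (%rsp)\n"   /* overwrite return address with target    */
    "    ret\n"                 /* architecturally transfers to the target */
);
#else
/* Assumption: non-x86-64 builds use a plain indirect call instead. */
long retpoline_call(handler_t fn, long arg) { return fn(arg); }
#endif

/* Dispatch through a function-pointer table, the kind of code a
 * retpoline-enabled compiler rewrites automatically. */
long dispatch(int op, long arg)
{
    static const handler_t table[] = { add_one, twice };
    if (op < 0 || op >= (int)(sizeof table / sizeof table[0]))
        return -1;              /* reject out-of-range selectors */
    return retpoline_call(table[op], arg);
}

int main(void)
{
    printf("%ld %ld\n", dispatch(0, 41), dispatch(1, 21));
    return 0;
}
```

The target function returns straight to the C caller, because the thunk consumed the return address it pushed itself.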

A replay attack can be detected by a Microsoft event ID

Perhaps the Meltdown and Spectre CPU design weaknesses have been a headache for IT staff this month. It sounds like the whole environment is covered in mist! But the sun will rise eventually and drive away the dark. Do you remember the replay attack on WPA2 Wi-Fi networks last year? You upgraded the OS version and changed the authentication method because of that incident. Whether hardware or software, the IT product life cycle is short today. In the meantime, Microsoft can help you detect this attack if your Wi-Fi network authentication is integrated with Active Directory. You can verify the details in Event Viewer or use your SIEM dashboard to review them. For more details, please see the URL below provided by Microsoft.

4649(S): A replay attack was detected:

https://docs.microsoft.com/en-us/windows/device-security/auditing/event-4649

VMware Response to Speculative Execution security issues (Spectre and Meltdown)

About 14 hours ago VMware officially announced its product mitigation plan for the CPU design vulnerabilities (Spectre and Meltdown). Even though the mitigation plan has been released, for the recent chip design weakness, once the patches are applied, developers have to rewrite code to support the patch. Perhaps the VMware programming team cannot address the problem in full. But you do not have a choice if you are a VM user!

For more details, please see the URL below:

VMware Response to Speculative Execution security issues, CVE-2017-5753, CVE-2017-5715, CVE-2017-5754 (aka Spectre and Meltdown)

https://kb.vmware.com/s/article/52245

Bitcoin empire is coming!

Perhaps the whole world is unhappy with the existing financial system. Cryptocurrency is becoming stronger and stronger. Last year we saw cryptocurrency market activity, especially in Ethereum and Bitcoin, tell the world that these currencies have market support. Kodak is a pioneer jumping into this hot area. Kodak’s (KODK) stock surged as much as 125% in trading after the announcement. Apparently more cyber business opportunities are coming to the IT industry. The AWS, Azure and Office 365 cloud platforms provide flexibility and help technology firms resolve costing and labor issues, which helps businesses carry out their IT transformation. For more details about Kodak’s strategic business transformation, please refer to the URL below.

http://money.cnn.com/2018/01/09/technology/kodakcoin/index.html

Reference: Information security perspective - Hyperledger (Blockchain Technology)

Overview of hyperledger (Blockchain Technology) security design

 

Protecting against the chipset vulnerabilities known as Spectre and Meltdown, but a problem encountered on AMD chips

Microsoft released patches this week whose objective is Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown. A problem was encountered on AMD chips after the patch was installed: the system does not boot. Microsoft suspected that the root cause is AV software. For more details, please see the informative diagram below. The reference URLs are shown below:

Windows operating system security update block for some AMD based devices:

https://support.microsoft.com/en-us/help/4073707/windows-os-security-update-block-for-some-amd-based-devices

Important: Windows security updates released January 3, 2018, and antivirus software:

https://support.microsoft.com/en-us/help/4072699/january-3-2018-windows-security-updates-and-antivirus-software

Take care man!

Spectre attack works on non-Intel processors – status update by Apple 8th Jan 2018

In order to avoid the effects of Spectre (CVE-2017-5753 and CVE-2017-5715), Apple announced a solution (patching) to mitigate these vulnerabilities. It was a surprise that the result looks different from the findings of the security analysis reports. It looks like there is no significant performance slowdown and no requirement to redesign the CPU. However, what Apple addresses this time is the Spectre attack. Unlike Meltdown, the Spectre attack works on non-Intel processors, including AMD and ARM processors. Furthermore, it looks like the patch does not fully protect against Spectre until a new design concept is found! It looks like the easy way is to disable the CPU L1 cache, but that will reduce performance. It surprises me that Azure and Apple applied the patch and did not encounter the known performance issue. Perhaps cloud-based system platforms are memory intensive instead of CPU intensive. Or the problem has not been correctly addressed. For your reference, the Apple patch announcements:

macOS High Sierra 10.13.2 Supplemental Update

https://support.apple.com/en-hk/HT208397

Safari 11.0.2 includes security improvements to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208403

iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

https://support.apple.com/en-hk/HT208401

 

 

 

CPUs and machines not vulnerable to the “Meltdown” and “Spectre” vulnerabilities

The Chinese mantra “time can tell” looks like a witness to the modern hardware and software development industry. As we know, the IBM mainframe (s390) and Sun SPARC gave the world the feeling over the last decade that they were far away from modern technologies. Even though the S390 contains the LPAR function, which allows multiple OS platforms, including Windows server, Linux and 3rd party Unix, to run in the same box, the general feedback from the IT world was that they are outdated. The rumours were true, and Oracle laid off the core talent of the Solaris and SPARC teams last year. As a matter of fact, protecting the IT world is not only a matter for cyber security service providers. (For example, defense solution vendors have a headache because they do not have a precise idea of how to detect and defend against such a design limitation.) In future, maybe the former giants will give you assistance. Why? It is because SPARC and S390 support “Address Space Identifiers” (ASIs). In the sense that they already did the kernel page-table isolation, they are not vulnerable to the “Meltdown” and “Spectre” vulnerabilities.

Remark:

SPARC v8 privileged instructions are shown below:

  • user mode instruction fetch is ASI 0x08
  • supervisor mode instruction fetch is ASI 0x09
  • user mode normal data access is ASI 0x0A
  • supervisor mode normal data access is ASI 0x0B