Category Archives: Cyber War

Military or business industry: Windows OS peripheral control brought to attention.


Preface:

Since Windows XP, the Windows operating system has embedded functionality for industrial applications. However, the motivating factor for re-engineering a system depends on customer demand.

Case study details:

The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015 

Information Background – According to the SPAWAR official announcement in June 2015, the renewal will buy the Navy time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities.

* The Space and Naval Warfare Systems Command (SPAWAR), based in San Diego, is an Echelon II organization within the United States Navy and is the Navy’s technical authority and acquisition command for C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), business information technology and space systems.

Doubt – known design limitations

a. Windows OS – the re-engineering schedule to replace the Windows XP operating system.

  1. The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015. As of today, we believe that the operating system update has been done. However, a valid design weakness in the Windows operating system has been known from 2014 until today. Security experts found that a kernel flaw affects all versions of the Microsoft operating system platform since the end of 2014 (see the picture diagram below for reference). From my personal point of view, I agree with Microsoft's official comment in their announcement that this is not a security issue (a device driver injecting a rootkit). My standpoint is that the fundamental design objective of the Windows operating system does not cater for mission-critical industries, especially nuclear power facilities and the military industry. However, modern technology industries deploy it in a formal manner. Yes, I agree that the manufacturing industry and business automation have not shown the side effects of this design limitation. But in mission-critical industries, the design capability limitation resembles a technology kill chain! Information security is a continuous program; the Microsoft operating system is no exception. A group of security experts recently re-opened this flaw (Inside NT's Asynchronous Procedure Call). Asynchronous Procedure Calls (APCs) are a fundamental building block in NT's asynchronous processing architecture. This architecture is still valid today.

The security experts highlighted the flaw with regard to the following items.

If you are not interested in the technical details, you can skip ahead to item 2 below.

As a device driver writer, you can rely on APCs to execute a routine in a particular thread context without that thread's intervention or consent, whenever no guarantee of its address space's availability can be made. Since the APC mechanism does not run in Ring 3, the fundamental design does not enforce protection of this mechanism. As a result, a weakness was found here. The PsSetLoadImageNotifyRoutine function registers a notification function that is called when an image is loaded or mapped into memory. The operating system calls the registered callback after mapping the image, whether in user space or in kernel space (just what we need, because drivers are loaded into the kernel), but before the image executes. The main weakness of software driver integration with the operating system is given by PsSetLoadImageNotifyRoutine.

* The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

As we know, antivirus software uses a kernel driver to inject code into all running processes. The antivirus software registers for image-creation notifications and then queues some APCs that will execute in user mode and perform the injection. The security level of device driver protection on Windows therefore depends entirely on the third-party developer's design. Many security experts have commented on Microsoft OS products, highlighting that a flaw appears on the kernel side. Microsoft's official announcement stated that it is not a security issue. The fact is that malware can use the API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software to be smuggled in, thereby evading antivirus monitoring.

Device driver rootkit code (sample, x86 assembly fragment inside a load-image callback)

mov eax, [ebp+ImageInfo]    ; EAX = pointer to the IMAGE_INFO structure passed to the load-image notify routine
push dword ptr [eax+4]      ; push IMAGE_INFO.ImageBase (offset 4 on 32-bit builds) as an argument for the following call

Question:

Do you think the developers were alerted to this issue during their design phase? From a logical point of view, this unknown threat has not been announced to the world. Most of the protection mechanisms implemented fall under File, Registry, Process and DLL Load. Microsoft does not allow anyone to hook the SSDT. In my view, the system development cycle is a division of labour, and therefore this protection mechanism falls into the cyber security team's job scope. As a result, the protection mechanism relies on antivirus and malware detection software. But this specific threat might evade the malware scanner's custody.

It looks like a remediation step for critical industries, especially nuclear power facilities and military departments, might be to do an audit, and to develop the protection mechanism through SSDT hooking as soon as possible.

2. Satellite communication systems design limitation

Since this topic has been discussed previously, for more details see the related article at the URL below.

Perhaps military battleship can destroy everything, but it could not win in the digital war!


Summary:

As of today (12th Sep 2017), my comments regarding mission-critical industries remain unchanged: please re-confirm existing operating system peripheral issues before taking the next action.

Scientific versus Prejudice – Cyber war Part II

Preface

The NSA scandal let the world know about a large-scale surveillance program across the world. Perhaps the objective of the NSA is not only this matter. We know that a vulnerability occurred in a VSAT satellite system which allowed a malicious SMS signal to obfuscate the system's operation. For more details, please refer to the URL below.
The wars that happen today can hardly avoid involving a cyber technology battle. This is the prelude to today's discussion. What if my imagination comes true; what will happen in this battle?

NSA’s backdoor catalog (OS system and Network) exposed:

In the exposed information, a list of vendor names is included in their target list. As we know, we believed that Microsoft and Cisco products hid their backdoors. However, the CEO of Cisco told the world that their products did not have embedded backdoors. Microsoft president Brad Smith blamed the NSA spy agency for tarnishing their system design. Do you think those two big heads are actors, or do they really not know?

Conspiracy theory point of view on the OS system (merely personal opinion)

From a conspiracy theory point of view, what is the reason the operating system vendor maintained SMB version 1 until the NSA scandal was exposed to the world, and only then took patching action? Perhaps if not for the WannaCry ransomware outbreak, the SMB 1 design limitation would not have been tarnished. Meanwhile hackers claimed that they appreciate the NSA finding this secret, since nobody was aware of this issue until the secret leaked to the world! But who knows what the true factor was that let the OS vendor delay the SMB version 1 patching schedule until after the incident happened? (Microsoft released patches for all supported versions of Windows in March 2017.)

Conspiracy theory point of view on the network system (merely personal opinion)

Based on the Shadow Brokers disclosure, the two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011, but the other exploit's vulnerability is entirely new. From a logical point of view, it is hard to imagine that such a big technology company did not know the design weakness of their product. Maybe they are trustworthy. Or who knows? God knows.

Who dares say there is no unknown backdoor in hardware units, including the CPU?

Information Update on 31st Aug 2017 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Headline news today reports that the CPU vendor designs computers according to customer requirements, and sometimes the client is a government. For instance, the US government might require compliance with its security standard (the High Assurance Platform program, so called HAP). However, a design limitation was found. Intel made an official announcement regarding these vulnerabilities in May 2017. Furthermore, security experts found an unknown backdoor in the Intel ME chip. From a technical point of view, this is not a coincidence, and it is speculated that both vulnerabilities are related.

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

From a safety viewpoint, it is impossible to use a hostile nation's science and technology products


From a defense and protection perspective, it is not possible to use a hostile nation's science and technology products in a military zone. Even if the hardware and operating system vendors are trustworthy, the hostile country will try different ways to implant malware or use infiltration techniques against the related systems. For instance, network equipment vendors (router, switch and firewall) do not know that a design weakness will trigger such a critical level of destructive result. Below is a simple example to prove this concept.

Picture A is the reference for a normal network operating scenario. We understand that the internet world coexists with the BGP network protocol. The zoning is driven by AS numbers (autonomous system numbers), and each AS uses BGP to distribute routes. For instance, in picture B, the ISP D network equipment hits an SNMP design flaw and encounters a core OS buffer overflow that causes privilege escalation. As a result the core router has been compromised. Based on the BGP protocol hijack concept, the compromised router might obfuscate the network; it might have a way to control the network routing path. I am not going to explain the details since it is a very long discussion. However, if you do a Google search based on the above technical terms and concepts, you will be able to find the details. Yes, the internet world is big data, and it is free.
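The route hijack sketched for Picture B is what Route Origin Validation (RFC 6811) is meant to catch on the receiving side; the post does not mention it, so the following is an added example, not the author's code. It assumes constructed ROAs and announcements using documentation address ranges and private AS numbers, and it goes a little beyond the text by also flagging the more-specific-prefix variant of the hijack.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    prefix: str      # prefix the holder authorised, e.g. "203.0.113.0/24"
    max_length: int  # longest prefix length the origin may announce
    origin_as: int   # autonomous system authorised to originate it


# Constructed sample ROAs (documentation ranges and private ASNs, not real data).
ROAS = [
    Roa("203.0.113.0/24", 24, 64500),
    Roa("198.51.100.0/22", 24, 64501),
]


def validate_origin(prefix: str, origin_as: int, roas=ROAS) -> str:
    """Classify one announcement as 'valid', 'invalid' or 'notfound' (RFC 6811)."""
    net = ipaddress.ip_network(prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        # A ROA only applies if it covers the announced prefix.
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        # Right origin AS and not more specific than maxLength -> valid.
        if roa.origin_as == origin_as and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered by a ROA but no match -> invalid; no covering ROA -> cannot judge.
    return "invalid" if covered else "notfound"


def find_hijacks(announcements, roas=ROAS):
    """Return (prefix, origin_as) pairs a route collector should flag as likely hijacks."""
    return [(p, a) for p, a in announcements if validate_origin(p, a, roas) == "invalid"]


# Constructed announcements: the last two model the compromised ISP D router
# from Picture B originating a victim prefix and a more-specific of it.
ANNOUNCEMENTS = [
    ("203.0.113.0/24", 64500),   # legitimate origin
    ("198.51.100.0/23", 64501),  # legitimate, within maxLength
    ("192.0.2.0/24", 64502),     # no ROA at all: notfound
    ("203.0.113.0/24", 64666),   # wrong origin AS: hijack
    ("198.51.100.0/25", 64501),  # right AS but /25 exceeds maxLength 24: invalid
]
```

Running find_hijacks(ANNOUNCEMENTS) returns only the last two announcements; the "notfound" case shows why prefixes without a ROA stay exposed to exactly the Picture B scenario.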

Putting the above concept into the real world

The above example is my imagination; however, it will give you a solid idea of how serious a level of destruction will occur in similar circumstances. So to protect yourself in a cyber war battle, it seems better not to let your enemy know what type of equipment you are using. Even if they use a CVE attack or a zero-day attack, your equipment will be able to ignore those kinds of cyber attack.

The focus of the discussion

I can't write down a summary or conclusion right now, since there is more and more information coming. I need to study the details before continuing this discussion. OK, have a nice weekend. We will discuss next time. Thank you! Bye!

Picture A – Normal scenario (request to reach an IP address on the adjacent side)

Picture B – Telecommunication service provider network equipment compromised by a hostile nation (as a result, the network traffic will be routed to their area and under their control)


Electronic War reference:

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/