Category Archives: Data privacy

User opinion – Would you mind your user credentials running naked? Facebook scandal (Mar 2019)

Preface: Do I Really Need To Encrypt Every File on My Computer?
Maybe the answer is simple: it all depends on your data classification label.

The focus: Informed sources said that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain-text user passwords.

What is the objective of external audit?
The objective of an external audit is for the auditor to express an opinion on the truth and fairness of IT operations.

Doubt? From an information security point of view, the developer role should not have access to the production environment, especially its data. Meanwhile, what is the job role of the engineers? The job roles seem very messy.

Headline News: https://www.bbc.com/news/technology-47653656

Internet censorship versus Dark Web – 2019

Preface: Have you heard about Internet censorship in South Korea?
https://en.wikipedia.org/wiki/Internet_censorship_in_South_Korea

Synopsis: This news seems to make people nervous. The fact is that most people are concerned about freedom of speech. Perhaps that topic is not included in this discussion.
Let’s take a look at the recent activities.

  1. Japan is going to carry out intrusions into citizens’ smart home devices in Feb 2019. The goal is to harden the cyber security of the country.
  2. Internet censorship in South Korea.
  3. The new regulations under China’s Cybersecurity Law in November 2018 grant China’s cyber security agencies (the legal authority) the power to conduct remote testing of any Internet-related business operating in China.

Analysis based on current circumstances:
Internet censorship, or so-called internet surveillance, will soon be a mandatory action for each regime. Perhaps such a mechanism cannot prevent the growth of illegal activities, since criminals relocate their playground to another area.
What is that place? It is the dark web.

More than 617 million stolen accounts from 16 hacked websites are supposedly for sale. And it is believed that this is a possible way to enhance preventive and detective controls. What’s your opinion?

2019 headline news – a data breach may impact nearly 2.4 million Blur users

Preface: Data breaches continue to be a threat to consumers. Many companies have been hacked and likely had information stolen from them since January 2017.

Headline news, Jan 2019: Abine announced that they learned on 13th December 2018 that a file containing information from customers who had registered prior to January 2016 was exposed online.

Who is Abine? Abine is a Boston-based privacy company led by consumer protection, privacy, and identity theft experts.

Official findings of the data breach: The file was in a “mis-configured Amazon S3 storage bucket that was being used for data processing.”

User Tips: AWS Block Public Access rules

  • You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn’t support Block Public Access settings on a per-object basis.
  • When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.
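The two rules above can be checked before a bucket ever goes live. The following is an added example, not Abine’s or AWS’s own code: it reviews an ACL, a bucket policy and a PublicAccessBlockConfiguration (all constructed sample data in the shape the S3 API returns) and reports what would have left a processing bucket readable by anyone. The bucket name and ARN are placeholders.

```python
import json

# Grantee URIs that make an ACL grant world-readable (real AWS group URIs).
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Permissions an ACL (shape of `get-bucket-acl` output) hands to the world."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GRANTEES]

def public_policy_statements(policy):
    """Sids of Allow statements open to any principal and not narrowed by a Condition."""
    hits = []
    for st in policy.get("Statement", []):
        principal = st.get("Principal")
        anyone = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if st.get("Effect") == "Allow" and anyone and not st.get("Condition"):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def missing_block_public_access(config):
    """Block Public Access flags that are off; all four should be true for a processing bucket."""
    return [f for f in BPA_FLAGS if not config.get(f, False)]

def review_bucket(acl, policy, bpa_config):
    """Combine the three checks into one findings dict; empty values mean 'fine'."""
    return {
        "public_acl_grants": public_acl_grants(acl),
        "public_policy_statements": public_policy_statements(policy),
        "block_public_access_off": missing_block_public_access(bpa_config),
    }

# Constructed sample resembling a misconfigured processing bucket (not the real Abine config).
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "ownerid"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-processing-bucket/*"}]}""")
SAMPLE_BPA_OFF = {}                                   # no Block Public Access configured
HARDENED_BPA = {f: True for f in BPA_FLAGS}           # what the settings should look like
```

With `HARDENED_BPA` applied at the account level, the public ACL grant and the `PublicRead` statement are both neutralised even if someone re-adds them later.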

Should you have an interest in knowing more details, please refer to the official announcement: https://www.abine.com/blog/2018/blur-security-update/


Self-Encrypting Solid-State Drive Vulnerabilities – November 06, 2018

Preface:
Looking back over the last decade, the keyword “vulnerability” looked like a stranger to us. But that has changed today. Design vulnerabilities, without doubt, are the by-products of cost-effective solutions, market competition (short development life cycles) and satisfying human wants.

Design technique – Wear leveling (also written as wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media.

Design limitation – Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten).
Remark: Consumer Notice regarding Samsung SSDs – https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/
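To make the design limitation concrete, here is an added example (a toy model, not any vendor’s firmware): a minimal flash translation layer that always writes to the least-worn free page, so a host-side overwrite leaves the previous copies of the block readable from raw flash until garbage collection erases them. Page counts and data values are constructed.

```python
class ToySSD:
    """Toy flash translation layer. A write always lands on the least-worn free
    page, so a logical overwrite never erases the previous physical copy in place."""

    def __init__(self, pages=8):
        self.flash = [None] * pages        # raw physical pages, as a chip-off read sees them
        self.erase_count = [0] * pages     # wear per page, drives the placement choice
        self.valid = [False] * pages       # True if the page holds the live copy of an LBA
        self.l2p = {}                      # logical block address -> physical page

    def _free_page(self):
        free = [i for i, page in enumerate(self.flash) if page is None]
        if not free:
            raise RuntimeError("no free pages: run garbage_collect() first")
        return min(free, key=lambda i: self.erase_count[i])   # wear leveling

    def write(self, lba, data):
        p = self._free_page()
        self.flash[p] = (lba, data)
        self.valid[p] = True
        if lba in self.l2p:
            self.valid[self.l2p[lba]] = False   # old copy marked stale, bits untouched
        self.l2p[lba] = p

    def read(self, lba):
        """What the host sees: only the current copy."""
        return self.flash[self.l2p[lba]][1]

    def stale_copies(self, lba):
        """What a raw flash read still exposes: superseded copies of this LBA."""
        return [page[1] for i, page in enumerate(self.flash)
                if page is not None and page[0] == lba and not self.valid[i]]

    def garbage_collect(self):
        """Erase stale pages; only now do old copies actually disappear."""
        for i, page in enumerate(self.flash):
            if page is not None and not self.valid[i]:
                self.flash[i] = None
                self.erase_count[i] += 1

def demo():
    """Overwrite a block twice, then 'wipe' it from the host side."""
    ssd = ToySSD()
    ssd.write(0, b"secret-v1")
    ssd.write(0, b"secret-v2")
    ssd.write(0, b"\x00" * 9)            # host-level overwrite with zeros
    leaked = ssd.stale_copies(0)         # both old versions are still on the flash
    ssd.garbage_collect()
    return ssd.read(0), leaked, ssd.stale_copies(0)
```

This is why data that was written in plain text before encryption was enabled, or that the controller protects with a weak key, cannot be assumed gone just because the host overwrote it.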

Impact – There is a possible way for a data thief to collect and read the encrypted data through a physical attack (reverse engineering). This is a vulnerability in the hardware encryption method.

Remedy – Fully turn off BitLocker to decrypt the drive on the Windows OS
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

The fundamental of data sharing versus data privacy

Preface:

What are “Fair Information Practices”? These principles of privacy protection are internationally recognized and are found in most privacy legislation around the world. They inform the way private organizations collect, secure, use and disclose personal information.

What is the bottleneck of data sharing?

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. This is therefore the fundamental limitation of data sharing: you must obtain the consent of the data owner or data subject before use.

Can we find an easy way to implement data sharing?

If you agree that the above standpoint is the bottleneck, I believe you will continue to read this article. OK, let’s elaborate quickly.

Successful data analytics technology can tell the truth, but this does not include the surveillance type, because in my view a surveillance program would be categorized as a monitoring feature rather than as data sharing. The phenomenon we have seen is shown in the table below:

The above table is perhaps not an official survey, so it cannot provide a significant and reliable reference. However, it shows hints that the bottleneck of the data sharing concept is driven by Fair Information Practices.

As a matter of fact, even countries under extreme regime governance have not shown that the government will open its repositories, including personal information. The reality so far is that private companies collect their customer data for business goals, or re-engineer the usage of their customer data.

Potential hidden power

Natural and non-human activity data contain huge potential power to build a comprehensive big data infrastructure. We had not seen the weaknesses of the traditional database structure until big data analytics was born. As a result, even though data sharing is not mature at the moment, it can develop a perfect infrastructure waiting for the future.

Global Positioning System pioneers build the data sharing infrastructure

When you use the Global Positioning System (GPS) on your smartphone for directions to a particular place, or ask a search engine for the locations of famous local restaurants near a physical address or landmark, you are using applications relying on spatial data. Spatial databases are therefore the key component of the global positioning system. As time goes by, the GPS system has established a data sharing architecture.

Revolution of database technology

Big data is a term used to refer to the study and applications of data sets that are so big and complex that traditional data-processing application software is inadequate to deal with them.

Big data technologies break the ice: they overcome the fundamental limitations of the traditional database model on data access speed and usage efficiency. SQL was originally designed for relatively static data structured as tables. IoT-generated data is the data generated by the sensors fitted into interconnected devices. In the IoT scheme of things, each device will have an IP address so that it is able to communicate with its destination peer. IoT-generated data is dynamic data because it does not follow the human-input data model, so key-value store technology has the advantage here. In the market so far there are many different types of non-SQL, or non-relational, databases. The high-end system model is the famous IBM mainframe VSAM access method, but low-end products can do similar things today. Below is a closer look at the top 5 (low-end) NoSQL database engines.

IoT data requires analytics before use. The data analytics focuses on processing device status data and sensor readings to generate descriptive reports and alarms.

Real-time analytics tools usually support controlling the window of time for analysis and calculating rolling metrics, for example tracking hourly averages over time rather than calculating a single average across an entire dataset. As a result the system requires quick response and processing power.

Remark: What are rolling metrics good for? Getting numbers faster – every day, or every minute if you want.

Speeding up access

A general-purpose distributed memory caching system boosts data access speed. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. The architecture below can provide hints in this regard.

Summary:

So far, no feature has been seen that will improve data security, since we focus on natural and non-human activity data, which does not touch any confidential data. The key factor in the data sharing bottleneck is not a limitation of technology. The facts show that the success factor in promoting the data sharing concept depends on how you treat people with respect.


Consider how jQuery affects millions of people’s confidential data – Sep 2018

RiskIQ exposed one of the possible ways hackers stole customer credit card data from British Airways. Experts speculate that the suspects exploited the “inject jQuery into a page” technique to collect the confidential data. BA claims that the data breach only involved credit card data.
RiskIQ shared a proof of concept showing that the technique is equivalent to an ATM machine skimmer, but this time the skimmer feature is installed on a web page. The fact is that when a victim clicks the specific button on the compromised web page, the personal data belonging to the victim is diverted to the hacker’s server.
Perhaps we know that the technique so called “inject jQuery into a page” is not news. But exploiting the inject-jQuery technique together with the ATM machine skimmer concept may be new.
I am not going to copy RiskIQ’s POC programming language this time. However, I will display the inject-jQuery sample code for your reference. Meanwhile, I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server, communicating a lot of information about the target. So this is another possibility for how British Airways lost the customer data.
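Whether the foreign script is a modified jQuery or a BeEF hook, the defender’s question is the same: does the payment page load any script that is not pinned and not from an expected host? The following is an added example, not RiskIQ’s PoC or code from the original post. It audits a page’s `<script>` tags against an allowlist of hosts and checks for Subresource Integrity attributes; the hostnames, the page and the SRI hash value are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptAudit(HTMLParser):
    """Records every <script> a page loads and flags the ones a checkout page should not have."""
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = allowed_hosts
        self.findings = []
        self._in_inline = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:                     # inline script: body arrives in handle_data
            self._in_inline = True
            return
        host = urlparse(src).netloc
        if host and host not in self.allowed_hosts:
            self.findings.append(("unexpected-host", src))
        elif "integrity" not in a:          # known host or same-origin path, but no SRI hash
            self.findings.append(("no-sri", src))

    def handle_data(self, data):
        if self._in_inline and data.strip():
            self.findings.append(("inline-script", data.strip()[:40]))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_scripts(html, allowed_hosts):
    """Return the list of (finding, detail) tuples for a page."""
    parser = ScriptAudit(set(allowed_hosts))
    parser.feed(html)
    return parser.findings

# Constructed checkout page: hostnames and the SRI hash value are placeholders.
SAMPLE_PAGE = """
<script src="https://www.example-airline.test/js/app.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.unknown-host.test/jquery.min.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<form action="/pay"><input name="card"><button>Pay</button></form>
"""

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_PAGE, {"www.example-airline.test"}))
```

Run against a stored copy of the live checkout page on a schedule, a non-empty result is the change-detection signal that a skimmer-style modification would have produced.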

Jul 2018 – An IoT P2P (Peer to Peer) design flaw left the passwords of over 30,000 devices exposed in a search engine

The P2P (Peer to Peer) function is a common function supporting the operation of Internet of Things devices. It aims to simplify operation and increase flexibility. We are now focusing on personal data privacy, but the fundamentals of user-friendly functions appear to contradict secure operation. The firm (NewSky Security) found passwords for tens of thousands of Dahua devices cached in the IoT search engine. In the meantime the hardware manufacturer has not provided any response regarding this incident. Stay tuned, and see what the reply from the hardware vendor is.

Should you be interested in the details, please refer to the attached diagram and the URLs below for reference.

Passwords for tens of thousands of Dahua devices cached in the IoT search engine – https://amazingreveal.com/2018/07/15/passwords-for-tens-of-thousands-of-dahua-devices-cached-in-the-iot-search-engine/

Official Announcement/Notice – https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice

Vulnerability found recently

22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products


TIBCO Security Advisory: June 26, 2018

Vulnerabilities that may allow unauthorized information disclosure and remote code execution look like a common topic in the CVE list. Predictive models and analysis are typically used to forecast future probabilities. Applied to business, predictive models are used to analyze current data and historical facts in order to better understand customers, products and partners and to identify potential risks and opportunities for a company. TIBCO Spotfire makes it easy for you to analyze data from any number of data sources. Using this data, you can create predictive models and apply advanced techniques within the Spotfire environment. What do you think if this type of service has a data breach incident?

TIBCO Spotfire is currently used on 1,400 websites, a market share of 2.49% compared with competitors offering similar functions.

TIBCO Spotfire Product Family Remote Code Execution Vulnerability

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5435

TIBCO Spotfire Product Family Information Disclosure Vulnerability

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5437

TIBCO Spotfire Server information disclosure vulnerabilities

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5436

Sometimes a RESTful API jeopardizes your personal data privacy

Ticketmaster Hacked! The company sold 500 million tickets to 86 million people last year. It is important for you to select the best API to create a chatbot. A common way is to call a RESTful API from your chatbot. What makes RESTful APIs even more attractive is that the same REST API could potentially be used both by a web application and by other clients such as a mobile application. But a RESTful API requires hardening; otherwise it is not secure.

Common REST API security risks (see below):

  • Unencrypted payload
  • Lack of input sanitisation

Therefore the payments or approvals process must be put in a secure place, which is usually not the client app.

Should you have an interest in the Ticketmaster data breach incident, please refer to the URL below for reference.

Ticketmaster admits personal data stolen in hack attack

https://www.bbc.com/news/technology-44628874?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

30th June 2018 – status update (Inbenta and the Ticketmaster Data Breach FAQs – official announcement)

https://www.inbenta.com/en/inbenta-and-the-ticketmaster-data-breach-faqs/


June 2018 – Red Shell service arousing public questions!

DNS logs explicitly show internet user activities. For instance, malicious network traffic can be identified in DNS logs. The technical details include command and control (C2) traffic of the following cyber attacks: ransomware, malicious ads and redirects, exploit kits, phishing, typosquatting attacks, DNS hijacking, denial of service (DoS) attacks, and DNS tunneling.

Pi-hole is a Linux network-level advertisement and internet tracker blocking application which acts as a DNS sinkhole. DNS sinkholing is a mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled, IP address. The controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator.

The Sinkhole server can be used to collect event logs, but in such cases the Sinkhole administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.
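As an added example (not Pi-hole’s or ENISA’s code), the following shows what a sinkhole operator can do with its query log while staying on the right side of the privacy point above: it parses constructed dnsmasq-style query lines in the format Pi-hole writes, reports which queries the sinkhole would have answered and which names have the long, high-entropy labels typical of DNS tunnelling, and truncates every client address to its /24 before anything is kept. The domains, clients and blocklist are constructed.

```python
import math
import re
from collections import Counter

# Constructed dnsmasq-style query log lines, in the format Pi-hole writes to its log.
SAMPLE_LOG = """\
Jun 12 10:01:02 dnsmasq[812]: query[A] www.example.com from 192.168.1.10
Jun 12 10:01:03 dnsmasq[812]: query[A] tracker.example-ads.test from 192.168.1.10
Jun 12 10:01:05 dnsmasq[812]: query[TXT] 6a7f9c2e1b4d8a3f5c7e9b1d3f5a7c9e.tunnel-c2.test from 192.168.1.22
Jun 12 10:01:06 dnsmasq[812]: query[A] mail.example.com from 192.168.1.31
"""
SINKHOLE_DOMAINS = {"example-ads.test"}   # constructed blocklist (hypothetical domain)
LINE_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

def parse(log):
    """Extract (qtype, name, client) from each query line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.search, log.splitlines()) if m]

def entropy(s):
    """Shannon entropy in bits per character."""
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def is_sinkholed(name):
    """True if the name or any parent zone is on the sinkhole list."""
    parts = name.rstrip(".").split(".")
    return any(".".join(parts[i:]) in SINKHOLE_DOMAINS for i in range(len(parts)))

def looks_like_tunnel(name):
    """Heuristic: a long, high-entropy leftmost label is typical of DNS tunnelling."""
    label = name.split(".")[0]
    return len(label) >= 24 and entropy(label) > 3.0

def anonymise(record):
    """Keep only the client's /24 so the log stays useful without identifying a person."""
    prefix = record["client"].rsplit(".", 1)[0]
    return {**record, "client": prefix + ".0/24"}

def triage(log):
    """Split queries into those the sinkhole would answer and those worth an analyst's look."""
    sinkholed, suspicious = [], []
    for q in map(anonymise, parse(log)):
        if is_sinkholed(q["name"]):
            sinkholed.append(q)
        elif looks_like_tunnel(q["name"]):
            suspicious.append(q)
    return sinkholed, suspicious

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Ordinary browsing (the `www` and `mail` queries) produces no record at all, which is the data-minimisation the paragraph above asks of a sinkhole administrator.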

Red Shell helps PC and console games uncover where their players come from through reliable attribution. Their system architecture is built with the Pi-hole and BIND open-source applications. Meanwhile Pi-hole and BIND can be used for reverse engineering: they can do endpoint monitoring, aiming to keep track of customer behaviour.

Concerns from the public call into question the analytics package provided by Innervate, Inc., to game publishers.
Innervate, a Seattle-based company founded to help game makers reach more customers, is launching its new Red Shell service today.

Reference:

European Union Agency for Network and Information Security

What is a “DNS Sinkhole”? – https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/dns-sinkhole

Remark: Administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.