Category Archives: Data privacy

Self-Encrypting Solid-State Drive Vulnerabilities – November 06, 2018

Preface:
Retrospective last decade, the key word so called vulnerability look like a stranger to us. But it change today. Design vulnerability, it was no doubt to say. They are the belongings of cost effective solution, market competition (short development life cycle) and satisfy human want.

Design technique – Wear leveling (also written as wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media.

Design limitation – Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten).
Remark: Consumer Notice regarding Samsung SSDs – https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/

Impact – There is possible way to allow data theft to collect and read the encrypted data through physical attack (reverse engineering). A vulnerability for hardware encryption method.

Remedy – Fully turn off BitLocker to decrypt the drive on windows OS
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

The fundamental of data sharing versus data privacy

Preface:

What is “Fair Information Practices,” the principles of privacy protection are internationally recognized and are found in most privacy legislation around the world. These principles inform the way private organizations collect, secure, use and disclose personal information.

What is the bottleneck of data sharing?

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. And therefore this is the fundamental limitation of the data sharing. In the sense that you must consensus the data owner or object before use.

Can we found out the easy way to implement data sharing?

If you agree above standpoint is the bottleneck. I believe that you will continue to read this article. Ok, let’s take a quick way to elaborate.

The successful data analytic technology can tell the truth but not include survillance type. Because survillance program in my view point will categories as monitoring feature instead of data sharing categories. The phenomenon we have seen shown below table:

Above table perhaps not the official survey, it can’t provide the significant and reliable reference. However it shown an hints that the bottleneck of data sharing concept driven by Fair Information Practices.

As a matter of fact, even though the extreme regime governance country also not shown government will lead open his repository including personal information. The realistic so far is the private company collect their customer data for business goal or do a re-engineering of the usage of their customer data.

Potential hidden power

Natural & Non-Human Activities data contain huge potential power build a comprehensive big data infrastructure. We haven’t seen traditional database structure weakness until big data analytic born. As a result even though data sharing not mature in the moment however it can develop a perfect infrastructure waiting for the future.

Global Positioning System pioneer build the data sharing infrastructure

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system. As time goes by, GPS system build the data sharing architecture established.

Revolution of database technology

Big data is a term used to refer to the study and applications of data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.

Big data technologies break the ice, it improve traditional database model fundamental limitation on data access speed and usage efficiency. SQL was originally designed for relatively static data structured as a table. IoT-generated data is the data generated by the sensors fitted into interconnected devices. In the IoT scheme of things, each device will have an IP address so that it is able to communicate with destination peer. The IoT-generated data is a dynamic data because it is not the human input data model. So, a Key-Value Store technology can receive the advantage. In the market do far there were many different types of non-SQL, or non-relational, databases. The high-end system model is the famous IBM mainframe VSAM access method. But low end products can do similar things today. Below top 5 (low end) NoSQL database engines closer look.

IoT data require to do analytic before use. The data analytics focusing process device status data and sensor readings to generate descriptive reports and alarm.

Real-time analytics tools usually support controlling the window of time analysis, and calculating rolling metrics. For example, to track hourly averages over time rather than calculating a single average across an entire dataset. As a result the system require quick reponse and processing power.

Remark: What are rolling metrics good for? Get numbers faster – every day or minute if you want

Speed up an access

A general-purpose distributed memory caching system boost up the data access speed. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Below architecture can provide hints to you in this regard.

Summary:

So far, not seen any feature will be improved the data security. Since we are focus Natural & Non-Human Activities data. So it did not touch with any confidential data. The key factor of data sharing bottleneck not the limitation of technology. The fact shown that the successful factor to promote data sharing concept depends on you how to treat people with respect.

 

Consider how does JQuery affect millions of people confidential data – Sep 2018

RiskIQ expose one of the possible way how hacker steal customer credit card data of British Airline. Expert speculate the suspects exploit Inject jQuery into a page technique collect the confidential data. BA claim that the data breach only occurs in credit card data.
Risk IQ share the proof of concept shown that the technique equilvalent ATM machine skimmer. But this round the skimmer feature is install on web page. The fact is that when victim click the specific compromise web page button. The personal data belongs to victim will divert to hacker server.
Perhaps we know the technique so called Inject jQuery into a page is not a news. But exploit inject jQuery technique cope with ATM machine skimmer concept may be is new.
I am not going to copy RiskIQ POC programming language this time. However I will display the inject jQuery sample code for your reference. Meanwhile I will let your memory awaken.

BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers.
The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run on client browsers. When it does, it calls back to the BeEF server communicating a lot of information about the target. So this is another possibility let British Airways lost the customer data.

Jul 2018 – The IoT P2P (Peer to Peer) design flaw let passwords of over 30,000 devices exposed in search engine

The P2P (Peer to Peer) function is common function for the operation support for Internet of things devices. It aim to simplify the operation and increasing flexibility. We now focusing on data personal privacy but the fundamental of user friendly functions looks contained contradiction with secure operation. The firm (NewSky security) found password for tens of thousands of Dahua devices cached in the IoT search engine. In the meantime the hardware manufacturer not provides any responses in regard to this incident. Stay tuned! And see whether what is the reply by hardware vendor.

Should you have interested to know the details, please refer to attached diagram and url for references.

Passwords for tens of thousands of Dahua devices cached in the IoT search engine – https://amazingreveal.com/2018/07/15/passwords-for-tens-of-thousands-of-dahua-devices-cached-in-the-iot-search-engine/

Official Announcement/Notice – https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice

Vulnerability found recently

22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

 

TIBCO Security Advisory: June 26, 2018

The vulnerabilities that may allow for unauthorized information disclosure, remote code execution and allow for the disclosure of information looks a common topic in CVE list. Predictive models and analysis are typically used to forecast future probabilities. Applied to business, predictive models are used to analyze current data and historical facts in order to better understand customers, products and partners and to identify potential risks and opportunities for a company. TIBCO Spotfire makes it easy for you to analyze data from any number of data sources. Using this data, you can create predictive models and apply advanced techniques within the Spotfire environment. What do you think if this type of services has data breaches incident occurs?

TIBCO Spotfire existing has 1400 websites. Market share 2.49 % comparing with similar functions of competitor.

TIBCO Spotfire Product Family Remote Code Execution Vulnerability

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5435

TIBCO Spotfire Product Family Information Disclosure Vulnerability

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5437

TIBCO Spotfire Server information disclosure vulnerabilities

https://www.tibco.com/support/advisories/2018/06/tibco-security-advisory-june-26-2018-tibco-spotfire-2018-5436

Sometimes RESTful API jeopardize your personal data privacy

Ticketmaster Hacked! The company sold 500 million tickets to 86 million people last year. It is important for you to select the best API to create chatbot. Common way call a RESTful API from your Chatbot. What makes RESTful APIs even more attractive is that the same REST API could potentially be used both by a web application, as well as other clients such as a mobile application. But RESTful API require hardening. Otherwise it is not in secure way.

Common REST API security risk (see below):

  • unencrypted payload
  • Lack of input  sanitisaton

And therefore payments or approvals process must put into a secure place which is usually not the client app.

Should you have interest of the Ticketmaster data breach incident, please refer below url for reference.

Ticketmaster admits personal data stolen in hack attack

https://www.bbc.com/news/technology-44628874?intlink_from_url=https://www.bbc.com/news/topics/cz4pr2gd85qt/cyber-security&link_location=live-reporting-story

30thJune2018 – status update (Inbenta and the Ticketmaster Data Breach FAQ’s – official announcement)

https://www.inbenta.com/en/inbenta-and-the-ticketmaster-data-breach-faqs/

 

June 2018 – Red Shell service arousing public question!

DNS logs explicitly shown the internet user activities. For instance a malicious network traffic that can be identified in DNS logs. The technical details includes command and control (C2) traffic of the following cyber attacks.
Ransomware, malicious ads and redirects, exploit kits, phishing, typosquatting attacks, DNS hijacking; denial of service (DoS) attacks; and DNS tunneling.

Pi-hole is a Linux network-level advertisement and internet tracker blocking application which acts as a DNS sinkhole. DNS Sinkholing is a mechanism aimed at protecting users by intercepting DNS request attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled IP address. The controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator.

The Sinkhole server can be used to collect event logs, but in such cases the Sinkhole administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.

Red Shell helps PC & console games uncover where their players
come from through reliable attribution. Their system architecture build by PI-HOLE and bind opensourece application. Meanwhile PI-HOLE and BIND can do reverse engineering. It can do the end point monitoring, aim to keep track the customer behaviour.

A concerns of public and question the analytics package provided by Innervate, Inc., to game publishers.
Innervate, a Seattle-based company founded to help game makers reach more customers, is launching its new Red Shell service today.

Reference:

European Union Agency for Network and Information Security

What is a “DNS Sinkhole”? – https://www.enisa.europa.eu/topics/csirts-in-europe/glossary/dns-sinkhole

Remark: Administrator must ensure that all logging is done within their legal boundaries and that there is no breach of privacy.

What is your privacy today? – Apr 2018

We are concerning about data privacy! Whereby we are scare of the surveillance program. As a matter of fact we are always under custodian.When you apply the loan or you have credit card. The financial instition will know your credit details. Your trustee will be categorized by score. Since this is the verification check and therefore we do not have negative comment. But it looks that the authorized agencies data custodian power become bigger and bigger. So a doubt occured after Equifax cyber security incident in 2017 causes data breach? Equifax is one of the credit report acency. There are total number of three company at this time. They are Equifax, Experian and TransUnion. Experian also offer INTERNET SURVEILLANCE,SOCIAL NETWORK MONITORING and anti-IDENTITY THEFT SERVICES. As far as I know, SunTrust Bank now offering identity protection for all current and new consumer clients at no cost on an ongoing basis because a former Employee Stole Details on 1.5 Million Customers. The identity protection services provider is Experian. Their power is bigger and no one aware. From technical point of view, their power similar government. But how we can do?

SunTrust 1.5 M client info stolen news – Apr 2018 (see below)

https://www.usatoday.com/story/tech/2018/04/20/many-1-5-million-accounts-may-have-been-compromised-suntrust-banks/535687002/

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’

 

Facebook scandal looks a hot discussion topic this week. However the scandal looks like the vendor misbehavior instead of data breach. Anyway let’s the expert figure out the truth. Perhaps this is not a news of cyber security expert since facebook not a secure platform so far. Scam email, email plishing relies on stolen data on facebook client endpoint do the ditry tricks. Heard that the UK parliament asks Mark Zuckerberg to testify in data misuse case. Oh!

Facebook’s Zuckerberg ‘sorry’ over Cambridge Analytica ‘breach’. For more details, please refer following url for reference.

http://www.bbc.com/news/world-us-canada-43494337

 

GDPR – Art.17 GDPRRight to erasure (‘right to be forgotten’)

In effective of data protection policy on 28th May 2018. EU member countries mandatory to compliance data protection policy. It is a good news to avoid personal data misuse somewhere. Such benefits applies to all member countries citizen. Following ground of interpretation you are allow to execute following actions. For instance:

The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.

But following criteria shall not apply to the extent that processing is necessary: For compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Actually there are more. For more details, please refer to

Art. 17 GDPR – Right to erasure (‘right to be forgotten’)

Enjoy!