Category Archives: Data privacy

Please be vigilant. Spyware will be installed on your phone at any time – Oct 2019

Preface: Since the spyware runs in a stealth mode, it will let you track the device without being detected.

Background: Patroit Act empower law enforcement agency or related department can legally monitor the movements of suspect especially Terrorism. And therefore law enforcement agency will be used spyware monitor what’ the target movement. As time goes by, quite a lot of software vendors do a transformation of mobile phone monitoring tool (spyware) to consumer product. Flexispy and Spyzie are popular in the market. You can purchase this product though vendor web portal. The slogan by vendor is that no rooting or jailbreaking required. It can easy to track SMS, CallLogs, Social Apps and locations.

Legal point of view: If the spyware was ‘used on a case,’ a detail document of report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said attorney.

The reasons why cyber criminals want to hack your phone?

  • To eavesdrop on calls
  • To steal money
  • To blackmail people

So the Federal Trade Commission recommended Smartphone users who suspect an illegitimate stalking app on their device should consider their recommendations. Refer to URL for more details. https://www.consumer.ftc.gov/blog/2019/10/stalking-apps-retina-x-settles-charges

ABout MasterCard data breach – Aug 2019

Preface: Still remember that when I was work in bank environment. Visa and Master payment solutions looks indeed secure. Those facilities are running in standalone machine. The communication protocol is the IBM SDLC communication. In order to communication with S390 mainframe. We setup data link switch in network switch and define VTAM major nodes on mainframe. Can we say the invention of internet jeopardize the world. Yes, it does.

Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. There are about 90000 personal records was steal. Perhaps the actual figure has not been finalize yet! but rumor said that the leaked personal data is selling on darknet now. However, when we manually view the programming source it shown to us there is a lot of weakness on backend server. For instance, the backend system run on vulnerable Apache version. So i am imagine that whether there has possibility let attacker exploit CVE-2017-3167 to bypass the authentication on the front end web server then stolen the data?

Bloomberg headline news https://smg.photobucket.com/user/chanpicco/media/chanpicco001/MasterCard-leak-Aug-2019-1_zps35cvwtvc.jpg.html?sort=3&o=0

CVE-2019-10099 Apache Spark Unencrypted Data Vulnerability Aug 2019

Background: Apache Spark is the tailor made for big data industry.Spark’s advanced acyclic processing engine can operating as a stand-alone mode or a cloud service.

Synopsis: Spark supports encrypting temporary data written to local disks. This covers shuffle files, shuffle spills and data blocks stored on disk (for both caching and broadcast variables). It does not cover encrypting output data generated by applications with APIs such as saveAsHadoopFile or saveAsTable. It also may not cover temporary files created explicitly by the user.

Vulnerability details: The vulnerability is due to a cryptographic issue in the affected software that allows user data to be written to the local disk unencrypted in certain situations, even if the spark.io.encryption.enabled property is set to true.

Security focus: This vulnerability did not category as critical. But the level of risk will be depends on the system architecture and classification level of data. For instance, it is a machine learning function and install on top of public cloud computer farm. If this is the case, a serious access restriction control to Spark infrastructure area must be apply.

Remedy: Apache has released software updates at the following link – https://spark.apache.org/downloads.html

Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks

Preface: Even though you company install full set of cyber defense mechanism. More than 70% of feature is detective and preventive. Perhaps SIEM can do a predictive action. May be you have doubt, but it is factual.

Details: Australian Cyber Security Centre urge his citizen beware of Password Spraying Attacks (refer below url): https://www.cyber.gov.au/sites/default/files/2019-08/2019-130_-_password_spray_attacks_detection_and_mitigation_strategies.pdf
Such activities has been observed by U.S. Homeland security for long time. Consolidate their evaluation results, summary shown as below:

Part A: Commonly used ports are used when password spraying.

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

Part B: Cyber Attack Group & Commonly used malware

Group name: APT3,APT33,Dragonfly 2.0(Berserk Bear),Threat Group-3390,Lazarus Group , OilRig(APT35),Leafminer,Turla

Malware types:
Chaos (malware)
Linux Rabbit(malware)
SpeakUp (Trojan backdoor)
Xbash (malware)
PoshC2 is an open source remote (written in powershell)
Emotet (malware)

SIEM Definition – Firing Rules criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad usernames
3. High number of account lockouts over a defined period of time
4. Unknown “appDisplayName” – Active Directory PowerShell
5. Ratio of login success verses login failure per IP address

Remark: If your IT infrastructure is a Cloud IaaS deployment, perhaps you need to do the monitoring by yourself.

If the above 5 items triggers your SIEM rules. Even though the activities not in high amount. But you requires to observe the continuity level. Most likely on those activities alert that cyber attack group is interested of your company.

Even though you deployed SSL, stay alert in Python Iot world (CVE-2018-18074)

Preface: The invention of the IoT sensor looks like a contingent driving a smart city. At the same time, the python programming language gives life to the Internet of Things.

Security Focus: Even though IoT devices and their back-end facilities deploy SSL certification. It cannot prevent data leakage because of programming language flaw.

Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when performing HTTPS to HTTP redirects with the same hostname, which may allow user credentials to be transmitted in clear text. A successful exploit could allow the attacker to access sensitive information, such as user credentials and web server information. For more details, please refer to attached diagram.

Remedy: Python has released a software update, please refer to the url: https://github.com/psf/requests/releases

Fileless Malware Advisory – 17 JUl 2019

Preface: Stolen account information of nearly 750 million users was available for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.

Description: Spear phishing email with URL to an archive file containing a .lnk file can misleading receiver to become a cyber victim. The receiving end not aware and let the data thief steal the data in silent mode.

Fileless Malware Advisory: MICROSOFT alerting that a new type of fileless malware found ( Astaroth). This malware can be installed on victims’ PCs without an executable. The Microsoft Defender ATP Research Team lock down Astaroth in May and June 2019. The Canadian Centre for Cyber Security issue a report this week and provide a guidance to do the prevention. This malware has capability to evade the defenses mechanism. Should you have interested of this report. Please refer to the following url – https://cyber.gc.ca/en/alerts/fileless-malware-advisory

Orvibo smart home devices leak billions of user records – customer must staying alert – Jul 2019

Preface: If victim is not negligence. Can we give an excuse to him?

Company background: Orvibo, a Chinese smart home solutions provider.

Story begin: A technical report shown to the world that Orvibo (ElasticSearch cluster) leaked more than two billion user logs containing sensitive data of customers from countries all over the world.
Does the admin using easy to guess password or………

Impact: Diminished reputation of the company only. Perhaps more, GDPR penalty, phishing scam,..etc. Most likely customer do not aware and let the attacker hunt the victim easier because criminal will counterfeit their personal information.

If you are aware your personal information has been stolen by above incident. What should You do?

Since hacker know your personal details and therefore they will using your information to conducting criminal activities on other public media. Our suggestion is that changing your password and update the virus signature or OS patching are not enough. You must observer your mail box whether scam mail activities is growth rapidly after this incident. If result shown positive, you must contact your email service provider and looking for their recommendations.

Headline News – https://www.dailymail.co.uk/sciencetech/article-7202675/Maker-smart-home-software-continues-leave-database-containing-users-passwords-OPEN-online.html

User opinion – Would you mind your user credential naked running? Facebook scandal (Mar 2019)

Preface: Do I Really Need To Encrypt Every File on My Computer?
May be answer is simple, all depends on your data classification label…..

The focus: Informed sources told that access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.

What is the objective of external audit?
The objective of external audit is for the auditor to express an opinion on the truth and fairness of IT operations.

Doubt? From information security point of view, developer role should not access production environment especially data. Meanwhile what is the job role for engineers? Seems the job role very messes.

Headline News: https://www.bbc.com/news/technology-47653656

Internet censorship versus Dark Web – 2019

Preface: Have you heard Internet censorship in South Korea?
https://en.wikipedia.org/wiki/Internet_censorship_in_South_Korea

Synopsis: This news seems make people nervous. The fact is that most of the people concern about the freedom of speech. Perhaps this topic not included in this discussion.
Let’s take a look at the recent activities.

  1. Japan is going to execute infiltration to citizens smart home devices on Feb 2019. The goal is hardening the cyber security in their country side.
  2. Internet censorship in South Korea.
  3. The new regulations on China’s Cybersecurity Law on November 2018 grant China cyber security agencies (the legal authority) to conduct remote testing of any Internet-related business operating in China.

Analytic based on current circumstances:
Internet censorship or so-called internet surveillance is a mandatory action for each regime soon. Perhaps such mechanism can’t avoid the illegal activities growth since criminals relocate their playground to other area.
What is that place? It is the dark web.

More than 617 million stolen accounts from 16 hacked websites are supposedly for sale. And believed that this is a possible way to enhance preventive and detection control. What’s your opinion?

2019 headline news – a data breach may impact nearly 2.4 million Blur users

Preface: Data breaches continue to be a threat to consumers. Many companies were hacked and likely had information stolen from them since January 2017.

Headline news Jan 2019:  Abine announced that they learned on 13th December 2018 that a file containing information from customers who had registered prior to January 2016 was exposed online.

Who is Abine? Abine is a Boston-based privacy company. Led by consumer protection, privacy, and identity theft experts.

Official findings of data breaches: The file was in a “mis-configured Amazon S3 storage bucket that was being used for data processing.

User Tips: AWS code of law

  • You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn’t support Block Public Access settings on a per-object basis.
  • When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions.

Should you have interest to know more details, please refer to official announcement: https://www.abine.com/blog/2018/blur-security-update/