Preface: I still remember, from when I worked in a banking environment, that the Visa and MasterCard payment solutions did look secure. Those facilities ran on standalone machines and spoke IBM SDLC. To communicate with the S/390 mainframe we set up Data Link Switching (DLSw) on the network switches and defined VTAM major nodes on the mainframe. Can we say that the invention of the Internet has put the world in jeopardy? Yes, it has.
Incident details: MasterCard said it was investigating a data breach of a loyalty program in Germany. About 90,000 personal records were stolen; the final figure may not have been settled yet, but the leaked personal data is reportedly already being sold on the darknet. When we manually reviewed the site's source it showed a number of weaknesses on the backend server; for instance, the backend runs a vulnerable Apache version. So I wonder whether an attacker could have exploited CVE-2017-3167 to bypass authentication on the front-end web server and then steal the data. A caveat for anyone testing this theory: CVE-2017-3167 (fixed in httpd 2.2.34 and 2.4.26) only yields a bypass when a third-party module calls ap_get_basic_auth_pw() outside the authentication phase, so a vulnerable version number alone does not prove that this path was used.
Background: Apache Spark is tailor-made for the big data industry. Spark's advanced DAG (directed acyclic graph) execution engine can operate in standalone mode or as a cloud service.
Synopsis: Spark supports encrypting temporary data written to local disks. This covers shuffle files, shuffle spills and data blocks stored on disk (for both caching and broadcast variables). It does not cover encrypting output data generated by applications with APIs such as saveAsHadoopFile or saveAsTable, and it may not cover temporary files created explicitly by the user.
Vulnerability details: The vulnerability is a cryptographic issue in the affected software that allows user data to be written to the local disk unencrypted in certain situations, even when the spark.io.encryption.enabled property is set to true. In other words, enabling the property is not sufficient on its own; until the affected Spark version is upgraded, the executors' local disks should be treated as holding plaintext.
Security focus: This vulnerability is not categorised as critical, but the actual risk depends on the system architecture and on the classification of the data. For instance, if a machine learning function runs on top of a public cloud compute farm, strict access restrictions on the Spark infrastructure (the worker nodes and the storage backing their local disks) must be applied.
Preface: Even if your company installs a full set of cyber defence mechanisms, more than 70% of those features are detective and preventive. Perhaps a SIEM can take a predictive role. You may have doubts, but it is factual.
Part B: Cyber Attack Groups & Commonly Used Malware
Group names: APT3, APT33, Dragonfly 2.0 (Berserk Bear), Threat Group-3390, Lazarus Group, OilRig (APT34), Leafminer, Turla
Malware types: Chaos (malware), Linux Rabbit (malware), SpeakUp (Trojan backdoor), Xbash (malware), PoshC2 (an open-source remote administration and post-exploitation framework written in PowerShell), Emotet (malware)
SIEM definition – firing rule criteria (see below):
1. Failed attempts over a period of time
2. Large numbers of bad (non-existent) usernames
3. High number of account lockouts over a defined period of time
4. Unknown "appDisplayName" (for example a sign-in whose client is Active Directory PowerShell)
5. Ratio of login successes versus login failures per IP address
Remark: If your IT infrastructure is a cloud IaaS deployment, you will probably need to do this monitoring yourself; the provider secures the platform, but sign-ins to your tenant and your virtual machines are your responsibility.
If the above five items trigger your SIEM rules, even when the volume of activity is low, you need to watch whether the activity is sustained. Persistent low-volume activity of this kind most likely signals that an attack group has taken an interest in your company.
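The five criteria above, applied to constructed sign-in events, as an added example (this is not the page's code and not any SIEM vendor's rule syntax). The event fields imitate Azure AD sign-in logs, which is where the page's "appDisplayName" field comes from; the thresholds, the allow-lists, the user names and the IP addresses are assumptions to be tuned against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in the style of Azure AD sign-in logs.
# Nothing here is a real log line; 203.0.113.9 is a documentation address.
EVENTS = [
    # (timestamp, userPrincipalName, ipAddress, result, appDisplayName)
    ("2019-07-01T08:00:01", "alice@corp.example", "10.0.0.5", "Success", "Office 365 Exchange Online"),
    ("2019-07-01T08:00:10", "bob@corp.example", "10.0.0.6", "Failure", "Office 365 Exchange Online"),
    ("2019-07-01T08:00:12", "bob@corp.example", "10.0.0.6", "Success", "Office 365 Exchange Online"),
    # Slow password spray from one external IP: many usernames, few attempts each,
    # using a PowerShell client that never appears in this organisation's normal sign-ins.
    ("2019-07-01T08:01:00", "admin@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:02:00", "root@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:03:00", "test@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:04:00", "alice@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:05:00", "alice@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:05:30", "alice@corp.example", "203.0.113.9", "Lockout", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:06:00", "bob@corp.example", "203.0.113.9", "Failure", "Azure Active Directory PowerShell"),
    ("2019-07-01T08:06:30", "bob@corp.example", "203.0.113.9", "Lockout", "Azure Active Directory PowerShell"),
]

KNOWN_USERS = {"alice@corp.example", "bob@corp.example"}          # assumed directory contents
KNOWN_APPS = {"Office 365 Exchange Online", "Office 365 SharePoint Online"}  # assumed allow-list

# Illustrative thresholds (assumptions; tune them to your own baseline).
WINDOW = timedelta(minutes=10)
MAX_FAILURES = 5                   # rule 1: failures from one IP inside WINDOW
MAX_BAD_USERS = 3                  # rule 2: distinct non-existent usernames from one IP
MAX_LOCKOUTS = 2                   # rule 3: lockouts inside WINDOW, tenant-wide
MIN_ATTEMPTS, MAX_RATIO = 5, 2.0   # rule 5: failures per success, per IP, once enough attempts exist


def parse(events):
    return [(datetime.fromisoformat(ts), user, ip, result, app) for ts, user, ip, result, app in events]


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def evaluate(raw_events, known_users=KNOWN_USERS, known_apps=KNOWN_APPS):
    """Apply the five firing rules; returns {rule_name: offending IPs/apps or a boolean}."""
    fails, bad_users, successes, apps = defaultdict(list), defaultdict(set), defaultdict(int), defaultdict(set)
    lockouts = []
    for t, user, ip, result, app in parse(raw_events):
        if result == "Failure":
            fails[ip].append(t)
            if user not in known_users:
                bad_users[ip].add(user)
        elif result == "Success":
            successes[ip] += 1
        elif result == "Lockout":
            lockouts.append(t)
        if app not in known_apps:
            apps[app].add(ip)

    return {
        "failed_attempts_window": sorted(ip for ip, ts in fails.items() if max_in_window(ts, WINDOW) >= MAX_FAILURES),
        "bad_usernames": sorted(ip for ip, users in bad_users.items() if len(users) >= MAX_BAD_USERS),
        "account_lockouts": max_in_window(lockouts, WINDOW) >= MAX_LOCKOUTS,
        "unknown_app": sorted(apps),   # every appDisplayName outside the allow-list
        "fail_success_ratio": sorted(
            ip for ip in set(fails) | set(successes)
            if len(fails[ip]) + successes[ip] >= MIN_ATTEMPTS
            and len(fails[ip]) / max(successes[ip], 1) > MAX_RATIO
        ),
    }


if __name__ == "__main__":
    for rule, hit in evaluate(EVENTS).items():
        print(f"{rule}: {hit}")
```

Note that the benign traffic (the first three events) trips none of the rules, while the spray from 203.0.113.9 trips all five even though it never exceeds one attempt per minute; that is the "continuity" the remark above asks you to watch for.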
Preface: The invention of the IoT sensor looks like the contingent driving the smart city. At the same time, the Python programming language gives life to the Internet of Things.
Security focus: Even when IoT devices and their back-end facilities deploy TLS certificates, that alone cannot prevent data leakage caused by a flaw in the client-side code (in this case, how the HTTP client handles redirects).
Vulnerability details: The vulnerability exists because the affected software does not remove the HTTP Authorization header when following an HTTPS-to-HTTP redirect to the same hostname, so user credentials may be transmitted in clear text. A successful exploit could allow an attacker who can observe or redirect the plaintext traffic to obtain sensitive information, such as user credentials and web server information. For more details, please refer to the attached diagram.
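An added Python model of the flaw (not the page's own code, and not the source of any particular HTTP client library): a redirect-following client whose header-rebuild step is shown with the vulnerable policy and with the hardened one. The hostnames, the redirect chain and the Basic credential are constructed.

```python
from urllib.parse import urlsplit

# Constructed redirect chain: the back end answers the HTTPS endpoint with a 301 to
# the same host over plain HTTP, then serves the resource. Hostnames are dummies.
RESPONSES = {
    "https://sensor-api.example/v1/telemetry": (301, "http://sensor-api.example/v1/telemetry"),
    "http://sensor-api.example/v1/telemetry": (200, None),
    "https://sensor-api.example/v1/config": (302, "https://sensor-api.example/v2/config"),
    "https://sensor-api.example/v2/config": (200, None),
}
CREDENTIAL = "Basic ZGV2aWNlOnMzY3IzdA=="   # dummy device credential (device:s3cr3t)


def vulnerable_rebuild(headers, old_url, new_url):
    """The behaviour described above: credentials are dropped only when the host
    changes, so an https -> http redirect on the same host keeps Authorization."""
    new = dict(headers)
    if urlsplit(old_url).hostname != urlsplit(new_url).hostname:
        new.pop("Authorization", None)
    return new


def hardened_rebuild(headers, old_url, new_url):
    """Drop Authorization when the host changes OR the scheme is downgraded from https to http."""
    new = dict(headers)
    old, target = urlsplit(old_url), urlsplit(new_url)
    downgraded = old.scheme == "https" and target.scheme == "http"
    if old.hostname != target.hostname or downgraded:
        new.pop("Authorization", None)
    return new


def fetch(url, headers, rebuild, responses=RESPONSES, max_redirects=5):
    """Follow redirects with the given header-rebuild policy. Returns one
    (scheme, authorization_sent) pair per hop so you can see where the credential went."""
    transcript = []
    for _ in range(max_redirects + 1):
        transcript.append((urlsplit(url).scheme, "Authorization" in headers))
        status, location = responses[url]
        if status // 100 != 3:
            return transcript
        headers = rebuild(headers, url, location)
        url = location
    raise RuntimeError("too many redirects")


def leaked_over_http(transcript):
    """True if any hop would have carried the credential over plaintext HTTP."""
    return any(scheme == "http" and auth_sent for scheme, auth_sent in transcript)


if __name__ == "__main__":
    headers = {"Authorization": CREDENTIAL, "User-Agent": "iot-sensor/1.0"}
    for name, policy in (("vulnerable", vulnerable_rebuild), ("hardened", hardened_rebuild)):
        hops = fetch("https://sensor-api.example/v1/telemetry", headers, policy)
        print(name, hops, "LEAK" if leaked_over_http(hops) else "ok")
```

A production client should also treat a change of port as a change of origin, and the hardened policy still re-sends the credential on https-to-https redirects within the same host, which is the intended behaviour for the config chain above.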
Preface: Stolen account information of nearly 750 million users was put up for sale on the dark web after hackers breached 24 popular websites. The stolen data, released in two batches, includes names, email addresses and hashed passwords.
Description: A spear-phishing email with a URL to an archive file containing a .lnk file can mislead the recipient into becoming a victim. A Windows shortcut can carry an arbitrary command line, so opening it runs whatever the attacker placed there; the recipient notices nothing, and the data thief steals the data in silence.
Fileless malware advisory: Microsoft is alerting that a new type of fileless malware (Astaroth) has been found. It can be installed on victims' PCs without dropping an executable. The Microsoft Defender ATP Research Team detected Astaroth campaigns in May and June 2019. The Canadian Centre for Cyber Security issued a report this week with prevention guidance. This malware is capable of evading defensive mechanisms. If you are interested in the report, please refer to the following URL – https://cyber.gc.ca/en/alerts/fileless-malware-advisory
Preface: If the victim was not negligent, can we excuse him?
Company background: Orvibo is a Chinese smart home solutions provider.
The story begins: A technical report showed the world that Orvibo's ElasticSearch cluster leaked more than two billion user logs containing sensitive customer data from countries all over the world. Was the admin using an easy-to-guess password, or…
Impact: Damaged reputation for the company only? Probably more: GDPR penalties, phishing scams, etc. Most customers are likely unaware, which makes it easier for the attacker to hunt victims, because criminals will impersonate them using the stolen personal information.
If you are aware that your personal information was stolen in the above incident, what should you do?
Since the hackers know your personal details, they will use your information to conduct criminal activities on other public media. Our suggestion is that changing your password, updating virus signatures or patching the OS is not enough. You must watch your mailbox to see whether scam mail activity grows rapidly after this incident. If it does, contact your email service provider and ask for their recommendations.
Synopsis: This news seems to make people nervous. The fact is that most people are concerned about freedom of speech; perhaps that topic is outside this discussion. Let's take a look at the recent activities.
Japan is going to attempt logins to its citizens' Internet-connected home devices starting in February 2019. The goal is to harden cyber security on the country's side.
Internet censorship in South Korea.
The new regulations under China's Cybersecurity Law, effective November 2018, grant China's cyber security agencies (the legal authority) the right to conduct remote testing of any Internet-related business operating in China.
Analysis based on current circumstances: Internet censorship, or so-called Internet surveillance, will soon be a mandatory action for every regime. Such mechanisms cannot stop the growth of illegal activity, though, since criminals relocate their playground elsewhere. Where? The dark web.
More than 617 million stolen accounts from 16 hacked websites are reportedly for sale. Some believe that surveillance of this kind is a possible way to enhance preventive and detective controls. What is your opinion?
Preface: Data breaches continue to be a threat to consumers. Many companies have been hacked, and have likely had information stolen from them, since January 2017.
Headline news, January 2019: Abine announced that it learned on 13 December 2018 that a file containing information from customers who had registered prior to January 2016 was exposed online.
Who is Abine? Abine is a Boston-based privacy company led by consumer protection, privacy and identity theft experts.
Official findings of the data breach: The file was in a "mis-configured Amazon S3 storage bucket that was being used for data processing".
User tips (from the AWS documentation on Amazon S3 Block Public Access): You can enable Block Public Access settings only for buckets and AWS accounts. Amazon S3 doesn't support Block Public Access settings on a per-object basis. When you apply Block Public Access settings to an account, the settings apply to all AWS Regions globally. The settings might not take effect in all Regions immediately or simultaneously, but they eventually propagate to all Regions. An account-level setting with all four options turned on neutralises existing public ACLs and public bucket policies as well as blocking new ones, so for an account that predates the feature's release in November 2018 it is the quickest way to close a mis-configured bucket like the one above; after that, check each bucket's ACL and policy status rather than trusting that nothing slipped through.
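An added audit example (not Abine's, AWS's or the page's own code) showing how the four Block Public Access settings interact with a bucket's existing ACL and policy. The inventory is constructed in the shape of the boto3 responses of get_public_access_block(), get_bucket_acl() and get_bucket_policy_status(); bucket names and the canonical ID are dummies, no AWS account is contacted, and a bucket with no PublicAccessBlock configuration is assumed to behave as if all four settings were false.

```python
# Constructed inventory; nothing here is read from a real account.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
FULL_BLOCK = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}
OWNER = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"}
ALL_USERS_READ = {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                  "Permission": "READ"}

INVENTORY = {
    # The pattern from the story: a scratch bucket for data processing with a
    # public-read ACL and no Block Public Access configuration at all.
    "data-processing-scratch": {
        "PublicAccessBlockConfiguration": None,
        "Grants": [OWNER, ALL_USERS_READ],
        "PolicyStatus": {"IsPublic": False},
    },
    # Same sloppy ACL, but the block is on: S3 ignores the public grant.
    "same-acl-but-blocked": {
        "PublicAccessBlockConfiguration": FULL_BLOCK,
        "Grants": [OWNER, ALL_USERS_READ],
        "PolicyStatus": {"IsPublic": False},
    },
    # Public bucket policy with only the ACL-related settings turned on.
    "website-assets": {
        "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                           "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Grants": [OWNER],
        "PolicyStatus": {"IsPublic": True},
    },
    "private-logs": {
        "PublicAccessBlockConfiguration": FULL_BLOCK,
        "Grants": [OWNER],
        "PolicyStatus": {"IsPublic": False},
    },
}


def public_acl_permissions(grants):
    """Permissions granted to the AllUsers / AuthenticatedUsers groups."""
    return sorted(g["Permission"] for g in grants
                  if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in PUBLIC_GRANTEES)


def effective_exposure(bucket):
    """How the bucket is reachable by anyone once Block Public Access is taken into account."""
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    findings = []
    perms = public_acl_permissions(bucket["Grants"])
    # IgnorePublicAcls makes S3 disregard public ACL grants; BlockPublicAcls only
    # rejects *new* public ACLs, so on its own it does nothing for a grant that already exists.
    if perms and not pab.get("IgnorePublicAcls", False):
        findings.append("public-acl:" + ",".join(perms))
    # RestrictPublicBuckets limits a bucket with a public policy to the account's own
    # principals and AWS services; BlockPublicPolicy only rejects new public policies.
    if bucket["PolicyStatus"]["IsPublic"] and not pab.get("RestrictPublicBuckets", False):
        findings.append("public-policy")
    return findings


def missing_block_settings(bucket):
    """Which of the four settings still need to be turned on for this bucket."""
    pab = bucket.get("PublicAccessBlockConfiguration") or {}
    return sorted(name for name in FULL_BLOCK if not pab.get(name, False))


def audit(inventory):
    return {name: {"exposure": effective_exposure(b), "missing": missing_block_settings(b)}
            for name, b in inventory.items()}


# Remediation with the real AWS CLI (shown as comments, not executed here; 123456789012 is a placeholder):
#   aws s3api put-public-access-block --bucket data-processing-scratch \
#     --public-access-block-configuration \
#     BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
#   aws s3control put-public-access-block --account-id 123456789012 \
#     --public-access-block-configuration \
#     BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true

if __name__ == "__main__":
    for name, result in audit(INVENTORY).items():
        print(name, result)
```

The point of the two "same ACL" buckets is that the grant itself never changed; only IgnorePublicAcls decides whether S3 honours it, which is why the account-level switch closes old mistakes without touching every bucket's ACL first.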
Looking back over the last decade, the keyword "vulnerability" seemed like a stranger to us. That has changed today. Design vulnerabilities exist, without a doubt. They are the by-product of cost-effective solutions, market competition (short development life cycles) and the drive to satisfy human wants.
Design technique – Wear leveling (also written wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media, flash memory in SSDs in particular.
Design limitation – Wear leveling does not guarantee that an old copy of updated data is fully removed. Because the updated data is written to a new segment, old versions of the data may remain in the previous segment for some time after the update (until that segment is overwritten), which is why overwriting a file from the host does not reliably sanitise it.
Remark: Consumer Notice regarding Samsung SSDs – https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/
Impact – There is a possible path for a data thief to collect and read the data through a physical attack (reverse engineering the drive and its firmware) despite the encryption. It is a vulnerability in the hardware encryption method. If the drive's self-encryption cannot be relied upon, add software full-disk encryption on top of it rather than trusting the hardware alone.
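A toy model of the wear-leveling limitation described above, added here as an example; it is not any vendor's firmware and deliberately ignores erase blocks, spare area and the real mapping structures. It keeps the one property that matters for the argument: a logical block is never updated in place, so the host's "overwrite" creates a new copy and leaves the old one readable to anyone who dumps the flash chips until garbage collection reclaims it.

```python
class WearLevelledFlash:
    """Toy log-structured flash: every write lands on the next free physical page
    and the logical-to-physical map is repointed; nothing is erased in place."""

    def __init__(self, pages=8):
        self.pages = [None] * pages   # raw physical pages, as a chip-off read would see them
        self.mapping = {}             # logical block address -> physical page index (host view)
        self.next_free = 0

    def write(self, lba, data):
        if self.next_free >= len(self.pages):
            raise RuntimeError("no free pages; run garbage_collect()")
        self.pages[self.next_free] = (lba, data)
        self.mapping[lba] = self.next_free
        self.next_free += 1

    def read(self, lba):
        """What the host sees: only the latest version."""
        return self.pages[self.mapping[lba]][1]

    def raw_copies(self, lba):
        """What an attacker reading the flash directly sees: every version still present, oldest first."""
        return [page[1] for page in self.pages if page is not None and page[0] == lba]

    def garbage_collect(self):
        """Copy live pages forward and erase the rest; only now do the stale copies disappear."""
        live = [self.pages[self.mapping[lba]] for lba in sorted(self.mapping)]
        self.pages = live + [None] * (len(self.pages) - len(live))
        self.mapping = {lba: i for i, (lba, _) in enumerate(live)}
        self.next_free = len(live)


def overwrite_demo():
    """The host stores a secret, then 'wipes' it by overwriting the same logical block twice.
    Returns (host view, raw copies before GC, raw copies after GC)."""
    flash = WearLevelledFlash()
    flash.write(0, b"SECRET-KEY")
    flash.write(1, b"other data")
    flash.write(0, b"\x00" * 10)   # host-side "secure delete", pass 1
    flash.write(0, b"\xff" * 10)   # pass 2
    host_view = flash.read(0)
    before_gc = flash.raw_copies(0)
    flash.garbage_collect()
    after_gc = flash.raw_copies(0)
    return host_view, before_gc, after_gc


if __name__ == "__main__":
    host_view, before_gc, after_gc = overwrite_demo()
    print("host reads:", host_view)
    print("physical copies before GC:", before_gc)   # the secret is still there
    print("physical copies after GC:", after_gc)
```

This is the reason sanitising flash media relies on the drive's own erase commands or on having encrypted the data from first use (so that discarding the key destroys every stale copy at once), not on host-side overwrite passes.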