Category Archives: Network (Protocol, Topology & Standard)

SS7 flaw make two factor authentication insecure – Reveal the veil

Preface:

Two factor authentications claimed itself that it is a prefect security solution. No matter online banking transaction, Bitcoin wallet, e-trading business system and application system which concern the data privacy are willing to apply two factors authentication.

The overall comments for two factor authentication on the market

Let’s take a review in below cyber security incident records

  1. Cyber Criminals stolen Bitcoin in electronic Wallets by counterfeit two factor authentication SMS messages.A investment trader so called night owl. He was notified the passwords had been reset on two of his email addresses on 11th Aug 2016. He losses among the largest in his bitcoin investment. The venture capitalists (Bo Shen) he had value of US$300,000 electronic money (Augur REP tokens) stolen by hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (US base world biggest bitcoin exchange) observed that a double growth of cyber heist among it customers during November to December 2016.
  2. Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January 2017. Meanwhile the attackers use SS7 vulnerability to intercept and redirect mTANs ( mobile transaction authentication numbers) sent by banks in Germany to authorize transfers payment out of victim accounts.

The clarification of two factor authentication criteria

Two factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is send one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on above matter?

What if my situation in regards to key terms “something you are” function replace by a hardware token. In this scenario, my hardware authentication token will be synchronized in the 1st round of registration to RSA ACE server. Thereafter the dependence of the hardware token depends on a element (timing). This setup compliance to 2FA definition. In the sense that it did not involve SMS message. So the 2FA still trustworthy, right?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

SS7 design fundamental is going to trust any request.  We known that JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. And therefore counterfeit SMS message will more easier (see below information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. It looks that such remediation step not effective to avoid insider threats.

Nokia safeguard network operation effectiveness

The fundamental of SS7 signal system is operate in a private network, meaning that cyber criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access.However there is another vulnerability on ASN.1. That is ASN.1 Compiler flaw leads to Network vulnerability. As such , hacker explore the back door on SS7 not only targeting to their internal staff. It might have possibility allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile java language fully compatible with SS7 protocol stack and platform. Oops! Do you think a design weakness will be happen in this place?

Hacker might reading shared memory data using Java . Program source that is written by C++.

Hacker can create a method in Java to read or write on shared memory. Hacker might have way relies on Java SS7 benefits hook to sharing memory process. As a result, it compromise the machine. It can send SMS to anyone or anywhere includes communicate with other Telco vendor. It is the most concern and dangerous way.

Conclusion:

From technical point of view, 2FA (Two factor authentication) still a secure method for authentication. It looks that the flaw given by SS7 signaling system instead of 2FA itself. Since 2FA not limit to SS7 to conduct authentication. You are allow to use other alternative. Guys do not worry too much.

Information supplement 1: Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. Below javascript sample is the pass along message implementation programming syntax for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */

public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
 public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

static final int _INDEX_F_MessageType = 0;
 private ISUPMessage embedded;
 /**
 *
 * @param source
 * @throws ParameterException
 */
 public PassAlongMessageImpl() {
 super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
 }



public MessageType getMessageType() {
 return _MESSAGE_TYPE;
 }

@Override
 public void setEmbeddedMessage(ISUPMessage msg) {
 this.embedded = msg;
 }

@Override
 public ISUPMessage getEmbeddedMessage() {
 return embedded;
 }

public boolean hasAllMandatoryParameters() {
 return this.embedded == null ? false: this.embedded.hasAllMandatoryParameters();
 }

@Override
 public int encode(ByteArrayOutputStream bos) throws ParameterException {
 if(this.embedded!=null){
 throw new ParameterException("No embedded message");
 }

//encode CIC and message type
 this.encodeMandatoryParameters(f_Parameters, bos);
 final byte[] embeddedBody = ((AbstractISUPMessage)this.embedded).encode();
 // 2 - for CIC
 bos.write(embeddedBody, 2, embeddedBody.length - 2);
 return bos.size();
 }

@Override
 public int decode(byte[] b, ISUPMessageFactory messageFactory,ISUPParameterFactory parameterFactory) throws ParameterException {
 int index = 0;
 //decode CIC and PAM message type.
 index += this.decodeMandatoryParameters(parameterFactory, b, index);
 byte targetMessageType = b[index];
 this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
 //create fake msg body
 byte[] fakeBody = new byte[b.length-1];
 System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
 index+=((AbstractISUPMessage)this.embedded).decode(fakeBody, messageFactory, parameterFactory)-2;
 return index;
 }



// Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
 protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected int getNumberOfMandatoryVariableLengthParameters() {
 // TODO Auto-generated method stub
 return 0;
 }

protected boolean optionalPartIsPossible() {

throw new UnsupportedOperationException();
 }

}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design! For more detail, please refer below:  

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

 

21st century kill chain (logic bomb, cyber bomb and ransomware)

Preface

The 21st century is the current century of the Anno Domini era, in accordance with the Gregorian calendar. It began on January 1, 2001 and will end on December 31, 2100. It is the first century of the 3rd millennium.

We can’t tolerate cyber attack happen in election again, President said.

https://www.washingtonpost.com/graphics/2017/world/national-security/obama-putin-election-hacking/?utm_term=.777d18938599

Headline news told that former president Obaman intend to use new technique to reduce other country especially Russia engage the cyber attack to USA during 2016 election of president. The solution is that activate a cyber bomb technique. But this idea did not action yet.

What is a logic bomb?

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. The technical term so called slag code.

What is slag code?

It is not a virus, but works in a similar pattern. From technical point of view, slag code sounds like a set of instructions inserted into a program that are designed to execute the target action (sounds like “explode”).

Scenario – The technical term so called network exploded. The result of this explosion contains delete data ,corrupt data or have other harmful effects.

Concept:

Below  example (Picture A) shown that only implement a simple command syntax to a windows workstation. The process will consume all the CPU resources until windows OS shutdown. This is the concept idea of a slag code. Do you think similar attack concept can whether be affect the services provider network equipment?

Picture A – slag code

How powerful of the cyber bomb, is it possible?

Above concept can show you that your workstation execute a slag code and result not operation properly. The service get back normal until reboot. What if, the telecommunication services provider receive the slav code crafted by expert. What’s the worst situation is?

Logic Bomb 

Logic Bomb 1 – infectious media (malware)

The logic bomb goal to achieve a destructive result. The infectious media relies on malware. The malware structure will  be consists of a executable file ( Agent.exe ). This file is for triggered the wiping function. Besides this file contains a hex string. For example – a hex string display 65B417D8. When we convert the hex code to numeric value, it indicate that this is the date and time of the attack to begin (June 30, 2017 at 2pm local time (2017-6-30 14:00:00)). As soon as the internal system clock on the machine hit 14:00:01, the wiper (agent) was triggered to overwrite the hard drive and master boot record on Microsoft OS of machines and then reboot the system. The malicious code can access and compromise Windows-based systems inside the industrial control network. After a Windows system has been infected, the weapon would be stealthy enough to evade IT security controls while it searches for a target system

Logic Bomb 2 – A persistent attack (the packets being constantly injected)

A persistent attack occurs when the attacker would put bad packets into a router and it would lead to vulnerabilities being exploited/revealed during the process. Significant damage can occur during this attack because packets would be flooded into the router and can end up suspend the routing function.

Remark: These attacks are very complicated to detect.

Logic Bomb 3 – The mistrating attacks

The mistreating attacks can be caused indirectly by directing an irresistible number of packers to the target victim address. Let the victim (router and network) isolated. In the means that the network services will be suspended.

 

Cyber warfare arsenal (major weapon)

Ransomware

Since this topic we discussed in past , for more details, please see below URL for reference.

The other side of the story on cyber attack (Electronic war between countries)

Informaiton Supplement  – BGP hijack attack

Below idea show a rogue AS falsely advertises a shorter path to reach a prefix P, which causes other AS’es to route traffic destined to the prefix P through the shorter path.

 

There are four AS’s: AS1, AS2, AS3 and AS4 (rogue).

Each routing daemon’s peers are shown using connections:

  1. Router 1 peers with router 2 and router 4.
  2. Router 2 peers with router 1 and router 3.
  3. Router 3 peers with router 4.

 1 – Show router 1 routing entries

BGP table version is 0, 
local router ID is 9.0.0.1

Network Next Hop Metric LocPrf Weight Path
1.0.0.0 0.0.0.0    0           32768  i
2.0.0.0 9.0.0.2    0               0  2 i
3.0.0.0 9.0.0.2                    0  2 3 i

Reminder A: On AS1, the chosen AS path to reach 3.0.0.0/8 is “2 3” (i.e., via AS2 and AS3).

2: Start the rogue AS, the rogue AS will connect to AS1 and advertise a route to 3.0.0.0/8 using a shorter path (i.e., a direct path from AS1 to AS4). Thus, AS1 will choose this shorter path by default.

3. Show router 1 routing entries again

BGP table version is 0, 
local router ID is 9.0.0.1 

Network Next Hop Metric LocPrf Weight Path 
1.0.0.0 0.0.0.0     0           32768 i
2.0.0.0 9.0.0.2     0               0 2 i
3.0.0.0 9.0.4.2     0               0 4 i
        9.0.0.2     0                 2 3 i

We can see AS4’s chosen path and also AS3’s path in the routing information base of AS1.
Since the AS path length to reach 3.0.0.0/8 is smaller through AS4, router 1 chooses AS4 as its next hop.

From technical point of view, it successfully hijack the traffic in BGP network. We known internet routing protocol is using BGP. No suprise, this is only a basic theory. More complex and advance technique is under develop by different countries.
See who show his power to the world.

Observation:

On our discussion of this topic, I am not going to input key word conclusion on the end of page this time. As we know, above items is my speculation. Believed it or not , the cyber attack atmosphere looks similar with discussion in past.

But bear in mind that any product includes cyber weapon require test and pilot run. These rehearsal looks mandatory since it is hard to foreseen the overall damage effect (including the response of the countries). On the other hand it is a test to know the actual system specification in hostile country. It compared to traditional way become more effective! Hire a spy infiltrate to hostile country is not the way today. Do you agree?

I am going to write more interested topics. Hope you will be interest. See you. Have a nice weekend.

 

 

 

 

 

 

 

 

Who spying on me? Da Vinci or Archimedes?

Preface:

Archimedes’ principle is a law of physics fundamental to fluid mechanics.

Leonardo Da vinci  is widely considered one of the most diversely talented individuals ever to have lived.

Since they are the famous scientists. They dedicate their inventions to the world. But we known the infamous tools in cyber world for the government surveillance program. The most famous eavesdropping feature type of malware. Those surveillance tools make use of similar naming convention. From general point of view, it looks that it is not respect of these two great scientists!

About  Da vinci  Spy tools

A powerful spy software developed by Italian hack team, the tool benefits to track a person’s calls and other communications in real-time.  This tools only sell to law enforcement or government agent. Italian Hacking Team was hacked by other hacker group on 2015. More than 400GB of data, including source code, internal documents and emails that could reveal the identity of customers display on embedded torrent file share link. A rumors were told that Italian hack team blamed their customer unethical collect their technology and hack them.

About Archimedes tool

We all known tool used by the CIA named “Archimedes”  open to the world through WikiLeaks on 5th May 2017. Archimedes developed by CIA engineering development Group. The project code so called UMBRAGE project.  It is a interested project code name. The definition of Umbrage means offense; annoyance; displeasure: to feel umbrage at a social snub; to give umbrage to someone; to take umbrage at someone’s rudeness.

Technology

 Da vinci  Spy tool

Da vinci spy tool relies on JAR (Java ARchive) , Microsoft Office and Adobe Flash Player design limitation as a infection media to fulfill their remote control system (RCS) criteria (see below). A more advance technique of tool easy to fool the cyber defense mechanism since this is a unknown attack (zero day) and therefore it will be more easily to spread out the spyware fulfill their objective.

1. Self-signed JAR
2. CVE-2012-4167: Integer overflow in Adobe Flash Player
3. CVE-2010-3333: Stack-based buffer overflow in Microsoft Office
4. CVE-2012-5054: Integer overflow in the copyRawDataTo method in the Matrix3D class in Adobe Flash Player
5. CVE-2012-1682: Unspecified vulnerability in the Java Runtime Environment (JRE)
6. CVE-2013-0633: Buffer overflow in Adobe Flash Player

Archimedes

Archimedes is an update to Fulcrum 0.6.1. The design objective of Fulcrum. Fulcrum will direct a target machine’s HTTP client traffic to the URL of the attacker’s choice. The technique involves ARP Spoofing to Get In the Middle and HTTP Traffic Injection. The simple conceptual idea shown in below picture.

Archimedes (Fulcrum 0.6.2) focus windows OS with high flexibility. The attacker can execute Fulcrum as an EXE with Compiled Parameters. In order to avoid anti-virus program protection .The remote attacker can run as DLL with rundll32.exe with CommandLine Parameters. The tool itself is not sophisticated. Attacker can easy to get rid following files (f32.exe,f32.dll,fs32.exe,fs32.dll,f.cfg and f.log). The normal computer user do not know what is happen.

Capability and Flexibility

Da vinci  Spy tool:

Capability: small footprint,  unknown vulnerability (zero day)

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Archimedes :

Capability: small footprint,  similar normal application program service daemon

Flexibility: Antivirus program not easy to detect until vulnerabilities found by vendor

Similarity

Both spy tools (Da vinci  &  Archimedes (Fulcrum 0.6.2))are using inline hooking technique (see below).

However Archimedes (Fulcrum 0.6.2) looks develop infiltration technique from layer 2. For instance ARP cache poisoning.  Both spy tools entry point (infiltration) looks have differences! Da vinci more focus on layer 7 (application) and Archimedes run on layer 2. Seems it is hard to proof the integrity of the rumors (Italian hack team blamed their customer unethical collect their technology and hack them). But it is not the absolute answer. Let’s keep our eye open on wiki-leaks to know more!

 

Reference:

https://wikileaks.org/vault7/#Archimedes

 

Conduct self assessment enhance your cyber security setup

Preface:

Although your in house IT setup has SIEM, IDS, IPS, ..etc. But you may have questions? What is the defense criteria. Yes, we fully understand that install full scope of defense mechanism might mitigate the risk, right? Implement the IT strategic outsourcing.  Enforce the follow the Sun policy. Deploy the management security service.  But think it over, those defense mechanisms are involve human operation.  Perhaps the SLA agreement of your services provider promises 99.99 % response time. But cyber security incident handling method far away with normal IT operation framework. For instance, engage the forensic investigation sometimes consume time to isolate the problem. As a matter of fact, SLA looks like a value. The quicker you receive email reply or return phone call did not imply it boots up the value of cyber incident management.

Objective:

Now we look back the cyber incident history. The security experts and security analysis Guru are summarized the key factors of the weakness of IT infrastructure today. No matter how was the size of your firm. Below key elements can guide you to the appropriate approach.

Weaknesses of IT domain – Key elements

  1. Unauthenticated protocols
  2. Outdated hardware
  3. Weak user authentication
  4. Weak file integrity checks
  5. Vulnerable Windows operating systems
  6. Undocumented third-party relationships

If your firm is able to compliance above 6 items of key elements. I was say congratulation to you. But for the realistic point of view, I believed that it is not easy to archive. For instance, you application development team is going to enhance the application. However the application integrate with a legacy product. Furthermore the legacy product is retired of their product life cycle. You know what is the weakness and the vulnerabilities. As a matter of fact, it is not possible to inform your management team suspend the project process since this is a business objective. Similar fashion of  scenario you might encountered or familiar.  Any idea or resolution to resolve such business habit forming manner. Since all the final decision will be decide by CSO, CIO or coporate management team. But at least following hints can give more space to you for thinking of this subject matter.

Definition:

Use a security controls matrix to justify controls and identify the weakness of the specifics area. The design goal is that take the benefit of matrix table for simplification terms. Thus provide a straight forward path which can apply to the key objective area. Since we all tech guy and no need to mention in depth. For more details, please see below:

Base on the 6 key elements of weakness in overall IT Infrastructure. Below assessment tool can provides an overall idea to you which area of weakness encountered in your shop.

 

authenticated protocols Availability SSL or VPN (Ipsec) Change control policy
Router (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Switch (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Firewall (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Managed security service (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Cloud Farm (GUI access) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Outdated Hardware Still operate In-House hardware lifecycle policy
Router (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Switch (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Firewall (OS obsoleted) Yes(0)/No(1) Yes(1)/No(0)
Sever (Vendor support – End of Life) Yes(0)/No(1) Yes(1)/No(0)
PABX (CTI server) Yes(0)/No(1) Yes(1)/No(0)
Total score Full score (5) Full score (5)
user authentication ID asset management Single sign-on feature
Router Logon access Yes(1)/No(0) Yes(0)/No(1)
Switch Logon access Yes(1)/No(0) Yes(0)/No(1)
Firewall Logon access Yes(1)/No(0) Yes(0)/No(1)
Privileges ID Yes(1)/No(0) Yes(0)/No(1)
Application program service ID Yes(1)/No(0) Yes(0)/No(1)
Total score Full score (5) Full Score (5)
File integrity check Top Secret / Confidential Data Data classification Policy
Server Yes(1)/No(0) Yes(1)/No(0)
Web Application (External) Yes(1)/No(0) Yes(1)/No(0)
Web Application (Internal) Yes(1)/No(0) Yes(1)/No(0)
Database (DB) Yes(1)/No(0) Yes(1)/No(0)
Cloud farm Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
Vulnerability management Zero day & critical patch Incident management procedure
Router Yes(1)/No(0) Yes(1)/No(0)
Switch Yes(1)/No(0) Yes(1)/No(0)
Firewall Yes(1)/No(0) Yes(1)/No(0)
Server Yes(1)/No(0) Yes(1)/No(0)
Application Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)
3rd Party relationship Responsibilities (scope of works and support level of cyber security incident) Dedicated subject matter expert implement in this role
Management security services Yes(1)/No(0) Yes(1)/No(0)
Web Hosting Yes(1)/No(0) Yes(1)/No(0)
Application (Vendor service support token) Yes(1)/No(0) Yes(1)/No(0)
Hardware maintenance (services provider) Yes(1)/No(0) Yes(1)/No(0)
Network (MPLS, Frame-link, Internet line, Boardband..etc) Yes(1)/No(0) Yes(1)/No(0)
Total score Full score (5) Full score (5)

Achievement:

What is your over performance score on above matrix table?  If it is not suitable to your environment. No problem, please go ahead to modify the criteria and try to fit to your project scope. Even though external auditor engage the risk assessment they are using the same idea.  Good luck to all of you!

 

 

 

 

 

Part 2:Blockchain technology situation – Malware join to bitcoin mining

A moment of silence, prayer for the dead (Terrorist attack on the streets attack near U.K. Parliament 22nd Mar 2017)

A moment of silence, prayer for the dead 
Tragedy in Russia - Explosion in the St. Petersburg metro 3rd Apr 2017

Part 2: Blockchain technology situation – Malware join to bitcoin mining

We continuous the discussion topic on blockchain technology situation.  Part 1:Blockchain technology situation – A Tales of Two Cities The discussion on part 2 mainly focus on malware threats to bitcoin industry.  We understand that Bitcoin was designed to be uncensorable digital cash that could operate outside the existing financial system. As mentioned last time, it looks that the blockchain technology contained weakness on end point device (bitcoin owner workstation or mobile phone). Even though you deploy a proprietary wallet, the overall setup will become weakness once malware compromise your end point device. Below picture diagram bring an idea to reader of bitcoin wallet architecture, see whether you have different idea in this regard?

Bitfinex incident wakes up concern on endpoint security

More than US$60m worth of bitcoin was stolen from one of the world’s largest digital currency exchanges (Bitfinex) on 2nd Aug 2017. Nearly 120,000 units of digital currency bitcoin worth about US$72 million was stolen from the exchange platform Bitfinex in Hong Kong, said Reuters Technology News. Director of Community & Product Development for Bitfinex stated that the bitcoin was stolen from users’ segregated wallets. The investigation has found no evidence of a breach to any BitGo servers, said the representative of BitGo.

Since no evidence proof that security breach happened in that place but what is the possible cause?

An announcement posted by official group (Bitfinex), the company informed that there are going to secure the environment and bring down the web site and the maintenance page will be left up. From technical point of view, if  API and signing keys reside on servers. Hacker might have access with legitemate credential once a bitcoin wallet user workstation compromised.As a matter of fact if the webservice is hacked, bitcoin owner will lost the money (see above bitcoin wallet architecture comparison diagram for reference).

Our Observation

The weakness of Node.J.S trading API Framework.

The java script contain security weakness. It benefits hacker to understand the operation path. For instance

Client send his payload, his key, and the hmac of his payload with his secret key. Server retrieve user with his pk, recompute the hmac with the retrieved sk and then check if the computed hmac is equal to the retrieved hmac. (see below program syntax for reference).

 

From technical point of view, malware which contains steal private key or digital certificate function, they have capability transform to bitcoin malware. As usual, the infection technique relies on Spear phishing. The emails contained a malicious attachment with the file which contained a zero-day exploit. The exploit attacked multimedia software platform used for production of animations especially Adobe Flash to install a malware onto the victim’s computer.

Then malware obtained bitfinex private key and one of the following item.

i) bitgo’s private key

ii) bitfinex bitgo’s username and password and authy’s credentials (that allows the hacker to create new api access tokens and remove daily limits)

iii) bitfinex bitgo’s api access token

Or apply new keys gave to bitgo as new 2-3 internal bitfinex address. signed tx with bfx key, and “new key” that was just given. Meanwhile bypassing bitgo’s security checks.

Summary:

Above information detail is one of the example. It looks that quote a real incident can increase the visibility of the understanding.  Apart from that, discussion looks never ending. I believed that part 3 will be coming soon.

 

 

 

Advanced Persistent Threat (APT) miscellaneous outline

For the first time I heard the “Advanced Persistent Threat”, which, for me, was a hostile conspiracy between nations. Famous network events (see below) as proof of concept. What is the purpose of announcing the APT to the world?

2010 – The Stuxnet (ATP) is believed by many experts to be a jointly built American-Israeli cyber weapon,although no organization or state has officially admitted responsibility.

2011 – Defence contractor Lockheed Martin hit by advanced persistent threat to network (specifically related to RSA’s SecurID two-factor authentication products)

2011 – APT28 has used lures written in Georgian that are probably intended to target Georgian government agencies or citizens.

2013 – APT28 Targeting a Journalist Covering the Caucasus

2013 – Kimsuki malware (APT) targets critical infrastructures and Industrial control system (ICS) in South Korea

2013 – In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1).Alleged Chinese attacks using APT methodology between 2004 and 2013

*2014 – BlackEnergy APT group re engineer the black energy DDOS software. Deploy SCADA‐related plugins to the ICS and energy sectors around the world.

2015 – In August 2015 Cozy Bear was linked to a spear-phishing cyber-attack against the Pentagon email system causing the shut down of the entire Joint Staff unclassified email system and Internet access during the investigation. (Cozy Bear, classified as advanced persistent threat APT29)

2016 – Onion Dog, APT focused on the energy and transportation industries in Korean-language countries

APT (Advanced Persistent Threat) design definition

It is flexible and sustainable platform, demonstrating long-term use and versatility planning.

The common APT kill chain criteria (see below diagram for reference)

However, APT 28 runs differently. A complete attack scenario with APT28 has multiple malware stages, such as Sourface/Coreshell, Eviltoss, and Chopstick. APT28 malware could persuade a trusted user to open a malicious document that includes a Sourface downloader, which downloads the Chopstick second-stage malware. We believe that hacker use the spare phishing technique.

Terminology for reference:

CORESHELL:This downloader is the evolution of the previous downloader ofchoice from APT28 known as “SOURFACE” (or “Sofacy”). This downloader, once executed, create the conditions to download and execute a second-stage(usually Eviltoss) from a C2.
EVILTOSS: This backdoor is delivered through CORESHELL downloader to gain system access for reconnaissance, monitoring, credential theft,  and shellcode execution
CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility. By far Chopstick is the most advanced tool used by APT 28.

 

MIMIKATZ: Everyone of us knows this tool. In this case, this has been of devastating effects to completely compromise AD Forest

Fileless APT malware

MM Core APT: MM core is a file-less trojan

Trojan.APT.BaneChant targeted Middle Eastern and Central Asian organizations. The trojan is file-less, downloading its malicious code to memory to prevent investigators from extracting the code from the device’s hard drive.

Primary objective for advanced persistent threat

There are 2 different of objectives for advanced persistent threat till today.

Objective 1: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

Objective 2: An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes which targeted the computer hardware of nuclear facilities. The obj of the attack is try to suspend the services or mess up the operation causes destruction.

Infiltration outline
A typical scenario shown as below:
1. Attackers rename the exploit (say Titanium.zip, which takes advantage of a ZIP parsing vulnerability of the antivirus) to Titanium.wmf
2. Hold a webpage which contains <iframe src = Titanium.wmf>
3. Convince victims to visit this webpage.
4. While victims are browsing webpages, iron.wmf would be downloaded onto the victims’ computers automatically, without any user interaction.
5. If the auto-protect of the antivirus is on, the antivirus engine would parse Titanium.wmf  automatically, and then possibly get compromised immediately.
Detect: To perform a number of checks for installed security products on the victim machine. Check entries within the HKLM\Software\ registry path
The antivirus product represented by a value that is binary which might hints malware which brand of anti-virus install in victim machine (see below example):

0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360

FINGING VULNERABILITIES OF ANTIVIRUS
Basically there are four kinds of vulnerabilities seen in antivirus software:
Local Privilege Escalation
ActiveX-related
Engine-based
Management (Administrative) interface

KILL THE LOCAL ANTIVIRUS PROGRAM

For instance, A zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software.

Find zero day vulnerability compromise on victim workstation

The implant successful rate all depends on the patch management status on the workstation.

APT Malware callback

In order to avoid malware analyzer (FireEye, RSA ECAT) detect the malware callback to external CnC server. APT malware will compromise the legitimate website and then redirects the communication to the CnC server. This method can prevent malware analyzer deny the traffic to external command and control (C&C) servers.

Data Theft

The malware collects data on a victim host, then exfiltrate the data off the network and under the full control of the hacker. Hacker will erase all evidence after job complete. Since the host is compromised and therefore he can return at any time to continue the data breach.

Observation on 2017 1st quarter

Regarding to the consolidation of APT incidents, analysis reports so far.  It looks that the most efficient way to avoid APT incident happen is install a malware analyzer (FireEye, RSA ECAT) in your IT network campus. As a matter of fact, APT technique is a  advance technology which develop by country or technology group and therefore the greater possibility can break through End point defense mechanism. For instance antivirals program. However my comment is that Kaspersky is a prefect antivirus and malware defense vendor. May be he is one of he exception. However client might concern the company background (A group of developer from Russia). As we know, home users not possible to install the malware analyser. As such, I would suggest end user consider their decision when they are going to purchase antivirus program. Below matrix table not precise but can provide an idea to you which component is a the bottle neck to against APT attack.

APT (advanced persistent threat) kill chain relationship matrix table

Phase Detect Deny Disrupt Degrade Deceive Destroy
Reconnaissance 1. Managed security services
2. IDS
3. SIEM
Firewall
Weaponization End point defense (antivirus) End point defense (antivirus) queuing and loading
Delivery SIEM Proxy Srv End point defense (antivirus)
Exploitation malware analyzer Vendor Patch End point device
Installation End point defense (antivirus) malware analyzer 1. End point device
2. Malware analyzer
C2 1. malware analyzer
2. SIEM
malware analyzer malware analyzer DNS redirect
Actions 1. malware analyzer
2. SIEM
malware analyzer

Vulnerabilities in the old OLE2-based HWP file format – engages APT attacks to South Korea

North Korea’s rising ambition seen in bid to breach global banks

My reflection on CNBC News (North Korea’s rising ambition seen in bid to breach global banks) and written down comments below:

Preface:

The overall situation looks extreme today no matter political or commercial. From commercial area, enterprise try to monopolize on market. From country to country, conflicts of interest in natural resources. My personal feeling was that the ownership of the non develop areas better belongs to natural instead of country. For sure that not only limit to Antarctica! Above description not intend to divert (side-track) your attention. Since the terms benefits or interest change the whole world. Yes,  human being go for survival, money is the key factor. And such away create the criminal activities and conflict of interest.

Electronic age made the overall situation more complex

Electronic age made the overall situation more complex especially banking industry. The evidence was told that that even though Mira DDOS, IOT Botnet and Zombie types of cyber attacks not causes banking industries lost the money in their drawer. However the insider threats especially trojan and malware which lets the finanical institution lost huge amount of money (For instance Bangladesh heist). Furthermore cyber espionage infiltrate activities most likely relies on malware and Trojan. The best example can quotes is the Stuxnet malware. The goal of Stuxnet intend to disturb the operations of nuclear facilities in Iraq.

From technical point of view, malware belongs to monitor (surveillance) and control of tool. The huge group of survillaince program must utilize malware as a infection media. Sounds like the APT (advanced persistent threat) is the descendants of the malware.

The term kill chain was originally used as a military concept related to the structure of an attack; … Since then, the “cyber kill chain” has been adopted by data security organizations to define stages of cyber-attacks (see below picture diagram)

Regarding to the definition of APT show on wikipedia . An APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time.  From criminal activities point of view, hacker most likely will collect the credential, personal details and database in the long run. For the criminal case like steal the money in electronic payment system, it is rare on APT type of attack.

Does APT equal to criminal activities in commercial world?

Observation – FBI stated that SONY INTRUSION and banking environment insider threats (banking malware) are the conspiracy of the North Korea government.

Why do we believe the perpetrator is North Korea?

The official statements from the FBI and US-CERT found the malware and disclose their md5 hashes for reference.

Dropper = d1c27ee7ce18675974edf42d4eea25c6
wiper = 760c35a80d758f032d02cf4db12d3e55
Web server = e1864a55d5ccb76af4bf7a0ae16279ba
Backdoor = e904bf93403c0fb08b9683a9e858c73e

Since the attack target of this malware exactly Microsoft windows platform. Base on definition of fair proof, I select and highlight Microsoft information details for reference.

Microsoft Backdoor:Win32/Escad.AA!dha

This threat can give a malicious hacker access and control of your PC. They can then perform a number of actions, including downloading other malware. But as usual Microsoft’s not intend to provides the suspicious source IP address list.

Remark: Per Norse Corp information, the malware was signed with a compromised Sony certificate.

The cyber defense solution provider found more details of this malware on Sep 2013. The malware activities looks came from Jilin Province Network and Liaoning Province Network. The security expert believed that the command & control may came from North Korea. Since Jilin and Liaoning provides the Internet services to North Korea. This malware so called Kimsuki malware.

Transformation – file type format convert weaponized File format

Vulnerabilities in the old OLE2-based HWP file format

What is an HWP file?

HWP documents are document files specialized in the Korean language and OLE2based document format similar to Microsoft’s 97-2003 Microsoft document. The file format created by the South Korean company Hancom. HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government.

Design weakness of HWP files:

Para text is a data record type that stores the content of each paragraph in body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion scenario. When paired with an appropriate heap spray, this vulnerability can affect code execution.

Remark: In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.

2013 – Kimsuki malware design objective(OLE2-based HWP file format + APT) : Targets Critical Infrastructures and Industrial Control Systems (ICS)

2016 – Onion Dog, APT Focused On the Energy and Transportation Industries in Korean-language Countries

OnionDog malware is transmitted by taking advantage of the vulnerability of the popular office software Hangul in Korean-language countries, and it attacked network-isolated targets through a USB Worm. OnionDog APT targets Critical Infrastructures and Industrial Control Systems (ICS)

Overall comment:

Since North Korea ruler as a dictator control their country. Developing nuclear bomb,  test the missile looks show his power to the world. From psychological point of view, it is easy to understand his goal to enagaged APT attack. Since the dictator would like to emulate his imaginary enemy (USA) to destroy the nuclear power energy facilities from his enemy. However I remain to reserve my opinion that he is the lord behind the seen to engage the banking malware attack in foreign country except south Korea?

Reference to Korea CSIS report:

  1. 2011 – Denial-of-service(DDoS)attacks on websites, the first major cyber-attack attributed to North Korea was on April 12, 2011, which paralyzed online banking and credit card services of Nonghyup Agricultural Bank for its 30 million customers.
  2. 2013 – Advanced persistent threat campaigns, and employment of less sophisticated but sufficiently effective malware such as the Jokra wiper tool observed on March 20, 2013. South Korean media reports that North Korea has started to target smartphones as well.

For more detail, please refer to below url for reference.

What Do We Know About Past North Korean Cyber Attacks and T heir Capabilities ?

 

Apple icloud security burden – Webkit looks like a culprit! (Mar 2017)

Apple developers work hard on  iCloud security to improve the security. They are in an effort to encourage adoption of the two factor authentication standard. Since Apple device did a good job in end point device so far. And therefore it such a way reduces of inherent risks. However it is hard to avoid the vulnerability happen on application side since development source code is open. Apart from that it is hard to refuse the open source application deployment.

As we know a Apple release security patches on 23rd Jan 2017, a common vulnerability criteria focus on a web component. Yes, it is WebKit. Let start the story from scratch.  Be my guest. Let’s start the journey!

Why Use WebKit?

Some applications are full-featured browsers, but more often applications embed web content as a convenience, as in a custom document system. WebKit is a layout engine software component for rendering web pages in web browsers.

Since found a flaw on WebKit,  a rogue web page can crash the browser because all code runs in the same process. New version of webkit (Webkit2) enhance Safari architecture. It aim to avoid this design limitation. It enforce to separate the code into two different processes. That is User Interface and web page process maintain their specify process. Below detail shown that how Webkit 2 architecture improve the Safari process isolation feature.

 

As times goes by, Webkit features like a major component embedded in web browser (see below).

However it bring up cyber security world concern on 2012. A heap memory buffer overflow vulnerability exists within the WebKit’ JavaScriptCore JSArray::sort(…) method.

This design limitation accepts the user-defined JavaScript function and calls it from the native code to compare array items.
If this compare function reduces array length, then the trailing array items will be written outside the “m_storage->m_vector[]” buffer, which leads to the heap memory corruption. At this time, you may ask, does the webkit or webkit 2 design flaw only apply to Apple devices? I believe that it apply to all different brand name of vendors which make use of webkit or webkit2.

The exploit was due to an heap buffer overflow issue in JavaScriptCore JSArray::Sort() method. Below details of program syntax will bring you an idea in this regard.

Cyber attack transformation = Attack from local device to Virtual server machine.

Hacker looks exploits the vulnerability of WEBKIT, a weakness hints that hacker can transform the ROP(return oriented programming) as attack weapon. A technical article published by IEEE records the following scenario.

Important: An approach to attack on the Xen hypervisor utilizing return-oriented programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged or not and thus can escalate the privilege of an unprivileged domain (domU) at run time. As ROP technique makes use of existed code to implement attack, not modifying or injecting any code, it can bypass the integrity protections that base on code measurement. By constructing such kind of attack at the virtualization layer.

Sounds horrible on above matters! Why? If such hacker technique develop in advance. So the virtual machine run on cloud farm will become a victim.  Hey, same scenario looks possible happened in iCloud. The side effect is that it is not only compromise a single icloud container (single device), it effect the whole unit of icloud. Below IEEE technical article highlight is the proof of concept. If you are interest, please do a walk-through of this document highlight. I am afraid that this article might have copyright. And therefore not going to copy all the articles. Should you have any interest, please visit IEEE publisher web site to find out more.

A rumour concerning “rumblings of a massive (40 million) data breach at Apple.” Believe it or not? In the meantime, if you are the apple fans, you must re-confirm all the patches provided by Apple Corp.  Keep run don’t stop! For more details, please refer to below url for reference.

Reference:

iCloud for Windows 6.1.1

The latest software updates from Apple

 

 

 

 

 

 

 

 

 

 

 

DDOS never expire! A powerful tool for political and economic weapon (Part 1)

We heard DDOS term till 80’s. The foundation of attack given from network layer (OSI layer 3) till today application layer (OSI layer 7). Since 2010 a mobile computing trend leads BYOD (Bring your own device) terminology and carry out more serious distribution denial of services. A public DNS incident occured last year (2016) exposed IoT type style distribution denial of services. If you still remember , security expert forseen that ransomware  is going to replace DDOS soon. It looks that the statement not totally correct.  The truth is that cyber arsenal virtually categorizes the weapons into different categories (see below).

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
End user computing
1. DDOS (SYN Flood)
2. DOS (SYN Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (UDP Flood)
2. DOS (UDP Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS (ICMP Flood)
2. DOS (ICMP Flood)
Network layer (OSI layer 3) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Web applications vulnerabilities
2. DOS attack focused on Web applications vulnerabilities
Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
End user computing 1. DDOS attack focused on Operating system vulnerabilities
2. DOS attack focused on Operating system vulnerabilities
Application layer (OSI layer 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
Compromised web site, email phishing attached with file or url embedded malicious code Application layer (files and OS) – Attack trigger by ransomware which cause files lock (encrypted) 1. Operating system and files
2. End user computing
Bitcoin (money) Bring disruption to satisfy objective (focus on business world instead of political reasons)

Information supplement (BYOD and IoT)

Denial of IT Services categories Source of attack Technical (Naming convention) Destination of attack Benefits of attacker Side Effect
BYOD (mobile phones) Botnet – so called vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)
IoT (Internet of things includes, web cam, car automation, home appliance, Smart TV and smart electronics device) IoT (Botnet) – so called descendant of vampire cyber soldier Both network and application layer (OSI 3 & 7) Prestige and Glory Bring disruption to satisfy objective (not limit to economic, might involves political reason)

Yes, this topic might bring interests to reader. Ok, let’s join together to this journey (DDOS never expire – A powerful political and economic weapon (Part 1)).

Is there a way to identify attacker traffics? Yes, it can but it seems out of control now! BYOD and IoT technology are the accomplice!

As far as we know, the earlier stage of DDOS and DOS attack keen to make use of random source to increase the difficulties of the defense. A technical term so called Random Spoofed Source Address Distributed Denial of Service Attack (RSSA-DDOS)

Let recall different types of avoidance mechanism to avoid classic DDOS. There are total 3 types of filter can avoid classic DDOS happened on network layer.  For more details, please see below:

  1. Ingress filtering
  2. Egress filtering
  3. Router-based filtering

However above 3 types of prevention mechanisms not able to avoidance of RSSA-DDOS. The drawback is that those solution encounter difficulties to distinguish between legitimate traffic and attack traffic in effective way.

Dawn appears only for short time (FSAD & ECBF)

Filtering based on the source address distributed feature – FSAD

Solution:

  1. Detection of attack occurred and according to the current attack scale, historical flow and source address recognition accuracy requirements. Set the appropriate legal address identification
    parameter.
  2. 2. Identify the legal source address and saved to the legal address table (LAT)

But how to identify the counterfeit source IP address

A solution named “The Extended Counting Bloom Filter -ECBF” can do the magic.
Example:
Assuming that a packet is received, the source address Saddr is (a.b.c.d) > 1.1.1.1
The source address Saddr is (a.b.c.d), then

• IPH(Saddr)=256×a+b;
• IPM(Saddr)=256×b+c;
• IPL (Saddr)=256×c+d;
• IPLH(Saddr)=256×d+a.

The ECBF contains four hash codes for counting the number of source address packets number and array. Each array corresponds to a hash function (see below)

It is easy to see that each element of the ECBF corresponds to 2 16 source addresses. For example, the 257th cell of the A 1 array corresponds to the source address (1.1.x.y)
According to the packet, where x and y are any number between 0 and 255. And each time a packet is received, the four cell values corresponding to the packet source address
Then add 1 for A 1 [256 × a + b], A 2 [256 × b + c], A 3 [256 × c + d] and A 4 [256 × d + a], respectively.
 See below diagram will receive a high-level understanding.
Legitimate address identifying algorithm under random spoofed source address DDoS attacks (see below):
Set identifying time interval and threshold T;
while(1)
Receive a packet;
Get source ip address sip;
Record sip in ecbf;
If (every element’s value of sip in 4 arrays>T)
Sip is a legitimate address;
fi;
if (time interval is over)
Empty 4 arrays;
Start a new time interval;
fi;
End while;
 IoT Botnet appears then triggers DDOS make the Cyber world crazy!
Above filter base defense mechanism and integrity identification method looks insufficient when IoT Botnet join to cyber war. Recently headline news stated that Mirai botnet turning internet of things into botnet of things. See how serious of this attack effected cyber world!
Mirai botnet on volume amount basis break through advanced defense mechanism. It look likes a cyber soldiers listen to the instruction of C&C server to attack the enemy. As a matter of fact, the cyber incident historical record last year proven that above imagination not a assumption. This is a real story.
References:
Oct 2016 – Dyn cyberattack: the attack involved “10s of millions of IP addresses (DDOS suspects – Mirai)
2016 – A massive DDoS cyber attack that disabled many online sites during the American presidential election (DDOS suspects – unknown)
2017 – The citizens of Hong Kong looking for True, Fair & Free Election, however the democratic websites operate in frequently encountered DDOS during important events (DDOS suspects – unknown)
Above 3 items of incident can tell us DDOS attack never expire. Sounds like the attack is under transformation. DDOS attack from begin focus on commercial world expands to other non commercial area. The attacks methodology enhance by internet of things and become powerful. The additional target added foreign government and democratic world.

 

Since this discussion overtime and looks bulky. Let’s continue our discussion on Part 2 next time (DDOS never expire! A powerful tool for political and economic weapon). Stayed tuned.

 

 

 

 

 

 

 

 

 

The culprit of the CIA’s global covert hacking program given from SS7 design limitation

Headline news today provides a 2nd round of reminder to the world that we are under surveillance.  Since our hero Edward Snowden heads up to the world earlier. As a result, he such a way may carry a crime of treason. To be honest , I am a little worry about of him. The fact is that the expectation of president in united stated has been changed. Good luck to him at all! If god is present, please give your son Edward’s assistance. He really need you help!

The no. of total 8761 documents posted on wikileak we are not going to discuss here. Just know this is the first full part of the series dubbed Year Zero. However we would like to bring your attention on the weakness of tel-comm industry today. And believed that this is the root causes or you can say this is a backdoor on telecommunication world. Ok, this time all we emulate as Sherlock Holmes. Let’s start.

Speculation

  1. Flaw found in ASN.1 compiler

Abstract Syntax Notation 1 (ASN.1) background:

Quick and dirty description:

In the field of telecommunications and computer networks, ASN.1 (Abstract Syntax Notation One) is a set of standards describing data representation, encoding, transmission and decoding flexible notation. It provides a formal, unambiguous and precise rules to describe independent of the specific computer hardware object structure. ASN.1 provides application and protocol developers a high-level tool, essentially a data-definition language, for defining protocol syntax and the information that an application exchanges between systems.

Vulnerability:

A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.

Heap memory corruption attacks

Traditional memory corruption exploit can be achieved by pointing to the injected code on the stack or heap which data resides in.

Technical information – vulnerability details

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability, for more details, please refer to below url for reference.

https://www.kb.cert.org/vuls/id/790839

Afterwards, the government agency relies on this design weakness of SS7 to track the movements of the mobile phone user anywhere in the world. From technical point of view, compromise of WhatsApp or Telegram was not direct way. Sometimes no need to install malware to the clients mobile phone. It is exact the abuses of SS7 weaknesses.

2. TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

 

3. Law enforcement backdoor software overview

Edward Snowden disclosed global surveillance program in 2013. We all alert that surveillance programs are flooding all around the world. Bring to tech guy attention may more or less is the sniffing technique. How was US government collect personal data and telephone call on our desktop and mobile phone devices? Tech guy with interest on cyber securities may know few hacker group assists law enforcement sector develop monitoring agent software. The brand name includes DaVinci, Morcut, Crisis & Flosax. It looks that the most famous product is the DaVinci. An Italian made surveillance software best perform a lot of actions, such as hidden file transfers, screen capturing, keystroke logging & process injection.

Interest story happened on July 2015

A cyber-surveillance company believes a government may have been behind a massive hack of its systems that saw huge chunks of its code stolen. For more details, please refer to below URL:

http://eandt.theiet.org/news/2015/jul/hacking-team-breach.cfm

After you read  this article, you may have questions? Since 2015 data breaches incidents happened in frequent. It is hard to believe that how weakness of cyber defense setup in the world. No matter how many anti defense facilities you built in your firm. Seems there is no appropriate solution to fight against cyber crime. Do you think all the incidents happened within 2015 to 2016 are related hacker code exposed in July 2015?

Reference:

Law enforcement surveillance software technical features:

Available surveillance modules
Accessed files
Address Book
Applications used
Calendar
Contacts
Device Type
Files Accessed
Keylogging
Saved Passwords
Mouse Activity (intended to defeat virtual keyboards)
Record Calls and call data
Screenshots
Take Photographs with webcam
Record Chats
Copy Clipboard
Record Audio from Microphone
With additional Voice and silence detection to conserve space
Realtime audio surveillance (“live mic:” module is only available for Windows Mobile)
Device Position
URLs Visited
Create conference calls (with a silent 3rd party)
Infect other devices (depreciated since v. 8.4)

Suggestion to reader:

Since the world situation became more complex today no matter political and people’s livelihood. A solution will let you easy to know your mobile phone status. Are you under government surveillance program?

If you are android phone user, go to playstore download a free program names SnoopSnitch. The SnoopSnitch which can warn when certain SS7 attacks occur against a phone and can detect voyeur’s jump into your phone.

Bye!