Category Archives: Network (Protocol, Topology & Standard)

Advanced Persistent Threat (APT) miscellaneous outline

When I first heard the term “Advanced Persistent Threat”, it sounded to me like a hostile conspiracy between nations. The famous network events listed below serve as proof of concept. What is the purpose of announcing the APT to the world?

2010 – Stuxnet (APT) is believed by many experts to be a jointly built American-Israeli cyber weapon, although no organization or state has officially admitted responsibility.

2011 – Defence contractor Lockheed Martin was hit by an advanced persistent threat against its network (specifically related to RSA’s SecurID two-factor authentication products).

2011 – APT28 has used lures written in Georgian that are probably intended to target Georgian government agencies or citizens.

2013 – APT28 Targeting a Journalist Covering the Caucasus

2013 – Kimsuki malware (APT) targets critical infrastructure and industrial control systems (ICS) in South Korea.

2013 – In February 2013, Mandiant uncovered Advanced Persistent Threat 1 (APT1), alleging Chinese attacks using APT methodology between 2004 and 2013.

2014 – The BlackEnergy APT group re-engineered the BlackEnergy DDoS software and deployed SCADA-related plugins against the ICS and energy sectors around the world.

2015 – In August 2015 Cozy Bear (classified as advanced persistent threat APT29) was linked to a spear-phishing cyber-attack against the Pentagon email system, causing the shutdown of the entire Joint Staff unclassified email system and Internet access during the investigation.

2016 – Onion Dog, an APT focused on the energy and transportation industries in Korean-language countries.

APT (Advanced Persistent Threat) design definition

It is a flexible and sustainable platform, demonstrating planning for long-term use and versatility.

The common APT kill chain criteria (see the diagram below for reference)

However, APT28 runs differently. A complete attack scenario with APT28 has multiple malware stages, such as Sourface/Coreshell, Eviltoss, and Chopstick. APT28 malware could persuade a trusted user to open a malicious document that includes a Sourface downloader, which downloads the Chopstick second-stage malware. We believe that the hackers use the spear phishing technique.

Terminology for reference:

CORESHELL: This downloader is the evolution of APT28’s previous downloader of choice, known as “SOURFACE” (or “Sofacy”). Once executed, it creates the conditions to download and execute a second stage (usually Eviltoss) from a C2.
EVILTOSS: This backdoor is delivered through the CORESHELL downloader to gain system access for reconnaissance, monitoring, credential theft and shellcode execution.
CHOPSTICK: This is a modular implant compiled from a software framework that provides tailored functionality and flexibility. By far, Chopstick is the most advanced tool used by APT28.

MIMIKATZ: Every one of us knows this tool. In this case, it has had devastating effects, completely compromising the AD forest.

Fileless APT malware

MM Core APT: MM Core is a fileless trojan.

Trojan.APT.BaneChant targeted Middle Eastern and Central Asian organizations. The trojan is fileless, downloading its malicious code into memory to prevent investigators from extracting the code from the device’s hard drive.

Primary objective for advanced persistent threat

There are two different objectives for advanced persistent threats to date.

Objective 1: An advanced persistent threat (APT) is a network attack in which an unauthorized person gains access to a network and stays there undetected for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization.

Objective 2: An advanced persistent threat (APT) is a set of stealthy and continuous computer hacking processes which target the computer hardware of nuclear facilities. The objective of the attack is to suspend services or disrupt operations, causing destruction.

Infiltration outline
A typical scenario is shown below:
1. Attackers rename the exploit (say Titanium.zip, which takes advantage of a ZIP parsing vulnerability in the antivirus) to Titanium.wmf.
2. Host a webpage which contains <iframe src = Titanium.wmf>.
3. Convince victims to visit this webpage.
4. While victims are browsing the page, Titanium.wmf is downloaded onto the victims’ computers automatically, without any user interaction.
5. If the antivirus auto-protect is on, the antivirus engine parses Titanium.wmf automatically, and then possibly gets compromised immediately.
Detect: The malware performs a number of checks for installed security products on the victim machine, checking entries within the HKLM\Software\ registry path.
The antivirus product is represented by a binary value, which hints to the malware which brand of antivirus is installed on the victim machine (see the example below):

0x08000000 : Sophos
0x02000000 : INCAInternet
0x04000000 : DoctorWeb
0x00200000 : Baidu
0x00100000 : Comodo
0x00080000 : TrustPortAntivirus
0x00040000 : GData
0x00020000 : AVG
0x00010000 : BitDefender
0x00008000 : VirusChaser
0x00002000 : McAfee
0x00001000 : Panda
0x00000800 : Trend Micro
0x00000400 : Kingsoft
0x00000200 : Norton
0x00000100 : Micropoint
0x00000080 : Filseclab
0x00000040 : AhnLab
0x00000020 : JiangMin
0x00000010 : Tencent
0x00000004 : Avira
0x00000008 : Kaspersky
0x00000002 : Rising
0x00000001 : 360

FINDING VULNERABILITIES OF ANTIVIRUS
Basically, there are four kinds of vulnerabilities seen in antivirus software:
Local Privilege Escalation
ActiveX-related
Engine-based
Management (Administrative) interface

KILL THE LOCAL ANTIVIRUS PROGRAM

For instance, a zip bomb, also known as a zip of death or decompression bomb, is a malicious archive file designed to crash or render useless the program or system reading it. It is often employed to disable antivirus software.

Find zero-day vulnerabilities to compromise the victim workstation

The implant success rate depends entirely on the patch management status of the workstation.

APT Malware callback

To avoid a malware analyzer (FireEye, RSA ECAT) detecting the malware callback to an external CnC server, APT malware will compromise a legitimate website and then redirect the communication to the CnC server. This method can prevent the malware analyzer from denying the traffic to external command and control (C&C) servers.

Data Theft

The malware collects data on a victim host, then exfiltrates the data off the network and under the full control of the hacker. The hacker will erase all evidence after the job is complete. Since the host is compromised, he can return at any time to continue the data breach.

Observation on 2017 1st quarter

Regarding the consolidation of APT incidents and analysis reports so far, it looks like the most efficient way to avoid APT incidents is to install a malware analyzer (FireEye, RSA ECAT) in your IT network campus. As a matter of fact, APT technique is an advanced technology developed by a country or technology group, and therefore has a greater possibility of breaking through endpoint defense mechanisms, for instance antivirus programs. However, my comment is that Kaspersky is a perfect antivirus and malware defense vendor. Maybe it is one of the exceptions. However, clients might be concerned about the company background (a group of developers from Russia). As we know, home users cannot install a malware analyzer. As such, I would suggest end users consider their decision carefully when they are going to purchase an antivirus program. The matrix table below is not precise but can give you an idea of which component is the bottleneck against APT attacks.

APT (advanced persistent threat) kill chain relationship matrix table

Phase          | Detect                                       | Deny                          | Disrupt                                  | Degrade      | Deceive | Destroy
Reconnaissance | 1. Managed security services; 2. IDS; 3. SIEM | Firewall                     |                                          |              |         |
Weaponization  | End point defense (antivirus)                | End point defense (antivirus) | queuing and loading                      |              |         |
Delivery       | SIEM                                         | Proxy Srv                     | End point defense (antivirus)            |              |         |
Exploitation   | malware analyzer                             | Vendor Patch                  | End point device                         |              |         |
Installation   | End point defense (antivirus)                | malware analyzer              | 1. End point device; 2. Malware analyzer |              |         |
C2             | 1. malware analyzer; 2. SIEM                 | malware analyzer              | malware analyzer                         | DNS redirect |         |
Actions        | 1. malware analyzer; 2. SIEM                 | malware analyzer              |                                          |              |         |

Vulnerabilities in the old OLE2-based HWP file format – engaged in APT attacks on South Korea

North Korea’s rising ambition seen in bid to breach global banks

My reflection on the CNBC News article (North Korea’s rising ambition seen in bid to breach global banks), with my comments written down below:

Preface:

The overall situation looks extreme today, whether political or commercial. In the commercial area, enterprises try to monopolize the market. From country to country, there are conflicts of interest over natural resources. My personal feeling is that the ownership of undeveloped areas should belong to nature instead of a country, and for sure that is not limited to Antarctica! The above description is not intended to divert (side-track) your attention, since the terms benefit or interest change the whole world. Yes, human beings go for survival, and money is the key factor. In such a way it creates criminal activities and conflicts of interest.

The electronic age has made the overall situation more complex

The electronic age has made the overall situation more complex, especially in the banking industry. The evidence tells us that even though Mirai DDoS, IoT botnet and zombie types of cyber attacks did not cause the banking industry to lose the money in its drawer, insider threats, especially trojans and malware, let financial institutions lose huge amounts of money (for instance the Bangladesh heist). Furthermore, cyber espionage infiltration activities most likely rely on malware and trojans. The best example that can be quoted is the Stuxnet malware. The goal of Stuxnet was to disturb the operations of nuclear facilities in Iraq.

From a technical point of view, malware belongs to the category of monitoring (surveillance) and control tools. A huge group of surveillance programs must utilize malware as an infection medium. It sounds like the APT (advanced persistent threat) is a descendant of malware.

The term kill chain was originally used as a military concept related to the structure of an attack; … Since then, the “cyber kill chain” has been adopted by data security organizations to define the stages of cyber-attacks (see the picture diagram below).

Regarding the definition of APT shown on Wikipedia: an APT usually targets either private organizations, states or both for business or political motives. APT processes require a high degree of covertness over a long period of time. From a criminal activities point of view, the hacker most likely will collect credentials, personal details and databases in the long run. For criminal cases like stealing money from an electronic payment system, the APT type of attack is rare.

Does APT equal criminal activity in the commercial world?

Observation – The FBI stated that the SONY intrusion and banking environment insider threats (banking malware) are a conspiracy of the North Korean government.

Why do we believe the perpetrator is North Korea?

The official statements from the FBI and US-CERT identified the malware and disclosed their MD5 hashes for reference.

Dropper = d1c27ee7ce18675974edf42d4eea25c6
Wiper = 760c35a80d758f032d02cf4db12d3e55
Web server = e1864a55d5ccb76af4bf7a0ae16279ba
Backdoor = e904bf93403c0fb08b9683a9e858c73e

Since the attack target of this malware is exactly the Microsoft Windows platform, and based on the definition of fair proof, I select and highlight Microsoft’s information details for reference.

Microsoft Backdoor:Win32/Escad.AA!dha

This threat can give a malicious hacker access and control of your PC. They can then perform a number of actions, including downloading other malware. But as usual, Microsoft does not intend to provide the suspicious source IP address list.

Remark: Per Norse Corp information, the malware was signed with a compromised Sony certificate.

The cyber defense solution provider found more details of this malware in Sep 2013. The malware activities looked like they came from the Jilin Province Network and Liaoning Province Network. The security experts believed that the command & control may have come from North Korea, since Jilin and Liaoning provide Internet services to North Korea. This malware is the so-called Kimsuki malware.

Transformation – file type format converted into a weaponized file format

Vulnerabilities in the old OLE2-based HWP file format

What is an HWP file?

HWP documents are document files specialized for the Korean language, with an OLE2-based document format similar to Microsoft’s 97-2003 Office document format. The file format was created by the South Korean company Hancom. HWP files are similar to MS Word’s DOCX files, except that they can contain Korean written language, making it one of the standard document formats used by the South Korean government.

Design weakness of HWP files:

Para text is a data record type that stores the content of each paragraph in the body text. When parsing a para text tag within an .hwpx file, a logic error in hwpapp.dll results in a type confusion scenario. When paired with an appropriate heap spray, this vulnerability can lead to code execution.

Remark: In computer security, heap spraying is a technique used in exploits to facilitate arbitrary code execution. The part of the source code of an exploit that implements this technique is called a heap spray. In general, code that sprays the heap attempts to put a certain sequence of bytes at a predetermined location in the memory of a target process by having it allocate (large) blocks on the process’s heap and fill the bytes in these blocks with the right values.

2013 – Kimsuki malware design objective (OLE2-based HWP file format + APT): targets critical infrastructure and industrial control systems (ICS)

2016 – Onion Dog, APT Focused On the Energy and Transportation Industries in Korean-language Countries

OnionDog malware is transmitted by taking advantage of a vulnerability in the office software Hangul, popular in Korean-language countries, and it attacked network-isolated targets through a USB worm. The OnionDog APT targets critical infrastructure and industrial control systems (ICS).

Overall comment:

Since the North Korean ruler controls his country as a dictator, developing a nuclear bomb and testing missiles looks like showing his power to the world. From a psychological point of view, it is easy to understand his goal in engaging in APT attacks, since the dictator would like to emulate his imaginary enemy (USA) and destroy the nuclear power energy facilities of his enemy. However, I reserve my opinion on whether he is the lord behind the scenes engaging in banking malware attacks in foreign countries other than South Korea.

Reference to Korea CSIS report:

  1. 2011 – Denial-of-service (DDoS) attacks on websites: the first major cyber-attack attributed to North Korea was on April 12, 2011, which paralyzed the online banking and credit card services of Nonghyup Agricultural Bank for its 30 million customers.
  2. 2013 – Advanced persistent threat campaigns, and employment of less sophisticated but sufficiently effective malware such as the Jokra wiper tool observed on March 20, 2013. South Korean media report that North Korea has started to target smartphones as well.

For more detail, please refer to the URL below for reference.

What Do We Know About Past North Korean Cyber Attacks and Their Capabilities?

Apple icloud security burden – Webkit looks like a culprit! (Mar 2017)

Apple developers work hard on iCloud security. They are making an effort to encourage adoption of the two-factor authentication standard. Since Apple devices have done a good job on endpoint device security so far, this reduces the inherent risks. However, it is hard to avoid vulnerabilities happening on the application side, since the development source code is open. Apart from that, it is hard to refuse open source application deployment.

As we know, Apple released security patches on 23rd Jan 2017, and a common vulnerability criterion focuses on a web component. Yes, it is WebKit. Let’s start the story from scratch. Be my guest. Let’s start the journey!

Why Use WebKit?

Some applications are full-featured browsers, but more often applications embed web content as a convenience, as in a custom document system. WebKit is a layout engine software component for rendering web pages in web browsers.

Since a flaw was found in WebKit, a rogue web page can crash the browser because all code runs in the same process. The new version of WebKit (WebKit2) enhances the Safari architecture and aims to avoid this design limitation. It enforces separation of the code into two different processes: the user interface and the web page process each maintain their own process. The details below show how the WebKit2 architecture improves the Safari process isolation feature.

As time goes by, WebKit features as a major component embedded in web browsers (see below).

However, it brought up concern in the cyber security world in 2012. A heap memory buffer overflow vulnerability exists within WebKit’s JavaScriptCore JSArray::sort(…) method.

This design limitation accepts a user-defined JavaScript function and calls it from the native code to compare array items.
If this compare function reduces the array length, then the trailing array items will be written outside the “m_storage->m_vector[]” buffer, which leads to heap memory corruption. At this time, you may ask, does the WebKit or WebKit2 design flaw only apply to Apple devices? I believe that it applies to all vendors which make use of WebKit or WebKit2.

The exploit was due to a heap buffer overflow issue in the JavaScriptCore JSArray::sort() method. The program syntax details below will give you an idea in this regard.

Cyber attack transformation = attack moves from the local device to the virtual server machine.

The hacker exploiting the WebKit vulnerability hints that the hacker can use ROP (return-oriented programming) as an attack weapon. A technical article published by IEEE records the following scenario.

Important: An approach to attacking the Xen hypervisor utilizes return-oriented programming (ROP). It modifies the data in the hypervisor that controls whether a VM is privileged or not and thus can escalate the privilege of an unprivileged domain (domU) at run time. As the ROP technique makes use of existing code to implement the attack, not modifying or injecting any code, it can bypass integrity protections that are based on code measurement, by constructing such an attack at the virtualization layer.

The above matters sound horrible! Why? If such a hacker technique is developed further, the virtual machines running on a cloud farm will become victims. Hey, the same scenario looks possible in iCloud. The side effect is that it compromises not only a single iCloud container (single device), it affects the whole iCloud unit. The IEEE technical article highlighted below is the proof of concept. If you are interested, please do a walk-through of this document highlight. I am afraid that this article might be under copyright, and therefore I am not going to copy the whole article. Should you have any interest, please visit the IEEE publisher web site to find out more.

A rumour concerns “rumblings of a massive (40 million) data breach at Apple.” Believe it or not? In the meantime, if you are an Apple fan, you must re-confirm all the patches provided by Apple Corp. Keep running, don’t stop! For more details, please refer to the URLs below for reference.

Reference:

iCloud for Windows 6.1.1

The latest software updates from Apple

DDOS never expire! A powerful tool for political and economic weapon (Part 1)

We have heard the DDoS term since the 80’s. The foundation of the attack ranges from the network layer (OSI layer 3) to, today, the application layer (OSI layer 7). Since 2010 the mobile computing trend has led to the BYOD (Bring Your Own Device) terminology and carried out more serious distributed denial of service. A public DNS incident that occurred last year (2016) exposed IoT-style distributed denial of service. If you still remember, security experts foresaw that ransomware was going to replace DDoS soon. It looks like that statement is not totally correct. The truth is that the cyber arsenal virtually categorizes the weapons into different categories (see below).

Denial of IT Services categories

Source of attack | Technical (Naming convention) | Destination of attack | Benefits of attacker | Side Effect
End user computing | 1. DDOS (SYN Flood); 2. DOS (SYN Flood) | Network layer (OSI layer 3) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
End user computing | 1. DDOS (UDP Flood); 2. DOS (UDP Flood) | Network layer (OSI layer 3) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
End user computing | 1. DDOS (ICMP Flood); 2. DOS (ICMP Flood) | Network layer (OSI layer 3) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
End user computing | 1. DDOS attack focused on web application vulnerabilities; 2. DOS attack focused on web application vulnerabilities | Application layer (OSI layer 7) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
End user computing | 1. DDOS attack focused on operating system vulnerabilities; 2. DOS attack focused on operating system vulnerabilities | Application layer (OSI layer 7) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
Compromised web site, email phishing with attached file or URL embedding malicious code | Application layer (files and OS) – attack triggered by ransomware which locks (encrypts) files | 1. Operating system and files; 2. End user computing | Bitcoin (money) | Bring disruption to satisfy objective (focus on the business world instead of political reasons)

Information supplement (BYOD and IoT)

Denial of IT Services categories

Source of attack | Technical (Naming convention) | Destination of attack | Benefits of attacker | Side Effect
BYOD (mobile phones) | Botnet – so-called vampire cyber soldier | Both network and application layer (OSI 3 & 7) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)
IoT (Internet of things, including web cams, car automation, home appliances, smart TVs and smart electronic devices) | IoT (botnet) – so-called descendant of the vampire cyber soldier | Both network and application layer (OSI 3 & 7) | Prestige and Glory | Bring disruption to satisfy objective (not limited to economic, might involve political reasons)

Yes, this topic might bring interest to readers. OK, let’s join together on this journey (DDoS never expire – A powerful political and economic weapon (Part 1)).

Is there a way to identify attacker traffic? Yes, there is, but it seems out of control now! BYOD and IoT technology are the accomplices!

As far as we know, the earlier stage of DDoS and DoS attacks was keen to make use of random sources to increase the difficulty of defense. The technical term is the Random Spoofed Source Address Distributed Denial of Service Attack (RSSA-DDoS).

Let’s recall the different types of avoidance mechanisms against classic DDoS. There are a total of 3 types of filters that can prevent classic DDoS happening on the network layer. For more details, please see below:

  1. Ingress filtering
  2. Egress filtering
  3. Router-based filtering

However, the above 3 types of prevention mechanisms are not able to prevent RSSA-DDoS. The drawback is that those solutions encounter difficulties in distinguishing between legitimate traffic and attack traffic in an effective way.

Dawn appears only for a short time (FSAD & ECBF)

Filtering based on the source address distributed feature – FSAD

Solution:

  1. Detect that an attack has occurred and, according to the current attack scale, historical flow and source address recognition accuracy requirements, set the appropriate legal address identification parameter.
  2. Identify the legal source addresses and save them to the legal address table (LAT).

But how to identify the counterfeit source IP address?

A solution named “The Extended Counting Bloom Filter – ECBF” can do the magic.
Example:
Assume that a packet is received whose source address Saddr is (a.b.c.d), e.g. 1.1.1.1. Then

• IPH(Saddr)=256×a+b;
• IPM(Saddr)=256×b+c;
• IPL (Saddr)=256×c+d;
• IPLH(Saddr)=256×d+a.

The ECBF contains four hash codes for counting the number of packets per source address, and four arrays. Each array corresponds to one hash function (see below).

It is easy to see that each element of the ECBF corresponds to 2^16 source addresses. For example, the 257th cell of the A1 array corresponds to the source addresses (1.1.x.y), where x and y are any number between 0 and 255. Each time a packet is received, the four cell values corresponding to the packet’s source address are incremented: add 1 to A1[256 × a + b], A2[256 × b + c], A3[256 × c + d] and A4[256 × d + a], respectively.
The diagram below gives a high-level understanding.
Legitimate address identifying algorithm under random spoofed source address DDoS attacks (see below):

    Set identifying time interval and threshold T;
    while (1)
        Receive a packet;
        Get source ip address sip;
        Record sip in ECBF;
        if (every element’s value of sip in 4 arrays > T)
            sip is a legitimate address;
        fi;
        if (time interval is over)
            Empty 4 arrays;
            Start a new time interval;
        fi;
    end while;
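To make the ECBF loop above concrete, here is an added Python example (not code from the post or from the ECBF authors) that implements the four hash codes IPH/IPM/IPL/IPLH, the four counting arrays and the identification loop, and runs them over a constructed packet stream of two steady clients, one low-rate client and 3000 randomly spoofed sources; the "time interval" is counted in packets rather than seconds, which is an assumption made so the example runs offline.

```python
"""Legitimate-address identification with an Extended Counting Bloom Filter.

Added example, not the post's own code. The packet stream, the threshold T
and the packet-counted interval are constructed for illustration.
"""
import random
from typing import Iterable, List, Set, Tuple

CELLS = 256 * 256  # every hash code is a 16-bit value, so each array has 2^16 cells


def hash_codes(saddr: str) -> Tuple[int, int, int, int]:
    """Return (IPH, IPM, IPL, IPLH) for a dotted-quad IPv4 address a.b.c.d."""
    parts = saddr.split(".")
    if len(parts) != 4:
        raise ValueError(f"not an IPv4 address: {saddr}")
    a, b, c, d = (int(p) for p in parts)
    for octet in (a, b, c, d):
        if not 0 <= octet <= 255:
            raise ValueError(f"octet out of range: {saddr}")
    # Each code combines two adjacent octets; the last one wraps d around to a,
    # so every cell covers 2^16 addresses but the four cells together pin one.
    return (256 * a + b, 256 * b + c, 256 * c + d, 256 * d + a)


class ECBF:
    """Four counting arrays A1..A4, one per hash code."""

    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.arrays: List[List[int]] = [[0] * CELLS for _ in range(4)]

    def record(self, saddr: str) -> None:
        """Add 1 to A1[IPH], A2[IPM], A3[IPL] and A4[IPLH] for this packet."""
        for array, index in zip(self.arrays, hash_codes(saddr)):
            array[index] += 1

    def counts(self, saddr: str) -> Tuple[int, ...]:
        """The four counter values an address currently maps to."""
        return tuple(array[index] for array, index in zip(self.arrays, hash_codes(saddr)))

    def is_legitimate(self, saddr: str) -> bool:
        """An address is legitimate once all four of its counters exceed T."""
        return all(value > self.threshold for value in self.counts(saddr))

    def empty(self) -> None:
        """Empty the four arrays at the start of a new interval."""
        self.arrays = [[0] * CELLS for _ in range(4)]


def identify_legitimate(packets: Iterable[str], threshold: int, interval: int) -> Set[str]:
    """Run the post's loop: record each source, add it to the legal address
    table (LAT) when all four counters exceed T, and empty the arrays when
    the interval (here: a number of packets) is over."""
    ecbf = ECBF(threshold)
    legal_address_table: Set[str] = set()
    seen_in_interval = 0
    for sip in packets:
        ecbf.record(sip)
        if ecbf.is_legitimate(sip):
            legal_address_table.add(sip)
        seen_in_interval += 1
        if seen_in_interval >= interval:
            ecbf.empty()
            seen_in_interval = 0
    return legal_address_table


def constructed_stream(seed: int = 7) -> List[str]:
    """Constructed traffic: two steady clients (8 packets each), one low-rate
    client (3 packets) and 3000 packets with random spoofed source addresses,
    i.e. the RSSA-DDoS pattern the filter is meant to survive."""
    rng = random.Random(seed)
    stream = ["10.0.0.5"] * 8 + ["192.168.1.20"] * 8 + ["172.16.9.3"] * 3
    for _ in range(3000):
        stream.append(".".join(str(rng.randint(0, 255)) for _ in range(4)))
    rng.shuffle(stream)
    return stream


def demo() -> Set[str]:
    """Only the two steady clients clear T=5 in all four arrays; the spoofed
    sources spread over 65536 cells per array and never do."""
    return identify_legitimate(constructed_stream(), threshold=5, interval=10_000)


if __name__ == "__main__":
    print(sorted(demo()))  # → ['10.0.0.5', '192.168.1.20']
```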
IoT botnets appear, then trigger DDoS and make the cyber world crazy!
The above filter-based defense mechanism and integrity identification method look insufficient when IoT botnets join the cyber war. Recently, headline news stated that the Mirai botnet is turning the internet of things into a botnet of things. See how seriously this attack affected the cyber world!
The Mirai botnet, on a volume basis, breaks through advanced defense mechanisms. It looks like cyber soldiers listening to the instructions of a C&C server to attack the enemy. As a matter of fact, the cyber incident historical record of last year proves that the above imagination is not an assumption. This is a real story.
References:
Oct 2016 – Dyn cyberattack: the attack involved “10s of millions of IP addresses” (DDoS suspect – Mirai)
2016 – A massive DDoS cyber attack that disabled many online sites during the American presidential election (DDoS suspects – unknown)
2017 – The citizens of Hong Kong are looking for a true, fair & free election, however the democratic websites in operation frequently encountered DDoS during important events (DDoS suspects – unknown)
The above 3 incidents tell us that DDoS attacks never expire. It sounds like the attack is under transformation. DDoS attacks, at the beginning focused on the commercial world, have expanded to other non-commercial areas. The attack methodology is enhanced by the internet of things and becomes powerful. Foreign governments and the democratic world have been added as targets.

Since this discussion is running over time and looks bulky, let’s continue our discussion in Part 2 next time (DDoS never expire! A powerful tool for political and economic weapon). Stay tuned.

The culprit of the CIA’s global covert hacking program comes from an SS7 design limitation

Today’s headline news provides a 2nd round of reminders to the world that we are under surveillance, since our hero Edward Snowden alerted the world earlier. As a result, he may in such a way carry a charge of treason. To be honest, I am a little worried about him. The fact is that the expectations of the president of the United States have changed. Good luck to him! If God is present, please give your son Edward assistance. He really needs your help!

We are not going to discuss the total of 8,761 documents posted on WikiLeaks here. Just know that this is the first full part of the series dubbed Year Zero. However, we would like to bring your attention to the weakness of the telecom industry today, and we believe that this is the root cause, or you can say this is a backdoor in the telecommunication world. OK, this time we all emulate Sherlock Holmes. Let’s start.

Speculation

  1. Flaw found in ASN.1 compiler

Abstract Syntax Notation 1 (ASN.1) background:

Quick and dirty description:

In the field of telecommunications and computer networks, ASN.1 (Abstract Syntax Notation One) is a set of standards describing a flexible notation for data representation, encoding, transmission and decoding. It provides formal, unambiguous and precise rules to describe object structure independent of the specific computer hardware. ASN.1 provides application and protocol developers a high-level tool, essentially a data-definition language, for defining protocol syntax and the information that an application exchanges between systems.

Vulnerability:

A flaw discovered in an ASN.1 compiler, a widely used C/C++ development tool, could have propagated code vulnerable to heap memory corruption attacks, resulting in remote code execution.

Heap memory corruption attacks

A traditional memory corruption exploit can be achieved by pointing to injected code on the stack or heap where the data resides.

Technical information – vulnerability details

Vulnerability Note VU#790839
Objective Systems ASN1C generates code that contains a heap overflow vulnerability. For more details, please refer to the URL below for reference.

https://www.kb.cert.org/vuls/id/790839

Afterwards, the government agency relies on this design weakness of SS7 to track the movements of a mobile phone user anywhere in the world. From a technical point of view, the compromise of WhatsApp or Telegram was not direct. Sometimes there is no need to install malware on the client’s mobile phone. It is exactly the abuse of SS7 weaknesses.

2. TCP/IP version 4 (CVE-2016-5696)

The difficult part for a hacker taking over a TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that by opening a connection to the server and sending, from the attacker’s own source, as many “RST” packets with the wrong sequence number as possible, mixed with a few spoofed packets, and by counting how many “challenge ACK” packets get returned to the attacker side, an attacker who knows the rate limit can infer how many of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses were correct. This way one can quickly narrow down which values of port and sequence number are correct.

3. Law enforcement backdoor software overview

Edward Snowden disclosed the global surveillance program in 2013. We are all alert that surveillance programs are flooding all around the world. What brings tech guys’ attention, more or less, is the sniffing technique. How did the US government collect personal data and telephone calls from our desktop and mobile phone devices? Tech guys with an interest in cyber security may know that a few hacker groups assist the law enforcement sector in developing monitoring agent software. The brand names include DaVinci, Morcut, Crisis & Flosax. It looks like the most famous product is DaVinci, an Italian-made surveillance software that can perform a lot of actions, such as hidden file transfers, screen capturing, keystroke logging & process injection.

Interesting story that happened in July 2015

A cyber-surveillance company believes a government may have been behind a massive hack of its systems that saw huge chunks of its code stolen. For more details, please refer to the URL below:

http://eandt.theiet.org/news/2015/jul/hacking-team-breach.cfm

After you read this article, you may have questions. Since 2015, data breach incidents have happened frequently. It is hard to believe how weak cyber defense setups are in the world. No matter how many defense facilities you build in your firm, it seems there is no appropriate solution to fight against cyber crime. Do you think all the incidents that happened within 2015 to 2016 are related to the hacker code exposed in July 2015?

Reference:

Law enforcement surveillance software technical features:

Available surveillance modules:

  • Accessed files
  • Address book
  • Applications used
  • Calendar
  • Contacts
  • Device type
  • Files accessed
  • Keylogging
  • Saved passwords
  • Mouse activity (intended to defeat virtual keyboards)
  • Record calls and call data
  • Screenshots
  • Take photographs with webcam
  • Record chats
  • Copy clipboard
  • Record audio from microphone, with additional voice and silence detection to conserve space
  • Real-time audio surveillance (the “live mic” module is only available for Windows Mobile)
  • Device position
  • URLs visited
  • Create conference calls (with a silent third party)
  • Infect other devices (deprecated since v. 8.4)

Suggestion to reader:

Since the world situation has become more complex today, in politics as well as in people's livelihoods, a solution that lets you easily check your mobile phone's status is welcome. Are you under a government surveillance program?

If you are an Android phone user, go to the Play Store and download a free program named SnoopSnitch. SnoopSnitch can warn you when certain SS7 attacks occur against your phone and can detect when a voyeur jumps into your phone.

Bye!

Is Single Sign on a Security Risk?

The majority of computer operators and ordinary people alike maintain one user ID and password, and a single sign-on facility fulfils that operational requirement. From a security point of view, however, there are inherent risks when a company deploys single sign-on on its network infrastructure.

Single sign-on infrastructure

Let's take a closer look at single sign-on.

Benefits:

  1. No need to remember many user IDs and passwords
  2. Simplified operation procedure
  3. Improves the effectiveness/timeliness of disabling all network/computer accounts for terminated users.
  4. Reduces the time taken by users to log into multiple applications and platforms

 

Single sign-on drawbacks

  1. The same credential unlocks all your various web services; it is dangerous to let one username/password combination unlock all the resources.
  2. Single high-value target (attracts more attackers)
  3. Side channel attack against the authentication step
  4. You never know how secure your system is, or whether there has been a breach

Single sign-on increases the difficulty of application protection

SSO by itself doesn't really improve security and, in fact, if not deployed properly it can degrade security. There are more techniques for attacking single sign-on applications today. For more details, please see below:

  1. Single sign-on phishing
  2. SSO profiles vulnerable to a man-in-the-middle attack
  3. Replay attacks
  4. XML Signature Wrapping vulnerability in the SAML protocol

Security Concerns:

GIAC, as a pioneer, pointed out single sign-on security concerns in a Global Information Assurance Certification paper. The article brought to the world the idea that each operating system and application has its own set of security requirements for both user IDs and passwords, in the sense that SSO by itself doesn't really improve security and, if not deployed properly, can degrade it. Enterprise firms need compliance to fulfil audit requirements, but please note that compliance does not equal security. Let's think it over: one single password that can access all key applications. Is that a security risk?

Edward Snowden heads up! Stranger, what do you want?

Enterprise firms execute data classification to protect important corporate data. Following the code of practice, confidential data carrying a high-sensitivity label requires encryption. The whistleblower Edward Snowden alerted the people of the world in 2013, but you may still have a question to ask: what sort of personal data do we need to protect? End-user computing seems to be mostly ignored by users. The traditional idea is that we enforce preventive controls from the server end. As time goes by, the mobile phone has twisted the IT world: an IT Renaissance, literally a rebirth. Computer use is no longer limited by location or time zone. We can execute a remittance or payment on a mobile phone. You back up or synchronise mobile data when you get home, and of course you can upload everything to the cloud.

Regarding the global surveillance program by the US government

It looks as if the surveillance program is a never-ending story. Why? From the official perspective, a domestic surveillance program can effectively monitor terrorist attacks and criminal activities. The NSA web page slogan makes the following statement.

“Defending our nation. Securing the citizens.”

We have no objection to the collection of internet data and mobile phone voice and data exchanges as a weapon to fight against crime. To be honest, we don't have the right to object! But a question is raised: how can we tell how this data is used? We are not the perpetrators, so logically we need not be afraid of this control?

Highlights of the NSA data collection methodology:

  • Real-Time Yahoo Email Scanning
  • Domestic Intercept Stations
  • Bulk Collection of U.S. Citizens’ Phone Records
  • The PRISM Program: Source of Raw Intelligence
  • Google Cloud Exploitation
  • Cellphone Tracking
  • Spying Toolbox: Servers, routers, firewall devices, computers, USB, keyboard, wireless LAN, cell phone network & mobile phone
  • FBI Aviation Surveillance Operations (FBI Hawk Owl Project)
  • XKeyscore: Our Real-Time Internet Monitoring Capability

The details above are not confidential data; you can easily find this information. Please take a visit to the NSA front page; for more details please see below:

https://nsa.gov1.info/surveillance/

The US government, with high-visibility statements, lets citizens know they are under surveillance. One openly known NSA method is a tool called XKEYSCORE. When a US speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/english” fingerprint (denoting language settings). When a browser visits a site that uses Yield Manager, a cookie will be set. This cookie is used to identify whether the browser has loaded an advert and when and where it loaded it (which detects Yahoo browser cookies). Yield Manager also collects information such as:

  • the date and time of your visit to the website
  • IP address
  • the type of browser you are using
  • the web page address you are visiting

The XKEYSCORE appID and fingerprint lists give several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

XKEYSCORE features highlight:

  1. Tracking Bridge Users
  2. Tracking Tor Directory Authorities
  3. Tracking Torproject.org Visits

The part of the XKEYSCORE source code shown below gives an idea of how much XKEYSCORE focuses on Tor routers.

 

As traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern.

But what about the hackers? Hackers are interested in the same data the NSA collects. I believe the checklist below shows the details that lure hackers' interest.

Loopholes created by internet application coding make this cyber game a never-ending story.

Example:

  • Email accounts or passwords exposed through session cookies
  • A common use for XSS is stealing cookies to hijack sessions and gain access to restricted web content
  • When a cookie doesn’t have the Secure flag set, it can be sent over insecure HTTP (provided that HSTS is not in use). In that case, an attacker controlling the communication channel between the browser and the server can read the cookie. If the cookie stores a session ID, disclosure of the cookie over insecure HTTP leads to user impersonation.
  • When a cookie doesn’t have the HttpOnly flag set, JavaScript can read its value. That is why an XSS attack leads to user impersonation if the HttpOnly flag is not set on the cookie holding the session ID. When a cookie has the HttpOnly flag set, an attacker can’t read its value in an XSS attack. The problem is that access permissions are not clearly specified in RFC 6265; it turns out that a cookie with the HttpOnly flag can be overwritten in Safari 8.

Short term conclusion:

No way because we are living on earth!

Black Friday malware vs Lucky 13 – Keep away from anything labeled thirteen

We are living on earth. Our human ancestors went through many generations of reform, and the result is the modern civilisation of today. The foundation of civilisation is built from different elements and objects. A major element is logic, which structures cause and effect; that definition covers the factors behind a successful result. However, some things that happen on earth look mysterious. To quote an example, Friday the 13th is considered an unlucky day in Western superstition. From a scientific viewpoint, such a superstition makes no sense and has no supporting factor. Yet, by coincidence, when you go to a cosmopolitan city like Chicago or New York, you cannot find a 13th floor on the elevator panel. Even without scientific support, the number 13 and Black Friday have a psychological impact on us. We continue this discussion, but our focus will move to cyber security. Up to this point you might ask: why do we spend time on a preface about superstition?

Do you remember the Jerusalem virus?

A virus first detected in Jerusalem on 13th October 1987 (Black Friday). This virus hooks itself into MS-DOS services and is capable of running its malware function. But internet communication services were not available in the 80s, so how does it work? The virus program contains one destructive payload that is set to go off on Black Friday (Friday the 13th). This was the first time IT gurus saw a cyber attack scheduled for Friday the 13th, Jan 2016. Below is a highlight of the source code for reference:

mov ah,02Ah             ; Get system date (DOS INT 21h, AH=2Ah)
int 021h
mov byte cs:[zap],00H   ; Clear the zap flag
cmp cx,07C3h            ; CX->Year, 7C3h=1987
jz done                 ; Do nothing if 1987
cmp al,05h              ; AL->Day of week, 05h=Friday
jnz otherpload          ; No zap if not Friday
cmp dl,0Dh              ; DL->Day of month, 0Dh=13
jnz otherpload          ; No zap if not the 13th
inc byte cs:[zap]       ; Else turn on the zap flag
jmp done
nop

Attack concept and idea: take advantage of the design limitations of the computer instruction set. For more details, please see below:

  1. If the interrupt flag (IF) is set (=1), then external hardware can initiate an interrupt via the INTR input of the microprocessor.
  2. If the IF flag is clear (=0), then external devices cannot initiate an interrupt.

The Jerusalem code hooks into interrupt processing and other low-level DOS services. This infection technique looks similar to the privilege escalation methods used by malware today!

Keep away from anything labeled thirteen

Unfortunately, a cyber incident occurred in 2013 in which, by coincidence, the magic number thirteen was involved in the naming scheme. It is a cryptographic TLS vulnerability. Before we discuss what Lucky 13 is, let's do a quick review of the SSL/TLS protocol architecture in the infographic below.

Overview of TLS & SSL/TLS protocol architecture

 

As we know, there are four well-known types of SSL attack from recent years:

  • Beast attack
  • Crime attack
  • Lucky 13 attack
  • RC4 attack

To be honest, Lucky 13 does not live up to its name. It is a cryptographic timing attack, originally against implementations of the Transport Layer Security (TLS) protocol.

What is a timing attack? (see below)

The attack allows a man-in-the-middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode (cipher block chaining) encryption is used. It is a man-in-the-middle timing attack against TLS that exploits the interaction between how the protocol implements AES in CBC mode for encryption and HMAC-SHA1 for authentication.

CVE-2013-0169 – The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets.

We predict more security bugs in future; it is a fundamental design limitation, the so-called MAC-then-encrypt construction.

Attempts to place the encryption layer in the OSI model do not map well onto TCP/IP. Some things don't fit in the layers, and SSL/TLS is one of them.

(D)TLS layering (see below):

  • SSL/TLS uses an underlying transport medium that provides a bidirectional stream of bytes. That would put it somewhere above layer 4.
  • SSL/TLS organizes data as records, that may contain, in particular, handshake messages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6 or 7.
  • However, what SSL/TLS conveys is “application data”, which is, in fact, a bidirectional stream of bytes. Applications that use SSL/TLS really use it as a transport protocol. They then use their own data representation and messages and semantics within that “application data”. Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.

The Lucky 13 attack triggered a series of TLS technical concerns. Yet another padding oracle vulnerability was found in May 2016 (see below).

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
======================================================

Severity: High

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server supports
AES-NI.

This issue was introduced as part of the fix for the Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be in constant
time by making sure that always the same bytes are read and
compared against either the MAC or padding bytes. But it no longer
checked that there was enough data to have both the MAC and padding
bytes.

OpenSSL 1.0.2 users should upgrade to 1.0.2h
OpenSSL 1.0.1 users should upgrade to 1.0.1t

This issue was reported to OpenSSL on 13th of April 2016 by Juraj
Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx
of the OpenSSL development team.
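The advisory above pins the bug to one missing test: after the padding length byte is read, nothing confirmed that the record was long enough to hold both the padding and the MAC. The following is an added example, not code from the original post or from OpenSSL: it lays out the decrypted CBC payload as data || MAC || padding, exactly the MAC-then-encrypt arrangement discussed earlier, assuming HMAC-SHA1 (20 bytes) and 16-byte blocks, and shows where that length test sits relative to the padding and MAC checks. The names build_plaintext_record and verify_plaintext_record are assumptions of this example. Python gives no constant-time guarantees, so what the code demonstrates is the order of the checks and that every failure path returns the same result rather than two distinguishable errors.

```python
"""CBC record check with the length test CVE-2016-2107 was missing.

Added example (not from the original post or OpenSSL). It operates on the
decrypted CBC payload, data || MAC || padding, with HMAC-SHA1 (20 bytes)
and 16-byte blocks assumed. Python cannot promise constant time; the point
shown is the "enough data for both MAC and padding" test and the single
combined failure result.
"""
import hashlib
import hmac

BLOCK_SIZE = 16
MAC_LEN = 20   # HMAC-SHA1


def tls_pad(unpadded):
    """TLS CBC padding: pad_len bytes, each holding the value pad_len - 1,
    the last of them being the padding length byte itself."""
    pad_len = BLOCK_SIZE - (len(unpadded) % BLOCK_SIZE)   # 1..BLOCK_SIZE
    return unpadded + bytes([pad_len - 1]) * pad_len


def build_plaintext_record(key, data):
    """Lay out data || HMAC-SHA1(data) || padding, i.e. the CBC input."""
    mac = hmac.new(key, data, hashlib.sha1).digest()
    return tls_pad(data + mac)


def verify_plaintext_record(key, plaintext):
    """Return the payload if padding and MAC are both valid, otherwise None.
    Every failure path returns the same value so the caller leaks nothing."""
    if len(plaintext) % BLOCK_SIZE != 0 or len(plaintext) < MAC_LEN + 1:
        return None
    pad_len = plaintext[-1] + 1
    # The test the CVE-2016-2107 code path lacked: the record must be long
    # enough to hold BOTH the padding and the MAC before any byte is
    # interpreted as one or the other.
    if pad_len + MAC_LEN > len(plaintext):
        return None
    body_end = len(plaintext) - pad_len
    # Count mismatches instead of stopping at the first one, so the amount of
    # work does not depend on where the padding goes wrong.
    padding_ok = sum(1 for b in plaintext[body_end:] if b != pad_len - 1) == 0
    data = plaintext[:body_end - MAC_LEN]
    mac = plaintext[body_end - MAC_LEN:body_end]
    mac_ok = hmac.compare_digest(mac, hmac.new(key, data, hashlib.sha1).digest())
    if not (padding_ok and mac_ok):
        return None
    return data


if __name__ == "__main__":
    key = b"\x01" * 20                       # constructed MAC key
    record = build_plaintext_record(key, b"hello")
    print(verify_plaintext_record(key, record))                              # b'hello'
    print(verify_plaintext_record(key, record[:-1] + bytes([200])))          # None: padding claims more than exists
    print(verify_plaintext_record(key, bytes([record[0] ^ 1]) + record[1:]))  # None: MAC mismatch
```

A record whose last byte claims more padding than the record holds is rejected before any slice is taken; in the buggy version that slice would have run into memory it was not meant to read, which is what made the oracle observable.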

Interim summary:

Good practices on the web server to mitigate the risk:

Control requirements on the web server

  • Do not configure wildcard certificates
  • Certificates are to be signed by a trusted certificate authority (CA)
  • Ensure session cookies have the Secure flag (“secure=true”) set
  • Ensure the HSTS header is set for the domain and its sub-domains
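The last two controls above, and the Secure/HttpOnly cookie points from the earlier XKEYSCORE discussion, can be checked from the server's response headers alone. The following is an added example, not code from the original post: it parses Set-Cookie and Strict-Transport-Security headers from two constructed header sets (an unhardened default and a hardened response) and reports which of those controls are missing. The cookie names treated as session cookies and the function names are assumptions of this example.

```python
"""Audit HTTP response headers for the cookie and HSTS controls listed above.

Added example (not from the original post). Both header sets are
constructed: a typical unhardened default and a hardened response with
Secure/HttpOnly flags and an HSTS header that covers sub-domains.
"""

# Assumed names of cookies that carry a session ID (extend for your application).
SESSION_COOKIE_NAMES = ("JSESSIONID", "PHPSESSID", "ASP.NET_SessionId", "sessionid")


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: val})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, attrs


def parse_hsts(value):
    """Parse 'max-age=N; includeSubDomains' into {directive_lower: val}."""
    directives = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.strip().lower()] = val.strip()
    return directives


def audit_response_headers(headers, session_names=SESSION_COOKIE_NAMES):
    """headers: list of (name, value) pairs as sent by the server.
    Returns a list of findings; an empty list means every check passed."""
    findings = []
    hsts = next((v for n, v in headers if n.lower() == "strict-transport-security"), None)
    if hsts is None:
        findings.append("missing Strict-Transport-Security header")
    else:
        d = parse_hsts(hsts)
        max_age = d.get("max-age", "0")
        if not max_age.isdigit() or int(max_age) <= 0:
            findings.append("HSTS max-age missing or zero")
        if "includesubdomains" not in d:
            findings.append("HSTS does not cover sub-domains (includeSubDomains)")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:                      # every cookie on an HTTPS site
            findings.append("cookie %s: missing Secure flag" % name)
        if name in session_names and "httponly" not in attrs:   # session cookies only
            findings.append("cookie %s: missing HttpOnly flag" % name)
    return findings


# Constructed header sets, not captured from any real server.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response_headers(hdrs) or ["ok"])
```

HttpOnly is only demanded for session cookies because some cookies (a CSRF token read by a script, a UI preference) legitimately need to be visible to JavaScript; Secure is demanded for all of them, since a cookie that travels over plain HTTP is readable by anyone on the path whether or not it holds a session.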

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Stuxnet is a famous malware built to sabotage Iran's nuclear program. From a technical point of view, malware changed the shape of computers in the world, converting them into cyber weapons. Which team takes responsibility? For sure it is not you and me.

Stuxnet attack scenario:

We heard that malware activity in South Korea has been serious recently. Headline news reported that South Korea's military defence was hacked. According to the articles, the goal of the malware attack was a South Korean nuclear facility. We don't have related information and are not going to predict who is behind this incident. But malware focused on nuclear power facilities is not new. Stuxnet, Duqu and Flame are categorised as hardcore malware. Hardcore malware usually achieves the following actions.

Do you think SCADA system is the culprit of attack on nuclear power system?

What is SCADA?

SCADA is an acronym for Supervisory Control And Data Acquisition, which is a computer system for gathering and analyzing real-time data.

Where is SCADA used?

SCADA systems are used to automate complex industrial processes where human control is impractical. SCADA systems provide the benefit of controlling and monitoring processes, and are therefore used in large applications such as monitoring and controlling a nuclear power plant.

SCADA application:

WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries.

Historical incident record:

June 2010 – Stuxnet relied on Microsoft zero-days to implant malware that granted control and monitoring functions in the SCADA system.

The malware attack was triggered by Microsoft zero-days (MS08-067, MS10-046 & MS10-061).

The malware relies on the vulnerability CVE-2010-2772 and executes privilege escalation on the WinCC MSSQL database server. As a result the attacker is able to view information on the SCADA system.

Oct 2011 – Duqu executables share injection code with the Stuxnet worm. The Duqu design was based on the same source code as Stuxnet. The similar features are shown below:

  • Duqu use XOR based encryption for strings (key: 0xAE1979DD)
  • Decrypted DLLs are directly injected into system processes instead of dropped to disk.
  • Rootkit to hide its activities

May 2012 – Flame malware targeted cyber espionage in Middle Eastern countries.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

The number and geographical location of Flame infections detected by Kaspersky Lab on customer machines.

  • Iran = 189
  • Israel/Palestine = 98
  • Sudan = 32
  • Syria = 30
  • Lebanon = 18
  • Saudi Arabia = 10
  • Egypt = 5

Apr 2016 – Virus:Win32/Ramnit.A: a German nuclear plant was infected with a computer virus. As Reuters reported, viruses with names like “W32.Ramnit” and “Conficker” were found in a computer system that deals with data visualisation.

Win32/Ramnit.A is a file infector with IRCBot functionality which infects .exe and .HTML/.HTM files and opens a back door that compromises your computer.

  • File MD5: 0x5CC31D49CAFC508238259616583332A2
  • File SHA-1: 0xC775A22B4B150989F57AB129591F4DA328F52B7C

Aug 2016 – Virus:Win32/Ramnit.A (checksum changed)

  • File MD5: 0x25C1DE8838ADBC0DCFF61E6B44458CF4
  • File SHA-1: 0xDF6B04BA2103B2EB43B51EBDFB705A37BE5F28A9
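The two Ramnit.A checksum pairs above are exactly the kind of indicator a plant operator would want to sweep a data-visualisation workstation for. The following is an added example, not code from the original post: it normalises the hashes as the post prints them (0x prefix, upper case), walks a directory tree, hashes every file with MD5 and SHA-1 in one pass, and lists the files that match. Only the hashes come from the post; the directory walk and the benign sample file it is demonstrated on are constructed here.

```python
"""Match files on disk against the Ramnit.A hash indicators quoted above.

Added example (not from the original post). Only the hash values are from
the post; the directory walk and the sample file are constructed here.
"""
import hashlib
import os
import tempfile

# Hashes quoted in the post for both Virus:Win32/Ramnit.A samples, kept in the
# post's own 0x... notation to show the normalisation step.
RAW_IOCS = {
    "md5": ["0x5CC31D49CAFC508238259616583332A2", "0x25C1DE8838ADBC0DCFF61E6B44458CF4"],
    "sha1": ["0xC775A22B4B150989F57AB129591F4DA328F52B7C",
             "0xDF6B04BA2103B2EB43B51EBDFB705A37BE5F28A9"],
}


def normalize_hash(value):
    """Upper-case hex without a 0x prefix, so any report format compares equal."""
    value = value.strip().upper()
    if value.startswith("0X"):
        value = value[2:]
    return value


def load_iocs(raw=RAW_IOCS):
    return {algo: {normalize_hash(h) for h in values} for algo, values in raw.items()}


def hash_file(path, chunk_size=1 << 20):
    """Return (MD5, SHA-1) hex digests of a file, read once in chunks."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha1.update(chunk)
    return md5.hexdigest().upper(), sha1.hexdigest().upper()


def matches_ioc(md5_hex, sha1_hex, iocs):
    return normalize_hash(md5_hex) in iocs["md5"] or normalize_hash(sha1_hex) in iocs["sha1"]


def scan_tree(root, iocs=None):
    """Return the paths under `root` whose MD5 or SHA-1 is on the indicator list."""
    iocs = iocs or load_iocs()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            try:
                md5_hex, sha1_hex = hash_file(path)
            except OSError:        # unreadable or vanished file: skip, keep scanning
                continue
            if matches_ioc(md5_hex, sha1_hex, iocs):
                hits.append(path)
    return hits


def demo_scan():
    """Scan a temporary directory holding one constructed benign file."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "readme.txt"), "wb") as fh:
            fh.write(b"constructed sample file, not malware\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    print("matches in demo directory:", demo_scan())   # expected: none
```

Matching by hash only catches the exact samples listed; the August entry above shows the checksum changing between two samples of the same family, which is why a hash sweep is a quick first pass rather than the whole answer.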

1st Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Interim summary:

SCADA systems are used to automate complex industrial processes where human control is impractical. SCADA systems provide the benefit of controlling and monitoring processes, and are therefore used in large applications such as monitoring and controlling a nuclear power plant. WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries. Since zero-day vulnerabilities are found every week, especially in Microsoft products, do you think the SCADA system is the culprit of attacks on nuclear power systems?

The development of a nuclear power project has a huge budget and is covered by a disaster recovery plan. Do you think the current disaster recovery plan covers a zero-day attack on the SCADA system? What do you think?

 

Part 1: Blockchain technology situation – A Tale of Two Cities

 

Quotes from A Tale of Two Cities

“It was the best of times, it was the worst of times...” – Charles Dickens

Reading the novel from my viewpoint looks boring; however, the famous quote by Charles Dickens correctly describes the current situation of blockchain technology.

It was the best of times

Blockchain technology appeared in the world to support electronic currencies. Proprietary payment methods have dominated the financial world for a long time. As a consumer, you are not going to pay a high service fee for a transfer payment method, right? Blockchain technology (cryptocurrency) appeared like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs blockchain technology

Traditional payment transfer needs central authorities to certify ownership and clear transactions (see the diagram below for reference).

Blockchain technology – decentralised data storage

In a blockchain network the data is stored on many computers (miners). Each computer is interconnected with the other computers (nodes) in the blockchain network, and the information on all these computers is constantly kept in sync.

Blockchain is also the name of a bitcoin wallet and block explorer service. From a general point of view, it confers benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all.

Economic benefits: for the time being, bitcoin does not have high economic benefits.

Business development opportunities: the blockchain concept lures entrepreneurs to bring up new business ideas. Their objective is to break the ice and make electronic payment more open.

It was the worst of times!

Hacking for ransom was not feasible while law enforcement teams could trace the fingerprints of the money and find out the details; bad guys were aware that they would be arrested during the money clearing process. Therefore they did not intend to ask for ransom until cryptocurrency (bitcoin) appeared. It looks as if bitcoin's features have seriously lured hacking activity, for instance triggering the ransomware infections that scare the IT world. Law enforcement teams (FBI) have had no solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The reality is that Bitcoin exchange operations and policies have a low level of visibility. Yes, they make use of blockchain technology, but their governance structure is not equal to that of a common financial institution. The incidents that have occurred so far show a lack of visibility! The historical incident records below (thefts from Bitcoin exchanges) may give you an idea.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong-based Bitcoin exchange (Bitfinex) hacked: 119,756 bitcoins drained from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of 1,500 bitcoins lost, valued at US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of 150 bitcoins lost, valued at $43,000

Remark: the Hong Kong Monetary Authority makes its guidelines mandatory for Hong Kong financial institutions, including bitcoin exchange business vendors. For more details, please refer to regulatory requirements such as HKMA TM-E-1, TM-G-1, TM-G-2 and SA-2.

Level of trustworthiness – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to sell US$1.6 million in Bitcoin at auction.

Regarding the above auction by the US government: do you think it is equivalent to the US government giving blockchain technology a vote of no confidence?

Cyber security viewpoint - Blockchain vs. SWIFT 

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

The SWIFT Bangladesh heist caused a sensation and made financial institutions sit up, bringing their attention to end-user computing, whereby continuous information security programs and policies were announced. But you might have a question: how does SWIFT manage to fight it all, given unknown vulnerabilities in their system?

Blockchain technique: every transfer of funds from one account to another is recorded in a secure and verifiable form using mathematical techniques borrowed from cryptography. From a technical point of view, it is a tamper-proof technology. So why was the bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hint at a weakness of fundamental design (see below).

Referring to the diagrams above, a common factor occurs in both traditional payment and blockchain solutions. No matter how secure your payment method is, a single point of failure in a single element will break your tamper-proof design. For instance, if a vulnerability occurs at the OS level of the sender's or receiver's workstation, malware can compromise the whole solution, even though you are using an advanced crypto solution.
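The two claims made above, that the ledger itself is tamper-evident and that a compromised endpoint defeats it anyway, can both be shown in a few dozen lines. The following is an added example, not code from the original post or from any real cryptocurrency: a hash-chained ledger of signed transfers, where editing history on one copy is caught by verification, while a transfer signed by malware holding the victim's wallet key passes every check the chain can make. HMAC with a per-wallet secret stands in for the public-key signature a real chain would use, and there is no consensus or proof of work; the names build_demo_chain, tampered_ledger_detected and stolen_key_transfer_accepted are assumptions of this example.

```python
"""Hash-chained ledger with signed transfers: tamper detection vs. endpoint compromise.

Added example (not from the original post). Real chains use public-key
signatures and a consensus rule; here HMAC with a per-wallet secret stands
in for the wallet signature so the example runs with the standard library.
"""
import hashlib
import hmac
import json

GENESIS_PREV = "0" * 64


def canonical(obj):
    """Deterministic JSON so the same content always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def block_hash(index, prev_hash, txs):
    return hashlib.sha256(canonical({"index": index, "prev": prev_hash, "txs": txs})).hexdigest()


def sign_tx(wallet_key, sender, receiver, amount):
    """Build a transfer and sign it with the sender's wallet secret (HMAC stand-in)."""
    tx = {"from": sender, "to": receiver, "amount": amount}
    tx["sig"] = hmac.new(wallet_key, canonical(tx), hashlib.sha256).hexdigest()
    return tx


def tx_signature_ok(wallet_keys, tx):
    key = wallet_keys.get(tx["from"])
    if key is None:
        return False
    body = {k: v for k, v in tx.items() if k != "sig"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tx["sig"])


def append_block(chain, txs):
    prev = chain[-1]["hash"] if chain else GENESIS_PREV
    block = {"index": len(chain), "prev": prev, "txs": txs}
    block["hash"] = block_hash(block["index"], prev, txs)
    chain.append(block)
    return block


def verify_chain(chain, wallet_keys):
    """True only if every block's hash and back-link are intact and every
    transfer carries a valid signature from its sender's wallet key."""
    for i, block in enumerate(chain):
        prev = chain[i - 1]["hash"] if i else GENESIS_PREV
        if block["index"] != i or block["prev"] != prev:
            return False
        if block_hash(i, prev, block["txs"]) != block["hash"]:
            return False
        if not all(tx_signature_ok(wallet_keys, tx) for tx in block["txs"]):
            return False
    return True


def build_demo_chain():
    """Constructed two-block ledger between two wallets."""
    keys = {"alice": b"alice-wallet-secret", "bob": b"bob-wallet-secret"}
    chain = []
    append_block(chain, [sign_tx(keys["alice"], "alice", "bob", 5)])
    append_block(chain, [sign_tx(keys["bob"], "bob", "alice", 2)])
    return chain, keys


def tampered_ledger_detected():
    """Editing history on one node's copy breaks both the block hash and the signature."""
    chain, keys = build_demo_chain()
    chain[0]["txs"][0]["amount"] = 500
    return not verify_chain(chain, keys)


def stolen_key_transfer_accepted():
    """Malware on Alice's workstation signs with her key: the chain is consistent and
    every signature checks out, so the ledger cannot tell this transfer from hers."""
    chain, keys = build_demo_chain()
    append_block(chain, [sign_tx(keys["alice"], "alice", "mallory", 999)])
    return verify_chain(chain, keys)


if __name__ == "__main__":
    chain, keys = build_demo_chain()
    print("intact chain verifies:", verify_chain(chain, keys))
    print("tampered copy rejected:", tampered_ledger_detected())
    print("transfer signed with a stolen key accepted:", stolen_key_transfer_accepted())
```

The chain protects the record of what was signed, not the decision to sign; that is why the endpoint holding the key, the sender's or receiver's workstation in the diagrams above, remains the single point of failure in an otherwise sound design.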

In the next topic we are going to investigate bitcoin malware. Coming soon!