Category Archives: Network (Protocol, Topology & Standard)

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Edward Snowden Heads up! Stranger, what do you want?

245 Comments

Enterprise firm execute data classification to protect corporate important data. Follow the code of practise, confidential data contained high level of sensitivity label requires encryption. The whistleblower Edward Snowden alerts the people in the world on 2013. But you might have question to ask till now, what sort of personal data we need to protect. Seems end user computing mostly ignore by users. The traditional idea is that we enforce the preventive control from server end. As times go by, mobile phone twisted the IT world. IT Renaissance, literally reborn. The usage of computer not limit to location and time zone. We can execute the remittance or payment on mobile phone. You do a backup or synchronize mobile data when go home. Sure you can upload everything on cloud.

In regards of global surveillance program by US government

It looks that surveillance program is a never ending story! Why? From official perspective domestic surveillance program can effectively monitoring terrorist attacks and criminal activities. NSA web page slogan have the following statement.

“Defending our nation. Securing the citizens.”

We have no objection that collection of internet data, mobile phone voice and data exchange as a weapon fright againts crime. To be honest we don’t have rights! But question raised how to identify the usage of this data?We are not the perpetrator, logically we might not afraid of this control?

Highlight the NSA data collection methoglogy:

  • Real-Time Yahoo Email Scanning
  • Domestic Intercept Stations
  • Bulk Collection of U.S. Citizens’ Phone Records
  • The PRISM Program: Source of Raw Intelligence
  • Google Cloud Exploitation
  • Cellphone Tracking
  • Spying Toolbox: Servers, routers, firewall devices, computers, USB, keyboard, wireless LAN, cell phone network & mobile phone
  • FBI Aviation Surveillance Operations (FBI Hawk Owl Project)
  • XKeyscore: Our Real-Time Internet Monitoring Capability

Above details not a confidential data, you can easy find this information. Please take a visit to NSA front page, for more details please see below:

https://nsa.gov1.info/surveillance/

US Government with high visibility statement let’s the citizens know they are under surveillance. A open method of NSA is use a tool so called “XKEYSCORE”. When an US speaker logs into a Yahoo email address, XKEYSCORE will store “mail/yahoo/login” as the associated appID. This stream of traffic will match the “mail/english” fingerprint (denoting language settings). When a browser visits a site that uses Yield Manager, a cookie will be set. This cookie is used to identify whether the browser has loaded an advert and when and where it loaded it (which detects Yahoo browser cookies).  Yield Manager also collects information such as:

– the date and time of your visit to the website.

– IP address.

– the type of browser you are using.

– the web page address you are visiting.

XKEYSCORE appIDs and fingerprints lists several revealing examples. Windows Update requests appear to fall under the “update_service/windows” appID, and normal web requests fall under the “http/get” appID. XKEYSCORE can automatically detect Airblue travel itineraries with the “travel/airblue” fingerprint, and iPhone web browser traffic with the “browser/cellphone/iphone” fingerprint.

XKEYSCORE features highlight:

  1. Tracking Bridge Users
  2. Tracking Tor Directory Authorities
  3. Tracking Torproject.org Visits

See below part of the XKEYSCORE sourcecode can bring you an idea XKEYSCORE focus on TOR routers.

 

Traffic flows into an XKEYSCORE cluster, the system tests the intercepted data against each of these rules and stores whether the traffic matches the pattern.

But how about the hackers? Hacker also have interest of these data which NSA does. I believed that below checklist details lure hacker interest.

Internet application coding create a loophole make this cyber games become a never ending story.

Example:

  • Email accounts or passwords using session cookies
  • A common use for XSS is stealing cookies to hijack sessions and gain access to restrictedweb content
  • When cookie doesn’t have Secure flag set, then it can be sent over insecure HTTP (provided that HSTS is not used; HSTS is described in the next section). When this is a case, the attacker controlling the communication channel between a browser and a server can read this cookie. If the cookie stores session ID, then disclosure of this cookie over insecure HTTP leads to user impersonation.
  • When a cookie doesn’t have HttpOnly flag set, then JavaScript can read a value of this cookie. That’s why XSS attack leads to user impersonation if there is no HttpOnly flag set for a cookie with session ID. When a cookie has HttpOnly flag set, then attacker can’t read a value of the cookie in case of XSS attack. The problem is that access permissions are not clearly specified in RFC 6265. It turns out, that cookie with HttpOnly flag can be overwritten in Safari 8.

Short term conclusion:

No way because we are living on earth!

Network (Protocol, Topology & Standard)

Black Friday malware vs Lucky 13 – Keep away from anything labeled thirteen

77 Comments

We are living on earth. The human being ancestor went through different generations of reforms. As a result modern civilization today. The foundation of civilization build by different elements and objects. A major element named logic, it structure cause and effect. Above definition involve successful factor of result. However some sort of things happen on earth looks mystery. Quote an example, Friday the 13th is considered an unlucky day in Western superstition. From scientific view point, such superstition it doesn’t make sense and no background factor support. By coincidence when you go to cosmopolitan city like Chicago or New York. You couldn’t found 13th Floor on escalator? Even though without scientific factor support this superstition whereas No.13th or Black Friday bring us psychological impact. We continue this discussion but our focus will go to cyber security. Up to this point, you might have question to ask? Why do we spend time on preface mention superstition topic?

Do you remember Jerusalem virus?

A virus first detected in Jerusalem, in 13th October 1987 (Black Friday). This virus hook itself on MS DOS services and capable run malware function. But internet communicate services not available at 80’s. How does it work? The virus program contains one destructive payload that is set to go off on black Friday (Friday the 13th). This is the 1st time let IT guru know a cyber attack schedule Friday the 13th Jan 2016. Below is the source code highlight for reference:

mov ah,02Ah             ; Get system data
int 021h
mov byte cs:[zap],00H
cmp cx,07C3h            ; CX->Year, 7C4h=1987
jz done                 ; Do nothing if1987
cmp al,05h              ; AL->Day,05h=Friday
jnz otherpload          ; No zap if not Fri
cmp dl,00h              ; DL->Date, 00h=13
jnz otherpload          ; No zap if not 13th
inc byte cs:[zap]       ; Else turn on ZapFlag
jmp done
nop

Attack concept and idea – take advantage of the computer instruction set design limitation. For more details, please see below:

  1. If the interrupt flag (IF) is set (=1) then external hardware can initiate an interrupt via the INTR input of the microprocessor.
  2. If IF flag is clear (=) then the external device cannot initiate an interrupt.

Jerusalem code itself hooks into interrupt processing and other low level DOS services. This type of infection technique looks similar of the privileges escalation method run by malware today!

Keep away from anything labeled thirteen

Unfortunately, cyber incident occurs in 2013, coincidence that magic number thirteen was involved in the naming convention scheme. It is a crypto TLS vulnerability. Before we discuss what is lucky 13. Let’s do a quick review of TLS & SSL/TLS protocol architecture in below info graphic diagram.

Overview of TLS & SSL/TLS protocol architecture

 

As we know, there are total 4 types of SSL attack recently.

  • Beast attack
  • Crime attack
  • Lucky 13 attack
  • RC4 attack

To be honest, lucky 13 not equivalent to the meaning of his name. It is a cryptographic timing attack against implementations of the Transport Layer Security (TLS) protocol originally.

What is timing attack? (see below)

The attack allows a man-in-the-middle attacker to recover plaintext from a TLS/DTLS connection when CBC-mode (cipher-block chaining) encryption is used. Man-in-the-middle timing attack against TLS that exploits the interaction between how the protocol implements AES in CBC mode for encryption, and HMAC-SHA1 for authentication.

CVE-2013-0169 – The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets.

Predict more security bug in future, it is a fundamental design limitation so called MAC then encrypt

Encryption algorithm tried to apply it to TCP/IP but the model does not match well TCP/IP. Some things don’t fit in the layers, and SSL/TLS is one of them.

D(TLS) encryption process (see below):

  • SSL/TLS uses an underlying transport medium that provides a bidirectional stream of bytes. That would put it somewhere above layer 4.
  • SSL/TLS organizes data as records, that may contain, in particular, handshake messages. Handshake messages look like layer 5. This would put SSL/TLS at layer 6 or 7.
  • However, what SSL/TLS conveys is “application data”, which is, in fact, a bidirectional stream of bytes. Applications that use SSL/TLS really use it as a transport protocol. They then use their own data representation and messages and semantics within that “application data”. Therefore, SSL/TLS cannot be, in the OSI model, beyond layer 4.

The Lucky13 attack triggered a series of TLS technical concerns . Yet another Padding Oracle vulnerability found in May 2016 (see below)

Padding oracle in AES-NI CBC MAC check (CVE-2016-2107)
======================================================

Severity: High

A MITM attacker can use a padding oracle attack todecrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI.

This issue was introduced as part of the fix for Lucky 13 padding
attack (CVE-2013-0169). The padding check was rewritten to be inconstanttimeby making sure that always the same bytesarereadand
compared against either the MAC or padding bytes. But it no longer
checked that there was enough datato have both the MAC and padding
bytes.

OpenSSL 1.0.2users should upgradeto1.0.2h
OpenSSL 1.0.1users should upgradeto1.0.1t

This issue was reported to OpenSSL on13th of April 2016by Juraj
Somorovsky using TLS-Attacker. The fix was developed by Kurt Roeckx
of the OpenSSL development team.

Interim summary:

A good practise on web server to mitigate the risk:

Control requirement on web server

  • Do not configure wild card certificates
  • Certificate to be signed by trusted certificate authority (CA)
  • Ensure session cookies have “secure=true” flag set
  • Ensure HSTS header is set for domain and sub domain
Network (Protocol, Topology & Standard), System

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

198 Comments

Stuxnet a famous malware to sabotage Iran’s nuclear program. From technical of view, malware change the shape of computers in the world convert to a cyber weapon. Who’s the team take responsibility? For sure that is not you and me.

Stunext attack scenario:

Heard that malware activities in South Korea run serious recently. Headline news were told the military defense of south Korea was hacked. Regarding to the articles the goal of such malware attack focus South Korean nuclear facility. We don’t have related information and not going to predict who is the attacker of this incident. But malware focus nuclear power facilities not only occurs today. Stuxnet, Duqu, and Flame are categories hardcore type malware. The hardcore type malware usually achieve the following actions.

Do you think SCADA system is the culprit of attack on nuclear power system?

What is SCADA?

SCADA is an acronym for Supervisory Control And Data Acquisition, which is a computer system for gathering and analyzing real-time data.

Where is SCADA used?

SCADA systems are used to automate complex industrial processes where human control is impractical. The SCADA systems benefits to control and monitor processes. Thereby it used in large applications such as monitoring and controlling a nuclear power plant.

SCADA application:

WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries.

Historical incident record:

June 2010 – Stuxnet relies on MS zero day implant malware granted control and monitor functions in SCADA system.

Malware attack triggered by Microsoft Zero day (MS08-067, MS10-046 & MS10-061)

Malware relies on vulnerability (CVE-2010-2772) and execute privileges escalation on database of WinCC MSSQL server. As a result hacker allow to view information on SCADA system.

Oct 2011Duqu executables share injection code with the Stuxnet worm. The Duqu design was based on the same source code as Stuxnet. The similarity of features shown as below:

  • Duqu use XOR based encryption for strings (key: 0xAE1979DD)
  • Decrypted DLLs are directly injected into system processes instead of dropped to disk.
  • Rootkit to hide its activities

May 2012 Flame malware targeted cyber espionage in Middle Eastern countries.

The researchers say that Flame may be part of a parallel project created by contractors who were hired by the same nation-state team that was behind Stuxnet and its sister malware, DuQu.

The number and geographical location of Flame infections detected by Kaspersky Lab on customer machines.

  • Iran = 189
  • Israel Palestine = 98
  • Sudan = 32
  • Syria = 30
  • Lebanon = 18
  • Sudi Arabia = 10
  • Egypt = 5

Apr 2016Virus:Win32/Ramnit.A, German nuclear plant infected with computer virus. As Reuters reports, viruses with names like “W32.Ramnit” and “Conficker” where found in a computer system that deals with data visualization.

The virusesWin32/Ramnit.A is a file infector with IRCBot functionality which infects .exe, and .HTML/HTM files, and opens a back door that compromises your computer.

  • File MD5: 0x5CC31D49CAFC508238259616583332A2
  • File SHA-1: 0xC775A22B4B150989F57AB129591F4DA328F52B7C

Aug 2016Virus:Win32/Ramnit.A (checksum changed)

  • File MD5: 0x25C1DE8838ADBC0DCFF61E6B44458CF4
  • File SHA-1: 0xDF6B04BA2103B2EB43B51EBDFB705A37BE5F28A9

1st Oct 2016 – Headline News: Rep. Kim Jin-pyo, a lawmaker of the main opposition Minjoo Party of Korea, told Yonhap News Agency in a telephone interview that the hacking targeted the “vaccine routing server” installed at the cyber command.

Interim summary:

SCADA systems are used to automate complex industrial processes where human control is impractical. The SCADA systems benefits to control and monitor processes. Thereby it used in large applications such as monitoring and controlling a nuclear power plant. WinCC (Siemens Simatic HMI WinCC v7.3 (x86/x64)) provides all the functionality of SCADA for Windows for all industries. Since zero-day vulnerability found each week especially Miscrosoft products. Do you think SCADA system is the culprit of attack on nuclear power system?

The project development of Nuclear power budget huge amount of money and covered with disaster recovery plan. Do you think current disaster recovery plan will cover up Zero day attack on SCADA system? What do you think?

 

Application Development, Network (Protocol, Topology & Standard), System

Part 1:Blockchain technology situation – A Tales of Two Cities

200 Comments

 

Quotes from A Tales of Two Cities

“It was the best of times, it was the worst of times,.. Charles Dicken

Read the fiction from my view point looks boring, however a famous quotes written by Charles Dicken can correctly describe the current situation of Blockchain technology.

It was the best of the times

Blockchain technology appear to the world cope with electronic currencies. The proprietary payment method covered up financial world long period of times. As a consumer you are not going to pay high rate of services fees for transfer payment method , right? The blockchain technology (crypto currency) appears like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

The traditional payment transfer need for central authorities to certify ownership and clear transactions (see below diagram for reference)

Blockchain technology – decentral data storage

In a blockchain network the data is stored on many computers (miner). Each computer interconnect the other computers (nodes) in the blockchain network. The information on all these computers are constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From general point of view, it confer benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic Benefits: In the meantime bitcoin did not have high economic benefits.

Business development opportunities: Block chain concept lure entrepreneurship bring up new business idea. Their objective is going to break the ice. Make the electronic payment more open.

It was the worst of times!

Hacking looking for ransom not possible occurs since law enforcement team trace the finger prints can find out details. Bad guy aware that he will under arrest during money clearing process . Therefore they are not intend to ask for ransom until crypto currency (bitcoin) appears. It looks that bitcoin feature lure hacking activities in serious. For instance triggers ransomware infection scare IT world. Law enforcement team (FBI) did not have solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The realistic were told that Bitcoin exchange operation and policy visible level are low. Yes, they are make use of blockchain technology, however the governance structure not equal to common financial institution. The incidents occurred so far look lack of visibility! See below historical incident records (thefts from Bitcoin exchange) might bring an idea to you.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong base Bitcoin exchange (Bitfinex) hacked : drained 119,756 bitcoins from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): Undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of lost 1,500 bitcoins value US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of lost 150 bitcoins value $43,000

Remark: Hong Kong monetary authority enforce Hong kong financial institution includes bitcoin exchange business vendor mandatory execute their guideline. For more details, please refer to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of Trustworthy – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding to the above auction by US government. Do you think it equivalent that US government gave blockchain technology as a untrust vote?

Cyber security viewpoint - Blockchain vs. SWIFT

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

Swift bangladesh heist cause a sensation. Let’s finance institution heads up. Bring their attention to end user computing. Whereby a continous information security program and policy announced. But you might have question? How SWIFT manage to fight it all? That is unknow system vulnerabilities on their system?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From technical point of view, it is a tamper-proof technology. Why was bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hints that a weakness of fundamental design (see below)

 

 

Refer to above diagrams, a common criteria occurs on both traditional payment and blockchain solution. No matter how secure on your payment method, a single point of failure on single element will crash your tamper-proof design. For instance, a vulnerability occurs in sender or receiver workstation OS level, malware can compromise the whole solution. Even though you are using advanced crypto solution.

Next topic we are going to investigate bitcoin malware. Coming soon!

 

Application Development, Network (Protocol, Topology & Standard), System

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

202 Comments

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is this a hoax? Or it is National Security Agency?

244 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/Equation-Group-pic-2_zpsojrksrjr.jpg

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-1_zpsd7yypvqf.jpg

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

200 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-Cisco_zpszinq59nd.jpg

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Internet traffic governance by firewall (Great wall), what circumstances China still under external Cyber attack?

304 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/China-Firewall_zpsutjpv0vx.jpg

The surveillance program in China running in visible level. China government defined traffic monitoring scheme, the People live in China entitled to benefits of citizenship must accept this policy.A well known secret indicated that a giant (Great wall) monitoring the inbound and outbound internet traffic continuously. Sounds great! From technical point of view, workstation located in China is under government protection. The benefits is that overall hit rate with cyber attacks will become lower. We are not a politicians for not going to speculate the reason to establish this security facility. But it looks that there is no perfect defence mechanism in the world. The Internet Security Threat Report on June 2016 provides the following parameters.

Web sites for remote control

  • 3,637 foreign IP addresses through the backdoor arrived to the territory.
  • 6,618 websites encountered cyber attack causes hacker remote control.

Remark: Among them, foreign suspicious IP address is located mainly in the United States, China, Hong Kong and South Korea and other countries or regions.

  • Foreign countries IP address relies on backdoor might came from Russia . They are execute web server remote control. The total suspected IP addresses are 1,667.
  • Website implanted backdoors, ranks in high volume.
  • Besides, implanted backdoor attack IP address covered US and Hong Kong area. The total statistic are 1129 came from US and 808 came from Hong Kong.

Reference: Internet stats for 2016

China, as a country, has the most internet users; with an estimated 640 million internet users, the number of internet users in China is twice the number of the entire U.S population.

What’s the reason?

Major Factor:

1. Enterprise firm Site to Site VPN connection bypass Great Wall governance: If there is security weakness occurs in their server system and network backbone. Hackers are able to relies on those vulnerabilities of the system  activate the cyber attacks.

2. Remote Proxy services bypass Great Wall

A terminology so called internet censorship circumvention, the method is establish a encryption tunnel, the tunnel end point of connection is the foreign countries proxy gateway. It is a onion network, if one of the proxy server not in service, the proxy services application will search another available gateway.
Since the network datagram was encrypted by TLS/SSL. The version update in frequent. From certain point of view, great wall might not decrypt the network traffic and such a way let him go!

3. Layer 2 Tunneling Protocol (L2TP) bypass Great Wall

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one’s IP address, censorship circumvention, and geolocation. As far as I know, Great wall have capability to deny this network traffic.

4. Flaw found in ASN.1 compiler – for more details refer below url for reference.

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

China’s intelligence mobile phone has high growth rate. Since it is intelligence device, it is a mobile computing device. From technical point of view, it looks a workstation with Internet connection feature. China Mobile Phone Users reached 1.306 Billion in 2015. It is hard to guarantee 1.306 Billion mobile phone are compliance. That mean OS is the latest version, anti-virus installed with update pattern. To be honest it is not easy! With so many people dependent on mobile devices to communicate and work, mobile network security is more important than ever.

Additional information – SCMP regarding China Firewall

http://www.scmp.com/news/china/policies-politics/article/1922677/china-blocks-vpn-services-let-users-get-round-its-great

Any other? Is your turn to input. Be my guest!

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard)

The important thing is to never stop questioning (Albert Einstein)

251 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/sat-China_zpsfc8frkuz.jpg

The important thing is to never stop questioning, said Dr. Einstein. View the breaking news today.China has launched the world’s first quantum communications satellite into orbit. Watch TV News program noticed that a group of scientist find a way apply the quantum physics to traditional cryptography replacing RSA cryptosystem. The testing go to final stage in 2015. Competitions everywhere today including employees, business partners, countries. Life is not easy! World looks demanding now! Let’s review in short form in regards to RSA cryptosystem weakness.

RSA cryptosystem weakness:

  • The RSA cryptosystem can be very weak if you do not choose your primes carefully.
  • If the two corresponding ciphertexts are intercepted.
  • If you send the same message to more people with the same RSA encryption exponent e , then the plaintext can always be obtained easily from the intercepted ciphertexts.

Quantum Cryptography benefits:

  • Quantum entanglement – particles can share the same quantum state irrespective of their spatial distance from each other. The entanglement state discard when parameters change.
  • Quantum cryptography would be used in practice to produce one time pads that could be used to securely encrypt any message.

What is the key factors (built a quantum communications satellite):

Avoid eavesdropping – Being monitored

Cyber attack – Being attacked by hackers

Questioning about unknown factors?

In what Layer of the Earth’s Atmosphere install this satellite?

Answer: Exosphere – up to 10,000 km above the Earth

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/orbit-v4_zpsgkk97mbq.gif

Is there any external interfere to this layer? For instance, SUNSPOT & X-rays?

It was protected by atmosphere. Atoms are no longer gravitationally bound to the Earth and get knocked away by solar wind. As such, without interference caused by Sunspot suspend the network communications. (Remark: Satellite interfere by sunspot periodically. The result is that the satellite will lost electronic communications in short period of time.)

Does it compatible with mobile phone?

Yes, it is compatible with 4G mobile network and provides hack proof communication channel. I believed that it achieves independence from the use of fixed line or existing mobile networks through super fast Ka-band satellite backhaul.

The objective is that avoid eavesdropping on mobile phone. For instance, NSA tapped Angela Merkel’s mobile phone. The scandal expose to public in 2014.

Germany opens inquiry into claims NSA tapped Angela Merkel’s phone

https://www.theguardian.com/world/2014/jun/04/germany-inquiry-nsa-tapping-angela-merkel-phone

Interim summary:

The space of technology development is to infinite. But like Dr Einstein said, the important thing is to never stop questioning.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/questioning_zpsyrbxvutm.jpg

Network (Protocol, Topology & Standard)

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

35 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/SS7-ASN1-Flaw_zpslcpchclx.jpg

Preface

People might questions leonardo Da Vinci if he still alive. Why did he choose this woman became mona lisa? Since nobody could explain on behalf of him. But strongly believe that this is the original design.

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. On the other hand, the culture of modern world relies on electronic communications system. Therefore network communication protocol especially TCP/IP protocol and Signaling System 7 are the major elements in nowadays world.

Recall historical data of specific elements (quick & dirty)

1. ASN.1

Originally defined in 1984 as part of CCITT X.409:1984

Design objective:

i. Overcome how different computer systems transmit data
ii. Model parameters exchanged between application entities

 

2. Signalling System 7

It was developed in 1975

Design objective

i. SS7 controls telephone calls, both wired and wireless, through the use of a control signal that is separate from the actual voice circuit.

ii. It allows phone networks to exchange the information needed for passing calls and text messages between each other.

3. TCP/IP version 4

The first version of this predecessor of modern TCP was written in 1973

Design objective

i. A set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over networks.

ii. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination.

Flaws found as of today

TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/ninja-anima-ver2_zpsoonzpftm.gif

Interim solution apply to Linux environment

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. Append the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Use “sysctl -p” to activate this feature

Flaw found in ASN.1 compiler

For more details, please see below:

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

Interim solution: unavailable

Current status: The extent of the vulnerability has yet to be determined, IT folks this vulnerability looks critical. It is hard to imagine what’s the impact at this moment. We keep our eyes open see whether a remediation will be announced by the telecommunication providers?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

Interim solution

Mobile phone network services provider has employed security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access.

For additional information details, please refer below:

SS7 hack explained: what can you do about it?

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/OSI-vs-SS7_zpsk76izco4.gif

How to protect your IT premises in regards to above flaws?

For weakness of TCP/IP protocol, the IP version 6 able to resolve design limitation of sequence number. In the long run, it is recommend IT team get rid of IP version 4. However the truth is that v4 and v6 are mixed mode in nowadays IT world.

The most headache topics are the ANS.1 complier flaw and Signalling system 7 vulnerability. For SS7 vulnerability, since those item of works (remediation and mitigation) are relies on Telecommunication service providers. Mobile phone network services provider employing security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access. For text messages, avoiding using SMS. As far as we know, whatsapp communication is being encrypted today!

How’s the status of ASN.1 compiler right now?

About SS7 vulnerability information update:

Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. For more details. Please refer to url below:

http://company.nokia.com/en/news/press-releases/2015/09/03/nokia-networks-safeguards-network-operations-with-two-new-security-launches-networksperform

About  SS7 vulnerability incident found and reported by German newspaper media on May 2017:

German newspaper (Süddeutsche Zeitung) reported that that hackers relied on SS7 attacks flaw as a backdoor. The vulnerability allow bypass two-factor authentication (2FA) systems to conduct unauthorized wire transfers.

http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504