Category Archives: Public safety

Ccache technical matter , whether it will bring your attention? (13th Mar 2023)

Preface: Multiphysics Object-Oriented Simulation Environment (MOOSE) – An open-source, parallel finite element framework.

  • Free and open source (LGPL license).
  • Large user community
  • Easy to use and customize
  • Takes advantage of high performance computing

Background: ccache is a compiler cache that speeds up recompilation by caching previous compilations and detecting when the same compilation is being done again. ccache can deliver significant speedups when developing MOOSE-based applications, or working on the framework itself.
Multiphysics Object Oriented Simulation Environment (MOOSE) is an open-source framework to facilitate solving complex real-world engineering problems.

Major components of a mesh based numerical solution technique:
1 Read the mesh from file
2 Initialize data structures
3 Construct a discrete representation of the governing equations

Security Focus: In order to use ccache with MOOSE-based applications, it will be necessary to first build libMesh using ccache. Ccache prior to 4.7.4 suffered from a design weakness of inode cache race conditions.

Solution: Upgrade to 4.7.4.

Cyber Défense from narrow to broad  (5th Jan 2023)

Preface: Sustainability is a buzzword in the modern world in recent years. It applies to business, culture…even our education. A slogan, keep learning. Maybe it’s the Cantonese mantra, One is never too old to learn. Perhaps it also apply to cyber security protection.

Background: In last twenty years, computing technology driven growth of the world. The rapid growth of telecommunication especially TCP/IP communication protocol. The invention of this technology unintended interconnect different zone and culture. The TCP/IP network protocol  empower to Industrial world transformation. So we have industrial 4.0, smart city facilities and smart home. This is the theory of sustainability. But this key word just appear in last five years.

We all concerning privacy. So European countries and union driven GDPR. Whatever data run in internet including your personal data, web browser connection cookies are fall into their protection coverage. Before that, cyber security vendor especially antivirus and cyber security protection vendor have been done predictive technology. Their way is do a passive information gathering. When incident occur with unknown cyber-attack, they will do enhancement based on your former activities log.

Cyber defence from narrow to broad  : Set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private business owners. So if you can afford to pay for the service, you can receive updates from the online world. To avoid risking your connection, such service will integrate to your defence solution can provide protection. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives. But they rely on data. In fact, enterprise companies, especially Amazon, Google, Cisco… are already using AI technologies in their cyber defence solutions. So their umbrella technology covers a lot. Whether it is prevention, detection or correction, it is in place. However, they are all running businesses and thus have not disclosed their technology to the public.

But when will generalized artificial intelligence develop. For example, this month the cybersecurity defence vendor discovered malicious activity that can infect the operating system Linux. In fact, AI can target these activities and make predictions (see attached image).

Sustainability seems to be the definition of the big data world. The accumulation of data to the database is a long-term process. So keywords accumulate or sustainably contain similarities.

For more information about cyber-attacks against Linux environments, you can find the details at the link – https://asec.ahnlab.com/en/45182/

The injustice invasion – Destructive Malware (28th Feb 2022)

Preface: No matter what your reasons are, children are victims!

Human nature: Human desires are infinite. We may meet some of our needs, but new ones will soon emerge. Thus, scarcity explains the relationship between having unlimited demand and the problems within it.

Security Focus: The malware, known as WhisperGate, has two stages that corrupts a system’s master boot record, displays a fake ransomware note, and encrypts files based on certain file extensions.

Malware contained destructive goal and special evasion method:

  1. They targets Windows devices, manipulating the master boot record, which results in subsequent boot failure. 
    PhysicalDrive0″, GENERIC_ALL, FILE_SHARE_READ | FILE_SHARE_WRITE
  2. Once the malware running under Anti-Debug, it can adjust its usual code execution path or modify the code to cause a crash, preventing analysts’ attempts to decipher it.
    The idea is to identify the machine code of some functions for 0xCC byte which stands for INT 3 assembly instruction.

God bless the children and the families of the victims – https://youtu.be/dzPmfaWXsvE

Kubernetes Hardening Guidance by NSA & CISA (3rd Aug 2021)

Preface: Docker helps to “create” containers, and Kubernetes allows you to “manage” them at runtime. What is Kubernetes Security? That is Cloud, Cluster, Container and code.

Background: Kubernetes is commonly targeted for three reasons observing by NSA and CISA. They are data theft, computational power theft, or denial of service. Cyber attacks encountered in the Kubernetes environment in 2020. Details are as follow:

Capital One – Occurring in 2019, this breach saw 30GB of credit application data affecting about 106 million people being exfiltrated.
A mis-configured firewall that allowed an attacker to query internal metadata and gain credentials of an Amazon Web Services
Docker hub – Attackers managed to plant malicious images in the Docker hub. unknowingly deployed cryptocurrency miners in the form of Docker
containers that then diverted compute resources toward mining cryptocurrency for the attacker.
Microsoft Azure – Microsoft is another organization that’s been seeing a lot of cryptojacking woes of its own. After disclosing that there was a large-scale cryptomining attack against Kubernetes cluster in Azure in April 2020.
Telsa – Automaker Tesla was one of the earlier victims of cryptojacking when a Kubernetes cluster was compromised due to an administrative
console not being password protected.(Mis-configuration)
Jenkins – Hackers managed to exploit a vulnerability in Jenkins to cryptomine to the tune of about $3.5 million, or 10,800 Monero in 18 months. In Docker’s operation environment, it was discovered that six malicious images had been collectively pulled over 2 million times, that’s 2 million users potentially mining Monero for the attacker.

To avoid similar incidents from happening – The National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) released a Cybersecurity Technical Report, “Kubernetes Hardening Guidance,” Primary actions include the scanning of containers and Pods for vulnerabilities or mis-configurations, running containers and Pods with the least privileges possible, and using network separation, firewalls, strong authentication, and log auditing. Please refer to the link for details – https://www.nsa.gov/News-Features/Feature-Stories/Article-View/Article/2716980/nsa-cisa-release-kubernetes-hardening-guidance/

32-bit design limitation (0x7ffffffff). Another episode of Y2K. (23-07-2021)

Preface: Because humans have destroyed the environment. Therefore, natural disasters resemble God’s punishment. In the digital world, the situation is the same. The reason for the penalty is the design weakness of the software.

Background: Perhaps the younger generation has not experienced “Y2K” technical problems because they are still children. The millennium bug is about 22 years until today. I think many people have forgotten. The digital world disaster is similar to the Old Testament description of the earth flood, and God instructed to build an ark to save the species.

Fundamental design weakness: On a 32-bit Linux system, the maximum value that time_t can represent is 0x7ffffffff. When time_t takes the maximum value, it means that the system time is 2038-01-19 03:14:07, but when the clock keep going, time_t will overflow and become A negative value. At this time, the system time will start over and the operating system and upper-layer software will run incorrectly.

IoT current status 2021: The trend by today – 8-bit and 16-bit MCUs had been the hardware of choice for IoT devices, but 32-bit MCUs are now becoming increasingly popular, leading to many manufacturers using two different powered processes in devices. Therefore, your RTOS should be scalable in order to manage any future MCU upgrades.

Reports indicate that there will be 35.82 billion IoT devices installed worldwide by 2021 and 75.44 billion by 2025.

Remedy: In order to remedy this technical limitation. Software developer require to use GNU C Library 2.32 and Musl libc 1.2 to build user space for 64-bit time_t.
Musl, a C standard library, is mainly used on operating systems based on the Linux kernel. The target is embedded systems and mobile devices. It is released under the MIT license. The author is Rich Felker. The purpose of developing this library is to write a clean, efficient, and standard-compliant C standard library.

Expectation: We pass a new challenge token to the younger generation, because they have grown up now. It’s your turn.

Is the CVE process late? Esri has managed and remedy those vulnerabilities in May 2021.

Preface: When smartphones and Google Maps were born. The GIS function determines these two functions in a silent manner.

Background: Geographic Information System (GIS) plays a key role in military operations. The military uses GIS in various applications, including cartography, intelligence, battlefield management, terrain analysis, remote sensing, etc.

– Use of geospatial intelligence:The role of machine learning and GEOINT in disaster response
– Open geospatial data platform and food shortage
– Interoperability of GEOINT applications and military data
– The role of data management in crisis mapping

Vulnerability details: There are vulnerabilities announcement of GIS server on 11th Jul, 2021. Whereby those vulnerability has been addressed by ESRI on May, 2021. Seems the details of two announcement are similar and believed that both are describe the same matters. In fact, designated vulnerabilities are common vulnerabilities in OWASP Top 10. However, the applicability of GIS is becoming more and more important for human life and daily use. So we should seriously consider it.

Official announcement – https://www.esri.com/arcgis-blog/products/arcgis-enterprise/administration/arcgis-server-security-2021-update-1-patch/

If the design defect cannot be remedied in time. Prevention and detection control is one of them. (Philips Vue PACS) [7-7-2021]

Preface: In theory, if your software application design trusts multiple vendors. Repairing takes more time. Because you need to do more verification.

Technology background: Digital Imaging and Communications in Medicine (DICOM) is the standard for the communication and management of medical imaging information and related data. DICOM is most commonly used for storing and transmitting medical images enabling the integration of medical imaging devices such as scanners, servers, workstations, printers, network hardware, and picture archiving and communication systems (PACS) from multiple manufacturers. It has been widely adopted by hospitals and is making inroads into smaller applications like dentists’ and doctors’ offices.

What is Vue PACS Philips?

Philips Vue Picture Archiving and Communication System (PACS), formerly known as CARESTREAM Vue PACS, is an image-management software that provides scalable local
and wide area PACS solutions for hospitals and related institutions.

Philips Vue PACS communications are based on the Digital Imaging and Communications in Medicine (DICOM) 3.0 standard. This enables the server to communicate with any DICOM 3.0 compliant products (such as scanners, workstations, hardcopy units). The server acts as a DICOM Provider, thus other stations can retrieve and send images to and from the server.

Vulnerability details: Philips Vue PACS design require to work with Redis and Oracle. This technology utilizes an Oracle Database and its servers are stored on VA premises. DICOM image data from the modalities is stored on image cache on the PACS server attached to Storage Area Network/Network Attached Storage (SAN/NAS)-type storage technology. However it was discovered design limitation in both software. Meanwhile the software application itself also discovered different vulnerabilities.

My observation: If exisitng vulnerabilities cannot fixed immediately. It is recommended to monitoring the network connectivitiy. It is better to install a IPS to monitoring inbound and outbound network traffics in this segment. If this philips web server and DN are mistaken install to a flat LAN. Perhaps you require to install a proxy server in front of this device.

US-Cert recommendation: https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01

Headline News – unauthorized access to japan government systems via Fujitsu ProjectWeb – 28-05-2021

Headline News – The incident affected the Ministry of Land, Infrastructure, Transport and Tourism, Ministry of Foreign Affairs, Cabinet Office and Narita Airport. The stolen data included files stored by government employees on the cloud-based collaboration and file sharing platform ProjectWEB, which was launched by Fujitsu in the mid-2000s and was very popular among Japanese civil servants.
According to Japanese media reports, hackers stole documents containing employees of the Ministry of Land, Infrastructure, Transportation and Tourism and extended more than 76,000 email addresses, but the government did not confirm this information.

Background: ProjectWEB is a a cloud-based enterprise collaboration and file-sharing platform that Fujitsu has operated since the mid-2000s, and which a number of agencies within the Japan government currently use.

One of the possibilities of data leakage in this accident:
If daily operation in many small projects will go through web base management system. Furthermore, daily communication between project managers and project members uses Excel to complete status management and quality management. If excel spreadsheet encounter design weakness (CVE-2017-0006, CVE-2017-0019, CVE-2017-0020, CVE-2017-0030, CVE-2017-0031, and CVE-2017-0053). Therefore, allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted document. As a result, the data breaches will be occurred.

Headline News – https://www3.nhk.or.jp/nhkworld/en/news/20210526_28/

Update to CISA-FBI Joint Cybersecurity Advisory on DarkSide Ransomware (May 19, 2021).

Preface: Critical infrastructure cybersecurity is not new – it was first addressed by Presidential Decision Directive (PDD) 63 in 1998. The term Internet of Things (IOT) was used but it was for consumer product applications not industrial applications. Perhaps the Executive Order on Cybersecurity does not adequately protect critical infrastructures

Background: Best Practices for Preventing Disruption from Ransomware Attacks was released by CISA on May 11, 2021 – https://us-cert.cisa.gov/ncas/alerts/aa21-131a

The goal provides a directive to computer users to reduce the possibility on ransomware attack. Apart of best Practices, whether there is other way to enhance your current system infrastructure to avoid computer user negligent.

Solution 1: Technology so called clean DNS works by adding a layer of security between a user and the internet that prevents visits to websites used for scams, phishing, and malware and ransomware distribution.

Solution 2: Be aware that unofficial observation concluded that if you had infected trickbot, you would receive ransomware attack soon.
Please refer to the attached diagram for the solution.

Zerologon vulnerability note – last revised (23rd Mar, 2021)

Preface: “Logic 0” and “logic 1” represent binary digits (0 and 1) or Boolean logic conditions (true and false).  A vulnerability in the cryptography of Microsoft’s Netlogon process that allows an attack against Microsoft Active Directory domain controllers.

Background: The algorithm originally used to encrypt the logon process in Windows NT was 2DES. Thus design weakness found in this place. MS-NRPC uses an obscure setting known as AES-CFB8 (Advanced Encryption Standard – Cipher Feed Back 8 bit). However use of AES-CFB8 within MS-NRPC has an issue with the Initialisation Vector (IV) which should be a random number, but MS-NRPC has it fixed at a value of 16 bytes of zeros.

Impact: Tom Tervoort from Secura, he discovered there is a likelihood of one of every 256 keys used will create cipher text that has a value of all zeros.  Whereby, a high possibility way to root AD server. To change the password, attackers use the message NetServerPasswordSet2 in MS-NRPC. It is possible to change a password by simply sending the frame with the preferred new password. The easiest approach is to remove the password or set it to a blank value –  the hacker can now log in through a normal process.

Since February 9, 2021 is the enforcement phase. And therefore, vendor will be enforce the following setttings.

  • Enforces secure RPC usage for machine accounts on non-Windows based devices unless allowed by “Domain controller: Allow vulnerable Netlogon secure channel connections” group policy.
  • Logging of Event ID 5829 will be removed.  Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.

Official announcement: https://kb.cert.org/vuls/id/490028