Category Archives: System

System

2019 – The security protection of Docker, where are they?

Preface: Sysadmin may unintentionally expose a Docker registry service without enforcing proper access control, said Palo Alto Networks.

Background: Easy to deploy, one of the goal of container-based technology. Docker storing image in a managed collection, with standardized methods of identifying, committing, and pulling individual images. With this feature it is equivalent as a image Repositories. It makes Docker so useful is how easy it is to pull ready-to-use images from a Docker’s Central Registry. Meanwhile you can’t share your repository with other because it contains proprietary code or confidential information.

Technical details: Docker-Registry is a simple Python app. Your Registry can develop as a Private Registries. Besides, in some environments, sysadmin can setup the Registry SRV on port 443 and make it accessible on internet (Registry-dot-com). Such services are popular on AWS S3 or Azure.

Key areas of concern: Compromised Containers, mis-configuration & access control.

What we can do? Perhaps we can reference to NIST SP 800-190 application container security guide. URL display as below: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-190.pdf

System, Under our observation

How we focus design weakness?

Preface: Flaws that require root access are not considered security issues in existing policy. If we are not using cloud computing concept. It is acceptable. But we need cloud system!

Security focus: Turkish information security specialist found a design weakness in Windows kernel design. According to the vendor’s Bug Bounty program rules, flaws that require root access are not considered security issues and are not classified as vulnerabilities. However our the whole IT world in the trend of cloud technology. It is hard to guarantee similar type of vulnerability will be impact the public cloud farm. Perhaps it might have possibility to do a re-engineering become as a Surveillance tool.

Defect details: An PoC tool proof that it can hijacks the HalPrivateDispatchTable table to create a early-bugcheck hook. Utilizing this early-bugcheck hook it collects information about the exception and basically provides a simple interface to register a high-level system-wide exception handler. My intention is going to urge Microsoft should be consider this technical issue. Perhaps it may become a zero-day. So I do not display related url.Should you have interested of this topic, not difficult to do a search. You will find the details.

Reference:

The ntoskrnl.exe kernel service, which is responsible for handling exceptions, system call procedures, and thread scheduling in Windows.

Kernel Patch Protection (KPP), informally known as PatchGuard, is a feature of 64-bit (x64) editions of Microsoft Windows that prevents patching the kernel.

Fundamental design concept – related to this matter:

  1. RSPx is loaded in whenever an interrupt causes the CPU to change PL to x. The TSS in long mode also holds the Interrupt Stack Table, which is a table of 7 known good stack pointers that can be used for handling interrupts.
  2. BKPT #0x3 ; Breakpoint with immediate value set to 0x3 (debugger can ; extract the immediate value by locating it using the PC- (program counter))
  3. x86_64 also has a feature which is not available on i386, the ability to automatically switch to a new stack for designated events such as double fault or NMI, which makes it easier to handle these unusual events on x86_64. This feature is called the Interrupt Stack Table (IST). There can be up to 7 IST entries per CPU. The IST code is an index into the Task State Segment (TSS). The IST entries in the TSS point to dedicated stacks; each stack can be a different size.

This topic is under our observation.

Application Development, System

He is a bird – Taiwan supercomputer (Nov 2018)

Preface: There are many reasons for wanting to combine the two parallel programming approaches of MPI and CUDA. A common reason is to enable solving problems with a data size too large to fit into the memory of a single GPU, or that would require an unreasonably long compute time on a single node. The message passing interface (MPI) architecture successful exchanging messages between multiple computers running a parallel program across distributed memory. Thereby single system can group together form a big power.

Synopsis:
The open source refers to any program whose source code is made available for public use. Open MPI is a Message Passing Interface library project combining technologies and resources from several other projects. Meanwhile it is a potential power driving the technology world in this century. It is hard to imagine that Xeon processor type computer machine will go to supercomputers world. With assist of QuantaGrid D52G-4U GPU. The dream come true now. Tesla V100 can deliver up to 896 tensor Tflops to training deep learning model with 8 NVIDIA Tesla V100 (dual-width 10.5″). Taiwania 2 supercomputer take the role to handle big data , AI and scientific research functions.

Ref: https://www.taiwannews.com.tw/en/news/3575187

Application Development, System

Supercomputer – You focus the speed of CPU, but my design goal is efficiency (Nov 2018)

Preface:

The art of driving a car in a race comes from the ability to maximize the performance of the car. Everything you do on a track takes skill when you are reaching the limits of performance. This concept also suitable on computer design.

Japan supercomputer rating:

Fujitsu ranks supercomputers seventh in the world.

Cores: 391,680

Memory: 417,792 GB

Processor: Xeon Gold 6148 20C 2.4GHz

Historical background:

The traditional supercomputer architecture contains HIGH SPEED VECTOR PROCESSORS, crossbar switch, LPARs architecture. Since CPU speed is most important element on calculation. Meanwhile LPARs design can let system allocate the function feature and requirements.
Remark: Logical partitions (LPARs) are, in practice, equivalent to separate mainframes.

Synopsis:

But the military, scientific and public safety requirements of the world in today more demanding. The traditional Supercomputer LPARs design still have space for improvement. And therefore Linux high performance cluster and docker infrastructure become a key components. It boostup the system efficiency. Even though Fujitsu ranks supercomputers seventh in the world. But it maximum the efficiency.

System

Supercomputer – Who’s running fastest in the world? Nov 2018

Preface:

When executing a process by switching it between various CPU cores is that, when switching a process to a new CPU core, the “L1” cache of the new core has to be updated and the previous core’s “L1” cache might requires to be deleted etc. Whereby in a somewhat unnecessary cache activity that ultimately downgrade the performance. But the traditional mainframe vector processor and crossbar switch did not have above technical limitation.

What technologies have changed the world? The success of the PCR clusters was followed by the purchase of the Multiprogrammatic Capability Resource (MCR) cluster in July, 2002 from Linux NetworX. The PCR cluster debuted as the Top 500 Supercomputers list in November, 2002.

Who’s running fastest in the world?

1. Summit – IBM Power System AC922, IBM POWER9 22C 3.07GHz, NVIDIA Volta GV100, Dual-rail Mellanox EDR Infiniband , IBM DOE/SC/Oak Ridge National Laboratory
United States
Cores – 2,397,824, Rmax (TFlop/s)143,500.0
….

3. Sunway TaihuLight – Sunway MPP, Sunway SW26010 260C 1.45GHz, Sunway , NRCPC National Supercomputing Center in Wuxi China
Cores – 10,649,600 Rmax (TFlop/s) 93,014.6

Who knows who is the winner tomorrow?

System

AWS S3 Misconfigurations how to Avoid?

Preface:
AWS cloud business keep running strong in the market. Amazon S3 or Amazon Simple Storage Service is a “simple storage service” offered by Amazon Web Services (AWS) that provides object storage through a web service interface.

Synopsis:
S3 buckets can be configured with public access. But S3 looks like a burden for AWS reputation. Since the access permission is similar do it yourself service type.
So, AWS customer must be confirm the access permission themselves in order to cope with their business function access permission policy.
However if customer apply the services with mistaken permission setup. It will be jeopardizing AWS company reputation as well.

Former records:
Alteryx S3 leak leaves 123m American households exposed1 – Dec 19, 2017
Open AWS S3 bucket exposes private info on thousands of Fedex customers2 – Feb 15, 2018
Sensitive medical records on AWS bucket found to be publicly accessible3 – Jan 22, 2018
Domain Name Registrar was exposed Online (31,000 GoDaddy servers) – Aug 2018

How to avoid?
Hints can find in the following document (Identifying Public Buckets Using Bucket Permissions Check).

https://docs.aws.amazon.com/AmazonS3/latest/user-guide/set-bucket-permissions.html

Application Development, System, Under our observation

SWIFT Customer Security Controls Framework

 

Preface:

All SWIFT users must comply with the mandatory security controls by the end of 2018.

Objective:

Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently known new and arising threats in order to pragmatically raise the security bar.

Technical details:

Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Segregate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

Observation:
Swift system is on the way do the enhancement continuously. But do you think such continuous program will be effectively avoided cyber security attack? For instance Bangladesh heist.
It is hard to tell what is the next cyber attack challenge in the moment. Let’s keep our eye open. Stay tuned!

Reference:

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Public safety, System, Under our observation

Reflections – New 5G network edge server design

NSA Senior Cybersecurity Advisor questions Bloomberg Businessweek’s China iCloud spy chip claim (see below url)

http://macdailynews.com/2018/10/10/nsa-senior-cybersecurity-advisor-questions-bloomberg-businessweeks-china-icloud-spy-chip-claim/

Now we take a quick discussion but do not related to conspiracy. From technical point of view, if hardware is polluted (spy feature). It is hard to imagine what the impact was?

In the SD-branch, routing, firewall, and WAN optimization are provided as virtual functions in a cloud-like NaaS model, replacing expensive hardware. As a result, the telephone company will use SD-branch to provide virtual CPE and unversal CPE services.

Meanwhile uCPE consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. So uCPE in reposible of very import role in future technology. What if there is vulnerability occurs in this place. It make the problem worst, complicated!

Supermicro Designs New Open Software-Defined Networking (SDN) Platform Optimized for 5G and Telco Applications and Launches verified Intel® Select Solution for uCPE

http://ir.supermicro.com/news-releases/news-release-details/supermicro-designs-new-open-software-defined-networking-sdn

Application Development, System, Under our observation

Aug 2018 – Similar to establish new challenge in IT world, mingw-w64 design limitation!

Address space layout randomization (ASLR) is a computer security technique involved in preventing exploitation of memory corruption vulnerabilities. ASLR function like the last line of defense of the system against cyber attack. Recently, security expert comment that the software application developer might not following guideline issue by CPU vendor. The fact is that an error occur on their software application when apply ASLR or SGX ( Software Guard Extensions – Intel). As a result, the non compliance application products will be available in the cyber world.

The actual scenario is that several tools that check for ASLR compatibility assume that the presence of the “Dynamic base” PE header is sufficient for ASLR compatibility. Because Process Explorer does not check that a relocation table is present, its indication of “ASLR” for a running process may be incorrect, and it may provides room for malware alive. I forseen that it may create the impact to the docker environment.

 

MinGW is an implementation of most of the GNU building utilities, like gcc and make on windows, while gcc is only the compiler. It looks that it has more Linux operating system includes in ASLR non compatible checklist announced by MinGW. The CPU vendor on the way to address the CPU design flaw (Meltdown and Spectre). It looks that a new form of challenge is going to join into the mistaken task force.

Should you have interest. Below hyperlink can provides the detail.

Vulnerability Note VU#307144 : mingw-w64 by default produces executables that opt in to ASLR, but are not compatible with ASLR

https://www.kb.cert.org/vuls/id/307144

Application Development, Cell Phone (iPhone, Android, windows mobile), System, Under our observation

Synopsis- NIST plan to retire SMS function deployed for two Factor Authentication

As of today, we are enjoying the security protection of 2 factor authentication with SMS-based one-time passwords (OTP). This protection mechanism was distributed widely. For instance, online banking, Visa,Master credit card online payment system and mobile application payment system. However NIST plan to retire SMS base 2 factor authentication. This decision has similar a open topic for public discussion in related industry since end of 2016. Some of the people queries of the technical standpoint of this decision.

Background – NIST-800-63-3 equivalent a bible for CSO (chief security officer) in the world. Even though you business not focusing US market.  The documentation structure of NIST SP 800-63A is the subset of 800-63-3. This subset of guidelines was specify address digital identity guidelines. Item 4.4.1.6 indicate the address confirmation including SMS. (below hyperlink for official document download).

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63a.pdf

Reference: Two-factor authentication uses two different factors of below namely, “something you have” (e.g. mobile phones), “something you are” (e.g. fingerprints) or “something you know” (e.g. password), to authenticate a user identity.

SMS messages system design limitation (see below):

  1. SIM swap is a type of phishing fraud that poses a serious threat to mobile phone user. As a result, all calls and texts to the victim’s number are routed to the fraudster’s phone, including one-time passwords
  2. SMS Messages Can Be Intercepted in Many Ways (problem in SS7)
  3. ASN.1 design flaw

Should you have interest of item 2 and 3? Please refer below:

SS7 flaw make two factor authentication insecure – Reveal the veil