Category Archives: System

Part 1:Blockchain technology situation – A Tales of Two Cities

 

Quotes from A Tales of Two Cities

“It was the best of times, it was the worst of times,.. Charles Dicken

Read the fiction from my view point looks boring, however a famous quotes written by Charles Dicken can correctly describe the current situation of Blockchain technology.

It was the best of the times

Blockchain technology appear to the world cope with electronic currencies. The proprietary payment method covered up financial world long period of times. As a consumer you are not going to pay high rate of services fees for transfer payment method , right? The blockchain technology (crypto currency) appears like a sunrise to everybody.

Traditional payment transfer (SWIFT) vs Blockchain technology

The traditional payment transfer need for central authorities to certify ownership and clear transactions (see below diagram for reference)

Blockchain technology – decentral data storage

In a blockchain network the data is stored on many computers (miner). Each computer interconnect the other computers (nodes) in the blockchain network. The information on all these computers are constantly aligned.

Blockchain is a bitcoin wallet and block explorer service. From general point of view, it confer benefits on society. Transaction fees are voluntary on the part of the person making the bitcoin transaction, as the person attempting to make a transaction can include any fee or none at all in the transaction.

Economic Benefits: In the meantime bitcoin did not have high economic benefits.

Business development opportunities: Block chain concept lure entrepreneurship bring up new business idea. Their objective is going to break the ice. Make the electronic payment more open.

It was the worst of times!

Hacking looking for ransom not possible occurs since law enforcement team trace the finger prints can find out details. Bad guy aware that he will under arrest during money clearing process . Therefore they are not intend to ask for ransom until crypto currency (bitcoin) appears. It looks that bitcoin feature lure hacking activities in serious. For instance triggers ransomware infection scare IT world. Law enforcement team (FBI) did not have solution in this regard!

Observation: Why does bitcoin feature lure hacker interest?

The realistic were told that Bitcoin exchange operation and policy visible level are low. Yes, they are make use of blockchain technology, however the governance structure not equal to common financial institution. The incidents occurred so far look lack of visibility! See below historical incident records (thefts from Bitcoin exchange) might bring an idea to you.

Thefts from Bitcoin exchanges

Aug 2016 – Hong Kong base Bitcoin exchange (Bitfinex) hacked : drained 119,756 bitcoins from its customer accounts

June 2015 – Scrypt.CC (Bitcoin exchange): Undisclosed sum stolen

May 2015 – Bitfinex (Bitcoin exchange): incident of lost 1,500 bitcoins value US$330,000

Mar 2015 – Coinapult (Bitcoin exchange): incident of lost 150 bitcoins value $43,000

Remark: Hong Kong monetary authority enforce Hong kong financial institution includes bitcoin exchange business vendor mandatory execute their guideline. For more details, please refer to regulatory requirements such as HKMA(TM-E-1, TM-G-1, TM-G-2, SA-2).

Level of Trustworthy – cryptocurrency (Bitcoin)

Aug 2016 – US Marshals to Sell US$1.6 Million in Bitcoin at Auction.

Regarding to the above auction by US government. Do you think it equivalent that US government gave blockchain technology as a untrust vote?

Cyber security viewpoint - Blockchain vs. SWIFT 

Famous quotes:

The guillotine, a machine designed to behead its victims, is one of the enduring symbols of the French Revolution. In Tale of Two Cities, the guillotine symbolizes how revolutionary chaos gets institutionalized.

Swift bangladesh heist cause a sensation. Let’s finance institution heads up. Bring their attention to end user computing. Whereby a continous information security program and policy announced. But you might have question? How SWIFT manage to fight it all? That is unknow system vulnerabilities on their system?

Blockchain technique – every transfer of funds from one account to another is recorded in a secure and verifiable form by using mathematical techniques borrowed from cryptography. From technical point of view, it is a tamper-proof technology. Why was bitcoin exchange Bitfinex hacked (Aug 2016)?

The cyber incidents encountered in blockchain and traditional payment (SWIFT) hints that a weakness of fundamental design (see below)

 

 

Refer to above diagrams, a common criteria occurs on both traditional payment and blockchain solution. No matter how secure on your payment method, a single point of failure on single element will crash your tamper-proof design. For instance, a vulnerability occurs in sender or receiver workstation OS level, malware can compromise the whole solution. Even though you are using advanced crypto solution.

Next topic we are going to investigate bitcoin malware. Coming soon!

 

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Is this a hoax? Or it is National Security Agency?

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Internet traffic governance by firewall (Great wall), what circumstances China still under external Cyber attack?

The surveillance program in China running in visible level. China government defined traffic monitoring scheme, the People live in China entitled to benefits of citizenship must accept this policy.A well known secret indicated that a giant (Great wall) monitoring the inbound and outbound internet traffic continuously. Sounds great! From technical point of view, workstation located in China is under government protection. The benefits is that overall hit rate with cyber attacks will become lower. We are not a politicians for not going to speculate the reason to establish this security facility. But it looks that there is no perfect defence mechanism in the world. The Internet Security Threat Report on June 2016 provides the following parameters.

Web sites for remote control

  • 3,637 foreign IP addresses through the backdoor arrived to the territory.
  • 6,618 websites encountered cyber attack causes hacker remote control.

Remark: Among them, foreign suspicious IP address is located mainly in the United States, China, Hong Kong and South Korea and other countries or regions.

  • Foreign countries IP address relies on backdoor might came from Russia . They are execute web server remote control. The total suspected IP addresses are 1,667.
  • Website implanted backdoors, ranks in high volume.
  • Besides, implanted backdoor attack IP address covered US and Hong Kong area. The total statistic are 1129 came from US and 808 came from Hong Kong.

Reference: Internet stats for 2016

China, as a country, has the most internet users; with an estimated 640 million internet users, the number of internet users in China is twice the number of the entire U.S population.

What’s the reason?

Major Factor:

1. Enterprise firm Site to Site VPN connection bypass Great Wall governance: If there is security weakness occurs in their server system and network backbone. Hackers are able to relies on those vulnerabilities of the system  activate the cyber attacks.

2. Remote Proxy services bypass Great Wall

A terminology so called internet censorship circumvention, the method is establish a encryption tunnel, the tunnel end point of connection is the foreign countries proxy gateway. It is a onion network, if one of the proxy server not in service, the proxy services application will search another available gateway.
Since the network datagram was encrypted by TLS/SSL. The version update in frequent. From certain point of view, great wall might not decrypt the network traffic and such a way let him go!

3. Layer 2 Tunneling Protocol (L2TP) bypass Great Wall

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one’s IP address, censorship circumvention, and geolocation. As far as I know, Great wall have capability to deny this network traffic.

4. Flaw found in ASN.1 compiler – for more details refer below url for reference.

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

China’s intelligence mobile phone has high growth rate. Since it is intelligence device, it is a mobile computing device. From technical point of view, it looks a workstation with Internet connection feature. China Mobile Phone Users reached 1.306 Billion in 2015. It is hard to guarantee 1.306 Billion mobile phone are compliance. That mean OS is the latest version, anti-virus installed with update pattern. To be honest it is not easy! With so many people dependent on mobile devices to communicate and work, mobile network security is more important than ever.

Additional information – SCMP regarding China Firewall

http://www.scmp.com/news/china/policies-politics/article/1922677/china-blocks-vpn-services-let-users-get-round-its-great

Any other? Is your turn to input. Be my guest!

Charting the undiscovered POS malware – Aug 2016 – Alerts

Have you heard RawPOS technical term? In short, it is a Windows based malware family that targets payment card data including Retail, Hospitality and Casinos.

The undiscovered POS malware – High Level review (Found Aug 2016)

Specifications:

  • Associated with files psrmon.exe and oobentfy.exe – psrmon.exe manipulating the data encryption process. Copies following files to temp folder.

Console.dll,Cwd.dll,mro.dll,API.dll,List.dll,Fcntl.dll,B.dll,p2x5124.dll,re.dll,OLE.dll,POSIX.dll,
File.dll,IO.dll,MD5.dll,Win32.dll,Process.dll,Dumper.dll,Util.dll,Base64.dll,Registry.dll

  • Associated with files hdmsvc.exe and oobentfy.exe – Named Pipe Vulnerabilities (C:\DosDevices\pipe\pipe\net\NtControlPipe10), discoveries in manipulating the \DosDevices object directory that also lead to privilege escalation.

Program “oobentfy.exe” is the major body (this is the Memory scanning portion of the malware).

Scenario replay

1. Malware will create a memory dump folder (sample shown as below):

C:\DOCUME~1\User\LOCALS~1\Temp\memdump

2. The program will monitor the memdump folder (C:\DOCUME~1\User\LOCALS~1\Temp\memdump). Memdump folder contains plain text credit card data.

3. Credit card data will then be encrypted and placed in a file.

Regarding to the analysis, it is a three-part RawPOS process to infect a system. Additionally, found that this malware relies on Perl Source code.

Malware structure in depth

Merchant Levels & POS system workflow architecture

Current status:

As of today(6th Aug 2016), it looks that no AV engines recognize the hash for the persistence mechanism as a threat.

Anyway, will keep you posted if there is anything updating.

Possibility – scenario replay (implant Rootkit on BIOS causes ATM machine crazy)

The troubleshooting concept ideally that bring up hypothesis boldly while prove it conscientiously and carefully. Similar concept can apply to cyber incident investigation. Found that a security vulnerability found by security researcher Christopher Domas. The Intel chips design limitation is that vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System. The management mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. Christopher Domas exploit uses the UEFI code features to install a rootkit sucessful during his POC in Black Hat conference. From techincal point of view, this is indeed a design limitation in CPU, it looks that we are not able to using 0x06000832 memory address. Notice that a new microcode patch is going to remediate this design limitation. The hacker implant rootkit to ATM system through malware infection through CPU design bug is a possible. The remaining issue is that how to execute infection to hundreds of ATM machines. The headline news did not provide the detail, if the investigator confirm all the ATM machines are compromised. We can speculate that the malware source might hidden in their SNA server farm or internal network. The Mainframe connectivity methodology from traditional by hardware controller integrate to LU 6.2 (APPN). The Cisco network products and specifics technology DLSW (Data Link Switch) can cope with Mainframe switch major node architecture. Thereby it is hard to say that ATM machine infrastructure is running in isolate network nowadays.

For more detail about memory sinkhole attack, please refer to below URL

http://www8.hp.com/us/en/intel-processor-memory-sinkhole.html

For details about related articles, please refer to below URL for reference.

Digital world – digital dinosaur attack Taiwan ATM machine (crooks stolen estimated T$70m (US $2.2m))

The most hottest cyber attack topics happened last week. Yes, a DDOS attack occurred on HSBC UK and US web portals. But the crooks jailbreak ATM machines in Taiwan looks more attractive. Sound amazing, traditional ATM machines communication link run on private network (Frame relay or ATM OC3). It is indeed real time transaction process working with back end Mainframe system. From security point of view, the media type of connection is restricted and such a way reduces the risks on cyber attack and virus infection. Recall ATM incident occured in 2009. Russian nationality hackers found the vulnerabilities on ATM vendor side (DIEBOLD). They develop malware form attack implant to ATM system DLL file (Dbddev.dll). It looks impossible that infect of the ATM machine with malicious program to steal credit card details and PINs. But the hackers looks great, they can hooks the ATM system process successfully and gain the privileges. ThisTrojans as Troj/Skimer-A.

How was today? The digital dinosaur attack Taiwan ATM machine, crooks stole an estimated T$70m (US $2.2m).

The ATM incident happened in Taiwan banking system not belongs to DIEBOLD. They were made by German manufacturer Wincor Nixdorf. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. Sound strange! Right?

Virtual realityReflections:

1. Without insertion of ATM Card can draw the cash

Possible causes: ATM machine operation system from earlier generation of IBM OS/2 migrate to windows OS platform. Is there any vulnerabilities occurs on window OS side. A critical security flaw announced by Microsoft last week, a printer spooler bug causes privileges escalation or MS16-087 for short.

2. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. 

All ATM machines will go through backbone SNA gateway connected to backend system (Mainframe). From IT architecture point of view, SNA gateway located in data center sever farm. There is possibilities encounter malware infection during windows update processes. For example, do the DNS cache poisoning to return an incorrect IP address, diverting traffic to the counterfeit web site.

3. Well known OS platform

Windows based OS platform not difficult to implant a root kit to gain the control of the system. Hacker can through many channel to achieve their goal. For example, they will find the target person and company by SCAM mail. They can jump into the internal network and compromise the system when target person (victim) fall into their trap (compromised web site).

For more details about this incident, please refer to below URL:

http://www.ibtimes.co.uk/banks-across-taiwan-high-alert-suspected-russian-criminals-use-atm-malware-steal-millions-1570185

Additional information:

Wincor-Nixdorf’s product catalog gives insight into the operating systems its ATMs currently support.

The ProCash 280 lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.