Category Archives: Under our observation

June 13, 2018 – Intel Releases Security Advisory on Lazy FP State Restore Vulnerability

Many CPU architectures support lazy saving of floating point state (registers) by allowing floating point capability to be disabled, so that an exception is raised when a floating point operation is performed. Virtually all floating point math is done in SSE (and thus in XMM registers) in 64-bit mode. The attacker needs a local process rather than a web browser. A newly scheduled task can use the technique described here to infer the floating point register state of another task, which can be used to leak sensitive information.

Official announcement – https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html

Why do we require AI (Artificial intelligence)?

Preface

When a child is born, his destiny is learning. He requires continuous learning of knowledge. His objective looks simple because his goal is survival.

What is the objective of AI (Artificial Intelligence)?

The aim of developing AI is to mimic in machines the “intelligent” behaviour of humans.

The major element of AI (Artificial Intelligence) is learning. The computer is similar to a baby: the world supplies knowledge to it. As a result, its learning path includes human behaviour, human thinking logic, languages and decision-making logic. But how does an artificial intelligence make the correct decision without jeopardizing the world? This is ethics.

Does the scientific world ignore the key element before a successful build?

A supercomputer contains huge processing power with high calculation speed. It has no difficulty doing data analytics. But emulating human logical thinking requires a huge volume of data sets, including human behaviour data sets, different categories of data, the history of criminal activities, business decision logic, etc.

Hey! Is there any contradiction found at this point? For instance, would ethics be bound to human logical thinking? For instance, you visit a library to read a book. This is the equivalent learning mode. But in the library, the books do not contain personal data or records of personal behaviour. So this is the classical learning mode.

You pick up your sister's or brother's letter from the mailbox. Ethics guide you that you are not allowed to open the letter, right? But why does artificial intelligence have the privilege to read personal data? The AI reads personal data without consent!

Intelligence is not bestowed by anyone, but is a condition each person is born with and enjoys. However, the whole purpose is human survival on the earth. If a machine contains artificial intelligence, then from a technical point of view it looks like humans have built a new competitor for themselves. The major point is that AI will wind its way to survival in the world once its technology is mature.

I am not speaking of a conspiracy. It is reality, since they are in the machine learning phase. Their evolution is shown below:

1st Generation

Data science: Data science is an interdisciplinary field that uses scientific methods, processes, algorithms and systems to extract knowledge and insights from data in various forms, both structured and unstructured, similar to data mining.

2nd Generation

Machine learning: Machine learning is a subset of artificial intelligence in the field of computer science that often uses statistical techniques to give computers the ability to “learn”.

Final stage

Artificial intelligence: Artificial intelligence is intelligence demonstrated by machines, in contrast to the natural intelligence (NI) displayed by humans and other animals.

Sources of data for machine learning nowadays

Datasets of population, economic and development across the world: https://data.worldbank.org/

Data on educational institutions and education demographics from the US and around the world: https://nces.ed.gov/

The collection of social, economic and population data in UK: https://www.ukdataservice.ac.uk/

The national crime statistics, with free data available at national, state and county level: https://ucr.fbi.gov/

Information gathered by NASA’s space exploration missions: https://exoplanetarchive.ipac.caltech.edu/

Conclusion

Humans pollute the world because of rising living standards and modern industries.
Artificial intelligence in final phase will be …..
A song is on the way!

Don’t kill the world, don’t let it down. Do not destroy basic ground…..


–End–

The influence of CVE-2018-11235 is greater than expected. Even the Hyperledger project is affected.

The Git community disclosed a high severity vulnerability (CVE-2018-11235). The impact of this vulnerability may affect many software applications.

The major design weakness behind this vulnerability is that when you git clone a repository, there is some important configuration that you don't get from the server: the .git/config file, and things like hooks, which are scripts that run at certain points within the git workflow. For instance, the post-checkout hook runs any time git checks files out into the working directory. A submodule name is appended to $GIT_DIR/modules, so a name containing “../” leads to directory traversal. Finally, post-checkout hooks from a submodule are executed, bypassing the intended design in which hooks are not obtained from a remote server. As a result, an attacker has a way to implant malware into the library.

This vulnerability also jeopardizes the Hyperledger project. Please refer to the above diagram for reference.

For details of the vulnerability, please refer to:

https://nvd.nist.gov/vuln/detail/CVE-2018-11235

Solution

  • Examine submodule folder names closely.
  • Submodule names may no longer contain .. as a path segment, and they cannot be symbolic links.

The resulting path must stay within the .git repository folder.
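As an added example (not code from the Git project or from the original post), the following Python script applies the two checks above to a .gitmodules file: it parses the submodule sections, flags any name whose path segments would escape $GIT_DIR/modules, and lists symbolic links found under an existing modules directory. The sample .gitmodules content is constructed.

```python
"""Audit submodule names for the CVE-2018-11235 traversal pattern."""
import os
import posixpath
import re
from typing import Dict, List

# Matches the section headers git writes: [submodule "name"]
SECTION_RE = re.compile(r'^\s*\[submodule\s+"(?P<name>[^"]*)"\]\s*$')


def submodule_names(gitmodules_text: str) -> List[str]:
    """Return every submodule name declared in .gitmodules content."""
    names = []
    for line in gitmodules_text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            names.append(match.group("name"))
    return names


def name_escapes_modules_dir(name: str) -> bool:
    """True when $GIT_DIR/modules/<name> would not stay inside modules/.

    git stores a submodule's repository at $GIT_DIR/modules/<name>, so a
    name carrying a '..' segment (or a backslash variant of it) climbs out
    of that directory, which is exactly what the fixed git versions reject.
    """
    normalised = name.replace("\\", "/")
    segments = [s for s in normalised.split("/") if s not in ("", ".")]
    if not segments or posixpath.isabs(normalised):
        return True  # empty or absolute names never point inside modules/
    if ".." in segments:
        return True  # the fixed check: no '..' path segment at all
    resolved = posixpath.normpath(posixpath.join("modules", normalised))
    return not resolved.startswith("modules/")


def audit_gitmodules(gitmodules_text: str) -> Dict[str, bool]:
    """Map each declared submodule name to whether it escapes modules/."""
    return {name: name_escapes_modules_dir(name)
            for name in submodule_names(gitmodules_text)}


def symlinked_modules(git_dir: str) -> List[str]:
    """List directories under <git_dir>/modules that are symbolic links.

    The fix also refuses symlinks there; a missing modules directory
    simply yields an empty list.
    """
    found = []
    for root, dirs, _files in os.walk(os.path.join(git_dir, "modules")):
        for entry in dirs:
            path = os.path.join(root, entry)
            if os.path.islink(path):
                found.append(path)
    return found


# Constructed sample: one ordinary submodule and one with the traversal name.
SAMPLE_GITMODULES = """\
[submodule "libs/geo"]
\tpath = libs/geo
\turl = https://example.invalid/geo.git
[submodule "../../.git/hooks"]
\tpath = vendor/hooks
\turl = https://example.invalid/hooks.git
"""

if __name__ == "__main__":
    for name, escapes in audit_gitmodules(SAMPLE_GITMODULES).items():
        print(f"{'REJECT' if escapes else 'ok    '} {name}")
```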

Dark power (malware) jeopardizes open geospatial data

Preface

The geospatial digital environment supports planning, management, modeling, simulation and visualization related to smart initiatives across the city.

Quick understanding – Basic data structures for GIS

  1. Vector
  2. Raster
  3. Triangulated irregular network
  4. Tabular data (attribute table)

When you use the Global Positioning System (GPS) on your smartphone for directions to a particular place, or ask a search engine for the locations of famous restaurants near a physical address or landmark, you are using applications that rely on spatial data. Therefore spatial databases are a key component of the global positioning system.

So, can we store big data in an RDBMS? The fact is that the data gets large fairly quickly, and a relational database is not very well suited to huge quantities of data.

Remark: A traditional database product prefers more predictable, structured data. A big data backend fundamentally involves extremely dynamic data operations.

One of the key capabilities of a NoSQL environment is the ability to dynamically, or at least easily, expand the number of servers used for data storage. This is why NoSQL databases have become popular in big data infrastructure environments.

DBMS ranking and technical details

A closer look at the top 5 NoSQL database engines

The advantages of deploying a NoSQL database for management of geospatial data

NoSQL databases are primarily called non-relational or distributed databases. NoSQL is not faster than SQL; in that respect they are the same. However, a non-relational database (NoSQL) provides a mechanism for storage and retrieval of data that is modeled in ways other than the tabular relations used in relational databases.

Redis, an open source, in-memory data structure server, is frequently used as a distributed shared cache (in addition to being used as a message broker or database) because it enables true statelessness for an application's processes while reducing duplication of data and requests to external data sources. Thereby Redis usage has grown in big data infrastructure environments (specifications are shown below):

  • Redis is very fast and can perform about 110000 SETs per second and about 81000 GETs per second.
  • All Redis operations are atomic, which ensures that if two clients concurrently access the Redis server, both will get the updated value.

Hackers have targeted Redis servers recently

Redis general security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket (see below).

Reference:

  • default port of SSH 22/TCP
  • default port of REDIS Server 6379/TCP

Redis improved access control in version 3.2 by implementing protected mode. As of today, version 4.0.9 has been released. Cyber security protection is not the project's top priority, since Redis is designed to be accessed by trusted clients inside trusted environments. But what reasons lead hackers to follow it?

Observation:

The cyber criminal dark forces of today's technology world can be divided into three interested parties.

The famous one is Advanced Persistent Threats (APT). In normal circumstances their attacks are motivated by political reasons.

  • Looking for financial gain in the crypto currency zone: hackers create malware or implant malicious code for bitcoin mining.
  • Looking for benefits on the crypto currency market: hackers create malware or implant malicious code on compromised web sites or in end users' web browsers to fulfil their objective, which is bitcoin mining.
  • Ransomware spreading groups: interfering with business operations and suspending public services. Their goal is ransom.

Perhaps the design weaknesses in the current state of Redis servers fulfil the above hacker objectives and save them a lot of reverse engineering work. The picture below shows the famous case of vulnerability on Redis 3.2 servers, so called “crackit”.

The attacker compromises the Redis server instance, adds an SSH key to /root/.ssh/authorized_keys, and logs in to the compromised Redis server over SSH. A certain number of Redis servers are on their way to providing geospatial data services. The classification of spatial data services is based on the geographic services taxonomy of EN ISO 19119. This taxonomy is organised in categories, with the subcategories defining the value domain of the classification of spatial data services.

Generally speaking, hackers might not be interested in that data, but they can re-engineer the compromised server into a C&C server, an APT botnet node or a sinkhole.

How to enhance the Redis server protection level

In order to avoid the Redis server being compromised by hackers, the official website suggests the following security improvements to users.

Network layer:

Bind Redis to a single interface by adding the following line to the redis.conf file:

bind 127.0.0.1

External anonymous clients are therefore not able to reach the Redis server.

Application layer:

Three must-have Redis configuration options for a production server

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

The above disables three powerful and dangerous commands. You could take it a step further and disable other questionable commands, like KEYS, DEBUG SEGFAULT and SAVE.

Should you have interest in the security protection recommended by Redis, please visit the official website below for reference.

https://redis.io/topics/security
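As an added example (not from the Redis project or the original post), this Python script audits a redis.conf against the network-layer and application-layer recommendations above: it reports a bind to all interfaces, protected mode switched off, a missing requirepass, and any of the six commands named above still reachable under its default name. Both configurations below are constructed samples.

```python
"""Check a redis.conf for the hardening settings discussed above."""
import shlex
from typing import Dict, List

# Commands the post recommends disabling; CONFIG plus SAVE is the pair the
# "crackit" pattern abuses to write a file into /root/.ssh.
DANGEROUS_COMMANDS = ("FLUSHDB", "FLUSHALL", "CONFIG", "KEYS", "DEBUG", "SAVE")
ALL_INTERFACES = {"0.0.0.0", "*", "::", "0.0.0.0/0"}


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lower-cased) to the argument lists it appeared with."""
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles the "" used to disable a command
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return one finding per weak setting; an empty list means every check passed."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # Network layer: without a restrictive bind, Redis listens on every interface.
    bound = [addr for args in conf.get("bind", []) for addr in args]
    if not bound or any(addr in ALL_INTERFACES for addr in bound):
        findings.append("bind: reachable on all interfaces; bind to 127.0.0.1 or an internal address")

    # protected-mode (Redis >= 3.2) defaults to yes when the directive is absent.
    mode = conf.get("protected-mode", [["yes"]])[-1]
    if not mode or mode[0].lower() != "yes":
        findings.append("protected-mode: disabled")

    password = conf.get("requirepass", [[]])[-1]
    if not password or not password[0]:
        findings.append("requirepass: no password required")

    # Application layer: rename-command <CMD> "" removes the command entirely,
    # while renaming it to another word at least hides the default name.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if len(args) == 2}
    for cmd in DANGEROUS_COMMANDS:
        if cmd not in renamed:
            findings.append(f"rename-command: {cmd} still reachable under its default name")
    return findings


# Constructed sample: the kind of config an internet-exposed instance runs.
WEAK_CONF = """\
# redis.conf fragment (constructed)
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed sample applying the recommendations from the post.
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""
rename-command KEYS ""
rename-command DEBUG ""
rename-command SAVE ""
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        findings = audit_redis_conf(conf)
        print(f"== {label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```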

— End —

1st June 2018 – Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe

Visa card payment systems went down across Europe on 1st June 2018. The Visa payment service resumed on 2nd June 2018. Visa announced that systems are now operating at ‘full capacity’ after the crash crippled payments (see the url below for reference).

https://finance.yahoo.com/quote/V180608P00095000?p=V180608P00095000

The service interruption was because of a hardware failure, said Visa. Observation: the fellow payment card systems MasterCard and Maestro were not affected.

My comment is: see whether there is any design limitation of the enhanced 3-D Secure 2.0 that caused this incident? No problem, the cyber world seems to have no secrets. Even though it is undisclosed at this time, maybe we will know the details in future.

Have a nice Sunday.


22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

Based in Hangzhou, China, Dahua Technology is one of the world's leading manufacturers of security and video surveillance equipment. According to its unaudited results for 2017, it had a turnover of $2.89bn, a year-on-year increase of 41%, and a gross profit of $404m, growing by 31%. Based on the above details, you can imagine the market coverage of Dahua IP devices.

Regarding the CVE reference number, it indicates that the vulnerability was found in 2017. According to the official web site announcement, the historical status is shown below:

  • 2018-5-22 UPDATE Affected products and fix software
  • 2018-3-16 INITIAL

We note that the VPNFilter malware infected an estimated total of 500,000 devices (routers and network attached storage), jeopardizing the world. Whereby a US court order enforced justice and quarantined the specified C&C servers. It won this battle.

But are there any hiccups in this matter?

Should you have interest in this matter, please refer to the url below for reference.

Security Advisory : Privilege escalation vulnerability found in some Dahua IP products https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice/337

The book of Revelation – OPC UA will be the target for next phase of SCADA system attack.


Preface

A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 drove my interest to do this study. The report was an enlightenment to my conception.

Background

A tremendous potential cyber attack was found by Cisco, which announced it to the public last week. They revealed this previously unknown story to the world, and therefore the major security focus shifted to a new malware. As a result, we know the technical specifications of the malware so called “VPNFilter”. However, similar cyber attacks were encountered in the past. A similarity of those cyber attacks is their focus on public facilities, especially nuclear power, gas and water supply systems, as the major target. We bring your attention today to vulnerabilities in OPC (Object Linking and Embedding for Process Control) and OPC Unified Architecture (OPC UA) systems. Those vulnerabilities are not running in high profile, but they require attention from technical people.

About OPC & OPC Unified Architecture

OPC is an industry standard; it defines methods for exchanging real-time automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol for industrial automation developed by the OPC Foundation.

Overview of OPC Unified Architecture

Kaspersky technical findings

Referring to the technical report announced by Kaspersky on 10th May 2018, the key critical design flaws are shown below:

  1. Quote: OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.

………………………….

It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………

…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.

Hint – see whether the assembly language source code below (call OpcUa-memory_Alloc@4) gives you any idea in this regard.

2. In the process of analyzing the application, they found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.

Hint: What is an XXE attack? The picture below shows a traditional XXE attack for reference. This XXE attack is the so called billion laughs attack.

Remark: By disabling DTDs, application developers also strengthen the parser's ability to protect itself against DoS (denial of service) attacks.
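As an added example (not from the Kaspersky report, the OPC Foundation stack or the original post), this Python parser applies the remark above: it uses the standard library expat bindings, refuses any DOCTYPE or entity declaration before expansion begins, and so rejects a constructed billion laughs document while still parsing an ordinary request body.

```python
"""Parse XML with DTD processing refused, defeating entity-expansion DoS."""
import xml.parsers.expat as expat
from typing import Dict


class DtdRejected(ValueError):
    """Raised when a document carries a DOCTYPE or declares entities."""


def _reject_doctype(name, _sysid, _pubid, _has_internal_subset):
    # Called at '<!DOCTYPE', before any entity in the internal subset is read.
    raise DtdRejected(f"DOCTYPE {name!r} rejected: DTD processing is disabled")


def _reject_entity(*_args):
    raise DtdRejected("entity declaration rejected: DTD processing is disabled")


def parse_without_dtd(data: bytes) -> Dict[str, str]:
    """Parse XML into a flat {element: text} map, refusing any DTD.

    A billion laughs document is never expanded: parsing stops at the
    DOCTYPE, so memory use stays proportional to the input size.
    """
    parser = expat.ParserCreate()
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartDoctypeDeclHandler = _reject_doctype
    parser.EntityDeclHandler = _reject_entity
    # Returning 0 makes expat treat any external entity reference as an error.
    parser.ExternalEntityRefHandler = lambda *_args: 0

    result: Dict[str, str] = {}
    open_elements = []

    def start(tag, _attrs):
        open_elements.append(tag)
        result.setdefault(tag, "")

    def characters(text):
        if open_elements:
            result[open_elements[-1]] += text

    def end(_tag):
        open_elements.pop()

    parser.StartElementHandler = start
    parser.CharacterDataHandler = characters
    parser.EndElementHandler = end
    parser.Parse(data, True)
    return {tag: text.strip() for tag, text in result.items()}


def accepts(data: bytes) -> bool:
    """True if the document parses under the no-DTD policy."""
    try:
        parse_without_dtd(data)
    except (DtdRejected, expat.ExpatError):
        return False
    return True


# Constructed sample of an ordinary request body (OPC UA style node id).
BENIGN = b"<ReadRequest><NodeId>ns=2;s=Pump1.Speed</NodeId></ReadRequest>"

# Constructed three-level billion laughs document (100 expansions of "lol").
BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
]>
<lolz>&lol2;</lolz>"""

if __name__ == "__main__":
    print(parse_without_dtd(BENIGN))
    print("billion laughs accepted:", accepts(BILLION_LAUGHS))
```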

My observation:

Upon inspection, OPC UA requires the following library files:

libeay32.dll, ssleay32.dll, and uastack.dll

The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in that version of OpenSSL, you may compile and use your own version because it is an open source program.

Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer to the url below for reference.

https://opcfoundation.org/news/press-releases/review-kaspersky-labs-report-confirms-opc-foundations-transparent-open-source-opc-ua-implementations-strategy-improves-security/

— End —

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).

Preface:

Using big data and data mining methods to predict attacks before they happen, the Cisco Umbrella Security Research team built such a detection framework.

Point of view:

a. Vulnerable routers are susceptible to shell metacharacter attacks

According to the observation results of the Cisco Talos security team, a group of router devices is vulnerable: Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will describe them as clearly as Cisco's findings (see the url below for reference).

https://blog.talosintelligence.com/2018/05/VPNFilter.html

However, a hint was given to me that they are all vulnerable to shell metacharacter attacks. What is a shell metacharacter attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus sign, and asterisk will have a special meaning. In this sense, those routers contain design weaknesses that may let the router misbehave; for instance, it accepts arbitrary command execution through shell metacharacters in a URL.

Botnets from an earlier phase relied on workstations to engage the attack, and moved to smartphones in the last few years. Most likely the security enhancements in workstations and smartphones improved. The threat actors have found new victims today: low-end wireless routers.

So the items below are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the ways to validate input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If input is required, take the following validation actions:

  • Sanitize – attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in a log file
  • Alert – send a notification to related personnel
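As an added example (not vendor firmware code), the following Python applies the three lists above to one router web-UI parameter, a ping target taken from a URL: the “before” shape splices the raw value into a shell string, while the hardened shape whitelists the value, refuses rather than sanitizes, logs the rejection, and never hands the value to a shell. The function names (validate_target, build_ping_argv, run_ping) are hypothetical.

```python
"""Whitelist validation of a URL parameter that ends up in a system command."""
import ipaddress
import logging
import re
import subprocess
from typing import List, Optional

log = logging.getLogger("router-ui")

# Characters a shell interprets; any one of them means reject, not sanitize.
SHELL_METACHARACTERS = set(";|&$`<>()[]{}*?!~#\\\"'\n\r\t ")

# Whitelist: RFC 1123 style host name, labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)


def vulnerable_ping_command(raw: str) -> str:
    """The 'before' shape: raw input spliced into a shell command line.

    A value such as 'a;reboot' turns one command into two. Kept only to show
    the pattern; nothing in this file executes it.
    """
    return f"ping -c 1 {raw}"


def validate_target(raw: str) -> Optional[str]:
    """Return the canonical target, or None when the input is not on the whitelist."""
    if not raw or len(raw) > 253:
        return None
    if any(ch in SHELL_METACHARACTERS for ch in raw):
        log.warning("rejected ping target with shell metacharacters: %r", raw)
        return None
    try:
        return str(ipaddress.ip_address(raw))  # IPv4 or IPv6 literal
    except ValueError:
        pass
    if HOSTNAME_RE.match(raw):
        return raw.lower()
    log.warning("rejected ping target that is not a host name: %r", raw)
    return None


def build_ping_argv(raw: str) -> List[str]:
    """Hardened shape: validated value placed in an argv list, never a shell string."""
    target = validate_target(raw)
    if target is None:
        raise ValueError("invalid ping target")
    # A whitelisted value cannot start with '-', so it cannot become an option.
    return ["ping", "-c", "1", target]


def run_ping(raw: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute the validated command without a shell (shell=False is the default)."""
    return subprocess.run(build_ping_argv(raw), capture_output=True,
                          timeout=timeout, check=False)


if __name__ == "__main__":
    for candidate in ("192.0.2.1", "gateway.example", "192.0.2.1;reboot", "$(id)"):
        print(f"{candidate!r:>24} -> {validate_target(candidate)}")
```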

b. Behavioral analysis discovered an abnormal traffic pattern

There are design weaknesses in the Modbus protocol. Basically Modbus is an application layer protocol. However, MODBUS/TCP protocol implementations contain multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding design weakness item no. 1, the SCADA system vendor will recommend that clients use a VPN tunnel to encrypt the traffic as remediation. However, the attacker created a working directory (/var/run/vpnfilterw) on the compromised router to record Modbus traffic, and therefore user credentials could be found by the attacker.
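As an added example (not Cisco or Talos code), this Python script shows the behavioural-analysis angle over constructed Modbus/TCP frames: it parses the MBAP header and, because the protocol carries no authentication or integrity check of its own (items 1 to 4 above), raises an alert when a write function code arrives from any address other than the known master, or when the declared length disagrees with the bytes on the wire. The master, PLC and router addresses are constructed.

```python
"""Detect unauthenticated Modbus/TCP writes from an unexpected source."""
import struct
from typing import Iterable, List, NamedTuple, Set, Tuple

# Function codes that change PLC state; reads (1-4) are left out of the alerting.
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
}


class ModbusFrame(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    payload: bytes


def parse_mbap(frame: bytes) -> ModbusFrame:
    """Parse the 7-byte MBAP header plus function code; raise on malformed input.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2,
    counts unit id + PDU), unit id (1); the PDU starts with the function code.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    transaction_id, protocol_id, length, unit_id = struct.unpack("!HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"protocol id {protocol_id} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError(f"declared length {length} != {len(frame) - 6} bytes on wire")
    return ModbusFrame(transaction_id, unit_id, frame[7], frame[8:])


def build_frame(transaction_id: int, unit_id: int, function: int, payload: bytes) -> bytes:
    """Build a Modbus/TCP frame (used here only to construct sample traffic)."""
    length = 2 + len(payload)  # unit id + function code + payload
    return struct.pack("!HHHB", transaction_id, 0, length, unit_id) + bytes([function]) + payload


Record = Tuple[str, str, bytes]  # (source ip, destination ip, tcp payload)


def detect_rogue_writes(records: Iterable[Record], known_masters: Set[str]) -> List[str]:
    """Return an alert line for each malformed frame or write from an unknown master."""
    alerts: List[str] = []
    for src, dst, frame in records:
        try:
            parsed = parse_mbap(frame)
        except ValueError as exc:
            alerts.append(f"{src}->{dst}: malformed Modbus/TCP frame ({exc})")
            continue
        if parsed.function in WRITE_FUNCTIONS and src not in known_masters:
            alerts.append(
                f"{src}->{dst}: {WRITE_FUNCTIONS[parsed.function]} (fc {parsed.function}) "
                f"to unit {parsed.unit_id}, tid {parsed.transaction_id}, from unknown master"
            )
    return alerts


# Constructed capture: the HMI master reads registers, then a compromised
# router sends a write to the same PLC, then a truncated frame arrives.
KNOWN_MASTERS = {"10.0.0.10"}
SAMPLE_CAPTURE: List[Record] = [
    ("10.0.0.10", "10.0.0.50", build_frame(1, 1, 3, struct.pack("!HH", 0, 10))),
    ("10.0.0.99", "10.0.0.50", build_frame(7, 1, 6, struct.pack("!HH", 1, 0))),
    ("10.0.0.99", "10.0.0.50", build_frame(8, 1, 16, b"\x00\x00\x00\x02\x04")[:10]),
]

if __name__ == "__main__":
    for alert in detect_rogue_writes(SAMPLE_CAPTURE, KNOWN_MASTERS):
        print(alert)
```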

c. Compromised routers and NAS transformed into weaponized tools

Cisco statistically calculates that an estimated 500,000 devices have been compromised. A hint highlighted by security experts is that the attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord, an evasion-of-detection technique since the communication is encrypted. The command and control server is able to drive the compromised router to start cyber attacks on nuclear power facilities. Refer to the above four items of Modbus vulnerabilities. The QNAP network-attached storage (NAS) can be transformed into an attack tool. The NAS kernel contains Linux commands that can be used; for instance, executing an nping command to craft packets that bother the nuclear facility. Meanwhile the hacker is able to install python or php libraries with scripts to execute the attack (reference to item number 4 above).

Summary:

In the meantime, we are waiting for more information from Cisco. Perhaps attackers will engage the attack. No news is good news, agreed, right?

Any updates will be posted here.

— End —

24th May 2018 – status update:

The FBI has taken control of APT28's botnet. They are the suspected threat actor of this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.

http://www.scmp.com/news/world/united-states-canada/article/2147561/us-disrupts-botnet-500000-hacked-routers-suspected?edition=hong-kong

Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices

https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected


Vulnerabilities – Waiting for vendor response – 23rd May 2018

Cyber attacks are wreaking havoc today. In order to protect power facilities, water supply, gas supply and petroleum industry daily operations, SCADA control system vendors implement security controls in their system infrastructure. However, when vulnerabilities are encountered in their products, the vendor's remediation steps are sometimes not efficient. For instance, Advantech is one of the key players in SCADA with WebAccess, but it lacks motivation to drive remediation for its products. There is no official announcement of how to do the remediation on their products so far. The vulnerabilities are shown below:

CVE-2018-7499 – buffer overflow vulnerabilities which may allow an attacker to execute arbitrary code.
CVE-2018-7503 – a path traversal vulnerability which may allow an attacker to disclose sensitive information on the target.
CVE-2018-7505 – the TFTP application has unrestricted file uploads to the web application without authorization, which may allow an attacker to execute arbitrary code.
CVE-2018-10591 – an attacker can create a malicious web site, steal session cookies, and access data of authenticated users.
CVE-2018-10590 – an information exposure vulnerability through directory listing has been identified, which may allow an attacker to find important files that are not normally visible.
CVE-2018-10589 – in WebAccess SCADA Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior, a path traversal vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7497 – several untrusted pointer dereference vulnerabilities have been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-8845 – a heap-based buffer overflow vulnerability has been identified, which may allow an attacker to execute arbitrary code.
CVE-2018-7495 – an external control of file name or path vulnerability has been identified, which may allow an attacker to delete files.
CVE-2018-8841 – an improper privilege management vulnerability may allow an authenticated user to modify files when read access should only be given to the user.
CVE-2018-7501 – several SQL injection vulnerabilities have been identified, which may allow an attacker to disclose sensitive information from the host.

21 May 2018 – CPU hardware utilizing speculative execution may be vulnerable to cache side-channel attacks

Regarding the subject matter, please refer to the urls below for reference.

Q2 2018 Speculative Execution Side Channel Update

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00115.html

Vulnerability of Speculative Processors to Cache Timing Side-Channel Mechanism

https://developer.arm.com/support/arm-security-updates/speculative-processor-vulnerability