Category Archives: Under our observation

Headline news: FAA system outage disrupts thousands of flights across U.S. (12th Jan 2023)

Preface: Thousands of flights across the U.S. were delayed Wednesday after a Federal Aviation Administration pilot alert system failed overnight, prompting a nationwide halt to departures. said CNBC news.

Headline news –

Background: The Department of Homeland Security published the following opinion piece four years ago.

The GPS system is now considered a “crosssector dependency” for the Department of Homeland Security’s (DHS) 16 designated critical infrastructure sectors. GNSS is vulnerable to jamming and natural interference. When GNSS is denied, PNT information can be seriously affected in ways that increase risks to the safety of navigation.

My observation: Perhaps the incident was not caused by a cyber attack. But industry experts know that the overall system architecture will be combined with OS vendor-dependent drivers.

For example: if the driver is written as a specify standard driver using user-mode extensions is not recommended because this model will likely require more memory usage. However, this specify standard is available on all platforms and it is strongly recommended to use the driver written in user mode.

So, the function is not only OS specific, it also including 3rd party vendor to do the software development. As a matter of fact, aero industry is a special zone. The current computer technology is also involving such zone. In computer world nowadays, the patch to vulnerability is common. So, who can say that this is a trust zone and it is without vulnerability forever.

Cyber Défense from narrow to broad  (5th Jan 2023)

Preface: Sustainability is a buzzword in the modern world in recent years. It applies to business, culture…even our education. A slogan, keep learning. Maybe it’s the Cantonese mantra, One is never too old to learn. Perhaps it also apply to cyber security protection.

Background: In last twenty years, computing technology driven growth of the world. The rapid growth of telecommunication especially TCP/IP communication protocol. The invention of this technology unintended interconnect different zone and culture. The TCP/IP network protocol  empower to Industrial world transformation. So we have industrial 4.0, smart city facilities and smart home. This is the theory of sustainability. But this key word just appear in last five years.

We all concerning privacy. So European countries and union driven GDPR. Whatever data run in internet including your personal data, web browser connection cookies are fall into their protection coverage. Before that, cyber security vendor especially antivirus and cyber security protection vendor have been done predictive technology. Their way is do a passive information gathering. When incident occur with unknown cyber-attack, they will do enhancement based on your former activities log.

Cyber defence from narrow to broad  : Set up monitoring and logging of systems that trip the DNS sinkhole so that they can be investigated and remediated if they are infected with malware. Until now, such services have been run by private business owners. So if you can afford to pay for the service, you can receive updates from the online world. To avoid risking your connection, such service will integrate to your defence solution can provide protection. Perhaps this is a narrow usage.

We all know that artificial intelligence improves our lives. But they rely on data. In fact, enterprise companies, especially Amazon, Google, Cisco… are already using AI technologies in their cyber defence solutions. So their umbrella technology covers a lot. Whether it is prevention, detection or correction, it is in place. However, they are all running businesses and thus have not disclosed their technology to the public.

But when will generalized artificial intelligence develop. For example, this month the cybersecurity defence vendor discovered malicious activity that can infect the operating system Linux. In fact, AI can target these activities and make predictions (see attached image).

Sustainability seems to be the definition of the big data world. The accumulation of data to the database is a long-term process. So keywords accumulate or sustainably contain similarities.

For more information about cyber-attacks against Linux environments, you can find the details at the link –

Apple’s new lock mode. Do you think it is for protection against spyware or to prepare for new EU regulations (WhatsApp, iMessage and other apps for communication)? 7-7-2022

Preface: The UK GDPR is the UK General Data Protection Regulation. It is a UK law which came into effect on 01 January 2021. It sets out the key principles, rights and obligations for most processing of personal data in the UK, except for law enforcement and intelligence agencies.
On 28 June 2021, the EU approved adequacy decisions for the EU GDPR and the Law Enforcement Directive (LED). This means data can continue to flow as it did before, in the majority of circumstances. Both decisions are expected to last until 27 June 2025.


About regulations and laws – The European Union on Thursday night (24th Mar 2022) unveiled more details about its plans to curb anti-competitive practices among big tech companies. With the rules of the new Digital Markets Act (DMA), Europe wants all major messaging apps like WhatsApp, Facebook Messenger, and iMessage to have an interoperable platform.

About cyber attack on smartphone: The spyware attacks targeting individuals smartphone device took place between 2017 and 2020 and leveraged a previously undisclosed iOS zero-click exploit, dubbed “Homage” by Citizen Lab. The exploit affects devices running iOS versions before 13.2. The researchers said they found no evidence that Homage is effective against the latest versions of iOS operating system. April 2022

Technical details: Apple announced that a new security feature so called Lockdown Mode will roll out with iOS 16, iPadOS 16, and macOS Ventura.
The first version of Lockdown Mode will include protections for multiple operating systems features exposed to attacks, including:

  • Messages: Most message attachment types other than images are blocked. Some features, like link previews, are disabled.
  • Web browsing: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
  • Apple services: Incoming invitations and service requests, including FaceTime calls, are blocked if the user has not previously sent the initiator a call or request.
  • Wired connections with a computer or accessory are blocked when iPhone is locked.
  • Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM) while Lockdown Mode is turned on.

Remark: Thanks to ( for the details. For details, please refer to the link –

Question: According to above details, Apple’s new lock mode. Do you think it is for protection against spyware or to prepare for new EU regulations (WhatsApp, iMessage and other apps for communication)? What do you think?

hiccup, web server load balancing solution  3rd May 2022

Preface: Online banking cannot lack of load balancing solution today. However in terms of life cycle of operation system and software libaries , Java language development platform and on-demand custom fuctions. Does it bother the load balancing functions? The most challenging parts is the layer 7 load balancing. Perhaps you can do the healt check on appliation functions. However, it is difficult to garantee the non stop function on application side (availability).

Background: The load-balancing algorithms supported are round-robin, weighted least request, random, ring-hash and more. An additional function includes client non interrupt services using application & service availability (health-checks performance).

My focus: Online banking platform (Hong Kong)
Error 500: java.lang.RuntimeException: no EntityContext found in existing session
Date: Around 8:15 am 5/3/2022

Fundamentally, Web server load balancing function in correct way make no downtime. Therefore when you connected to web server had problem. The load balancing function will keep persistence (SSL Sticky) then redirect your connection to the web server which is available.
My experience operating in online banking system in today morning (3rd May, 2022) hints the technical information to me.
I encountered error my web services. (Reminded – it successful logged on and doing operations). However an error 500 display on my screen. Thereafter. even I close the browser, make new established connection to Banking system. It still redirect my new connection to But in round robin setup architecture, I can connect to by chance.

Observation: Perhaps, load balancer capable web application health check function. But for online banking system, it do a health check on web server front page. On java server page. For example: The EntityContext interface contains the getEjbObject and getPrimaryKey methods that a bean can use to find out about the object it is associated with. The client communicates with the bean via the EJBObject. If one of the java service had error occur. May be the load balancer health check function not know what’s happening.

Whether there is concerns on vulnerable Java SE Embedded versions. So,  apply tight protection and causes this technical problem occurs. Or there is an software configuration problem in web application itself?

Get rid of crafted Modbus traffic to bother your defense mechansim – 21st JAN 2022

Preface: Le Rouge et le Noir – Not a bad guy is good guy. If, the vulnerability is due to an integer overflow when handling Modbus traffic. Is it an early warning?

Background: The reason Modbus was so successful was the fact that it could be so readily understood by non-programmers. Engineers who built glue machines, meters, measuring devices, and such could easily understand the concept of coils/registers and the simple commands to read and write them.

About cyber attack: Modbus over serial is immune to any common malware attacks. But what methods will increase the risk of Modbus network attacks? See below:

I. MODBUS over TCP means a MODBUS RTU packet wrapped in a TCP packet.
II. MODBUS TCP means a MODBUS TCP packet wrapped in a TCP packet.

Perhaps a common idea will said Modbus driver might be vulnerable to attack. However, above two types of TCP communications methods are increasing the possibilities of attack. For instance, an attacker could sending crafted Modbus traffic attack a IDS. (This IDS device aim to protect the back-end HMI, PLC and SCADA infrastructure).
Due to implementation of decoding a message type incorrectly exposing a buffer overrun. This is equivalent a denial of service.

One of the possible ways to enhance validation in related IDS modules. (see below):

  1. Check the crc, and if it isn’t correct ignore the request.
  2. Check the validty of the data based on the function code.
  3. Broadcast is not supported
  4. Add bytes to expected request size (2 x Index, 2 x Count)

Due to PLC, the HMI for repair or mitigation is not so flexible because it affects industrial systems and/or related operating functions.
Sometimes even IIoT manufacturers cannot provide you with a clear upgrade roadmap. Therefore, installing IDS as detection and preventive control is an effective way to implement protection. This discussion does not focus on any IDS devices. If you have any related matters, it is recommended to listen to the supplier’s opinions.

End of writing.

RAT targeting Nginx. Can we say that NGINX is secure than Apache? (2-12-2021)

Preface: dlopen() The function dlopen() loads the dynamic shared object (shared library) file named by the null-terminated string filename and returns an opaque “handle” for the loaded object.

Background: NGINX Plus provides a supported and tested version.Starting at $2500 per year. NGINX is an open source software. Dynamic modules add functionality to NGINX Plus such as geolocating users by IP address, resizing images and embedding NGINX JavaScript njs or Lua scripts into the NGINX Plus event‑processing model.
Modules are created both by NGINX and third‑party developers.

NGINX, at its core, is a collection of modules. Whether you are using core modules, like the http and stream modules. Or 3rd party module, like geoip or RTMP, they are using the same module framework.
With the addition of dynamic module support, modules are an even better way to add functionality to NGINX.

Details of attack: A new parasitic malware targets the popular Nginx web server, Sansec discovered. This novel code injects itself into a host Nginx application and is nearly invisible. For more details, please refer to the link –

Observation: We are also considering a special case in which libraries are loaded during execution by using dlopen() so that external function addresses can be obtained by using dlsym().

Remark: From technical point of view, the return addresses are only used with paired call/ret instructions and are not read or written by other instructions.

However, attackers can also exploit another source of code pointers, return addresses, to perform memory disclosure attacks.

CISA urges to be vigilant! About GPS Daemon (GPSD) Rollover Bug (21st Oct, 2021)

Preface: If you are using a security token (fobs or software), when there is a problem with the NTP time source. This is unforeseen. Maybe there is nothing wrong with it. Or, in the worst case, similar you mistaken reset the NTP server time setting. Therefore, all your tokens should be suspended.

Background: Because in the original GPS protocol, only 10 bits were used to represent the week number. If there are 10 bits, it will overflow after counting to 1023, so it can only indicate about 19.6 years. Since the GPS time epoch (epoch) began in the early 1980s, there have been two rollover events (in 1999 and 2019, respectively). In April 2019, Headline News (The Register) announced this vulnerability to the public. It indicates that if you do not or cannot update, there will be a problem. Over time, the deadline has arrived.

Vulnerability details: Due to the design of the GPS protocol, time rollback (or technically termed “GPS Week Rollover”) can be anticipated and usually closely monitored by manufacturers. The next occurrence should have been in November 2038 , but a bug in some sanity checking code within GPSD would cause it to subtract 1024 from the week number on October 24, 2021. This would mean NTP servers using the bugged GPSD version would show a time/date of March 2002 after October 24, 2021.

Official details for reference:

Fastly CDN outage, perhaps not cyber attack (4th Oct, 2021)

Preface: In addition to cyber security attacks. Cloud service providers face different technical challenges, including software and hardware levels.

Background: Fastly is a company that provides content delivery network (CDN) services, mainly providing host static content and quickly showing it to Internet users. Fastly peers with other Internet Service Providers (ISPs) and Content Networks with IPv4 and IPv6 connectivity on Autonomous System (AS) 54113 for the purpose of exchanging traffic between these networks.

Service instability Report on October 4, 2021: It is reported that during the partial paralysis of Fastly CDN, Internet websites and services using the Fastly Content delivery Network (CDN) could not be used normally for more than an hour. Some users cannot access it directly, while others have entered an unexpected version of the website.

Their design attracted my attention: Fastly cloud distributed routing agent, called Silverton, which orchestrates route configuration within Fastly POPs. Silverton peers with the BGP daemon, BIRD, which interfaces with the outside internet. BIRD supports Internet Protocol version 4 and version 6 by running separate daemons. It establishes multiple routing tables,hand uses BGP, RIP, and OSPF routing protocols, as well as statically defined routes. If one service node have problem occurred which let the service up and down frequently (reboot). OSPF will update the routing table until completed. Whereby, it cause network traffic in slow response.

Current Status: Maybe we should wait for the supplier to announce the reason.

Stealth attack of UEFI bootkit (29th Sep 2021)

Preface: Digital spyware and monitoring tech that allows the user to covertly monitor a target’s communications, or collect personal data emitted from their devices.

Background: FinFisher, also known as FinSpy, is surveillance software marketed by Lench IT Solutions plc, which markets the spyware through law enforcement channels. On August 6, 2014, FinFisher source code, pricing, support history, and other related data were retrieved from the Gamma International internal network and made available on the Internet.

Synopsis: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit.

– Bypasses kernel protections (NX and Patch guard)
– Bypasses local authentication
– Elevated process privileges

Technical details: Found a UEFI bootkit that was loading FinSpy. All machines infected with the UEFI bootkit had the Windows Boot Manager (bootmgfw.efi) replaced with a malicious one. Kaspersky said.

Ref: FinSpy is a full-fledged surveillance software suite, capable of intercepting communications, accessing private data, and recording audio.

For more detailed information on the findings of this survey, please visit the Kaspersky website for details –

Security Focus on Microsoft windows CMD Stack Buffer Overflow (19-09-2021)

Preface: Twenty years ago, content filter firewalls were not popular. A quick way to harden the Microsoft Internet Information server is to delete all cmd commands to avoid network attacks.

Background: If you would like to run cmd in privileged mode. You have to do the following:

  1. type “CMD” you can hit Ctrl+Shift+Enter to open as administration
  2. Explorer – Hold Shift and right click on a folder, and choose “Open command window here”

To use multiple commands for , separate them by the command separator && and enclose them in quotation marks.

Vulnerability details: Expert found that special crafted payload will trigger a Stack Buffer Overflow in the NT Windows “cmd[.]exe” commandline interpreter. Furthermore, running file type especially [dot]cmd or [bot]bat will be risky. However, when cmd[.]exe accepts arguments using /c /k flags which execute commands specified by string, that will trigger the buffer overflow condition.

Above attack only exploit in local workstation. Do you think it can do it remotely? As far as I remember, if the situation is available. For example, Windows OS server encounter zero day or not patched.The netcat tool can do a remote command execution by CMD. Refer to attached diagram, if the stack buffer overflow run by tool to exploit by concept. Therefore this vulnerability will become more risky.

Observation: If your are using application firewall. It will drop the malicious traffic including netcat command automatically. Since this idea is still in concept stage. So, no need to worries.