Application Development, System, Under our observation

SWIFT Customer Security Controls Framework

 

Preface:

All SWIFT users must comply with the mandatory security controls by the end of 2018.

Objective:

Introduction of new controls or guidelines will take account of strong cybersecurity practices that address the currently known new and arising threats in order to pragmatically raise the security bar.

Technical details:

Mandatory Security Controls
1. Restrict Internet Access and Protect Critical Systems from General IT Environment
2. Reduce Attack Surface and Vulnerabilities
3. Physically Secure the Environment
4. Prevent Compromise of Credentials
5. Manage Identities and Segregate Privileges
6. Detect Anomalous Activity to Systems or Transaction Records
7. Plan for Incident Response and Information Sharing

Observation:
Swift system is on the way do the enhancement continuously. But do you think such continuous program will be effectively avoided cyber security attack? For instance Bangladesh heist.
It is hard to tell what is the next cyber attack challenge in the moment. Let’s keep our eye open. Stay tuned!

Reference:

Bank Negara Malaysia (Bank) detected and foiled a cybersecurity incident involving attempted unauthorized fund transfers using falsified SWIFT messages.

Potential Risk of CVE

Security Focus (Microsoft Edge) – Critical vulnerabilities fixed in November 2018 Patch Tuesday

Preface:
Chakra is a JavaScript engine developed by Microsoft for its Microsoft Edge web browser. It is a fork of the JScript engine used in Internet Explorer.

Description:
The technical details issued by patch Tuesday not describe explicitly (see below).

A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge.This vulnerability could also be exploited through Microsoft Edge via specially crafted web sites or advertisements..

Speculation:
Remote attacker to execute arbitrary code on the system caused by a ballout error in the JavaScript JIT compiler when inling ‘Array.prototype.push’ with multiple arguments.
Remark: The push() method adds oneor more elements to the end of an array and returns the new length of the array.

Remedy:

CVE-2018-8541
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8541
CVE-2018-8542
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8542
CVE-2018-8543
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8543
CVE-2018-8551
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8551
CVE-2018-8555
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8555
CVE-2018-8556
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8556
CVE-2018-8557
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8557
CVE-2018-8588
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8588

Potential Risk of CVE

Adobe Releases Security Updates – 13th Nov 2018

Preface:
Integrated Windows Authentication utilizes Negotiate/Kerberos or NTLM to authenticate users based on an encrypted ticket/message passed between a browser and a server. This is the standard authentication algorithm for Microsoft products.

Design weakness:
Hacker steal the NTLM Credentials via PDF Files. They exploit NTLM hash leaks stealing a Windows user’s NTLM hashes.

Official announcement:
Updates for Photoshop CC for Windows and macOS
https://helpx.adobe.com/security/products/photoshop/apsb18-43.html

Security updates for Adobe Acrobat and Reader for Windows
https://helpx.adobe.com/security/products/acrobat/apsb18-40.html

Security updates for Adobe Flash Player for Windows, macOS, Linux and Chrome OS
https://helpx.adobe.com/security/products/flash-player/apsb18-39.html

Potential Risk of CVE

Node.js third-party modules vulnerability – Nov 2018

Preface:
Node.js is an open source, cross-platform built on Chrome’s JavaScript runtime for fast and scalable server-side and networking applications.

Known technical concerns:
Node.js has a set of built-in modules which you can use without any further installation.
In order to enhance the function and effectiveness, the 3rd party modules are available to operate with node.js framework. Since node.js is a runtime environment for the JavaScript-based applications. JavaScript is built into your browser software (IE, Chrome, Firefox, and Safari). JavaScript is used by HTML code to provide two-way communication between your browser and the web server without you needing to refresh the web page.
So, in certain circumstances, it is bring out the security concerns.

Known vulnerability modules:

Prototype Pollution Vulnerability in cached-path-relative Package
https://hackerone.com/reports/390847

[tianma-static] Stored xss on filename
https://hackerone.com/reports/403692

[takeapeek] Path traversal allow to expose directory and files
https://hackerone.com/reports/403736

Potential Risk of CVE, Under our observation

Security Updates for SIPROTEC and SICAM Products (Oct 2018)

Preface:

SIPROTEC and SICAM – Siemens products and solutions for protection engineering, station automation, power quality, and measurement – can be connected directly and easily to MindSphere and other cloud-based platforms.

What is MindSphere?
MindSphere is an open cloud platform or “IoT operating system” developed by Siemens for applications in the context of the Internet of Things. MindSphere stores operational data and makes it accessible through digital applications to allow industrial customers to make decisions based on valuable factual information.

Product Updates:
SICAM Q200 V2.40 firmware released with security-relevant updates
SICAM Q100 V1.30 firmware released with security-relevant updates

Question?
OpenSSL sources modified by Siemens issued on 11th Sep 2018.
However OpenSSL DSA signature algorithm has been shown to be vulnerable to a timing side channel attack (use variations in the signing algorithm recover the private key).
Above vulnerability with reference number CVE-2018-0734 announced on 30th Oct 2018.
It looks that there is a gap in between version. But it cannot confirm whether there is an impact?
Regarding to above technical details. Do you have any doubt?

Public safety

What is the situation of Edward Snowden (whistle blower)? Do you still remember him?

Preface:
The samurai (or bushi) were the warriors of premodern Japan.Lone Wolf and Cub is a manga created by Japanese comics writer.Samurai respected justice.

Synopsis:
Justice is the legal or philosophical theory by which fairness is administered. It is the fundamental of human nature. But the concept of justice differs in every countries and culture.

Who is he?
Edward Snowden, an American contract employee at the National Security Agency, is the whistleblower behind significant revelations that surfaced in June 2013 about the US government’s top secret, extensive domestic surveillance programmes. Snowden flew to Hong Kong from Hawaii in May 2013, and supplied confidential US government documents to media outlets including the Guardian.

What’s the situation now?
He is on exile. His most recent interview in Moscow Russia on September 2018. (Refer below url)
https://www.youtube.com/watch?v=wimHE6SNddc

Why Edward Snowden should be pardoned?(Refer below url)
https://www.amnesty.org.uk/edward-snowden-nsa-whistleblower-pardon

 

Potential Risk of CVE

VMware Releases Security Updates – November 09, 2018

Subject: VMware ESXi, Workstation, and Fusion updates address uninitialized stack memory usage

Technical background:
VMXNET3 (VMXNET Generation 3) is a virtual network adapter designed to deliver high performance in virtual machines (VMs) running on the VMware vSphere platform.
How to enable it?
1. Power off your Virtual Appliance in the VMWare Console.
2. Right click the Virtual Appliance, go to Settings.
3. Select Network Adapter 1 and click Remove.
4. Click Add and choose Network Adapter.
5. Choose VMXNET3 under type.

Design weakness:
The uninitialized stack memory vulnerability will be present if vmxnet3 is enabled.
In computing, an uninitialized variable is a variable that is declared but is not set to a definite known value before it is used. It will have some value, but not a predictable one. As such, it is a programming error and a common source of bugs in software.

Remedy:

https://www.vmware.com/security/advisories/VMSA-2018-0027.html

IoT, Potential Risk of CVE

Does CUJO IoT firewall will be affected by U-Boot vulnerabilities? Nov 2018

Preface:
CUJO is the most adorable home firewall on the Market. Meanwhile if a threat is detected, CUJO smart firewall will tell the cloud what it has blocked so you can receive a notification on your mobile app to confirm it.

Technical background:
Cujo product working with U-boot.
U-Boot is the bootloader. Meanwhile, it provides the basic infrastructure to bring up a board to a point where it can load a linux kernel and start booting the operating system.

Synopsis:
Vulnerabilities found on U-Boot (CVE-2018-18439, CVE-2018-18440)
CVE-2018-18439: U-Boot filesystem image load buffer overflow
CVE-2018-18440: U-Boot insufficient boundary checks in filesystem image load

Observation: No technical information provided by Vendor (CUJO AI) in the moment. We keep our eye open whether a remedy will be issued by vendor soon.

 

Potential Risk of CVE

Cisco Releases Security Updates – November 07, 2018

Cisco Releases Security Updates – November 07, 2018

Cisco Stealthwatch Management Console Authentication Bypass Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-smc-auth-bypass

Cisco Small Business Switches Privileged Access Vulnerability – https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-sbsw-privacc

Cisco Unity Express Arbitrary Command Execution Vulnerability – 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-cue

Cisco Meraki Local Status Page Privilege Escalation Vulnerability – 

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181107-meraki?vs_f=Cisco%20Security%20Advisory&vs_cat=Security%20Intelligence&vs_type=RSS&vs_p=Cisco%20Meraki%20Local%20Status%20Page%20Privilege%20Escalation%20Vulnerability&vs_k=1

Data privacy, Under our observation

Self-Encrypting Solid-State Drive Vulnerabilities – November 06, 2018

Preface:
Retrospective last decade, the key word so called vulnerability look like a stranger to us. But it change today. Design vulnerability, it was no doubt to say. They are the belongings of cost effective solution, market competition (short development life cycle) and satisfy human want.

Design technique – Wear leveling (also written as wear levelling) is a technique for prolonging the service life of some kinds of erasable computer storage media.

Design limitation – Wear-leveling does not guarantee that an old copy of updated data is fully removed. If the updated data is written to a new segment, old versions of data may exist in the previous segment for some time after it has been updated (until that previous segment is overwritten).
Remark: Consumer Notice regarding Samsung SSDs – https://www.samsung.com/semiconductor/minisite/ssd/support/consumer-notice/

Impact – There is possible way to allow data theft to collect and read the encrypted data through physical attack (reverse engineering). A vulnerability for hardware encryption method.

Remedy – Fully turn off BitLocker to decrypt the drive on windows OS
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180028

antihackingonline.com