Windows Junction Points looks like malware helper – AvGator

A tremendous news exposed that malware relies on Microsoft design limitation (Windows Junction Points) recovered itself after quarantine. A related flaw found on following antivirus vendor. They areTrend Micro, Emsisoft, Kaspersky Lab, Malwarebytes, Check Point and Ikarus Security Software. Now vendors released patches for affected products.

Do you still remember that American government Allegation Kaspersky that a spy tool embedded in their product. My personal opinion is that Kapersky is the victim of this allegation.However do you think this is part of the spy method? What is the name of this attack. His name is AVGater. For more details, please refer below url:

https://forum.kaspersky.com/index.php?/topic/382512-exploit-avgater/

Doubt? See whether similar problem will be happen in future?

Heard that in Infineon chip set has vulnerability occurs. Since security expert found the vulnerability in new German national ID card since 2010. However a technical article (ZdNet) report last week that a chip crypto flaws vulnerability occured in Spain ID card. Per announcement by NIST, this vulnerability file to CVE database (CVE-2017-15361). A security vulnerability was found in the implementation of RSA keypair generation in a cryptographic library used in a wide range of cryptographic chips produced by Infineon Technologies AG. The product is also integrated in authentication, signature and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. The vulnerability is present in NIST FIPS 140-2 and CC EAL 5+ certified devices since at least the year 2012. Any doubts? For more details about this vulnerability. Please see below url for reference.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

Reference: Hong Kong Government to Use Infineon’s Chip Card Technology in Smart Identification Card Project – announcement June 2002 (see below url for reference)

https://www.infineon.com/cms/en/about-infineon/press/market-news/2002/129155.html

To usher the wolf into the S3 Cloud

CNN interview a research Friday (17th Nov 2017) in discussion of US government Pentagon exposed huge amounts of web-monitoring data in a security failure which given by Amazon S3 buckets. I was wondering the similar data breaches not only happened in Pentagon. As far as we know ,a consulting firm found data breach few month ago on S3 bucket. But the scalability of Amazon Cloud are huge. How does bad guy or people who carry with interest find out the details? It looks that the culprit is Amazon itself. A useful tool open to public so called (ip-ranges.json). You relies on this tool can locate the IP address range of Amazon S3 bucket. Since IP address and service package expose to public. It such away increasing the attack surface. Should you have interest of CNN news. Please refer to below url for reference. Reminded that CNN did not provide those json script.Maybe you dig out the hints of my picture.

http://money.cnn.com/2017/11/17/technology/centcom-data-exposed/index.html

Oct 2017 – Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server(see below url):

http://www.crn.com/news/security/300093646/accenture-latest-company-to-leave-critical-data-exposed-on-amazon-web-services-server.htm

Updated on November 28, 2017 – Top Secret NSA and Army Data Leaked Online:

https://www.upguard.com/breaches/cloud-leak-inscom

1st Dec 2017 – Over 100GB of Secret Consumer Credit Data Leaked Online. Claimed that misconfigured Amazon Web Services (AWS) S3 cloud storage bucket.

https://www.infosecurity-magazine.com/news/100gb-secret-consumer-credit-data/?es_p=5544850

 

Perspective of e-Wallet Vulnerability

Preface:

Java, NodeJS, Python, ObjC with Xcode and GO are the popular programming language for develop of e-wallet application. It looks that some of the programmer favor of Java language since it is a common programming language.

New technology, but targeting approach by hacker remain unchanged

Reporting of Cybersecurity Incidents – InfoSec Resources

Jul 2017 – Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Nov 2017 – Parity wallet vulnerability freezes US$278 million of ethereum. The company patched the bug encountered on July 2017. However the code still present bugs and therefore freeze the crypto currency in the wallet.

* Ethereum wallet is implemented in C++ programming language

Feb 2012 – exposes a PIN vulnerability in Google Wallet security.

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

Common Security Vulnerabilities in a Digital Wallet

  • The registration process does not identify fraud verification of the user’s information card information.
  • Develop programming language encountered design limitation (vulnerability).

* For native android application it is using a Java programming language.

Observation: It looks that even though your e-wallet contains facial recognition for authentication. However the historical records shown that the vulnerabilities discovered in past are causes by programming mistake.

How is e-wallet different from cryptocurrency wallet on cyber security viewpoint?

Bitcoin is a cyrptocurrency. You need a wallet to keep your bitcoins. But Bitcoin underlying technology is block chain which cannot be counterfeited. If ever there is an issue with a transfer of funds, Bitcoin protocol settles it through consensus.

The e-wallet currency is traditional currency.It uses the secure 256bit Advanced Encryption Standard (AES) for encrypting information in your wallet. If a hacker tries a brute force attack relies on computer enter possible random-number strings at top speed it would take more than a billion years to exhaust all the possibilities.

Observation: It  looks that  both type of wallet contained hack proofed feature. But is there any underlying reason make those wallet in risk?

The Java, NodeJS, Python, ObjC with Xcode and GO are the main trend of the programming language today. Why does application developer like Java? Java is a platform Independent. Means Java does not depend on hardware and OS. Java platform fully compatible with all computers. Even through it is a mainframe computer. However the cyber security incidents from past awake the IT world that even though you are using block-chain technology platform. The other side of end point might encounter cyber attack which causes data breach or compromised of both machines. From security point of view, the overall risk rating for e-business applications including cryptocurrency or traditional currency payment transfer system are equal.

Traditional way bring people consider endpoint security but ignore other possibilities factors which are in risk!

About programming language

Python

Language: Python is a dynamically type language. Java is better characterized as a low-level implementation language.

Use of VARIABLE: No requires to declare any variables. You can mix object-oriented and imperative programming you run the code directly.

Run time speed: Slower than Java

Java

Language: Java is a statically typed language. Python is much better suited as a “glue” language.

Use of Variable: Requires to define the type of each variable, it’s object oriented in the sense that you cannot write any code without defining a class, you also invoke a compiler to compiler the code then you can run it.

Runtime speed: Run faster than python

Node.js

Language: Node.js is not a programming language. The programming language is Javascript. But Node.js not similar JavaScript framework. A group of authors define a new frameworks specifically for Node.js, It includes Express.js, Restify.js, and Hapi.js.

Use of Variable: When you declare methods without using var (function <function_name>() {}), those function declarations are moved to the top of the local scope. If you manually declare you functions, you have to wait until they are both declared before you can use them.

Runtime speed: Refer to benchmark table

C++ vs. Python vs. PHP vs. Java vs. Others performance benchmark (2016 Q3)

GO

Language: Go is an open source programming language designed for building simple, fast, and reliable software. The introduction phase for GO is written in C. The libraries are written by google developer itself. Now the compiler has been rewritten in Go, so it is fully self-hosting by Google.

Variable: The type of variable is automatically judged by the compiler based on the value passed to it.

Runtime speed: Refer to below benchmark table

ObjC with Xcode

Language: Xcode supports C, C++, Objective-C, Objective-C++, Java, AppleScript, Python, Ruby, Rez, and Swift source code with a variety of programming models, including but not limited to Cocoa, Carbon, and Java.

Variable: It is important to note that ObjC does not support class variables. But developer can simulate static variables

Runtime speed: Objective-C is slightly slower than straight C function calls because of the lookups involved in its dynamic nature.

Security Focus

 

Since no bug proof software or hardware in the world and therefore the practical operation expose the design weakness (vulnerability). Refer to informative diagram table below , Java and php looks unsecure because of the accumulate vulnerability records.

But why Java and PHP programming language are popular in the IT world. Even though Node.js framework make use of Java language. I believe that it is the fate of the IT product market. Perhaps Java bring security worries to the world. However java language provide a comprehensive functions. E-wallet looks has benefits running on Apple iPhone OS. Since it is a proprietary environment. From security prospective, it is better than opensource OS since it looks a black hole. Perhaps vulnerability occurs, the vendor (Apple) will conduct the remediation immediately. As mentioned iOS is a proprietary environment and such away avoid multiple vulnerabilities occurs simultaneously.

Example of multiple vulnerabilities: For instance Multiple Vulnerabilities in Apache Struts 2 Affecting Cisco Products (September 2017). On September 5, 2017, the Apache Software Foundation released security bulletins that disclosed three vulnerabilities in the Apache Struts 2 package. However those vulnerability affected a series of Cisco products since those voice and media management products deployed Apache Structs 2.

E-Wallet on top of mobile device platform

The Near Field Communication (NFC) payment wallets designed by GSMA program project. It relies on SIM based technique support the payment service in past. But Android M break the ice develop other alternative for online payment electronic wallet. From security point of view, the new android system architecture of the design provide sandbox feature enhance the security (see below). If we believe that it is a trustworthy environment then we move our security concerns to e-wallet SDK.

Most likely the technology trend will be form into two different way. The retail shop remain to use near field communication technique secure the payment transaction. For online payment transaction like Master card, Paypal and Alipay will lead the online payment solution. As mentioned the vulnerability found in online e-wallet SDK more or less will involved in programming language. For more details, please see below:

Instance 1: A cross-site scripting (XSS) vulnerability in GetAuthDetails.html.php in PayPal PHP Merchant SDK (aka merchant-sdk-php) 3.9.1 allows remote attackers to inject arbitrary web script or HTML via the token parameter (CVE-2017-6099).

Instance 2: The Android source code file (internal/telephony/SMSDispatcher.java) does not properly construct warnings about premium SMS messages, which allows attackers to spoof the premium-payment confirmation dialog via a crafted application, aka internal bug 28557603 (CVE-2016-3883)

Reference: Telephony in Android 4.x before 4.4.4, 5.0.x before 5.0.2, 5.1.x before 5.1.1, 6.x before 2016-09-01, and 7.0 before 2016-09-01

Instance 3: Inappropriate implementation of the web payments API on blob: and data: schemes in Web Payments in Google Chrome prior to 60.0.3112.78 for Mac, Windows, Linux, and Android allowed a remote attacker to spoof the contents of the Omnibox via a crafted HTML page (CVE-2017-5110).

Instance 4: Hacker stole ether equivalent US$31 million. A design weakness found in multi-sig wallet, it allow method called initWallet() in share wallet library. As a result such action reinitialized the contract by delegating through the library method, overwriting the owners on the original contract. The attacker will become the owners.

* Ethereum wallet is implemented in C++ programming language

Refer to above details, the argument can confirm that programming language is the important factor in e-wallet development. Even through it is a cryptocurrency wallet. The overall security level of protection for a eletronic payment system must include programming language as a major factor.

End of discussion……!

Information Supplement (under observation)

Typically, a program consists of instructions tell the computer what to do. Thus what types of data will be used when it is running will be responsible by variable. In the Java programming language, the words field and variable are both one and the same thing. Variables are devices that are used to store data, such as a number, or a string of character data. The enumerate() is one of the built-in Python functions. It returns an enumerate object. In our case that object is a list of tuples (immutable lists), each containing a pair of count/index and value. However variable can be rebound at any time, so no consistent use as an enumerator. This is a vulnerability encountered in python.

* An enumeration is a set of symbolic names (members) bound to unique, constant values.

But comparing with Java and Python CVE checklist. It shown that Python programming language hit vulnerability less than Java programming language .

 

 

Reveal block chain technology secret – he is the Genesis-of-Bible

Preface

Blockchain technology is the hottest topic last few years. Actually a similar of block technology already infiltrate into our world since genesis of the world. Do you still remember that in your student age attend chemistry lesson. A boring subject introduce the four principle orbitals (s, p, d, and f) which are filled according to the energy level and valence electrons of the element (see below for reference).  They are the block chain fundamental concept.

The genesis did not mentioned in high profile until blockchain technology do the renovation!

We are easy to find out the key elements of blockchain on internet. According to my observation so far, the result might not similar. My observation summary are function, element and the lifetime (life cycle). See below details for reference (another boring diagram)

The blockchain technology reveal those three items of key element since Bitcoin currency concept found 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world is crypto currency (Bitcoin) until ENIGMA found another new idea of concept and announced to public in 2017.

Modern world concerning data privacy blockchain can do it better

In reference to technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland. It shown that an advanced encryption scheme (secure multi-party computation) provides more advance benefits comparing with key encryption concept.

Blockchain technology shown his expandable feature to the world he is not limit to cryptocurrency.

Enigma technology pioneer to introduce the expandability on blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-Factor authentication, identity,IoT, distrubuted personal data stores, crypto bank, E-Voting and Bitcoin Wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology in regards to storage, manage and use (the highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen design weakness in data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weakness. Even though you are now using TLS 1.3, it is hard to guarantee the asymmetric cryptography will be encountered another vulnerability in future.

E-Voting: An data breach occurred last year (2016) on election of US president. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure avoid data breach

We noticed that banking industry have tough and demanding compliance requirements. Some sort of policy they are not able to outsource the hosting facilities to cloud computing environment. As a matter of fact, I totally agree with their auditors concerns of data ownership and governance of data. We heard a data breach on Amazon Simple Storage Service (S3) — Cloud Storage this year. However the on-going technology trend is going to do the system integration to cloud computing. It looks that the IT world no way to escape the cloud technology integrate to their IT infrastructure. Block chain technology itself embedded strong encryption feature which can replace traditional network transport and data protection mechanism. Even though hacker break through the public cloud computing farm, hacker not easy to decrypt the data.

How about ransomware attack?

Blockchain solutions are decentralized – a scenario may happen that ransomware encrypted the data belongs to specifics cyber victim. But another range of clients may not affected.

Who’s is ready to playing this game?

Let’s do a review on current cloud facilities located in APAC country. In the meantime AWS did not install their hosting in China and Hong Kong. But service (blockchain-as-a-service) is available,The nearest zone which have AWS hosting facility installed is Singapore. In such a way bring the advantage to Microsoft Azure cloud became a market leader in this area (see below reference).

According to the blockchain key elements: function, element and life cycle. Blockchain can conduct like a theory apply to technology world without limitation.

Let take a closer look of blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those country who would like to implement the Smart City. Blockchain technology is the key project element which they cannot escape.

A Breakthrough for City Innovation driven by blockchain technology

  1. Single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Provides integrated solutions for local commerce across retailers, service providers, dining, and lodging internal system migrate to the cloud (blockchain-as-a-service).

Layer 7 (application layer) – What is the information security key factors?

Preface:

We heard shocking news this year especially EQUIFAX breach. The hackers accessed up to 143 million customer account details earlier this year. Thereafter a data breach happened on July 29 and the details taken include names, social security numbers, drivers licences, and credit card numbers of around 200,000 people. Perhaps you could said that the incident given by vulnerability on Apache component Struts CVE-2017-5638. A design limitation was found in the Jakarta Multipart parser. A proof of concept shown that we can set the Content-Type to an OGNL expression such as:

Content-Type: ${(#_='multipart/form-data').

The Content-Type is not escaped after the error, and is then used by LocalizedTextUtil.findText function to build the error message. This function will interpret the supplied message, and anything within ${…} will be treated as an Object Graph Navigation Library (OGNL) expression. As a result the attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands (see below diagram for reference).

API security is important today especially the API infiltration

So far includes myself only focusing in ring 0 attack. It looks that information security bring my attention to kernel hooking. Once upon a time, kernel hooking looks like it is everything. I think it might have similarity and such a way anti-virus manufacturer address in the same place. But when do we awake? I believed that it is the Java application century. API security level equivalent to kernel level.

Actually the defense mechanism not difficult to detect the malware on 32-bit operating system. For instance, on a 32-bit windows system, antivirus software may use SSDT hooking (System Service Dispatch Table hooking). Using SSDT hooking, the Antivirus software can prevent attacks based on the APIs being called by the malicious software.

So, it looks secure that once modern antivirus installed, right?
But what is the reason let cyber attack victims growth rapidly? Even though IDS , firewall and modern antivirus software was deployed?

Closer Look details

Windows 7 x64 is shipped with Patch Guard which doesn’t allow to hook SSDT/MSRa/code section. Disabling PatchGuard is the 1st priority of objective for malware. Since we are the system owner and therefore it is easy to disable the Patch Guard function in your 64 bit window operating system by yourself. The instruction displayed below:

Type msconfig, Go to the boot tab and delete the patched boots.

Or running the following commands in a root-shell and restarting the PC afterwards.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex 

As we know, malware couldn’t conduct manual driven job task. If malware is going to find their target named function. It must go to the correct memory address (refer to table 1). But the objective of the PatchGuard is protect the following data and structures.

• Modifying system service tables, for example, by hooking KeServiceDescriptorTable

• Modifying the interrupt descriptor table (IDT)

• Modifying the global descriptor table (GDT)

• Using kernel stacks that are not allocated by the kernel

• Patching any part of the kernel (detected only on AMD64-based systems)

Remark: The inline hooking 3 step slogan. However it doesn’t work since patch guard is enable.

  1. The Hook – A 5 byte relative jump which is written to the target function in order to hook it, the jump will jump from the hooked function to our code.
  2. The Proxy – This is our specified function (or code) which the hook placed on the target function will jump to.
  3. The Trampoline – Used to bypass the hook so we can call a hooked function normally.

How malware trim down himself, then go to kernel level. How to bypass antivirus or malware detector?

Attempt 1. Find out design limitation on web portal then using the scripting API or dynamic JSP inject command. One of the example has shown from our discussion first page. Try to find out vulnerability on web server side module or component. Or find our the weakness of  programming design (see below for reference) then inject system command.

But is there additional way to conduct API infiltration?

Attempt 2. Hooking Shared Library Function Calls

Phenomenon: Apache web server deployment high coverage in the world. However not less Apache servers are running on Windows operating system.

Variables factor: enable patchguard and ASLR (those functions might be make hack activities more difficulties)

Below diagram is the reference of example how does inline hook jumping to malicious code and then executing the original function.

Since defense function was strengthen today. Antivirus embedded malware detection function, Microsoft PatchGuard verify the instruction and ASLR conduct random address function limit malware infection and therefore below traditional way of cyber attack can not work well!

  • DLLs loaded at runtime into process address space
    For kernel32 – target private addres space between 0x00010000 and 0x7FFE0000
  • Hiding files in a directory
    Replace FindFirstFile(),FindNextFile() in Kernel32 to skip rootkit files

Is there any benefits in below attack methods?

DirectX/OpenGL APIs and time functions – Typically hooked to implement cheating in on-line games.

Status: Possibility high, under our observation.

Winsock API – Hooked to monitor network traffic.

Status: It was happened in frequent. Under observation now.

But a security gap still valid because of today fast growth business strategy

Further to my study on cyber attack incident over past few months, a hints to me that API hook technique on layer 7 (application layer) is the key milestone of hacker today. See below cyber incident records for reference:

February 2017 –  The internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Incident root cause analysis: Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

June 2017 (It discovered the data breach June 19): 198 Million Voter Records Exposed

Incident root cause analysis: Misconfiguration isn’t a malicious hack in itself. However such incident shown to the world that a wide range of component could be impact the information security world. A misleading message bring people major focus on operatio system level from past.

July 2017 (It discovered the hack on July 29) : Equifax recently had 143 million customer records breached in a hack.

Incident root cause analysis: Found security weakness on patch management in IT  operation and vulnerability awareness. The incident given by vulnerability on Apache component Struts CVE-2017-5638.

A major unknown area will be transformed to hacker new target

Technology zone:  The IP telephony technology integrated with  TCP stack more than decade. However business operation keen to enhance the functional features. And therefore do the customization for system integration is hard to avoid. We seen some network communications hardware vendor will be involved in the application interface technologies. Modern business world more tough and demanding competition. Looks  Cisco also become the victim on former vulnerability hiccups. For more details, please see below url for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Summary: Seems, I did not has final checkpoint guide me to drawn any conclusion on this discussion. Hey Guy, keep your eye open. There will be more strange things happened in today such demanding and tough business world!

Be a happy Sunday. I remain with my best regards.

 

Reference table 1:

Become a witness of new generation of financial age. But be careful of hack.

Preface:

Bitcoin mining make the world crazy. Java base coin mining tools provides flexibility. A lightweight, small footprint let you involved to mining industry.

What is the actual reason to lure the people starting the mining work?

Reminder: Bitcoin mining like a games. Different types of crypto currencies will have different mining rewards policy.

It looks that it is easy to answer. We are looking for money that is the reward.

The Bitcoin block mining reward halves every 210,000 blocks, the coin reward will decrease from 12.5 to 6.25 coins, said bitcoinblockhalf (www.bitcoinblockhalf.com)

So what is the target mining pool (blockchain) and coin types?

The hottest crypto currencies are Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Litecoin (LTC), Dash and Pascal (PASC). But Ethereum mining is profitable, but it cannot maintain in the long run. However it is still the hottest topic. Ethereum has seen an almost 20x jump in price in 2017. What are Mining Rewards in Ethereum?

The proof of work(PoW) in Ethereum is run through Ethash. The successful PoW miner will receive a static block reward that is equal to 5 Ether.

 

Why a GPU mines faster than a CPU?

A majority of GPUs support add, multiply and multiply-add natively in hardware with single-cycle throughput, as the basic computation instructions.  And thereby it is better to using GPU conduct bitcoin mining. Since traditional CPU embedded instruction set and OS footprint. It is difficult to maximize the overall performance for bitcoin mining.

Does Java code is the best suit for Bitcoin Mining?

I watch a TV program years ago, a crew visited China report the status of this industry. Shown on the TV screen the bitcoin miner campus like a factory. A whole bunch of computer units which generates high temperature. You could not found a pretty office lady in that office. So, does it a artificial intelligence office? Seems it is not, you will find young Chinese men which wearing casual to working over there.

The traditional bitcoin mining require high CPU resources to do the calculation. A hints of the mining requirement recommend using GPU (graphics processing unit) instead of CPU (central processing unit). However, an HTML IFRAME tag is able to embedded java script to share visitor CPU resources to assists for bitcoin mining ((Embedding a javascript inside another using the<iframe> tag). As we know, web site open to the world not limited to area and visitor. From technical point of view, this is a win win situation. Coinhive offers a JavaScript miner for the Monero Blockchain that you can embed in your website.

To be honest, java programming provides flexibility for bitcoin miner do the mining. Below sample shown that a light-weight java programming can conduct a mining focusing on Ethereum blockchain. Some largeBitcoin mining farms switch to Ethereum today.

Remark: Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract functionality

package org.ethereum.core;

import java.math.BigInteger;

import org.ethereum.crypto.HashUtil;
import org.ethereum.util.ByteUtil;
import org.ethereum.util.FastByteComparisons;
import org.spongycastle.util.Arrays;
import org.spongycastle.util.BigIntegers;
public class Miner {
public boolean mine(Block newBlock, byte[] difficulty) {

		BigInteger max = BigInteger.valueOf(2).pow(256);
		byte[] target = BigIntegers.asUnsignedByteArray(32,
				max.divide(new BigInteger(1, difficulty)));

		byte[] hash = HashUtil.sha3(newBlock.getEncodedWithoutNonce());
		byte[] testNonce = new byte[32];
		byte[] concat;

		while(ByteUtil.increment(testNonce)) {
			concat = Arrays.concatenate(hash, testNonce);
			byte[] result = HashUtil.sha3(concat);
			if(FastByteComparisons.compareTo(result, 0, 32, target, 0, 32) < 0) {
				newBlock.setNonce(testNonce);
//				System.out.println(Hex.toHexString(newBlock.getEncoded()));
				return true;
			}
		}
		return false; // couldn't find a valid nonce
	}
}

Cyber security view point

Researchers found that a sophisticated class of surreptitious mining software might penetrates your system. Hacker will delivered their services through infected image files or by clicking on links leading to a malicious site. n such a way that visitor will consume more CPU power. It is easy to figure it out what is the status of your personal computer at home. If you have everything closed but CPU usage is still super high, then you may have a crypto mining malware problem.

Potential opportunities for hacker

Since those bitcoin mining java script not going to compile, Those programming coding something do not trigger the security alarm. Hacker is easy to mix their malware code contained in bitcoin mining java script then bypass the detective mechanism.

What next?

Perhaps Bitcoin environment looks like a new generation of new century. It is hard to draw into conclusion at this moment. Perhaps Bitcoin environment looks like a new generation of new century. It is hard to draw into conclusion at this moment. The similar case of traditional bank robbery will be replaced by new technology. The hacker will conduct similar criteria of criminal activities.

Reference:

Monero: Mining metrics are calculated based on a network hash rate of 252 MH/s and using a XMR – USD exchange rate of 1 XMR = $ 88.35. These figures vary based on the total network hash rate and on the XMR to USD conversion rate. Block reward is fixed at 6.022756660193 XMRand future block reward reductions are not taken into account. The average block time used in the calculation is 120 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Ethereum: Mining metrics are calculated based on a network hash rate of 109,037 GH/s and using a ETH – USD exchange rate of 1 ETH = $ 307.61. These figures vary based on the total network hash rate and on the ETH to USD conversion rate. Block reward is fixed at 3 ETH and future block reward reductions are not taken into account. The average block time used in the calculation is 15 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Bitcoin: Mining metrics are calculated based on a network hash rate of 10,399,990,921 GH/s and using a BTC – USD exchange rate of 1 BTC = $ 6138.57. These figures vary based on the total network hash rate and on the BTC to USD conversion rate. Block reward is fixed at 12.5 BTCand future block reward reductions are not taken into account. The average block time used in the calculation is 600 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

DASH: Mining metrics are calculated based on a network hash rate of 210,374 GH/s and using a DASH – USD exchange rate of 1 DASH = $ 283.43. These figures vary based on the total network hash rate and on the DASH to USD conversion rate. Block reward is fixed at1.801475954707712 DASH POW mining out of 3.602951909415424 DASH total mining reward and future block reward reductions are not taken into account. The average block time used in the calculation is 488 seconds. The electricity price used in generating these metrics is $ 0.12per kWh.

Litecoin: Mining metrics are calculated based on a network hash rate of 30,369 GH/s and using a LTC – USD exchange rate of 1 LTC = $ 56.5. These figures vary based on the total network hash rate and on the LTC to USD conversion rate. Block reward is fixed at 25 LTC and future block reward reductions are not taken into account. The average block time used in the calculation is 150 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

 

 

 

SS7 flaw make two factor authentication insecure – Reveal the veil

Preface:

Two factor authentications claimed itself that it is a prefect security solution. No matter online banking transaction, Bitcoin wallet, e-trading business system and application system which concern the data privacy are willing to apply two factors authentication.

The overall comments for two factor authentication on the market

Let’s take a review in below cyber security incident records

  1. Cyber Criminals stolen Bitcoin in electronic Wallets by counterfeit two factor authentication SMS messages.A investment trader so called night owl. He was notified the passwords had been reset on two of his email addresses on 11th Aug 2016. He losses among the largest in his bitcoin investment. The venture capitalists (Bo Shen) he had value of US$300,000 electronic money (Augur REP tokens) stolen by hacker, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (US base world biggest bitcoin exchange) observed that a double growth of cyber heist among it customers during November to December 2016.
  2. Criminals carried out an attack from a network of a foreign mobile network operator in the middle of January 2017. Meanwhile the attackers use SS7 vulnerability to intercept and redirect mTANs ( mobile transaction authentication numbers) sent by banks in Germany to authorize transfers payment out of victim accounts.

The clarification of two factor authentication criteria

Two factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a pin, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA is effectively extending security beyond the password. The final step of the authentication process is send one-time authorization code to a device via an SMS, which you then enter to prove your identity.

My doubt on above matter?

What if my situation in regards to key terms “something you are” function replace by a hardware token. In this scenario, my hardware authentication token will be synchronized in the 1st round of registration to RSA ACE server. Thereafter the dependence of the hardware token depends on a element (timing). This setup compliance to 2FA definition. In the sense that it did not involve SMS message. So the 2FA still trustworthy, right?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

SS7 design fundamental is going to trust any request.  We known that JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. And therefore counterfeit SMS message will more easier (see below information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. It looks that such remediation step not effective to avoid insider threats.

Nokia safeguard network operation effectiveness

The fundamental of SS7 signal system is operate in a private network, meaning that cyber criminals have to hack it to gain entry—or find a telecom insider willing to offer illicit access.However there is another vulnerability on ASN.1. That is ASN.1 Compiler flaw leads to Network vulnerability. As such , hacker explore the back door on SS7 not only targeting to their internal staff. It might have possibility allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile java language fully compatible with SS7 protocol stack and platform. Oops! Do you think a design weakness will be happen in this place?

Hacker might reading shared memory data using Java . Program source that is written by C++.

Hacker can create a method in Java to read or write on shared memory. Hacker might have way relies on Java SS7 benefits hook to sharing memory process. As a result, it compromise the machine. It can send SMS to anyone or anywhere includes communicate with other Telco vendor. It is the most concern and dangerous way.

Conclusion:

From technical point of view, 2FA (Two factor authentication) still a secure method for authentication. It looks that the flaw given by SS7 signaling system instead of 2FA itself. Since 2FA not limit to SS7 to conduct authentication. You are allow to use other alternative. Guys do not worry too much.

Information supplement 1: Open Source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of SS7 telephony protocol in Java, aims to create an open source, multiplatform, SS7 protocol stack. Below javascript sample is the pass along message implementation programming syntax for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * Start time:xx<br>
 * Project: xx<br>
 *
 * @author <a href="mailto:xx@xx.com">xx </a>
 */

public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {
 public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

static final int _INDEX_F_MessageType = 0;
 private ISUPMessage embedded;
 /**
 *
 * @param source
 * @throws ParameterException
 */
 public PassAlongMessageImpl() {
 super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
 }



public MessageType getMessageType() {
 return _MESSAGE_TYPE;
 }

@Override
 public void setEmbeddedMessage(ISUPMessage msg) {
 this.embedded = msg;
 }

@Override
 public ISUPMessage getEmbeddedMessage() {
 return embedded;
 }

public boolean hasAllMandatoryParameters() {
 return this.embedded == null ? false: this.embedded.hasAllMandatoryParameters();
 }

@Override
 public int encode(ByteArrayOutputStream bos) throws ParameterException {
 if(this.embedded!=null){
 throw new ParameterException("No embedded message");
 }

//encode CIC and message type
 this.encodeMandatoryParameters(f_Parameters, bos);
 final byte[] embeddedBody = ((AbstractISUPMessage)this.embedded).encode();
 // 2 - for CIC
 bos.write(embeddedBody, 2, embeddedBody.length - 2);
 return bos.size();
 }

@Override
 public int decode(byte[] b, ISUPMessageFactory messageFactory,ISUPParameterFactory parameterFactory) throws ParameterException {
 int index = 0;
 //decode CIC and PAM message type.
 index += this.decodeMandatoryParameters(parameterFactory, b, index);
 byte targetMessageType = b[index];
 this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
 //create fake msg body
 byte[] fakeBody = new byte[b.length-1];
 System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
 index+=((AbstractISUPMessage)this.embedded).decode(fakeBody, messageFactory, parameterFactory)-2;
 return index;
 }



// Not used, PAM contains body of another message. Since it overrides decode, those methods are not called.
 protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
 throws ParameterException {
 // TODO Auto-generated method stub

}

protected int getNumberOfMandatoryVariableLengthParameters() {
 // TODO Auto-generated method stub
 return 0;
 }

protected boolean optionalPartIsPossible() {

throw new UnsupportedOperationException();
 }

}

Information supplement 2: How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design! For more detail, please refer below:  

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

 

New trend – Botnet infection technique empowered Ransomware infection

Preface:

We known that botneck infection technique popular last few year. The objective of the botneck infection more on DDOS attack. But the status now has been change.

Below sample of code on how botnet operation.

using System.Threading.Tasks;

using log4net;

using Loki.Bot;

using Loki.Common;

using Loki.Game;

 

namespace MapBuddy.Tasks

{

    public class MapExplorationCompleteTask : ITask

    {

        private static readonly ILog Log = Logger.GetLoggerInstanceForType();

 

        public async Task<bool> Logic(string type, params dynamic[] param)

        {

            if (type != "task_execute") return false;

            if (LokiPoe.Me.IsDead || !LokiPoe.CurrentWorldArea.IsMap) return false;

 

            if (CurrentMap.HasBossRoom)

            {

                if (!TrackMobTask.MapBossFound && !TrackMobTask.MapBossDead)

                {

                    Log.Warn("[MapExplorationCompleteTask] insci_test dont allow finish map until boss is alive.");

                    return false;

                }

            }

 

            Log.Warn("[MapExplorationCompleteTask] Now finishing the map run.");

            MapBuddy.EventInvocators.RaiseMapExplorationCompletedEvent();

            await CommunityLib.LibCoroutines.CreateAndTakePortalToTown();

 

            //Second portal if we are

            //if (MapBuddySettings.Instance.Mode == OpenMethod.Laboratory)

            //{

            //    var currentBot = BotManager.CurrentBot;

            //    currentBot.Settings.SetProperty("NeedsTownRun", 2);

            //}

 

            return true;

        }

 

        public string Name => "MapExplorationCompleteTask";

 

        public string Description => "Task for leaving the map.";

 

        public string Author => "ExVault";

 

        public void Start()

        {

        }

 

        public void Tick()

        {

        }

 

        public void Stop()

        {

        }

 

        public string Version

        {

            get { return "1.0"; }

        }

 

        public object Execute(string name, params dynamic[] param)

        {

            return null;

        }

    }

}

Current status:

It looks that an alert shown that an unknown attack counterfeit HSBC email to widespread the infection.  This round of attacks seems focusing on banking industry. Sample counterfeit email display below: Guys be careful!

 

Tax heaven is also a hacker playground – Bermuda

Perhaps the legal firm Mossack Fonseca data breaches incident is a history. However headline news reveal another similar case which was happened on November last year.I was shock that Mossack Fonseca encountered data breach which astonish the world since Tycoon and famous people like President of Russia Putin virama was included in their customer list.  A slogan told that a Tax heaven is also a hacker playground. It looks that legal firm only know how to use law regulations to protect their client. On the other hand, former cyber security incident shown that they are ignore the technology risks. In the meantime, we receive the news on newspaper that a cyber attack encountered on their database November last year (2016). But sounds like another important factor might bring to their attentions. For instance, it is easy to find the lawyer public email address because of their business operation model. Such business running model let hacker easy to obtained the email address. A easy way to make use of email phishing techniques let receiver become a victim. Hacker will receive the credential after compromised the email account. As a result, it is easy to drawout the data. About the detail, please refer below url for reference. 

Another story of offshore law firm data leakage. The firm encountered cyber attack on Nov 2016.
The information released the news this month.

http://www.independent.co.uk/news/business/news/appleby-offshore-law-firm-hack-data-super-rich-financial-details-bermuda-a8018451.html