Please be vigilant. Spyware will be installed on your phone at any time – Oct 2019

Preface: Since the spyware runs in a stealth mode, it will let you track the device without being detected.

Background: Patroit Act empower law enforcement agency or related department can legally monitor the movements of suspect especially Terrorism. And therefore law enforcement agency will be used spyware monitor what’ the target movement. As time goes by, quite a lot of software vendors do a transformation of mobile phone monitoring tool (spyware) to consumer product. Flexispy and Spyzie are popular in the market. You can purchase this product though vendor web portal. The slogan by vendor is that no rooting or jailbreaking required. It can easy to track SMS, CallLogs, Social Apps and locations.

Legal point of view: If the spyware was ‘used on a case,’ a detail document of report should be provided. Given the functionality of FlexiSpy, it would require a wiretap order, not just a search and seizure warrant, said attorney.

The reasons why cyber criminals want to hack your phone?

  • To eavesdrop on calls
  • To steal money
  • To blackmail people

So the Federal Trade Commission recommended Smartphone users who suspect an illegitimate stalking app on their device should consider their recommendations. Refer to URL for more details.

CVE-2019-12941 – AutoPi ( Wi-Fi/NB and 4G/LTE) devices wifi password vulnerability (Oct 2019)

Preface: Are you afraid of someone suddenly controlling your car?

Background: AutoPi is a small device that plugs into the OBD-II port of your car.

What is OBD-II port? OBD-II port of the car which gives the dongle access to the cars internal systems. AutoPi also provides a cloud service that lets you communicate with the dongle remotely over the Internet.

Vulnerability details: When user connected to the WiFi, it is also possible to SSH into the device. Both the web portal terminal and the SSH terminal grants root access, meaning that full access of the devices is given when connected through WiFi.

Since the wifi password mechanism design weakness. Attacker can use following method to receive the WPA2 authentication password. The default WiFi password and WiFi SSID are derived from the same hash function output (input is only 8 characters), which allows an attacker to deduce the WiFi password from the WiFi SSID. So it only take few hours can be cracked. For more details, please refer to attached infographic for reference.

Should you have interested, please download the technical white paper to review.!/Burdzovic_Matsson_dongle_v2.pdf

Oct 2019 – When hostile countries are prepared to take military action. They took cyber attacks as a 1st step.

Preface: Both ransomware and malware are powerful cyber attack tools. This is equivalent to the army entering a hostile country.

Background: On yesterday 21st Oct 2019, NSA and NCSC release joint advisory on Turla Group Activities article. The attack target is the aspx shell. It appeared to use these ASPX shells to preparing 2nd round of cyber attack.

We seen the trend for cyber attack in future will be target to the web API. The hacker still maintain interest on Microsoft product especially .Net framework. Traditionally, ASP.NET Web API does not utilize the request validation feature to sanitize user input. You will need to add this protection manually if any input will be used in HTML output. Apart from that, there are more and more Microsoft SharePoint deployment is also one of the factor.

Quite a lot of web programming feature lure the cyber attacker put their interest into software programming side (see below).

  • User-mode rootkits run in Ring 3, along with other applications as user, rather than low-level system processes. And therefore it does not require elevation of privileges.
  • A ring 0 rootkit in this instance would be a kernel mode driver (*.sys file) that also requires administrator privileges when installing.
  • Query parameter text is not checked before saving in user cookie NameValueCollection request = Request.QueryString
  • Adding cookies to the response Response.Cookies[“userName”] Value = request [“text”]

Here comes along with the cyber attack in continuous way.

Technical article for reference:

CVE-2019-6475 Bind 9 vulnerability

Preface: Existing internet service require DNS lookup function. See whether artificial intelligence world will be replaced this function?

Background: There are currently 13 root servers in operation. In order to avoid DNS request in high volume could not handle immediately. And therefore when requests are made for a certain root server, the request will be routed to the nearest mirror of that root server. The mirror zone feature is most often used to serve a local copy of the root zone. Mirror zones are a BIND feature allowing recursive servers to pre-cache zone data provided by other servers.

Vulnerability details: Found design flaw in BIND version 9.14.0 up to 9.14.6, and 9.15.0 up to 9.15.4. Found that attacker was able to insert themselves into the network path between a recursive server using a mirror zone and a root name server.
The attack method is that the hacker sniffs on the network.
Since DNS uses TCP for Zone transfer and UDP for name queries either regular (primary) or reverse.
When he receive the ports & sequence numbers (e.g., on-path attacker), attacker can inject data into any TCP connection.

An on-path attacker who manages to successfully exploit this vulnerability can replace the mirrored zone (usually the root) with data of their own choosing, effectively bypassing DNSSEC protection.

Official announcement

(CVE-2019-16919) VMware Cloud Foundation and VMware Harbor Container Registry for PCF address broken access control vulnerability 16th oct 2019

Preface: It seems that humans are hard to avoid living with robots and AI, because this is our destiny.

Background: VMware Harbor Registry is an enterprise-class registry server that stores and distributes container images. The release of Harbor 1.8 revealed a number of new features, including the ability to share Harbor with other registries. The design goal of Harbor, allows you to store and manage images for use with VMware Enterprise PKS. If you are a project admin, you can create a Robot Account for automated operations. The name will become robot$ and will be used to distinguish a robot account from a normal harbor user. Furthermore, robot account that allows Harbor to be integrated and used by automated systems, such as CI/CD (Continuous Integration / Delivery & Deployment) tools.

Vulnerability details: CVE-2019-16919 – Found that the original design of Harbor do not enforcing project permissions and scope during robot account creation via the Harbor API. As a result, a broken access control vulnerability in the API of Harbor may allow for unauthorized access to push/pull/modify images in an adjacent project. We predicted that attacker might have way to exploit this vulnerability to conduct the session hijack. For more detail, please refer to attach diagram for reference.

Official announcement – For more details, please refer to url

CVE-2019-14379 (Oracle Banking Platform & Oracle Financial Services Analytical Applications Infrastructure) – Oct 2019

Preface: Vendor vulnerability management program sometimes have doubt to public. They frequent ask, how to do the protection before patch release? Perhaps not require worry too much because zero-day vulnerabilities are go with us all the time.

Synopsis: On October 2019, Oracle has released its Critical Patch Update for October 2019 to address 219 vulnerabilities across multiple products. Perhaps FasterXML jackson-databind vulnerability bring my focus. Because this vulnerability was announced to public on August this year.

Vulnerability details: Banking finance business analyser will be familiar with OFSAA. OFSAA out of the box data models continue to be released as Erwin. But it supports Oracle SQL modeler for data model extensions.However the CVE-2019-14379 design weakness has been found on Oracle Banking Platform and Oracle Financial Services Analytical Applications Infrastructure. Data binding is useful for allowing user input to be dynamically bound to the domain model of an application (or whatever objects you use to process user input). in FasterXML jackson-databind before mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

What is Fasterxml Jackson Databind?
Contains basic mapper (conversion) functionality that allows for converting between regular streaming json content and Java objects (beans or Tree Model: support for both is via ObjectMapper class, as well as convenience methods included in JsonParser. For more details of oracle security advisory details, please refer to url:

Suspected that Podman-Varlink encounter Remote Code Execution – Under observation (14th Oct 2019)

Preface: Red Hat is investing in CRI-O and Podman. Meanwhile they are involved in the Open Container Initiative Standards Organization. The goal is to contribute and introduce drive innovation in their products, such as Red Hat OpenShift and Red Hat Enterprise Linux.

Background: Podman decide to provide a simple CLI for managing pods and containers. The design goal of Varlink aims to make services accessible to both humans and machines in the simplest feasible way. They described its product is an “interface description format and protocol”. It is just such another. Podman decided to build the Podman API based on varlink so users and developers can interact with Podman programmatically.

Design Synopsis: Podman relies on a Systemd feature called socket activation. Systemd allows developers to create socket unit files that tells systemd to listen on a particular socket like the unix domain socket “/run/io.projectatomic.podman”. When a process connects to this socket, systemd will launch the command specified in the service file with the same name. The launched command then handles the socket communications.

Vulnerability details: Depend on how Podman and Varlink are deployed, they can be susceptible to local and remote attacks. There are a few API bugs in Podman itself, as well as a way to execute arbitary commands if one can hit Podman via the Remote API. Running Podman with Varlink over tcp listening either on localhost or the network interface is the most vulnerable setup. For more details, please refer to diagram.

CVE-2019-17132 vBulletin through 5.5.4 mishandles custom avatars

Preface: vBulletin™ is the world leader in forum and community publishing software. Vbulletin messenger make use of AJAX-based chat functionality.The main benefit of developing websites using Ajax is to help web browsers retrieve more data without causing a Web page to refresh.

Vulnerability details: User input passed through the “data[extension]” and “data[filedata]” parameters to the “ajax/api/user/updateAvatar” endpoint. Vulnerability found that these input are not properly validated before being used to update users’ avatars.
Hacker relies above flaw do exploitation, inject and execute arbitrary PHP code.

Remark: Successful exploitation of this vulnerability requires the “Save Avatars as Files” option to be enabled (disabled by default).

How attacker detect web site install vBulletin system.

  • HTTP headers, including cookies
  • Design will insert unique Javascript code into web pages.
  • Detect meta tag within the html pages.

Remedy: patches available for the following versions of vBulletin Connect:

- 5.5.4 Patch Level 2
- 5.5.3 Patch Level 2
- 5.5.2 Patch Level 2

5g, where to go from here?

Preface: Why some people want everything fast. But when a man is having dinner with his girlfriend, he hopes that time will be slower.

5G communication background: In April 2008, NASA partnered with Geoff Brown and Machine-to-Machine Intelligence (M2Mi) Corp to develop 5G communications technology.
As times go by, On 3 April 2019, South Korea became the first country to adopt 5G.

Heard a lot of news of 5G technology. In additional to high speed and low latency. Can the 5G architecture be hacked?

5G is the first generation that was designed with virtualization and cloud-based technology. Nokia said building separate systems to meet future requirements and use cases of 5G was not an option, so the future network needed to be integrated and aligned with software-defined functions, cognitive technology to orchestrate it and distributed content and processing. 5G’s future rests on software-defined networking (SDN), whose main concept is to decouple the infrastructure of wireless networks from expensive, closed hardware and shift it to an intelligent software layer running on commodity hardware. However, software-defined functions are vulnerable to security threats as well. One of the most significant security risk factors is the possibility of a compromised SDN controller attack at the control plane layer. Due to the centralization design of the SDN, the SDN controller becomes the brain of the SDN architecture. Attackers can focus on compromising the SDN controller in an attempt to manipulate the entire network.

Perhaps above prediction was true. Samsung 5G Core NFs are cloud native NFs, which consist of container-based micro-services to enable flexible scaling and upgrade to meet telecom operators’ requirements. For more details, please refer below diagram.

Besides, 5G Service-Based Architecture (SBA) components consists of serveral components (Resource Controller, Subscription Manager, Policy Controller and Exposure Server). The interconnect in between packet core controller to above four different components could make use of HTTP/JSON. From security point of view , it is hard to forseen that this type of interconnection whether will encounter vulnerability in future.

On demand patch management in existing information technology world will be extend to 5G network in future.

Docker and Kubernetes become a main trend in technology world. Both products features can improve the redundancy and fault tolerance level of the system. And therefore it is hard to avoid the 5G services provider install similar architecture. APT attack and ransomware will wreak havoc with cyber world. In order to reduce the the zero-day of attack to Docker and Kubernetes environment. System hardening process and access control policy must be take in this place. So the 5G service based architecture system will be the new hacker target soon.

Summary: The above description is only cover a small part of the 5G network. Let us observe what will happen to the mobile communication world?

All users of iTerm2 should update immediately – Oct 2019

Preface: iTerm2 not the default Mac terminal

Vulnerability details: A vulnerability, identified as CVE-2019-9535, exists in the way that iTerm2 integrates with tmux’s control mode, which may allow an attacker to execute arbitrary commands by providing malicious output to the terminal. This affects versions of iTerm2 up to and including 3.3.5.

Technical background: iTerm2 with tmux integration since version 3.3.5. The powerful feature of Tmux is able to run tmux as the remote command argument to ssh. Meanwhile Tmux is a terminal multiplexer. Simply put, this allows you to split one terminal session into many.

Remedy: Developer take the following actions:

  • Use session number everywhere rather than session name
  • Do not poll tmux for the set-titles-string, status-left, and status-right and then request the values of the returned format strings.
  • Hex-encode options saved in the tmux server to make them unexploitable

Update iTerm2 to version 3.3.6, which includes mitigations against exploitation of this vulnerability.