Uncategorized

SSL or IPsec , where to go? Critical bug found by Cisco , but its effects might jeopardizing the IT world.

548 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/SSL-bug_zpslno4rp1z.jpg

Background Story:

POODLE attack exploit SSL 3.0 vulnerability found in late 2014, such vulnerability proven that hacker can take this vulnerability advantages execute man-in-the middle attack.

The original POODLE attack is CVE-2014-3566.
F5 Networks files CVE-2014-8730 proof POODLE attack also apply to transport layer security. Since the poodle side effects looks widely spread out, Payment card industry authority alerts and announce that they gives 14 months to merchants fix this high risk SSL problem. That means the appropriate way is replacing the SSL function (see below statement).

SSL and early TLS are not considered strong cryptography and cannot
be used as a security control after 30th June, 2016.  Prior to this date, existing
implementations that use SSL and/or early TLS must have a formal Risk Mitigation  and Migration Plan in place.  
Effective immediately, new implementations must not use SSL or early TLS.  
POS POI terminals (and the SSL/TLS termination points to which they connect)
that can be verified as not being susceptible to any known exploit
s for SSL and early TLS may continue using these as a security control after 30th June, 2016.

About the subject matter ( Cisco ASA software IKEv1 and IKEv2 buffer overflow vulnerability (CVE 2016-1287)

CVE 2016-1287 was published Feb this year, the founding was that hacker can make use of IKEv1 and IKE v2 vulnerabilities execute a fragmentation heap buffer overflow. The traditional  heap overflow is a form of buffer overflow. It happens when a chunk of memory is allocated to the heap and data is written to this memory without any bound checking being done on the data. Regarding to the information provided by Cisco, such vulnerability affected to Cisco ASA Software running on the following products.

  • Cisco ASA 5500 Series Adaptive Security Appliances
  • Cisco ASA 5500-X Series Next-Generation Firewalls
  • Cisco ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
  • Cisco ASA 1000V Cloud Firewall
  • Cisco Adaptive Security Virtual Appliance (ASAv)
  • Cisco Firepower 9300 ASA Security Module
  • Cisco ISA 3000 Industrial Security Appliance

But information supplement posted by Cisco bring to my attention. See below:

Cisco ASA Software is not affected by this vulnerability if the system is configured to terminate only the following VPN connections:
Clientless SSL
AnyConnect SSL

My understanding is that you can avoid such vulnerability occurs on Cisco products if you are using SSL 3.0 solution. But how about the PODDLE attacks? Besides, this buffer overflow on IKEv1 and IKEv2 looks not limit to Cisco brand name. May be it does not proof or found in the moment. As far as we know, firewall appliances operartion system build by Linux normally. The vendor hardening the OS and add their proprietary applications on top. If attacker can send crafted UDP packets to the affected CISCO products. Is there any possibilities engage similar attacks to other similar OS platform firewall?

Expert analysis on weakness of design

The IKE protocol uses UDP packets, usually on port 500, and generally requires 4–6 packets with 2–3 turn-around times to create an SA on both sides. The negotiated key material is then given to the IPsec stack. If an attacker can send crafted UDP packets to the related firewall products. It looks that similar vulnerability might occurs? The side effects looks serious. The following areas are vulnerable.

 

  • LAN-to-LAN IPsec VPN
  • Remote access VPN using the IPsec VPN client
  • Layer 2 Tunneling Protocol (L2TP)-over-IPsec VPN connections
  • IKEv2 AnyConnect

Expert solution:

(薑越老越辣) The older you get the more experienced you are,Chinese mantra said. The potential damage of this vulnerability was that both two entities (access control and VPN functions) are seat in the same box. If we define separation of functions might mitigate this risk. That is relocate the VPN feature to another box. Do you still remember that the Father of firewall (Checkpoint). Their Firewall design framework was that access control and  policy server are running in different boxes. The designer foresee that a single point of failure causes compromise of whole defence system. The cyber world atmosphere has been changed after Unified Threat Management appears in the world. As times go by, maybe new generation of firewall coming soon. Hardware are cheap today. Multi layer functions setup is the fashion cope with advanced cyber threats.

 

Cisco technical article in regards to CVE 2016-1278

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160210-asa-ike

PCI – standard : SSL and early TLS are not considered strong cryptography and cannot be used as a security control after 30th June, 2016. Please refer to attached document (PCI requirement 2.3 on page 5).

https://www.pcisecuritystandards.org/documents/Prioritized_Approach_for_PCI_DSS_v3-1.pdf

 

Uncategorized

Wide Angle Lens For DNC Hack (Part 1)

129 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/xtunnel_zpssmkaww5r.jpg

The headline news this week focus 2016 election of US president scandal.Just heard email leakage by Mrs. Hillary Clinton. The election in political world is a War instead of competition. This articles focus on unexplored information in DNC hack incident.

Findings by Invincea

The technical report provided the analytic that DNC hack incident caused by Trojan. Hackers modified end-of-life software product. The hacker injects Trojans and Malware functions into software. The software developed by China application vendor (Xten), it aimed to enhance voice stability operations in firewall environment. The software such a way involved unredressed injustice. Regarding to the report, hackers relies on Remote Access Trojan (RAT) technique sojurn to workstations belongs to Mrs. Hillary Clinton. The finger print shown that the hack group might belongs to APT 28. Regarding to the virus incident track records, the source IP address of this Trojan (Malware) came from 85.117.47.0/24.

How was it infect?

The infection method was that unsuspecting users manually executing unknown programs. Distribution channels include e-mail, malicious or hacked Web pages, Internet Relay Chat (IRC), peer-to-peer networks, etc.

Wide Angle Lens – invaded DNC

1st version of Trojan (born before 2010):

Check repository of virus database. The anti-virus vendor Symantec found this virus in 2010. His naming convention is “Generic Trojan”. However this Trojan (malware) headache Symantec more than 2 years. The problem was that antivirus program quarantine the execution file of Generic Trojan. The sterilize step is going to rename the original file name DWHwizrd.exe to DWHxxx.tmp. However Symantec customers found that virus alert message pop-up after Trojan quarantined. Symantec technical support provides many solution to client. But unfortunately problem still persists. The customer report that virus alert displayed on screen even though you delete all the temp files. Heard that problem was fixed in mid of 2012.

Why does hacker reuse this Trojan (malware) ?

Since China software house (Xten) created a family of SIP products based on their XTunnel protocol and run on top of windows. The benefits is that the software establish voice IP tunnel might mislead the technical staff and security administrator. They think she is using soft-phone! As usual traffic encrypted and therefore firewall can’t monitor. Or this is her personal computer, no nobody know what is happen?

Hacker relies of the software vulnerabilities re-issue next generation of Trojan.

The Xten software is a windows base open source tool and it is end of product life cycle. I believed that it is a easy way for hacker design a Trojan in short time. Since MD5 checksum different for new generation of Trojan. Therefore antivirus vendor may not aware until user report. But personally, I suspected that hackers might know the weakness of anti virus program install on target machine and custom made virus or trojan (malware). Symantec found the Trojan file name in 2010 is DWHwizard.exe. Invincea found the malicious file on victim workstation with naming convention vmupgradehelper.exe. It looks that anti-virus programs are able to detect this Trojan after 11th July 2016 (Hillary email leaks scandal open to public).

Doubts:

1. Since Xtunnel establish site to site connection. Mrs. Hillary Clinton works with US government at that time. It was confused that the defense mechanism in US government did not alert the victim workstation connect to APT 28?

2. Even though Mrs. Hillary Clinton not working in office. Do you think there is only one cyber defense program (antivirus) install on such important person workstation?

Headline News status update on 31st Jul 2016

http://www.nytimes.com/2016/07/30/world/europe/dnc-hack-russia.html?_r=0

Expert findings – so called Russian Xtunnel

https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/

 

Cell Phone (iPhone, Android, windows mobile)

Tragedy – Android bugs, should we wait or we should take pre-emptive action?

397 Comments

Hot topics within this week for sure that is the technical bugs found on Android. Sounds horrible! There are two patches is waiting for vendor to release however the patch release date is unknown.From users point of view, should we wait for the security patches or we should take the pre-emptive action?

Technical bugs information background:

CVE-2016-2059 found in Qualcomm kernel module

Description: The msm_ipc_router_bind_control_port function in net/ipc_router/ipc_router_core.c in the IPC router kernel module for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not verify that a port is a client port, which allows attackers to gain privileges or cause a denial of service (race condition and list corruption) by making many BIND_CONTROL_PORT ioctl calls.

CVE-2016-5340 presented in Qualcomm GPU driver

The is_ashmem_file function in drivers/staging/android/ashmem.c in a certain Qualcomm Innovation Center (QuIC) Android patch for the Linux kernel 3.x mishandles pointer validation within the KGSL Linux Graphics Module, which allows attackers to bypass intended access restrictions by using the /ashmem string as the dentry name.

What’s your risk?

1. The bigger risk right now are the users using non official OS version. In the sense that the jailbreak version is risky now!

2. Visits unknown website through email phishing or open unknown attachment are at risk.

In regards to these bugs, how attacker compromised your phone?

Found that engaged this so called high risk cyber attack must fulfill the following requirements.

i. Have root privileges on your Android phone.

ii. Relies on shared Memory (ashmem)

Category of attack Attack:

Category 1: How to receive root access premisson through privileges escaltion
Found the msm_ipc_router_bind_control_port() function does not check access privileges. An attacker can use the IPC Router of the CAF Linux kernel for MSM, in order to escalate his privileges.

Category 2: Relies on Shared memory (ashmem) design limitation

Android is designed to be used for resource limited embedded hardware. In order to maximize the memory resources. A system entity so called ashmem (anonymous shared memory) located at $AOSP/system/core which take care of the memory resources utilization. The operation of ashmem as simple as handling generic Linux file descriptor and . A file entry was created in the /dev/ashmem/. From technical point of view, it looks like a memory swap file of each process. However Ashmem allows processes which are not related by ancestry to share memory maps by name, which are cleaned up automatically.

Should we wait or we should take preemptive action?

Since CVE-2016-2059 and CVE-2016-5340 are the design limitation. It looks that the appropriate way is re-engineering the whole OS memory function. I speculated that may be this is the reason causes patch release date is unknown. As such, in the meantime Android users should take pre-emptive action (see below).

1. Do not jailbreak your android phone. If yes, the better idea is install the official OS version.

2. Verify your phone applications. Be aware the communication media software like WeCHAT, Whatsapp, Skype,…etc shall install updated version of software.

3. Avoid to visit online game zone and pornography web site.

4. Think it over before you open unknown email message

5. Think it over before your open unknown file attachment

For more details about these vulnerabilities. Please review below url for reference.

https://source.android.com/security/bulletin/2016-08-01.html

Status update on 11th Aug 2016

Sound strange! Found that the remediation and mitigation solution released by CodeAurora on Jul 2016. For instance CVE-2016-5340 (Invalid access to ashmem area in cases where someone deliberately set the dentry name to /ashmem)

Objective:
Validate ashmem memory with fops pointer

Solution:
Validate the ashmem memory entry against f_op pointer
rather then comparing its name with path of the dentry.

This is to avoid any invalid access to ashmem area in cases
where some one deliberately set the dentry name to /ashmem.

Comments:

It looks that the solution is available. In the meantime mobile phone users need to wait for the next action of their mobile phone vendor.

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

172 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-Cisco_zpszinq59nd.jpg

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Application Development

SOFTWARE DEVELOPMENT – Internet of Things (IoT)

216 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/App-dev_zpstuucqzml.jpg

Preface

The term BYOD first entered common use in 2009, BYOD conceptual idea looks go to another phase today. The internet of things (IoT) is the network of physical devices, vehicles, buildings and other items—embedded with electronics, software, sensors, actuators, and network connectivity that enable these objects to collect and exchange data. New products and new markets are being rapidly created base on software innovations. On the other hand, it bring out security concerns. This topic is going to provides the fundamental concept. On how,  application developers consider those factors (security in technology area).

Application development best practices

1. Avoid to combine new application into existing applications: large legacy software coding that are being reused and modified for current applications.

2. Security considerations : during software design cycle in regards to the buffer overflows, memory leaks, data protection (encryption), and other most common defects (Operating system and programmable interface software).

3. Application threat modeling:

  • Spoofing – Accessing and using another user’s authentication information.
  • Tampering –  Alteration of data as it flows over an open network.
  • Repudiation – Users denying the performance of an illegal action, in an environment where accountability can’t be identified.
  • Information Disclosure – Disclosing of information to individuals without access rights.
  • Denial of Service – DoS attacks against valid application users.
  • Elevation of Privilege – Unauthorised users gaining privileged access status.

4. Authentication: All authentication attempts should be logged, and repeatedly failed logins should trigger an account lock-out.

5. Access Control (least privilege model) – basic level of data access by default.

6. Input data validation: SQL injection and XSS are two of the most common application vulnerabilities. Define data validation scheme to avoid malicious data input.

7. Application session management: cookies need to be sanitised, and devoid of any sensitive information; and session IDs should be unique to each user, and randomly generated after successful authentication.

Any more, yes. stay tuned!

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Internet traffic governance by firewall (Great wall), what circumstances China still under external Cyber attack?

270 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/China-Firewall_zpsutjpv0vx.jpg

The surveillance program in China running in visible level. China government defined traffic monitoring scheme, the People live in China entitled to benefits of citizenship must accept this policy.A well known secret indicated that a giant (Great wall) monitoring the inbound and outbound internet traffic continuously. Sounds great! From technical point of view, workstation located in China is under government protection. The benefits is that overall hit rate with cyber attacks will become lower. We are not a politicians for not going to speculate the reason to establish this security facility. But it looks that there is no perfect defence mechanism in the world. The Internet Security Threat Report on June 2016 provides the following parameters.

Web sites for remote control

  • 3,637 foreign IP addresses through the backdoor arrived to the territory.
  • 6,618 websites encountered cyber attack causes hacker remote control.

Remark: Among them, foreign suspicious IP address is located mainly in the United States, China, Hong Kong and South Korea and other countries or regions.

  • Foreign countries IP address relies on backdoor might came from Russia . They are execute web server remote control. The total suspected IP addresses are 1,667.
  • Website implanted backdoors, ranks in high volume.
  • Besides, implanted backdoor attack IP address covered US and Hong Kong area. The total statistic are 1129 came from US and 808 came from Hong Kong.

Reference: Internet stats for 2016

China, as a country, has the most internet users; with an estimated 640 million internet users, the number of internet users in China is twice the number of the entire U.S population.

What’s the reason?

Major Factor:

1. Enterprise firm Site to Site VPN connection bypass Great Wall governance: If there is security weakness occurs in their server system and network backbone. Hackers are able to relies on those vulnerabilities of the system  activate the cyber attacks.

2. Remote Proxy services bypass Great Wall

A terminology so called internet censorship circumvention, the method is establish a encryption tunnel, the tunnel end point of connection is the foreign countries proxy gateway. It is a onion network, if one of the proxy server not in service, the proxy services application will search another available gateway.
Since the network datagram was encrypted by TLS/SSL. The version update in frequent. From certain point of view, great wall might not decrypt the network traffic and such a way let him go!

3. Layer 2 Tunneling Protocol (L2TP) bypass Great Wall

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one’s IP address, censorship circumvention, and geolocation. As far as I know, Great wall have capability to deny this network traffic.

4. Flaw found in ASN.1 compiler – for more details refer below url for reference.

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

China’s intelligence mobile phone has high growth rate. Since it is intelligence device, it is a mobile computing device. From technical point of view, it looks a workstation with Internet connection feature. China Mobile Phone Users reached 1.306 Billion in 2015. It is hard to guarantee 1.306 Billion mobile phone are compliance. That mean OS is the latest version, anti-virus installed with update pattern. To be honest it is not easy! With so many people dependent on mobile devices to communicate and work, mobile network security is more important than ever.

Additional information – SCMP regarding China Firewall

http://www.scmp.com/news/china/policies-politics/article/1922677/china-blocks-vpn-services-let-users-get-round-its-great

Any other? Is your turn to input. Be my guest!

System

Charting the undiscovered POS malware – Aug 2016 – Alerts

278 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/undiscovered-POS-malware_zpsiae2pzht.jpg

Have you heard RawPOS technical term? In short, it is a Windows based malware family that targets payment card data including Retail, Hospitality and Casinos.

The undiscovered POS malware – High Level review (Found Aug 2016)

Specifications:

  • Associated with files psrmon.exe and oobentfy.exe – psrmon.exe manipulating the data encryption process. Copies following files to temp folder.

Console.dll,Cwd.dll,mro.dll,API.dll,List.dll,Fcntl.dll,B.dll,p2x5124.dll,re.dll,OLE.dll,POSIX.dll,
File.dll,IO.dll,MD5.dll,Win32.dll,Process.dll,Dumper.dll,Util.dll,Base64.dll,Registry.dll

  • Associated with files hdmsvc.exe and oobentfy.exe – Named Pipe Vulnerabilities (C:\DosDevices\pipe\pipe\net\NtControlPipe10), discoveries in manipulating the \DosDevices object directory that also lead to privilege escalation.

Program “oobentfy.exe” is the major body (this is the Memory scanning portion of the malware).

Scenario replay

1. Malware will create a memory dump folder (sample shown as below):

C:\DOCUME~1\User\LOCALS~1\Temp\memdump

2. The program will monitor the memdump folder (C:\DOCUME~1\User\LOCALS~1\Temp\memdump). Memdump folder contains plain text credit card data.

3. Credit card data will then be encrypted and placed in a file.

Regarding to the analysis, it is a three-part RawPOS process to infect a system. Additionally, found that this malware relies on Perl Source code.

Malware structure in depth

Merchant Levels & POS system workflow architecture

Current status:

As of today(6th Aug 2016), it looks that no AV engines recognize the hash for the persistence mechanism as a threat.

Anyway, will keep you posted if there is anything updating.

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard)

The important thing is to never stop questioning (Albert Einstein)

225 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/sat-China_zpsfc8frkuz.jpg

The important thing is to never stop questioning, said Dr. Einstein. View the breaking news today.China has launched the world’s first quantum communications satellite into orbit. Watch TV News program noticed that a group of scientist find a way apply the quantum physics to traditional cryptography replacing RSA cryptosystem. The testing go to final stage in 2015. Competitions everywhere today including employees, business partners, countries. Life is not easy! World looks demanding now! Let’s review in short form in regards to RSA cryptosystem weakness.

RSA cryptosystem weakness:

  • The RSA cryptosystem can be very weak if you do not choose your primes carefully.
  • If the two corresponding ciphertexts are intercepted.
  • If you send the same message to more people with the same RSA encryption exponent e , then the plaintext can always be obtained easily from the intercepted ciphertexts.

Quantum Cryptography benefits:

  • Quantum entanglement – particles can share the same quantum state irrespective of their spatial distance from each other. The entanglement state discard when parameters change.
  • Quantum cryptography would be used in practice to produce one time pads that could be used to securely encrypt any message.

What is the key factors (built a quantum communications satellite):

Avoid eavesdropping – Being monitored

Cyber attack – Being attacked by hackers

Questioning about unknown factors?

In what Layer of the Earth’s Atmosphere install this satellite?

Answer: Exosphere – up to 10,000 km above the Earth

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/orbit-v4_zpsgkk97mbq.gif

Is there any external interfere to this layer? For instance, SUNSPOT & X-rays?

It was protected by atmosphere. Atoms are no longer gravitationally bound to the Earth and get knocked away by solar wind. As such, without interference caused by Sunspot suspend the network communications. (Remark: Satellite interfere by sunspot periodically. The result is that the satellite will lost electronic communications in short period of time.)

Does it compatible with mobile phone?

Yes, it is compatible with 4G mobile network and provides hack proof communication channel. I believed that it achieves independence from the use of fixed line or existing mobile networks through super fast Ka-band satellite backhaul.

The objective is that avoid eavesdropping on mobile phone. For instance, NSA tapped Angela Merkel’s mobile phone. The scandal expose to public in 2014.

Germany opens inquiry into claims NSA tapped Angela Merkel’s phone

https://www.theguardian.com/world/2014/jun/04/germany-inquiry-nsa-tapping-angela-merkel-phone

Interim summary:

The space of technology development is to infinite. But like Dr Einstein said, the important thing is to never stop questioning.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/questioning_zpsyrbxvutm.jpg

Network (Protocol, Topology & Standard)

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

35 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/SS7-ASN1-Flaw_zpslcpchclx.jpg

Preface

People might questions leonardo Da Vinci if he still alive. Why did he choose this woman became mona lisa? Since nobody could explain on behalf of him. But strongly believe that this is the original design.

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. On the other hand, the culture of modern world relies on electronic communications system. Therefore network communication protocol especially TCP/IP protocol and Signaling System 7 are the major elements in nowadays world.

Recall historical data of specific elements (quick & dirty)

1. ASN.1

Originally defined in 1984 as part of CCITT X.409:1984

Design objective:

i. Overcome how different computer systems transmit data
ii. Model parameters exchanged between application entities

 

2. Signalling System 7

It was developed in 1975

Design objective

i. SS7 controls telephone calls, both wired and wireless, through the use of a control signal that is separate from the actual voice circuit.

ii. It allows phone networks to exchange the information needed for passing calls and text messages between each other.

3. TCP/IP version 4

The first version of this predecessor of modern TCP was written in 1973

Design objective

i. A set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over networks.

ii. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination.

Flaws found as of today

TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/ninja-anima-ver2_zpsoonzpftm.gif

Interim solution apply to Linux environment

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. Append the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Use “sysctl -p” to activate this feature

Flaw found in ASN.1 compiler

For more details, please see below:

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

Interim solution: unavailable

Current status: The extent of the vulnerability has yet to be determined, IT folks this vulnerability looks critical. It is hard to imagine what’s the impact at this moment. We keep our eyes open see whether a remediation will be announced by the telecommunication providers?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

Interim solution

Mobile phone network services provider has employed security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access.

For additional information details, please refer below:

SS7 hack explained: what can you do about it?

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/OSI-vs-SS7_zpsk76izco4.gif

How to protect your IT premises in regards to above flaws?

For weakness of TCP/IP protocol, the IP version 6 able to resolve design limitation of sequence number. In the long run, it is recommend IT team get rid of IP version 4. However the truth is that v4 and v6 are mixed mode in nowadays IT world.

The most headache topics are the ANS.1 complier flaw and Signalling system 7 vulnerability. For SS7 vulnerability, since those item of works (remediation and mitigation) are relies on Telecommunication service providers. Mobile phone network services provider employing security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access. For text messages, avoiding using SMS. As far as we know, whatsapp communication is being encrypted today!

How’s the status of ASN.1 compiler right now?

About SS7 vulnerability information update:

Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. For more details. Please refer to url below:

http://company.nokia.com/en/news/press-releases/2015/09/03/nokia-networks-safeguards-network-operations-with-two-new-security-launches-networksperform

About  SS7 vulnerability incident found and reported by German newspaper media on May 2017:

German newspaper (Süddeutsche Zeitung) reported that that hackers relied on SS7 attacks flaw as a backdoor. The vulnerability allow bypass two-factor authentication (2FA) systems to conduct unauthorized wire transfers.

http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

 

System

Possibility – scenario replay (implant Rootkit on BIOS causes ATM machine crazy)

415 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/ATM-incident-2016-2_zpsfsy7w6om.jpg

The troubleshooting concept ideally that bring up hypothesis boldly while prove it conscientiously and carefully. Similar concept can apply to cyber incident investigation. Found that a security vulnerability found by security researcher Christopher Domas. The Intel chips design limitation is that vulnerability exists in the Advanced Programmable Interrupt Controller (APIC), which could allow an attack against the System. The management mode (SMM) memory area used by the operating system to interface with the boot environment like BIOS, EFI, or UEFI. An attacker can exploit this vulnerability to utilize the most privileged of execution modes and potentially overwrite secure features in the boot environment. Christopher Domas exploit uses the UEFI code features to install a rootkit sucessful during his POC in Black Hat conference. From techincal point of view, this is indeed a design limitation in CPU, it looks that we are not able to using 0x06000832 memory address. Notice that a new microcode patch is going to remediate this design limitation. The hacker implant rootkit to ATM system through malware infection through CPU design bug is a possible. The remaining issue is that how to execute infection to hundreds of ATM machines. The headline news did not provide the detail, if the investigator confirm all the ATM machines are compromised. We can speculate that the malware source might hidden in their SNA server farm or internal network. The Mainframe connectivity methodology from traditional by hardware controller integrate to LU 6.2 (APPN). The Cisco network products and specifics technology DLSW (Data Link Switch) can cope with Mainframe switch major node architecture. Thereby it is hard to say that ATM machine infrastructure is running in isolate network nowadays.

For more detail about memory sinkhole attack, please refer to below URL

http://www8.hp.com/us/en/intel-processor-memory-sinkhole.html

For details about related articles, please refer to below URL for reference.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/ATM-attack-2016_zpsfgixgzi9.jpg

Digital world – digital dinosaur attack Taiwan ATM machine (crooks stolen estimated T$70m (US $2.2m))

The most hottest cyber attack topics happened last week. Yes, a DDOS attack occurred on HSBC UK and US web portals. But the crooks jailbreak ATM machines in Taiwan looks more attractive. Sound amazing, traditional ATM machines communication link run on private network (Frame relay or ATM OC3). It is indeed real time transaction process working with back end Mainframe system. From security point of view, the media type of connection is restricted and such a way reduces the risks on cyber attack and virus infection. Recall ATM incident occured in 2009. Russian nationality hackers found the vulnerabilities on ATM vendor side (DIEBOLD). They develop malware form attack implant to ATM system DLL file (Dbddev.dll). It looks impossible that infect of the ATM machine with malicious program to steal credit card details and PINs. But the hackers looks great, they can hooks the ATM system process successfully and gain the privileges. ThisTrojans as Troj/Skimer-A.

How was today? The digital dinosaur attack Taiwan ATM machine, crooks stole an estimated T$70m (US $2.2m).

The ATM incident happened in Taiwan banking system not belongs to DIEBOLD. They were made by German manufacturer Wincor Nixdorf. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. Sound strange! Right?

Virtual realityReflections:

1. Without insertion of ATM Card can draw the cash

Possible causes: ATM machine operation system from earlier generation of IBM OS/2 migrate to windows OS platform. Is there any vulnerabilities occurs on window OS side. A critical security flaw announced by Microsoft last week, a printer spooler bug causes privileges escalation or MS16-087 for short.

2. The video playback shown that hackers steal the money from from ATM machines might relies on their smart phone. 

All ATM machines will go through backbone SNA gateway connected to backend system (Mainframe). From IT architecture point of view, SNA gateway located in data center sever farm. There is possibilities encounter malware infection during windows update processes. For example, do the DNS cache poisoning to return an incorrect IP address, diverting traffic to the counterfeit web site.

3. Well known OS platform

Windows based OS platform not difficult to implant a root kit to gain the control of the system. Hacker can through many channel to achieve their goal. For example, they will find the target person and company by SCAM mail. They can jump into the internal network and compromise the system when target person (victim) fall into their trap (compromised web site).

For more details about this incident, please refer to below URL:

http://www.ibtimes.co.uk/banks-across-taiwan-high-alert-suspected-russian-criminals-use-atm-malware-steal-millions-1570185

Additional information:

Wincor-Nixdorf’s product catalog gives insight into the operating systems its ATMs currently support.

The ProCash 280 lists its compatible software as Windows XP Professional SP3, Windows POSReady 2009 and Windows 7.

antihackingonline.com