Existing encryption schemes look to have room for improvement – X.931 security breach

The implementation of existing encryption schemes looks to have room for improvement. Another bug has been found in X.931. It looks as though the vulnerabilities found in encryption mechanisms over the last few months reveal a bottleneck in the IT environment. Can you still remember the alert from our hero Edward Snowden? He told us that cyber espionage groups or governments will rely on a backdoor in a device or application to execute their tasks. A scandal revealed that a security vendor used a weak crypto scheme that benefits the NSA in order to receive a government contract. Perhaps we did not focus on the encryption mechanism because we believed that we are secure once we implement it. However, the design limitation is the cache, no matter whether it is hardware or software. Hackers rely on a temporary cache to retrieve the SSL key and then execute a man-in-the-middle attack in antivirus software. A private key found on a chipset put more than a million mobile devices in a security breach. In my imagination of a conspiracy theory, it looks as though hero Snowden and WikiLeaks revealed how the NSA runs its surveillance program. Since the secrets are exposed, they are not going to be used anymore. As a result, more and more scandals or unknown bugs will be opened to the public. The URL below provides hints for your reference.

https://threatpost.com/duhk-attack-exposes-gaps-in-fips-certification/128582/

RTOS (real-time operating system) is under attack. Do you think it is the 2nd round of tests?

The term IoT (Internet of Things) looks like a messy transformation of a specific definition. The suitable criterion for defining an IoT component is that the device demands that data be processed without buffering delays. If you are in the habit of reading technology posts daily, you will know that an IT security vendor (Check Point) alerted the world that a new IoT botnet is going to jeopardize the world. The case is still under their investigation. My personal opinion is that the specific attacks focus on RTOS (real-time operating systems), for instance web cams, routers and smart city facilities. I strongly believe that Microsoft is not the major target, since RTOS devices have large coverage on simplified Linux-based OS platforms. Keep your eyes open: you might see that the Reaper IoT attack relies on Shellshock vulnerabilities and brute-force attacks. In addition, if a device has vulnerabilities in the kernel, the malicious code will rely on them. The URL below provides the details in this regard. We have more and more electronic computing devices supporting our daily life. For a hostile country, engaging in an attack to suspend the daily operations of the enemy looks better than a bomb or a military threat.

https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/

INFINEON chip design flaw – not vulnerable in ECC, flaw only encountered in RSA

Bitcoin technology looks lucky this round, since the INFINEON chip design flaw does not affect ECC (Elliptic Curve Cryptography); the flaw is only encountered in RSA.

Vulnerability

The flaw resides in the Infineon-developed RSA Library version v1.02.013. A design weakness has been found. A vulnerability in an implementation of RSA Key Generation could allow private encryption key disclosure.

This vulnerability affects any products using the affected code library “RSA Library version v1.02.013” developed by Infineon Technologies. Keys generated with smartcards or embedded devices using the Infineon library are vulnerable, as well as devices certified by NIST FIPS 140-2 and CC EAL 5+.

Queries about this vulnerability – in regard to the so-called security regulatory standards

It is hard to believe, given the tough and harsh security requirements issued by NIST (FIPS 140-2) and Common Criteria, but the certified products are also victims.

Do you think there is a verification and identification gap between hardware vendors and security authorities, and that this is why such an embarrassing situation happened today?

Known affected areas:

Government:

Component: Smartcards (manufacturers using Infineon smartcard chips and TPMs)

Businesses: 

Component: Smartcards and IoT devices (manufacturers using Infineon smartcard chips and TPMs)

Home Users:

Component: IoT (manufacturers using Infineon smartcard chips and TPMs)

Vendor announcement:

Laptops and mobile devices use Trusted Platform Module (TPM) hardware chips with the affected encryption key code library, for instance those from Google, Microsoft, HP, Lenovo and Fujitsu. They claimed that they have patched their respective software.

Reference:

Should you be interested in the related topic, please refer to the URL below.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361

WPA2 vulnerability found. But online banking customers should not be shocked.

WPA2 vulnerability found, but online banking customers should not be shocked. Take it easy. The WPA2 wireless encryption scheme looked secure before this specific vulnerability occurred. Security experts found that a hacker is able to rely on the 3rd handshake to perform an injection which causes a man-in-the-middle attack. As a result, your wireless network data traffic will be hunted by the hacker. The data includes online banking credentials, social media credentials, etc. But think it over: the SSL tunnel end point of the online banking web application sits on your mobile. The hacker must install the web server SSL public PKI key certificate in the 1st phase, otherwise he cannot view the data embedded in the traffic pattern. Perhaps the hacker has already installed the public cert. However, an HSM will protect your password on the online banking system, since the password will be shown as random code which the hacker cannot reuse. How about the VISA 3D Secure method? You will finally receive an SMS alert of your payment transactions, which you can verify yourself. For more detail about the WPA2 vulnerability, please refer to the URL below.

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

How will it affect the cyber world – a scandal from Microsoft

Reuters interviewed former Microsoft employees. The scandal disclosed by the former employees was that Microsoft responded quietly after detecting a secret database hack in 2013. It looks as though this is an official commercial tactic. I am not surprised that hackers rely on known bugs in a vendor's bug-tracking database to formulate a new generation of viruses. Believe it or not, we have seen this virus already. We all know that the development of the 1st version of ransomware relied on a Microsoft bug which was found by the United States National Security Agency. The scandal happened this month. We will have more and more news updates afterwards. For more details about the journalists' interviews, please see the URL below.

Reminder: Oct 2000 – Microsoft admits that its corporate network has been hacked and source code for future windows products has been seen. Hacker suspected to be from St. Petersburg.

https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0

 

Potential risk of CVE-2017-15265

CVE-2017-15265, found on Linux, causes privilege escalation. Cisco experts found that the vulnerability is due to a use-after-free memory error in ALSA. The ALSA framework is designed for audio functions. However, Android and IoT devices deploy the ALSA framework on demand. Cisco does not have sound on its routers, network switches, IDS and firewall devices. However, a hacker is able to use this vulnerability on all Linux OS platforms. No one can say this is only a critical incident. This design weakness is jeopardizing the IT world. Keep your eyes open. Perhaps there are ongoing cyber attacks or data leakage cases that rely on this design weakness to infiltrate victim devices, but we have not found them yet! For details of this vulnerability, Cisco provides its findings. Please refer to the URL below.

https://tools.cisco.com/security/center/viewAlert.x?alertId=55599

 

The art of cyberwar – Internet of things (IoT)

Preface:

The Art of War (孫子兵法) was written by Sun Tzu. It is an ancient Chinese military treatise dating from the Spring and Autumn period in the 5th century BC. The work, which is attributed to the ancient Chinese military strategist Sun Tzu, is composed of 13 chapters. Perhaps the art of cyberwar does not have an author. It is created by artificial intelligence.

The art of cyberwar first chapter (IoT Operating System)

The foundation of the Open Systems Interconnection (OSI) model strengthened the technology world. A common standard categorized software applications, network protocols, network communications and hardware. Perhaps the standard was founded in 1983; however, it did not become mature until the early 90's.

Obviously the situation of the Internet of Things (IoT) has certain similarities with the technology world of the 80's, since in that period vendors did not intend to enforce the OSI model standard.

The Internet of Things presents a new set of data storage. Meanwhile, it creates cyber security challenges. First, there is large-file data, such as images and videos captured from smartphones and other devices. The second data type is very small, for example log-file data generated from sensors. The operating system will be embedded on a flash drive and SD RAM. Be my guest, let's take a closer look at popular IoT operating systems.

The art of cyberwar 2nd chapter

What are the parameters for selecting a suitable IoT operating system?

Yes, they are the memory requirement and the OS footprint.

The art of cyberwar 3rd chapter

Due to the design limitations of free disk space and API library, the types of cyber attack are limited.

The art of cyberwar 4th chapter

IoT Jeopardize the world records (see below):

The art of cyberwar 5th chapter

This chapter looks straightforward. A common standard is waiting for all of you, especially software developers and vendors, to define!

Not a sophisticated technique, but it found its way to compromise ATM Windows OS machines

Preface:

Not pulp fiction! Kaspersky Lab found that the latest generation of malware focused on bank ATM attacks operates in a lightweight and simple way. But we know that ATM machines have hardened connectivity. Maybe you will be interested: in what way is the machine compromised?

Introduction to Bank ATM malware types (malware found since 2015)

i. Rufus – a malicious code used to clean out ATMs running outdated Windows XP software across states.

ii. GreenDispenser – GreenDispenser attempts to query the Microsoft Windows registry location (see below) to find the peripheral name for the cash dispenser.

“HKEY_USERS\.DEFAULT\XFS\LOGICAL_SERVICES\class=CDM”

The malware will make a call to WFSExecute with the command set to “WFS_CMD_CDM_DISPENSE” and a timeout of 12000 to dispense cash (see above picture). GreenDispenser is capable of executing sdelete to remove itself from the ATM.

iii. Ploutus – Ploutus enabled criminals to empty ATMs using either an external keyboard attached to the machine or via SMS message. It could run on ATMs running the Windows 10, Windows 8, Windows 7 and XP operating systems. The attack aims to control Diebold ATMs.

iv. SUCEFUL – The SUCEFUL malware is designed to attack Diebold and NCR ATM machines. The malicious code is capable of the following:

  1. Reading data from the chip of the card
  2. Control of the malware via ATM PIN pad
  3. Suppressing ATM sensors to avoid detection

v. Skimer – Skimer was distributed extensively between 2010 and 2013. Its appearance resulted in a drastic increase in the number of attacks against ATMs, with up to nine different malware families identified by Kaspersky Lab. The criminal (Skimer) group uses social engineering techniques to implant malware in the ATM system through physical access, or via the bank’s internal network.

Another way to make a machine vulnerable, especially the Windows operating system

 

  • Infection through phishing, malware embedded in an MS Word document, downloading a malware-infected file, or visiting a compromised website.
  • Try to infect a server, especially the WSUS server
  • Compromise ATM machines through software patch management and ATM application software updates
  • ATM Windows operating system compromised
  • As a result, the ATM machine might go crazy!

 

Protect Yourself:

It is better to use the ATM machine inside of a bank lobby.

Reference:

Should you be interested in more detail, please read the details below.

ATM thieves are all in jail. Can you tell me that bank ATM environments are safe now?

Do you think Kaspersky is a Scapegoat?

Preface

U.S. Orders Federal Agencies to Remove Kaspersky Software Over Security Concerns!

https://www.wsj.com/articles/u-s-orders-federal-agencies-to-remove-kaspersky-software-over-security-concerns-1505337484

Discussion topics – Do you think Kaspersky is a Scapegoat?

Headline news said that Eugene Kaspersky was trained by the former USSR KGB. For some potential reason, it is predicted that his antivirus product is designed to collect private computer data and thus carry out surveillance activities. My personal opinion is that the defendant, Kaspersky, might not have engaged in such treasonous activities. My standpoints are shown below:

Allegation that their design mechanism is similar to a Russian proxy

The details below are highlights of what the US government investigation team wrote in the incident report.

US investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.

My bold hypothesis to object to the above speculations

We know that well-known names such as Symantec, McAfee and AVG may contain inherent risks, letting hackers and criminals secretly access your PC. What inherent risks will be encountered? Let’s take a quick closer look to see whether you can find hints in this regard.

I. Design limitation and defense mechanism

a. Vulnerability (Design limitation)

For instance, multiple vulnerabilities were found in Symantec anti-virus products by a Google researcher. The flaws affected both Mac and Windows PCs, and could be triggered simply by emailing a file to someone or sending them a link to a malicious website. The historical records are displayed below:

May 2016 – Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 (see below url for reference)

https://bugs.chromium.org/p/project-zero/issues/detail?id=820

Jan 2017 – Google Security Researcher Finds Serious Vulnerability In Kaspersky’s TLS Interception Tool

A hacker wants to intercept mail.google.com traffic, for which the 32-bit key is 0xdeadbeef.
Step 1: The hacker sends you the real leaf certificate for mail.google.com, which Kaspersky validates and then generates its own certificate and key for.
Step 2: On the next connection, the hacker sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (let's say Scapegoat.com).
Step 3: Now the hacker redirects DNS for mail.google.com to Scapegoat.com, Kaspersky starts using its cached certificate and the attacker has complete control of mail.google.com.
Step 4: The vulnerability occurs.
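
Why a 32-bit cache key is too small, as an added example that is not code from Kaspersky or from the original report: a toy interception cache is run once with a 32-bit key and once with a full fingerprint. The certificate records, the host names mail.example and scapegoat.example, and the use of truncated SHA-256 as the 32-bit key are all assumptions made for the illustration; the colliding pair is found by a short birthday search over the constructed records.

```python
import hashlib
from itertools import count


def make_cert(common_name: str, serial: int) -> bytes:
    """Constructed stand-in for a certificate: a name plus a serial number."""
    return f"CN={common_name};serial={serial}".encode()


def common_name(cert: bytes) -> str:
    return cert.decode().split(";")[0][len("CN="):]


def weak_key(cert: bytes) -> bytes:
    """32-bit cache key, as in the flawed design (truncated SHA-256 is assumed)."""
    return hashlib.sha256(cert).digest()[:4]


def strong_key(cert: bytes) -> bytes:
    """Full 256-bit fingerprint: collisions are not practical to find."""
    return hashlib.sha256(cert).digest()


class InterceptingProxy:
    """Toy model of a TLS-inspecting product that caches the leaf it minted."""

    def __init__(self, key_fn):
        self.key_fn = key_fn
        self.cache = {}  # cache key -> leaf minted for a previously validated host

    def handle(self, requested_host: str, upstream_cert: bytes):
        """Return the leaf shown to the browser, or None if the connection is refused."""
        key = self.key_fn(upstream_cert)
        if key in self.cache:
            # Cache hit: name validation is skipped and the stored leaf is reused.
            return self.cache[key]
        if common_name(upstream_cert) != requested_host:
            return None  # cache miss: full validation catches the wrong name
        self.cache[key] = f"minted-leaf-for:{requested_host}"
        return self.cache[key]


def find_colliding_pair(name_a: str, name_b: str):
    """Birthday search: one record per name whose 32-bit keys are equal."""
    seen_a, seen_b = {}, {}
    for serial in count():
        cert_a, cert_b = make_cert(name_a, serial), make_cert(name_b, serial)
        key_a, key_b = weak_key(cert_a), weak_key(cert_b)
        seen_a[key_a] = cert_a
        seen_b[key_b] = cert_b
        if key_a in seen_b:
            return cert_a, seen_b[key_a]
        if key_b in seen_a:
            return seen_a[key_b], cert_b


def compare_designs(host="mail.example", other="scapegoat.example"):
    genuine, colliding = find_colliding_pair(host, other)
    results = {}
    for label, key_fn in (("32-bit key", weak_key), ("full fingerprint", strong_key)):
        proxy = InterceptingProxy(key_fn)
        proxy.handle(host, genuine)                      # step 1: genuine cert is cached
        results[label] = proxy.handle(host, colliding)   # steps 2-3: other cert, same host
    return genuine, colliding, results


if __name__ == "__main__":
    genuine, colliding, results = compare_designs()
    print(genuine, colliding)
    for label, leaf in results.items():
        print(f"{label:17} -> {leaf}")
```

With the 32-bit key the second certificate is served the leaf minted for the first host; with the full fingerprint the lookup misses, validation runs again and the connection is refused.
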
b. Defense mechanism

There is a kernel hook method, the so-called kernel hook bypassing engine.

Features:

  • An attacker can use the system call instruction directly without calling the Windows API
  • Malicious code can be passed to the antivirus through the hooked functions for analysis, and it then bypasses the security checks.

To prevent this kind of rootkit or antivirus bypass incident, an anti-virus manufacturer had better stand in front of any boot loader process. It will therefore use a so-called improper hook technique to govern the overall activities. As a result, the antivirus program, including the built-in IDP and malware detector, will receive more privileges. From a technical point of view, it is not possible to do this if the anti-virus itself does not hook into all core kernel processes.

This is the major concern of many information security experts. But be reminded that Kaspersky is not the only one to make such a design feature. Other anti-virus vendors use the same design mechanism.

Under the general principle of the common law system, the benefit of the doubt goes to the defendant.

II. The company is not loyal to Russia in regard to its past cyber detection behavior

a. Detection of Russia area APT activities

The above APT Trends report Q2 2017 statistics diagram was issued by Kaspersky. We did not see the company intending to hide cyber security attacks originating from the Russian area. Meanwhile, the report highlights that the second quarter of 2017 saw multiple incidents involving Russian-speaking threat actors. Topping the list of ‘attention grabbers’ were the Sofacy and Turla threat actors. Should you be interested, please feel free to review the report at the URL below.

https://securelist.com/apt-trends-report-q2-2017/79332/

b. Russia arrests top cyber security expert amid allegations of treason

There is no need for me to elaborate on this matter; for more detail please refer to the headline news below, posted by telegraph.co.uk.

Russia arrests Kaspersky cyber security expert amid allegations of treason

http://www.telegraph.co.uk/news/2017/01/25/russia-arrests-top-cyber-security-expert-amid-allegations-treason/

Summary:

I cannot guarantee that my observation is not a false positive (incorrect) on this matter; however, the above items of evidence make it look as though the company is a scapegoat!

 

I am a Microsoft OS. I just wonder why I was hacked even though I have a protective system.

Preface:

A simple question was asked by the kernel: why was I hacked even though I have a comprehensive protective system?

Background:

The Windows operating system development team fully understands that relying on market anti-virus products might not protect their core OS significantly, since computer users do not only use Microsoft's word processing application. They allow 3rd party application vendors to run on top of their operating system.
They have provided security defense mechanisms to 3rd party software developers on their OS products since 2002. Such advanced protective mechanisms also apply to Windows XP SP2 and Windows Server 2003.

Introduction – Microsoft Comprehensive protective system for 3rd party application development (cookbook)

Top 3 protection features overview

Stack buffer overrun detection

The detection capability was introduced to the C/C++ compiler in Visual Studio .NET. The /GS switch only inserts checks into functions that it “recognizes as subject to buffer overrun problems”.

Mitigation scheme – add the instruction below to a commonly used header file to increase the number of functions protected by /GS:

#pragma strict_gs_check(on)

Preventing the SEH Overwrites with SEHOP

Structured Exception Handling (SEH) is a Windows mechanism for handling both hardware and software exceptions consistently. In many cases, an attacker will choose to overwrite the exception handler function pointer with an address that contains instructions that are equivalent to a pop reg, pop reg, ret. This allows an attacker to reliably execute arbitrary code by transferring control to the EstablisherFrame that the exception dispatcher passes as the second parameter when calling an exception handler. (see below diagram for reference)

Remark: The SEH overwrite technique uses a software vulnerability to execute arbitrary code by abusing the 32-bit exception dispatching facilities provided by Windows.

Mitigation scheme:

Adding dynamic checks to the exception dispatcher that do not rely on having metadata derived from a binary. This is the approach taken by SEHOP. SEHOP achieves this functionality in two distinct steps.

  1. Insertion of a symbolic exception registration record as the tail record in a thread’s exception handler list.
  2. Ensure that the symbolic record can be reached and that it is valid.
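
The two steps above, modelled as an added example (this is not Microsoft's code): a thread's exception handler list is represented as a dictionary of records, the symbolic record is installed at the tail, and dispatch is allowed only if a walk from the head reaches it. All addresses are constructed, and the stack-bounds, alignment and handler-location checks are assumptions of this model that go beyond the two steps listed.

```python
from dataclasses import dataclass

# Constructed 32-bit layout for the model; none of these addresses come from a real process.
STACK_LOW, STACK_HIGH = 0x0012_0000, 0x0013_0000
SYMBOLIC_HANDLER = 0x7790_1000     # handler of the symbolic tail record
END_OF_CHAIN = 0xFFFF_FFFF         # Next value that terminates the list


@dataclass
class Registration:
    next: int      # address of the next registration record
    handler: int   # address of the exception handler function


def install_symbolic_record(memory: dict, tail_addr: int) -> None:
    """Step 1: place the symbolic record at the tail of the thread's list."""
    memory[tail_addr] = Registration(END_OF_CHAIN, SYMBOLIC_HANDLER)


def chain_reaches_symbolic_record(memory: dict, head: int) -> bool:
    """Step 2: walk the list; dispatch is allowed only if it ends at the symbolic record."""
    visited = set()
    addr = head
    while addr not in visited:
        visited.add(addr)
        in_stack = STACK_LOW <= addr < STACK_HIGH
        if not in_stack or addr % 4 or addr not in memory:
            return False            # record outside the stack, misaligned or unreadable
        record = memory[addr]
        if STACK_LOW <= record.handler < STACK_HIGH:
            return False            # handler pointing into the stack
        if record.next == END_OF_CHAIN:
            return record.handler == SYMBOLIC_HANDLER
        addr = record.next
    return False                    # the list loops and never reaches the tail


def sample_chains():
    """Three constructed thread states: intact, overwritten record, missing tail."""
    intact = {
        0x0012_FF00: Registration(0x0012_FF40, 0x0040_1500),
        0x0012_FF40: Registration(0x0012_FFE0, 0x0040_1800),
    }
    install_symbolic_record(intact, 0x0012_FFE0)

    overwritten = dict(intact)
    # A stack overrun has replaced both fields of the first record with
    # constructed junk values, so its Next no longer leads to the tail.
    overwritten[0x0012_FF00] = Registration(0x4141_4141, 0x1000_2000)

    no_tail = dict(intact)
    no_tail[0x0012_FFE0] = Registration(END_OF_CHAIN, 0x0040_1A00)
    return {"intact": intact, "overwritten": overwritten, "no_tail": no_tail}


def validate_samples(head=0x0012_FF00):
    return {name: chain_reaches_symbolic_record(mem, head)
            for name, mem in sample_chains().items()}
```

Only the intact list passes; the check needs no per-binary metadata, which is the property the mitigation scheme above relies on.
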

The diagram below illustrates this logic:

 

Address space layout randomization (ASLR)

Address Space Layout Randomisation (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. By default, Windows Vista and later will randomize system DLLs and EXEs. In order to prevent an attacker from reliably jumping to, for example, a particular exploited function in memory, ASLR randomly arranges the address space positions of key data areas of a process, including the base of the executable and the positions of the stack, heap and libraries. It provides random stack and heap allocations and page load every time a process starts. Even if a system process is hacked, the malware theoretically cannot execute shellcode.

The articles below are my research on the ASLR topic on virtual machines and other operating systems. Should you be interested, please review them for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

The enemy of ASLR (Address space layout randomization) – memory leak

But why was I hacked?

Technical insight – It looks as though using the ASLR feature to protect Windows OS products is perfect. But cyber security incidents in the past have proven that it is hard for ASLR to avoid side-channel attacks. For instance, the vulnerabilities (CVE-2016-7260 and CVE-2016-7259) could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. The affected Windows OS systems include 2008, 2008 R2, 2012, 2012 R2 and 2016.

Another example: Microsoft alerted that attackers are using a blend of in-memory malware, legitimate pen-testing tools and a compromised updater to attack banks and tech firms. A similar type of attack happened in 2013 against several South Korean organizations via a malicious version of an installer from the storage service SimDisk.

The details below can help you develop more ideas on this matter.

The operating system can promote a driver’s StartType to be a boot start driver depending on the BootFlags value specified in the driver’s INF. You can specify one or more (ORed) of the following numeric values in the INF file, expressed as a hexadecimal value:

  • If a driver should be promoted to be a boot start driver on network boot, specify 0x1 (CM_SERVICE_NETWORK_BOOT_LOAD).
  • If a driver should be promoted on booting from a VHD, specify 0x2 (CM_SERVICE_VIRTUAL_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a USB disk, specify 0x4 (CM_SERVICE_USB_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting from SD storage, specify 0x8 (CM_SERVICE_SD_DISK_BOOT_LOAD)
  • If a driver should be promoted while booting from a disk on a USB 3.0 controller, specify 0x10 (CM_SERVICE_USB3_DISK_BOOT_LOAD).
  • If a driver should be promoted while booting with measured boot enabled, specify 0x20 (CM_SERVICE_MEASURED_BOOT_LOAD).
  • If a driver should be promoted while booting with verifier boot enabled, specify 0x40 (CM_SERVICE_VERIFIER_BOOT_LOAD).
  • If a driver should be promoted on WinPE boot, specify 0x80 (CM_SERVICE_WINPE_BOOT_LOAD).

Windows registry: turn the ASLR feature on/off (see below)

Turn ASLR on or off by setting HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\MoveImages

Summary:

ASLR does not affect runtime performance. However, it might slow down the initial loading of modules. But it is not fully capable of protecting your Windows OS system.

A reminder: do not ignore unimportant items.