4th June 2018 – SAML Authentication Bypass ((Symantec) CVE-2018-5241)

SAML for single sign-on (SSO) makes it possible for your users to authenticate through your company’s identity provider when they log in to Cloud computing platform. SSO allows a user to authenticate once and then access multiple products during their session, without needing to authenticate with each of those. Please be remind that SSO will only apply to normal user accounts instead of privilieges level user account.

Symantec Security Advisory (4th June 2018). So called SAML Authentication Bypass (CVE-2018-5241).

A remote attacker can modify a valid SAML response without invalidating its cryptographic signature. This may allow the attacker to bypass user authentication security controls in ASG and ProxySG.  For more details about this issue, please refer below url for reference.



Hyperledger Iroha v1.0 beta-2 version to remediate CVE-2018-3756 (May 2018)

The earlier generation of blockchain technology empower encryption power let the world know his capability. As times goes by people found the design weakness of blockchain technology is the performance of synchoization of the peer nodes. Such design weakness cause double spending vulnerability. The next generation of technology so called HYPERLEDGER. It enhance the design weakness of blockchain. As a result cryptocurrency especially Ethereum relies on Hyperledger Fabric in demand. A blockchain project developed by several Japanese firms including by startup Soramitsu and IT giant Hitachu has been accepted into the Hyperledger blockchain initiative. A fix has been released by Hyperledger IROHA project two weeks ago. Hyperledger Iroha v1.0 beta-2 version is avaliable for download. The reason is that a critical vulnerabilities discovered during the security audit.

On 2017, Cambodia central bank taps Hyperledger Iroha for blockchain settlement. Perhaps they update to beta 2 already.

Should you have interest to know the detail, please refer below:

Cambodia central bank taps Hyperledger Iroha for blockchain settlement – https://www.cryptoninjas.net/2017/04/20/cambodia-central-bank-taps-hyperledger-iroha-blockchain-settlement/

Beta 2 (download): https://github.com/hyperledger/iroha/releases/tag/v1.0.0_beta-2

Dark power (malware) jeopardize the open geospatial data


The geospatial digital environment supports planning, management, modeling, simulation and visualization related to smart initiatives across the city.

Quick understanding – Basic data structure for GIS

  1. Vector
  2. Raster
  3. Tringulate irregular network

4. Tabular data (attribute table)

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system.

So, can we store big data in RDBMS? The fact is that the specifics of data get pretty large fairly quickly and therefore it’s not very well suited to huge quantities of data.

Remark: A traditional database product would prefer more predictable, structured data. Big data design fundmentally backend contains extremely dynamic data operations.

One of the key capabilities of a NoSql type environment is the ability to dynamically, or at least easily, expand the number of servers being used for data storage. This is the reason why does NoSql DB become popular in big data infrastructure environment.

DBMS ranking and technical details

Top 5 NoSQL database engines closer look

The advantage for deploy NoSQL Database for Management of Geospatial Data

NoSQL database are primarily called as non-relational or distributed database. NoSQL is not faster than SQL. They are exactly the same. However the non relational database (NoSQL) provides a mechanism for storage and retrieval of data that is modeled in means other than the tabular relations used in relational databases.

Redis, an open source, in-memory, data structure server is frequently used as a distributed shared cache (in addition to being used as a message broker or database) because it enables true statelessness for an applications’ processes, while reducing duplication of data or requests to external data sources. Thereby redis being growth the usage in big data infrastructure environment (specifications are shown as below):

  • Redis is very fast and can perform about 110000 SETs per second, about 81000 GETs per second.
  • All the Redis operations are atomic, which ensures that if two clients concurrently access Redis server will get the updated value.

Hacker targeted Redis server recently

Redis general security model

Redis is designed to be accessed by trusted clients inside trusted environments. This means that usually it is not a good idea to expose the Redis instance directly to the internet or, in general, to an environment where untrusted clients can directly access the Redis TCP port or UNIX socket (see below)


  • default port of SSH 22/TCP
  • default port of REDIS Server 6379/TCP

Redis improved access control since version 3.2. It was implemented protected mode. As of today the version 4.0.9 released. They are not in high priority focus on cyber security protection. Since Redis is designed to be accessed by trusted clients inside trusted environments. But what’s the reasons lets hackers follow it?


The cyber criminal divided into 3 interested parties of existing technology world. The cyber criminal dark force are divided into three different group in the world nowadays.

The famous one is the Advanced Persistent Threats (APT). In normal circumstances their attack are according to the political reasons.

  • Looking for financial interest on demanding crypto currencies zone. Hacker create malware or implant malicious code for bitcoin mining.
  • Looking for benefits on crypto currencies market. Hacker create malware or implant malicious code to the compromised web site or end user web browser for fulfilling their objective. It is bitcoin mining.
  • Ransomware spreading group – Interference business operation and suspend public services. Their goal is looking for ransom.

Perhaps the design weakness on current situation of Redis servers fulfill above hacker objectives and let them doing a lot of reverse engineering works for achievement.Below picture show the famous Case of vulnerability on Redis 3.2 server. So called “crackit”.

Attacker compromises the Redis server instance and add an SSH key to /root/.ssh/authorized_keys and login to compromised Redis server with SSH connection. Since there are certain amount of Redis servers is on the way to provides geospatial data services. The classification of spatial data services are based on the geographic services taxonomy of EN ISO 19119. This taxonomy is organised in categories, the subcategories defining the value domain of the classification of spatial data services.

In general speaking, hacker might not interest of those data but they can re-engineering the compromised server become a C&C server, APT botnet and sinkhole.

How to enhance Redis server protection level

In order to avoid Redis server has been compromised by hacker. The official website has security improvement solutions suggest to user.

Network layer:

Bind Redis to a single interface by add the following command line to the redis.conf file:


And therefore external anonymous client not able to reach Redis server.

Application layer:

Three Must-Have Redis Configuration Options For Production Server

rename-command FLUSHDB ""
rename-command FLUSHALL ""
rename-command CONFIG ""

The above disables three powerful and dangerous commands. You could take it a step further and disable other questionable commands, like KEYSDEBUG SEGFAULT and SAVE.

Should you have interest of the security protection recommended by Redis. Please visit below official website for reference.


— End —

1st June 2018 – Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe

Visa Card Payment Systems Go Down Across Europe on 1st June 2018. The Visa payment service resumed on 2nd June 2018. Visa announced that systems now operating at ‘full capacity’ after crash cripples payments  (See below url for reference)


The service interruption because of hardware failure, said Visa. Observation – The fellow payment card systems MasterCard and Maestro are not affected.

My comment is that see whether is there any design limitation of the enhanced 3-D Secure 2.0 causes this incident? No problem, cyber world looks no secret. Even though it is non-disclosed at this time. May be we will know the details in future.

Have a nice Sunday.


A vulnerability found in becton dickinson DB Manager (CVE-2018-10593 and CVE-2018-10595)

On May 2017, Ransomware attack suspended UK healthcare system services. It shown the security weakness in hospital and clinic IT system infrastructure. BD is a global medical technology company that is advancing the world of health by improving medical discovery, diagnostics and the delivery of care. A vulnerabilitiy found on Becton Dickinson causes a series of products being effected. It includes BD Kiestra TLA, BD Kiestra WCA and BD InoqulA+ specimen processor. The vendor state that this vulnerability cannot be exploited remotely. You must have physical access to the sub-network shared by the BD Kiestra system.According to the vendor solution , their product allow both thick client and thin client (web base) access. And therefore the vendor requires to remind the client who engaged the web base function to staying alert. Should you have interested to find out the details. Please refer below url for reference.


22nd May 2018: Security Advisory – Privilege escalation vulnerability found in some Dahua IP products

Based in Hangzhou, China, Dahua Technology is one of the world’s leading manufacturers of security and video surveillance equipment. According to its unaudited results for 2017, it had a turnover of $2.89bn representing a year-on-year increase of 41%, and a gross profit of $404m, growing by 31%.Based on above details, you can imagine that how the popularity of the Dahua IP devices market coverage.

Regarding to the CVE reference number, it indicate that vulnerability found on 2017. Acording to the official web site announcement, the historical status shown as below:

  • 2018-5-22 UPDATE Affected products and fix software
  • 2018-3-16 INITIAL

We notice that VPN filter malware infect estimate total of 500,000 units of device (router and Network access storage) jeopardizing the world. Whereby, the US court order enforce the justice and thus quarantine the specified C&C servers. It won this battle.

But is there any hiccups of this matter?

Should you have interest of this matter, please refer below url for reference.

Security Advisory : Privilege escalation vulnerability found in some Dahua IP products https://www.dahuasecurity.com/support/cybersecurity/annoucementNotice/337

21st May 2018 – Citrix XenMobile 10.x Multiple Security Updates

Applicable Products (XenMobile 10.7 & XenMobile 10.8)

Affecting XenMobile Server 10.7 and 10.8:

  • CVE-2018-10653 (High): XML External Entity (XXE) Processing Vulnerability in Citrix XenMobile Server
  • CVE-2018-10650 (Medium): Insufficient Path Validation Vulnerability in Citrix XenMobile Server
  • CVE-2018-10654 (Medium): Hazelcast Library Java Deserialization Vulnerability in Citrix XenMobile Server
  • CVE-2018-10648 (Low): Unauthenticated File Upload Vulnerabilities in Citrix XenMobile Server
  • CVE-2018-10651 (Low): Open Redirect Vulnerabilities in Citrix XenMobile Server

Affecting XenMobile Server 10.7: ………..

Mitigating Factors: …………………………..

Should you have interest of this topic, refer below url for reference.


The book of Revelation – OPC UA will be the target for next phase of SCADA system attack.



A fascinating, unusual story which creates an eerie atmosphere. The security report issued by Kaspersky on 10th May 2018 driven my interest to do this study. So the report equivalent to enlightenment my conception.


A tremendous potential cyber attack found by Cisco. Thereby it announced to public last week. They reveal this unknown story to the world. And therefore the major security focus shift to a new malware. As a result, we know the technical specifications of malware so called “VPNFilter”. However, similar cyber attacks was encountered in past. A similarity of those cyber attacks are focusing the public facilities especially nuclear power facility , gas and water supply system as the major target. We bring your attentions today for OPC UA (Object Linking and Embedding for Process Control Unified Automation) to OPC Unified Architecture (OPC UA) system vulnerabilities. Those vulnerabilities are not running in high profile. But it requires technical people for attention.

About OPC & OPC Unified Architecture

OPC is an industry standard, it defines methods for exchanging realtime automation data between PC-based clients using Microsoft operating systems. The organization that manages this standard is the OPC Foundation. OPC Unified Architecture (OPC UA) is a machine to machine communication protocol for industrial automation developed by the OPC Foundation.

Overview of OPC Unified Architecture

Kaspersky technical findings

Referring to technical report announced by Kaspersky on 10th May 2018. The key critical design flaws are shown as below:

  1. Quote: OPC UA was designed to support data transport for two data types: the traditional binary format (used in previous versions of the standard) and SOAP/XML. Today, data transfer in the SOAP/XML format is considered obsolete in the IT world and is almost never used in modern products and services. The prospects of it being widely used in industrial automation systems are obscure, so we decided to focus our research on the binary format.


It turned out that part of the network services in the system we analyzed communicated over the OPC UA protocol and most executable files used a library named “uastack.dll”. ………

…………After developing a basic set of mutations (bitflip, byteflip, arithmetic mutations, inserting a magic number, resetting the data sequence, using a long data sequence), we managed to identify the first vulnerability in uastack.dll. It was a heap corruption vulnerability, successful exploitation of which could enable an attacker to perform remote code execution (RCE), in this case, with NT AUTHORITY/SYSTEM privileges.

Hints –  See whether below assembly language source code (call OpcUa-memory_Alloc@4) can provides any idea to you in this regard.

2. In the process of analyzing the application, found that it used the XmlDocument function, which was vulnerable to XXE attacks for .NET versions 4.5 and earlier.

Hints: What is XXE attack? Below picture shown traditional XXE attack for reference.This XXE attack so called billion laughs attack .

Remark: By disabling DTDs, application developers are also able to strengthen the parser’s ability to protect itself against DoS (denial of service) attacks.

My observation:

Upon inspection, the OPC UA requires the following library files.

libeay32.dll, ssleay32.dll, and uastack.dll

The above library file (ssleay32.dll) belongs to OpenSSL 1.0.2j. It was configured and built with the options no-idea, no-mdc2, no-ntt, and no-rc5 to avoid patent issues. If bugs are found in the version of OpenSSL. You may compile and use your own version because this is a open source program.

Reminder: Kaspersky Labs identified 17 zero-day vulnerabilities in OPC Foundation open source code. For more details about the report, please refer below url for reference.

Review of Kaspersky Labs Report Confirms OPC Foundation’s Transparent, Open Source OPC UA Implementations Strategy Improves Security

— End —

Heads-up: Low-end Wi-Fi router vulnerability – 24th May 2018

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

The devices which could be affected by new malware (vpnfilter). Below is the checklist for reference.









Special Item: QNAP DEVICES  (Network-attached storage)

TS439 Pro
Other QNAP NAS devices running QTS software

My speculation on how Cisco (Talos) found the malware (VPNFilter malware).


Using Big Data and data mining methods to predict attacks before they happen,the Cisco Umbrella Security Research team built such detection framework.

Point of view:

a. Vulnerability routers are vulnerable to Shell Metacharacters Attack

Regarding to the observation result of Cisco Talos security team. There are group of router devices are vulnerable. They are Linksys, MikroTik, Netgear, and TP-Link, as well as QNAP network-attached storage (NAS) devices. I am not going to repeat the attack details because nobody will be describe as clear as Cisco findings (see below url for reference)


However a hints given to me that they are all vulnerable for Shell Metacharacters attack. What is Shell Metacharacters attack? A metacharacter is a character that has a special meaning (instead of a literal meaning) to a computer program, such as a shell interpreter or a regular expression engine. … Otherwise, the parenthesis, plus-sign, and asterisk will have a special meaning. In the sense that those routers containes design weakness may let the router misbehave. For instance it accept arbitrary command execution through shell metacharacters in a URL.

Botnet from earlier phase relies on workstations engage the attack convert to smartphones in last few years. Most likely the security enhancement in workstations and smartphones improved. The threat actors found the new victims today.It is a low-end wireless router.

So below items are the guidance:

  • Never trust input
  • Prefer rejecting data to filtering data
  • Every component should validate data

Whereby the way to validate the input are:

  • Indirect selection – application never directly uses user input
  • Whitelist
  • Blacklist

If required input, do the validation actions:

  • Sanitize – Attempt to fix input by removing dangerous parts
  • Refuse to use invalid input
  • Record invalid input in log file
  • Alert – send notification to related personnel

b. Behavioral Analysis discovered adnormal traffic pattern

There are design weakness of modbus protocol. Basically modbus is  an application layer protocol. However the MODBUS/TCP protocol implementation contains multiple vulnerabilities that could allow an attacker to perform reconnaissance activity or issue arbitrary commands.

  1. All MODBUS messages are transmitted in clear text across the transmission media.
  2. There are no integrity checks built into the MODBUS application protocol. As a result, it depends on lower layer protocols to preserve integrity.
  3. There is no authentication at any level of the MODBUS protocol. One possible exception is some undocumented programming commands.
  4. MODBUS/TCP consists of short-lived transactions where the master initiates a request to the slave that results in a single action. When combined with the lack of authentication and poor TCP initial sequence number (ISN) generation in many embedded devices, it becomes possible for attackers to inject commands with no knowledge of the existing session.

Regarding to item no.1 design weakness. The SCADA system vendor will be recommend client make use of VPN tunnel to encrypted the traffic for remediation. Whereby hacker created working directory (/var/run/vpnfilterw) in compromised router to record the modbus traffic. And therefore user credential will be found by hacker.

c. Compromised routers and NAS transform to weaponize tool

Cisco statiscally calculate there are estimated 500,000 devices has been compromised. A hints highlights by security expert that attacker creates a configuration file in /var/run/torrc and a working directory in /var/run/tord. A evasion of detection mechanism technique since it is a encrypted communication. The command and control server is able to drive the compromised router to start the cyber attack to nuclear power facilities. Refer to above four items of modbus vulnerbilities. The QNAP network-attached storage (NAS) will be transform become a attack tool. The kernel of NAS contains linux command is able to use it. For instance execute a nping command craft packet to bother the nuclear facility. Meanwhile the hacker is able to install python or php library with script to execute the attack (Reference to above item number 4).


In the meantime, we are waiting for more information provided by Cisco.Perhaps attackers engage the attack. No news is good news, agree, Right?

Anything updating will keep you posted.

— End —

24th May 2018 – status update:

FBI take control of APT28’s. They are the suspect threat actor of this attack.

The US Federal Bureau of Investigation (FBI) has obtained court orders and has taken control of the command and control servers of a massive botnet of over 500,000 devices, known as the VPNFilter botnet.

Headline news article for reference.


Justice Department Announces Actions to Disrupt Advanced Persistent Threat 28 Botnet of Infected Routers and Network Storage Devices