Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

Announcement – Since the original post encountered slow response issue. In order to keep the comments input by visitors. We are going to keep the original post. This post is cater for visitor who can’t access the original web page. Please accept our apologizes that has been made.



The trend in IT world running into virtual world nowadays. Even though your mobile phone operation system is run on top of virtual machine. The memory resources utilization from tradition static to dynamic since virtual machine architecture founded. Security experts worries about infiltration of malware on virtual machine. A mitigation step introduce on VMware since 2014. The system designer conducted a technology alleged address space layout randomization. As a result it avoid malware implant to kernel since no living place for the malware alive (see below – a statement on technical article point out that how ASLR bring in the value)

The VMware ESXi kernel uses an address space layout randomization (ASLR) methodology to provide random and unpredictable addresses for user-mode applications, drivers, libraries and other executable components. This is a significant security benefit because of the way ASLR thwarts malware looking to take advantage of memory-based exploits. The malware would not have a known address to use as a vector for the exploit because of the randomization.

As times goes by, ASLR not even is the assistance of virtual machine designer. On the other hand, he will become a killer to kill his master. But this fact is not a news today. Regarding to the technology expertise experimental studies, it is possible to execute a attack on kernel side through malicious Java application. The method is a kind of side-channel attack (side-channel attacks) and based on the definition of indirect addresses to which had previously been handling when traversing page tables memory processor unit MMU (Memory Management Unit) in the translation of virtual memory addresses to physical memory addresses. Since cache CPU general and it is recognized as an active application or activity the MMU, then by evaluating differences in data access time before and after resetting the cache (the attack variety “EVICT + TIME”) can with high probability to choose the address and able to detect the locations since it is under the operation of memory management unit.

By breaking ASLR, an attacker will know where code executes, and prepare an attack that targets the same area of the memory, stealing sensitive information stored in the computer’s memory.

The vulnerability channel found on web browser announced by Professor of Computer Science at Cornell Tech on Jan 2016.

When attacking browsers, may be able to insert arbitrary objects into the victim’s heap. Let’s focus on web browser design fundamental.

Web applications communicate with each other through system calls to the browser kernel. As we know, web applications exist in separate processes owned by the browser kernel, they are prohibited from communicating with each other, except through the browser kernel.


However Plugins are less reliable than browsers.

However Plugins are less reliable than browsers


As a matter of fact, Java script is the helper of ASLR vulnerability. Sounds like java-script is an accomplice. The murderer is plug in application.

But in which situation virtual machine will be compromise of this vulnerability?

From technical point of view hacker engage a cyber attack targets workplace on memory area we understood that it is a malware form style attack.  As we know, AMD architecture define a feature named SVM instruction set.  AMD virtualization technology, codenamed “Pacifica,” introduces several new instructions and modifies several existing instructions to facilitate the implementation of VMM systems.
The SVM instruction set includes instructions to:

Start execution of a guest (VMRUN)
Save and restore subsets of processor state (VMSAVE,VMLOAD)
Allow guests to explicitly communicate with the VMM (VMMCALL)
Set and clear the global interrupt flag (STGI, CLGI)
Invalidate TLB entries in a specified ASID (INVLPGA)
Read and write CR8 in all processor modes
Secure init and control transfer with attestation (SKINIT)

Remark: Fundamentally, VMMs (Hypervisor) work by intercepting and emulating in a safe manner sensitive operations in the guest (such as changing the page tables, which could give a guest access to memory it is not allowed to access).


As such,  you are more free to run on memory address space once AMD-V is enabled in the BIOS (or by the host OS).


Below confirmed CVEs looks headaches to virtual machine core designers (VMWARE, VBOX, Hyper-V), right?

  • CVE-2017-5925 for Intel processors
  • CVE-2017-5926 for AMD processors
  • CVE-2017-5927 for ARM processors
  • CVE-2017-5928 for a timing issue affecting multiple browsers

Since founded AnC attack (EVICT+TIME), it  can detect which locations in the page table pages are accessed during a page table walk performed by the MMU.  In the sense that it such a way broken the ASLR feature on virtual machine. The objective of ASLR mainly avoid malware infection on virtual machine. What scenario we can foreseen tomorrow!

Sample: Java code with execute arbitrary memory write

// prepare buffer with address we want to write to
ptrBuf = ""
// fill buffer: length = relative ptr address - buffer start + ptr offset
while (ptrBuf.length < (0x????? - 0x9????? + 0xC)){ptrBuf += "A"}
ptrBuf += addr

// overflow buffer and overwrite the pointer value after buffer

// use overwritten pointer to conduct memory write of 4 bytes
obj.SetFontName("\xbe\xba\xfe\xca") // WHAT TO WRITE
alert("Check after write:0x???????? + 0x?






Mobile apps like your wife or girlfriend. They are tracing you!



Power is always dangerous…..Android rule the world


About mobile phone security

Independently conducted by antihackingonline

The attack hit rate on personal mobile devices rate high. Mobile phone user enjoy to play the game apps. In order to fulfill the application requirement, their web browser require enable the plugins like Flash and Java in order to display some interactive content.

Culprit – Android OS (Zygote)

Zygote is a software component of the Android operating system uses to start apps.  The mechanism of the Zygote process will create a process (System call fork() is used to create processes), and the child process continues where it left off, loading the app itself into the VM.

ActivityThread,main() – see below

public static void main(String[] args) {
    //Create the main thread looper

    ActivityThread thread = new ActivityThread();
    //attach To the system process

    if (sMainThreadHandler == null) {
        sMainThreadHandler = thread.getHandler();

    //The main thread enters the loop state

    throw new RuntimeException("Main thread loop unexpectedly exited");

Zygote require root permissions on Android OS but it is an inherit right. And therefore Process ID is 1.

Remark: ID 1: init process, invoked by the kernel at the end of the bootstrap procedure.

Android zygote security weaknesses caused by performance design

An evaluation program found that the Address Space Layout Randomization (ASLR) not effectively implement in Android OS. As a result , it leaving software components vulnerable to attacks that bypass the protection. Zygote process creation model causes two types of  memory  layout  sharing  on  Android,  which  undermine  the effectiveness of ASLR. Firstly, the code of an application is always loaded at the exact same memory location across different runs even when  ASLR  is  present;  and  secondly,  all  running apps  inherit  the  commonly  used  libraries  from  the  Zygote process (including the libc library). For more details about the weakness of ASLR on VM. Please refer to below URL for reference.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization


Remark: Android 7.0 or above, library load order randomization and ASLR improved. The major improvement goal increase randomness feature. As a result it makes some code-reuse attacks decrease successful rate.

Inline hooking – Inline hooking is a method of intercepting calls to target functions. For instance, prepares hooks for the following system properties.

  • java.lang.System.getProperty()

If the software developer would like to obtains SMS data on your mobile phone (Android), he can do the following steps.

  1. Manages SMS operations such as sending data

    void sendDataMessage (String destinationAddress, 
                    String scAddress, 
                    short destinationPort, 
                    byte[] data, 
                    PendingIntent sentIntent, 
                    PendingIntent deliveryIntent)

    2. The null pointer exception is directly linked to name. i.e. isms or isms2.

    3. The transact() method is redefined in the customized program “isms” (or isms2) binder realization, replacing the original.

    4. When the parent application of the customized program sends an SMS it leads to the call of the customized program transact() method.

    5. As a result, the customized program can obtains SMS data (destination number, message text, service center number) from raw PDU.

Current status

It is hard to draw into conclusion on this discussion topics this moment. We keep our eye open see whether a new vulnerability find on Zygote in 3rd quarter in 2017 . Ok, have a good sleep.  Zzzzzzz……















The achilles heels of Ethereum (block chain technology)


What is Achilles heel: a small problem or weakness in a person or system that can result in failure. If you familiar with Chinese Kung Fu,  the key word “achilles heels” you might not feeling unfamiliar.

Wake the world attention – Ethereum security incidents

Jun 2016 –  Decentralized Autonomous Organization (DAO) attack – Code Issue Leads to $60 Million Ether Theft

Jul 2017South Korea’s largest Bitcoin/Ethereum cryptocurrency exchange ‘Bithumb’ hacked and over $1 Million in cryptocurrencies stolen

Ethereum claimed itself that he is the most Secure Public Blockchain. He is on the way overtaking Bitcoin technology. But what’s the key factor causes cyber security incidents happened in past?

The technical weakness summarized below:

  1. The Ethereum network itself might not vulnerable. “DAO” stands for “Decentralized Autonomous Organization”. It’s basically a type of application (a smart contract system) that can be deployed on the Ethereum network/blockchain. The hacker took advantage of a vulnerability in the contract code, written in the JavaScript allows a single participant to “drain” Ethereum tokens from the collected pool of all the investor money to a separate personal pool, which “the attacker” can then use by himself.
  2. A warning about the mempool transaction replacement mechanism.Implementors should take this into account and try to create contract mechanisms that do not rely on mempool replacement if they wish to have their implementations work with current implementations.
  3. Large Hashrate Pools Accidental suspend the services. Pools with larger hash-rates have recently been using the built in feature to only process their nodes own transactions. High volume of transaction which waiting for confirmation will slow down the performance of the pool causes services suspended.

Sample survey – in regards to cyber security incidents in the past

Investigation step 1 – Does Ethereum client have memory pool?

Yes, similar concept of memory pool definition will be valid in client side. The similar function  is for keeps transactions like Bitcoin’s mempool. The naming convention of the key term is the Transaction Pool, or TxPool in the code (see below)

var (
    // Transaction Pool Errors

const (
    maxQueued = 64 // max limit of queued txs per address

// TxPool contains all currently known transactions. Transactions
// enter the pool when they are received from the network or submitted
// locally. They exit the pool when they are included in the blockchain.
// The pool separates processable transactions (which can be applied to the
// current state) and future transactions. Transactions move between those
// two states over time as they are received and processed.
type TxPool struct {
    quit         chan bool // Quiting channel

Inherent risk & design limitation

i. Transactions may reverted

Ethereum Virtual Machine (EVM Level)

Python – If C calls, and foo does a throw ((bad jump, out-of-gas, or any other exception), as a result the entire transaction reverted.

Known bug bug in geth v1.4.19 and v1.5.2 – Geth was failing to revert empty account deletions when the transaction causing the deletions of empty accounts ended with an an out-of-gas exception. An additional issue was found in Parity, where the Parity client incorrectly failed to revert empty account deletions in a more limited set of contexts involving out-of-gas calls to precompiled contracts; the new Geth behavior matches Parity’s, and empty accounts will cease to be a source of concern in general in about one week once the state clearing process finishes.

Remark: out of gas definition – The gas cost can only be estimated until the transaction is executed against the actual contract state at the time of execution on the blockchain. If the transaction run out of gas before transaction complete. EVM exceptions result in all gas being consumed, and the transaction being rolled back. Gas is not returned if a transaction is unsuccessful because otherwise malicious users could spam the network with unsuccessful transactions.

ii. Authorization security consideration – Never use tx.origin for authorization (Detail 1). If your wallet had checked msg.sender for authorization, it would get the address of the attack wallet, instead of the owner address. But by checking tx.origin, it gets the original address that kicked off the transaction, which is still the owner address. The attack wallet instantly drains all your funds (Detail 2).

wallet contract – Detail 1

pragma solidity ^0.4.11;

contract TxUserWallet {
    address owner;

    function TxUserWallet() {
        owner = msg.sender;

    function transferTo(address dest, uint amount) {
        require(tx.origin == owner);

attack wallet – Detail 2

pragma solidity ^0.4.0;

contract TxAttackWallet {
    address owner;

    function TxAttackWallet() {
        owner = msg.sender;

    function() {
        TxUserWallet(msg.sender).transferTo(owner, msg.sender.balance);

Ethereum enhance the programming language of protection.But what’ the reason let’s the Biggest Ethereum and Bitcoin Exchanges Got Hacked?

About South Korea’s Largest Ethereum Exchange Was Hacked – Headline news hints that the attackers are setting their sights on people’s digital currency wallets (see following url for reference) From technical point of view, this is client side data breach instead of server side, right.  Since the case is under South Korea law enforcement investigation. No details provides in the meantime. For more detail, please read following url

My comment in regards to this case – since cyber incident more possibility happens on computer user negligence. Yes, I agree that we must focus the system and application design limitation. Since no any conclusion or prediction this moment. But a hints would like to bring to your consideration . Be my guest, see below detail for reference.

Fundamental design weakness of Ethereum node implemented in Go

Reference: When you are going to unlock account.   The command tool Geth will be used.  You’ll be prompted to type in the password afterward.

geth --unlock <YOUR_ACCOUNT_ADDRESS> --password <YOUR_PASSWORD>

A security concerns was happend here! In the earlier versions of Geth, providing the password as a parameter would cause the password to show up in the Geth log.  So our clever reader will speculated the story and final result properly. There is not required to mention the details again, right?

RemarkGeth is a multipurpose command line tool that runs a full Ethereum node implemented in Go. It offers three interfaces: the command line subcommands and options, a Json-rpc server and an interactive console.

Have a nice weekend.


Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)









21st century kill chain (logic bomb, cyber bomb and ransomware)


The 21st century is the current century of the Anno Domini era, in accordance with the Gregorian calendar. It began on January 1, 2001 and will end on December 31, 2100. It is the first century of the 3rd millennium.

We can’t tolerate cyber attack happen in election again, President said.

Headline news told that former president Obaman intend to use new technique to reduce other country especially Russia engage the cyber attack to USA during 2016 election of president. The solution is that activate a cyber bomb technique. But this idea did not action yet.

What is a logic bomb?

A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. The technical term so called slag code.

What is slag code?

It is not a virus, but works in a similar pattern. From technical point of view, slag code sounds like a set of instructions inserted into a program that are designed to execute the target action (sounds like “explode”).

Scenario – The technical term so called network exploded. The result of this explosion contains delete data ,corrupt data or have other harmful effects.


Below  example (Picture A) shown that only implement a simple command syntax to a windows workstation. The process will consume all the CPU resources until windows OS shutdown. This is the concept idea of a slag code. Do you think similar attack concept can whether be affect the services provider network equipment?

Picture A – slag code

How powerful of the cyber bomb, is it possible?

Above concept can show you that your workstation execute a slag code and result not operation properly. The service get back normal until reboot. What if, the telecommunication services provider receive the slav code crafted by expert. What’s the worst situation is?

Logic Bomb 

Logic Bomb 1 – infectious media (malware)

The logic bomb goal to achieve a destructive result. The infectious media relies on malware. The malware structure will  be consists of a executable file ( Agent.exe ). This file is for triggered the wiping function. Besides this file contains a hex string. For example – a hex string display 65B417D8. When we convert the hex code to numeric value, it indicate that this is the date and time of the attack to begin (June 30, 2017 at 2pm local time (2017-6-30 14:00:00)). As soon as the internal system clock on the machine hit 14:00:01, the wiper (agent) was triggered to overwrite the hard drive and master boot record on Microsoft OS of machines and then reboot the system. The malicious code can access and compromise Windows-based systems inside the industrial control network. After a Windows system has been infected, the weapon would be stealthy enough to evade IT security controls while it searches for a target system

Logic Bomb 2 – A persistent attack (the packets being constantly injected)

A persistent attack occurs when the attacker would put bad packets into a router and it would lead to vulnerabilities being exploited/revealed during the process. Significant damage can occur during this attack because packets would be flooded into the router and can end up suspend the routing function.

Remark: These attacks are very complicated to detect.

Logic Bomb 3 – The mistrating attacks

The mistreating attacks can be caused indirectly by directing an irresistible number of packers to the target victim address. Let the victim (router and network) isolated. In the means that the network services will be suspended.


Cyber warfare arsenal (major weapon)


Since this topic we discussed in past , for more details, please see below URL for reference.

The other side of the story on cyber attack (Electronic war between countries)

Informaiton Supplement  – BGP hijack attack

Below idea show a rogue AS falsely advertises a shorter path to reach a prefix P, which causes other AS’es to route traffic destined to the prefix P through the shorter path.


There are four AS’s: AS1, AS2, AS3 and AS4 (rogue).

Each routing daemon’s peers are shown using connections:

  1. Router 1 peers with router 2 and router 4.
  2. Router 2 peers with router 1 and router 3.
  3. Router 3 peers with router 4.

 1 – Show router 1 routing entries

BGP table version is 0, 
local router ID is

Network Next Hop Metric LocPrf Weight Path    0           32768  i    0               0  2 i                    0  2 3 i

Reminder A: On AS1, the chosen AS path to reach is “2 3” (i.e., via AS2 and AS3).

2: Start the rogue AS, the rogue AS will connect to AS1 and advertise a route to using a shorter path (i.e., a direct path from AS1 to AS4). Thus, AS1 will choose this shorter path by default.

3. Show router 1 routing entries again

BGP table version is 0, 
local router ID is 

Network Next Hop Metric LocPrf Weight Path     0           32768 i     0               0 2 i     0               0 4 i     0                 2 3 i

We can see AS4’s chosen path and also AS3’s path in the routing information base of AS1.
Since the AS path length to reach is smaller through AS4, router 1 chooses AS4 as its next hop.

From technical point of view, it successfully hijack the traffic in BGP network. We known internet routing protocol is using BGP. No suprise, this is only a basic theory. More complex and advance technique is under develop by different countries.
See who show his power to the world.


On our discussion of this topic, I am not going to input key word conclusion on the end of page this time. As we know, above items is my speculation. Believed it or not , the cyber attack atmosphere looks similar with discussion in past.

But bear in mind that any product includes cyber weapon require test and pilot run. These rehearsal looks mandatory since it is hard to foreseen the overall damage effect (including the response of the countries). On the other hand it is a test to know the actual system specification in hostile country. It compared to traditional way become more effective! Hire a spy infiltrate to hostile country is not the way today. Do you agree?

I am going to write more interested topics. Hope you will be interest. See you. Have a nice weekend.









Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)



Timothy 6:10: “For the love of money is the root of all [kinds of?] evil”

Before we jump into discussion see the bitcoin market status today

Ethereum briefly crashed from $319 to 10 cents , said Thursday (22nd June 2017) CNBC News.

The CoinDesk Bitcoin Price Index provides the latest and most accurate bitcoin price using an average from the world’s leading exchanges.

As of today (22nd June 2017) ,1 Bitcoin equals 2716.06 US Dollar

How does Finance sector think about it?

On 26th May 2017, Bank of America Corp, SBI Holdings Inc, HSBC Holdings Plc, Intel Corp and Temasek Holdings have invested $107 million in R3 CEV. The R3 is made up of financial industry veterans, technologists, new tech entrepreneurs and subject matter experts. This group of people goal to building the next generation of global financial services technology. Sound amazing that finance sector are keen to involves the blockchain or bitcoin technologies.

Perhaps bitcoin or blockchain are in mature stage now. It looks that it lack of acceptability. Even though banking industry treat the new payment concept with respect. But technically did not potentially replace the traditional payment gateway especially SWIFT payment system. Since different have different official financial policies and guideline.

How does criminal  think about it?

When we talk about blockchain technology, most of the time we will think about hacking. How to jail break the encryption algorithm. Few expertise opinion. The break point of the blockchain technology not focus on break though the encryption. Seems it is not easy to do. But bitcoin technology concerns of double spend” of electronic coins. In the sense that bitcoins technology itself is aware of it.  Are you interested of this information. Be my guest, take a short journey to dig out a little bit. Ok, are you ready. Our train is leaving the platform now.

World more complex, a new technology appears, it is  Hyperledger?

Hyperledger is an open source collaborative effort created to advance cross-industry blockchain technologies. It is a global collaboration, hosted by The Linux Foundation, including leaders in finance, banking, IoT, supply chain, manufacturing and technology.

Remark: Hyperledger compared to traditional interbank settlement , the overall completion need time will be shorten compared to traditional process. Meanwhile the hyperledger transaction of volume will be higher. Therefore the expert claimed that this is a speedy area like a motorway.

From technical point of view, Blockchain and Hyperledger technologies are located in services layer (see below).

No matter how the technology renovation in future, double spend might have possibility happens. Before we discuss the double spend attack technique concept.  Let’s use a simple way to understand the feature of both new and traditional technology elements. On this article, we found 2 units of element shown in Service layer. That is blockchain and hyperledger. Hyperledger benefits for cross-industry blockchain technologies. We can say it will be run in properaitery private network. Blockchain technology are open for public usage. You and me can enjoy the benefits (no transaction fees). May be you can dig out more. But above  criteria is easy for your identification. Below is the hyperledger blockchain platforms for your reference.

The availablility of Hyperledger blockchain platforms today.

Hyperledger Burrow – Burrow is a blockchain client including a built-to-specification Ethereum Virtual Machine. Contributed by Monax and sponsored by Monax and Intel.

Hyperledger Fabric – Contributed by IBM.

Hyperledger Iroha – Based on Hyperledger Fabric, with a focus on mobile applications. Contributed by Soramitsu.

Hyperledger Sawtooth – Contributed by Intel

We can go to cyber attack concept now, let’s move on.

Double-spend Attacks

Double-spending is the result of successfully spending some money more than once. It means that a suspicious transactions spend from the same inputs as the first set of transactions. The transactions conflict and are thus double spends. In order to avoid to this problem occurs. Only one transaction out of a set of double spends will be able to confirm. The rest of the transactions become invalid.

The one we consider of this attack does only work for fast payment scenarios. Oops….we known that hyperledger claim that he is work in fast payment scenarios? Are you kidding?

Actually a technical report issued by ETH Zurich did a proof of concept on the possibility of double-spend attack on blockchain instead of hyperledger. Below informative diagram can provide an idea to you in this regard. The test shown that make network traffic delay on Txv. And avoid the acknowledge  issued by Txa go to victim. The test found factual issue occurred in this circumstances.

Since developers and blockchain investors understand the weakness of current blockchain technology.  A group of financial investor build the next generation of technology goal to enhance the current technology design weakness. That is the hyperledger today.  The features enhancement area includes Message handling, Block Publishing/validation, Consensus, Global State Management. Below informative diagram display the overall operation infrastructure. A segregates transaction payload definition, validation and stat management logic to improve overall security.

Observation: In this secure environment, how does hacker do?

Regarding to the authorization check on hyperledger design (see below informative diagram) it provide a comprehensive monitor feature to prevent incorrect and suspicious transaction.  Hacker will take a another way round even through you have good authorization check system.

Since decryption of data not a easy way. It is time consuming and do not guarantee the successful rate. From technical point of view, hacker is not possible to spend on such afford. The possible and easy way is that hacker relies on the spear phishing technique. Then counterfeit messages appear to come from a trusted source fooling user in negligence. A misleading message lets user activate a internet link (url) which trigger malware infection. The hyperledger technique run in multi-layer architecture might expose more surface for attack. A insider threat might create a break point and causes the system compromised finally. As we know, ransomware is a hybrid architecture which coexists with malware and ransome features. Hacker can implant malware to a internal workstation then execute the ransomware attack afterwards.

The smart contract ID is unique reference number. No body else can help once the repository encrypt by hacker.

Is there any remediation solution on above matter?

Per my observation from past. Even though you have comprehensive detective and preventive security control. It is hard to avoid the incorrect business decision.  In short, what is the drawback on above matters in regards to business decision. The business shake holder intend provide more flexibility on the system function. For instance customization of the application to fulfill business objective.

For corrective control solution. We can do the following to recover the system after ransomware infection.

  1. Increase the backup SNAPShot schedule. Since the delta improved. It reduce the overall loss of data percentage after system restore.
  2. Not allow critical host have access internet function. Perhaps you say, it is inconvenient to do  the zero-day patch, critical patch and anti-virus signature update? But this is a important factor.

If you can use a simple way to move a mountain, why do you choose a heavy machine? Ok, let’s stop discussion here. Please take off the train.
But I will provide more interest topics soon! Bye!












2017 – How Android protect itself?


Numbers 31:3 “So Moses spoke to the people, saying, “Arm men from among you for the war, that they may go against Midian to execute the Lord’s vengeance on Midian.”

If you are familiar with Bible, you might know who’s Midian. Some scholars have suggested that Midian was not a geographical area but a league of tribes.

Cope with nowadays cyber security world.  Sounds like Midian equivalent of a  malware. Man kind is going to find a way protect the electronic devices including computer, mobile phone and IoT devices.

2017 threats predictions (mobile phone)

We all  known ransomware aggressive 1st quarter this year and believed that similar of attacks will continue to grow. We aware that malware and malicious code embedded on Google Play store applications significant increases. And therefore the downloading apps from unknown and untrusted markets has always been more dangerous. And predicts that similar type of incidents will be happens continuously. Besides  there are hardware vulnerabilities during the last several years—including vulnerabilities in microprocessors and DRAM technology. May be you might ask? How mobile phone especially Android to protect itself?

Let’s talk a closer look see whether we can find the hints

Fundamental of Android APT

Android use the standard process isolation to split application.  The application reading each-other’s data by requesting permissions in the apk’s. By requesting permissions in the apk’s
AndroidManifest it is possible to get those granted by the PackageManager. Such permissions can result in applications being run under the same user id.

Heads-up: This is the reason Google is having a hard time getting rid of malicious Android apps

APK Installation Process

An additional Android manifest file, describing the name, version, access rights, referenced library files for the application. As such, the Manifest files plays an important role for every android application. From the perspective of security the manifest file is usually the first thing that a penetration tester will check on an engagement. The android:protectionLevel attribute defines the procedure that the system should follow before grants the permission to the application that has requested it. This is a major part of Android security feature. And this is one of the important protection feature of Android.

All the permissions that the application requests should be reviewed to ensure that they don’t introduce a security risk.


Below is an example showing that an inherent risk found on Android manifest file. The setting lack of signature permission.

<?xml version='1.0' encoding='utf-8'?>
<manifest package="org.qtproject.example.notification" xmlns:android="" android:versionName="1.0" android:versionCode="1" android:installLocation="auto">
    <application android:icon="@drawable/icon" android:name="" android:label="@string/app_name">
        <activity android:configChanges="orientation|uiMode|screenLayout|screenSize|smallestScreenSize|locale|fontScale|keyboard|keyboardHidden|navigation"
                  android:label="Qt Notifier"
                <action android:name="android.intent.action.MAIN"/>
                <category android:name="android.intent.category.LAUNCHER"/>
            <meta-data android:name="" android:value="-- %%INSERT_APP_LIB_NAME%% --"/>
            <meta-data android:name="" android:resource="@array/qt_sources"/>
            <meta-data android:name="" android:value="default"/>
            <meta-data android:name="" android:resource="@array/qt_libs"/>
            <meta-data android:name="" android:resource="@array/bundled_libs"/>
            <meta-data android:name="" android:value="-- %%BUNDLE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="" android:resource="@array/bundled_in_lib"/>
            <meta-data android:name="" android:resource="@array/bundled_in_assets"/>
            <meta-data android:name="" android:value="-- %%USE_LOCAL_QT_LIBS%% --"/>
            <meta-data android:name="" android:value="/data/local/tmp/qt/"/>
            <meta-data android:name="" android:value="-- %%INSERT_LOCAL_LIBS%% --"/>
            <meta-data android:name="" android:value="-- %%INSERT_LOCAL_JARS%% --"/>
            <meta-data android:name="" android:value="-- %%INSERT_INIT_CLASSES%% --"/>
            <meta-data android:value="@string/ministro_not_found_msg" android:name=""/>
            <meta-data android:value="@string/ministro_needed_msg" android:name=""/>
            <meta-data android:value="@string/fatal_error_msg" android:name=""/>
            <meta-data android:name="" android:resource="@drawable/logo"/>
    <uses-sdk android:minSdkVersion="16" />
    <supports-screens android:largeScreens="true" android:normalScreens="true" android:anyDensity="true" android:smallScreens="true"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>

Android-APT project page:

As we know Android APT plugin officially obsoleted. The Android Gradle plugin (version 2.2) replaced the traditional plug in (Android APT) on Oct 2016.

An announcement issued by Android studio. Annotation Processing became available in Android Gradle plugin (2.2 and later) so there is now no need to use the Android APT plugin anymore if using version 2.2 of gradle or above.

You can remove the line :

apply plugin: ''

Question: How about the security status who still supports Android APT plugin?

If the Android Gradle plugin not in use, it is still a Eclipse project. Currently android-apt works fine with version 2.2 of the Android Gradle plugin, but it doesn’t work with jack.

Is there security concerns on Android APT plugin?

Plugin technology was initially introduced by third parties to add additional enhancements and capabilities to Android.The plugin will find all AspectJ aspects available in the project compile classpath, plugin class and weave .class files. Meanwhile AspectJ allow to hook. AspectJ to work on Android we have to make use of some hooks when compiling our app and this is only possible using the android-library gradle plugin.

From security point of view, plugin design might contain inherent risk because of the fundamental hook process design. The Android plugin technology is an innovative application-level virtualization framework that allows a mobile application to dynamically load and launch another app without installing the app. This technology was originally developed for purposes of hot patching and reducing the released APK size. The primary application of this technology is to satisfy the growing demand for launching multiple instances of a same app on the same device, sounds like I log in my personal and business Gmail  accounts simultaneously.

Abbreviations 1: Weave (Web-based Analysis and Visualization Environment)

Abbreviations 2: AspectJ is an aspect-oriented programming (AOP) extension created at PARC for the Java programming language. It is available in Eclipse Foundation open-source projects, both stand-alone and integrated into Eclipse.

APT, AspectJ, Javassist corresponding component

Sound scary but Android have their solution to mitigate the risk?

Can we wait for Android O?



Digital wallet – Where to go? iphone, Android or not going to use



I’m smart brain, gave me lazy….

The implementation of the smart phone change people life style. Any time any where you can get in touch with the world. It break follow the sun operation concept. Why? Both online shopping and settlement simultaneously because of electronic payment function. Below bar chart on left hand side shown internet users in select countries who purchase items via mobile device in 2013. Less than 3 years time, a significant usage of mobile payment has been growth in Greater China (see below picture right hand side).

Cyber attack is a never ending story. Malware infection technique take the advantage of computer users negligence. Even though Bank did not have expection. The headline news shocked the world includes The Bangladesh Bank robbery. It was so called the Bangladesh Bank heist, took place in February 2016, when SWIFT instructions to steal US$951 million from Bangladesh Bank.

In order to avoid cyber incident happen on electronic payment transaction. Financial industry especially payment gateway services provider find perfection of authentication method goal enhance the reliability of payment. For instance 2 factor authentication, a second random generation of pass code go through SMS forward to you mobile phone.

Electronic wallet upside down to the world

A third-party online payment platform was launched in China in 2004 by Alibaba Group. As times goes by, now the biggest market share in China with 400 million users. The coverage near 50% of China’s online payment market in October 2016. As of today electronic wallet looks like flooding went to different countries in the world especially China. Electronic wallet initiate by mobile phone. Below table can provide an hints to you in this regard.



A digital wallet refers to an electronic device that allows an individual to make electronic transactions

Digital wallet infrastructure elements


The account information and Card type lure the interest of criminals. But are you aware that there are difference in between mobile computing (electronic wallet) and traditional internet payment function (without electronic wallet). See below informatic diagram. Even though how precise and advanced encryption technology are deployed. But it is difficult to avoid a single device facing compromise. Personally I am not suggest my friend to use electronic wallet on his mobile phone. My friend was told even though money lost because of malware, it only lost the charge money value. Yes, from technical point of view it is correct. But reminded you that mobile OS is fragile. Why does it say mobile OS is fragile?


Why does it say mobile OS is fragile?

Android phone


Both the Android Runtime (ART) and Dalvik virtual machine perform routine garbage collection, this does not mean you can ignore when and where your app allocates and releases memory. Software designer need to avoid introducing memory leaks, usually caused by holding onto object references in static memory variables, and release any Reference objects at the appropriate time as defined by lifecycle callbacks.

Side effect of above defect – The easiest way to leak an Activity is by defining a static variable inside the class definition of the Activity and then setting it to the running instance of that Activity. If this reference is not cleared before the Activity’s lifecycle completes, the Activity will be leaked. So all depends on mobile apps developer design. It is hard to avoid memory leak. As you know, what is the defect of memory leak? Hacker relies on this error can implant malware.

If you would like to know more details, please refer below articles.

Heard that Android operating not secure anymore, but it is properly not.

How about IOS?

Design weakness:

Every WebKit object is RefCountedBase object

Mobile Safari and most of WebKit Apps leak address – Fill in another object and use the JS pointer of the old object to read information of the new object.

Should you have interest know the details on above matter, please refer below:

Meteor shower – Apple iPhone

Checkpoint : If above 2 technical articles make you feeling confused. Tired, you are not able to read. No problem we can jump to summary of this discussion. The information will stay here, anytime you have interest you are free to read.


IT & cyber security technologies due to limit development life cycle. OS claim itself is safe today but is it hard to guarantee next 6 months. The most fundamental weakness in mobile device security is that the security decision process is dependent on yourself. You are allow anywhere play online games & watch on-line TV program. Because of the web browser extend feature, uncountable plug-In drivers will install to your mobile phone. How about your personal information includes your personal account information. Do you think only relies on your local antivirus. The so called malware detection program can aviod the cyber attack?

My personal suggestion is that think it over before install or make use of electronic wallet on your mobile phone.

Have a nice day, Good Bye!


The other side of the story on cyber attack (Electronic war between countries)



We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique)


Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.


WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017


As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

The infection status of wannacry was not issued by North Korea government.  But for sure that wannacry type infection can suspend North Korea business finance and industries operations.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic




Must aware during web surfing – protect your personal privacy – turn off your camera on web browser


What’s our objective to discussion this topic today? Our goal is going to protect user privacy. As we know, internet traffic are under surveillance. This activities not limited to China nowadays. It was includes the major leader countries in Europe, England and USA.

Situation in China

The country like China provides a clear announcement. The China government was told that all internet traffics in China are under surveillance. And thus that they build the great wall (firewall).  (Tianhe-1 and Tianhe-2 (Milkyway-2) are capable to take this responsibility.

2016 Supercomputer magazine

Situation in United State

How about the surveillance program status from NSA (National security agency) . The NSA has official announcement was that after a comprehensive review of mission needs, current technological constraints, United States person privacy interests, and certain difficulties in implementation, NSA has decided to stop some of its activities conducted under Section 702. For more details, please find below URL for references:

NSA Statement: NSA Stops Certain Section 702 “Upstream” Activities – For more detail, please refer below url for reference.

NSA Stops Certain Foreign Intelligence Collection Activities Under Section 702 – For more detail, please refer below url for reference.

NSA Transparency Report: THE USA FREEDOM Act Business Records FISA Implementation – 15 January 2016 – For more detail, please refer below url for reference.

Above items given an idea to people our communications (electronic or without electronic) are under surveillance. A positive thinking of idea told yourself that such policy are going to fight against crimes. Apart from that are you aware of your personal privacy especially your mobile phone camera (Lens)? We known more secret on mobile phone recently. The execution of JavaScript or HTML5  allow access your mobile phone camera from Chrome (example shown as below):

Enable camera and microphone in packaged application for Chrome OS

navigator.webkitGetUserMedia({ audio: true, video: true },
            function (stream) {
                mediaStream = stream;
            function (error) {
                console.error("Error trying to get the stream:: " + error.message);

Remark: The audio and video for a <webview>-embedded page require permission. It will alert mobile phone owner. A software developer hints that the require permission might embedded audioCapture and videoCapture and put the permissions in manifest.json. The mobile phone user might not aware.

Below HTML5 program language which allow to select the source and pass it in as optional into getUserMedia. This function is available in Chrome web browser.

Step 1: Select source


Step 2: pass it in as optional into getUserMedia

var constraints = {
  audio: {
    optional: [{sourceId: audioSource}]
  video: {
    optional: [{sourceId: videoSource}]
navigator.getUserMedia(constraints, successCallback, errorCallback);

Step 3: Put the permissions on manifest.json or manifest.xml. The mobile phone user might not aware.

Above audio and video capture functions only do a reverse engineering will transform to other criteria of function receive your personal photo. Are you aware of it ?


Refer to above information. It looks that we need to spend more job affords to close the back door on your mobile phone, right? But the easy way to do from end user side is that just disable the camera on your mobile phone browser. Or just use a sticker to disable it. It is straight forward, bye!










Modern Sherlock Holmes – Find out the (malware & ransomware) perpetrators.


A science concept guide human being to hypothesize boldly, to testify rigorously. It looks to me that this concept is principle but I believe that more terms can enrich our technology life. For example, carry the don’t care term during your development and thinking. That is even though it was unsucessful, you will receive knowledge. You will dig out more during this circumstances.

Remark: Since don’t care term also apply to boolean expression. May be you are think that it is a little bit side track, right. But we are in cyber world. In digital logic, a don’t-care term for a function is an input-sequence (a series of bits) for which the function output does not matter.

OK, we go to the subject matter today. How we imagine that Sherlock Holmes do a study on cybercrime. Find out the (malware & ransomware) perpetrator?

Perform investigation

From digital forensic point of view, the investigation will focus on the following objectives:

Capturing a Live RAM dump
Acquiring a Disk Image
Discovering and Analyzing Evidence
Creating Reports

Since I am not going to suggest that we engage a real exercises now. It is not a good idea without preventive control to execute this job. Run in rush without preparation thus contain inherent risk harm your machine and personal data. So we step back take a hot example (wanna cry) see whether can dig out more idea and information.

Observation Point 1 – Languages

Since we are not going to do a forensic investigation. We simply walk through example (wannacry) on language setup.  From language setup capabilities (see below), it looks that it cover the languages all around the world.

Criminal psychology

From criminal psychology point of view, it looks that the criminal not going to specify a specifics target. A high level point of view that they are looking for money. Fully compatible of language set benefits for their objective.

Observation Point 1.1 – Written language and grammar

From detection point of view, the written language and grammar can provides hints to detective see whether to dig out hints. This hints may speculate for the direction of the detection. For example: the fundamental limitation of mother tongue translation to other native language.

Weakness of this detection method:

Such detection might fool by criminal group and intend to interfere the direction.

Observation Point 2 – Malware written technique:

Some of the times, the written programming style and infection technique might provides hints to detective to the right direction. But a lot of time will interfere the direction of investigation. For example: Wannacry relies on NSA (DoublePulsar) back door software agent or SMB v1 vulnerability (see below picture) to execute the job task. From normal circumstance’s, bad guy will implant a backdoor to victim machine to fulfill the infiltration job task. Unfortunately the backdoor software (DoublePulsar) was given from NSA of their global surveillance program. Wannacry is a ransome software. In the sense that NSA might not be the perpetrator. As a result it interrupt the trace process. The investigator can’t follow the hints to predict who is the appropriate party to do this criminal job.

Observation Point 3 – Down to the grove, execute forensic investigation

Since above observation items might contain fundamental weakness. As a matter of fact, those items of evidences might become a relevant evidence. The fundamental theory by law of relevant evidence interpret that relevant part of evidence is logically connected to the fact it is intended to establish” (Blackwell, 2004).  However the investigator or detective most likely will prefer to execute forensic investigation to receive the digital and demonstrative evidence.

Technical limitation of the forensic investigation

We know that ransomware infection crisis like Wannacry victims suspended Health care services in United Kingdom. The major effect which harm to whole hospital services over there! Since healthcare services maintains compliance standard. It is possible to let the forensic investigator do the investigation (see below step).

1. Capturing a Live RAM dump
2. Acquiring a Disk Image
3. Discovering and Analyzing Evidence
4. Creating Report

However a technical limitation has been found on traditional digital forensic investigation criteria.

Few evidences will be lost once victim power off their machine.
Victim which have technical know how will erase some evidence
Audit log disable by default

Advanced technology enhance  the limitation on their investigation algorithm

Technology company note with alert of the technical weakness during forensics investigation. A preventive mechanism was build to avoid lost of critical data after system power off. The enhancement is that an software agent will be installed on the workstations. The software agent will collect the delta (data change) and then forward to the centralized repository in real time.

As we know, no design and solution is prefect. For this enhancement it is prefect to implement to enterprise or corporate environment. For workstation for personal usage it is difficult to implement. A drawback alert to the detective or government enforcement team that there is a technical limitation on personal devices (personal computer workstations, mobile computing devices and IoT devices).
Multi-angle detection architecture
Readers, if you can read this down to here, we might know the mentioned investigation mechanism are able to collect the following details.

(1) Memory dump, (2) disk image, (3) malware activities finger print, (4) virus and malware types, (5) C&C server public IP address and (6) malware dropper file.

Even through we received above informations on hand. However, it is hard to provide a comprehensive of evidence proof who is the perpetrator! For example, it is hard to collect the information details once workstation compromised by wannacry. As a matter of fact the whole disk has been encrypted. So, what’s the next step when investigator face this problem.

Refer to below picture, you might aware that point C (C&C server) and point D (victim compromised web server) are located in different regions. They are not in single operation. Even though Forensics investigator are able to decrypted the hard disk or collect the activities log from their SIEM device. The trace result sometimes mislead the location of the area. It is hard to provides a clear picture. In order to identify the root sources. A detection terminology so called multi angle detection algorithm will be assist investigator in such circumstances.

The concept idea is that investigator will summarize the following entities.

1. Total no. of C&C servers and their IP addresses
2. Total no. of Victims (compromised web server) and their IP address
3. Categorized the IP address and highlight the IP address region

Remark: As we know, hacker will relies on Tor network to hide himself in effective manner. Since it is hard to know their location status once their connectivities get inside to the onion network (Tor network).

4. Execute forensic investigation to the compromised server (Point D)

5. Find out the C&C server connectivity (Point C)

6. Sometimes law enforcement team not going to let hacker know they has been traced. The job might run on ISP side (Point B). For instance, they will lock down the appropriate tor certificate and filter the certificate Issuer and Subject ID patterns.

7. Since two important elements (tor cert and C&C server public IP address) are known. It is more easy to do the following to find out the attacker source IP address:

a.  Define correlation rule to find out the source IP address of the attacker.

b. Apply Google analytic methodology to figure out the attacker IP address.

8. The final action is activate the local police force to arrest the hacker.


Regarding to above description it looks that it is not easy to lock down the hackers actual location. Heard that some security expert relies on English written skill or C&C server to predict the attacker source IP address. From technical point of view, it might contained distortion.