Military or Business Industry, Windows OS peripheral control bring to attention.

 

Preface:

Since the version of Windows XP, the Windows operating system feature embedded functionality of industrial applications.  However the motivation of factor on re-engineering of system depends on customer demand.

Case study details:

The US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015 

Information Background – According to SPAWAR official announcement on Jun 2015. The renewal process will buy the Navy time to migrate from its existing reliance on the expiring product versions to newer product versions approved for use in Ashore and Afloat networks, and will provide hotfixes to minimize risks while ensuring support and sustainability of deployed capabilities.

* The Space and Naval Warfare Systems Command (SPAWAR), based in San Diego, is an Echelon II organization within the United States Navy and is the Navy’s technical authority and acquisition command for C4ISR (Command, Control, Communications, Computers, Intelligence, Surveillance and Reconnaissance), business information technology and space systems.

Doubt – known design limitations

a. Windows OS system – The re-engineering schedule instead of Windows XP operating system.

  1. US Navy is paying Microsoft $9.1 million for continued Windows XP support – Jun 23, 2015. As of today, we believed that the operating system update has been done. However a valid design weakness on Windows operation system found on 2014 till today. It found by security expert that a kernel flaw appears to all version on Microsoft operating system platform since end of 2014 (see below picture diagram for references). From my personal point of view. I agree with Microsoft official comment on their announcement, this is not a security issue (device driver inject rootkit). My stand point is that the Windows operating system fundamental design objective does not catering for mission critical industries especially Nuclear power facility and military industry.  However the modern technology industries deploying in formal fashion of manner. Yes, I agree that the manufacture industry and business automation not shown the side effect of design limitation. But on mission critical industries, the design capability limitation similar a technology kill chain! Information security is a continuous program. Microsoft operation system  don’t have exception. A group of security expert re-open this flaw recently (Inside NT’s Asynchronous Procedure Call).  Asynchronous Procedure Calls (APCs) are a fundamental building block in NT’s asynchronous processing architecture. This architecture still valid till today.

The security expert highlight the flaw in regards to the following items. 

If you are not interested in technical descriptions detail, you can skip and jump to below item 2.

As a device driver writer, you can rely on APCs to execute a routine in a particular thread context without that thread’s intervention or consent whenever no guarantee of its address space’s availability can be made.  Since APC mechanism not on Ring 3 and therefore the fundamental of design not enforce protect this mechanism. As a result, a weakness was found in this place. The PsSetLoadImageNotifyRoutine function registers a notification function that is called when the image is loaded or the image is mapped to memory. The operating system calls the registered callback function after displaying the image executed in the user space or in the kernel space (just what we need, because the drivers are just loaded into the kernel), before the execution of the image. The main weakness of software driver integration with operating system is given by PsSetLoadImageNotifyRoutine.

* The PsSetLoadImageNotifyRoutine routine registers a driver-supplied callback that is subsequently notified whenever an image is loaded (or mapped into memory).

As we know, antivirus software using kernel driver to inject code into all all running processes. The antivirus software register for image creation notification and then queue some APCs that will execute in user mode and do the injection. Since the security level of protection of device driver on Windows OS all depends on 3rd party developer design.  A lot of security experts feedback comments on Microsoft OS products. They highlight that a flaw appears on kernel side. Microsoft official announcement was told that it is not a security issue.  The fact is that  malware can use API system call (PsSetLoadImageNotifyRoutine) to trick the OS into giving malware scanners other files. This would allow malicious software smuggling then by evade antivirus monitoring.

Device driver rootkit code (sample)

mov eax, [ebp+ImageInfo]
push dword ptr [eax+4]

Question:

Do you think the developer alert this issue on their design phase? From logical point of view, this unknown threat not announce to the world. Most of the protection mechanisms are implement falls under File, Registry, Process, DLL Load. Microsoft don’t allow anyone to hook the SSDT. For my comments, the system development cycle is division of job and therefore this protection mechanism will be fall into cyber security team job scope. As are result, the protection mechanism will be relies on antivirus and malware detection software. But the specific threat might evade malware scanner custodian.

It looks that remediation step on critical industries especially Nuclear Power facilities and Military Dept might do a audit.  As soon as possible to develop the protection mechanism through SSDT hooking.

2. Satellite communication systems design limitation

Since this topic has been discuss previous.  For more details of related article. Please see below url for reference.

Perhaps military battleship can destroy everything, but it could not win in the digital war!

 

Summary:

As of today (12th Sep 2017), my comments in regards to mission critical industries remain unchanged.  That is please re-confirm existing operating system peripherals issue before next action.

Enigma (Catalyst) – Risk investment techniques embedded inherent Risk technology

 

Preface:

Hedge funds will often use borrowed money to amplify their returns. One aspect that has set the hedge fund industry apart is the fact that hedge funds face less regulation than mutual funds and other investment vehicles. The Enigma team wants to build an environment where traders can also become hedge fund managers.

Understanding of the Enigma (Catalyst) system Platform

 

Enigma project objective: Enigma (Catalyst) platform wants to make it easy for developers to create trading robots and cryptocurrency funds, and then allow other users to emulate their success by purchasing funds/robots through an open marketplace.

Comment: In the sense that they would like to become the pioneer centralize the bitcoin types digital currencies. It looks like a global digital current exchange headquarter. In regards to the digital currency trend, the economic position of Bitcoin & Ethereum will be equivalent to traditional currencies in future. Regarding to our observation, the solid model of finance especially currencies of US dollar looks no longer become the leader of the world. It is better to develop a new concept to consolidated all the cash flow around the world compatible with popular OS system nowadays. According to the fundamental design, Enigma is the protocol run on protocol layer. In additional a platform so called catalyst. Catalyst is an algorithmic trading library for crypto-assets written in Python.

 

(Catalyst) system Platform OS requirement – Linux, Mac OS and windows 10

Catalyst platform – You are allowed to download  the source code from Website (GitHub) setup your environment for development.

Trading Strategies – You can browse a list of strategies submitted by the community through the Enigma’s web application: open an account, learn from others and create your own!

3rd Party APIs – Quantopian, Zipline, Pandas, Numpy & Matplotlib

matplotlib is a plotting library for the Python programming language and its numerical mathematics extension NumPy.

Quantopian is an online platform for algorithm development, testing and execution.  It offers a web-based Python editor interface with tight integration with a hosted version of their open-source back-testing framework Zipline.

Zipline is a Pythonic algorithmic trading library. It is an event-driven system that supports both backtesting and live-trading.

pandas is a software library written for the Python programming language for data manipulation and analysis

NumPy is a library for the Python programming language

Discussion checkpoint 1: The project objective of Enigma is going to build an environment where traders can also become hedge fund managers.

A common criteria on programming language – banking environment

J.P. Morgan uses Python for its Athena programme, and Bank of America Merrill Lynch has built Quartz using it. Python is now wide-spread across investment banking and hedge funds.

Discussion Checkpoint 2 : We known that Enigma introduce encryption technique so called homomorphic encryption. A way to encrypt data such that it can be shared with a third party and used in computations without it ever being decrypted.

A technical limitation is that bitcoin takes an average of 10 minutes before a transaction receives a network confirmation. What the benefits of Enigma?

  • Bitcoin’s block time is 10 minutes
  • Ethereum’s block time is 15 seconds.
  •  LITECOIN – It takes an average of 2.5 minutes for this process to complete.
  • MONERO – 1/5th of the time bitcoin generates a block, which does not include any anonymity features
  • RIPPLE – The average Ripple network block is generated in as little as 3.5 seconds.

What is the benefits of faster block time from cyber security viewpoint

Empty blocks are often actually good for the network. There is always a non-zero amount of time before miners calculate their next block template. From technical point of view it avoid a duplicate transaction counterfeit by anonymous party.

Defense in depth

It looks that new technology implement on Enigma digital currency platform (Catalyst) looks perfect. So can we say this is a perfect solution? But what is the background reason lets half million worth of digital currency in unknown status? News article claimed that the incident has been caused by email scam.  For more details, please see below url for reference.

With Enigma, the attackers used their access to announce a “pre-sale” via Enigma’s site, messaging channels, and email. They provided an Ethereum “address” they controlled for investors to send money to. And that’s exactly what happened, with users handing over 1,492 Ether — around $480,000 at current prices said Business insider UK.

http://uk.businessinsider.com/hackers-steal-500000-ethereum-enigma-investors-2017-8

Enigma crypto technology (see below) found by Nazi Germany during World War II.

Alan Turing (United Kingdom) and his attempts to crack the Enigma machinecode during World War II. The decryption method so called banburismus technique (see below)

But Hacker did not going to spend too much man power to break through the crypto system. They are smart to use social engineering technique (SCAM EMAIL) to mislead the investor send the money to a counterfeit site. This technique similar break through enigma crypto system use intercept technique.

 

My imagination (assumption and proof of concept)

Banburismus was a cryptanalytic process developed by Alan Turing at Bletchley Park in England during the Second World War. A program was initiated by Bletchley Park to design much faster bombes that could decrypt the four-rotor system (Enigma) in a reasonable time. The conceptual ideal shown as below:

A deduction step used by the bombe; while the actual intermediate values after the plugboard P — the “steckered” values — are unknown, if one is guessed then it is possible to use the crib to deduce other steckered values. Here, a guess that P(A) = Y can be used to deduce that P(T) = Q because A and T are linked at the 10th position in the crib.

Above conceptual idea looks have possibilities to crack the Enigma. But this is not the true structure of Enigma (Catalyst) platform. However value and Y and Q are the significant value and apply to similar concept of architecture design to other crypto system. So this is the design weakness of the equivalent.

Apart from that (Catalyst) system Platform & 3rd party APIs are deployed on Python programming language intensively. We agreed that it is hard to avoid vulnerability found on software and hardware today. But hacker execute code can more easy execute on system platform which install python on top.

A critical vulnerability occurs on Sep 2016 in Python.The vulnerability allows remote attackers to have unspecified impact via a negative data size value, which triggers a heap-based buffer overflow (CVE-2016-5636). As a result it leading to arbitrary code execution. If similar vulnerability happen in future, Hacker not only compromise the fund manger Enigma (catalyst) platform, it might possibilities to amplifying the attack to the Enigma exchange.

Discussion checkpoint 3:  Engima official announcement  will be held on 11th Sep 2017. Let’ s see how the status of finance market to cryptocurrency world.  For sure that we will keep track the activities see whether any details let us to start another discussion.

We hope that the  Enigma (catalyst) system will succeed in the future.

Goal and Objective

 

 

 

Scientific versus Prejudice – Cyber war Part II

Preface

The scandal of NSA let the world know large scale survillence program over the world. Perhaps the objective of the NSA not only this matter. We known that a vulnerability happened on VSAT satellite system. It allow malicious SMS signal obfuscate the system operation. For more details, please refer to below URL.
The war happens today hard to avoid to involve cyber technology battle. This is the prelude of the discussion today. What if, my imagination comes true, what will happen in this battle?

NSA’s backdoor catalog (OS system and Network) exposed:

On exposed information, a group list of vendors name are included in their target list. As we know, we believed that Microsoft, Cisco products hidden their backdoor. However CEO of Cisco tell the world that their products did not have embedded backdoor. Microsoft president Brad Smith blamed the NSA spy agency tarnished their system design. Do you think those two big head is a actor or they are really don’t  know?
Conspiracy theory point of view on OS system ( merely personal opinion )

In conspiracy theory point of view, what is the reason for operation system vendor maintain SMB version 1 until NSA scandal exposed to the world then take the patching action. Perhaps if not WannaCry ransomware attack outbreak tarnished SMB 1 design limitation. Meanwhile hacker claimed that they are appreciate for NSA found this secret! Since nobody aware this issue until secret leak to the world! But who know what is the true factor let OS vendor delay SMB version 1 patching schedule till incident happen afterwards? (Microsoft released patches for all supported versions of Windows on the March 2017).

Conspiracy theory point of view on Network system ( merely personal opinion )

Based on the Shadow Brokers disclosed. The two exploits, listed in the archive directory as EPICBANANA and EXTRABACON, can be used to achieve remote code execution on Cisco firewall products. A vulnerability exploited by one of the tools was patched in 2011 but the other exploit’s vulnerability is entirely new. From logical point of view, it is hard to imagine that such big technology company did not know the design weakness of their product? Maybe they are trustworthy. Or Who know, God know?

Who dare say there is no unknown backdoor in hardware unit including CPU

Information Update on 31st Aug 2017 – Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability Escalation of Privilege

Headline news today report that CPU vendor design computer according the requirement by customer , sometimes the client is a government. For instance, US government might compliance to their security standard (High Assurance Platform program so called HAP). However a design limitation was found. An official announcement by Intel in regards to this vulnerabilities on May 2017. Furthermore security experts found a unknown backdoor on Intel ME Chip. From technical point of view, this is not coincidence and speculated that both vulnerabilities has relationship.

https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html

From safety view point, it is impossible to use hostile national science and technology products

 

In defense and protective prospective, it was not possible to use hostile national science and technology products in military zone. Even though the hardware and operation system vendor are trustworthy. However the hostile country will try different to implant malware or infiltrate techniques to related system. For instance, Network equipment vendor (router, switch and firewall) do not know the design weakness will trigger such critical level of destructive result.  Below is a simple example to proof this concept.

Picture A is the reference of normal network operating scenario. We understand that internet world coexists with BGP network protocols.  The zoning driven by AS number (autonomous system number). The AS Using BGP to Distribute Routes. For instance, on picture B. The ISP D network equipment hits SNMP design flaw and encountered core OS buffer overflow causes privileges escalation. As a result the core router has been compromised. Base on BGP protocol hijack concept, the compromised router might obfuscate the network. It might have way to control the network routing path. I am not going to explain into details since it is a very long discussion. However if you base on above techincal terms and concept do a google search. You will be able to find the details. Yes, internet world is the big data. It  is free. 

Put above concept to the realistic world

Since above example is my imagination, however it will bring a solid idea to you. How serious level of destruction will be occurs in similar circumstances. So to protect yourself in cyber war battle seems better do not let your enemy know what type of equipment you are in use. Even though they are using CVE attack or Zero day attack. You equipment will be ignore those kind of cyber attack.

The focus of the discussion

I can’t written down a term of summary or conclusion right now. Since there are more and more information coming. However I need to study the details before continues this discussion. Ok, have a nice weekend. We discuss next time, Thank you! Bye!

Picture A – Normal scenario (request to reach adjacent side IP address)

Picture B – Telecommunication service provider network equipment compromised by hostile national.(As a result, the network traffic will route to their area and under their control)

 

Electronic War reference:

http://www.antihackingonline.com/cell-phone-iphone-android-windows-mobile/the-other-side-of-the-story-on-cyber-attack-electronic-war-between-countries/

 

 

 

 

 

 

 

Perhaps military battleship can destroy everything, but it could not win in the digital war!

We heard battleships accident occurs this year. The most recent accident was that it collides with oil tanker near Singapore! (see below BBC news)

http://www.bbc.com/news/world-asia-40995829

I am interested of cyber security technology and believed that Navy already has advanced cyber defense mechanism. The errors which occurred was taken by careless mistake! Headline news was told that a possibility might causes by cyber attack. It is hard to believed in earlier stage that this is a possible factor. But now change my mind, since (VSAT) Satellite Communication Systems rife with security flaws. It was vulnerable to Remote Hacks path! This technical limitation not the news today. It was found on 2014. The subject matter expert found that just sending a simple SMS or specially crafted message from one ship to another ship would be successful for some of the SATCOM systems.

Remark: Rumors told that a weakness happen on VSAT Firmware.

A design weakness was found on the system based on Information security design best practice (see below information for reference)

Identification – identify trusted source (malicious SMS or crafted message)

Authentication – permit or denied request (an authentication mechanism system authorize the electronic computing process)

Silence (behalf of penalty) of the lambs

We all known the discipline of Military is serious. Any change management requires inform the duty officer (captain). For instance, management team define the fairway. It requires authorize person acknowledgment before modifications. If the specify accident not a low level mistake (absence duty or incorrect operation procedure). It looks that the hardware manufacturer might bare the responsibilities. However do the firmware upgrade not a difficult way in IT world because Microsoft do the software patching weekly!

My comments

Since the overall political atmosphere looks unstable in APAC countries. The United States Seventh Fleet responsible to equality of power and peaceful of this area (after finished the battle of World War II). However a technical limitation (hiccup) shown to the world in military force. Even though you have anti-defense to offence missile send by South Korea. But any military plan it is a dangerous game indeed.

 

Perhaps Enigma contains iron wall, but it couldn’t defense the a simple word processing technology

 

Preface

Enigma crypto currency Platform told the world they are next generation of cypto currency Exchange. Banking and financial industry believes that this is a trustworthy platform. Not Kidding, enterprise invests to build and support. Apart from that MIT expertise develop and design a prefect cryptographic mechanism. A shock to the world this week said that they are fall into the victim group of cyber attack.

https://www.wired.com/story/enigma-ico-ethereum-heist/

Headline news claimed that it cause by “DUMB MISTAKE” – Slack account with administrative privileges, had previously leaked

What if! We assume that their Enigma design architecture is not vulnerable. And there is another reason let this incident occurs. Is it a insider threat caused by end user computing?

This incident under law enforcement investigation. since we do not know the root cause. But we can setup a virtual reality scenario see whether we can find out the possibility.

PDF format of file, a benefits bring to malware

  1. Hidden inside a Word document that’s hidden inside a PDF

Scenario:

Step 1: Emailed spam with a PDF attachment
Step 2: PDF has an attached document inside, which is trying to get opened by the Acrobat Reader
Step 3: Once the document is opened in MS Word, it asks you to enable editing (social engineering attack)
Step 4: Runs a VBA macro, which downloads and runs the malicious code
Step 5: Insider threat happens. Try to collect the sensitive data includes credential

2. Open source applications lure malware infection

Sounds not possible! Enterprise firm less implement software application open source concept. As a matter of fact, similar idea happened in enterprise firms including broker firm and investment banking. It is hard to image that such profit making industries concerns about software licenses. But it is a factual case.

Scenario:

A critical zero-day security vulnerabilities in Foxit Reader software that could allow attackers to execute arbitrary code on a targeted computer.

CVE-2017-10951 –  vulnerabilities can be triggered through the JavaScript API in Foxit Reader.

CVE-2017-10952: This vulnerability exists within the “saveAs” JavaScript function that allows attackers to write an arbitrary file on a targeted system at any specific location

Remark: Foxit refused to patch both the vulnerabilities because they would not work with the “safe reading mode”

3. Vulnerability in LinkedIn Messenger 

Scenario:

Even though enterprise firm will be included Linkedin into the white list. It allow their staff access without restriction. Regarding to subject matter expert vendor (Checkpoint), Linkedin message Would Have Allowed Malicious File Transfer. LinkedIn allow the following file extensions to be uploaded and attached within a message:

Documents – csv, xls, xlsx, doc, docx, ppt, pptx, pdf, txt.
Images– gif, jpeg, jpg, png.

As a result, the specific issue triggers inherent risk fall into above item 1 information security design weakness.

Current status

Let stop discussion here, there are more possibilities or ways once the attack vector happens on insider threat (end user computing). We keep our eye open see whether any new findings later on.

Common vulnerability on application – who’s the perpetrator – Part 1

Preface

We heard cyber security incident daily, seems like a habit forming or it will be happened daily. We wasn’t gutted ( Feeling sad and unhappy) since we have already become insensitive!

Who’s the perpetrator?

The design limitation not only found on hardware (BIOS), OS (system kernel , dynamic link library and software driver). Besides, the critical risk sometimes found on application program design.  Since mobile phone become the technology world main stream in the market because of BYOD enable concept.May be you observe this factor earlier. Both personal computer and BYOD device looks has common criteria (not the security standard common criteria). The fact is that they are heavy duty to deploy of Java application. From technical point of view, the difference in between personal computer and BYOD device application platform might have minor things. For instance application cannot display on small size display screen. Web browser compatibility issue. Perhaps those problem enough to annoys application developers. However in regards of application infrastructure both personal computer and BYOD devices are sharing the similar application source. And such a way carry out a visible securiy bottle neck on application design. Yes, we select one of the bottle neck on software application development to discuss today. It is the API key, so I dubbed API key is the perpetrator.

What is API key?

With reference to Wikipedia (see below details for reference)

An application programming interface key (API key) is a code passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site.

API keys can be based on the universally unique identifier (UUID) system to ensure they will be unique to each user. The API key often acts as both a unique identifier and a secret token for authentication, and will generally have a set of access rights on the API associated with it.

Appendix i :

API key = public unique identifier for your app.

Access token = another secret! But a new one is generated every time a new person installs your app. Each one is used for authentication of regular API calls to a particular shop.

API Key fundamental design weakness 

Kill chain – scenario A (Application program design weakness)

  • User gets infected with malicious program
  • Malicious program opens up /rest/config
  • Malicious program navigates to / and takes the CSRF token from the cookie it receives
  • Malicious program now has complete control over the REST POST interface

Kill chain – scenario B (system application software package (library) design weakness)

JSON Web Token (jwt) vulnerability includes the following authentication mechanism : node-jsonwebtoken, pyjwt, namshi/jose, php-jwt or jsjwt with asymmetric keys (RS256, RS384, RS512, ES256, ES384, ES512)

The original design of JSON Web Token structure contains 3 parts , a header, a payload, and a signature.  See below details for reference.

Prerequisite – require X509 Private/Public Key Pair to generate the digital signature.

The Base64-URL encoded representation of the Secure Header
The Base64-URL encoded representation of the Payload
The signature that is generated from the combined "payload.header"
Assembling all of these together as payload.header.signature

Below simple node.js code that uses the jsjws node module to create the JWS

var assert = require('assert');
var jsjws = require('jsjws');
var fs = require('fs');

var privKeyFile = fs.readFileSync('./dsig-key.pem');
console.log("privKeyFile: " + privKeyFile);
var priv_pem = jsjws.createPrivateKey(privKeyFile, 'changeit','utf8');
var pubCertFile = fs.readFileSync('./dsig-cert.pem');
console.log("pubKeyFile: " + pubCertFile);
var pub_pem = jsjws.X509.getPublicKeyFromCertPEM(pubCertFile.toString())

var header = { alg: 'RS256' };
console.log("Header: " + JSON.stringify(header));
var payload = { 'a':'b',
'c':'d',
'e': 1.0
};
console.log("Payload: " + JSON.stringify(payload));

var sig = new jsjws.JWS().generateJWSByKey(header, payload, priv_pem);
console.log("Signature: " + sig);
var jws = new jsjws.JWS();

assert(jws.verifyJWSByKey(sig, pub_pem, ['RS256']));
assert.deepEqual(jws.getParsedHeader(), header);
assert.equal(jws.getUnparsedPayload(), JSON.stringify(payload));

console.log("UnparsedHeader: " + jws.getUnparsedHeader());
console.log("UnparsedPayload: " + jws.getUnparsedPayload());

Found Critical vulnerabilities in JSON Web Token libraries (March 31, 2015)

A design limitation on library occurred, some libraries treated tokens signed with the none algorithm as a valid token with a verified signature. This is so called “none” algorithm.

Therefore hacker can create their own “signed” tokens with whatever payload they want, allowing arbitrary account access on some systems.

Remediation & Mitigation

It looks that the vulnerability found on library has security remediation today. As we know the vulnerabilities in JSON Web Token libraries can settle by latest version of software libraries. But how about the application program design weakness item?  As far as I know. Even though you are going to manage your API Keys with Java, Jersey, and Stormpath. The common standard on API Key management in the market more relies on the following solution.

  1. Filter  (regular expression). As far as I know,  It requires the preventive control filtering function to avoid
  2. Define full scope of authentication mechanism (something you have,something you know and something you are)
  • Define authentication protocol
  • Based on the authentication result object do the integrity check
  • Check the token that received, and appropriately gives appropriate action (forbid or access).

Opinion

In regards of API key, authentication Token & XML language are hard to avoid the risks once they are working together. However it is hard to avoid in such operation manner in business world. But I would like to let this opportunities to urge software developer that JSON Web Tokens should be avoided in your application design.  If your design insists to adopt such methodology. You must re-confirm the data classification level in your local repository and business criteria. If both two domain subjects not in DCL 3,4 and not the critical business operation. May be it still a green light signal. If not it is better to find other alternative.

China ban VPN connectivity – current status Aug 2017

 

Preface:

The objective of China government ban VPN connectivity goal to control over its national internet, free from undue foreign influence.

Schedules (Milestone)

Action 1 – China Government Seeks Public Comments on the Cryptography Law (May 2017)

Action 2 – Telecommunication services providers includes China Mobile, China Unicom and China Telecom, to bar people from using personal VPN with effective Feb 2018. This is a mandatory action.

Action 3 – An official announcement of New cybersecurity regulation especially on Virtual Private Network connectivity (see below for reference) with effective on 1 June 2017.

Act:  The state shall take measures to monitor, defend against and deal with cybersecurity risks and threats from both inside and outside the territory of the People’s Republic of China, protect critical information infrastructure from attack, intrusion, interference and damage, punish illegal criminal activities on the network in accordance with the law, and maintain cyberspace security and order.

Action 4 – Green VPN, a China-based VPN service mainly employed by native Chinese users to bypass the Great Firewall, has been shut down on Jul 2017.

Action 5 – Apple has removed VPN apps from China’s App Store

Action 6 – China moves to block internet VPNs from 2018

Current VPN activities in China

The latest crackdown is focused on individuals, which means companies and other organizations will still have the ability to access VPNs or VPN-like services as long as they are registered.

Great wall (China Firewall) responsibility

Denied internet connectivity to Facebook, Twitter, YouTube, and Instagram. The new blocked sources include the New York Times and the Wall Street Journal, along with sites such as Google Scholar.

Next Step

1. All internet users in China go online using services run by the state-owned carriers.

2. Forcing companies to store information within the mainland.

3. The government has ordered China’s three telecommunications companies to completely block access to virtual private networks, or VPNs, by February 2018. For those who requires VPN function, it require to apply the registration license.

Highlight – Major objective of new cyber security regulation

Forcing companies to store information within the mainland.

The electronic certification service vendor (approved by China government) list displayed below:

电子认证服务使用密码许可单位名录
  
(许可证有效期5年)

序号
单位名称
所在地区
许可证号
发证日期
1
山东省数字证书认证管理有限公司
山东
0001
2015/5/1
2
上海市数字证书认证中心有限公司
上海
0002
2015/7/1
3
陕西省数字证书认证中心股份有限公司
陕西
0003
2015/6/1
4
浙江省数字安全证书管理有限公司
浙江
0004
2015/8/20
5
江西省数字证书有限公司
江西
0005
2015/9/25
6
河南省数字证书有限责任公司
河南
0006
2015/5/1
7
吉林省安信电子认证服务有限公司
吉林
0007
2016/4/19
8
中金金融认证中心有限公司
北京
0008
2015/3/1
9
西部安全认证中心有限责任公司
宁夏
0009
2015/9/25
10
北京天威诚信电子商务服务有限公司
北京
0010
2015/3/1
11
福建省数字安全证书管理有限公司
福建
0011
2015/11/16
12
东方中讯数字证书认证有限公司
重庆
0012
2015/3/1
13
广东省电子商务认证有限公司
广东
0013
2015/3/1
14
数安时代科技股份有限公司
广东
0014
2016/6/11
15
湖北省数字证书认证管理中心有限公司
湖北
0015
2015/7/1
16
辽宁数字证书认证管理有限公司
辽宁
0016
2015/3/1
17
北京数字认证股份有限公司
北京
0017
2016/12/9
18
江苏省电子商务服务中心有限责任公司
江苏
0018
2012/5/24
19
颐信科技有限公司
北京
0019
2015/3/1
20
新疆数字证书认证中心(有限公司)
新疆
0020
2015/4/1
21
河北省电子认证有限公司
河北
0021
2012/3/16
22
山西省数字证书认证中心(有限公司)
山西
0023
2015/4/1
23
北京国富安电子商务安全认证有限公司
北京
0024
2015/3/1
24
安徽省电子认证管理中心有限责任公司
安徽
0025
2015/3/1
25
深圳市电子商务安全证书管理有限公司
广东
0026
2015/5/1
26
中网威信电子安全服务有限公司
北京
0028
2015/11/15
27
北京中认环宇信息安全技术有限公司
北京
0029
2016/8/1
28
湖南省数字认证服务中心有限公司
湖南
0030
2015/3/1
29
中铁信弘远(北京)软件科技有限责任公司
北京
0031
2015/3/1
30
卓望数码技术(深圳)有限公司
广东
0032
2015/7/10
31
河南省信息化发展有限公司
河南
0033
2016/5/4
32
东方新诚信数字认证中心有限公司
湖南
0034
2012/2/23
33
广西壮族自治区数字证书认证中心有限公司
广西
0035
2013/3/7
34
沃通电子认证服务有限公司
广东
0036
2015/4/1
35
北京世纪速码信息科技有限公司
北京
0037
2014/12/2
36
云南省数字证书认证中心有限公司
云南
0038
2013/2/20
37
贵州省电子证书有限公司
贵州
0039
2013/2/20
38
山东云海安全认证服务有限公司
山东
0040
2015/6/12
39
内蒙古网信电子认证有限责任公司
内蒙古
0041
2015/9/6
40
苏博云科数字认证有限公司
湖南
0042
2016/10/12
41
黑龙江省数字证书认证有限公司
黑龙江
0043
2016/4/13
42
四川省数字证书认证管理中心有限公司
四川
0044
2016/5/1
43
天津市滨海数字认证有限公司
天津
0045
2016/5/16
44
泰尔认证中心
北京
0046
2016/7/19
45
重庆程远未来电子商务服务有限公司
重庆
0047
2016/10/26
(截止2016年12月15日

 

 

Bitcoin – Break the traditional rule of the world!

 

Preface

It looks a silent revolution, bitcoin technology spreading to the world. Even though government unsupported this financial tool and proprietary financial firm not accept this technology.
But he is valid in the finance and investment market. As a matter of fact, the activities running strong today (7th Aug 2017).

Our earlier study on block chain technology motion

Comparison table:

Hyperledge Ethereum Bitcoin
Association Linux Foundation Ethereum Developers Bitcoin Developers
Currency N/A Ether BTC
Mining Reward N/A Yes Yes
Network Design goal – Private Design goal – Public Public only
Privacy Private Open Open
Smart Contracts Multiple-programming language C++,Rust and Go i. Bitcoin Core, is written primarily in C++
ii. Lightweight clients like MultiBit and Bitcoin Wallet written in Java

 

Rouge-et-noir , they are all going to achieve this objective (blockchain or Hyperledger)

The maturity business model of bitcoin today

The fundamental design concept of bitcoin improvement program are based on vote or user input. And therefore Bitcoin is not controlled by any single entity or company. Whereby an improvement program framework has been introduced. It is so called BIP (Bitcoin Improvement Proposal).

Remark 1: A Bitcoin Improvement Proposal (BIP) is a design document for introducing features or information to Bitcoin. The BIP should provide a concise technical specification of the feature and a rationale for the feature. This is the standard way of communicating ideas since Bitcoin has no formal structure. The first BIP (BIP 0001) was submitted by Amir Taaki on 2011-08-19 and described what a BIP is?

Proposal 91

Upcoming Bitcoin activation of Bitcoin Improvement Proposal 91 (BIP 91). Bitcoin Improvement Proposal 91 (BIP 91, also known as Miner Activated Soft Fork) recently locked in over 90 percent of all mining hash power, signaling majority support for this proposal. BIP 91’s lock in effectively makes BIP 148 (User Activated Soft Fork scheduled for August 1) obsolete and discard the chances of the Bitcoin network forking through UASF (User Activated Soft Fork). What is the reason to nullifies UASF?

Bitcoin Possible Crisis, User Activated Soft Fork(UASF BIP-148)-Vulnerability encountered CVE-2017-9230

For more details about the vulnerability, please refer below url for reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9230

Bitcoins tell the world,  sunrise is on the way.

The Bitcoin Improvement Proposal (BIP) expect to meet the goal on 1st August 2017. The goal is launch of a new coin and Bitcoin Cash (BCC). These coin should include strong replay protection. All you need to do to be able to access your BCC is control your bitcoin (BTC) private keys on this day.

BIP 91 objective – BIP 91 requires 80% of the coin miners to support. Besides, it require to locking  SegWit2x’s (SegWit) update on 1st August 2017.

Remark 2: SegWit was proposed by Bitcoin Core volunteers to increase network capacity and solve transaction scalability through soft folk on 2015.

Remark 3: SegWit2x (BTC1): Supported by miners and start-up companies, the proposal aims to develop SegWit through a soft fork.

Breakthrough – below voting status shown that BIT 91 receive miner fully support

Summary:

As of today, bitcoin looks running strong in the market. We keep our eye open see whether any unforeseen matter happen in coming month.
……..in deo speramus

 

 

 

 

The enemy of ASLR (Address space layout randomization) – memory leak

Preface

Address space layout randomization (ASLR) is a computer security technique which popular in cyber world today. Since it reduce the ratio of incident hit rate of malware infection. Do you agree that there is not required to worries about malware infection once ASLR implemented?

Start discussion

We discuss ASLR topics in our earlier discussion (see below).  Our discussion last time focus on virtual machine (VM) especially VMware.

Mirror Copy – He is great partner of virtual machine but he can kill VM simultaneously – address space layout randomization

We move our focus on mobile phone this time especially Android system. As far as we know, chip-set vendors (Qualcomm and Intel) going to reduce the attack surface with division of duty of design.

Highlight of division of duty of design on mobile chip set

Baseband processor: Manages all the radio functions except Wi-Fi and Bluetooth radios. A baseband processor typically uses its own RAM and firmware.

WiFi chip-sets:  responsible for handling the PHY, MAC and MLME on its own, and hands the kernel driver data packets that are ready to be sent up.

Reference point:  We noticed that research found that hacker can implant malicious code relies on WiFi chip-set design weakness to compromised Baseband processor. Since WiFi chip-set did not protect by ASLR technique. But this time we are not going to focus on chipset design weakness from mobile phone topic. As such we move on to the following items of discussion.

ASLR implementation status on Android

Early Android versions only had stack randomization due to lack of kernel support for ASLR on ARM. The address space layout randomization (ASLR) has been adopted in their design since 2015. Android version  4.1 introduced support for full ASLR by enabling heap randomization and  position Independent Executables (PIE). But we frequently heard that Android OS encountered malware infection. But what is the root causes?

  1. Non traditional spawning model

On Android system (from my personal view point it is a tailor made Linux), but the memory management design have different. A process so called Zygote.
However the zygote process have design limitation. It might have possibilities let malware to do the infiltration (see below detail for reference).

 

Mobile apps like your wife or girlfriend. They are tracing you!

2. Memory leak

Android system needs to manage memory allocation resources. A programmatically initiate that Garbage initiation when memory runs short. Garbage collection base on the following criteria.

a. Verify all object references in memory , non reachable object will go to Garbage collection. Everything else are wiped out from memory to free up resources

b. Everything serving the user should be kept in memory

Garbage collection design weakness Highlight

a. The drawback is that when code are written in negligence form result that unused objects are referenced somehow from reachable objects, garbage collection would mark unused objects as useful object. As a result it would not be able to remove. This is called a memory leak. From technical point of view, memory leak will be few kilo bytes to mega bytes. However mobile phone application relies on  java engine and Java script. Java dynamic language use garbage collect to management memory. To enhance CPU performance, a caching technology will be in use. A design weakness was found is that component shares some of its cache with untrusted applications. Hacker could send malicious JavaScript that specifically targeted this shared memory space.  A known bug (see below CVE details) confirm that JavaScript Attack Breaks ASLR on CPU Micro-Architectures  (vulnerable CPU displayed as below:)

CVE – vulnerabilities on CPU

CVE-2017-5925 is assigned to track the developments for Intel processors
CVE-2017-5926 is assigned to track the developments for AMD processors
CVE-2017-5927 is assigned to track the developments for ARM processors
CVE-2017-5928 is assigned to track the JavaScript timer issues in different browsers

Vulnerable CPU (mobile phone devices)

Allwinner A64 ARM – Cortex A53 (2016)
Intel Xeon E3-1240 v5 – Skylake (2015)
Intel Core i7-6700K – Skylake (2015)
Intel Celeron N2840 – Silvermont (2014)
Samsung Exynos 5800 – ARM Cortex A15 (2014)
Samsung Exynos 5800 – ARM Cortex A7 (2014)
Nvidia Tegra K1 CD580M-A1 – ARM Cortex A15 (2014)
Nvidia Tegra K1 CD570M-A1 – ARM Cortex A15; LPAE (2014)

b. The side-channel attack capable to bypass ASLR algorithm and assists malware implant to the system. The modern CPU require work with internal or external cache. Therefore this is the other alternative way may potentially bypass ASLR memory protection.

i. Evict + time

The attacker measures the time it takes to execute a piece of victim code. Then attacker flushes part of the cache, executes and times the victim code again. The difference in timing tells something about whether the victim uses that part of the cache.

ii. Prime + probe

The attacker now accesses memory to fill part of the cache with his own memory and waits for the victim code to execute. (Prime) Then the attacker measures the time it takes to access the memory that he would carefully placed in cache before. If it’s slow it is because the victim needed the cache and this gives us knowledge about what victim did. (Probe)

iii. Flush + reload

The flush and reload attack utilizes that processes often share memory. By flushing a shared address, then wait for the victim and finally measuring the time it takes to access the address an attacker can tell if the victim placed the address in question in the cache by accessing it.

Summary:

It looks that new technologies claimed that it avoid malware infection. For instance 64-bit OS and ASLR. As a matter of fact, these technology are valid and required. However we can’t say we are now secure! Refer to above discussion. Any mis-use operation or negligence form of programming technique, hacker might find vulnerability to compromise your mobile system even though ASLR is running on your mobile.

Tips to detect Android memory leak

LeakCanary is an Open Source Java library to detect memory leaks in your debug builds.

You create a RefWatcher instance and give it an object to watch:

// We expect java-id-session to be gone soon (or not), let's watch it.
refWatcher.watch(java-id-session);

When the leak is detected, you automatically get a nice leak trace:

* GC ROOT static ..............
* references .............
* leaks ....... instance

Have  a nice weekend!

 

 

 

 

 

 

Do you think Mainframe forever secure in cyber world?

Preface:

IBM z/OS assumed to be secure because it have ACF2 & RACF.

Mainframe access control types:

RACF – Resource Access Control Facility or RACF® provides the tools to help the installation manage access to critical resources.

ACF2 – (Access Control Facility) is a commercial, discretionary access control software security system developed for the MVS (z/OS today), VSE (z/VSE today) and VM (z/VM today)

Start discussion

Why we have this discussion topic today? We all known IBM z/OS is a proprietary OS. The Enterprise firms especially Banking and Finance group They are relies on mainframe comupter to do the handle the high volume of electronic transaction procoess.

A term so called operation day end process, it is well known job process in banking finance, broker firm and insurance industries.

Since Mainframe responsible for the back end job and therefore the modern Java apps with front end web application not direct communicate with this giant (see below diagram for reference). The inquiry and data download will be responsible by middle tier. Such architecture implementation not require high risk components especially Java components did not install on top of mainframe partition (LPAR).

As times goes by, Unified Computing System techniques like from virtual storage integrate to cloud computing and run in wide range of coverage. Actually mainframe is the pioneer of Unified Computing System technology. Since 2000 IBM z/OS (MVS) capable to support more than one OS running on top on the machine. It can be partitioned into multiple logical partitions, each hosting a separate operating system. A logical partition, commonly called an LPAR, is a subset of a computer’s hardware resources, virtualized as a separate computer.

Vulnerability not the proprietary of Microsoft OS and Linux OS

The penetration test performed by Mark Wilson on 2013. There are over 100 vulnerabilities found on z/OS even 1.13. The weakness of z/OS happened in the following area:

  • Poor APF Library protection
  • Poor SURROGAT profiles
  • Poorly coded SVC’s

Reference: z/OS V1R1 was first introduced in October 2000, z/OS Initial release on March 30, 2001 , Version 2.2 (V2R2) introduced on June 28, 2015. On February 21, 2017 IBM z/OS Version 2 Release 3 go to the market and available to use.

Hold different opinion on vulnerability

My assumption base on the security findings of a security auditor (Ayoub Elaassal) from Black Hat conference in Las Vegas.  His finding is that the ASM program updates the ACEE block in memory to give temporary SPECIAL privilege and causes privileges escalation. Hints that if you want to manually specify the user getting the SPECIAL privilege, replace userid() with any user in line 104 (see below command syntax for reference)

QUEUE "/*"
 QUEUE "//STEP01 EXEC PGM="||PROG||",COND=(0,NE)"
 QUEUE "//STEPLIB DD DSN="||APF_DSN||",DISP=SHR"
 QUEUE "//STEP02 EXEC PGM=IKJEFT01,COND=(0,NE)"
 QUEUE "//SYSTSIN DD *"
 QUEUE " ALU "||userid()||" SPECIAL OPERATIONS"
 QUEUE "/*"
 QUEUE "//SYSIN DD DUMMY"
 QUEUE "//SYSTSPRT DD SYSOUT=*"
 QUEUE "//*"

Ayoub Elaassal create a utility to test the privileges escalation on z/OS.  The file name of the utility is ELV.APF.

***The authorized program facility (APF) helps your installation protect the system. APF-authorized programs can access system functions that can affect the security and integrity of the system. APF-authorized programs must reside in APF-authorized libraries, which are defined in an APF list, or in the link pack area.

However any misconfiguration will make a castle become a unsecured house…..But our study bring me consider of the malware infection on non IBM CISC environment especially Windows server environment and Linux environment!

If above speculation is true. The z/OS system will be encountered of the following security problem.

It looks that IBM need to cope with IT world trend. CISC system environment capable of Java framework. CICS uses the IBM 64-bit SDK for z/OS, Java Technology Edition.  Regarding to our earlier discussion, 64 bit OS environment not absolute avoid malware infection. Even though you apply ASLR technology, sometimes a open source or 3rd party application will bring up operation problem causes system developer to modify the core system source code and not aware to create the vulnerability.  We all known business driven the IT world instead of technology or Information security.

Visitor who will be interested of the report of mainframe penetration tool, please visit GitHub to find out the details.

https://github.com/ayoul3/Privesc

….let me find out more information security items and share with you soon! Bye!

 

 

 

antihackingonline.com