Layer 7 (application layer) – What are the information security key factors?

Preface:

We heard shocking news this year, especially the EQUIFAX breach. The hackers accessed up to 143 million customer account details earlier this year. Thereafter a data breach happened on July 29, and the details taken include names, social security numbers, driver's licences and credit card numbers of around 200,000 people. Perhaps you could say that the incident was caused by the vulnerability in the Apache Struts component, CVE-2017-5638. A design limitation was found in the Jakarta Multipart parser. A proof of concept showed that the Content-Type can be set to an OGNL expression such as:

Content-Type: ${(#_='multipart/form-data').

The Content-Type is not escaped after the error and is then used by the LocalizedTextUtil.findText function to build the error message. This function interprets the supplied message, and anything within ${…} is treated as an Object Graph Navigation Library (OGNL) expression. As a result, an attacker can leverage these conditions to execute OGNL expressions that in turn execute system commands (see the diagram below for reference).
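From the defender's side, the point above is that a Content-Type header is supposed to be a media type and nothing else, so a request whose header carries ${…} or %{…} delimiters is already an indicator. The following is an added Python example (not from the page or from Struts) that checks header values against the media-type grammar and runs the check over constructed access-log lines; the log format and addresses are made up for the example.

```python
"""Flag HTTP requests whose Content-Type header carries an OGNL expression
instead of a media type, the vector described for CVE-2017-5638."""
import re
from typing import List, Tuple

# RFC 7230 "tchar": the characters allowed in a media type's type, subtype,
# parameter name and unquoted parameter value.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PARAM = rf'\s*;\s*{TOKEN}=(?:{TOKEN}|"[^"]*")'
# Positive model: a well-formed header is type/subtype followed by ;name=value pairs.
MEDIA_TYPE_RE = re.compile(rf"^\s*{TOKEN}/{TOKEN}(?:{PARAM})*\s*$")
# Negative model: the ${...} and %{...} delimiters that the text substitution
# evaluates as OGNL never appear in a legitimate media type.
OGNL_MARKER_RE = re.compile(r"[$%]\s*\{")


def classify_content_type(value: str) -> str:
    """Return 'ognl' for an expression-injection attempt, 'malformed' for
    anything else that is not a media type, and 'ok' for a valid header."""
    if OGNL_MARKER_RE.search(value):
        return "ognl"
    if not MEDIA_TYPE_RE.match(value):
        return "malformed"
    return "ok"


# Constructed access-log lines in a key=value style (sample data, not from a
# real server); the second one reuses the truncated expression quoted above.
SAMPLE_LOG = """\
ts=2017-03-07T10:00:01Z src=203.0.113.5 method=POST path=/upload content_type="multipart/form-data; boundary=----x1"
ts=2017-03-07T10:00:02Z src=203.0.113.9 method=POST path=/upload content_type="${(#_='multipart/form-data')."
ts=2017-03-07T10:00:03Z src=198.51.100.2 method=GET path=/index.html content_type="text/html; charset=utf-8"
ts=2017-03-07T10:00:04Z src=198.51.100.7 method=POST path=/api content_type="application/json; charset"
"""

LINE_RE = re.compile(r'src=(\S+) .*?path=(\S+) content_type="(.*)"$')


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (source, path, verdict) for every line whose Content-Type is not 'ok'."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines without a Content-Type field
        src, path, ctype = m.groups()
        verdict = classify_content_type(ctype)
        if verdict != "ok":
            findings.append((src, path, verdict))
    return findings


if __name__ == "__main__":
    for src, path, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:>9}  {src:<14} {path}")
```

The positive check also catches malformed headers that carry no OGNL marker, which is what you want from a reverse proxy or WAF rule: reject anything that is not a media type rather than chase individual payload patterns.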

API security is important today, especially against API infiltration

So far, I myself have been focusing only on ring 0 attacks. It looks like information security brought my attention to kernel hooking. Once upon a time, kernel hooking looked like it was everything. I think anti-virus manufacturers addressed the same place in a similar way. But when did we wake up? I believe that this is the century of the Java application. The API security level is equivalent to the kernel level.

Actually, the defense mechanism has no difficulty detecting malware on a 32-bit operating system. For instance, on a 32-bit Windows system, antivirus software may use SSDT hooking (System Service Dispatch Table hooking). Using SSDT hooking, the antivirus software can prevent attacks based on the APIs being called by the malicious software.

So, it looks secure once a modern antivirus is installed, right?
But what is the reason the number of cyber attack victims grows so rapidly, even though IDS, firewalls and modern antivirus software were deployed?

A closer look at the details

Windows 7 x64 is shipped with PatchGuard, which doesn't allow hooking the SSDT/MSRs/code sections. Disabling PatchGuard is the first-priority objective of malware. Since we are the system owner, it is easy to disable the PatchGuard function on your 64-bit Windows operating system yourself. The instructions are displayed below:

Type msconfig, go to the boot tab and delete the patched boots.

Or run the following commands in a root shell and restart the PC afterwards.

Bcdedit /debug ON
Bcdedit /dbgsettings SERIAL DEBUGPORT:1 BAUDRATE:115200 /start AUTOENABLE /noumex 

As we know, malware cannot carry out a manually driven job task. If malware is going to find its target function, it must go to the correct memory address (refer to table 1). But the objective of PatchGuard is to protect the following data and structures against:

• Modifying system service tables, for example, by hooking KeServiceDescriptorTable

• Modifying the interrupt descriptor table (IDT)

• Modifying the global descriptor table (GDT)

• Using kernel stacks that are not allocated by the kernel

• Patching any part of the kernel (detected only on AMD64-based systems)

Remark: the three-step inline hooking slogan. However, it doesn't work since PatchGuard is enabled.

  1. The Hook – A 5-byte relative jump which is written to the target function in order to hook it; the jump goes from the hooked function to our code.
  2. The Proxy – This is our specified function (or code) which the hook placed on the target function will jump to.
  3. The Trampoline – Used to bypass the hook so we can call a hooked function normally.

How does malware trim itself down and then get to the kernel level? How does it bypass antivirus or malware detectors?

Attempt 1. Find a design limitation on the web portal, then inject commands using the scripting API or dynamic JSP. One example was shown on the first page of our discussion. Try to find a vulnerability in a web-server-side module or component, or find a weakness in the programming design (see below for reference), then inject system commands.

But is there an additional way to conduct API infiltration?

Attempt 2. Hooking Shared Library Function Calls

Phenomenon: Apache web server deployments have high coverage in the world, and not a few Apache servers are running on the Windows operating system.

Variable factors: PatchGuard and ASLR enabled (those functions may make hacking activities more difficult)

The diagram below is a reference example of how an inline hook jumps to malicious code and then executes the original function.

Since defense functions have been strengthened today (antivirus embeds malware detection functions, Microsoft PatchGuard verifies the instructions and ASLR randomizes addresses to limit malware infection), the traditional ways of cyber attack below cannot work well!

  • DLLs loaded at runtime into the process address space
    For kernel32 – target private address space between 0x00010000 and 0x7FFE0000
  • Hiding files in a directory
    Replace FindFirstFile(), FindNextFile() in Kernel32 to skip rootkit files

Are there any benefits in the attack methods below?

DirectX/OpenGL APIs and time functions – Typically hooked to implement cheating in online games.

Status: Possibility high, under our observation.

Winsock API – Hooked to monitor network traffic.

Status: It has happened frequently. Under observation now.

But a security gap is still valid because of today's fast-growing business strategy

Further to my study of cyber attack incidents over the past few months, a hint to me is that the API hook technique on layer 7 (application layer) is the key milestone of hackers today. See the cyber incident records below for reference:

February 2017 –  The internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data.

Incident root cause analysis: Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.

June 2017 (the data breach was discovered on June 19): 198 million voter records exposed

Incident root cause analysis: A misconfiguration isn't a malicious hack in itself. However, such an incident showed the world that a wide range of components could impact the information security world. A misleading message from the past brought people's major focus to the operating system level.

July 2017 (the hack was discovered on July 29): Equifax recently had 143 million customer records breached in a hack.

Incident root cause analysis: Security weaknesses were found in patch management in IT operations and in vulnerability awareness. The incident was caused by the vulnerability in the Apache Struts component, CVE-2017-5638.

A major unknown area will be transformed into hackers' new target

Technology zone: IP telephony technology has been integrated with the TCP stack for more than a decade. However, business operations are keen to enhance functional features, and therefore customization for system integration is hard to avoid. We have seen some network communications hardware vendors get involved in application interface technologies. The modern business world is tougher, with more demanding competition. It looks like Cisco also became a victim of the former vulnerability hiccup. For more details, please see the URL below for reference.

https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170909-struts2-rce

Summary: It seems I do not have a final checkpoint to guide me to draw any conclusion from this discussion. Hey guys, keep your eyes open. There will be more strange things happening in today's demanding and tough business world!

Have a happy Sunday. I remain with my best regards.


Reference table 1:

Become a witness of the new generation of the financial age. But be careful of hacks.

Preface:

Bitcoin mining makes the world crazy. Java-based coin mining tools provide flexibility. A lightweight, small footprint lets you get involved in the mining industry.

What is the actual reason that lures people into starting mining work?

Reminder: Bitcoin mining is like a game. Different types of cryptocurrencies have different mining reward policies.

It looks easy to answer. We are looking for money; that is the reward.

The Bitcoin block mining reward halves every 210,000 blocks; the coin reward will decrease from 12.5 to 6.25 coins, said bitcoinblockhalf (www.bitcoinblockhalf.com).

So what are the target mining pools (blockchains) and coin types?

The hottest cryptocurrencies are Bitcoin (BTC), Ethereum (ETH), Monero (XMR), Litecoin (LTC), Dash and Pascal (PASC). Ethereum mining is profitable, but it cannot be maintained in the long run. However, it is still the hottest topic. Ethereum has seen an almost 20x jump in price in 2017. What are the mining rewards in Ethereum?

The proof of work (PoW) in Ethereum is run through Ethash. The successful PoW miner receives a static block reward equal to 5 Ether.


Why does a GPU mine faster than a CPU?

A majority of GPUs support add, multiply and multiply-add natively in hardware with single-cycle throughput as their basic computation instructions, and thereby it is better to use a GPU to conduct bitcoin mining. Since a traditional CPU carries an embedded instruction set and an OS footprint, it is difficult to maximize its overall performance for bitcoin mining.

Is Java code the best fit for Bitcoin mining?

I watched a TV program years ago in which a crew visited China to report on the status of this industry. Shown on the TV screen, the bitcoin mining campus looked like a factory: a whole bunch of computer units generating high temperatures. You could not find a pretty office lady in that office. So, is it an artificial intelligence office? It seems not; you will find young Chinese men wearing casual clothes working there.

Traditional bitcoin mining requires high CPU resources to do the calculation. A hint from the mining requirements recommends using a GPU (graphics processing unit) instead of a CPU (central processing unit). However, an HTML IFRAME tag is able to embed JavaScript that shares the visitor's CPU resources to assist with bitcoin mining (embedding JavaScript inside another page using the <iframe> tag). As we know, a web site is open to the world and not limited by area or visitor. From a technical point of view, this is a win-win situation. Coinhive offers a JavaScript miner for the Monero blockchain that you can embed in your website.

To be honest, Java programming provides flexibility for bitcoin miners to do the mining. The sample below shows that lightweight Java programming can conduct mining focused on the Ethereum blockchain. Some large Bitcoin mining farms have switched to Ethereum today.

Remark: Ethereum is an open-source, public, blockchain-based distributed computing platform featuring smart contract functionality.

package org.ethereum.core;

import java.math.BigInteger;

import org.ethereum.crypto.HashUtil;
import org.ethereum.util.ByteUtil;
import org.ethereum.util.FastByteComparisons;
import org.spongycastle.util.Arrays;
import org.spongycastle.util.BigIntegers;

public class Miner {

    public boolean mine(Block newBlock, byte[] difficulty) {
        // target = 2^256 / difficulty; a nonce is valid when sha3(hash || nonce) < target
        BigInteger max = BigInteger.valueOf(2).pow(256);
        byte[] target = BigIntegers.asUnsignedByteArray(32,
                max.divide(new BigInteger(1, difficulty)));

        // hash of the block header without the nonce field
        byte[] hash = HashUtil.sha3(newBlock.getEncodedWithoutNonce());
        byte[] testNonce = new byte[32];
        byte[] concat;

        // try successive 256-bit nonces until the hash falls below the target
        while (ByteUtil.increment(testNonce)) {
            concat = Arrays.concatenate(hash, testNonce);
            byte[] result = HashUtil.sha3(concat);
            if (FastByteComparisons.compareTo(result, 0, 32, target, 0, 32) < 0) {
                newBlock.setNonce(testNonce);
                return true;
            }
        }
        return false; // couldn't find a valid nonce
    }
}
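The search loop above is what pins a CPU: each nonce succeeds with probability about 1/difficulty, while a node checks the result with a single hash. As an added Python example (not from the page or from ethereumj), the same search with the node-side verification and a measurement of how the work grows with difficulty; it assumes hashlib's SHA3-256 in place of Keccak-256 and a constructed header in place of Block.getEncodedWithoutNonce().

```python
"""The proof-of-work search from the Miner class above, in Python, with the
verification step a node performs and a work measurement across difficulties."""
import hashlib
from typing import List, Optional

MAX_TARGET = 2 ** 256


def sha3(data: bytes) -> bytes:
    # Assumption: stdlib SHA3-256 stands in for ethereumj's Keccak-256 (HashUtil.sha3);
    # they differ only in padding, so the search and comparison logic are unchanged.
    return hashlib.sha3_256(data).digest()


def target_for(difficulty: int) -> bytes:
    """target = 2^256 / difficulty as a 32-byte unsigned big-endian value, as in the Java.
    A difficulty of 1 would give 2^256, which does not fit in 32 bytes, so it is clamped."""
    if difficulty <= 0:
        raise ValueError("difficulty must be a positive integer")
    return min(MAX_TARGET // difficulty, MAX_TARGET - 1).to_bytes(32, "big")


def pow_hash(header_hash: bytes, nonce: int) -> bytes:
    """sha3(sha3(header-without-nonce) || nonce), with the nonce as 32 big-endian bytes."""
    return sha3(header_hash + nonce.to_bytes(32, "big"))


def verify(header: bytes, nonce: int, difficulty: int) -> bool:
    """What a receiving node does: one hash and one comparison. Equal-length bytes compare
    lexicographically, which for big-endian data is the same as unsigned comparison."""
    return pow_hash(sha3(header), nonce) < target_for(difficulty)


def mine(header: bytes, difficulty: int, max_nonce: int = 1 << 16) -> Optional[int]:
    """Search nonces 1..max_nonce (ByteUtil.increment runs before the first test, so the
    Java never tries 0) and return the first that meets the target, or None if exhausted."""
    header_hash = sha3(header)
    target = target_for(difficulty)
    for nonce in range(1, max_nonce + 1):
        if pow_hash(header_hash, nonce) < target:
            return nonce
    return None  # couldn't find a valid nonce within the budget


def average_nonces(difficulty: int, headers: List[bytes]) -> float:
    """Average number of hashes needed per block: each try succeeds with probability about
    1/difficulty, so the work (and the CPU time a miner burns) grows linearly with it."""
    counts = []
    for h in headers:
        nonce = mine(h, difficulty, max_nonce=difficulty * 64)
        counts.append(nonce if nonce is not None else difficulty * 64)
    return sum(counts) / len(counts)


# Constructed sample input: a stand-in for Block.getEncodedWithoutNonce().
SAMPLE_HEADER = b"constructed block header without nonce"

if __name__ == "__main__":
    nonce = mine(SAMPLE_HEADER, 256)
    print("nonce", nonce, "verifies:", verify(SAMPLE_HEADER, nonce, 256))
    for d in (16, 64, 256):
        hdrs = [SAMPLE_HEADER + bytes([i]) for i in range(32)]
        print(f"difficulty {d:>4}: average {average_nonces(d, hdrs):8.1f} hashes per block")
```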

Cyber security viewpoint

Researchers found that a sophisticated class of surreptitious mining software might penetrate your system. Hackers deliver their services through infected image files or by getting users to click on links leading to a malicious site, in such a way that the visitor consumes more CPU power. It is easy to figure out the status of your personal computer at home: if you have everything closed but CPU usage is still super high, then you may have a crypto-mining malware problem.

Potential opportunities for hackers

Since those bitcoin mining JavaScripts are not compiled, the program code does not trigger security alarms. It is easy for hackers to mix their malware code into bitcoin mining JavaScript and bypass the detection mechanism.

What next?

Perhaps the Bitcoin environment looks like a new generation of a new century. It is hard to draw a conclusion at this moment. Traditional bank robbery will be replaced by new technology, and hackers will conduct criminal activities by similar criteria.

Reference:

Monero: Mining metrics are calculated based on a network hash rate of 252 MH/s and using an XMR – USD exchange rate of 1 XMR = $ 88.35. These figures vary based on the total network hash rate and on the XMR to USD conversion rate. Block reward is fixed at 6.022756660193 XMR and future block reward reductions are not taken into account. The average block time used in the calculation is 120 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Ethereum: Mining metrics are calculated based on a network hash rate of 109,037 GH/s and using a ETH – USD exchange rate of 1 ETH = $ 307.61. These figures vary based on the total network hash rate and on the ETH to USD conversion rate. Block reward is fixed at 3 ETH and future block reward reductions are not taken into account. The average block time used in the calculation is 15 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Bitcoin: Mining metrics are calculated based on a network hash rate of 10,399,990,921 GH/s and using a BTC – USD exchange rate of 1 BTC = $ 6138.57. These figures vary based on the total network hash rate and on the BTC to USD conversion rate. Block reward is fixed at 12.5 BTC and future block reward reductions are not taken into account. The average block time used in the calculation is 600 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

DASH: Mining metrics are calculated based on a network hash rate of 210,374 GH/s and using a DASH – USD exchange rate of 1 DASH = $ 283.43. These figures vary based on the total network hash rate and on the DASH to USD conversion rate. Block reward is fixed at 1.801475954707712 DASH PoW mining out of 3.602951909415424 DASH total mining reward and future block reward reductions are not taken into account. The average block time used in the calculation is 488 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.

Litecoin: Mining metrics are calculated based on a network hash rate of 30,369 GH/s and using a LTC – USD exchange rate of 1 LTC = $ 56.5. These figures vary based on the total network hash rate and on the LTC to USD conversion rate. Block reward is fixed at 25 LTC and future block reward reductions are not taken into account. The average block time used in the calculation is 150 seconds. The electricity price used in generating these metrics is $ 0.12 per kWh.


SS7 flaw makes two-factor authentication insecure – Revealing the veil

Preface:

Two-factor authentication claims to be a perfect security solution. Online banking transactions, Bitcoin wallets, e-trading business systems and application systems concerned with data privacy are all willing to apply two-factor authentication.

The overall comments on two-factor authentication on the market

Let’s review the cyber security incident records below

  1. Cyber criminals stole Bitcoin from electronic wallets by counterfeiting two-factor authentication SMS messages. An investment trader, a so-called night owl, was notified that the passwords had been reset on two of his email addresses on 11th Aug 2016. His losses were among the largest in his bitcoin investment. The venture capitalist (Bo Shen) had US$300,000 worth of electronic money (Augur REP tokens) stolen by hackers, plus an undisclosed amount of bitcoin and other cryptocurrencies lost. Coinbase (the US-based world's biggest bitcoin exchange) observed a doubling of cyber heists among its customers during November to December 2016.
  2. Criminals carried out an attack from the network of a foreign mobile network operator in the middle of January 2017. The attackers used the SS7 vulnerability to intercept and redirect mTANs (mobile transaction authentication numbers) sent by banks in Germany to authorize transfers of payments out of victims' accounts.

The clarification of two-factor authentication criteria

The two-factor authentication (2FA) definition is based on providing two of the following three “somethings”: (1) something you know, which is your username and password combination or a PIN, (2) something you have, which can be a bank card, mobile device, smartwatch, or another device you’ve flagged as safe, and in more advanced scenarios, (3) something you are, which includes biometrics like fingerprints, retina scans, or voice recognition. By requiring a user to verify their identity with two or more of these unique ways, 2FA effectively extends security beyond the password. The final step of the authentication process is to send a one-time authorization code to a device via SMS, which you then enter to prove your identity.

My doubt on the above matter

What if, in my situation, the “something you are” function is replaced by a hardware token? In this scenario, my hardware authentication token is synchronized in the first round of registration with the RSA ACE server. Thereafter the hardware token depends on one element (timing). This setup complies with the 2FA definition, in the sense that it does not involve SMS messages. So 2FA is still trustworthy, right?

SS7 Vulnerability

A proof of concept showed that an attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hackers are able to manipulate USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network into believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack WhatsApp and Telegram via SS7. The vulnerability was found in 2008.

The SS7 design fundamentally trusts any request. We know that JSS7 is an implementation of the SS7 telephony protocol in Java that aims to create an open-source, multiplatform SS7 protocol stack, and therefore counterfeiting SMS messages becomes easier (see information supplement 1 at the bottom of this page for reference). Carriers often “ask” one another for the whereabouts of a certain device so they can calculate the nearest cell tower to route a call. These sorts of automated interactions happen all the time. Nokia safeguarded network operations with new security features in Sep 2015. The features, consisting of the Signaling Guard and Security Assessment service, detect and prevent attacks that exploit vulnerabilities in the SS7 protocol. It looks like such remediation steps are not effective in avoiding insider threats.

Effectiveness of Nokia's network operation safeguard

The SS7 signaling system fundamentally operates in a private network, meaning that cyber criminals have to hack into it to gain entry, or find a telecom insider willing to offer illicit access. However, there is another vulnerability, in ASN.1: an ASN.1 compiler flaw leads to network vulnerability. As such, hackers exploring the back door on SS7 are not only targeting internal staff. It might possibly allow attackers to remotely execute unknown and unauthorized code inside the firmware of devices that use the compiled ASN1C code from within C and C++. Meanwhile, the Java language is fully compatible with the SS7 protocol stack and platform. Oops! Do you think a design weakness will happen in this place?

Hackers might read shared memory data using Java from program source written in C++.

Hackers can create a method in Java to read or write shared memory. Hackers might have a way that relies on the Java SS7 benefits to hook into the shared memory process. As a result, it compromises the machine. It can send SMS to anyone, anywhere, including communicating with other telco vendors. This is the most concerning and dangerous way.

Conclusion:

From a technical point of view, 2FA (two-factor authentication) is still a secure method for authentication. It looks like the flaw is in the SS7 signaling system rather than in 2FA itself. Since 2FA is not limited to SS7 to conduct authentication, you are allowed to use other alternatives. Guys, do not worry too much.

Information supplement 1: An open-source Java SS7 stack that allows Java apps to communicate with legacy SS7 communications equipment. JSS7 is an implementation of the SS7 telephony protocol in Java that aims to create an open-source, multiplatform SS7 protocol stack. The Java sample below is the pass-along message implementation, for reference.

package org.mobicents.protocols.ss7.isup.impl.message;

import java.io.ByteArrayOutputStream;

import org.mobicents.protocols.ss7.isup.ISUPMessageFactory;
import org.mobicents.protocols.ss7.isup.ISUPParameterFactory;
import org.mobicents.protocols.ss7.isup.ParameterException;
import org.mobicents.protocols.ss7.isup.impl.message.parameter.MessageTypeImpl;
import org.mobicents.protocols.ss7.isup.message.ISUPMessage;
import org.mobicents.protocols.ss7.isup.message.PassAlongMessage;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageName;
import org.mobicents.protocols.ss7.isup.message.parameter.MessageType;

/**
 * ISUP Pass Along Message (PAM): carries the body of another ISUP message,
 * so encode/decode delegate to the embedded message.
 */
public class PassAlongMessageImpl extends ISUPMessageImpl implements PassAlongMessage {

    public static final MessageType _MESSAGE_TYPE = new MessageTypeImpl(MessageName.PassAlong);

    static final int _INDEX_F_MessageType = 0;

    /** The message wrapped by this PAM. */
    private ISUPMessage embedded;

    public PassAlongMessageImpl() {
        super.f_Parameters.put(_INDEX_F_MessageType, this.getMessageType());
    }

    public MessageType getMessageType() {
        return _MESSAGE_TYPE;
    }

    @Override
    public void setEmbeddedMessage(ISUPMessage msg) {
        this.embedded = msg;
    }

    @Override
    public ISUPMessage getEmbeddedMessage() {
        return embedded;
    }

    public boolean hasAllMandatoryParameters() {
        return this.embedded == null ? false : this.embedded.hasAllMandatoryParameters();
    }

    @Override
    public int encode(ByteArrayOutputStream bos) throws ParameterException {
        // a PAM without an embedded message has nothing to carry; refuse to encode it
        if (this.embedded == null) {
            throw new ParameterException("No embedded message");
        }

        // encode CIC and message type
        this.encodeMandatoryParameters(f_Parameters, bos);
        final byte[] embeddedBody = ((AbstractISUPMessage) this.embedded).encode();
        // skip the first 2 bytes of the embedded message: its own CIC
        bos.write(embeddedBody, 2, embeddedBody.length - 2);
        return bos.size();
    }

    @Override
    public int decode(byte[] b, ISUPMessageFactory messageFactory, ISUPParameterFactory parameterFactory)
            throws ParameterException {
        int index = 0;
        // decode CIC and PAM message type.
        index += this.decodeMandatoryParameters(parameterFactory, b, index);
        byte targetMessageType = b[index];
        this.embedded = messageFactory.createCommand(targetMessageType, this.getCircuitIdentificationCode().getCIC());
        // create fake msg body: shift by one byte so the embedded decoder, which expects a
        // 2-byte CIC before the message type, lands on the embedded message type
        byte[] fakeBody = new byte[b.length - 1];
        System.arraycopy(b, 1, fakeBody, 0, fakeBody.length);
        // subtract the 2 bytes of fake CIC counted by the embedded decoder
        index += ((AbstractISUPMessage) this.embedded).decode(fakeBody, messageFactory, parameterFactory) - 2;
        return index;
    }

    // Not used: a PAM contains the body of another message and overrides decode(),
    // so these methods are never called.
    protected void decodeMandatoryVariableBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, int parameterIndex)
            throws ParameterException {
    }

    protected void decodeOptionalBody(ISUPParameterFactory parameterFactory, byte[] parameterBody, byte parameterCode)
            throws ParameterException {
    }

    protected int getNumberOfMandatoryVariableLengthParameters() {
        return 0;
    }

    protected boolean optionalPartIsPossible() {
        throw new UnsupportedOperationException();
    }
}

Information supplement 2: How to protect your IT premises? A found vulnerability sometimes isn’t a flaw. This is the original design! For more detail, please refer below:


New trend – Botnet infection technique empowers Ransomware infection

Preface:

We know that the botnet infection technique has been popular in the last few years. The objective of botnet infection was more about DDoS attacks. But the status has now changed.

Below is a sample of code on how a botnet operates.

using System.Threading.Tasks;
using log4net;
using Loki.Bot;
using Loki.Common;
using Loki.Game;

namespace MapBuddy.Tasks
{
    public class MapExplorationCompleteTask : ITask
    {
        private static readonly ILog Log = Logger.GetLoggerInstanceForType();

        public async Task<bool> Logic(string type, params dynamic[] param)
        {
            if (type != "task_execute") return false;
            if (LokiPoe.Me.IsDead || !LokiPoe.CurrentWorldArea.IsMap) return false;

            if (CurrentMap.HasBossRoom)
            {
                if (!TrackMobTask.MapBossFound && !TrackMobTask.MapBossDead)
                {
                    Log.Warn("[MapExplorationCompleteTask] insci_test dont allow finish map until boss is alive.");
                    return false;
                }
            }

            Log.Warn("[MapExplorationCompleteTask] Now finishing the map run.");
            MapBuddy.EventInvocators.RaiseMapExplorationCompletedEvent();
            await CommunityLib.LibCoroutines.CreateAndTakePortalToTown();

            //Second portal if we are
            //if (MapBuddySettings.Instance.Mode == OpenMethod.Laboratory)
            //{
            //    var currentBot = BotManager.CurrentBot;
            //    currentBot.Settings.SetProperty("NeedsTownRun", 2);
            //}

            return true;
        }

        public string Name => "MapExplorationCompleteTask";

        public string Description => "Task for leaving the map.";

        public string Author => "ExVault";

        public void Start()
        {
        }

        public void Tick()
        {
        }

        public void Stop()
        {
        }

        public string Version
        {
            get { return "1.0"; }
        }

        public object Execute(string name, params dynamic[] param)
        {
            return null;
        }
    }
}

Current status:

It looks like an alert showed that an unknown attacker counterfeited HSBC emails to spread the infection. This round of attacks seems to focus on the banking industry. A sample counterfeit email is displayed below. Guys, be careful!


Tax havens are also a hacker playground – Bermuda

Perhaps the legal firm Mossack Fonseca data breach incident is history. However, headline news reveals another similar case which happened in November last year. I was shocked that Mossack Fonseca encountered a data breach which astonished the world, since tycoons and famous people like the President of Russia, Putin, were included in their customer list. A slogan says that a tax haven is also a hacker playground. It looks like legal firms only know how to use law and regulations to protect their clients. On the other hand, the former cyber security incident showed that they ignore technology risks. In the meantime, we received the news in the newspaper that their database encountered a cyber attack in November last year (2016). But it sounds like another important factor might be brought to their attention. For instance, it is easy to find lawyers' public email addresses because of their business operation model. Such a business model lets hackers easily obtain the email addresses. An easy way to make use of email phishing techniques lets the receiver become a victim. The hacker will receive the credentials after compromising the email account. As a result, it is easy to draw out the data. For the details, please refer to the URL below for reference.

Another story of offshore law firm data leakage. The firm encountered a cyber attack in Nov 2016.
The information was released in the news this month.

http://www.independent.co.uk/news/business/news/appleby-offshore-law-firm-hack-data-super-rich-financial-details-bermuda-a8018451.html

Existing encryption scheme looks to have space to enhance – X.931 security breach

The implementation of the existing encryption scheme looks to have space for enhancement. Another bug has been found in X.931. It looks like the vulnerabilities found in encryption mechanisms over the last few months reveal a bottleneck in the IT environment. Can you still remember our hero Edward Snowden's alert? He told us that cyber espionage or governments rely on backdoors in devices or applications to execute their tasks. A scandal revealed that a security vendor used a weak crypto scheme to benefit the NSA in order to receive a government contract. Perhaps we did not focus on the encryption mechanism since we believed that we are secure once we implement it. However, the design limitation is the cache, no matter whether it is hardware or software. Hackers rely on the temporary cache to retrieve the SSL key and then execute a man-in-the-middle attack on antivirus software. A private key was found in a chipset which put more than a million mobile devices in a security breach. My imaginary conspiracy theory: it looks like our hero Snowden and WikiLeaks revealed how the NSA is doing its surveillance program. Since the secrets were exposed, they are not going to use them anymore. As a result, more and more scandals or unknown bugs will be opened to the public. The URL below will provide hints to you for reference.

https://threatpost.com/duhk-attack-exposes-gaps-in-fips-certification/128582/

RTOS (real-time operating system) is under attack. Do you think it is the 2nd round of testing?

The term IoT (Internet of Things) looks like a messy transformation of a specific definition. The suitable criterion to define an IoT component is that the device demands data be processed without buffering delays. If you have the habit of reading technology posts daily, you know that the IT security vendor Check Point alerted the world that a new IoT botnet is going to jeopardize the world. The case is under their investigation. My personal opinion is that the specific attacks focus on RTOS (real-time operating systems), for instance web cams, routers and smart city facilities. I strongly believe that Microsoft is not the major target, since RTOS devices have large coverage on simplified Linux-based OS platforms. Keep your eyes open; you might see the result of the Reaper IoT attack, which relies on Shellshock vulnerabilities and brute-force attacks. In addition, if vulnerabilities are found in the device's kernel, the malicious code will rely on them. The URL below provides the details in this regard. Perhaps we have more and more electronic computing devices supporting our daily life. A hostile country engaging in an attack to suspend the daily operations of the enemy looks better than a bomb or a military threat.

https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/

INFINEON chip design flaw – not vulnerable in ECC, flaw only encountered on RSA

Bitcoin technology looks lucky this round, since the INFINEON chip design flaw is not present in ECC (Elliptic Curve Cryptography); the flaw is only encountered in RSA.

Vulnerability

The flaw resides in the Infineon-developed RSA Library version v1.02.013. A design weakness has been found: a vulnerability in an implementation of RSA key generation could allow disclosure of the private key.

This vulnerability affects any products using the affected code library “RSA Library version v1.02.013” developed by Infineon Technologies. Keys generated with smartcards or embedded devices using the Infineon library are vulnerable, as well as devices certified by NIST FIPS 140-2 and CC EAL 5+.

Queries about this vulnerability – in regard to the so-called security regulatory standards

It is hard to believe: tough and harsh security requirements are issued by NIST (FIPS 140-2) and Common Criteria, yet the certified products are also victims.

Do you think there is a verification and identification gap between the hardware vendor and the security authority, and that is why such an embarrassing situation happened today?

Known affected areas:

Government – Component: Smartcards (manufacturers using Infineon smartcard chips and TPMs)

Businesses – Component: Smartcards and IoT devices (manufacturers using Infineon smartcard chips and TPMs)

Home Users – Component: IoT (manufacturers using Infineon smartcard chips and TPMs)

Vendor announcement:

Laptops and mobile devices use Trusted Platform Module (TPM) hardware chips with the affected encryption key code library, for instance from Google, Microsoft, HP, Lenovo and Fujitsu. They claimed that they have patched their respective software.

Reference:

Should you have an interest in the related topic, please refer to the URL below for reference.

https://nvd.nist.gov/vuln/detail/CVE-2017-15361
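The design weakness above can be recognised from the public modulus alone: keys from the affected library are built from primes with a special structure, so N mod r always falls inside the subgroup generated by the public exponent 65537 for every small prime r. The following is an added example, not Infineon's, NIST's or this site's code, implementing that published ROCA fingerprint test in Python; the moduli it checks are constructed numbers, not real keys.

```python
"""ROCA-style fingerprint check for RSA public moduli (CVE-2017-15361).

Affected keys use primes of the form p = k*M + (65537^a mod M), where M
is a product of small primes. For N = p*q this forces N mod r to lie in
the cyclic subgroup generated by 65537 for each small prime r dividing M.
Added example code; assumes the fingerprint prime range 3..167 that the
public ROCA detector uses.
"""


def small_primes(limit: int) -> list[int]:
    """Odd primes up to and including limit, by trial division."""
    primes: list[int] = []
    for n in range(3, limit + 1, 2):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


def generator_subgroup(g: int, r: int) -> set[int]:
    """Cyclic subgroup {g^j mod r} of the multiplicative group mod prime r."""
    members: set[int] = set()
    x = 1
    while x not in members:
        members.add(x)
        x = (x * g) % r
    return members


FINGERPRINT_PRIMES = small_primes(167)
SUBGROUPS = {r: generator_subgroup(65537, r) for r in FINGERPRINT_PRIMES}


def failing_primes(n: int) -> list[int]:
    """Primes r where n mod r is outside <65537>; empty means fingerprint matches."""
    return [r for r in FINGERPRINT_PRIMES if n % r not in SUBGROUPS[r]]


def has_roca_fingerprint(n: int) -> bool:
    """True if modulus n shows the residue pattern of an affected key."""
    return not failing_primes(n)


if __name__ == "__main__":
    # Constructed inputs (not real keys): a pure power of 65537 reproduces
    # the residue pattern of an affected modulus; adding 3 breaks it.
    affected_like = 65537 ** 7
    ordinary = 65537 ** 7 + 3
    print("affected-like:", has_roca_fingerprint(affected_like))
    print("ordinary:", has_roca_fingerprint(ordinary), failing_primes(ordinary)[:3])
```

For a real key, pass the integer modulus N from the certificate or public key file; a match means the key should be treated as affected and replaced.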

WPA2 vulnerability found. But online banking customers are not shocked.


WPA2 vulnerability found. But online banking customers are not shocked. Take it easy. The WPA2 wireless encryption scheme looked secure before this specific vulnerability occurred. Security experts found that a hacker is able to rely on the 3rd handshake message to do an injection, which causes a man-in-the-middle attack. As a result, your wireless network data traffic can be hunted by the hacker. The data includes online banking credentials, social media credentials, etc. But if you think it over, the SSL tunnel end point of the online banking web application sits on your mobile. The hacker must install the web server's SSL public PKI key certificate in the 1st phase, otherwise he cannot view the data embedded in the traffic. Perhaps the hacker has already installed the public cert. However an HSM will protect your password from the online banking system, since the password will be shown as a random code that the hacker cannot reuse. How about the VISA 3-D Secure method? You will receive an SMS alert of your payment transactions in the end, and you can verify them by yourself. For more detail about the WPA2 vulnerability, please refer to the URL below.

https://www.theguardian.com/technology/2017/oct/16/wpa2-wifi-security-vulnerable-hacking-us-government-warns

How will it affect the cyber world – a scandal from Microsoft

Reuters interviewed former Microsoft employees. The scandal reported by the former employees was that Microsoft responded quietly after detecting a secret database hack in 2013. It looks like this is an official commercial tactic. I am not surprised that hackers rely on known bugs in a vendor's bug tracking database to formulate a new generation of viruses. Believe it or not, we have seen this virus already. We all know that the 1st version of the ransomware development relied on a Microsoft bug found by the United States National Security Agency. The scandal happened this month, and we will have more and more news updates afterwards. For more details about the journalists' interviews, please see the URL below for reference.

Reminder: Oct 2000 – Microsoft admits that its corporate network has been hacked and source code for future Windows products has been seen. The hacker is suspected to be from St. Petersburg.

https://www.reuters.com/article/us-microsoft-cyber-insight/exclusive-microsoft-responded-quietly-after-detecting-secret-database-hack-in-2013-idUSKBN1CM0D0


antihackingonline.com