What can we learn from the latest hack on an U.S. Navy contractor?

17 June 2018

Report “China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare” (1) published on 8 June 2018 in the Washington Post is really worth reading.

Attacks on the supply chain have become more common in recent years. Contractors are e.g. used as gateways to the customer network or customer information is exfiltrated from the contractors network.

The latter is the case here. The product development is outsourced. The information required for product development is available only in the contractors network and, in the worst case, remains there after handover to the customer.

Under normal conditions this is not critical. But when it comes to national security matters, e.g. in product development for defense agencies or for critical infrastructures, this may end in a catastrophe.

Picture credits: Wikimedia

In such cases proper classification of the information handed over to and created by the contractor is of crucial need. Since many contractors run an information security management system, the selection of protective measures is based upon the proper classification.

At least 614 GB of data were obviously not properly classified since “highly sensitive data related to undersea warfare” was stolen from the contractor’s unclassified network.

It is always good to remember Aristotle’s proverb “The whole is greater than the sum of its parts” when it comes to classification of information.

Have a great week.

1. Nakashima E, Sonne P. China hacked a Navy contractor and secured a trove of highly sensitive data on submarine warfare. Washington Post [Internet]. 2018 Jun 8 [cited 2018 Jun 16]; Available from: https://www.washingtonpost.com/world/national-security/china-hacked-a-navy-contractor-and-secured-a-trove-of-highly-sensitive-data-on-submarine-warfare/2018/06/08/6cc396fa-68e6-11e8-bea7-c8eb28bc52b1_story.html


Blockchain unchained?

3 June 2018

Blockchain technology is a digital platform for applications where seamless traceability and full transparency is required.

For example, in pharmaceutical industry blockchain could give full traceability of drugs across the entire supply chain up to the patients.

Another interesting application is mobile voting. From the Brookings publication “How blockchain could improve election transparency” (1) on the use of blockchain for internet voting in the West Virginia primaries in May this year we learn that “all data of the election process can be recorded on a publicly verifiable ledger while maintaining the anonymity of voters, with results available instantly”.

This sounds very promising.

Blockchain Grid

Picture By Davidstankiewicz, for details see below (5)

Unfortunately, every software has bugs. On May 28th, 2018 Swati Khandelwal reported in “The Hacker News” about a remote code execution (RCE) vulnerability in the blockchain-based EOS smart contract system (2).

If an attacker exploits this RCE he could destroy the integrity of the entire system:

“Since the super node system can be controlled, the researchers said the attackers can “do whatever they want,” including, controlling the virtual currency transactions, and acquiring other financial and privacy data in the EOS network participating node systems, such as an exchange Digital currency, the user’s key stored in the wallet, key user profiles, privacy data, and much more.”

Although it is not clear whether the voting system used in West Virginia is based on the Blockchain 3.0 platform there is urgent need for action. EOSIO set up a bug bounty program (3) to improve their code. But should we rely on bug bounty programs for such important issues like elections or patient safety?

From the Qihoo 360 security researchers report (4) we learn that the vulnerability is created by “a buffer out-of-bounds write” error. This means that this vulnerability could have been avoided by performing a static code analysis prior to release.

The big question is: How many errors of this type are still included in the blockchain infrastructure? A bug bounty program is a good approach to improve security, a static code analysis is indispensable in my view. In particular when the outcome of an election can be influenced or patient safety is endangered.

Have a great week.


1. Desouza KC, Somvanshi KK. How blockchain could improve election transparency [Internet]. Brookings. 2018 [cited 2018 Jun 1]. Available from: https://www.brookings.edu/blog/techtank/2018/05/30/how-blockchain-could-improve-election-transparency/

2. Khandelwal S. Critical RCE Flaw Discovered in Blockchain-Based EOS Smart Contract System [Internet]. The Hacker News. 2018 [cited 2018 Jun 1]. Available from: https://thehackernews.com/2018/05/eos-blockchain-smart-contract.html

3. eosio. Calling all Devs: The EOSIO Bug Bounty Program is Live [Internet]. Medium. 2018 [cited 2018 Jun 3]. Available from: https://medium.com/eosio/calling-all-devs-the-eosio-bug-bounty-program-is-live-7219c625a444

4. Chen Y, Peng Z. EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds – 奇虎360技术博客 [Internet]. 2018 [cited 2018 Jun 1]. Available from: http://blogs.360.cn/blog/eos-node-remote-code-execution-vulnerability/

Picture Credits

5. By Davidstankiewicz [CC BY-SA 4.0 (https://creativecommons.org/licenses/by-sa/4.0)%5D, from Wikimedia Commons

Some thoughts on “Protecting against ransomware using PCI DSS and other hardening standards”

20 May 2018

Post “Protecting against ransomware using PCI DSS and other hardening standards” (1) published this week by Paul Norris in SC Media UK is really worth reading. Hardening is a proven method to reduce the attack surface of a computer network. If well done, the spreading of ransomware and thus the impact on an organization can be limited.

Hardening, patching, etc. serve a common goal in cyber war: Describing the limits of conflict. Everett Dolman writes in chapter 5 of “Pure Strategy: Power and Principle in the Space and Information Age” (2):

“Tactical thinkers seek to define and describe situations. Decision-making in real-time tactical mode requires it. The more knowledge of the limits to conflict, the more creatively the tactical genius can deploy, maneuver, and engage forces. Knowing completely what cannot be done allows for an investigation what can be done.”

Hardening, patching, etc. decrease the number of options / attack vectors an attacker can use for getting on and exploring a network. IT security groups can then focus on the remaining attack vectors, and prepare for the unknown.

Let me give two examples to illustrate this.

  1. If all external storage devices are technically blocked in your organization an attacker cannot use them for delivery of weaponized documents. Furthermore, if users have no chance to change this your IT security group can focus on investigating other attack vectors.

  2. If you implemented the measures for mitigation of high and medium risk findings described in the DoD “Windows 7 Security Technical Implementation Guide” (3) you can be sure that attacks based on bypassing UAC to get elevated privileges are no longer possible.

But be aware that the attacker also knows what cannot be done after a standard is implemented…

Have a great week.

  1. Norris P. Protecting against ransomware using PCI DSS and other hardening standards [Internet]. SC Media UK. 2018 [cited 2018 May 20]. Available from: https://www.scmagazineuk.com/opinion/protecting-against-ransomware-using-pci-dss-and-other-hardening-standards/article/761956/

  2. Dolman EC. Pure Strategy: Power and Principle in the Space and Information Age [Internet]. Taylor & Francis; 2004. (Strategy and History)

  3. Department of Defense. Windows 7 Security Technical Implementation Guide [Internet]. STIG Viewer | Unified Compliance Framework®. 2017 [cited 2018 May 20]. Available from: https://www.stigviewer.com/stig/windows_7/

Two-factor authentication hackable?

13 May 2018

Report “Two-factor authentication hackable” (1) published by Doug Olenick’ on May 10, 2018 at SC Media US is really frightening.

Two-factor authentication (TFA) is a great means to secure users of web services against phishing attacks. I’m aware that TFA with SMS or authenticator apps is not 100% secure because the login is not bound to the service, which means that TFA is prone to Man-in-the-Middle attacks. But the title of the report suggests that TFA is no longer secure at all.

A closer look at the report shows that Doug Olenick describes a Man-in-the-Middle attack initiated by a fake URL in an e-mail. The URL points to a web services which acts as a proxy for LinkedIn in this case. The proxy collects the users account details and the session cookie. Since the session cookie contains all details required to login to LinkedIn the attacker can hijack the users account without being requested of the password and the second factor.

For details about the attack see Kuba Gretzky’s post “Evilginx – Advanced Phishing with Two-factor Authentication Bypass” (2).

What can we learn from these reports?

TFA is vulnerable against phishing and Man-in-the-Middle attacks. User awareness and anti-phishing training become not obsolete once TFA with authenticator app or SMS is rolled out in an organization.

Although TFA is vulnerable this should not stop you from implementing TFA.

FIDO U2F Key (6)

FIDO U2F Key (6)

If you want to get it right the first time implement TFA with hardware keys, e.g. FIDO U2F keys. With hardware keys the user login is bound to the original service, which means that only the real site can authenticate with the service. For details see the FIDO alliance (3) homepage or the Yubico (4) homepage. For a great user story see report “Google Eliminates Account Takeover with the YubiKey” (5).

Have a great week.

  1. Olenick D. Two-factor authentication hackable [Internet]. SC Media US. 2018 [cited 2018 May 13]. Available from: https://www.scmagazine.com/network-security/two-factor-authentication-hackable/article/765135/

  2. Gretzky K. Evilginx – Advanced Phishing with Two-factor Authentication Bypass [Internet]. BREAKDEV. 2017 [cited 2018 May 13]. Available from: http://breakdev.org/evilginx-advanced-phishing-with-two-factor-authentication-bypass

  3. FIDO Alliance. https://fidoalliance.org/ [Internet]. FIDO Alliance. [cited 2018 May 13]. Available from: https://fidoalliance.org/

  4. U2F – FIDO Universal 2nd Factor Authentication [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/solutions/fido-u2f/

  5. Yubico.com. Google Eliminates Account Takeover with the YubiKey [Internet]. Yubico. [cited 2018 May 13]. Available from: https://www.yubico.com/about/reference-customers/google/

  6. Picture Credits: Amazon.de. [cited 2018 May 13]. Available from: https://www.amazon.de/Yubico-Y-123-FIDO-U2F-Security/dp/B00NLKA0D8


Windows 10 Lean – Microsoft’s essential step (back) to the future?

29 April 2018

The report “Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS” (1) published by Liam Tung on 24 April 2018 at ZDNet made me really curios.

Why is the industry in desperate need of a cut-down Windows OS? To answer this question we need to dig into the history of computing.

Tandberg TDV 1200 Terminal. Picture Credits (2)

Tandberg TDV 1200 (2)

In the nineteen sixties and seventies IT business was largely based on host-based computing. Usually the end-user devices were character based terminals with very restricted functionality. Business reports or letters were a real challenge on a Tandberg terminal with IBM ISPF. Individual changes to the user interface were usually limited to the change of the highlight colors and the function key assignment.

Apollo Domain DN330 Workstation

Apollo Domain DN330 (3)

The introduction of server-based computing in the nineteen seventies was a significant benefit for the end users. Graphics-based workstations, often diskless, opened up new fields of application, e.g. desktop publishing, CAD or CAPE. Here, too, the users had only limited options to customize the user interface or to install applications.

With the introduction of Windows NT AS 3.1 in 1993 everything changed. For the first time an operating system had an easy to use graphical user interface, was easy to operate through this GUI , and had easy to use inbuilt peer-to-peer networking capabilities. This was the Wild West for the users.

Unfortunately, very often the Wild West ended up in chaos. With Windows 2000 everything was under control again. Server-based computing was the standard again, peer-to-peer networking capabilities were hardly used.

SAAS, e.g. O365, OneDrive, Sharepoint Online, Box for Business or Google’s G Suite, takes us eventually back to host-based computing: The cloud is the new host.

Once the industry has adopted SAAS every interaction with the cloud is based on the HTTPS protocol. SMB and all the client-server and peer-to-peer networking capabilities of Windows are no longer needed. Even for printing the IPP protocol can substitute SMB.

Thus it is time to eliminate these networking capabilities from the OS. And with this, we eliminate all this EternalBlue, EternalRomance, WannaCry and NotPetya stuff because lateral movement depends heavily on the Windows Peer-to-Peer networking capabilities.

Chrome OS is Google’s answer to this trend. Will Microsoft follow with Windows 10 Lean?

From Liam Tung’s report we learn:

“Windows 10 Lean was revealed on Twitter by Windows enthusiast Lucan, who noted the heavily cut-down OS has no wallpaper and is missing apps like Registry Editor and Microsoft Management Console, as well as drivers for CD and DVD drives.”

From my point of view that’s not enough to deal with the IT security challenges the industry faces today.

Have a great week.

  1. Tung L. Windows 10 Lean: Latest build offers first glimpse of Microsoft’s new cut-down OS [Internet]. ZDNet. 2018 [cited 2018 Apr 24]. Available from: https://www.zdnet.com/article/windows-10-lean-latest-build-offers-first-glimpse-of-microsofts-new-cut-down-os/

  2. Picture credits: Telemuseet, Wikipedia, https://digitaltmuseum.no/011025208286/datautstyr

  3. Picture credits: Jim Rees, Wikipedia, https://commons.wikimedia.org/wiki/File:Dn330.jpg

US Gas Pipelines Hit by Cyber-Attack

15 April 2018

The report “US Gas Pipelines Hit by Cyber-Attack” (1), published on April 13, 2018 in Infosecurity Magazine, sounds more dramatic than it actually is. The attackers compromised a system for “electronic data interchange” (EDI) to some of the largest US energy providers. No impact on critical infrastructures, at least until now.

Bloomberg Technology (2) reports that at least four US pipeline companies were affected by the attack.

What surprised me was that Jim Guinn, managing director and global cyber security leader for energy, utilities, chemicals and mining at Accenture Plc, said (2):


“There is absolutely nothing of intrinsic value for someone to infiltrate the EDI other than to navigate a network to do something more malicious. All bad actors are looking for a way to get into the museum to go steal the Van Gogh painting.”

I cannot support this. The EDI system contains the access details to the systems used in the customer networks for data exchange. These details are the free admission ticket to the customer networks for the cyber-criminals.

Thus, it is very important that at least the access data to customer systems are changed directly after an attack is detected. In addition, the customers should check their networks for suspicious data transfers and indicators for lateral movement.

Have a good weekend.

1. Muncaster P. US Gas Pipelines Targeted in Cyber-Attack [Internet]. Infosecurity Magazine. 2018 [cited 2018 Apr 13]. Available from: https://www.infosecurity-magazine.com:443/news/us-gas-pipelines-hit-by-cyberattack/

2. Malik NS, Collins R, Vamburkar M. Cyberattack Pings Data Systems of At Least Four Gas Networks. Bloomberg.com [Internet]. 2018 Apr 3 [cited 2018 Apr 15]; Available from: https://www.bloomberg.com/news/articles/2018-04-03/day-after-cyber-attack-a-third-gas-pipeline-data-system-shuts


3 April 2018

CTS-Labs publication (1) of new branded security flaws in AMD’s latest Ryzen and EPYC processors attracted much media attention.

Much Ado About Nothing

Much Ado About Nothing. Made with WortArt.com.


  • In all cases the attacker requires administrative access to exploit the processor flaws.
  • For exploitation of MASTERKEY the attacker needs to re-flash the bios.

For a good overview see post ‘AMD Flaws’ (2) in the Trail of Bits blog.

To put it succinctly:: An attacker managed to fully compromise a system based on an AMD Ryzen or EPYC processor and to stay undetected. Then he starts exploiting Masterkey, flashes the BIOS and reboots the system. As a result he gets directly detected.

That makes no sense. Once I fully compromised a system I have plenty opportunities to run a deep dive into the victim’s network and, to stay undetected. The risk of getting detected when exploiting e.g. MASTERKEY is just too high.

The world of threat actors can be divided in two classes: Non-Nation State Actors and Nation State Actors. In particular MASTERKEY fits perfectly in the cyber weapon arsenal of the latter because only they have the resources to compromise the processors where it is most convenient, in the supply chain.

I don’t like branded vulnerabilities because they keep us from dealing with really important security issues.

Have a great week!

  1. CTS-Labs. Severe Security Advisory on AMD Processors [Internet]. AMDFLAWS. 2018 [cited 2018 Apr 3]. Available from: https://safefirmware.com/amdflaws_whitepaper.pdf

  2. Guido D. “AMD Flaws” Technical Summary [Internet]. Trail of Bits Blog. 2018 [cited 2018 Apr 3]. Available from: https://blog.trailofbits.com/2018/03/15/amd-flaws-technical-summary/