VietNam Breaking News

Update latest news from Vietnam

Flaw and all

IT college student praised by American tech giant for discovering vulnerabilities

February 11, 2021 by e.vnexpress.net

“Hello everyone, my name is Quynh. I am a senior at the Academy of Cryptography Techniques, Hanoi, and a security researcher, a job focusing on vulnerabilities in the Java platform.”

That was how Quynh introduced herself at a security webinar last October.

Over the past five years, the 23-year-old has had to repeat this introduction at many lectures, since few thought a girl in her early twenties could detect as many as four high-severity vulnerabilities in less than a year, a feat that has made her a favorite speaker at various information security events.

The four Common Vulnerabilities and Exposures (CVE), the general term for security vulnerabilities, that Quynh has found are CVE-2020-14625, CVE-2020-14825, CVE-2020-2883, and CVE-2020-2798. Of these, three were rated 9.8 out of 10 in terms of severity by experts on Oracle WebLogic Server. The other was rated 7.2.

Oracle’s WebLogic Server application is used by tens of thousands of companies around the world, bringing billions of dollars in revenue to the U.S. technology giant. If not detected early, the vulnerabilities above could be exploited by hackers and might cause unpredictable consequences.

With Oracle publishing a list of vulnerabilities and patches for its products every quarter, the name of the senior college student popped up thrice last year.

Getting hooked by chance

To be able to detect her very first CVE in two weeks, it took Quynh four years of schooling and two months of research.

But she admitted she did not enter this industry because of her passion or with a specific goal, but simply found it “cool.”

“I decided to study IT since I have always had a curious mind and the program has a study abroad option,” she recalled.

Surprisingly, the first-year college student who loves literature and knows how to play the piano had completed her study program with good results and earned a study slot abroad. But when she achieved her initial goal, Quynh realized she really loved information security and later decided to continue pursuing this field.

At the end of her sophomore year, Quynh learned and sought wisdom from older college students and later earned an apprenticeship at the information security center of state-owned telecom firm Vietnam Posts and Telecommunications Group (VNPT).

“I was mesmerized and really got hooked. Initially, I just wanted to learn about the field from older students, but later became interested in this industry.”

When she discovered the first Oracle vulnerability in late 2019, she screamed for joy, but later worried someone may have detected the flaw before her.

According to Quynh, these are emotions she would never forget since her passion produced results and got recognized.

Dream of heading overseas

To find a vulnerability, information security personnel like Quynh spend months researching the problem and reviewing previously discovered vulnerabilities. So sitting in front of the computer for tens of hours a day is nothing unusual for this girl.

Even though finding the problem is already a challenge, proving it is a threat is even more difficult, with the hardest step being writing code to hack into the system.

“Just like saying an old lock is bad for securing things. We also need to show how the bad guy can potentially break the lock,” Quynh explained.

She said an IT engineer “must really understand the software and vulnerability” in order to detect the CVE.

All the vulnerabilities she found relate to Oracle’s WebLogic, which is written in the Java programming language.

Quynh specializes in problems related to serialization in Java, and most of the vulnerabilities she has detected are associated with this mechanism. Some errors can be found in a week, while some may take her up to a month to discover.

Once a vulnerability is found, it can take months to come up with the patch to fix the CVE, with solutions needed as soon as possible to minimize the impact on clients.

Quynh revealed she wishes to become an influencer in the global information security industry.

“I want to detect even harder vulnerabilities and become a professional information security researcher. I hope to be able to speak in front of a world-class security conference one day.”

Quynh spends eight hours every day working at VNPT’s information security center and uses her evenings to work on her graduation project.

Despite her busy schedule, she aims to pursue a more balanced lifestyle in and outside of work.

“I always try to keep a positive mindset and manage my tasks, while getting enough sleep and having spare time to hang out with friends on weekends.”

Since the process of detecting and fixing vulnerabilities does not yield immediate results, Quynh shared it is important for an information security researcher to persevere.

Popular Vietnamese delivery system gets hacked

December 9, 2020 by hanoitimes.vn

The Hanoitimes – The Vietnamese delivery system Giao Hang Tiet Kiem (GHTK – Saving on Deliveries) was attacked by hackers.

Screenshot of an article on Medium about the cyber-attack on the Vietnamese delivery system Giao Hang Tiet Kiem (GHTK). Source: kinhtedothi.vn

According to the social publishing platform Medium, hackers got access to nearly 4GB of source code of the delivery system Giao Hang Tiet Kiem and sold it online.

Speaking about the data they are selling, the hackers said they got it because there was a major flaw in the GHTK system. This flaw allowed them to view, edit and modify the code of any project. As a result, they downloaded all of the system’s data.

Medium said the flaw could be the result of mistakes in the DevOps practices of the system’s programmers and administrators. It could also be caused by the low security level of the system’s passwords, which made it untrustworthy.

A cybersecurity expert said the hackers could have used the technique of social engineering. This is a form of attack that targets the employees of GHTK, deceiving them in order to break into the system and steal data.

GHTK is a professional e-commerce delivery company in Vietnam founded in 2013. It specialises in providing convenient door-to-door delivery services for online shops and businesses.

With a wide range of operations with more than 1,000 branches nationwide, GHTK currently has more than 20,000 customers, serving millions of orders per month. The delivery company is also keeping a large amount of data including important information such as name, phone number, and address of users.

At present, there is no information on whether personal data of customers using GHTK’s services has been exploited. However, that scenario is highly possible, according to Medium.

GHTK is not the first company to suffer from data leakage and system source code issues. More than 50 companies, including Microsoft, Adobe, Lenovo, AMD, Qualcomm, MediaTek,… have also been victims of cybercrime organisations.

Everton savour first win at Liverpool since 1999, Chelsea held

February 21, 2021 by www.vir.com.vn

Everton savour first win at Liverpool since 1999, Chelsea held (photo: youtube/Kplus Sports)

Richarlison’s early opener and Gylfi Sigurdsson’s late penalty gave the Toffees a first win on any ground over Liverpool in 24 attempts dating back to 2010.

After a run of 68 league games unbeaten at Anfield, injury-ravaged Liverpool have lost their last four on home turf for the first time since 1923.

“I’m very pleased for the club and the supporters. I hope for sure that they are going to celebrate tonight,” said Everton boss Carlo Ancelotti.

Liverpool have won just two of their last 11 league games to leave them in grave danger of missing out on Champions League football for the first time since Jurgen Klopp’s first season in charge five years ago.

The Reds are languishing in sixth place and would be five points adrift of the top four if West Ham beat Tottenham on Sunday.

“The first goal which we have to defend better gave the direction of the game. It was unnecessary,” said Klopp. “We had to chase the game and were not calm enough.”

The sting from defeat in the 238th Merseyside derby will linger even longer given it was a bad tackle from Everton keeper Jordan Pickford in their meeting earlier this season that left Virgil van Dijk sidelined ever since with a serious knee injury.

Without the influential Dutch centre-back, Liverpool have endured a wretched time and their defensive flaws were exposed by Everton after just 145 seconds.

A weak headed Ozan Kabak clearance fell to James Rodriguez, who slipped in a pass behind the on-loan Schalke centre-back and Richarlison ran on to fire an angled drive past Alisson Becker.

Liverpool then suffered the latest in a series of injury blows when captain Jordan Henderson limped off with a groin problem.

The hosts applied all the pressure in the second half but they were hit with a sucker punch seven minutes from time when Dominic Calvert-Lewin was brought down by Trent Alexander-Arnold.

Sigurdsson stroked home the penalty to take Everton level on points with their local rivals and with a game in hand to come.

– Hudson-Odoi targeted by Tuchel –

Chelsea remain in fourth for now as Tuchel is unbeaten in seven games since replacing the sacked Frank Lampard last month.

But the German endured some of the same frustrations that Lampard suffered earlier in the season as the Blues’ domination of the ball created little, while one slack moment defensively cost them two points.

On-loan Liverpool midfielder Takumi Minamino did his parent club a favour by opening the scoring with a cool finish after sitting down Edouard Mendy and Cesar Azpilicueta on 33 minutes.

Tuchel sent on Callum Hudson-Odoi for the second half but was less than impressed with the England international as he was replaced just 21 minutes later by Hakim Ziyech.

By that point the visitors were level as Mason Mount converted from the penalty spot after he had been chopped down by Danny Ings.

“We brought in Callum Hudson-Odoi but I was not happy with his attitude, energy and counter-pressing. I took him off and we demand 100 percent,” Tuchel said.

“I feel he is not in the right shape to help us. I was not happy with his body language.”

After losing six consecutive league matches for the first time in their history, even a scrappy point was a welcome boost for Southampton.

At the bottom, Fulham closed to within three points of survival thanks to Ademola Lookman’s strike to beat bottom-of-the-table Sheffield United 1-0.

West Brom’s chances of beating the drop are diminishing after a 0-0 draw at Burnley left them still 11 points from safety.

Despite Semi Ajayi’s 30th-minute red card for deliberate handball, the Baggies had the better chances at Turf Moor but have won just once in 13 games under Sam Allardyce.

AFP
