Pull to refresh
760.69
Rating

Information Security *

Data protection

Show first
Rating limit

Q4 2022 DDoS Attacks and BGP Incidents

Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *

Now that 2022 has come to an end, we would like to share the DDoS attack mitigation and BGP incident statistics for the fourth quarter of the year, which overall saw unprecedented levels of DDoS attack activity across all business sectors.

In 2022, DDoS attacks increased by 73.09% compared to 2021. 

Let's take a closer look at the Q4 2022 data.

Read more
Total votes 7: ↑7 and ↓0 +7
Views 394
Comments 0

Payment Village at PHDays 11: pentesting our online bank

Positive Technologies corporate blog Information Security *Payment systems *Entertaining tasks Web services testing *

Hello everyone! We've already talked in our blog about how the Positive Hack Days 11 forum had a special Payment Village zone, where anyone could look for vulnerabilities in an online bank, ATMs, and POS terminals. Our competition to find vulnerabilities in an online bank is not new, but in recent years it has been somewhat supplanted by ethical hacking activities for other financial systems. In 2022, we decided to correct this injustice and created a new banking platform, making use of all our years of experience. We asked the participants to find typical banking vulnerabilities and report them to us. In the competition, the participants could play for either the "white hats" (participate in the bug bounty program of an online bank) or for the "black hats" (try to steal as much money from the bank as possible).

Read more
Rating 0
Views 172
Comments 0

BGP Route Leak prevention and detection with the help of the RFC9234

Qrator Labs corporate blog Information Security *Network technologies *Network standards *

All the credit is due to the RFC’s authors: A. Azimov (Qrator Labs & Yandex), E. Bogomazov (Qrator Labs), R. Bush (IIJ & Arrcus), K. Patel (Arrcus), K. Sriram.

A BGP route leak is an unintentional propagation of BGP prefixes beyond the intended scope that could result in a redirection of traffic through an unintended path that may enable eavesdropping or traffic analysis, and may or may not result in an overload or complete drop (black hole) of the traffic. Route leaks can be accidental or malicious but most often arise from accidental misconfigurations.

Read more
Total votes 9: ↑9 and ↓0 +9
Views 549
Comments 0

How to exchange a secret key over an insecure network (EC-Diffie-Hellman algorithm)

Information Security *Cryptography *Programming *

Let’s say you want to send an encrypted message to your friend in order to avoid it being intercepted and read by a third party. You generate a random secret key and encrypt the message with it. Let’s say you use AES. But how do you let your friend know the key to decrypt it?

In this article, we will explore how the Elliptic-Curve Diffie-Hellman algorithm works under the hood. The article includes the implementation of this algorithm from scratch, written in Python.

Read more
Total votes 2: ↑2 and ↓0 +2
Views 1.1K
Comments 2

Anonymity and Authenticity

Decentralized networks *Information Security *Cryptography *

The following text consists of two logically connected parts. The first part constructively rules out the assumption that untraceability supposes anonymity. The second part enumerates specific practical tasks in the form of various scenarios when digital signatures (DS) do not provide correct solutions to the task. It is demonstrated that a complete solution can be obtained through a special combination of DS and an interactive anonymous identification protocol.

Read more
Rating 0
Views 800
Comments 0

Payment Village at PHDays 11: ATM hacking

Positive Technologies corporate blog Information Security *IT systems testing *Payment systems *Entertaining tasks

The Positive Hack Days 11 forum, which took place May 18–19, 2022, was truly epic. The bitterly fought ATM hacking contest featured no fewer than 49 participants. How cool is that? The winner of this year's prize fund of 50,000 rubles, with the handle Igor, was the first to hack the virtual machines. And he wasn't even at the event! :)

Besides Igor, eight other participants picked up prizes this year for their VM-hacking skills. They were: drd0cvientvrazovdurcmzxcvcxzas7asg_krdhundred303, and drink_more_water_dude. A big thank-you to everyone who took part, and for those who weren't at PHDays, here are the links to the virtual machines.

Read more
Total votes 5: ↑3 and ↓2 +1
Views 680
Comments 1

The 2022 National Internet Segment Reliability Research

Qrator Labs corporate blog Decentralized networks *Information Security *

The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Generally, the most critical AS in the region is the dominant ISP on the market, but not always.

As the number of alternate routes between ASes increases (the "Internet" stands for "interconnected networks" - and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are more important than others from the beginning, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.

The global connectivity of any given AS, whether an international giant or a regional player, depends on the quantity and quality of its path to Tier-1 ISPs.

Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will always be maintained. For many ISPs at all "tiers", losing connection to even one Tier-1 peer would likely render them unreachable from some parts of the world.

Read more
Total votes 9: ↑9 and ↓0 +9
Views 536
Comments 0

Top 10 incident response mistakes

Positive Technologies corporate blog Information Security *Antivirus protection *Data recovery *Reverse engineering *

Imagine someone withdrew money from a company's account at night. The next morning panic breaks out, leading to yet more problems. The IT department can reinstall a compromised system from scratch or restore it from backup. Reinstalling from scratch will wipe out all traces left by the attackers, and external investigators will have to search for clues in other systems. Restoring from backup carries the risk of accidentally reinstating a compromised image. In this paper, we will describe common mistakes that experts make when responding to security incidents.

Read more
Rating 0
Views 644
Comments 0

20 years of payment processing problems

Information Security *
Translation

Thanks to yarbabin for the logo

Electronic payment systems have existed on the Internet for a long time, and some bugs in them are twenty years old. We've found critical vulnerabilities allowing us to steal money and drive up the balance. Today we will analyze typical implementations of payment processing and related security issues.

Read more →
Total votes 3: ↑3 and ↓0 +3
Views 1.5K
Comments 2

How abortion in the age of surveillance capitalism turns Internet into a dystopia

Information Security *Cryptocurrencies
The reversal of Roe v. Wade, which launched a furious debate about abortion rights, has a side — and a very itchy side. In June 2022, the Supreme Court struck down federal protections for abortion rights in the United States, turning the decision on the legality of abortion over to the state level, many of whom had long been waiting for it: they had «trigger» laws banning abortion, and state prosecutors were preparing to prosecute for violating or trying to circumvent them.

Not even a week later, news emerged that the blow to women's rights might come from an unexpected (for naive Americans who are not familiar with the «Yarovaya Package» and other niceties of Russian legislation) side, when the willingness to «leak» personal data even without a decision was confirmed by the developers of major applications for women. Thus, suddenly, own gadgets and all the IT infrastructure that surrounds the modern man for his convenience, suddenly showed its downside: the possibility of total control over human life and actions.

image
Read more →
Total votes 8: ↑8 and ↓0 +8
Views 2.5K
Comments 0

Blood, sweat and pixels: releasing a mobile game with no experience

«Лаборатория Касперского» corporate blog Information Security *Game development *
In January 2022, we, at Kaspersky, released our first mobile game – Disconnected. The game was designed for companies that want to strengthen their employees’ knowledge of cybersecurity basics. Even though game development is not something you would expect from a cybersecurity company, our motivation was quite clear – we wanted to create an appealing, interactive method of teaching cybersecurity.



Over our many years of experience in security awareness and experimentation with learning approaches (e.g. online adaptive platforms, interactive workshops and even VR simulations), we’ve noticed that even if the material is presented in a highly engaging way, people still lack the opportunity to apply the knowledge in practice. This means that although they are taking in the information, it won’t necessarily be applied.
Read more →
Total votes 7: ↑7 and ↓0 +7
Views 2.8K
Comments 0

IDS Bypass at Positive Hack Days 11: writeup and solutions

Positive Technologies corporate blog Information Security *Network technologies *CTF *

The IDS Bypass contest was held at the Positive Hack Days conference for the third time (for retrospective, here's . This year we created six game hosts, each with a flag. To get the flag, participants had either to exploit a vulnerability on the server or to fulfill another condition, for example, to enumerate lists of domain users.

The tasks and vulnerabilities themselves were quite straightforward. The difficulty laid in bypassing the IDS: the system inspected network traffic from participants using special rules that look for attacks. If such a rule was triggered, the participant's network request was blocked, and the bot sent them the text of the triggered rule in Telegram.

And yes, this year we tried to move away from the usual CTFd and IDS logs towards a more convenient Telegram bot. All that was needed to take part was to message the bot and pick a username. The bot then sent an OVPN file to connect to the game network, after which all interaction (viewing tasks and the game dashboard, delivering flags) took place solely through the bot. This approach paid off 100%!

Подробнее
Total votes 3: ↑3 and ↓0 +3
Views 1.1K
Comments 0

Text-based CAPTCHA in 2022

Information Security *Machine learning *Artificial Intelligence
Translation

The first text-based CAPTCHA ( we’ll call it just CAPTCHA for the sake of brevity ) was used in 1997 by AltaVista search engine. It prevented bots from adding Uniform Resource Locator (URLs) to their web search engine.

Back then it was a decent defense measure. However the progress can't be stopped, and this defense was bypassed using OCR available at those times (for example FineReader).

CAPTCHA became more complex, noise was added to it, along with distortions, so the popular OCRs couldn’t recognize this text. And then OCRs custom made for this task appeared. It costed extra money and knowledge for the attacking side. The CAPTCHA developers were required to understand the challenges the attackers met, what distortions to add, in order to make the automation of the CAPTCHA recognition more complex.

The misunderstanding of the principles the OCRs were based on, some CAPTCHAs were given such distortions, that they were more of a hassle for regular users than for a machine.

OCRs for different types of CAPTCHAs were made using heuristics, and the most complicated part of it was the CAPTCHA segmentation for the stand along symbols, that subsequently could be easily recognized by the CNN (for example LeNet-5), also SVM showed a good result even on the raw pixels.

In this article I’ll try to grasp the whole history of CAPTCHA recognition, from heuristics to the contemporary automated recognition systems. We’ll figure out, if a CAPTCHA is still alive.

I’ll review the yandex.com CAPTCHA. The Russian version of the same CAPTCHA is more complex.

Read more
Total votes 4: ↑3 and ↓1 +2
Views 1.9K
Comments 0

PHDays 11: bootkit infection, sanitizers for the Linux kernel, the new face of OSINT, and phishing on official websites

Positive Technologies corporate blog Configuring Linux *Information Security *Programming *Conferences

Positive Hack Days 11 will begin in a matter of weeks. This international forum on practical security will be held on May 18–19 in Moscow.

As per tradition, PHDays will have three big tracks dedicated to countering attacks (defensive), protection through attack (offensive), and the impact of cybersecurity on business. It is our pleasure to present the first talks.

Read more
Total votes 1: ↑0 and ↓1 -1
Views 1K
Comments 0

Why does my app send network requests when I open an SVG file?

PVS-Studio corporate blog Information Security *Programming *.NET *C# *

0923_SVG_XXE_ru/image1.png


You decided to make an app that works with SVG. Encouraged by the enthusiasm, you collected libraries and successfully made the application. But suddenly you find that the app is sending strange network requests. And data is leaking from the host-machine. How so?

Read more →
Total votes 3: ↑3 and ↓0 +3
Views 1.8K
Comments 0

Vulnerabilities due to XML files processing: XXE in C# applications in theory and in practice

PVS-Studio corporate blog Information Security *Programming *.NET *C# *

How can simple XML files processing turn into a security weakness? How can a blog deployed on your machine cause a data leak? Today we'll find answers to these questions, learn what XXE is and how it looks like.


0918_XXE_BlogEngine/image1.png

Read more →
Total votes 1: ↑1 and ↓0 +1
Views 955
Comments 0

Authors' contribution