• Digital Forensics Tips&Tricks: How to Find Active VPN Connection in the Memory Dump

      Sometimes you can meet a case when a cyber-attacker uses VPN to establish a reliable channel between C2 server and infected IT-infrastructure. And, as Threat Intelligence experts say, attackers often use native Windows VPN connection tools and Windows .pbk (phonebook) files. Lets find out how we can detect it using a memory dump.

      What is .pbk file and how does it look inside? It's just a text file with a lot of different parameters using when VPN connection is establishing.


      Read more →
    • DoT for RPZ distribution

        Just a few months ago there were a lot of buzz because IETF in expedited time frame (about one year) accepted DNS over HTTPS (DoH) as a standard (RFC-8484). The discussions about that are still going on because of its controversy. My personal opinion is that DoH is good for personal privacy (if you know how to use it and trust your DNS provider) but it is a security risk for enterprises. DNS over TLS (DoT) is a better alternative for enterprise customers only because it uses a well-defined TCP port but for personal privacy it is not good because of the same reason (easy to block).
        Read more →
      • Eliminating opportunities for traffic hijacking

          Beautiful scheme for BGP connection to Qrator filtering network

          A little historical overview

          • BGP hijacks — when an ISP originates an advertisement of address space that does not belong to it;
          • BGP route leaks — when an ISP advertises prefixes received from one provider or peer to another provider or peer.

          This week it has been 11 years since the memorable YouTube BGP incident, provoked by the global propagation of a more specific prefix announce, originated by the Pakistan Telecom, leading to an almost 2 hour in duration traffic disruption in the form of redirecting traffic from legitimate path to the bogus one. We could guess if that event was intentional, and even a correct answer wouldn’t help us completely prevent such incidents from happening today. While you read this, a route leak or a hijack is spreading over the networks. Why? Because BGP is not easy, and configuring a correct and secure setup is even harder (yet).

          In these eleven years, BGP hijacking became quite damaging attack vector due to the BGP emplacement in the architecture of modern internet. Thanks to BGP, routers not only acquire peer information, and therefore all the Internet routes — they are able of calculating the best path for traffic to its destination through many intermediate (transit) networks, each representing an individual AS. A single AS is just a group of IPv4 and/or IPv6 networks operating under a single external routing policy.
          Read more →
        • You Do Not Need Blockchain: Eight Well-Known Use Cases And Why They Do Not Work


            People are resorting to blockchain for all kinds of reasons these days. Ever since I started doing smart contract security audits in mid-2017, I’ve seen it all. A special category of cases is ‘blockchain use’ that seems logical and beneficial, but actually contains a problem that then spreads from one startup to another. I am going to give some examples of such problems and ineffective solutions so that you (developer/customer/investor) know what to do when somebody offers you to use blockchain this way.


            • The described use cases and problems occur at the initial stage. I am not saying these problems are impossible to solve. However, it is important to understand which solutions system creators offer for particular problems.
            • Even though the term ‘blockchain use’ looks strange and I am not sure that blockchain can be used for anything other than money (Bitcoin), I am going to use it without quotes.

            1. Supply chain management

            Let’s say you ordered some goods, and a carrier guarantees to maintain certain transportation conditions, such as keeping your goods cold. A proposed solution is to install a sensor in a truck that will monitor fridge temperature and regularly transmit the data to the blockchain. This way, you can make sure that the promised conditions are met along the entire route.

            Read more →
          • Detecting Web Attacks with a Seq2Seq Autoencoder


              Attack detection has been a part of information security for decades. The first known intrusion detection system (IDS) implementations date back to the early 1980s.

              Nowadays, an entire attack detection industry exists. There are a number of kinds of products—such as IDS, IPS, WAF, and firewall solutions—most of which offer rule-based attack detection. The idea of using some kind of statistical anomaly detection to identify attacks in production doesn’t seem as realistic as it used to. But is that assumption justified?
              Read more →
            • Internet Issues & Availability Report 2018–2019


                While working on the annual report this year we have decided to avoid retelling the news headlines of the previous year and, though it is almost impossible to ignore memories absolutely, we want to share with you the result of a clear thought and a strategic view to the point where we all are going to arrive in the nearest time — the present.

                Leaving introduction words behind, here are our key findings:

                • Average DDoS attack duration dropped to 2.5 hours;
                • During 2018, the capability appeared for attacks at hundreds of gigabits-per-second within a country or region, bringing us to the verge of “quantum theory of bandwidth relativity”;
                • The frequency of DDoS attacks continues to grow;
                • The continuing growth of HTTPS-enabled (SSL) attacks;
                • PC is dead: most of the legitimate traffic today comes from smartphones, which is a challenge for DDoS actors today and would be the next challenge for DDoS mitigation companies;
                • BGP finally became an attack vector, 2 years later than we expected;
                • DNS manipulation has become the most damaging attack vector;
                • Other new amplification vectors are possible, like memcached & CoAP;
                • There are no more “safe industries” that are invulnerable to cyberattacks of any kind.

                In this article we have tried to cherry-pick all the most interesting parts of our report, though if you would like read the full version in English, the PDF is available.
                Read more →
              • AdBlock has stolen the banner, but banners are not teeth — they will be back

              • How to prevent targeted cyber attacks? 10 best network sandboxes

                  Targeted attacks are the most dangerous among the multitude of modern cyber threats. They are also known as ATP (an abbreviation which stands for Advanced Persistent Threat). Those are not viruses that can accidentally get into the computer due to user's carelessness. Neither it is an attempt to replace the address of a popular site in order to cheat billing information from credulous users. Targeted cyber attacks are prepared and thought out carefully and pose a particular threat.
                  Read more →
                • Yet another review of OATH hardware tokens feature in Azure Cloud MFA

                    About three months ago Microsoft has announced the availability of OATH TOTP hardware tokens in Azure MFA. The feature is still in “public preview”, but we see many of our customers using the feature in production already now. As we are testing this for the last couple of months in our lab environment and, in many cases, we are also assisting our customers with the activation of the feature, we have some observations that we believe are worth sharing.

                    Read more →
                  • Why pentesting is important to your Business?


                      In today’s world, it is almost impossible to imagine a business without some type of connection to the Internet — a website, email, employee training, CRM (Customer-relationship management), CMS (Content management system), etc. It simplifies and speeds up the ordering process, search for new clients, records search and keeping, and such.
                      Read more →
                    • Programmable TOTP tokens in a key fob form-factor

                        TOTP tokens are small, easy-to-use devices that generate one-time passcodes. These tamper-evident devices can be used wherever strong authentication is required.

                        TOKEN2 is selling programmable hardware tokens in credit card format for already a few years now. Token2 miniOTP cards are marketed as a hardware alternative to Google Authenticator or other OATH-compliant software tokens. Having the same functionality extended to tokens in classic keyfob/dongle format was one of the features our customers asked for.

                        We are hereby announcing our new product, TOKEN2 C300 TOTP hardware token, which is possible to be reseeded for an unlimited number of times via NFC using a special «burner» app.
                        Читать дальше →
                      • How to crack a self-service terminal and why 80% of them are under threat

                        • Translation
                        Author of the original post in Russian: frsamara

                        I always loved playing with things and testing them under all sorts of wacky conditions as a kid and even considered getting a job as a tester, but I never did. Nevertheless, I still like taking things made by someone else and poking them for vulnerabilities.

                        I remember, when first self-service payment terminals started popping around town, I saw one of them put up a browser window while updating, and the game was on — I broke it almost immediately. There’s been a lot of discussion about it since then and developers have started to pay a lot more attention towards security in these machines.

                        Recently, fast-food joints have started installing these terminals. Obviously, it’s quite convenient: just tap a couple of virtual buttons, place an order, pay with a bank card and wait for your number to show on the screen.

                        Also, nearly every big mall has these interactive boards with floor plans and information on various sales and discounts.

                        How secure are they?
                        Read more →