Pull to refresh
1341.22
Rating

Information Security *

Data protection

Show first
  • New
  • Top
Rating limit
  • All
  • ≥0
  • ≥10
  • ≥25
  • ≥50
  • ≥100

Espressif IoT Development Framework: 71 Shots in the Foot

PVS-Studio corporate blog Information Security *C++ *C *Development for IOT *

0790_Espressif_IoT_Development_Framework/image1.png
One of our readers recommended paying heed to the Espressif IoT Development Framework. He found an error in the project code and asked if the PVS-Studio static analyzer could find it. The analyzer can't detect this specific error so far, but it managed to spot many others. Based on this story and the errors found, we decided to write a classic article about checking an open source project. Enjoy exploring what IoT devices can do to shoot you in the foot.

Read more →
Total votes 1: ↑1 and ↓0 +1
Views 828
Comments 0

ONLYOFFICE Community Server: how bugs contribute to the emergence of security problems

PVS-Studio corporate blog Information Security *Open source *.NET *C# *
image1.png

Server-side network applications rarely get the chance to join the ranks of our reviews of errors found in open source software. This is probably due to their popularity. After all, we try to pay attention to the projects that readers themselves offer us. At the same time, servers often perform very important functions, but their performance and benefits remain invisible to most users. So, by chance, the code of ONLYOFFICE Community Server was checked. It turned out to be a very fun review.
Read more →
Total votes 4: ↑3 and ↓1 +2
Views 682
Comments 2

Russian microcontroller K1986BK025 based on the RISC-V processor core for smart electricity meters

Миландр corporate blog Information Security *Language localisation *Manufacture and development of electronics *
Welcome to RISC-V era!

Solutions based on the open standard instruction set architecture RISC-V are currently increasing their presence on the market. Microcontrollers from Chinese colleagues are already in serial production; Microchip is offering interesting solutions with FPGA on board. The ecosystem of software and design tools for this architecture are also growing. Seeming previously unshaken leaders have more often found themselves in resale ads, while young startups attract multi-million investments. Milandr also got involved in this race and today began supplying interested companies with samples of its new K1986BK025 microcontroller based on the RISC-V processor core for electricity meters. Well here we go, pictures, characteristics and other information, as well as a little bit of hype under the cut.


Read more →
Total votes 9: ↑9 and ↓0 +9
Views 3.6K
Comments 0

Unicorns on Guard for Your Safety: Exploring the Bouncy Castle Code

PVS-Studio corporate blog Information Security *Development Management *
image1.png

Would you like to see a new batch of errors found by the PVS-Studio static analyzer for Java? Then keep reading the article! This time the Bouncy Castle project is to be checked. The most interesting code snippets, as usual, are waiting for you below.
Read more →
Total votes 1: ↑0 and ↓1 -1
Views 631
Comments 0

SIEM Solutions Overview (Security Information and Event Management)

ROI4CIO corporate blog Information Security *Software
Recovery mode

Modern corporate IT infrastructure consists of many systems and components. And monitoring their work individually can be quite difficult — the larger the enterprise is, the more burdensome these tasks are. But there are the tools, which collect reports on the work of the entire corporate infrastructure — SIEM (Security Information and Event Management) system in one place. Read the best of such products according to Gartner experts in our review, and learn about the main features from our comparison table.
Read more →
Total votes 2: ↑2 and ↓0 +2
Views 1.4K
Comments 1

Checking Clang 11 with PVS-Studio

PVS-Studio corporate blog Information Security *Open source *C++ *Compilers *
PVS-Studio: I'm still worthy

Every now and then, we have to write articles about how we've checked another fresh version of some compiler. That's not really much fun. However, as practice shows, if we stop doing that for a while, folks start doubting whether PVS-Studio is worth its title of a good catcher of bugs and vulnerabilities. What if the new compiler can do that too? Sure, compilers evolve, but so does PVS-Studio – and it proves, again and again, its ability to catch bugs even in high-quality projects such as compilers.
Read more →
Total votes 3: ↑2 and ↓1 +1
Views 445
Comments 0

Why code reviews are good, but not enough

PVS-Studio corporate blog Information Security *Programming *C++ *
image1.png

Code reviews are definitely necessary and useful. It's a way to impart knowledge, educate, control a task, improve code quality and formatting, fix bugs. Moreover, you can notice high-level errors related to the architecture and algorithms used. So it's a must-have practice, except that people get tired quickly. Therefore, static analysis perfectly complements reviews and helps to detect a variety of inconspicuous errors and typos. Let's look at a decent example on this topic.
Read more →
Rating 0
Views 703
Comments 0

Molto-2 — a USB programmable multi-profile TOTP hardware token

Token2.com corporate blog Information Security *

About a year ago, we released Token2 Molto-1, the world's first programmable multi-profile hardware token. While Molto-1 is still the only solution of its kind currently available on the market, we will be soon releasing a new variation of a multi-profile hardware token, in a different form-factor and with a different set of features available.

While Molto-1 has its advantages, there were some shortcomings that we wanted to address, for example, it can only hold up to ten TOTP profiles, which is not enough for many users. Also, using NFC to program the device does not look very convenient for some users. There were also requests to have a backlight for the screen of the token, so it can be used in the dark. With Molto-2 we tried to address this and a few other concerns. So, we hereby present our new device model, Token2 Molto-2 with the following specifications:

TOKEN2 MOLTO-2 multi-profile programmable TOTP hardware token:

▣ RFC 6238 compliant

▣ supports up to 50 accounts/profiles

▣ USB-programmable with a Windows app

▣ RTC battery life: 8 years

▣ LCD screen battery: 3-4 months (rechargeable)

The table below shows the comparison between Molto-1 and Molto-2

Read more
Total votes 1: ↑1 and ↓0 +1
Views 1.4K
Comments 0

The 2020 National Internet Segment Reliability Research

Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *IPv6 *

The National Internet Segment Reliability Research explains how the outage of a single Autonomous System might affect the connectivity of the impacted region with the rest of the world. Most of the time, the most critical AS in the region is the dominant ISP on the market, but not always.

As the number of alternate routes between AS’s increases (and do not forget that the Internet stands for “interconnected network” — and each network is an AS), so does the fault-tolerance and stability of the Internet across the globe. Although some paths are from the beginning more important than others, establishing as many alternate routes as possible is the only viable way to ensure an adequately robust network.

The global connectivity of any given AS, regardless of whether it is an international giant or regional player, depends on the quantity and quality of its path to Tier-1 ISPs.

Usually, Tier-1 implies an international company offering global IP transit service over connections with other Tier-1 providers. Nevertheless, there is no guarantee that such connectivity will be maintained all the time. For many ISPs at all “tiers”, losing connection to just one Tier-1 peer would likely render them unreachable from some parts of the world.
Read more →
Total votes 26: ↑26 and ↓0 +26
Views 8.7K
Comments 0

The hunt for vulnerability: executing arbitrary code on NVIDIA GeForce NOW virtual machines

Доктор Веб corporate blog Information Security *Antivirus protection *Cloud computing *

Introduction


Against the backdrop of the coronavirus pandemic, the demand for cloud gaming services has noticeably increased. These services provide computing power to launch video games and stream gameplay to user devices in real-time. The most obvious advantage of this gaming type is that gamers do not need to have high-end hardware. An inexpensive computer is enough to run the client, spending time in self-isolation while the remote server carries out all calculations.

NVIDIA GeForce NOW is one of these cloud-based game streaming services. According to Google Trends, worldwide search queries for GeForce NOW peaked in February 2020. This correlates with the beginning of quarantine restrictions in many Asian, European, and North and South American countries, as well as other world regions. At the same time in Russia, where the self-isolation regime began in March, we see a similar picture with a corresponding delay.

Given the high interest in GeForce NOW, we decided to explore this service from an information security standpoint.
Read more →
Total votes 6: ↑6 and ↓0 +6
Views 5.3K
Comments 0

Static code analysis of the PMDK library collection by Intel and errors that are not actual errors

PVS-Studio corporate blog Information Security *Open source *C++ *C *
PVS-Studio, PMDK

We were asked to check a collection of open source PMDK libraries for developing and debugging applications with NVRAM support by PVS-Studio. Well, why not? Moreover, this is a small project in C and C++ with a total code base size of about 170 KLOC without comments. Which means, the results review won't take much energy and time. Let's go.
Read more →
Total votes 2: ↑2 and ↓0 +2
Views 561
Comments 1

EVVIS-QR1 USB Programmable TOTP hardware token

Token2.com corporate blog Information Security *
imageToday, we are presenting a new type of TOTP hardware tokens — USB Programmable token that displays the OTP value as a QR code and also can send the current OTP value over USB as a part of its HID emulation feature.

What is EVVIS-QR1?


EVVIS-QR1 is a hardware device developed primarily for Electronic visit verification (EVV) information systems (hence the name). It is a standards-based TOTP hardware token that can also be programmed over USB. The OTP generated is shown on the display both as regular digits as well as a QR image. Both features (OTP shown as QR code and HID keyboard emulation) are intended to make it possible to minimize typos when entering the OTP.
Read more →
Total votes 4: ↑4 and ↓0 +4
Views 1.3K
Comments 1

Y messenger Manifesto

Decentralized networks Information Security *
Recovery mode

Y messenger - decentralized end-2-end encrypted messenger


We are a team of independent developers. We have created a new messenger, the purpose of which is to solve the critical problems of the modern Internet and the modes of communication it provides. We see users become hostages to the services they have grown accustomed to and we see corporations exploiting their users and controlling them. And we don’t like it. We believe the Internet should be different.
In this Manifesto, we disclose our vision of the Internet and describe what we have done to make it better. If you share our ideas — join us. Together we can achieve more than each of us can alone.

Read more →
Total votes 8: ↑3 and ↓5 -2
Views 603
Comments 2

Looking back at 3 months of the global traffic shapeshifting

Qrator Labs corporate blog Information Security *IT Infrastructure *Network technologies *
image
There would be no TL;DR in this article, sorry.

Those have been three months that genuinely changed the world. An entire lifeline passed from February, 1, when the coronavirus pandemics just started to spread outside of China and European countries were about to react, to April, 30, when nations were locked down in quarantine measures almost all over the entire world. We want to take a look at the repercussions, cyclic nature of the reaction and, of course, provide DDoS attacks and BGP incidents overview on a timeframe of three months.

In general, there seems to be an objective pattern in almost every country’s shift into the quarantine lockdown.
Read more →
Total votes 27: ↑27 and ↓0 +27
Views 2.9K
Comments 0

Safe-enough linux server, a quick security tuning

Information Security *System administration **nix *Cloud computing *Server Administration *
Sandbox
Tutorial
The case: You fire up a professionally prepared Linux image at a cloud platform provider (Amazon, DO, Google, Azure, etc.) and it will run a kind of production level service moderately exposed to hacking attacks (non-targeted, non-advanced threats).

What would be the standard quick security related tuning to configure before you install the meat?


release: 2005, Ubuntu + CentOS (supposed to work with Amazon Linux, Fedora, Debian, RHEL as well)


image

Read more →
Total votes 7: ↑6 and ↓1 +5
Views 1.8K
Comments 0

This is how you deal with route leaks

Qrator Labs corporate blog Information Security *Network technologies *
That, we must say, is the unique story so far.

Here’s the beginning: for approximately an hour, starting at 19:28 UTC on April 1, 2020, the largest Russian ISP — Rostelecom (AS12389) — was announcing prefixes belonging to prominent internet players: Akamai, Cloudflare, Hetzner, Digital Ocean, Amazon AWS, and other famous names.

Before the issue was resolved, paths between the largest cloud networks were somewhat disrupted — the Internet blinked. The route leak was distributed quite well through Rascom (AS20764), then Cogent (AS174) and in a couple of minutes through Level3 (AS3356) to the world. The issue suddenly became bad enough that it saturated the route decision-making process for a few Tier-1 ISPs.

It looked like this:

image

With that:

image
Read more →
Total votes 22: ↑22 and ↓0 +22
Views 2.2K
Comments 0

Authors' contribution